npm openclaw 2026.5.9-beta.1

6 hours ago

Changes

  • Chat commands: add /think default and /fast default to clear session overrides and inherit configured/provider defaults. (#79385) Thanks @VACInc.
  • Dependencies: refresh workspace dependency pins and lockfile, including @openai/codex 0.130.0, acpx 0.7.0, AWS SDK 3.1044.0, OpenTelemetry 0.217.0, typebox 1.1.38, vite 8.0.11, oxfmt 0.48.0, and oxlint 1.63.0, and update the Codex harness model snapshot for the new bundled app-server catalog.
  • Plugins/install: add guarded plugin install overrides so onboarding and repair tests can route specific plugins to registry specs or local npm pack artifacts via environment variables.
  • Tests/Docker: add Codex on-demand install and live plugin-tool dependency E2E lanes for packaged onboarding and npm-pack plugin proof.
  • Plugins/ACPX: accept an optional args array in agents.<name> config so paths and flag values containing spaces stay intact when spawning ACP agent processes. Thanks @TheArchitectit and @BunsDev.
  • Agents: inject the current provider/model identity into system prompts, including configured prompt overrides and CLI hook prompt replacements, so agents can answer model-identity questions from the actual runtime selection.
  • Plugins/CLI: add the optional bundled oc-path plugin, providing openclaw path for surgical oc:// access to markdown, JSONC, and JSONL workspace files.
  • Plugins/SDK: add unified model catalog registration for text, image, video, and music providers, including providerCatalogEntry manifests, shared media list help, live catalog caching, and per-model video capability overlays.
  • Plugin SDK: add presentation helpers for controls-only interactive rendering and opt-in empty fallback text so rich channel renderers can share MessagePresentation semantics without duplicating native cards or components.
  • CLI: make parser, startup, config, guardrail, channel, agent, task, session, and MCP failures explain what happened and point to the next recovery command.
  • GitHub Copilot: refresh the model catalog from ${baseUrl}/models so per-account entitlement and accurate context windows surface at runtime; static manifest catalog (now including gpt-5.5) remains the fallback when discovery is disabled or the API is unreachable.
  • Active Memory: support concrete plugins.entries.active-memory.config.toolsAllow recall tool names for custom memory plugins while keeping the built-in memory-core default on memory_search/memory_get and preserving memory_recall automatically for plugins.slots.memory: "memory-lancedb".
  • Telegram: share the grammY API throttler across polling and ad hoc send clients for the same bot token, so visible draft previews and CLI sends use one quota gate. Thanks @anagnorisis2peripeteia.
  • Telegram/Feishu: honor configured per-agent and global reasoningDefault values when deciding whether channel reasoning previews should stream or stay hidden, addressing the preview-default part of #73182. Thanks @anagnorisis2peripeteia.
  • Docker: run the runtime image under tini so long-lived containers reap orphaned child processes and forward signals correctly. (#77885) Thanks @VintageAyu.
  • Logging/redaction: redact quoted HTTP client secret fields and auth/cookie headers in shared log and formatted error output. Related #71211 and #65623. (#75033) Thanks @liaoandi.
  • Gateway/SDK: document and stabilize the task ledger RPC surface for tasks.list, tasks.get, and tasks.cancel, including generated Swift model typing for optional task summaries. Thanks @BunsDev.
  • Google/Gemini: normalize retired google/gemini-3-pro-preview and google-gemini-cli/gemini-3-pro-preview selections to google/gemini-3.1-pro-preview before they are written to model config.
  • Google/Gemini: emit canonical google/gemini-3.1-pro-preview ids from configured provider catalog rows so model list and selection paths can test Gemini 3.1 instead of retired Gemini 3 Pro.
  • Google/Gemini: normalize nested proxy-provider catalog ids like google/gemini-3-pro-preview to google/gemini-3.1-pro-preview, so Kilo-style configured catalogs test Gemini 3.1 instead of the retired Gemini 3 Pro id.
  • Google/Gemini: canonicalize provider-onboarding model alias maps so setup flows preserve settings under google/gemini-3.1-pro-preview instead of re-emitting retired Gemini 3 Pro config keys.
  • Google/Gemini: canonicalize retired Gemini 3 Pro Preview ids inside Google dynamic model resolution so runtime clones also use google/gemini-3.1-pro-preview.
  • Amazon Bedrock: support serviceTier parameter for Bedrock models, configurable via agents.defaults.params.serviceTier or per-model in agents.defaults.models. Valid values: default, flex, priority, reserved. (#64512) Thanks @mobilinkd.
  • Control UI: read the Quick Settings exec policy badge from tools.exec.security instead of the non-schema agents.defaults.exec.security path, so configured full/deny values render accurately. Fixes #78311. Thanks @FriedBack.
  • Control UI/usage: add transcript-backed historical lineage rollups for rotated logical sessions, with current-instance vs historical-lineage scope controls and long-range presets so usage history stays visible after restarts and updates. Fixes #50701. Thanks @dev-gideon-llc and @BunsDev.
  • Agents/failover: harden state-aware lane suspension by persisting quota resume transitions, restoring configured lane concurrency, preserving non-quota failure reasons, and exporting model failover events through diagnostics OTLP. Thanks @BunsDev.
  • Control UI/Windows: add the SPA-side WebView2 bridge for native hosts so draft text can update the chat composer and the ready handshake is wired through the app lifecycle. (#69633) Thanks @AlexAlves87.
  • Channels/streaming: make progress draft labels scroll away with other progress lines, render structured tool rows as compact emoji/title/details, show web-search queries from provider-native argument shapes, and skip empty Discord apply-patch starts until a patch summary exists. (#79146)
  • Runtime/performance: avoid full-array sorting while auto-selecting providers, resolving supported thinking levels, picking node last-seen timestamps, and extracting Codex usage-limit messages. Thanks @shakkernerd.
  • Plugins/doctor: avoid full-array sorting while selecting ClawHub search/archive results and bounded dreaming doctor entries. Thanks @shakkernerd.
  • Agents/compaction: keep contributor diagnostics to a bounded top-three selection without sorting the full history. Thanks @shakkernerd.
  • Sessions/UI: avoid full-array sorting while selecting ACPX leases, Google Meet calendar events, and latest chat sessions. Thanks @shakkernerd.
  • Plugin SDK: mark direct deliverOutboundPayloads and legacy reply-dispatch bridges as deprecated compatibility substrate, enrich sendDurableMessageBatch with explicit durable send outcomes, migrate bundled send/turn paths off deprecated APIs, and enforce the split with check:deprecated-api-usage.
  • Telegram: preserve the channel-specific 10-option poll cap in the unified outbound adapter so over-limit polls are rejected before send. (#78762) Thanks @obviyus.
  • Telegram/streaming: continue over-limit draft previews in a new message instead of stopping when rendered preview text crosses Telegram's message limit. (#74508) Thanks @anagnorisis2peripeteia.
  • Slack: route handled top-level channel turns in implicit-conversation channels to thread-scoped sessions when Slack reply threading is enabled, keeping the root turn and later thread replies on one OpenClaw session. (#78522) Thanks @zeroth-blip.
  • Telegram: re-probe the primary fetch transport after repeated sticky fallback success so transient IPv4 or pinned-IP fallback promotion can recover without a gateway restart. Fixes #77088. (#77157) Thanks @MkDev11.
  • Runtime/install: raise the supported Node 22 floor to 22.16+ so native SQLite query handling can rely on the node:sqlite statement metadata API while continuing to recommend Node 24. (#78921)
  • Discord/voice: make duplicate same-guild auto-join entries resolve to the last configured channel so moving an agent between voice channels does not keep joining the stale channel.
  • Discord/voice: add realtime /vc modes so Discord voice channels can run as STT/TTS, a realtime talk buffer with the OpenClaw agent brain, or a bidi realtime session with openclaw_agent_consult.
  • Discord/voice: add bounded realtime gateway logs for voice channel joins, realtime model/voice selection, transcripts, consult routing/answers, and playback start, allow OpenAI realtime Discord sessions to disable input-triggered response interruption for echo-heavy rooms while keeping explicit Discord barge-in available for new and already-active speakers, and allow voice turns to target an existing Discord channel agent session.
  • Discord/voice: add voice.realtime.minBargeInAudioEndMs and let the realtime provider own playback clearing, so speaker echo no longer cuts OpenAI realtime model audio at audioEndMs=0 while low-echo rooms can opt back into immediate barge-in with 0.
  • Discord/voice: make agent-proxy the default voice mode so realtime voice acts as the microphone/speaker extension of the routed OpenClaw agent session, with stt-tts remaining available as an explicit fallback.
  • Discord/voice: keep OpenAI realtime bidi consults quiet while the supervisor agent is still working, accept Codex-style conversation.item.done function-call events, and preserve continuing tool results through the gateway relay so the OpenAI realtime bridge reliably routes consults before speaking the final answer.
  • Discord/voice: include a bounded one-line STT transcript preview in verbose voice logs so live voice debugging shows what speakers said before the agent reply.
  • Codex app-server: pin the managed Codex harness and Codex CLI smoke package to @openai/codex@0.129.0, defer OpenClaw integration dynamic tools behind Codex tool search by default, and accept current Codex service-tier values so legacy fast settings survive the stable harness upgrade as priority.
  • Codex app-server: annotate message-tool-only direct chat turns in the dynamic message tool spec so visible replies are sent through message(action="send") instead of staying private. (#79704)
  • Agents/PI: route explicit OpenAI Codex Responses runs through PI's native WebSocket-capable transport and remove OpenClaw's custom OpenAI Responses WebSocket stack while preserving auth injection, run abort signals, and prompt cache boundary stripping.
  • Models/config: allow compat.thinkingFormat values qwen and qwen-chat-template for configured OpenAI-compatible Qwen models, preserving them through catalog normalization and mapping /think levels to enable_thinking or chat_template_kwargs.enable_thinking. Fixes #79677. (#79777) Thanks @indulgeback.
  • Codex app-server: default implicit local stdio app-server permissions to guardian when Codex system requirements disallow the YOLO approval, reviewer, or sandbox value, including hostname-scoped remote sandbox entries, avoiding turn-start failures on managed hosts that permit only reviewed approval or narrower sandboxes.
  • Plugins/install: run managed npm-root install, uninstall, prune, and repair commands from the managed root without a redundant --prefix ., avoiding npm 10.9.3 Arborist crashes on native Windows WhatsApp plugin installs. Fixes #78514. (#78902) Thanks @melihselamett-stack.
  • Discord/voice: stream ElevenLabs TTS directly into Discord playback and send ElevenLabs latency optimization as the documented query parameter so spoken replies can start sooner.
  • Discord/voice: keep TTS playback running when another user starts speaking, ignore new capture during playback to avoid feedback loops, and downgrade expected receive-stream aborts to verbose diagnostics.
  • iMessage: expose native private-API message actions through imsg rpc for reactions, edits, unsends, replies, rich sends, attachments, and group management when imsg status --json reports the required bridge capabilities.
  • Gateway/tasks: reconcile stale CLI run-context tasks whose live run context disappeared even when a child session row remains, and apply the default bounded reload deferral timeout to channel hot reloads so stale task records cannot block Discord/Slack/Telegram reloads forever.
  • Gateway/sessions: keep session-store index writes atomic while skipping durable fsync inside the writer lock, reducing cron and channel-turn starvation on slow filesystems and addressing the session-store strand of #73655. Thanks @mmartoccia.
  • Discord/voice: make openclaw channels capabilities --channel discord --target channel:<id> and channels status --probe audit voice-channel permissions, including auto-join targets, so missing Connect/Speak/Read Message History permissions show up before /vc join.
  • Gateway/restart: expose skipDeferral on the gateway.restart.request RPC and add openclaw gateway restart --safe --skip-deferral so operators can bypass the safe-restart deferral gate when a pinned task run prevents the OpenClaw-aware restart from draining. Surfaces the existing internal scheduleGatewaySigusr1Restart({ skipDeferral }) semantics added in #71637 to a public surface, complementing gateway.reload.deferralTimeoutMs. Refs #76162. Thanks @solomonneas.
  • Discord/streaming: default Discord replies to progress draft previews so tool/work activity appears in one edited Discord message unless channels.discord.streaming.mode is set to off.
  • OpenAI/realtime: default realtime voice to gpt-realtime-2, use the GA Realtime WebSocket session shape for backend OpenAI bridges, and cover backend, WebRTC, Google Live, and Gateway relay paths in the live Talk smoke. (#79130)
  • Update/Windows: spawn the post-core-update child process with stdio:"pipe" on Windows so PowerShell/CMD console handles are not inherited, preventing the terminal from hanging after openclaw update completes. Fixes #78445. (#78483) Thanks @Beandon13.
  • Plugins/install: add npm-pack:<path.tgz> installs so local npm pack artifacts run through the same managed npm-root install, lockfile verification, dependency scan, and install-record path as registry npm plugins.
  • Channels/plugins: show configured official external channels as missing-plugin status rows and send errors with exact install/doctor repair commands after raw package-manager upgrades leave Feishu or WhatsApp uninstalled. Fixes #78702 and #78593. Thanks @MarkMa84 and @mkupiainen.
  • Matrix: move the Matrix channel back to an official external ClawHub/npm plugin so core installs no longer need Matrix SDK runtime dependencies.
  • Matrix: attach com.openclaw.presentation metadata to semantic presentation replies so OpenClaw-aware Matrix clients can render rich buttons, selects, context rows, and dividers while stock clients keep the plain text fallback. (#73312) Thanks @kakahu2015.
  • Codex app-server: disarm the short post-tool completion watchdog after current-turn activity, expose appServer.turnCompletionIdleTimeoutMs, and include raw assistant item context in idle-timeout diagnostics so status-only post-tool stalls stop failing as idle. Fixes #77984. Thanks @roseware-dev and @rubencu.
  • Plugin skills/Windows: publish plugin-provided skill directories as junctions on Windows so standard users without Developer Mode can register plugin skills without symlink EPERM failures. Fixes #77958. (#77971) Thanks @hclsys and @jarro.
  • Shell env/Windows: hide the login-shell environment probe child window so gateway startup and shell-env refreshes do not flash a console on Windows. Fixes #78159. (#78266) Thanks @BradGroux.
  • MS Teams: surface blocked Bot Framework egress by logging JWKS fetch network failures and adding a Bot Connector send hint for transport-level reply failures. Fixes #77674. (#78081) Thanks @Beandon13.
  • Gateway/sessions: fast-path already-qualified model refs while building session-list rows so openclaw sessions and Control UI session lists avoid heavyweight model resolution on large stores. (#77902) Thanks @ragesaq.
  • Contributor PRs: remind external contributors to redact private information like IP addresses, API keys, phone numbers, and non-public endpoints from real behavior proof. Thanks @pashpashpash.
  • ACP bridge: relay Gateway exec approval prompts from active ACP turns to the ACP client's session/request_permission handler before resolving the Gateway approval. Thanks @amknight.
  • Codex/plugins: enable migrated source-installed openai-curated Codex plugins in the same Codex harness thread with explicit codexPlugins config, cached app readiness, and fail-closed destructive-action policy. Thanks @kevinslin.
  • Codex/plugins: enforce native plugin destructive-action policy with Codex app-level destructive_enabled config instead of OpenClaw-maintained per-tool deny lists, leave plugin app open_world_enabled on by default, and invalidate existing plugin app thread bindings so old generated app config is rebuilt. Thanks @kevinslin.
  • PR triage: mark external pull requests with proof: supplied when Barnacle finds structured real behavior proof, keep stale negative proof labels in sync across CRLF-edited PR bodies, and let ClawSweeper own the stronger proof: sufficient judgement.
  • ACPX/Codex: preserve trusted Codex project declarations when launching isolated Codex ACP sessions, avoiding interactive trust prompts in headless runs. Thanks @Stedyclaw.
  • ACPX/Codex: reap stale OpenClaw-owned ACPX/Codex ACP process trees on startup and after ACP session close, preventing orphaned harness processes from slowing the Gateway. Thanks @91wan.
  • ACP bridge: implement stable session list, resume, and close handlers so ACP clients can page Gateway sessions, rebind existing sessions without replay, and close bridge sessions cleanly. Thanks @amknight.
  • ACP bridge: replay complete ledger-backed ACP sessions on load, including user prompts, tool updates, session metadata, and usage snapshots, while keeping older sessions on the existing transcript fallback. Thanks @amknight.
  • ACP sessions: allow parent agents to inspect and message their own spawned cross-agent ACP sessions without enabling broad agent-to-agent visibility. Thanks @barronlroth.
  • Talk/voice: unify realtime relay, transcription relay, managed-room handoff, Voice Call, Google Meet, VoiceClaw, and native clients around a shared Talk session controller and add the Gateway-managed talk.session.* RPC surface.
  • Diagnostics/Talk: export bounded Talk lifecycle/audio metrics and session recovery metrics through OpenTelemetry and Prometheus without exposing transcripts, audio payloads, room ids, turn ids, or session ids.
  • Logging/Talk: route shared Talk lifecycle events into bounded file and OTLP log records while keeping transcript text, audio payloads, turn ids, call ids, and provider item ids out of logs.
  • Voice Call/realtime: add opt-in OpenClaw agent voice context capsules and consult-cadence guidance so Gemini/OpenAI realtime calls can sound like the configured agent without consulting the full agent on every ordinary turn. Thanks @scoootscooob.
  • Telegram/streaming: keep draft preview rotation from reusing a pre-tool assistant preview after visible tool or media output lands between compaction replay and the next assistant message. Thanks @vincentkoc.
  • Telegram/performance: skip non-forum topic-cache setup, defer status reaction variant work until reactions are needed, and reuse ack reaction gating during message context assembly. Thanks @vincentkoc.
  • CLI/migrate: add bulk on/off and skip controls to interactive Codex skill migration, leaving conflicting skill copies unchecked by default. (#77597) Thanks @kevinslin.
  • CLI/migrate: show native Codex plugin names before truncated plan items and prompt for plugin activation explicitly during interactive Codex migration instead of silently keeping every planned plugin. Thanks @kevinslin.
  • CLI/migrate: leave already configured target Codex plugins unchecked in the interactive plugin selector and show a plugin exists conflict hint while keeping new plugin activations selected by default. Thanks @kevinslin.
  • CLI/migrate: return cleanly without apply confirmation when interactive Codex migration leaves both skill copies and native plugin activations unselected. Thanks @kevinslin.
  • Cron CLI: add openclaw cron list --agent <id>, normalize the requested agent id, and include jobs without a stored agent id under the configured default agent while keeping cron list unfiltered when no agent is supplied. Fixes #77118. Thanks @zhanggttry.
  • Slack/performance: reduce message preparation, stream recipient lookup, and thread-context allocation overhead on Slack reply hot paths. Thanks @vincentkoc.
  • Control UI/chat: strip untrusted sender metadata from live streams and transcript display, preserve canvas preview anchors, and stop operator UI clients from injecting their internal client id as sender identity. Fixes #78739. Thanks @tmimmanuel, @guguangxin-eng, @hclsys, and @BunsDev.
  • Control UI/chat: collapse consecutive duplicate text messages into one bubble with a count so repeated text-only messages stay compact without hiding nearby context.
  • Control UI/chat and Sessions: label inherited thinking defaults separately from explicit overrides while preserving provider-supplied option labels. Fixes #77581. Thanks @BunsDev and @Beandon13.
  • Agents/runtime: add prepared runtime foundation contracts for carrying provider, model, tool, TTS, and outbound runtime facts through later reply-path migrations. Thanks @mcaxtr.
  • Control UI/WhatsApp: keep Show QR available for unlinked WhatsApp accounts while switching linked accounts to the explicit Relink action and showing Wait for scan only when a QR is active. Thanks @BunsDev.
  • Gateway/performance: reuse the compatible plugin metadata snapshot across dashboard and channel agent turns so auto-enabled runtime config does not repeatedly rescan plugin metadata before provider calls. Thanks @shakkernerd.
  • Gateway/performance: reuse current plugin metadata for provider activation, auth/env candidate lookup, and bundle settings during dashboard and channel agent turns while keeping the configless secret-target cache unscoped and refusing stale unscoped reuse when plugin discovery roots differ. Thanks @shakkernerd.
  • Gateway/performance: avoid resolving plugin auto-enable metadata twice in one runtime config pass, reducing repeated dashboard turn metadata scans. Thanks @shakkernerd.
  • Auth/providers: pass config and workspaceDir lookup context through to provider-id resolution so workspace-scoped auth aliases resolve correctly when no explicit alias map is supplied. Thanks @shakkernerd.
  • Gateway/diagnostics: add startup phase spans, active work labels, stale terminal bridge markers, and opt-in sync-I/O tracing in pnpm gateway:watch so slow Gateway turns are easier to attribute from logs and stability diagnostics.
  • QA/Mantis: add an opt-in Discord thread attachment before/after scenario that creates a real thread, calls message.thread-reply with filePath, and captures baseline/candidate screenshot evidence.
  • Discord: preserve filePath and path attachments when replying to a thread with the message tool.
  • QA/Mantis: add visual desktop tasks with Crabbox MP4 recording, screenshot capture, and optional image-understanding assertions, and preserve video artifacts in Mantis before/after reports.
  • QA/WhatsApp: add pnpm openclaw qa whatsapp for live DM canary and pairing-gate coverage using two pre-linked WhatsApp Web sessions from the QA credential pool.
  • CI/Crabbox: default owned AWS fallback to standard multi-region capacity with broker hints enabled, reserving beast for explicit CPU-bound maintainer lanes.
  • Plugins/install: run managed npm-root install, rollback, repair, and uninstall mutations with legacy peer resolution so removing one plugin cannot rehydrate a stale registry openclaw package into the shared root. Thanks @vincentkoc.
  • Plugin SDK: add openclaw/plugin-sdk/channel-message lifecycle helpers for defineChannelMessageAdapter, deliverInboundReplyWithMessageSendContext, send/receive/live/state contracts, durable final-delivery capability derivation, capability proof helpers, and normalized message receipts.
  • Plugin SDK: add createChannelMessageAdapterFromOutbound so channel plugins can derive durable message adapters from proven outbound adapters without duplicating send/receipt bridge code.
  • Plugin SDK: add actions.prepareSendPayload(...) so channel plugins can shape message-tool sends into durable payloads while core owns queueing, hooks, retry, recovery, and acknowledgements.
  • Plugin SDK: make the legacy channel-reply-pipeline subpath a compatibility wrapper over the shared reply core while steering root compat deprecations toward plugin-sdk/channel-message.
  • Plugin SDK: move Discord, Slack, Mattermost, and Matrix live-preview finalization onto plugin-sdk/channel-message and attach message receipts to Telegram finalized previews plus Teams native stream finals, so preview edits and stream finals are represented in the message lifecycle instead of draft-only helpers.
  • Telegram: persist the polling restart watermark after successful update dispatch instead of at handler entry, leaving failed updates retryable while still coalescing completed offsets safely.
  • Plugin SDK/fs-safe: expose reusable atomic replacement, sibling-temp writes, and cross-device move fallback helpers through plugin-sdk/security-runtime, and move OpenClaw's duplicated safe filesystem write paths onto the shared @openclaw/fs-safe package.
  • Plugin SDK/fs-safe: route browser, media, channel, and QA external output producers through staged fs-safe writes before final publication. (#78768)
  • Plugin SDK/fs-safe: rename the public temp workspace helpers to tempWorkspace, withTempWorkspace, tempWorkspaceSync, and withTempWorkspaceSync, matching the cleaner @openclaw/fs-safe API before the package is published.
  • Core/performance: trim reply payload routing, heartbeat filtering, tool display, core tool assembly, channel directory, task status, and Slack approval formatting helper chains with direct bounded scans. Thanks @vincentkoc.
  • Control UI/performance: keep chat, config, and channel refreshes responsive by decoupling slow history/schema/status work, reducing the client history window, and logging over-budget chat/config renders. Refs #77060, #45698, #47979, #44107. Thanks @BunsDev.
  • QA/Mantis: reuse Crabbox desktop/browser capture tooling and pnpm store caches during Slack desktop smoke runs, reducing per-scenario setup work before screenshots and videos are captured.
  • QA/Mantis: add Slack desktop hydrate modes and per-phase timing reports so warm prehydrated VNC leases can skip source install/build while cold runs still prove the full source checkout.
  • QA/Mantis: pass the runtime env through desktop-browser Crabbox and artifact-copy child commands, so embedded Mantis callers can provide Crabbox credentials without mutating the parent process. Thanks @vincentkoc.
  • QA/Mantis: return the copied Slack desktop screenshot path even when remote Slack QA fails, so the CLI still prints the failure screenshot artifact. Thanks @vincentkoc.
  • QA/Mantis: accept Blacksmith Testbox tbx_... lease ids from desktop smoke warmup, so provider overrides do not fail before inspect/run. Thanks @vincentkoc.
  • Plugins/SDK: add bounded before_agent_finalize retry instructions so workflow plugins can request one more model pass. Thanks @100yenadmin.
  • Plugin SDK: add plugin-owned SessionEntry slot projection and scoped trusted-policy session extension reads. (#75609; replaces part of #73384/#74483) Thanks @100yenadmin.
  • Plugins/SDK: expose host-derived tool target paths to before_tool_call and trusted policy hooks so workflow plugins can reason about known file targets without reparsing tool envelopes. (#75605) Thanks @100yenadmin.
  • Control UI/WebChat: show a persistent compact context usage indicator from fresh session token data before the high-pressure warning state, while keeping the existing compaction prompt threshold. Fixes #46398; refs #45048, #50071, and #73744. Thanks @walterwkchoy, @AxelrodAI, @Brissux, @vincentkoc, and @BunsDev.
  • Contributor PRs: require external pull requests to include after-fix real behavior proof from a real OpenClaw setup, with terminal screenshots, console output, redacted runtime logs, linked artifacts, and copied live output treated as valid evidence while unit tests, mocks, lint, typechecks, snapshots, and CI remain supplemental only.
  • Plugins/catalog: add an @tencent-weixin/openclaw-weixin external entry pinned to 2.4.1 so onboarding and openclaw channels add can install the Tencent Weixin (personal WeChat) channel by default. (#77269) Thanks @pumpkinxing1.
  • Developer tooling: add checked-in VS Code Gateway debugging configs and an opt-in OUTPUT_SOURCE_MAPS=1 source-map build path for breakpoints in TypeScript source. (#45710) Thanks @SwissArmyBud.
  • Managed proxy: add proxy.loopbackMode for Gateway loopback control-plane traffic, allowing operators to keep the default Gateway loopback bypass, force loopback Gateway traffic through the proxy, or block it. (#77018) Thanks @jesse-merhi.
  • Telegram/native commands: show the current thinking level above the /think level picker so users can see the active setting before changing it. (#78278) Thanks @obviyus.
  • Plugins/hooks: add a before_agent_run pass/block gate that can stop a user prompt before model submission while preserving a redacted transcript entry for the user, and clarify that raw conversation hooks require hooks.allowConversationAccess=true. (#75035) Thanks @jesse-merhi.
  • Config/Nix: keep startup-derived plugin enablement, gateway auth tokens, control UI origins, and owner-display secrets runtime-only instead of rewriting openclaw.json; in Nix mode, config writers, mutating openclaw update, plugin lifecycle mutators, and doctor repair/token-generation now refuse with agent-first nix-openclaw guidance. (#78047) Thanks @joshp123.
  • Plugin SDK: add a generic api.runtime.llm.complete host completion helper with runtime-derived caller attribution, config-gated model/agent overrides, session-bound context-engine access, request-scoped config, audit metadata, and normalized usage attribution. (#64294) Thanks @DaevMithran.
  • Control UI/exec approvals: highlight parsed shell command fragments that may deserve extra review in approval prompts. (#77153) Thanks @jesse-merhi.
  • Channels/iMessage: honor channels.imessage.groups.<chat_id>.systemPrompt (and the groups["*"] wildcard) by forwarding it as GroupSystemPrompt on inbound group turns, mirroring the byte-identical resolver semantics from WhatsApp, where defining the key as an empty string on a specific group suppresses the wildcard fallback. Brings iMessage to parity with the per-group systemPrompt pattern already supported by Discord, Telegram, IRC, Slack, GoogleChat, and the retired BlueBubbles channel. Fixes #78285. (#79383) Thanks @omarshahine.
  • iMessage: add opt-in inbound catchup that replays messages received while the gateway was offline (crash, restart, mac sleep) on next startup. Enable with channels.imessage.catchup.enabled: true; tunables for maxAgeMinutes, perRunLimit, firstRunLookbackMinutes, and maxFailureRetries. Persists a per-account cursor under the OpenClaw state dir (<openclawStateDir>/imessage/catchup/), replays each row through the live dispatch path so allowlists/group policy/dedupe behave identically on replayed and live messages, and force-advances past wedged guids after maxFailureRetries to prevent stuck cursors. Extends the persisted echo-cache retention window so the agent's own outbound rows from before a gap are not re-fed as inbound on replay. Includes a regenerated src/config/bundled-channel-config-metadata.generated.ts so the runtime AJV schema accepts the new channels.imessage.catchup block. Fixes #78649. (#79387) Thanks @omarshahine.
  • Channels/Yuanbao: bump the bundled openclaw-plugin-yuanbao npm spec from 2.11.0 to 2.13.0 in the official external channel catalog and refresh the pinned integrity hash, so fresh installs and catalog-driven reinstalls pick up the newer Yuanbao channel plugin release. (#79620) Thanks @loongfay.
  • Providers/Mistral: add mistral-medium-3-5 to the bundled catalog with reasoning support. Thanks @sliekens.
  • Docs/Mistral: document Medium 3.5 setup, local infer smoke usage, adjustable reasoning, and the Mistral HTTP 400 caveat for reasoning_effort="high" with temperature: 0.

Breaking

  • Channels/iMessage: remove the bundled BlueBubbles channel surface and deprecate BlueBubbles-backed iMessage setup in OpenClaw. Existing channels.bluebubbles configs must migrate to channels.imessage using imsg on a signed-in Mac or an SSH wrapper, and non-macOS default imsg configs now report remote-Mac wrapper guidance.

Fixes

  • Agents/CLI: handle resumed CLI JSONL output and bound supervisor output buffering so resumed runs stay readable without letting noisy child output grow unbounded.

  • Agents/sandbox: include the container workspace path hint in sandbox-root escape errors while preserving shortened host workspace roots. Fixes #79712. Thanks @haumanto and @hclsys.

  • Image generation: honor configured web-fetch SSRF policy across OpenAI, Google, MiniMax, OpenRouter, and Vydra provider requests so RFC2544 fake-IP proxy opt-ins reach generation calls. Fixes #79716. (#79765) Thanks @hclsys.

  • QQBot: route gateway WebSocket connections through the ambient proxy agent so deployments with https_proxy, HTTPS_PROXY, or HTTP_PROXY can reach the QQ gateway. (#72961) Thanks @xialonglee.

  • Agents/subagents: treat sessions_spawn model: "default" as the default-model fallback and ignore ACP-only stream targets for native sub-agent spawns. Fixes #72078. (#72101) Thanks @xialonglee.

  • Agents/failover: stop retrying assistant-prefill format rejections across auth profiles or model fallbacks, surfacing the deterministic provider error instead of requeueing the lane. Fixes #79688. (#79728) Thanks @hclsys.

  • Google/Gemini: resolve missing Gemini 3 Flash catalog rows through the Google provider template path so image-capable media-understanding models keep input: ["text", "image"] instead of falling back to text-only metadata. Fixes #79750. (#79759) Thanks @fenglanhua and @hclsys.

  • Memory/QMD: warn with a manual stale collection removal hint when QMD reports a path/pattern conflict but collection list lacks verifiable metadata, avoiding unsafe stderr-only rebinds. Refs #71783. (#72297) Thanks @MonkeyLeeT.

  • Models/auth: make openclaw models status --check and dashboard auth health honor effective auth profile order while keeping stale profiles visible. (#79685) Thanks @nimbleenigma.

  • Agents/failover: classify bare stream_read_error streaming failures as transient timeouts so configured model fallback runs instead of surfacing the raw transport error. Fixes #79689. (#79692) Thanks @hekunwang.

  • Agents/failover: persist overloaded auth-profile cooldown marks before exhausted fallback summaries surface, so immediate fallback retries honor the recorded cooldown state.

  • Docs/Subagents: correct the listed sub-agent bootstrap context files to include SOUL.md, IDENTITY.md, and USER.md. (#79470) Thanks @lastguru-net.

  • Backup: keep live backup archives from copying current agent session transcripts, cron run logs, and delivery queues while preserving workspace lock/temp files and keeping --json output parseable when volatile files are skipped. Fixes #72249. (#72251) Thanks @abnershang.

  • Backup: place the temp manifest outside every backed-up asset so backup create --verify still passes when TMPDIR resolves inside a source path (for example ~/.openclaw/tmp), avoiding the duplicate root manifest that otherwise tripped Expected exactly one backup manifest entry, found 2. Fixes #75007. Thanks @YaanFPV.

  • OpenAI/Codex: install the Codex runtime plugin from npm during OpenAI onboarding and load it automatically for implicit OpenAI model routes, while preserving manual PI runtime overrides. Fixes #79358.

  • OpenAI/realtime voice: defer response.create while a realtime response is still active, retry after response.done/response.cancelled, and align GA input transcription/noise-reduction defaults with the Codex realtime reference so Discord/Voice Call consult results can resume speaking instead of tripping the active-response race.

  • OpenAI/realtime voice: avoid duplicate barge-in cancellation requests, log realtime model interruption/cutoff events in Discord voice logs, and treat OpenAI's no-active-response cancellation reply as a completed cancel so Discord voice sessions do not wedge pending speech after fast interruptions.

  • Agents/runtime: strip trailing assistant prefill for Claude-family OpenAI Responses routes, persist prompt/assistant profile cooldown marks before fallback, and show the configured container root in sandbox escape diagnostics. Fixes #79688 and #79712. Thanks @stainlu and @mushuiyu886.

  • Gateway: avoid false degraded event-loop health during rapid health/readiness/status probes unless sustained load has delay co-evidence, while keeping hard delay detection immediate. (#77028) Thanks @rubencu.

  • Markdown: keep blockquote spans off trailing paragraph separators. Fixes #79646.

  • Plugin SDK/LM Studio: recover Harmony plain-text tool calls from LM Studio streams. Fixes #78326.

  • Control UI: refresh the model cache after session_status(model=...) changes a session model. Fixes #79613.

  • Agents/context-engine: share loop-hook checkpoints with the after-turn finalizer so messages are not replayed. Fixes #79630.

  • Codex app-server: keep native hook relays alive for long-running turns so shell and file approvals stay reachable until the configured run window finishes. (#77533) Thanks @rubencu.

  • Gateway/macOS: clear ignored SIGUSR1 restart state, skip redundant package-update restarts when the refreshed LaunchAgent already serves the expected version, and give launchd a 10s throttle plus 20s shutdown window so update restarts do not leave old gateways alive or fight supervisor recovery. Fixes #79577; refs #78699 and #60885. Thanks @BunsDev.

  • Status/Codex: route Codex-harness openai/* usage through the OpenAI Codex quota provider and scope CLI status usage to the default agent auth store so /status and openclaw status --usage show Codex quota windows again. Fixes #79312. Thanks @keshavbotagent.

  • Gateway/agent: pass the session-key agent id into inline image attachment validation so the first image in a fresh per-agent session uses the agent's vision-capable model override instead of the text-only system default. Fixes #79407. Thanks @pandadev66.

  • Gateway/maintenance: prune dedupe overflow against a stable excess count and keep active agent retries from starting duplicate runs after cache eviction. (#73841) Thanks @thesomewhatyou.

  • Control UI/subagents: suppress internal subagent_announce handoff prompts from requester transcripts and hide legacy inter-session wrapper rows so completed subagent results no longer surface runtime context in WebChat history. (#79618) Thanks @joshavant.

  • Discord: preserve username target resolution for Discord outbound sends. (#79076) Thanks @vincentkoc.

  • Gateway/sessions: rotate generated transcript paths when gateway sessions reset, complementing the daily-rollover transcript persistence. (#79076) Thanks @vincentkoc.

  • Dependencies: pin the transitive fast-uri production dependency to 3.1.2 so the production dependency audit no longer resolves the vulnerable <=3.1.1 range. Thanks @shakkernerd.

  • Plugins/install: fail managed npm plugin installs when OpenClaw cannot repair a required plugin-local node_modules/openclaw peer link, preventing that peer-link failure mode from producing unusable @openclaw/codex installs. Refs #79462. Thanks @ai-hpc.

  • Cron/agents: recognize same-target edit/write recovery in isSameToolMutationAction, so a successful write to a path clears an earlier failed edit on the same path. Stops cron from reporting fatal failures when an agent self-heals across edit and write, while preserving same-tool fingerprint matching, blocking different-target writes, and excluding tools (including apply_patch) whose real call args do not produce a stable path fingerprint segment. Fixes #79024. Thanks @RenzoMXD.

  • Gateway/Tailscale: add opt-in gateway.tailscale.preserveFunnel so when tailscale.mode = "serve" and an externally configured Tailscale Funnel route already covers the gateway port, OpenClaw skips re-applying tailscale serve on startup and skips the resetOnExit teardown for that run, keeping operator-managed Funnel exposure alive across gateway restarts. Fixes #57241. Thanks @RenzoMXD.

  • CLI/router: when openclaw <name> does not match a CLI subcommand, check plugin tool manifests first so names like lcm_recent get an agent-tool diagnostic instead of the misleading suggestion to add the tool name to plugins.allow. Fixes #77214. Thanks @100yenadmin.

  • QA-lab/parity: bump the live mock-openai parity baseline from claude-opus-4-6/claude-sonnet-4-6 to claude-opus-4-7/claude-sonnet-4-7 and the candidate alt from gpt-5.4-alt to gpt-5.5-alt in openclaw-release-checks.yml and qa-live-transports-convex.yml, matching the active Opus 4.7 / GPT-5.5 defaults already used elsewhere on main. Carries forward the surface-bump portion of #74290. Thanks @100yenadmin.

  • QA-lab/scenarios: raise the approval-turn-tool-followthrough per-turn fallback timeouts from 20s/30s to 60s so cold mock-gateway parity runs do not flake on the approval-turn chain. Carries forward the timeout-bump portion of #74290. Thanks @100yenadmin.

  • Agents/compaction: keep the recent tail after manual /compact when Pi returns an empty or no-op compaction summary, preventing blank checkpoints from replacing the live context.

  • Native commands: handle slash commands before workspace and agent-reply bootstrap so Telegram /status and other command-only native replies do not wait behind full agent turn setup.

  • Plugins/Nix: allow externally configured plugin roots under /nix/store to load in OPENCLAW_NIX_MODE=1 while keeping normal external plugin hardlink rejection unchanged. Thanks @joshp123.

  • Nextcloud Talk: include the required bot response feature in setup, explain missing --feature response on rejected sends, and surface missing response capability in doctor/status checks. Fixes #78935. (#79657) Thanks @joshavant.

  • fix(discord): gate user allowlist name resolution [AI]. (#79002) Thanks @pgondhi987.

  • fix(msteams): gate startup user allowlist resolution [AI]. (#79003) Thanks @pgondhi987.

  • Infra/fetch-timeout: pass operation and url context to buildTimeoutAbortSignal from the music-generate reference fetch and the Matrix guarded redirect transport, so the fetch timeout reached; aborting operation warning carries actionable structured fields instead of a bare line. Fixes #79195. Thanks @pandadev66.

  • Harden macOS shell wrapper allowlist parsing [AI]. (#78518) Thanks @pgondhi987.

  • macOS/config: reject stale or destructive app fallback config writes before direct replacement and keep rejected payloads as private audit artifacts, so gateway.mode, metadata, and auth are not silently clobbered. Fixes #64973 and #74890. Thanks @BunsDev.

  • Gateway/macOS: include Apple Silicon Homebrew bin and sbin directories in generated LaunchAgent service PATHs and service-audit expectations so openclaw gateway restart keeps Homebrew Node installs reachable. Fixes #79232. Thanks @BunsDev and @TurboTheTurtle.

  • Doctor/OpenAI: stop pinning migrated openai-codex/* routes to the Codex runtime so mixed-provider agents keep automatic PI routing for MiniMax, Anthropic, and other non-OpenAI model switches.

  • Gateway/macOS: openclaw gateway stop now uses launchctl bootout by default instead of unconditionally calling launchctl disable, so KeepAlive auto-recovery still works after unexpected crashes; use the new --disable flag to opt into the persistent-disable behavior when a manual stop should survive reboots. Fixes #77934. Thanks @bmoran1022.

  • Gateway/macOS: repairLaunchAgentBootstrap no longer kickstarts an already-running LaunchAgent, preventing unnecessary service restarts and session disconnects when repair runs against a healthy gateway. Fixes #77428. Thanks @ramitrkar-hash.

  • Gateway/macOS: openclaw gateway stop --disable now persists the LaunchAgent disable bit even after a previous bootout left the service not loaded, keeping the explicit stay-down path reliable. (#78412) Thanks @wdeveloper16.

  • CLI/status: keep lean openclaw status --json off manifest-backed channel discovery so configured-channel checks do not repeatedly rescan plugin metadata. Fixes #79129.

  • Control UI/chat: hide retired and non-public Google Gemini model IDs from chat model catalogs and route the bare gemini-3-pro alias to Gemini 3.1 Pro Preview instead of the shut-down Gemini 3 Pro Preview. Thanks @BunsDev.

  • CLI/infer: canonicalize case-only catalog model refs in infer model run --model so mixed-case provider/model strings resolve to the canonical catalog entry instead of failing with Unknown model. (#78940) Thanks @ai-hpc.

  • CLI/infer: allow explicit local infer model run --model <provider/model> probes to use exact bundled static catalog rows before the provider is written to config, surfacing missing credentials as auth errors instead of Unknown model.

  • CLI/install: refuse state-mutating OpenClaw CLI runs as root by default, keep an explicit OPENCLAW_ALLOW_ROOT=1 escape hatch for intentional root/container use, and update DigitalOcean setup guidance to run OpenClaw as a non-root user. Fixes #67478. Thanks @Jerry-Xin and @natechicago.

  • Auto-reply/media: resolve scp from PATH when staging sandbox media so nonstandard OpenSSH installs can copy remote attachments.

  • Agents/PI: route PI-native OpenAI-compatible default streams through OpenClaw boundary-aware transports so local-compatible model runs keep API-key injection and transport policy.

  • Gateway/media: require authenticated owner or admin context for managed outgoing image bytes instead of trusting requester-session headers.

  • Doctor/gateway: avoid duplicate Node runtime warnings when the daemon install plan already selected a supported Node runtime.

  • Gateway/nodes: ignore malformed non-string capability entries from live nodes instead of throwing while listing the node catalog.

  • Gateway/pairing: preserve deliberately narrowed role-token scopes when approving device scope upgrades instead of regranting the whole approved baseline.

  • Telegram/ACP: keep chat-bound ACP replies durable by delivering final-only ACP output as final text instead of transient Telegram preview blocks. Thanks @shakkernerd.

  • Telegram: hydrate replied-to messages as a persisted nearest-first reply chain so agents can see observed parent text, media refs, captions, senders, timestamps, and nested replies instead of guessing from a shallow reply id.

  • Gateway/watch: leave OPENCLAW_TRACE_SYNC_IO disabled by default in pnpm gateway:watch:raw so watch mode avoids noisy Node sync-I/O stack traces unless explicitly requested.

  • Codex app-server: close stdio stdin before force-killing the managed app-server, matching Codex single-client shutdown behavior and avoiding unsettled CLI exits after successful runs.

  • CLI/Codex: dispose registered agent harnesses during short-lived CLI shutdown so successful Codex-backed agent --local runs do not leave app-server child processes alive.

  • Agents/Codex: auto-enable the Codex harness plugin for one-shot OpenAI model overrides so openclaw agent --local --model openai/... does not fail with an unregistered codex harness.

  • Gateway/live tests: avoid full model-registry enumeration for explicit provider-qualified live model filters, preventing .profile OpenAI gateway profile runs from hanging before provider dispatch.

  • Gateway/status: surface CLI and gateway runtime versions, warn about stale PATH/global wrappers when they differ, and add stale-wrapper checks to the newer-config warning. Refs #79091. Thanks @RamaAditya49 and @sallyom.

  • Google/Gemini: retry stalled Gemini 3 preview direct API-key streams with a lean first-response payload and share Gemini tool-schema cleanup across direct Google and Gemini CLI providers, so main sessions with coding tools can recover before the LLM idle watchdog fires. (#79668) Thanks @joshavant.

  • Providers: preserve non-OK text/event-stream response bodies so provider HTTP errors keep their JSON detail instead of collapsing to generic streaming failures. Fixes #78180.

  • Gateway/auth: make explicit trusted-proxy mode fail closed instead of accepting local password fallback credentials after trusted-proxy identity checks fail. Fixes #78684.

  • Active memory: treat Google Chat spaces/... conversation ids as scoped targets instead of runnable channel names so recall runs no longer fail bundled-plugin dirName validation. Fixes #78918.

  • Active memory: make /active-memory status honor the configured agent allowlist instead of reporting on for agents where recall is disabled. Fixes #78986.

  • Mistral: normalize structured OpenAI-compatible completions content blocks so thinking objects are not persisted as [object Object] visible reply text. Fixes #78846.

  • Tools/session status: render the active heartbeat/run model for session_status({"sessionKey":"current"}) instead of falling back to the persisted session default. Fixes #77493.

  • Doctor/secrets: allow safe inherited exec SecretRef passEnv names such as HOME while still blocking dangerous runtime env hooks. Fixes #78216.

  • Chat commands: make /model default reset the session model override instead of treating it as a literal model name. Fixes #78182.

  • Cron: make rejected payload.model errors show the configured agents.defaults.models allowlist instead of echoing the rejected model twice. Fixes #79058.

  • Agents/subagents: retry parent wake announces when the announce-summary model run fails with fallback cooldown exhaustion instead of dropping the wake on the first transient provider overload. Refs #78581.

  • Providers/network: honor IPv4 CIDR and octet-wildcard NO_PROXY entries such as 100.64.0.0/10 and 100.64.* before enabling trusted env-proxy mode for model-provider requests. Fixes #79030.

  • Skills: cap skills watcher directory traversal at the same depth used by skill discovery so large non-skill trees under configured skill roots do not exhaust file descriptors on startup. Fixes #75501. Thanks @wzq-xzwj.

  • Docs/Docker: document a local Compose override for Docker Desktop DNS failures in the shared-network openclaw-cli sidecar, keeping the default compose setup hardened while unblocking openclaw plugins install when users opt in. Fixes #79018. Thanks @Jason-Vaughan.

  • Installer: when npm installs openclaw outside the parent shell PATH, print follow-up commands with the resolved binary path instead of telling users to run openclaw from a shell that will report command not found. Fixes #72382. Thanks @jbob762.

  • Plugins/runtime: share MIME and JSON Schema helpers across bundled plugins while preserving canonical media MIME inference, browser URL wildcard semantics, migration home-path resolution, QA request-limit responses, and extensionless text file previews.

  • Agents/memory flush: persist the pre-increment compaction counter after flush-triggered compaction so consecutive eligible compaction cycles run memoryFlush instead of alternating. Fixes #12590. Refs #12760, #26145, and #46513. Thanks @Kaspre, @lailoo, @drvoss, @Br1an67, and @dial481.

  • Compute plugin callback authorization dynamically [AI]. (#78866) Thanks @pgondhi987.

  • Gateway/auth: allow gateway.auth.mode: "none" loopback backend RPC clients to skip device identity only for local non-browser backend connections, restoring subagent spawns and gateway tools without opening remote or browser-origin bypasses. Fixes #75780. Thanks @yozakura-ava.

  • Canvas plugin: keep legacy root canvasHost configs valid until openclaw doctor --fix migrates them into plugins.entries.canvas.config.host, move Canvas/A2UI clients to gateway protocol v4 plugin surfaces, and refresh the generated A2UI bundle hash so normal builds stay clean.

  • feishu: honor config write policy for dynamic agents [AI]. (#78520) Thanks @pgondhi987.

  • fix(skill-workshop): honor pending approval for tool suggestions [AI]. (#78516) Thanks @pgondhi987.

  • BytePlus: mark Kimi K2.5 and Kimi K2 Thinking catalog entries as reasoning-capable, raise their output cap to 32k tokens, and fill Kimi cache-read pricing. Fixes #54149.

  • Control UI/chat: wait for an in-flight model dropdown patch before sending the next chat message, so immediate sends use the selected session model instead of racing the previous override. Fixes #54240.

  • Native chat: decode gateway-provided thinking metadata for the iOS/macOS picker so provider-specific levels such as adaptive, xhigh, and max appear without leaking unsupported default-model options. Thanks @BunsDev.

  • Agents/compaction: cap summarization output reserve tokens to the selected model's maxTokens so 1M-context Anthropic compactions do not request more output than the API permits. Fixes #54383.

  • Control UI/login: replace raw connection failures with structured, actionable login guidance for auth, pairing, insecure HTTP, origin, protocol, and transport failures. Thanks @BunsDev.

  • Agents/tools: fail exec host=node before system.run when the selected node is known to be disconnected, with an actionable reconnect message instead of a raw node invoke failure. Thanks @BunsDev.

  • Agents/models: accept legacy anthropic-cli/* model refs as Claude CLI runtime refs instead of failing model resolution with Unknown model. Thanks @BunsDev.

  • Agents/tools: keep restrictive-profile tool-section warnings scoped to the configured sections whose tools are still missing from alsoAllow, so already re-allowed filesystem tools do not make exec-only fixes look broader than they are. Thanks @BunsDev.

  • Agents/tools: avoid warning messaging-only agents about inherited global tools.exec or tools.fs sections when the agent profile did not configure those tool sections itself. Thanks @BunsDev.

  • Codex dynamic tools: normalize runtime toolsAllow entries the same way as Pi tool policy, so aliases like bash and apply-patch still expose the intended OpenClaw tools. Thanks @BunsDev.

  • Memory/dreaming: read OpenAI-style output_text assistant parts from narrative subagent transcripts, so light-phase Dream Diary entries are not dropped as empty. Thanks @BunsDev.

  • OpenAI-compatible providers: honor compat.supportsTools=false by stripping tool payload fields before dispatch to chat-only endpoints. Fixes #74664.

  • OpenAI-compatible providers: apply model-declared unsupported tool-schema keyword stripping to native OpenAI transport payloads and mark Fireworks Kimi K2.5 as rejecting not schemas. Fixes #75467.

  • OpenAI-compatible gateway: sanitize images supplied through request content even when the prompt text contains no image file references, preventing oversized attachment payloads from bypassing the resize/drop pipeline. Fixes #59913.

  • Auth profiles: normalize inline API keys and tokens loaded from auth-profiles.json so masked or rich-text credential artifacts fail as auth errors instead of crashing HTTP header construction. Fixes #77624.

  • llm-task: resolve configured model aliases before embedded dispatch so model="gemini-flash" and other aliases route to the intended provider instead of the agent default. Fixes #54166.

  • Media generation: resolve slash-containing model-only overrides like fal-ai/flux/dev through registered provider model metadata so FAL image/video models do not get misparsed as provider fal-ai. Fixes #77444.

  • CLI backends: keep versioned OAuth identity matches reusable when auth profile ids rotate, so Claude CLI sessions do not reset and lose continuity during same-account OAuth refresh/profile alias changes. Fixes #78541.

  • Amazon Bedrock: refresh shared AWS profile/config file credentials before Bedrock model, discovery, and embedding requests so long-running Gateway processes pick up renewed profile credentials without restart. Fixes #77551.

  • Amazon Bedrock: treat named aws-sdk auth profiles as config routing metadata instead of stored credentials, and let doctor --fix move legacy markers out of auth-profiles.json. Fixes #69708.

  • Anthropic: reject uppercase provider-prefixed forward-compat model ids locally instead of sending malformed dynamic ids upstream. Fixes #73715.

  • OpenAI/embeddings: pass configured output dimensionality through single and batched embedding requests so memory embedding indexes can request smaller vectors. Fixes #55126.

  • CLI/infer: normalize HEIC/HEIF image files to JPEG before model-run requests, avoiding providers that reject Apple image container formats. Fixes #50081.

  • CLI/infer: fall back to macOS sips when optional image tooling cannot decode HEIC/HEIF input files before model-run requests. Refs #50081.

  • OpenRouter: keep the default openrouter/auto model ref canonical while preventing TUI and Control UI catalog pickers from displaying or submitting openrouter/openrouter/auto. Fixes #62655.

  • Status/Claude CLI: show oauth (claude-cli) for working Claude CLI OAuth runtime sessions instead of unknown when no local auth profile exists. Fixes #78632. Thanks @gorkem2020.

  • Memory search: preserve keyword-only hybrid FTS matches when vector scoring is unavailable or below the configured minimum score, so exact lexical hits are not dropped by weighted min-score filtering.

  • Exec approvals/node: let trusted backend node invokes complete no-device Control UI approvals after the original request connection changes, while keeping node, command, cwd, env, and allow-once replay bindings enforced. Fixes #78569. Thanks @naturedogdog.

  • Agents/subagents: keep background completion delivery on the requester-agent handoff/queue-retry path instead of raw-sending child results directly, and strip child-result wrapper or OpenClaw runtime-context scaffolding from queued outbound retries. Fixes #78531. Thanks @EthanSK.

  • Sandbox: recreate cached browser bridges when JavaScript-evaluation permission changes, keep failed prune removals tracked for retry, and make cross-device directory moves copy-then-commit without partially emptying the source on failure.

  • CLI/completion: guard the shell-profile source line written by openclaw completion --install with a file existence check ([ -f ... ] && source ... for bash/zsh, test -f ...; and source ... for fish) so uninstalling OpenClaw no longer makes new login shells error on a missing completion cache. (#78659) Thanks @sjf.

  • Telegram: fail private-topic sends instead of retrying them as plain DMs when Telegram rejects the topic id, keeping private-topic message_thread_id routing intact. Fixes #79455. (#78575) Thanks @tmimmanuel.

  • Discord/groups: instruct group-chat agents to stay silent when a message is addressed to someone else, replying only when invited or correcting key facts. (#78615)

  • Discord/groups: tell Discord-channel agents to wrap bare URLs as <https://example.com> so link previews do not expand into uninvited embeds. (#78614)

  • Agents/fallback: fail fast on session write-lock timeouts instead of trying fallback models for local file contention. Fixes #66646. Thanks @sallyom.

  • Browser/SSRF: stop closing user-owned Chrome tabs when a read-only operation (snapshot/screenshot/interactions) is rejected by the SSRF guard — only OpenClaw-initiated navigations now close on policy denial. Thanks @scotthuang.

  • Agents/Gateway: throttle and cap live exec command-output events so noisy tool runs cannot flood Gateway WebSocket clients or starve RPC handling. (#78645) Thanks @joshavant.

  • Memory Wiki: skip empty and whitespace-only source pages when refreshing generated Related blocks, preventing blank pages from being rewritten into Related-only stubs. Fixes #78121. Thanks @amknight.

  • Telegram: keep duplicate message-tool-only Codex turns from posting generic silent-reply fallback text, so private finals stay private after inbound dedupe. Thanks @rubencu.

  • Telegram/sessions: gap-fill delivered embedded final replies into the session JSONL even when the runner trace is missing, so Telegram answers after tool calls do not vanish from the durable transcript. Fixes #77814. (#78426) Thanks @obviyus, @ChushulSuri, and @DougButdorf.

  • Cron/heartbeat: let restricted cron-triggered runs read their own status and current-job list metadata again, preventing heartbeat STATUS freshness checks from going stale while preserving self-remove-only mutation limits. Fixes #78208. Thanks @amknight.

  • Channels/cron: ignore stale runtime conversation bindings that point at completed isolated cron run sessions, so follow-up DMs fall back to their normal route instead of reusing a closed cron task prompt. Fixes #78074. Thanks @amknight.

  • ACP: preserve streamed chunk boundaries in background-task progress summaries so CJK text, paths, URLs, and identifiers are no longer split with synthetic spaces. Fixes #78312. Thanks @amknight.

  • Agents/DeepSeek: suppress provider-private DSML transport syntax (tool-use-error, tool-call, function-call shadow blocks) so it never leaks into assistant-visible text; native delta.tool_calls remains the only authoritative tool-call source. (#78331) Thanks @samzong.

  • Agents/subagents: preserve the delegated task prompt when a spawned target agent uses systemPromptOverride, so sessions_spawn(mode: "run") child runs still see their assigned task. Fixes #77950. Thanks @amknight.

  • Node/Windows: fall back to the Startup-folder launcher when Spanish-localized schtasks reports Acceso denegado, matching the existing access-denied fallback path. Fixes #77993. Thanks @jackonedev.

  • Agents/compaction: treat visible custom-message, bash, and branch-summary entries as real conversation anchors so safeguard mode does not write empty fallback summaries for cron and split-turn sessions with substantive tool work. Fixes #78300. Thanks @amknight.

  • Network/runtime: avoid importing Undici's package dispatcher during no-proxy timeout bootstrap so external channel plugin fetch requests with explicit Content-Length keep working. Fixes #78007. Thanks @shakkernerd.

  • Agents/TTS: send media-bearing block replies directly when block streaming is off, so agent tts tool audio attached to a final text reply is delivered instead of being consumed before final Telegram/media delivery. Thanks @Conan-Scott.

  • Gateway/performance: reuse the current compatible plugin metadata snapshot across hot read-only status, channel, auth, skills, and embedded agent settings paths, avoiding repeated synchronous plugin metadata scans during Gateway activity. Fixes #77983. Thanks @shakkernerd.

  • Plugins: dispatch cached descriptor-backed tools by the resolved runtime tool name for unnamed factories, fixing multi-tool plugins whose shared manifest contracts exposed sibling tools but failed at execution. Fixes #78671. Thanks @zanni098.

  • Plugins/update: repair plugin-local openclaw peer links for all recorded npm plugins after any npm update mutates the shared managed npm tree, so targeted or batch updates cannot leave Codex, Discord, or Brave with pruned SDK imports. (#77787) Thanks @ProspectOre.

  • Codex harness: honor models.providers.openai-codex.models[].contextTokens for native openai/* Codex runtime runs and /status context reporting, so subscription-backed Codex agents use the configured OAuth context cap without inflating past the runtime model window. Fixes #77858. Thanks @lilesjtu.

  • Sessions cleanup: add openclaw sessions cleanup --fix-dm-scope so operators who return session.dmScope to main can dry-run and retire stale direct-DM session rows while preserving transcripts as deleted archives. Fixes #47561 and #45554. Thanks @BunsDev.

  • Doctor/Codex: repair legacy openai-codex/* routes to canonical openai/*, keep OpenAI agent turns on Codex by default, ignore stale whole-agent/session runtime pins, preserve explicit provider/model runtime policy, and migrate legacy runtime model refs to model-scoped runtime entries. Thanks @vincentkoc.

  • Video generation: wait up to 20 minutes for slow fal/MiniMax queue-backed jobs, stop forwarding unsupported Google Veo generated-audio options, and normalize MiniMax 720P requests to its supported 768P resolution with the usual override warning/details instead of failing fallback.

  • Channels/durable delivery: preserve channel-specific final reply semantics when using durable sends, including Telegram selected quotes and silent error replies plus WhatsApp message-sending cancellations.

  • Channels/message lifecycle: build legacy channel delivery results from message receipts and add receipts to BlueBubbles, Feishu, Google Chat, iMessage, IRC, LINE, Nextcloud Talk, QQ Bot, Signal, Synology Chat, Tlon, Twitch, WhatsApp, Zalo, and Zalo Personal send results and owner-path reply delivery plus Discord, Matrix, Mattermost, Slack, and Teams send results while preserving existing message id compatibility.

  • iMessage: run durable final replies through the iMessage outbound sanitizer before sending, matching direct auto-reply delivery and preventing assistant-internal scaffolding from leaking through queued delivery.

  • CLI/plugins: handle closed stdin during plugins uninstall confirmation prompt and exit 1 with actionable --force guidance instead of crashing with Node exit 13 unsettled top-level await. Fixes #73562. (#73566) Thanks @ai-hpc.

  • Control UI/Sessions: hide disk-discovered unregistered-agent sessions by default and fall back from restored unconfigured agent session keys before chat refresh, preventing deleted-agent stores from reopening the wrong workspace. Fixes #41685. Thanks @BunsDev.

  • Slack: keep health-monitor recovery stops from poisoning manual-stop state after channel stop timeouts, allowing Socket Mode accounts to reconnect after event-loop stalls instead of staying dead until Gateway restart. Fixes #77651. Thanks @Gusty3055.

  • Codex app-server: ignore account and rate-limit notifications when measuring active-turn liveness and suppress duplicate generic timeout replies after a visible messaging-tool delivery, so lost completion signals no longer keep Telegram/Discord turns active behind a delivered reply. (#79667) Thanks @joshavant.

  • Control UI/Gateway: preserve verified trusted-proxy operator scopes for browser WebSocket sessions so nginx/Authelia deployments can load chat history, models, sessions, nodes, and logs instead of failing with missing operator.read. Fixes #78508. (#79643) Thanks @joshavant.

  • Cloudflare AI Gateway: preserve boundary-aware Anthropic Messages transport when runtime auth creates a custom session stream, keeping the upstream x-api-key header intact for Gateway runs. (#79673) Thanks @joshavant.

  • Webhooks/Gmail/Windows: resolve gcloud, gog, and tailscale PATH/PATHEXT shims before setup and watcher spawns, using the Windows-safe .cmd wrapper for long-lived gog serve processes. (#74881, fixes #54470) Thanks @Angfr95.

  • Control UI/chat: suppress HEARTBEAT_OK acknowledgement history, streams, deltas, and final events before they enter the transcript view, so repeated heartbeat no-op turns do not stack noisy bubbles. Thanks @BunsDev.

  • Agents/skills: require exact <location> skill paths for both single-skill and multi-skill prompt selection, so agents do not guess or hard-code skill file paths. (#74161) Thanks @lanzhi-lee.

  • Agents/skills: rebuild sandboxed non-rw run skill prompts from the sandbox workspace copy, so <available_skills> no longer points at host-only ~/.openclaw/skills paths. Fixes #50590. Thanks @kidroca and @sallyom.

  • Agents/media: tell async music and video completion agents when normal final replies are private, and send completion fallbacks directly to message-tool-only group/channel routes when the completion agent still only writes a private final reply, so generated media does not disappear behind the delivery contract.

  • CLI/update: report corrupt or unloadable managed plugins as post-update warnings instead of disabling them or turning a successful OpenClaw package update into a failed update result. Thanks @vincentkoc and @Patrick-Erichsen.

  • Update/restart: probe managed Gateway restarts with the service environment and add a Docker product lane that exercises candidate-owned openclaw update --yes --json restarts, so SecretRef-backed local gateway auth cannot regress behind mocked restart checks. Thanks @vincentkoc.

  • Gateway/sessions: cache selected model override resolution while building session-list rows so openclaw sessions and Control UI session lists stay responsive on model-heavy stores. (#77650) Thanks @ragesaq.

  • Gateway/diagnostics: make stuck-session recovery outcome-driven and generation-guarded, add diagnostics.stuckSessionAbortMs, and emit structured recovery requested/completed events so stale or skipped recovery no longer looks like a successful abort.

  • Messaging: queue assembled channel-turn final replies before sending to reduce response loss when the gateway restarts between assistant completion and channel delivery. Refs #77000.

  • Agents/replay-history: drop trailing assistant turns whose content is empty or carries only the stream-error sentinel before sending the transcript to the provider, so prefill-strict providers (such as github-copilot/claude-opus-4.6) no longer reject the request with 400 The conversation must end with a user message after a session whose last turn errored before producing content. Refs #77228. (#77287) Thanks @openperf.

  • Agents/session-file-repair: drop type: "message" entries with a missing, null, or blank role during the on-disk repair pass so sessions that accumulated null-role JSONL corruption (such as the 935+ corrupt entries in #77228) get fully cleaned up rather than carried forward into the repaired file. Refs #77228. (#77288) Thanks @openperf.

  • Doctor/device pairing: stop suggesting openclaw devices rotate --role <role> for stale local cached device auth when that role is no longer approved by the gateway pairing record, so doctor no longer points users at a command that must be denied. (#77688) Thanks @Conan-Scott.

  • Ollama/thinking: expose the lightweight Ollama provider thinking profile through the public provider-policy artifact too, so reasoning-capable Ollama models such as ollama/deepseek-v4-pro:cloud keep /think max available even before the full plugin runtime activates. (#77617, fixes #77612) Thanks @rriggs and @yfge.

  • Codex/app-server: stabilize transcript mirror dedupe across re-mirrored turns so reordered snapshots no longer drop reasoning entries or duplicate the assistant reply. Refs #77012. (#77046) Thanks @openperf.

  • Agents/auth-profiles: do not record request-shape (format) rejections as auth-profile health failures, so a single per-session transcript-shape error (such as a prefill-strict 400 "conversation must end with a user message") no longer triggers a profile-wide cooldown that blocks every other healthy session sharing the same auth profile. Refs #77228. (#77280) Thanks @openperf.

  • CLI/update: stop dev-channel source updates immediately when git fetch fails, so tag conflicts cannot keep preflight, rebase, or build steps running against stale refs while the Gateway is still on the old runtime. (#77845) Thanks @obviyus.

  • Config/recovery: chmod restored openclaw.json back to owner-only (0600) after suspicious-read backup recovery on POSIX hosts, so a previously world-readable config mode cannot persist into a freshly restored credential-bearing config. (#77488) Thanks @drobison00.

  • Memory/dreaming: persist last dreaming-ingestion calendar day per daily note in daily-ingestion.json so unchanged notes are still re-ingested once per dreaming day for promotion signals toward deep thresholds. Fixes #76225. (#76359) Thanks @neeravmakwana.

  • Agents/embed: keep message_end safety delivery armed when a silent text_end chunk produces no block reply, fixing dropped Telegram/forum replies. Fixes #77833. (#77840) Thanks @neeravmakwana.

  • Install/postinstall: skip noisy compile-cache prune warnings when EACCES/EPERM prevent removing shared /tmp/node-compile-cache entries owned by another user. Fixes #76353. (#76362) Thanks @RayWoo and @neeravmakwana.

  • Agents/messaging: surface CLI subprocess watchdog/turn timeout messages to chat users when verbose failures are off, instead of collapsing them into generic external-run failure copy. Fixes #77007. (#77015) Thanks @neeravmakwana.

  • Agents/sessions: after embedded Pi runs, append assistant-visible reply text to session JSONL only when Pi did not already persist an equivalent tail assistant entry, without re-mirroring the user prompt Pi owns. Fixes #77823. (#77839) Thanks @neeravmakwana.

  • Plugins/CLI: load the install-records ledger when listing channel-catalog entries, so npm-installed third-party channel plugins resolve through openclaw channels login/channels add instead of failing with Unsupported channel. (#77269) Thanks @pumpkinxing1.

  • Memory wiki/Security: enforce session visibility on shared-memory wiki_search and wiki_get so sandboxed subagents cannot read transcript content from sibling or parent sessions. Fixes GHSA-72fw-cqh5-f324. Thanks @zsxsoft.

  • Exec approvals: enforce allowlist argPattern argument restrictions on Linux and macOS as well as Windows, so an entry like { pattern: "python3", argPattern: "^safe\.py$" } no longer silently relaxes to a path-only match on non-Windows hosts. (#75143) Thanks @eleqtrizit.

  • Agents/compaction: disable Pi auto-compaction whenever OpenClaw effectively owns safeguard compaction, including provider-backed safeguard mode, so Pi and OpenClaw no longer fight over long-session compaction. Fixes #73003. (#73839) Thanks @bradhallett.

  • Telegram/streaming: finalize text replies by stopping the edited stream message instead of sending a second answer bubble, so Telegram turns cannot duplicate the streamed final response. (#77947) Thanks @obviyus.

  • web_search/Brave: fix provider selection when Brave is installed as an external plugin and tools.web.search.provider: "brave" is explicitly configured — a redundant provider re-resolution at startup could race and return an empty list, causing a spurious WEB_SEARCH_PROVIDER_INVALID_AUTODETECT warning and treating the explicitly configured provider as absent. Fixes #77676. Thanks @openperf.

  • Doctor/plugins: discover doctor contracts from load-path channel plugins during openclaw doctor --fix, so plugin-owned legacy config repair runs before validation. (#77477) Thanks @jalehman.

  • Dependencies: bump transitive basic-ftp to 5.3.1 so the runtime lockfile no longer includes the vulnerable 5.3.0 build flagged by the production dependency audit. (#78637) Thanks @sallyom.

  • Hooks/cron: log returned /hooks/agent isolated-run errors and failed cron jobs with cron diagnostic summaries, so rejected payload.model values are visible instead of looking like accepted-but-missing runs. Fixes #78597. (#78655) Thanks @kevinslin.

  • Managed proxy/security: classify raw socket callsites and proxy runtime mutations in boundary checks so new direct egress or unmanaged proxy-state changes cannot land without explicit review. (#77126) Thanks @jesse-merhi.

  • Channels/iMessage: surface the silent group-allowlist drop at default log level by emitting a one-time warn per account at monitor startup when channels.imessage.groupPolicy: "allowlist" is set without a channels.imessage.groups block, plus a one-time warn per chat_id when the runtime gate drops a specific group, naming the exact channels.imessage.groups[...] key to add to allow it. Fixes #78749. (#79190) Thanks @omarshahine.

  • WhatsApp: stop Gateway-originated outbound echoes from advancing inbound activity in openclaw channels status, so outbound self-sends no longer look like handled inbound messages. Fixes #79056. (#79057) Thanks @ai-hpc and @bittoby.

  • Gateway/nodes: preserve the live node registry session and invoke ownership when an older same-node WebSocket closes after reconnecting. (#78351) Thanks @samzong.

  • Browser/downloads: route explicit and managed browser download output directories through fs-safe validation before staging final files, so symlinked output roots are rejected before writes. (#78780) Thanks @jesse-merhi.

  • Agents/PI: skip the idle wait during aborted embedded-run cleanup, so stopped or timed-out runs clear pending tool state and release the session lock promptly. (#74919) Thanks @medns.

  • Agents/current-time: split UTC into a separate Reference UTC: prompt line so local Current time: stays anchored to the user's timezone. (#42654) Thanks @chencheng-li.

  • Agents/reasoning: keep embedded reasoning deltas raw for correct same-line streaming while preserving formatted Telegram, Feishu, Discord, and heartbeat delivery at the channel edge. (#78397) Thanks @medns.

  • Agents/failover: rotate auth profiles before deferred cooldown marking on rate-limit failures, so file-lock contention cannot stall profile failover. Fixes #57281. (#57283) Thanks @jeremyknows.

  • Gateway/sessions: when session.dmScope: "main" is configured, route a bare webchat /new against the agent's main session (sessions.create with emitCommandHooks=true) to an in-place reset instead of creating a parallel dashboard: child, matching /new behavior on Telegram/Discord. Fixes #77434. (#71170) Thanks @statxc.

  • Scripts/UI/Windows: launch .cmd and .bat UI runners through the shared cmd.exe escaping path with shell mode disabled, avoiding Node.js v24 DEP0190 warnings while preserving argument boundaries. (#62910) Thanks @nandanadileep.

  • Agents/CLI runner: disable supervisor stdout/stderr capture for prepared CLI runs while keeping bounded diagnostics and incremental JSONL output parsing, preventing long CLI output from being retained in memory. (#79617) Thanks @samzong.

  • Telegram: treat a DM binding that carries the chat id in both conversationId and parentConversationId as a direct conversation instead of a topic, so reverse delivery for Telegram DMs is not misrouted through a topic-shaped target. (#79700) Thanks @TSHOGX.
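Added example for the Exec approvals entry above (not OpenClaw's own code): a small allowlist matcher that contrasts the relaxed path-only behaviour with enforced argPattern matching, using the entry quoted in that item. The function names, the basename comparison for pattern, and joining arguments with single spaces before testing argPattern are assumptions made for illustration.

```javascript
// Hypothetical matcher; the entry shape is taken from the changelog item,
// everything else is an assumption for illustration.
const allowlist = [
  { pattern: "python3", argPattern: "^safe\\.py$" },
  { pattern: "ls" }, // no argPattern: any arguments are accepted
];

// Last path segment of the executable, for POSIX or Windows separators.
function basename(command) {
  return command.split(/[\\/]/).pop();
}

function matchEntry(entry, argv, enforceArgPattern) {
  const [command, ...args] = argv;
  if (basename(command) !== entry.pattern) return false;
  if (entry.argPattern === undefined) return true;
  // Relaxed mode models the old non-Windows behaviour: argPattern is ignored.
  if (!enforceArgPattern) return true;
  let re;
  try {
    re = new RegExp(entry.argPattern);
  } catch {
    return false; // an invalid pattern fails closed instead of allowing
  }
  // Assumption: the pattern is tested against the space-joined arguments.
  return re.test(args.join(" "));
}

function isAllowed(argv, enforceArgPattern) {
  if (!Array.isArray(argv) || argv.length === 0) return false;
  return allowlist.some((entry) => matchEntry(entry, argv, enforceArgPattern));
}

// Evaluate one command line under both behaviours.
function compare(argv) {
  return { pathOnly: isAllowed(argv, false), enforced: isAllowed(argv, true) };
}

// Constructed sample command lines.
const samples = [
  ["/usr/bin/python3", "safe.py"],
  ["python3", "-c", "print(1)"],
  ["python3", "safe.py", "--extra"],
  ["ls", "-la"],
];
for (const argv of samples) {
  console.log(argv.join(" "), compare(argv));
}
```

Only the first and last samples pass under enforcement; the two middle ones are accepted by the path-only check alone, which is the gap the entry describes.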
