Openclaw Release Notes

Changes

• CLI: add openclaw logs --local-time to display log timestamps in local timezone. (#13818) Thanks @xialonglee.
• Telegram: render blockquotes as native tags instead of stripping them. (#14608)
• Config: avoid redacting maxTokens-like fields during config snapshot redaction, preventing round-trip validation failures in /config. (#14006) Thanks @constansino.

Breaking

• Hooks: POST /hooks/agent now rejects payload sessionKey overrides by default. To keep fixed hook context, set hooks.defaultSessionKey (recommended with hooks.allowedSessionKeyPrefixes: ["hook:"]). If you need legacy behavior, explicitly set hooks.allowRequestSessionKey: true. Thanks @alpernae for reporting.

Fixes

• Gateway/OpenResponses: harden URL-based input_file/input_image handling with explicit SSRF deny policy, hostname allowlists (files.urlAllowlist / images.urlAllowlist), per-request URL input caps (maxUrlParts), blocked-fetch audit logging, and regression coverage/docs updates.
• Security: fix unauthenticated Nostr profile API remote config tampering. (#13719) Thanks @coygeek.
• Security: remove bundled soul-evil hook. (#14757) Thanks @Imccccc.
• Security/Audit: add hook session-routing hardening checks (hooks.defaultSessionKey, hooks.allowRequestSessionKey, and prefix allowlists), and warn when HTTP API endpoints allow explicit session-key routing.
• Security/Sandbox: confine mirrored skill sync destinations to the sandbox skills/ root and stop using frontmatter-controlled skill names as filesystem destination paths. Thanks @1seal.
• Security/Web tools: treat browser/web content as untrusted by default (wrapped outputs for browser snapshot/tabs/console and structured external-content metadata for web tools), and strip toolResult.details from model-facing transcript/compaction inputs to reduce prompt-injection replay risk.
• Security/Hooks: harden webhook and device token verification with shared constant-time secret comparison, and add per-client auth-failure throttling for hook endpoints (429 + Retry-After). Thanks @akhmittra.
• Security/Browser: require auth for loopback browser control HTTP routes, auto-generate gateway.auth.token when browser control starts without auth, and add a security-audit check for unauthenticated browser control. Thanks @tcusolle.
• Sessions/Gateway: harden transcript path resolution and reject unsafe session IDs/file paths so session operations stay within agent sessions directories. Thanks @akhmittra.
• Gateway: raise WS payload/buffer limits so 5,000,000-byte image attachments work reliably. (#14486) Thanks @0xRaini.
• Logging/CLI: use local timezone timestamps for console prefixing, and include ±HH:MM offsets when using openclaw logs --local-time to avoid ambiguity. (#14771) Thanks @0xRaini.
• Gateway: drain active turns before restart to prevent message loss. (#13931) Thanks @0xRaini.
• Gateway: auto-generate auth token during install to prevent launchd restart loops. (#13813) Thanks @cathrynlavery.
• Gateway: prevent undefined/missing token in auth config. (#13809) Thanks @asklee-klawd.
• Gateway: handle async EPIPE on stdout/stderr during shutdown. (#13414) Thanks @keshav55.
• Gateway/Control UI: resolve missing dashboard assets when openclaw is installed globally via symlink-based Node managers (nvm/fnm/n/Homebrew). (#14919) Thanks @aynorica.
• Cron: use requested agentId for isolated job auth resolution. (#13983) Thanks @0xRaini.
• Cron: prevent cron jobs from skipping execution when nextRunAtMs advances. (#14068) Thanks @WalterSumbon.
• Cron: pass agentId to runHeartbeatOnce for main-session jobs. (#14140) Thanks @ishikawa-pro.
• Cron: re-arm timers when onTimer fires while a job is still executing. (#14233) Thanks @tomron87.
• Cron: prevent duplicate fires when multiple jobs trigger simultaneously. (#14256) Thanks @xinhuagu.
• Cron: isolate scheduler errors so one bad job does not break all jobs. (#14385) Thanks @MarvinDontPanic.
• Cron: prevent one-shot at jobs from re-firing on restart after skipped/errored runs. (#13878) Thanks @lailoo.
• Heartbeat: prevent scheduler stalls on unexpected run errors and avoid immediate rerun loops after requests-in-flight skips. (#14901) Thanks @joeykrug.
• Cron: honor stored session model overrides for isolated-agent runs while preserving hooks.gmail.model precedence for Gmail hook sessions. (#14983) Thanks @shtse8.
• Logging/Browser: fall back to os.tmpdir()/openclaw for default log, browser trace, and browser download temp paths when /tmp/openclaw is unavailable.
• WhatsApp: convert Markdown bold/strikethrough to WhatsApp formatting. (#14285) Thanks @Raikan10.
• WhatsApp: allow media-only sends and normalize leading blank payloads. (#14408) Thanks @karimnaguib.
• WhatsApp: default MIME type for voice messages when Baileys omits it. (#14444) Thanks @mcaxtr.
• Telegram: handle no-text message in model picker editMessageText. (#14397) Thanks @0xRaini.
• Telegram: surface REACTION_INVALID as non-fatal warning. (#14340) Thanks @0xRaini.
• BlueBubbles: fix webhook auth bypass via loopback proxy trust. (#13787) Thanks @coygeek.
• Slack: change default replyToMode from "off" to "all". (#14364) Thanks @nm-de.
• Slack: detect control commands when channel messages start with bot mention prefixes (for example, @Bot /new). (#14142) Thanks @beefiker.
• Signal: enforce E.164 validation for the Signal bot account prompt so mistyped numbers are caught early. (#15063) Thanks @Duartemartins.
• Discord: process DM reactions instead of silently dropping them. (#10418) Thanks @mcaxtr.
• Discord: respect replyToMode in threads. (#11062) Thanks @cordx56.
• Heartbeat: filter noise-only system events so scheduled reminder notifications do not fire when cron runs carry only heartbeat markers. (#13317) Thanks @pvtclawn.
• Signal: render mention placeholders as @uuid/@phone so mention gating and Clawdbot targeting work. (#2013) Thanks @alexgleason.
• Discord: omit empty content fields for media-only messages while preserving caption whitespace. (#9507) Thanks @leszekszpunar.
• Onboarding/Providers: add Z.AI endpoint-specific auth choices (zai-coding-global, zai-coding-cn, zai-global, zai-cn) and expand default Z.AI model wiring. (#13456) Thanks @tomsun28.
• Onboarding/Providers: update MiniMax API default/recommended models from M2.1 to M2.5, add M2.5/M2.5-Lightning model entries, and include minimax-m2.5 in modern model filtering. (#14865) Thanks @adao-max.
• Ollama: use configured models.providers.ollama.baseUrl for model discovery and normalize /v1 endpoints to the native Ollama API root. (#14131) Thanks @shtse8.
• Voice Call: pass Twilio stream auth token via instead of query string. (#14029) Thanks @mcwigglesmcgee.
• Feishu: pass Buffer directly to the Feishu SDK upload APIs instead of Readable.from(...) to avoid form-data upload failures. (#10345) Thanks @youngerstyle.
• Feishu: trigger mention-gated group handling only when the bot itself is mentioned (not just any mention). (#11088) Thanks @openperf.
• Feishu: probe status uses the resolved account context for multi-account credential checks. (#11233) Thanks @onevcat.
• Feishu DocX: preserve top-level converted block order using firstLevelBlockIds when writing/appending documents. (#13994) Thanks @Cynosure159.
• Feishu plugin packaging: remove workspace:* openclaw dependency from extensions/feishu and sync lockfile for install compatibility. (#14423) Thanks @jackcooper2015.
• CLI/Wizard: exit with code 1 when configure, agents add, or interactive onboard wizards are canceled, so set -e automation stops correctly. (#14156) Thanks @0xRaini.
• Media: strip MEDIA: lines with local paths instead of leaking as visible text. (#14399) Thanks @0xRaini.
• Config/Cron: exclude maxTokens from config redaction and honor deleteAfterRun on skipped cron jobs. (#13342) Thanks @niceysam.
• Config: ignore meta field changes in config file watcher. (#13460) Thanks @brandonwise.
• Cron: use requested agentId for isolated job auth resolution. (#13983) Thanks @0xRaini.
• Cron: pass agentId to runHeartbeatOnce for main-session jobs. (#14140) Thanks @ishikawa-pro.
• Cron: prevent cron jobs from skipping execution when nextRunAtMs advances. (#14068) Thanks @WalterSumbon.
• Cron: re-arm timers when onTimer fires while a job is still executing. (#14233) Thanks @tomron87.
• Cron: prevent duplicate fires when multiple jobs trigger simultaneously. (#14256) Thanks @xinhuagu.
• Cron: isolate scheduler errors so one bad job does not break all jobs. (#14385) Thanks @MarvinDontPanic.
• Cron: prevent one-shot at jobs from re-firing on restart after skipped/errored runs. (#13878) Thanks @lailoo.
• Daemon: suppress EPIPE error when restarting LaunchAgent. (#14343) Thanks @0xRaini.
• Antigravity: add opus 4.6 forward-compat model and bypass thinking signature sanitization. (#14218) Thanks @jg-noncelogic.
• Agents: prevent file descriptor leaks in child process cleanup. (#13565) Thanks @KyleChen26.
• Agents: prevent double compaction caused by cache TTL bypassing guard. (#13514) Thanks @taw0002.
• Agents: use last API call's cache tokens for context display instead of accumulated sum. (#13805) Thanks @akari-musubi.
• Agents: keep followup-runner session totalTokens aligned with post-compaction context by using last-call usage and shared token-accounting logic. (#14979) Thanks @shtse8.
• Hooks/Plugins: wire 9 previously unwired plugin lifecycle hooks into core runtime paths (session, compaction, gateway, and outbound message hooks). (#14882) Thanks @shtse8.
• Hooks/Tools: dispatch before_tool_call and after_tool_call hooks from both tool execution paths with rebased conflict fixes. (#15012) Thanks @Patrick-Barletta, @Takhoffman.
• Discord: allow channel-edit to archive/lock threads and set auto-archive duration. (#5542) Thanks @stumct.
• Discord tests: use a partial @buape/carbon mock in slash command coverage. (#13262) Thanks @arosstale.
• Tests: update thread ID handling in Slack message collection tests. (#14108) Thanks @swizzmagik.

Added

• iOS: alpha node app + setup-code onboarding. (#11756) Thanks @mbelinky.
• Channels: comprehensive BlueBubbles and channel cleanup. (#11093) Thanks @tyler6204.
• Plugins: device pairing + phone control plugins (Telegram /pair, iOS/Android node controls). (#11755) Thanks @mbelinky.
• Tools: add Grok (xAI) as a web_search provider. (#12419) Thanks @tmchow.
• Gateway: add agent management RPC methods for the web UI (agents.create, agents.update, agents.delete). (#11045) Thanks @advaitpaliwal.
• Web UI: show a Compaction divider in chat history. (#11341) Thanks @Takhoffman.
• Agents: include runtime shell in agent envelopes. (#1835) Thanks @Takhoffman.
• Paths: add OPENCLAW_HOME for overriding the home directory used by internal path resolution. (#12091) Thanks @sebslight.

Fixes

• Telegram: harden quote parsing; preserve quote context; avoid QUOTE_TEXT_INVALID; avoid nested reply quote misclassification. (#12156) Thanks @rybnikov.
• Telegram: recover proactive sends when stale topic thread IDs are used by retrying without message_thread_id. (#11620)
• Telegram: render markdown spoilers with <tg-spoiler> HTML tags. (#11543) Thanks @ezhikkk.
• Telegram: truncate command registration to 100 entries to avoid BOT_COMMANDS_TOO_MUCH failures on startup. (#12356) Thanks @arosstale.
• Telegram: match DM allowFrom against sender user id (fallback to chat id) and clarify pairing logs. (#12779) Thanks @liuxiaopai-ai.
• Onboarding: QuickStart now auto-installs shell completion (prompt only in Manual).
• Auth: strip embedded line breaks from pasted API keys and tokens before storing/resolving credentials.
• Web UI: make chat refresh smoothly scroll to the latest messages and suppress new-messages badge flash during manual refresh.
• Tools/web_search: include provider-specific settings in the web search cache key, and pass inlineCitations for Grok. (#12419) Thanks @tmchow.
• Tools/web_search: normalize direct Perplexity model IDs while keeping OpenRouter model IDs unchanged. (#12795) Thanks @cdorsey.
• Model failover: treat HTTP 400 errors as failover-eligible, enabling automatic model fallback. (#1879) Thanks @orenyomtov.
• Errors: prevent false positive context overflow detection when conversation mentions "context overflow" topic. (#2078) Thanks @sbking.
• Gateway: no more post-compaction amnesia; injected transcript writes now preserve Pi session parentId chain so agents can remember again. (#12283) Thanks @Takhoffman.
• Gateway: fix multi-agent sessions.usage discovery. (#11523) Thanks @Takhoffman.
• Agents: recover from context overflow caused by oversized tool results (pre-emptive capping + fallback truncation). (#11579) Thanks @tyler6204.
• Subagents/compaction: stabilize announce timing and preserve compaction metrics across retries. (#11664) Thanks @tyler6204.
• Cron: share isolated announce flow and harden scheduling/delivery reliability. (#11641) Thanks @tyler6204.
• Cron tool: recover flat params when LLM omits the job wrapper for add requests. (#12124) Thanks @tyler6204.
• Gateway/CLI: when gateway.bind=lan, use a LAN IP for probe URLs and Control UI links. (#11448) Thanks @AnonO6.
• Hooks: fix bundled hooks broken since 2026.2.2 (tsdown migration). (#9295) Thanks @patrickshao.
• Routing: refresh bindings per message by loading config at route resolution so binding changes apply without restart. (#11372) Thanks @juanpablodlc.
• Exec approvals: render forwarded commands in monospace for safer approval scanning. (#11937) Thanks @sebslight.
• Config: clamp maxTokens to contextWindow to prevent invalid model configs. (#5516) Thanks @lailoo.
• Thinking: allow xhigh for github-copilot/gpt-5.2-codex and github-copilot/gpt-5.2. (#11646) Thanks @LatencyTDH.
• Discord: support forum/media thread-create starter messages, wire message thread create --message, and harden routing. (#10062) Thanks @jarvis89757.
• Paths: structurally resolve OPENCLAW_HOME-derived home paths and fix Windows drive-letter handling in tool meta shortening. (#12125) Thanks @mcaxtr.
• Memory: set Voyage embeddings input_type for improved retrieval. (#10818) Thanks @mcinteerj.
• Memory/QMD: reuse default model cache across agents instead of re-downloading per agent. (#12114) Thanks @tyler6204.
• Media understanding: recognize .caf audio attachments for transcription. (#10982) Thanks @succ985.
• State dir: honor OPENCLAW_STATE_DIR for default device identity and canvas storage paths. (#4824) Thanks @kossoy.

Changes

• Models: support Anthropic Opus 4.6 and OpenAI Codex gpt-5.3-codex (forward-compat fallbacks). (#9853, #10720, #9995) Thanks @TinyTb, @calvin-hpnet, @tyler6204.
• Providers: add xAI (Grok) support. (#9885) Thanks @grp06.
• Web UI: add token usage dashboard. (#10072) Thanks @Takhoffman.
• Memory: native Voyage AI support. (#7078) Thanks @mcinteerj.
• Sessions: cap sessions_history payloads to reduce context overflow. (#10000) Thanks @gut-puncture.
• CLI: sort commands alphabetically in help output. (#8068) Thanks @deepsoumya617.
• Agents: bump pi-mono to 0.52.7; add embedded forward-compat fallback for Opus 4.6 model ids.

Fixes

• Telegram: auto-inject DM topic threadId in message tool + subagent announce. (#7235) Thanks @Lukavyi.
• Security: require auth for Gateway canvas host and A2UI assets. (#9518) Thanks @coygeek.
• Cron: fix scheduling and reminder delivery regressions; harden next-run recompute + timer re-arming + legacy schedule fields. (#9733, #9823, #9948, #9932) Thanks @tyler6204, @pycckuu, @j2h4u, @fujiwara-tofu-shop.
• Update: harden Control UI asset handling in update flow. (#10146) Thanks @gumadeiras.
• Security: add skill/plugin code safety scanner; redact credentials from config.get gateway responses. (#9806, #9858) Thanks @abdelsfane.
• Exec approvals: coerce bare string allowlist entries to objects. (#9903) Thanks @mcaxtr.
• Slack: add mention stripPatterns for /new and /reset. (#9971) Thanks @ironbyte-rgb.
• Chrome extension: fix bundled path resolution. (#8914) Thanks @kelvinCB.
• Compaction/errors: allow multiple compaction retries on context overflow; show clear billing errors. (#8928, #8391) Thanks @Glucksberg.

Changes

• Telegram: remove last @ts-nocheck from bot-handlers.ts, use Grammy types directly, deduplicate StickerMetadata. Zero @ts-nocheck remaining in src/telegram/. (#9206)
• Telegram: remove @ts-nocheck from bot-message.ts, type deps via Omit<BuildTelegramMessageContextParams>, widen allMedia to TelegramMediaRef[]. (#9180)
• Telegram: remove @ts-nocheck from bot.ts, fix duplicate bot.catch error handler (Grammy overrides), remove dead reaction message_thread_id routing, harden sticker cache guard. (#9077)
• Onboarding: add Cloudflare AI Gateway provider setup and docs. (#7914) Thanks @roerohan.
• Onboarding: add Moonshot (.cn) auth choice and keep the China base URL when preserving defaults. (#7180) Thanks @waynelwz.
• Docs: clarify tmux send-keys for TUI by splitting text and Enter. (#7737) Thanks @Wangnov.
• Docs: mirror the landing page revamp for zh-CN (features, quickstart, docs directory, network model, credits). (#8994) Thanks @joshp123.
• Messages: add per-channel and per-account responsePrefix overrides across channels. (#9001) Thanks @mudrii.
• Cron: add announce delivery mode for isolated jobs (CLI + Control UI) and delivery mode config.
• Cron: default isolated jobs to announce delivery; accept ISO 8601 schedule.at in tool inputs.
• Cron: hard-migrate isolated jobs to announce/none delivery; drop legacy post-to-main/payload delivery fields and atMs inputs.
• Cron: delete one-shot jobs after success by default; add --keep-after-run for CLI.
• Cron: suppress messaging tools during announce delivery so summaries post consistently.
• Cron: avoid duplicate deliveries when isolated runs send messages directly.
• Fixes
• Heartbeat: allow explicit accountId routing for multi-account channels. (#8702) Thanks @lsh411.
• TUI/Gateway: handle non-streaming finals, refresh history for non-local chat runs, and avoid event gap warnings for targeted tool streams. (#8432) Thanks @gumadeiras.
• Shell completion: auto-detect and migrate slow dynamic patterns to cached files for faster terminal startup; add completion health checks to doctor/update/onboard.
• Telegram: honor session model overrides in inline model selection. (#8193) Thanks @gildo.
• Web UI: fix agent model selection saves for default/non-default agents and wrap long workspace paths. Thanks @Takhoffman.
• Web UI: resolve header logo path when gateway.controlUi.basePath is set. (#7178) Thanks @Yeom-JinHo.
• Web UI: apply button styling to the new-messages indicator.
• Onboarding: infer auth choice from non-interactive API key flags. (#8484) Thanks @f-trycua.
• Security: keep untrusted channel metadata out of system prompts (Slack/Discord). Thanks @KonstantinMirin.
• Security: enforce sandboxed media paths for message tool attachments. (#9182) Thanks @victormier.
• Security: require explicit credentials for gateway URL overrides to prevent credential leakage. (#8113) Thanks @victormier.
• Security: gate whatsapp_login tool to owner senders and default-deny non-owner contexts. (#8768) Thanks @victormier.
• Voice call: harden webhook verification with host allowlists/proxy trust and keep ngrok loopback bypass.
• Voice call: add regression coverage for anonymous inbound caller IDs with allowlist policy. (#8104) Thanks @victormier.
• Cron: accept epoch timestamps and 0ms durations in CLI --at parsing.
• Cron: reload store data when the store file is recreated or mtime changes.
• Cron: deliver announce runs directly, honor delivery mode, and respect wakeMode for summaries. (#8540) Thanks @tyler6204.
• Telegram: include forward_from_chat metadata in forwarded messages and harden cron delivery target checks. (#8392) Thanks @Glucksberg.
• macOS: fix cron payload summary rendering and ISO 8601 formatter concurrency safety.

Changes

• Feishu: add Feishu/Lark plugin support + docs. (#7313) Thanks @jiulingyun (openclaw-cn).
• Web UI: add Agents dashboard for managing agent files, tools, skills, models, channels, and cron jobs.
• Memory: implement the opt-in QMD backend for workspace memory. (#3160) Thanks @vignesh07.
• Security: add healthcheck skill and bootstrap audit guidance. (#7641) Thanks @Takhoffman.
• Config: allow setting a default subagent thinking level via agents.defaults.subagents.thinking (and per-agent agents.list[].subagents.thinking). (#7372) Thanks @tyler6204.
• Docs: zh-CN translations seed + polish, pipeline guidance, nav/landing updates, and typo fixes. (#8202, #6995, #6619, #7242, #7303, #7415) Thanks @AaronWander, @taiyi747, @Explorer1092, @rendaoyuan, @joshp123, @lailoo.

Fixes

• Security: require operator.approvals for gateway /approve commands. (#1) Thanks @mitsuhiko, @yueyueL.
• Security: Matrix allowlists now require full MXIDs; ambiguous name resolution no longer grants access. Thanks @MegaManSec.
• Security: enforce access-group gating for Slack slash commands when channel type lookup fails.
• Security: require validated shared-secret auth before skipping device identity on gateway connect.
• Security: guard skill installer downloads with SSRF checks (block private/localhost URLs).
• Security: harden Windows exec allowlist; block cmd.exe bypass via single &. Thanks @simecek.
• fix(voice-call): harden inbound allowlist; reject anonymous callers; require Telnyx publicKey for allowlist; token-gate Twilio media streams; cap webhook body size (thanks @simecek)
• Media understanding: apply SSRF guardrails to provider fetches; allow private baseUrl overrides explicitly.
• fix(webchat): respect user scroll position during streaming and refresh (#7226) (thanks @marcomarandiz)
• Telegram: recover from grammY long-poll timed out errors. (#7466) Thanks @macmimi23.
• Agents: repair malformed tool calls and session transcripts. (#7473) Thanks @justinhuangcode.
• fix(agents): validate AbortSignal instances before calling AbortSignal.any() (#7277) (thanks @Elarwei001)
• Media understanding: skip binary media from file text extraction. (#7475) Thanks @AlexZhangji.
• Onboarding: keep TUI flow exclusive (skip completion prompt + background Web UI seed); completion prompt now handled by install/update.
• TUI: block onboarding output while TUI is active and restore terminal state on exit.
• CLI/Zsh completion: cache scripts in state dir and escape option descriptions to avoid invalid option errors.
• fix(ui): resolve Control UI asset path correctly.
• fix(ui): refresh agent files after external edits.
• Docs: finish renaming the QMD memory docs to reference the OpenClaw state dir.
• Tests: stub SSRF DNS pinning in web auto-reply + Gemini video coverage. (#6619) Thanks @joshp123.

Changes

• Docs: onboarding/install/i18n/exec-approvals/Control UI/exe.dev/cacheRetention updates + misc nav/typos. (#3050, #3461, #4064, #4675, #4729, #4763, #5003, #5402, #5446, #5474, #5663, #5689, #5694, #5967, #6270, #6300, #6311, #6416, #6487, #6550, #6789)
• Telegram: use shared pairing store. (#6127) Thanks @obviyus.
• Agents: add OpenRouter app attribution headers. Thanks @alexanderatallah.
• Agents: add system prompt safety guardrails. (#5445) Thanks @joshp123.
• Agents: update pi-ai to 0.50.9 and rename cacheControlTtl -> cacheRetention (with back-compat mapping).
• Agents: extend CreateAgentSessionOptions with systemPrompt/skills/contextFiles.
• Agents: add tool policy conformance snapshot (no runtime behavior change). (#6011)
• Auth: update MiniMax OAuth hint + portal auth note copy.
• Discord: inherit thread parent bindings for routing. (#3892) Thanks @aerolalit.
• Gateway: inject timestamps into agent and chat.send messages. (#3705) Thanks @conroywhitney, @CashWilliams.
• Gateway: require TLS 1.3 minimum for TLS listeners. (#5970) Thanks @loganaden.
• Web UI: refine chat layout + extend session active duration.
• CI: add formal conformance + alias consistency checks. (#5723, #5807)

Fixes

• Plugins: validate plugin/hook install paths and reject traversal-like names.
• Telegram: add download timeouts for file fetches. (#6914) Thanks @hclsys.
• Telegram: enforce thread specs for DM vs forum sends. (#6833) Thanks @obviyus.
• Streaming: flush block streaming on paragraph boundaries for newline chunking. (#7014)
• Streaming: stabilize partial streaming filters.
• Auto-reply: avoid referencing workspace files in /new greeting prompt. (#5706) Thanks @bravostation.
• Tools: align tool execute adapters/signatures (legacy + parameter order + arg normalization).
• Tools: treat "*" tool allowlist entries as valid to avoid spurious unknown-entry warnings.
• Skills: update session-logs paths from .clawdbot to .openclaw. (#4502)
• Slack: harden media fetch limits and Slack file URL validation. (#6639) Thanks @davidiach.
• Lint: satisfy curly rule after import sorting. (#6310)
• Process: resolve Windows spawn() failures for npm-family CLIs by appending .cmd when needed. (#5815) Thanks @thejhinvirtuoso.
• Discord: resolve PluralKit proxied senders for allowlists and labels. (#5838) Thanks @thewilloftheshadow.
• Tlon: add timeout to SSE client fetch calls (CWE-400). (#5926)
• Memory search: L2-normalize local embedding vectors to fix semantic search. (#5332)
• Agents: align embedded runner + typings with pi-coding-agent API updates (pi 0.51.0).
• Agents: ensure OpenRouter attribution headers apply in the embedded runner.
• Agents: cap context window resolution for compaction safeguard. (#6187) Thanks @iamEvanYT.
• System prompt: resolve overrides and hint using session_status for current date/time. (#1897, #1928, #2108, #3677)
• Agents: fix Pi prompt template argument syntax. (#6543)
• Subagents: fix announce failover race (always emit lifecycle end; timeout=0 means no-timeout). (#6621)
• Teams: gate media auth retries.
• Telegram: restore draft streaming partials. (#5543) Thanks @obviyus.
• Onboarding: friendlier Windows onboarding message. (#6242) Thanks @shanselman.
• TUI: prevent crash when searching with digits in the model selector.
• Agents: wire before_tool_call plugin hook into tool execution. (#6570, #6660) Thanks @ryancnelson.
• Browser: secure Chrome extension relay CDP sessions.
• Docker: use container port for gateway command instead of host port. (#5110) Thanks @mise42.
• fix(lobster): block arbitrary exec via lobsterPath/cwd injection (GHSA-4mhr-g7xj-cg8j). (#5335) Thanks @vignesh07.
• Security: sanitize WhatsApp accountId to prevent path traversal. (#4610)
• Security: restrict MEDIA path extraction to prevent LFI. (#4930)
• Security: validate message-tool filePath/path against sandbox root. (#6398)
• Security: block LD*/DYLD* env overrides for host exec. (#4896) Thanks @HassanFleyah.
• Security: harden web tool content wrapping + file parsing safeguards. (#4058) Thanks @VACInc.
• Security: enforce Twitch allowFrom allowlist gating (deny non-allowlisted senders). Thanks @MegaManSec.

Changes

• CLI: add completion command (Zsh/Bash/PowerShell/Fish) and auto-setup during postinstall/onboarding.
• CLI: add per-agent models status (--agent filter). (#4780) Thanks @jlowin.
• Agents: add Kimi K2.5 to the synthetic model catalog. (#4407) Thanks @manikv12.
• Auth: switch Kimi Coding to built-in provider; normalize OAuth profile email.
• Auth: add MiniMax OAuth plugin + onboarding option. (#4521) Thanks @Maosghoul.
• Agents: update pi SDK/API usage and dependencies.
• Web UI: refresh sessions after chat commands and improve session display names.
• Build: move TypeScript builds to tsdown + tsgo (faster builds, CI typechecks), update tsconfig target, and clean up lint rules.
• Build: align npm tar override and bin metadata so the openclaw CLI entrypoint is preserved in npm publishes.
• Docs: add pi/pi-dev docs and update OpenClaw branding + install links.
• Fixes
• Security: restrict local path extraction in media parser to prevent LFI. (#4880)
• Gateway: prevent token defaults from becoming the literal "undefined". (#4873) Thanks @Hisleren.
• Control UI: fix assets resolution for npm global installs. (#4909) Thanks @YuriNachos.
• macOS: avoid stderr pipe backpressure in gateway discovery. (#3304) Thanks @abhijeet117.
• Telegram: normalize account token lookup for non-normalized IDs. (#5055) Thanks @jasonsschin.
• Telegram: preserve delivery thread fallback and fix threadId handling in delivery context.
• Telegram: fix HTML nesting for overlapping styles/links. (#4578) Thanks @ThanhNguyxn.
• Telegram: accept numeric messageId/chatId in react actions. (#4533) Thanks @Ayush10.
• Telegram: honor per-account proxy dispatcher via undici fetch. (#4456) Thanks @spiceoogway.
• Telegram: scope skill commands to bound agent per bot. (#4360) Thanks @robhparker.
• BlueBubbles: debounce by messageId to preserve attachments in text+image messages. (#4984)
• Routing: prefer requesterOrigin over stale session entries for sub-agent announce delivery. (#4957)
• Extensions: restore embedded extension discovery typings.
• CLI: fix tui:dev port resolution.
• LINE: fix status command TypeError. (#4651)
• OAuth: skip expired-token warnings when refresh tokens are still valid. (#4593)
• Build: skip redundant UI install step in Dockerfile. (#4584) Thanks @obviyus.