chore(deps): update ghcr.io/openclaw/openclaw docker tag to v2026.4.12 #19
les_clankeurs/openclaw-image-2!19
This PR contains the following updates:
2026.4.11 → 2026.4.12
Release Notes
openclaw/openclaw (ghcr.io/openclaw/openclaw)
v2026.4.12 (Compare Source)
Changes
`openclaw qa credentials` admin commands and broker setup docs. (#65596) Thanks @joshavant.
`/verbose` inspection, advanced prompt/thinking overrides for tuning, and opt-in transcript persistence for debugging. Docs: https://docs.openclaw.ai/concepts/active-memory. (#63286) Thanks @Takhoffman.
`openclaw exec-policy` command with `show`, `preset`, and `set` subcommands for synchronizing requested `tools.exec.*` config with the local exec approvals file, plus follow-up hardening for node-host rejection, rollback safety, and sync conflict detection. (#64050)
`commands.list` RPC so remote gateway clients can discover runtime-native, text, skill, and plugin commands with surface-aware naming and serialized argument metadata. (#62656) Thanks @samzong.
`models.providers.*.request.allowPrivateNetwork` for trusted self-hosted OpenAI-compatible endpoints, keep the opt-in scoped to model request surfaces, and refresh cached WebSocket managers when request transport overrides change. (#63671) Thanks @qas.
`--runner multipass` lane for `openclaw qa suite` so repo-backed QA scenarios can run inside a disposable Linux VM and write back the usual report, summary, and VM logs. (#63426) Thanks @shakkernerd.
`openai/gpt-5.4` path. (#62969, #63808) Thanks @hxy91819.
`openclaw qa telegram` lane for private-group bot-to-bot checks, harden its artifact handling, and preserve native Telegram command reply threading for QA verification. (#64303) Thanks @obviyus.
`codex/gpt-*` models use Codex-managed auth, native threads, model discovery, and compaction while `openai/gpt-*` stays on the normal OpenAI provider path. (#64298) Thanks @steipete.
`memory-wiki` bridge setups. (#63165) Thanks @sercada and @vincentkoc.
Fixes
fix(security): remove busybox/toybox from interpreter-like safe bins [AI-assisted]. (#65713) Thanks @pgondhi987.
fix(approval-auth): prevent empty approver list from granting explicit approval authorization [AI]. (#65714) Thanks @pgondhi987.
fix(security): broaden shell-wrapper detection and block env-argv assignment injection [AI-assisted]. (#65717) Thanks @pgondhi987.
Gateway/startup: defer scheduled services until sidecars finish, gate chat history and model listing during sidecar resume, and let Control UI retry startup-gated history loads so Sandbox wake resumes channels first. (#65365) Thanks @lml2468.
Control UI/chat: load the live gateway slash-command catalog into the composer and command palette so dock commands, plugin commands, and direct skill aliases appear in chat, while keeping trusted local commands authoritative and bounding remote command metadata. (#65620) Thanks @BunsDev.
CLI/update: respawn tracked plugin refresh from the updated entrypoint after package self-updates so `openclaw update` stops failing on stale hashed `dist/install.runtime-*.js` chunk imports. (#65471)
Memory/active-memory: keep recall runs on the resolved channel when wrappers like `mx-claw` are enabled, improve lexical fallback ranking, and keep lexical boosts out of hybrid search so recall finds the right memories more consistently. (#65049, #65395) Thanks @Takhoffman.
Dreaming: consume managed heartbeat events exactly once, stage light-sleep confidence from all recorded short-term signals, wake scheduled jobs immediately, raise dreaming-only promotion enough to cross the durable-memory gate, and stop dreaming from re-ingesting its own narrative transcripts.
Dreaming/narrative: harden transient narrative cleanup by retrying timed-out deletes, scrubbing stale dreaming session artifacts through the lock-aware session-store path, and isolating transient narrative session keys per workspace. (#65320, #61674)
Memory/wiki: preserve Unicode letters, digits, and combining marks in wiki slugs and contradiction clustering, and cap Unicode filename segments to safe byte lengths so non-ASCII titles stop collapsing or overflowing path limits. (#64742) Thanks @zhouhe-xydt.
Memory/short-term recall: allow nested daily notes under `memory/**/YYYY-MM-DD.md` to feed short-term recall, while still excluding generated dream reports under `memory/dreaming/**` so dreaming does not promote its own output. (#64682) Thanks @SARAMALI15792.
UI/WebChat: hide synthetic transcript-repair tool results from chat history reloads so internal recovery markers do not leak into visible chat after reconnects. (#65247) Thanks @wangwllu.
WhatsApp/outbound: fall back to the first `mediaUrls` entry when `mediaUrl` is empty so gateway media sends stop silently dropping attachments that already have a resolved media list. (#64394) Thanks @eric-fr4 and @vincentkoc.
Doctor/Discord: stop `openclaw doctor --fix` from rewriting legacy Discord preview-streaming config into the nested modern shape, so downgrades can still recover without hand-editing `channels.discord.streaming`. (#65035) Thanks @vincentkoc.
Gateway/auth: blank the shipped example gateway credential in `.env.example` and fail startup when a copied placeholder token or password is still configured, so operators cannot accidentally launch with a publicly known secret. (#64586) Thanks @navarrotech and @vincentkoc.
Memory/active-memory+dreaming: keep active-memory recall runs on the strongest resolved channel, consume managed dreaming heartbeat events exactly once, stop dreaming from re-ingesting its own narrative transcripts, and add explicit repair/dedupe recovery flows in CLI, doctor, and the Dreams UI.
Agents/queueing: carry orphaned active-turn user text into the next prompt before repairing transcript ordering, so follow-up messages that arrive mid-run are no longer silently dropped. (#65388) Thanks @adminfedres and @vincentkoc.
Gateway/keepalive: stop marking WebSocket tick broadcasts as droppable so slow or backpressured clients do not self-disconnect with `tick timeout` while long-running work is still alive. (#65256) Thanks @100yenadmin and @vincentkoc.
Matrix/mentions: keep room mention gating strict while accepting visible `@displayName` Matrix URI labels, so `requireMention` works for non-OpenClaw Matrix clients again. (#64796) Thanks @hclsys.
Doctor: warn when on-disk agent directories still exist under `~/.openclaw/agents/<id>/agent` but the matching `agents.list[]` entries are missing from config. (#65113) Thanks @neeravmakwana.
Telegram: route approval button callback queries onto a separate sequentializer lane so plugin approval clicks can resolve immediately instead of deadlocking behind the blocked agent turn. (#64979) Thanks @nk3750.
Telegram/direct sessions: keep commentary-only assistant fallback payloads out of visible direct delivery, so Codex planning chatter cannot leak into Telegram DMs when a run has no `final_answer` text.
Gateway/keepalive: stop marking WebSocket tick broadcasts as droppable so slow or backpressured clients do not self-disconnect with `tick timeout` while long-running work is still alive. (#65436)
Gateway/plugins: always send a non-empty `idempotencyKey` for plugin subagent runs, so dreaming narrative jobs stop failing gateway schema validation. (#65354) Thanks @CodeForgeNet.
Gateway/auth: blank the shipped example gateway credential in `.env.example` and fail startup when a copied placeholder token or password is still configured, so operators cannot accidentally launch with a publicly known secret. (#64586) Thanks @navarrotech.
Plugins/memory-core dreaming: keep bundled `memory-core` loaded alongside an explicit external memory slot owner only when that owner enables dreaming, while preserving `plugins.slots.memory = "none"` disable semantics. (#65411) Thanks @pradeep7127.
Doctor/Discord: stop `openclaw doctor --fix` from rewriting legacy Discord preview-streaming config into the nested modern shape, so downgrades can still recover without hand-editing `channels.discord.streaming`.
Doctor: warn when on-disk agent directories still exist under `~/.openclaw/agents/<id>/agent` but the matching `agents.list[]` entries are missing from config. (#65113) Thanks @neeravmakwana.
CLI/plugins: honor `memory-wiki` when `plugins.allow` is set for `openclaw wiki`, and pass the active app config into the metadata registrar so plugin-owned wiki commands resolve the live plugin config instead of falling back to defaults. (#64779, #65012)
QA/packaging: stop packaged QA helpers from crashing when optional scenario execution config is unavailable, so npm distributions can skip the repo-only scenario pack without breaking completion-cache and startup paths. (#65118) Thanks @EdderTalmor.
Media/audio transcription: surface the real provider failure when every audio transcription attempt fails, so status output and the CLI stop collapsing those errors into generic skips. (#65096) Thanks @l0cka.
Infra/net: fix multipart FormData fields (including `model`) being silently dropped when a guarded runtime fetch body crosses a FormData implementation boundary, restoring OpenAI audio transcription requests that failed with HTTP 400. (#64349) Thanks @petr-sloup.
Dreaming/diary: use the host local timezone for diary timestamps when `dreaming.timezone` is unset, and include the timezone abbreviation so `DREAMS.md` and the UI make local or UTC time explicit. (#65034, #65057)
Dreaming/promotion: raise phase reinforcement enough for repeated dreaming-only revisits to clear the default durable-memory gate after multiple days, instead of stalling just below the score threshold. (#64068) Thanks @vincentkoc.
Dreaming/light-sleep: compute staged candidate confidence from all recorded short-term signals instead of recall-only counts, so dreaming-only entries stop rendering as `confidence: 0.00`. (#64599) Thanks @vincentkoc.
Plugins/memory: restore cached memory capability public artifacts on plugin-registry cache hits so memory-backed artifact surfaces stay visible after warm loads.
Gateway/cron: preserve requested isolated-agent config across runtime reloads so subagent jobs and heartbeat overrides keep the right workspace and heartbeat settings when the hot-loaded snapshot is stale.
Cron/isolated sessions: persist the right transcript path for each isolated run, including fresh session rollovers, so cron runs stop appending to stale session files.
Discord/gateway: clear stale heartbeat timers before reconnecting so zombie gateway callbacks cannot crash the process and drop in-flight replies. (#65009) Thanks @SARAMALI15792.
Matrix/mentions: keep room mention gating strict while accepting visible `@displayName` Matrix URI labels, so `requireMention` works for non-OpenClaw Matrix clients again. (#64796) Thanks @hclsys.
Agents/Anthropic replay: preserve immutable signed-thinking replay safety across stored and live reruns, keep non-thinking embedded `tool_result` user blocks intact, and drop conflicting preserved tool IDs before validation so retries stop degrading into omitted tool calls. (#65126) Thanks @shakkernerd.
Memory/QMD: allow channel sessions in the shipped default QMD scope, while still denying groups.
Memory/QMD: stop registering the legacy lowercase root memory file as a separate default collection, so QMD now prefers `MEMORY.md` and the `memory/` tree without duplicate collection-add warnings.
Memory/memory-core: watch the `memory` directory directly and ignore non-markdown churn so nested note changes still sync on macOS + Node 25 environments where recursive `memory/**/*.md` glob watching fails. (#64711) Thanks @jasonxargs-boop and @vincentkoc.
WhatsApp: centralize per-account connection ownership so reconnects, login recovery, and outbound readiness stay attached to the live socket instead of drifting across monitor and login paths. (#65290) Thanks @mcaxtr and @vincentkoc.
iMessage: retry transient `watch.subscribe` startup failures before tearing down the monitor, and sanitize startup error logging so brief local transport stalls do not immediately bounce the channel or leak raw imsg RPC payloads into logs. (#65393) Thanks @vincentkoc.
CLI/audio providers: report env-authenticated providers as configured in `openclaw infer audio providers --json`, while keeping trusted workspace provider env lookup defaults stable during auth setup. (#65491)
Plugins/install: reinstall bundled runtime packages when the matching platform native optional child is missing, so packaged Windows installs can recover dependencies that were packed on another host OS.
Memory/QMD: preserve explicit `memory.qmd.command` paths, create missing agent workspaces before QMD probes, and keep the current Node binary on QMD subprocess PATH so service and gateway environments do not fall back to builtin search unnecessarily.
Plugins/Lobster: load the published `@clawdbot/lobster/core` runtime in process so bundled Lobster runs stop depending on private package internals. (#64755) Thanks @mbelinky.
Agents/CLI: keep unrelated config, session, transcript, and MCP bootstrap runtime off common `openclaw agent` cold paths so provider selection and agent startup stop stalling on heavyweight imports. Thanks @vincentkoc.
Setup/config/install: stop setup, config dry-runs, and daemon install from eagerly booting auth-profile and plugin repair runtime when those paths are not needed, so onboarding and local service setup avoid long cold-start stalls. Thanks @vincentkoc.
Cron/direct delivery: slim isolated-agent delivery cold paths so direct channel delivery and related cron execution spend less time loading unrelated auth, plugin, and channel runtime. Thanks @vincentkoc.
Channels/replay dedupe: standardize replay claims, retryable-failure release, and post-success commit behavior across Telegram, Discord, Slack, Mattermost, WhatsApp, Matrix, LINE, Feishu, Zalo, Nextcloud Talk, TLON, Nostr, Voice Call, and shared plugin interactive callbacks so duplicate deliveries stay reply-once after success but retry cleanly after pre-delivery failures. Thanks @vincentkoc.
Configuration
📅 Schedule: Branch creation - Every minute ( * * * * * ) (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.