chore(deps): update ghcr.io/openclaw/openclaw docker tag to v2026.4.14 #20

Merged
notarock-s-renovate[bot] merged 1 commit from renovate/docker-images into main 2026-04-15 02:37:37 +00:00
notarock-s-renovate[bot] commented 2026-04-14 14:10:34 +00:00 (Migrated from github.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| ghcr.io/openclaw/openclaw (source) | final | patch | 2026.4.12 → 2026.4.14 |

Release Notes

openclaw/openclaw (ghcr.io/openclaw/openclaw)

v2026.4.14

Compare Source

Changes
  • OpenAI Codex/models: add forward-compat support for gpt-5.4-pro, including Codex pricing/limits and list/status visibility before the upstream catalog catches up. (#​66453) Thanks @​jepson-liu.
  • Telegram/forum topics: surface human topic names in agent context, prompt metadata, and plugin hook metadata by learning names from Telegram forum service messages. (#​65973) Thanks @​ptahdunbar.
Fixes
  • Agents/Ollama: forward the configured embedded-run timeout into the global undici stream timeout tuning so slow local Ollama runs no longer inherit the default stream cutoff instead of the operator-set run timeout. (#​63175) Thanks @​mindcraftreader and @​vincentkoc.
  • Models/Codex: include apiKey in the codex provider catalog output so the Pi ModelRegistry validator no longer rejects the entry and silently drops all custom models from every provider in models.json. (#​66180) Thanks @​hoyyeva.
  • Tools/image+pdf: normalize configured provider/model refs before media-tool registry lookup so image and PDF tool runs stop rejecting valid Ollama vision models as unknown just because the tool path skipped the usual model-ref normalization step. (#​59943) Thanks @​yqli2420 and @​vincentkoc.
  • Slack/interactions: apply the configured global allowFrom owner allowlist to channel block-action and modal interactive events, require an expected sender id for cross-verification, and reject ambiguous channel types so interactive triggers can no longer bypass the documented allowlist intent in channels without a users list. Open-by-default behavior is preserved when no allowlists are configured. (#​66028) Thanks @​eleqtrizit.
  • Media-understanding/attachments: fail closed when a local attachment path cannot be canonically resolved via realpath, so a realpath error can no longer downgrade the canonical-roots allowlist check to a non-canonical comparison; attachments that also have a URL still fall back to the network fetch path. (#​66022) Thanks @​eleqtrizit.
  • Agents/gateway-tool: reject config.patch and config.apply calls from the model-facing gateway tool when they would newly enable any flag enumerated by openclaw security audit (for example dangerouslyDisableDeviceAuth, allowInsecureAuth, dangerouslyAllowHostHeaderOriginFallback, hooks.gmail.allowUnsafeExternalContent, tools.exec.applyPatch.workspaceOnly: false); already-enabled flags pass through unchanged so non-dangerous edits in the same patch still apply, and direct authenticated operator RPC behavior is unchanged. (#​62006) Thanks @​eleqtrizit.
  • Google image generation: strip a trailing /openai suffix from configured Google base URLs only when calling the native Gemini image API so Gemini image requests stop 404ing without breaking explicit OpenAI-compatible Google endpoints. (#​66445) Thanks @​dapzthelegend.
  • Telegram/forum topics: persist learned topic names to the Telegram session sidecar store so agent context can keep using human topic names after a restart instead of relearning from future service metadata. (#​66107) Thanks @​obviyus.
  • Doctor/systemd: keep openclaw doctor --repair and service reinstall from re-embedding dotenv-backed secrets in user systemd units, while preserving newer inline overrides over stale state-dir .env values. (#​66249) Thanks @​tmimmanuel.
  • Ollama/OpenAI-compat: send stream_options.include_usage for Ollama streaming completions so local Ollama runs report real usage instead of falling back to bogus prompt-token counts that trigger premature compaction. (#​64568) Thanks @​xchunzhao and @​vincentkoc.
  • Doctor/plugins: cache external preferOver catalog lookups within each plugin auto-enable pass so large agents.list configs no longer peg CPU and repeatedly reread plugin catalogs during doctor/plugins resolution. (#​66246) Thanks @​yfge.
  • GitHub Copilot/thinking: allow github-copilot/gpt-5.4 to use xhigh reasoning so Copilot GPT-5.4 matches the rest of the GPT-5.4 family. (#​50168) Thanks @​jakepresent and @​vincentkoc.
  • Memory/embeddings: preserve non-OpenAI provider prefixes when normalizing OpenAI-compatible embedding model refs so proxy-backed memory providers stop failing with Unknown memory embedding provider. (#​66452) Thanks @​jlapenna.
  • Agents/local models: clarify low-context preflight hints for self-hosted models, point config-backed caps at the relevant OpenClaw setting, and stop suggesting larger models when agents.defaults.contextTokens is the real limit. (#​66236) Thanks @​ImLukeF.
  • Browser/SSRF: restore hostname navigation under the default browser SSRF policy while keeping explicit strict mode reachable from config, and keep managed loopback CDP /json/new fallback requests on the local CDP control policy so browser follow-up fixes stop regressing normal navigation or self-blocking local CDP control. (#​66386) Thanks @​obviyus.
  • Models/Codex: canonicalize the legacy openai-codex/gpt-5.4-codex runtime alias to openai-codex/gpt-5.4 while still honoring alias-specific and canonical per-model overrides. (#​43060) Thanks @​Sapientropic and @​vincentkoc.
  • Browser/SSRF: preserve explicit strict browser navigation mode for legacy browser.ssrfPolicy.allowPrivateNetwork: false configs by normalizing the legacy alias to the canonical strict marker instead of silently widening those installs to the default non-strict hostname-navigation path.
  • Onboarding/custom providers: use max_tokens=16 for OpenAI-compatible verification probes so stricter custom endpoints stop rejecting onboarding checks that only need a tiny completion. (#​66450) Thanks @​WuKongAI-CMU.
  • Agents/subagents: emit the subagent registry lazy-runtime stub on the stable dist path that both source and bundled runtime imports resolve, so the follow-up dist fix no longer still fails with ERR_MODULE_NOT_FOUND at runtime. (#​66420) Thanks @​obviyus.
  • Media-understanding/proxy env: auto-upgrade provider HTTP helper requests to trusted env-proxy mode only when HTTP_PROXY/HTTPS_PROXY is active and the target is not bypassed by NO_PROXY, so remote media-understanding and transcription requests stop failing local DNS pre-resolution in proxy-only environments without widening SSRF bypasses. (#​52162) Thanks @​mjamiv and @​vincentkoc.
  • Telegram/media downloads: let Telegram media fetches trust an operator-configured explicit proxy for target DNS resolution after hostname-policy checks, so proxy-backed installs stop failing could not download media on Bot API file downloads after the DNS-pinning regression. (#​66245) Thanks @​dawei41468 and @​vincentkoc.
  • Browser: keep loopback CDP readiness checks reachable under strict SSRF defaults so OpenClaw can reconnect to locally started managed Chrome. (#​66354) Thanks @​hxy91819.
  • Agents/context engine: compact engine-owned sessions from the first tool-loop delta and preserve ingest fallback when afterTurn is absent, so long-running tool loops can stay bounded without dropping engine state. (#​63555) Thanks @​Bikkies.
  • OpenAI Codex/auth: keep malformed Codex CLI auth-file diagnostics on the debug logger instead of stdout so interactive command output stays clean while auth read failures remain traceable. (#​66451) Thanks @​SimbaKingjoe.
  • Discord/native commands: return the real status card for native /status interactions instead of falling through to the synthetic ✅ Done. ack when the generic dispatcher produces no visible reply. (#​54629) Thanks @​tkozzer and @​vincentkoc.
  • Hooks/Ollama: let LLM-backed session-memory slug generation honor an explicit agents.defaults.timeoutSeconds override instead of always aborting after 15 seconds, so slow local Ollama runs stop silently dropping back to generic filenames. (#​66237) Thanks @​dmak and @​vincentkoc.
  • Media/transcription: remap .aac filenames to .m4a for OpenAI-compatible audio uploads so AAC voice notes stop failing MIME-sensitive transcription endpoints. (#​66446) Thanks @​ben-z.
  • WhatsApp/Baileys media upload: keep encrypted upload POSTs streaming while still guarding generic-agent dispatcher wiring, so large outbound media sends avoid full-buffer RSS spikes and OOM regressions. (#​65966) Thanks @​frankekn.
  • UI/chat: replace marked.js with markdown-it so maliciously crafted markdown can no longer freeze the Control UI via ReDoS. (#​46707) Thanks @​zhangfnf.
  • Auto-reply/send policy: keep sendPolicy: "deny" from blocking inbound message processing, so the agent still runs its turn while all outbound delivery is suppressed for observer-style setups. (#​65461, #​53328) Thanks @​omarshahine.
  • BlueBubbles: lazy-refresh the Private API server-info cache on send when reply threading or message effects are requested but status is unknown, so sends no longer silently degrade to plain messages when the 10-minute cache expires. (#​65447, #​43764) Thanks @​omarshahine.
  • Heartbeat/security: force owner downgrade for untrusted hook:wake system events [AI-assisted]. (#​66031) Thanks @​pgondhi987.
  • Browser/security: enforce SSRF policy on snapshot, screenshot, and tab routes [AI]. (#​66040) Thanks @​pgondhi987.
  • Microsoft Teams/security: enforce sender allowlist checks on SSO signin invokes [AI]. (#​66033) Thanks @​pgondhi987.
  • Config/security: redact sourceConfig and runtimeConfig alias fields in redactConfigSnapshot [AI]. (#​66030) Thanks @​pgondhi987.
  • Agents/context engines: run opt-in turn maintenance as idle-aware background work so the next foreground turn no longer waits on proactive maintenance. (#​65233) Thanks @​100yenadmin.
  • Plugins/status: report the registered context-engine IDs in plugins inspect instead of the owning plugin ID, so non-matching engine IDs and multi-engine plugins are classified correctly. (#​58766) Thanks @​zhuisDEV.
  • Context engines: reject resolved plugin engines whose reported info.id does not match their registered slot id, so malformed engines fail fast before id-based runtime branches can misbehave. (#​63222) Thanks @​fuller-stack-dev.
  • WhatsApp: patch installed Baileys media encryption writes during OpenClaw postinstall so the default npm/install.sh delivery path waits for encrypted media files to finish flushing before readback, avoiding transient ENOENT crashes on image sends. (#​65896) Thanks @​frankekn.
  • Gateway/update: unify service entrypoint resolution around the canonical bundled gateway entrypoint so update, reinstall, and doctor repair stop drifting between stale dist/entry.js and current dist/index.js paths. (#​65984) Thanks @​mbelinky.
  • Heartbeat/Telegram topics: keep isolated heartbeat replies on the bound forum topic when target=last, instead of dropping them into the group root chat. (#​66035) Thanks @​mbelinky.
  • Browser/CDP: let managed local Chrome readiness, status probes, and managed loopback CDP control bypass browser SSRF policy for their own loopback control plane, so OpenClaw no longer misclassifies a healthy child browser as "not reachable after start". (#​65695, #​66043) Thanks @​mbelinky.
  • Gateway/sessions: stop heartbeat, cron-event, and exec-event turns from overwriting shared-session routing and origin metadata, preventing synthetic heartbeat targets from poisoning later cron or user delivery. (#​66073, #​63733, #​35300) Thanks @​mbelinky.
  • Browser/CDP: let local attach-only manual-cdp profiles reuse the local loopback CDP control plane under strict default policy and remote-class probe timeouts, so tabs/snapshot stop falsely reporting a live local browser session as not running. (#​65611, #​66080) Thanks @​mbelinky.
  • Cron/scheduler: stop inventing short retries when cron next-run calculation returns no valid future slot, and keep a maintenance wake armed so enabled unscheduled jobs recover without entering a refire loop. (#​66019, #​66083) Thanks @​mbelinky.
  • Cron/scheduler: preserve the active error-backoff floor when maintenance repair recomputes a missing cron next-run, so recurring errored jobs do not resume early after a transient next-run resolution failure. (#​66019, #​66083, #​66113) Thanks @​mbelinky.
  • Outbound/delivery-queue: persist the originating outbound session context on queued delivery entries and replay it during recovery, so write-ahead-queued sends keep their original outbound media policy context after restart instead of evaluating against a missing session. (#​66025) Thanks @​eleqtrizit.
  • Memory/Ollama: restore the built-in ollama embedding adapter in memory-core so explicit memorySearch.provider: "ollama" works again, and include endpoint-aware cache keys so different Ollama hosts do not reuse each other's embeddings. (#​63429, #​66078, #​66163) Thanks @​nnish16 and @​vincentkoc.
  • Auto-reply/queue: split collect-mode followup drains into contiguous groups by per-message authorization context (sender id, owner status, exec/bash-elevated overrides), so queued items from different senders or exec configs no longer execute under the last queued run's owner-only and exec-approval context. (#​66024) Thanks @​eleqtrizit.
  • Dreaming/memory-core: require a live queued Dreaming cron event before the heartbeat hook runs the sweep, so managed Dreaming no longer replays on later heartbeats after the scheduled run was already consumed. (#​66139) Thanks @​mbelinky.
  • Control UI/Dreaming: stop Imported Insights and Memory Palace from calling optional memory-wiki gateway methods when the plugin is off, and refresh config before wiki reloads so the Dreaming tab stops showing misleading unknown-method failures. (#​66140) Thanks @​mbelinky.
  • Agents/tools: only mark streamed unknown-tool retries as counted when a streamed message actually classifies an unavailable tool, and keep incomplete streamed tool names from resetting the retry streak before the final assistant message arrives. (#​66145) Thanks @​dutifulbob.
  • Memory/active-memory: move recalled memory onto the hidden untrusted prompt-prefix path instead of system prompt injection, label the visible Active Memory status line fields, and include the resolved recall provider/model in gateway debug logs so trace/debug output matches what the model actually saw. (#​66144) Thanks @​Takhoffman.
  • Memory/QMD: stop treating legacy lowercase memory.md as a second default root collection, so QMD recall no longer searches phantom memory-alt-* collections and builtin/QMD root-memory fallback stays aligned. (#​66141) Thanks @​mbelinky.
  • Agents/subagents: ship dist/agents/subagent-registry.runtime.js in npm builds so runtime: "subagent" runs stop stalling in queued after the registry import fails. (#​66189) Thanks @​yqli2420 and @​vincentkoc.
  • Agents/OpenAI: map minimal thinking to OpenAI's supported low reasoning effort for GPT-5.4 requests, so embedded runs stop failing request validation. Thanks @​steipete.
  • Voice-call/media-stream: resolve the source IP from trusted forwarding headers for per-IP pending-connection limits when webhookSecurity.trustForwardingHeaders and trustedProxyIPs are configured, and reserve maxConnections capacity for in-flight WebSocket upgrades so concurrent handshakes can no longer momentarily exceed the operator-set cap. (#​66027) Thanks @​eleqtrizit.
  • Feishu/allowlist: canonicalize allowlist entries by explicit user/chat kind, strip repeated feishu:/lark: provider prefixes, and stop folding opaque Feishu IDs to lowercase, so allowlist matching no longer crosses user/chat namespaces or widens to case-insensitive ID matches the operator did not intend. (#​66021) Thanks @​eleqtrizit.
  • Telegram/status commands: let read-only status slash commands bypass busy topic turns, while keeping /export-session on the normal lane so it cannot interleave with an in-flight session mutation. (#​66226) Thanks @​VACInc and @​vincentkoc.
  • TTS/reply media: persist OpenClaw temp voice outputs into managed outbound media and allow them through reply-media normalization, so voice-note replies stop silently dropping. (#​63511) Thanks @​jetd1.
  • Agents/tools: treat Windows drive-letter paths (C:\\...) as absolute when resolving sandbox and read-tool paths so workspace root is not prepended under POSIX path rules. (#​54039) Thanks @​ly85206559 and @​vincentkoc.
  • Agents/OpenAI: recover embedded GPT-style runs when reasoning-only or empty turns need bounded continuation, with replay-safe retry gating and incomplete-turn fallback when no visible answer arrives. (#66167) Thanks @jalehman.
  • Outbound/relay-status: suppress internal relay-status placeholder payloads (No channel reply., Replied in-thread., Replied in #..., wiki-update status variants ending in No channel reply.) before channel delivery so internal housekeeping text does not leak to users.
  • Slack/doctor: add a dedicated doctor-contract sidecar so config warmup paths such as openclaw cron no longer fall back to Slack's broader contract surface, which could trigger Slack-related config-read crashes on affected setups. (#​63192) Thanks @​shhtheonlyperson.
  • Hooks/session-memory: pass the resolved agent workspace into gateway /new and /reset session-memory hooks so reset snapshots stay scoped to the right agent workspace instead of leaking into the default workspace. (#​64735) Thanks @​suboss87 and @​vincentkoc.
  • CLI/approvals: raise the default openclaw approvals get gateway timeout and report config-load timeouts explicitly, so slow hosts stop showing a misleading Config unavailable. note when the approvals snapshot succeeds but the follow-up config RPC needs more time. (#​66239) Thanks @​neeravmakwana.
  • Media/store: honor configured agent media limits when saving generated media and persisting outbound reply media, so the store no longer hard-stops those flows at 5 MB before the configured limit applies. (#​66229) Thanks @​neeravmakwana and @​vincentkoc.
  • Plugins/setup-entry: preserve separate setup-entry secrets exports when loading bundled setup-runtime channels, so setup-mode flows keep the channel secret contract for split plugin + secrets entrypoints. (#​66261) Thanks @​hxy91819.

Configuration

📅 Schedule: Branch creation - Every minute ( * * * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
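
The Agents/gateway-tool fix in the release notes above turns on one distinction: a model-issued config patch is refused only when it would newly enable an audited flag, while flags the operator already enabled pass through. The JavaScript sketch below is an added illustration, not OpenClaw code and not part of the Renovate PR; only the flag names come from the release note, and the merge semantics, the suffix matching and the sample config nesting are assumptions.

```javascript
// Added illustration, not OpenClaw source. Flag names are the ones quoted in
// the release note; matching them by dotted-path suffix is an assumption.
const DANGEROUS_RULES = [
  { suffix: "dangerouslyDisableDeviceAuth", value: true },
  { suffix: "allowInsecureAuth", value: true },
  { suffix: "dangerouslyAllowHostHeaderOriginFallback", value: true },
  { suffix: "hooks.gmail.allowUnsafeExternalContent", value: true },
  { suffix: "tools.exec.applyPatch.workspaceOnly", value: false }, // dangerous when false
];

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Recursive merge: objects merge key by key, anything else replaces.
// (Assumed patch semantics.) Never mutates `base`.
function mergePatch(base, patch) {
  if (!isPlainObject(patch)) return patch;
  const out = isPlainObject(base) ? { ...base } : {};
  for (const [key, value] of Object.entries(patch)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing key ${key}`);
    out[key] = mergePatch(out[key], value);
  }
  return out;
}

// Flatten a nested config into a Map of "a.b.c" -> leaf value.
function flatten(obj, prefix = "", out = new Map()) {
  if (!isPlainObject(obj)) return out;
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (isPlainObject(value)) flatten(value, path, out);
    else out.set(path, value);
  }
  return out;
}

// Set of config paths currently sitting at their dangerous value.
function dangerousPaths(config) {
  const hits = new Set();
  for (const [path, value] of flatten(config)) {
    for (const rule of DANGEROUS_RULES) {
      const matches = path === rule.suffix || path.endsWith(`.${rule.suffix}`);
      if (matches && value === rule.value) hits.add(path);
    }
  }
  return hits;
}

// Guard for the model-facing path only: compare the dangerous set before and
// after the merge and refuse the whole call if the patch adds to it.
function guardModelConfigPatch(current, patch) {
  const before = dangerousPaths(current);
  const next = mergePatch(current, patch);
  const newlyEnabled = [...dangerousPaths(next)]
    .filter((path) => !before.has(path))
    .sort();
  if (newlyEnabled.length > 0) {
    return { ok: false, newlyEnabled, config: current };
  }
  return { ok: true, newlyEnabled: [], config: next };
}

// Constructed sample config; the nesting under `gateway` is made up.
const SAMPLE_CONFIG = {
  gateway: { auth: { allowInsecureAuth: true } }, // already enabled by the operator
  tools: { exec: { applyPatch: { workspaceOnly: true } } },
  agents: { defaults: { timeoutSeconds: 60 } },
};

// Restates an already-enabled flag next to a harmless edit: applied.
const PATCH_HARMLESS = {
  gateway: { auth: { allowInsecureAuth: true } },
  agents: { defaults: { timeoutSeconds: 120 } },
};

// Flips workspaceOnly to false: rejected, nothing from the patch is applied.
const PATCH_WIDENING = {
  tools: { exec: { applyPatch: { workspaceOnly: false } } },
  agents: { defaults: { timeoutSeconds: 5 } },
};

console.log(guardModelConfigPatch(SAMPLE_CONFIG, PATCH_HARMLESS).ok);
console.log(guardModelConfigPatch(SAMPLE_CONFIG, PATCH_WIDENING).newlyEnabled);
```

Diffing the dangerous set before and after the merge, rather than scanning the patch alone, is what lets an already-enabled flag ride along with unrelated edits without being treated as a new opt-in.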

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://redirect.github.com/openclaw/openclaw)) | final | patch | `2026.4.12` → `2026.4.14` | --- ### Release Notes <details> <summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary> ### [`v2026.4.14`](https://redirect.github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026414) [Compare Source](https://redirect.github.com/openclaw/openclaw/compare/v2026.4.12...v2026.4.14) ##### Changes - OpenAI Codex/models: add forward-compat support for `gpt-5.4-pro`, including Codex pricing/limits and list/status visibility before the upstream catalog catches up. ([#&#8203;66453](https://redirect.github.com/openclaw/openclaw/issues/66453)) Thanks [@&#8203;jepson-liu](https://redirect.github.com/jepson-liu). - Telegram/forum topics: surface human topic names in agent context, prompt metadata, and plugin hook metadata by learning names from Telegram forum service messages. ([#&#8203;65973](https://redirect.github.com/openclaw/openclaw/issues/65973)) Thanks [@&#8203;ptahdunbar](https://redirect.github.com/ptahdunbar). ##### Fixes - Agents/Ollama: forward the configured embedded-run timeout into the global undici stream timeout tuning so slow local Ollama runs no longer inherit the default stream cutoff instead of the operator-set run timeout. ([#&#8203;63175](https://redirect.github.com/openclaw/openclaw/issues/63175)) Thanks [@&#8203;mindcraftreader](https://redirect.github.com/mindcraftreader) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Models/Codex: include `apiKey` in the codex provider catalog output so the Pi ModelRegistry validator no longer rejects the entry and silently drops all custom models from every provider in `models.json`. ([#&#8203;66180](https://redirect.github.com/openclaw/openclaw/issues/66180)) Thanks [@&#8203;hoyyeva](https://redirect.github.com/hoyyeva). 
- Tools/image+pdf: normalize configured provider/model refs before media-tool registry lookup so image and PDF tool runs stop rejecting valid Ollama vision models as unknown just because the tool path skipped the usual model-ref normalization step. ([#&#8203;59943](https://redirect.github.com/openclaw/openclaw/issues/59943)) Thanks [@&#8203;yqli2420](https://redirect.github.com/yqli2420) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Slack/interactions: apply the configured global `allowFrom` owner allowlist to channel block-action and modal interactive events, require an expected sender id for cross-verification, and reject ambiguous channel types so interactive triggers can no longer bypass the documented allowlist intent in channels without a `users` list. Open-by-default behavior is preserved when no allowlists are configured. ([#&#8203;66028](https://redirect.github.com/openclaw/openclaw/issues/66028)) Thanks [@&#8203;eleqtrizit](https://redirect.github.com/eleqtrizit). - Media-understanding/attachments: fail closed when a local attachment path cannot be canonically resolved via `realpath`, so a `realpath` error can no longer downgrade the canonical-roots allowlist check to a non-canonical comparison; attachments that also have a URL still fall back to the network fetch path. ([#&#8203;66022](https://redirect.github.com/openclaw/openclaw/issues/66022)) Thanks [@&#8203;eleqtrizit](https://redirect.github.com/eleqtrizit). 
- Agents/gateway-tool: reject `config.patch` and `config.apply` calls from the model-facing gateway tool when they would newly enable any flag enumerated by `openclaw security audit` (for example `dangerouslyDisableDeviceAuth`, `allowInsecureAuth`, `dangerouslyAllowHostHeaderOriginFallback`, `hooks.gmail.allowUnsafeExternalContent`, `tools.exec.applyPatch.workspaceOnly: false`); already-enabled flags pass through unchanged so non-dangerous edits in the same patch still apply, and direct authenticated operator RPC behavior is unchanged. ([#&#8203;62006](https://redirect.github.com/openclaw/openclaw/issues/62006)) Thanks [@&#8203;eleqtrizit](https://redirect.github.com/eleqtrizit). - Google image generation: strip a trailing `/openai` suffix from configured Google base URLs only when calling the native Gemini image API so Gemini image requests stop 404ing without breaking explicit OpenAI-compatible Google endpoints. ([#&#8203;66445](https://redirect.github.com/openclaw/openclaw/issues/66445)) Thanks [@&#8203;dapzthelegend](https://redirect.github.com/dapzthelegend). - Telegram/forum topics: persist learned topic names to the Telegram session sidecar store so agent context can keep using human topic names after a restart instead of relearning from future service metadata. ([#&#8203;66107](https://redirect.github.com/openclaw/openclaw/issues/66107)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). - Doctor/systemd: keep `openclaw doctor --repair` and service reinstall from re-embedding dotenv-backed secrets in user systemd units, while preserving newer inline overrides over stale state-dir `.env` values. ([#&#8203;66249](https://redirect.github.com/openclaw/openclaw/issues/66249)) Thanks [@&#8203;tmimmanuel](https://redirect.github.com/tmimmanuel). 
- Ollama/OpenAI-compat: send `stream_options.include_usage` for Ollama streaming completions so local Ollama runs report real usage instead of falling back to bogus prompt-token counts that trigger premature compaction. ([#&#8203;64568](https://redirect.github.com/openclaw/openclaw/issues/64568)) Thanks [@&#8203;xchunzhao](https://redirect.github.com/xchunzhao) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Doctor/plugins: cache external `preferOver` catalog lookups within each plugin auto-enable pass so large `agents.list` configs no longer peg CPU and repeatedly reread plugin catalogs during doctor/plugins resolution. ([#&#8203;66246](https://redirect.github.com/openclaw/openclaw/issues/66246)) Thanks [@&#8203;yfge](https://redirect.github.com/yfge). - GitHub Copilot/thinking: allow `github-copilot/gpt-5.4` to use `xhigh` reasoning so Copilot GPT-5.4 matches the rest of the GPT-5.4 family. ([#&#8203;50168](https://redirect.github.com/openclaw/openclaw/issues/50168)) Thanks [@&#8203;jakepresent](https://redirect.github.com/jakepresent) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Memory/embeddings: preserve non-OpenAI provider prefixes when normalizing OpenAI-compatible embedding model refs so proxy-backed memory providers stop failing with `Unknown memory embedding provider`. ([#&#8203;66452](https://redirect.github.com/openclaw/openclaw/issues/66452)) Thanks [@&#8203;jlapenna](https://redirect.github.com/jlapenna). - Agents/local models: clarify low-context preflight hints for self-hosted models, point config-backed caps at the relevant OpenClaw setting, and stop suggesting larger models when `agents.defaults.contextTokens` is the real limit. ([#&#8203;66236](https://redirect.github.com/openclaw/openclaw/issues/66236)) Thanks [@&#8203;ImLukeF](https://redirect.github.com/ImLukeF). 
- Browser/SSRF: restore hostname navigation under the default browser SSRF policy while keeping explicit strict mode reachable from config, and keep managed loopback CDP `/json/new` fallback requests on the local CDP control policy so browser follow-up fixes stop regressing normal navigation or self-blocking local CDP control. ([#&#8203;66386](https://redirect.github.com/openclaw/openclaw/issues/66386)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). - Models/Codex: canonicalize the legacy `openai-codex/gpt-5.4-codex` runtime alias to `openai-codex/gpt-5.4` while still honoring alias-specific and canonical per-model overrides. ([#&#8203;43060](https://redirect.github.com/openclaw/openclaw/issues/43060)) Thanks [@&#8203;Sapientropic](https://redirect.github.com/Sapientropic) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Browser/SSRF: preserve explicit strict browser navigation mode for legacy `browser.ssrfPolicy.allowPrivateNetwork: false` configs by normalizing the legacy alias to the canonical strict marker instead of silently widening those installs to the default non-strict hostname-navigation path. - Onboarding/custom providers: use `max_tokens=16` for OpenAI-compatible verification probes so stricter custom endpoints stop rejecting onboarding checks that only need a tiny completion. ([#&#8203;66450](https://redirect.github.com/openclaw/openclaw/issues/66450)) Thanks [@&#8203;WuKongAI-CMU](https://redirect.github.com/WuKongAI-CMU). - Agents/subagents: emit the subagent registry lazy-runtime stub on the stable dist path that both source and bundled runtime imports resolve, so the follow-up dist fix no longer still fails with `ERR_MODULE_NOT_FOUND` at runtime. ([#&#8203;66420](https://redirect.github.com/openclaw/openclaw/issues/66420)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). 
- Media-understanding/proxy env: auto-upgrade provider HTTP helper requests to trusted env-proxy mode only when `HTTP_PROXY`/`HTTPS_PROXY` is active and the target is not bypassed by `NO_PROXY`, so remote media-understanding and transcription requests stop failing local DNS pre-resolution in proxy-only environments without widening SSRF bypasses. ([#&#8203;52162](https://redirect.github.com/openclaw/openclaw/issues/52162)) Thanks [@&#8203;mjamiv](https://redirect.github.com/mjamiv) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Telegram/media downloads: let Telegram media fetches trust an operator-configured explicit proxy for target DNS resolution after hostname-policy checks, so proxy-backed installs stop failing `could not download media` on Bot API file downloads after the DNS-pinning regression. ([#&#8203;66245](https://redirect.github.com/openclaw/openclaw/issues/66245)) Thanks [@&#8203;dawei41468](https://redirect.github.com/dawei41468) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Browser: keep loopback CDP readiness checks reachable under strict SSRF defaults so OpenClaw can reconnect to locally started managed Chrome. ([#&#8203;66354](https://redirect.github.com/openclaw/openclaw/issues/66354)) Thanks [@&#8203;hxy91819](https://redirect.github.com/hxy91819). - Agents/context engine: compact engine-owned sessions from the first tool-loop delta and preserve ingest fallback when `afterTurn` is absent, so long-running tool loops can stay bounded without dropping engine state. ([#&#8203;63555](https://redirect.github.com/openclaw/openclaw/issues/63555)) Thanks [@&#8203;Bikkies](https://redirect.github.com/Bikkies). - OpenAI Codex/auth: keep malformed Codex CLI auth-file diagnostics on the debug logger instead of stdout so interactive command output stays clean while auth read failures remain traceable. 
([#&#8203;66451](https://redirect.github.com/openclaw/openclaw/issues/66451)) Thanks [@&#8203;SimbaKingjoe](https://redirect.github.com/SimbaKingjoe). - Discord/native commands: return the real status card for native `/status` interactions instead of falling through to the synthetic `✅ Done.` ack when the generic dispatcher produces no visible reply. ([#&#8203;54629](https://redirect.github.com/openclaw/openclaw/issues/54629)) Thanks [@&#8203;tkozzer](https://redirect.github.com/tkozzer) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Hooks/Ollama: let LLM-backed session-memory slug generation honor an explicit `agents.defaults.timeoutSeconds` override instead of always aborting after 15 seconds, so slow local Ollama runs stop silently dropping back to generic filenames. ([#&#8203;66237](https://redirect.github.com/openclaw/openclaw/issues/66237)) Thanks [@&#8203;dmak](https://redirect.github.com/dmak) and [@&#8203;vincentkoc](https://redirect.github.com/vincentkoc). - Media/transcription: remap `.aac` filenames to `.m4a` for OpenAI-compatible audio uploads so AAC voice notes stop failing MIME-sensitive transcription endpoints. ([#&#8203;66446](https://redirect.github.com/openclaw/openclaw/issues/66446)) Thanks [@&#8203;ben-z](https://redirect.github.com/ben-z). - WhatsApp/Baileys media upload: keep encrypted upload POSTs streaming while still guarding generic-agent dispatcher wiring, so large outbound media sends avoid full-buffer RSS spikes and OOM regressions. ([#&#8203;65966](https://redirect.github.com/openclaw/openclaw/issues/65966)) Thanks [@&#8203;frankekn](https://redirect.github.com/frankekn). - UI/chat: replace marked.js with markdown-it so maliciously crafted markdown can no longer freeze the Control UI via ReDoS. ([#&#8203;46707](https://redirect.github.com/openclaw/openclaw/issues/46707)) Thanks [@&#8203;zhangfnf](https://redirect.github.com/zhangfnf). 
- Auto-reply/send policy: keep `sendPolicy: "deny"` from blocking inbound message processing, so the agent still runs its turn while all outbound delivery is suppressed for observer-style setups. ([#&#8203;65461](https://redirect.github.com/openclaw/openclaw/issues/65461), [#&#8203;53328](https://redirect.github.com/openclaw/openclaw/issues/53328)) Thanks [@&#8203;omarshahine](https://redirect.github.com/omarshahine). - BlueBubbles: lazy-refresh the Private API server-info cache on send when reply threading or message effects are requested but status is unknown, so sends no longer silently degrade to plain messages when the 10-minute cache expires. ([#&#8203;65447](https://redirect.github.com/openclaw/openclaw/issues/65447), [#&#8203;43764](https://redirect.github.com/openclaw/openclaw/issues/43764)) Thanks [@&#8203;omarshahine](https://redirect.github.com/omarshahine). - Heartbeat/security: force owner downgrade for untrusted `hook:wake` system events \[AI-assisted]. ([#&#8203;66031](https://redirect.github.com/openclaw/openclaw/issues/66031)) Thanks [@&#8203;pgondhi987](https://redirect.github.com/pgondhi987). - Browser/security: enforce SSRF policy on snapshot, screenshot, and tab routes \[AI]. ([#&#8203;66040](https://redirect.github.com/openclaw/openclaw/issues/66040)) Thanks [@&#8203;pgondhi987](https://redirect.github.com/pgondhi987). - Microsoft Teams/security: enforce sender allowlist checks on SSO signin invokes \[AI]. ([#&#8203;66033](https://redirect.github.com/openclaw/openclaw/issues/66033)) Thanks [@&#8203;pgondhi987](https://redirect.github.com/pgondhi987). - Config/security: redact `sourceConfig` and `runtimeConfig` alias fields in `redactConfigSnapshot` \[AI]. ([#&#8203;66030](https://redirect.github.com/openclaw/openclaw/issues/66030)) Thanks [@&#8203;pgondhi987](https://redirect.github.com/pgondhi987). 
- Agents/context engines: run opt-in turn maintenance as idle-aware background work so the next foreground turn no longer waits on proactive maintenance. ([#65233](https://redirect.github.com/openclaw/openclaw/issues/65233)) Thanks [@100yenadmin](https://redirect.github.com/100yenadmin).
- Plugins/status: report the registered context-engine IDs in `plugins inspect` instead of the owning plugin ID, so non-matching engine IDs and multi-engine plugins are classified correctly. ([#58766](https://redirect.github.com/openclaw/openclaw/issues/58766)) Thanks [@zhuisDEV](https://redirect.github.com/zhuisDEV).
- Context engines: reject resolved plugin engines whose reported `info.id` does not match their registered slot id, so malformed engines fail fast before id-based runtime branches can misbehave. ([#63222](https://redirect.github.com/openclaw/openclaw/issues/63222)) Thanks [@fuller-stack-dev](https://redirect.github.com/fuller-stack-dev).
- WhatsApp: patch installed Baileys media encryption writes during OpenClaw postinstall so the default npm/install.sh delivery path waits for encrypted media files to finish flushing before readback, avoiding transient `ENOENT` crashes on image sends. ([#65896](https://redirect.github.com/openclaw/openclaw/issues/65896)) Thanks [@frankekn](https://redirect.github.com/frankekn).
- Gateway/update: unify service entrypoint resolution around the canonical bundled gateway entrypoint so update, reinstall, and doctor repair stop drifting between stale `dist/entry.js` and current `dist/index.js` paths. ([#65984](https://redirect.github.com/openclaw/openclaw/issues/65984)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Heartbeat/Telegram topics: keep isolated heartbeat replies on the bound forum topic when `target=last`, instead of dropping them into the group root chat.
([#66035](https://redirect.github.com/openclaw/openclaw/issues/66035)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Browser/CDP: let managed local Chrome readiness, status probes, and managed loopback CDP control bypass browser SSRF policy for their own loopback control plane, so OpenClaw no longer misclassifies a healthy child browser as "not reachable after start". ([#65695](https://redirect.github.com/openclaw/openclaw/issues/65695), [#66043](https://redirect.github.com/openclaw/openclaw/issues/66043)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Gateway/sessions: stop heartbeat, cron-event, and exec-event turns from overwriting shared-session routing and origin metadata, preventing synthetic `heartbeat` targets from poisoning later cron or user delivery. ([#66073](https://redirect.github.com/openclaw/openclaw/issues/66073), [#63733](https://redirect.github.com/openclaw/openclaw/issues/63733), [#35300](https://redirect.github.com/openclaw/openclaw/issues/35300)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Browser/CDP: let local attach-only `manual-cdp` profiles reuse the local loopback CDP control plane under strict default policy and remote-class probe timeouts, so tabs/snapshot stop falsely reporting a live local browser session as not running. ([#65611](https://redirect.github.com/openclaw/openclaw/issues/65611), [#66080](https://redirect.github.com/openclaw/openclaw/issues/66080)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Cron/scheduler: stop inventing short retries when cron next-run calculation returns no valid future slot, and keep a maintenance wake armed so enabled unscheduled jobs recover without entering a refire loop.
([#66019](https://redirect.github.com/openclaw/openclaw/issues/66019), [#66083](https://redirect.github.com/openclaw/openclaw/issues/66083)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Cron/scheduler: preserve the active error-backoff floor when maintenance repair recomputes a missing cron next-run, so recurring errored jobs do not resume early after a transient next-run resolution failure. ([#66019](https://redirect.github.com/openclaw/openclaw/issues/66019), [#66083](https://redirect.github.com/openclaw/openclaw/issues/66083), [#66113](https://redirect.github.com/openclaw/openclaw/issues/66113)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Outbound/delivery-queue: persist the originating outbound `session` context on queued delivery entries and replay it during recovery, so write-ahead-queued sends keep their original outbound media policy context after restart instead of evaluating against a missing session. ([#66025](https://redirect.github.com/openclaw/openclaw/issues/66025)) Thanks [@eleqtrizit](https://redirect.github.com/eleqtrizit).
- Memory/Ollama: restore the built-in `ollama` embedding adapter in memory-core so explicit `memorySearch.provider: "ollama"` works again, and include endpoint-aware cache keys so different Ollama hosts do not reuse each other's embeddings. ([#63429](https://redirect.github.com/openclaw/openclaw/issues/63429), [#66078](https://redirect.github.com/openclaw/openclaw/issues/66078), [#66163](https://redirect.github.com/openclaw/openclaw/issues/66163)) Thanks [@nnish16](https://redirect.github.com/nnish16) and [@vincentkoc](https://redirect.github.com/vincentkoc).
- Auto-reply/queue: split collect-mode followup drains into contiguous groups by per-message authorization context (sender id, owner status, exec/bash-elevated overrides), so queued items from different senders or exec configs no longer execute under the last queued run's owner-only and exec-approval context. ([#66024](https://redirect.github.com/openclaw/openclaw/issues/66024)) Thanks [@eleqtrizit](https://redirect.github.com/eleqtrizit).
- Dreaming/memory-core: require a live queued Dreaming cron event before the heartbeat hook runs the sweep, so managed Dreaming no longer replays on later heartbeats after the scheduled run was already consumed. ([#66139](https://redirect.github.com/openclaw/openclaw/issues/66139)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Control UI/Dreaming: stop Imported Insights and Memory Palace from calling optional `memory-wiki` gateway methods when the plugin is off, and refresh config before wiki reloads so the Dreaming tab stops showing misleading unknown-method failures. ([#66140](https://redirect.github.com/openclaw/openclaw/issues/66140)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Agents/tools: only mark streamed unknown-tool retries as counted when a streamed message actually classifies an unavailable tool, and keep incomplete streamed tool names from resetting the retry streak before the final assistant message arrives. ([#66145](https://redirect.github.com/openclaw/openclaw/issues/66145)) Thanks [@dutifulbob](https://redirect.github.com/dutifulbob).
- Memory/active-memory: move recalled memory onto the hidden untrusted prompt-prefix path instead of system prompt injection, label the visible Active Memory status line fields, and include the resolved recall provider/model in gateway debug logs so trace/debug output matches what the model actually saw.
([#66144](https://redirect.github.com/openclaw/openclaw/issues/66144)) Thanks [@Takhoffman](https://redirect.github.com/Takhoffman).
- Memory/QMD: stop treating legacy lowercase `memory.md` as a second default root collection, so QMD recall no longer searches phantom `memory-alt-*` collections and builtin/QMD root-memory fallback stays aligned. ([#66141](https://redirect.github.com/openclaw/openclaw/issues/66141)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Agents/subagents: ship `dist/agents/subagent-registry.runtime.js` in npm builds so `runtime: "subagent"` runs stop stalling in `queued` after the registry import fails. ([#66189](https://redirect.github.com/openclaw/openclaw/issues/66189)) Thanks [@yqli2420](https://redirect.github.com/yqli2420) and [@vincentkoc](https://redirect.github.com/vincentkoc).
- Agents/OpenAI: map `minimal` thinking to OpenAI's supported `low` reasoning effort for GPT-5.4 requests, so embedded runs stop failing request validation. Thanks [@steipete](https://redirect.github.com/steipete).
- Voice-call/media-stream: resolve the source IP from trusted forwarding headers for per-IP pending-connection limits when `webhookSecurity.trustForwardingHeaders` and `trustedProxyIPs` are configured, and reserve `maxConnections` capacity for in-flight WebSocket upgrades so concurrent handshakes can no longer momentarily exceed the operator-set cap. ([#66027](https://redirect.github.com/openclaw/openclaw/issues/66027)) Thanks [@eleqtrizit](https://redirect.github.com/eleqtrizit).
- Feishu/allowlist: canonicalize allowlist entries by explicit `user`/`chat` kind, strip repeated `feishu:`/`lark:` provider prefixes, and stop folding opaque Feishu IDs to lowercase, so allowlist matching no longer crosses user/chat namespaces or widens to case-insensitive ID matches the operator did not intend.
([#66021](https://redirect.github.com/openclaw/openclaw/issues/66021)) Thanks [@eleqtrizit](https://redirect.github.com/eleqtrizit).
- Telegram/status commands: let read-only status slash commands bypass busy topic turns, while keeping `/export-session` on the normal lane so it cannot interleave with an in-flight session mutation. ([#66226](https://redirect.github.com/openclaw/openclaw/issues/66226)) Thanks [@VACInc](https://redirect.github.com/VACInc) and [@vincentkoc](https://redirect.github.com/vincentkoc).
- TTS/reply media: persist OpenClaw temp voice outputs into managed outbound media and allow them through reply-media normalization, so voice-note replies stop silently dropping. ([#63511](https://redirect.github.com/openclaw/openclaw/issues/63511)) Thanks [@jetd1](https://redirect.github.com/jetd1).
- Agents/tools: treat Windows drive-letter paths (`C:\\...`) as absolute when resolving sandbox and read-tool paths so workspace root is not prepended under POSIX path rules. ([#54039](https://redirect.github.com/openclaw/openclaw/issues/54039)) Thanks [@ly85206559](https://redirect.github.com/ly85206559) and [@vincentkoc](https://redirect.github.com/vincentkoc).
- Agents/OpenAI: recover embedded GPT-style runs when reasoning-only or empty turns need bounded continuation, with replay-safe retry gating and incomplete-turn fallback when no visible answer arrives. ([#66167](https://redirect.github.com/openclaw/openclaw/issues/66167)) thanks [@jalehman](https://redirect.github.com/jalehman)
- Outbound/relay-status: suppress internal relay-status placeholder payloads (`No channel reply.`, `Replied in-thread.`, `Replied in #...`, wiki-update status variants ending in `No channel reply.`) before channel delivery so internal housekeeping text does not leak to users.
- Slack/doctor: add a dedicated doctor-contract sidecar so config warmup paths such as `openclaw cron` no longer fall back to Slack's broader contract surface, which could trigger Slack-related config-read crashes on affected setups. ([#63192](https://redirect.github.com/openclaw/openclaw/issues/63192)) Thanks [@shhtheonlyperson](https://redirect.github.com/shhtheonlyperson).
- Hooks/session-memory: pass the resolved agent workspace into gateway `/new` and `/reset` session-memory hooks so reset snapshots stay scoped to the right agent workspace instead of leaking into the default workspace. ([#64735](https://redirect.github.com/openclaw/openclaw/issues/64735)) Thanks [@suboss87](https://redirect.github.com/suboss87) and [@vincentkoc](https://redirect.github.com/vincentkoc).
- CLI/approvals: raise the default `openclaw approvals get` gateway timeout and report config-load timeouts explicitly, so slow hosts stop showing a misleading `Config unavailable.` note when the approvals snapshot succeeds but the follow-up config RPC needs more time. ([#66239](https://redirect.github.com/openclaw/openclaw/issues/66239)) Thanks [@neeravmakwana](https://redirect.github.com/neeravmakwana).
- Media/store: honor configured agent media limits when saving generated media and persisting outbound reply media, so the store no longer hard-stops those flows at 5 MB before the configured limit applies. ([#66229](https://redirect.github.com/openclaw/openclaw/issues/66229)) Thanks [@neeravmakwana](https://redirect.github.com/neeravmakwana) and [@vincentkoc](https://redirect.github.com/vincentkoc).
- Plugins/setup-entry: preserve separate setup-entry secrets exports when loading bundled setup-runtime channels, so setup-mode flows keep the channel secret contract for split plugin + secrets entrypoints.
([#66261](https://redirect.github.com/openclaw/openclaw/issues/66261)) Thanks [@hxy91819](https://redirect.github.com/hxy91819).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Every minute ( * * * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My43Ni4yIiwidXBkYXRlZEluVmVyIjoiNDMuNzYuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Reference
les_clankeurs/openclaw-image-2!20