chore(deps): update ghcr.io/openclaw/openclaw docker tag to v2026.4.21 #23

Merged
notarock-s-renovate[bot] merged 1 commit from renovate/docker-images into main 2026-04-23 03:21:15 +00:00
notarock-s-renovate[bot] commented 2026-04-21 20:04:31 +00:00 (Migrated from github.com)

This PR contains the following updates:

Package                             Type   Update  Change
ghcr.io/openclaw/openclaw (source)  final  patch   2026.4.15 → 2026.4.21

Release Notes

openclaw/openclaw (ghcr.io/openclaw/openclaw)

v2026.4.21

Compare Source

Changes
  • OpenAI/images: default the bundled image-generation provider and live media smoke tests to gpt-image-2, and advertise the newer 2K/4K OpenAI size hints in image-generation docs and tool metadata.
  • Plugins/skills: add the Skill Workshop plugin, which captures reusable workflow corrections as pending or auto-applied workspace skills, runs threshold-based reviewer passes for stronger completion bias on reusable procedures, quarantines unsafe proposals, and refreshes skill availability after safe writes.
  • Plugin SDK/channels: add presentation and skills runtime contracts, decouple channel presentation rendering, and document message presentation cards so plugins can own richer interactive surfaces without channel-specific glue.
  • Fireworks/models: add Kimi K2.6 (fireworks/accounts/fireworks/models/kimi-k2p6) to the bundled catalog and live-model priority list, while keeping Kimi thinking disabled for Fireworks K2.6 requests.
  • Onboard/wizard: simplify the security disclaimer copy, and switch remaining onboarding pickers with long dynamic option lists to searchable autocompletes for search providers, plugin configuration, and model provider filtering.
  • Channels/preview streaming: stream tool-progress updates into live preview edits for Discord, Slack, and Telegram so in-flight replies show incremental tool state in the same preview message before finalization. (#​69611) Thanks @​thewilloftheshadow.
  • Ollama/onboard: populate the cloud-only model list from ollama.com/api/tags, cap the discovered list at 500, and fall back to static suggestions when ollama.com is unavailable. (#​68463) Thanks @​BruceMacD.
  • QQBot: extract a self-contained engine architecture with QR-code onboarding, native approval handling via /bot-approve, per-account resource stacks, credential backup/restore, shared media storage, and unified API/bridge/gateway modules. (#​67960) Thanks @​cxyhhhhh.
  • Matrix/startup: narrow Matrix runtime registration and defer setup/doctor surfaces so cold plugin registration spends about 1.8s less in setChannelRuntime. (#​69782) Thanks @​gumadeiras.
  • Telegram/plugin startup: load Telegram's bundled runtime setter through a narrow sidecar and native built-sidecar loading, cutting measured setup-runtime registration by about 14s while preserving runtime API compatibility. (#​69786) Thanks @​gumadeiras.
  • Discord/plugin startup: lazy-load the Carbon UI runtime and load Discord's bundled runtime setter through a narrow sidecar, cutting measured registration time by about 98% while keeping packaged installs off Carbon until the Discord UI surface is needed. (#​69791) Thanks @​gumadeiras.
Fixes
  • Agents/ACP: skip the sessions_send A2A ping-pong flow when a parent sends to its own background oneshot ACP child, preventing parent/child echo loops while preserving normal A2A delivery for non-parent senders. (#​69817) Thanks @​scotthuang.
  • Image generation: log failed provider/model candidates at warn level before automatic provider fallback, so OpenAI image failures are visible in the gateway log even when a later provider succeeds.
  • Agents/subagents: stop terminal failed subagent runs from freezing or announcing captured reply text, so failover-exhausted runs report a clean failure instead of replaying stale assistant/tool output.
  • Security/external content: strip common self-hosted LLM chat-template special-token literals, including Qwen/ChatML, Llama, Gemma, Mistral, Phi, and GPT-OSS markers, from wrapped external content and metadata, preventing tokenizer-layer role-boundary spoofing against OpenAI-compatible backends that preserve special tokens in user text.
  • npm/install: mirror the node-domexception alias into root package.json overrides, so npm installs stop surfacing the deprecated google-auth-library -> gaxios -> node-fetch -> fetch-blob -> node-domexception chain pulled through Pi/Google runtime deps. Thanks @​vincentkoc.
  • Auth/commands: require owner identity (an owner-candidate match or internal operator.admin) for owner-enforced commands instead of treating wildcard channel allowFrom or empty owner-candidate lists as sufficient, so non-owner senders can no longer reach owner-only commands through a permissive fallback when enforceOwnerForCommands=true and commands.ownerAllowFrom is unset. (#​69774) Thanks @​drobison00.
  • Control UI/CSP: tighten img-src to 'self' data: only, and make Control UI avatar helpers drop remote http(s) and protocol-relative URLs so the UI falls back to the built-in logo/badge instead of issuing arbitrary remote image fetches. Same-origin avatar routes (relative paths) and data:image/... avatars still render. (#​69773)
  • CLI/channels: keep status, health, channels list, and channels status on read-only channel metadata when Telegram, Slack, Discord, or third-party channel plugins are configured, avoiding full bundled plugin runtime imports on those cold paths. Fixes #​69042. (#​69479) Thanks @​gumadeiras.
  • Synology Chat: validate outbound webhook file_url values against the shared SSRF policy before forwarding to the NAS, rejecting malformed URLs, non-http(s) schemes, and private/blocked network targets so the NAS cannot be used as a confused deputy to fetch internal addresses. (#​69784) Thanks @​eleqtrizit.
  • LINE: validate outbound media URLs against the shared public-network guard before handing them to LINE, preserving arbitrary public HTTPS media while rejecting loopback, link-local, and private-network targets.
  • Gateway/Control UI: require gateway auth on the Control UI avatar route (GET /avatar/<agentId> and ?meta=1 metadata) when auth is configured, matching the sibling assistant-media route, and propagate the existing gateway token through the UI avatar fetch (bearer header + authenticated blob URL) so authenticated dashboards still load local avatars. (#​69775)
  • Google Chat/auth: replace the Google auth gaxios shim with a scoped SSRF-guarded transport, validate service-account auth endpoints against trusted Google URLs, and let the plugin own its staged gaxios auth runtime instead of patching process-wide globals or the root CLI startup path. Thanks @​vincentkoc.
  • Exec/allowlist: reject POSIX parameter expansion forms such as $VAR, $?, $$, $1, and $@ inside unquoted heredocs during shell approval analysis, so these heredocs no longer pass allowlist review as plain text. (#​69795) Thanks @​drobison00.
  • Gateway/MCP loopback: derive owner-only tool visibility from distinct authenticated owner vs non-owner loopback bearers instead of the caller-controlled owner header, so non-owner MCP child processes cannot recover owner access by spoofing request metadata. (#​69796)
  • GitHub Copilot: update the default Opus model from claude-opus-4.6 to claude-opus-4.7 after GitHub removed Copilot support for 4.6. (#​69818) Thanks @​shakkernerd.
  • OpenShell: pin host-side sandbox writes under the mounted root so symlink-parent rebinds cannot redirect writeFile outside the workspace during local mirror updates. (#​69797) Thanks @​drobison00.
  • Ollama/media understanding: register Ollama as an image-capable media-understanding provider so agents.defaults.imageModel.primary values like ollama/qwen2.5vl:7b route through the Ollama plugin instead of failing as unknown models. (#​69816) Thanks @​soloclz.
  • CLI/media understanding: make openclaw infer image describe --model <provider/model> execute the explicit image model instead of skipping description when that model supports native vision.
  • Usage/providers: keep plugin-owned usage auth enabled when manifest-declared provider auth env vars such as MINIMAX_CODE_PLAN_KEY are present, so /usage can resolve MiniMax billing credentials through the provider plugin.
  • Tlon/uploads: route both hosted Memex upload targets and custom-S3 presigned upload URLs through the shared SSRF guard so blocked private or loopback destinations fail before upload, while public upload URLs continue through the existing hosted upload flow. (#​69794) Thanks @​drobison00.
  • Channels/thread routing: keep outbound replies in existing Slack, Mattermost, Matrix, Telegram, Discord, and QA-channel thread sessions by sharing the Plugin SDK thread-aware route builder across bundled plugins.
  • Agents/replay: normalize restored assistant text content before provider replay and prompt submission, so legacy or repaired sessions no longer crash on assistantMsg.content.flatMap. (#​69850) Thanks @​fuller-stack-dev.

v2026.4.20

Compare Source

Changes
  • Onboard/wizard: restyle the setup security disclaimer with a single yellow warning banner, section headings and bulleted checklists, and un-dim the note body so key guidance is easy to scan; add a loading spinner during the initial model catalog load so the wizard no longer goes blank while it runs; add an "API key" placeholder to provider API key prompts. (#​69553) Thanks @​Patrick-Erichsen.
  • Agents/prompts: strengthen the default system prompt and OpenAI GPT-5 overlay with clearer completion bias, live-state checks, weak-result recovery, and verification-before-final guidance.
  • Models/costs: support tiered model pricing from cached catalogs and configured models, and include bundled Moonshot Kimi K2.6/K2.5 cost estimates for token-usage reports. (#​67605) Thanks @​sliverp.
  • Sessions/Maintenance: enforce the built-in entry cap and age prune by default, and prune oversized stores at load time so accumulated cron/executor session backlogs cannot OOM the gateway before the write path runs. (#​69404) Thanks @​bobrenze-bot.
  • Plugins/tests: reuse plugin loader alias and Jiti config resolution across repeated same-context loads, reducing import-heavy test overhead. (#​69316) Thanks @​amknight.
  • Cron: split runtime execution state into jobs-state.json so jobs.json stays stable for git-tracked job definitions. (#​63105) Thanks @​Feelw00.
  • Agents/compaction: send opt-in start and completion notices during context compaction. (#​67830) Thanks @​feniix.
  • Moonshot/Kimi: default bundled Moonshot setup, web search, and media-understanding surfaces to kimi-k2.6 while keeping kimi-k2.5 available for compatibility. (#​69477) Thanks @​scoootscooob.
  • Moonshot/Kimi: allow thinking.keep = "all" on moonshot/kimi-k2.6, and strip it for other Moonshot models or requests where pinned tool_choice disables thinking. (#​68816) Thanks @​aniaan.
  • BlueBubbles/groups: forward per-group systemPrompt config into inbound context GroupSystemPrompt so configured group-specific behavioral instructions (for example threaded-reply and tapback conventions) are injected on every turn. Supports "*" wildcard fallback matching the existing requireMention pattern. Closes #​60665. (#​69198) Thanks @​omarshahine.
  • Plugins/tasks: add a detached runtime registration contract so plugin executors can own detached task lifecycle and cancellation without reaching into core task internals. (#​68915) Thanks @​mbelinky.
  • Terminal/logging: optimize sanitizeForLog() by replacing the iterative control-character stripping loop with a single regex pass while preserving the existing ANSI-first sanitization behavior. (#​67205) Thanks @​bulutmuf.
  • QA/CI: make openclaw qa suite and openclaw qa telegram fail by default when scenarios fail, add --allow-failures for artifact-only runs, and tighten live-lane defaults for CI automation. (#​69122) Thanks @​joshavant.
  • Mattermost: stream thinking, tool activity, and partial reply text into a single draft preview post that finalizes in place when safe. (#​47838) Thanks @​ninjaa.
Fixes
  • Exec/YOLO: stop rejecting gateway-host exec in security=full plus ask=off mode via the Python/Node script preflight hardening path, so promptless YOLO exec once again runs direct interpreter stdin and heredoc forms such as node <<'NODE' ... NODE.
  • OpenAI Codex: normalize legacy openai-completions transport overrides on default OpenAI/Codex and GitHub Copilot-compatible hosts back to the native Codex Responses transport while leaving custom proxies untouched. (#​45304, #​42194) Thanks @​dyss1992 and @​DeadlySilent.
  • Anthropic/plugins: scope Anthropic api: "anthropic-messages" defaulting to Anthropic-owned providers, so openai-codex and other providers without an explicit api no longer get rewritten to the wrong transport. Fixes #​64534.
  • fix(qqbot): add SSRF guard to direct-upload URL paths in uploadC2CMedia and uploadGroupMedia [AI-assisted]. (#​69595) Thanks @​pgondhi987.
  • fix(gateway): enforce allowRequestSessionKey gate on template-rendered mapping sessionKeys. (#​69381) Thanks @​pgondhi987.
  • Browser/Chrome MCP: surface DevToolsActivePort attach failures as browser-connectivity errors instead of a generic "waiting for tabs" timeout, and point signed-out fallbacks toward the managed openclaw profile.
  • Webchat/images: treat inline image attachments as media for empty-turn gating while still ignoring metadata-only blank turns. (#​69474) Thanks @​Jaswir.
  • Discord/think: only show adaptive in /think autocomplete for provider/model pairs that actually support provider-managed adaptive thinking, so GPT/OpenAI models no longer advertise an Anthropic-only option.
  • Thinking: only expose max for models that explicitly support provider max reasoning, and remap stored max settings to the largest supported thinking mode when users switch to another model.
  • Gateway/usage: bound the cost usage cache with FIFO eviction so date/range lookups cannot grow unbounded. (#​68842) Thanks @​Feelw00.
  • OpenAI/Responses: resolve /think levels against each GPT model's supported reasoning efforts so /think off no longer becomes high reasoning or sends unsupported reasoning.effort: "none" payloads.
  • Lobster/TaskFlow: allow managed approval resumes to use approvalId without a resume token, and persist that id in approval wait state. (#​69559) Thanks @​kirkluokun.
  • Plugins/startup: install bundled runtime dependencies into each plugin's own runtime directory, reuse source-checkout repair caches after rebuilds, and log only packages that were actually installed so repeated Gateway starts stay quiet once deps are present.
  • Plugins/startup: ignore pnpm's npm_execpath when repairing bundled plugin runtime dependencies and skip workspace-only package specs so npm-only install flags or local workspace links do not break packaged plugin startup.
  • MCP: block interpreter-startup env keys such as NODE_OPTIONS for stdio servers while preserving ordinary credential and proxy env vars. (#​69540) Thanks @​drobison00.
  • Agents/shell: ignore non-interactive placeholder shells like /usr/bin/false and /sbin/nologin, falling back to sh so service-user exec runs no longer exit immediately. (#​69308) Thanks @​sk7n4k3d.
  • Setup/TUI: relaunch the setup hatch TUI in a fresh process while preserving the configured gateway target and auth source, so onboarding recovers terminal state cleanly without exposing gateway secrets on command-line args. (#​69524) Thanks @​shakkernerd.
  • Codex: avoid re-exposing the image-generation tool on native vision turns with inbound images, and keep bare image-model overrides on the configured image provider. (#​65061) Thanks @​zhulijin1991.
  • Sessions/reset: clear auto-sourced model, provider, and auth-profile overrides on /new and /reset while preserving explicit user selections, so channel sessions stop staying pinned to runtime fallback choices. (#​69419) Thanks @​sk7n4k3d.
  • Sessions/costs: snapshot estimatedCostUsd like token counters so repeated persist paths no longer compound the same run cost by up to dozens of times. (#​69403) Thanks @​MrMiaigi.
  • OpenAI Codex: route ChatGPT/Codex OAuth Responses requests through the /backend-api/codex endpoint so openai-codex/gpt-5.4 no longer hits the removed /backend-api/responses alias. (#​69336) Thanks @​mzogithub.
  • OpenAI/Responses: omit disabled reasoning payloads when /think off is active, so GPT reasoning models no longer receive unsupported reasoning.effort: "none" requests. (#​61982) Thanks @​a-tokyo.
  • Gateway/pairing: treat loopback shared-secret node-host, TUI, and gateway clients as local for pairing decisions, so trusted local tools no longer reconnect as remote clients and fail with pairing required. (#​69431) Thanks @​SARAMALI15792.
  • Active Memory: degrade gracefully when memory recall fails during prompt building, logging a warning and letting the reply continue without memory context instead of failing the whole turn. (#​69485) Thanks @​Magicray1217.
  • Ollama: add provider-policy defaults for baseUrl and models so implicit local discovery can run before config validation rejects a minimal Ollama provider config. (#​69370) Thanks @​PratikRai0101.
  • Agents/model selection: clear transient auto-failover session overrides before each turn so recovered primary models are retried immediately without emitting user-override reset warnings. (#​69365) Thanks @​hitesh-github99.
  • Auto-reply: apply silent NO_REPLY policy per conversation type, so direct chats get a helpful rewritten reply while groups and internal deliveries can remain quiet. (#​68644) Thanks @​Takhoffman.
  • Telegram/status reactions: honor messages.removeAckAfterReply when lifecycle status reactions are enabled, clearing or restoring the reaction after success/error using the configured hold timings. (#​68067) Thanks @​poiskgit.
  • Web search/plugins: resolve plugin-scoped SecretRef API keys for bundled Exa, Firecrawl, Gemini, Kimi, Perplexity, Tavily, and Grok web-search providers when they are selected through the shared web-search config. (#​68424) Thanks @​afurm.
  • Telegram/polling: raise the default polling watchdog threshold from 90s to 120s and add configurable channels.telegram.pollingStallThresholdMs (also per-account) so long-running Telegram work gets more room before polling is treated as stalled. (#​57737) Thanks @​Vitalcheffe.
  • Telegram/polling: bound the persisted-offset confirmation getUpdates probe with a client-side timeout so a zombie socket cannot hang polling recovery before the runner watchdog starts. (#​50368) Thanks @​boticlaw.
  • Agents/Pi runner: retry silent stopReason=error turns with no output when no side effects ran, so non-frontier providers that briefly return empty error turns get another chance instead of ending the session early. (#​68310) Thanks @​Chased1k.
  • Plugins/memory: preserve the active memory capability when read-only snapshot plugin loads run, so status and provider discovery paths no longer wipe memory public artifacts. (#​69219) Thanks @​zeroaltitude.
  • Plugins: keep only the highest-precedence manifest when distinct discovered plugins share an id, so lower-precedence global or workspace duplicates no longer load beside bundled or config-selected plugins. (#​41626) Thanks @​Tortes.
  • fix(security): block MINIMAX_API_HOST workspace env injection and remove env-driven URL routing [AI-assisted]. (#​67300) Thanks @​pgondhi987.
  • Cron/delivery: treat explicit delivery.mode: "none" runs as not requested even if the runner reports delivered: false, so no-delivery cron jobs no longer persist false delivery failures or errors. (#​69285) Thanks @​matsuri1987.
  • Plugins/install: repair active and default-enabled bundled plugin runtime dependencies before import in packaged installs, so bundled Discord, WhatsApp, Slack, Telegram, and provider plugins work without putting their dependency trees in core.
  • BlueBubbles: raise the outbound /api/v1/message/text send timeout default from 10s to 30s, and add a configurable channels.bluebubbles.sendTimeoutMs (also per-account) so macOS 26 setups where Private API iMessage sends stall for 60+ seconds no longer silently lose messages at the 10s abort. Probes, chat lookups, and health checks keep the shorter 10s default. Fixes #​67486. (#​69193) Thanks @​omarshahine.
  • Agents/bootstrap: budget truncation markers against per-file caps, preserve source content instead of silently wasting bootstrap bytes, and avoid marker-only output in tiny-budget truncation cases. (#​69114) Thanks @​BKF-Gitty.
  • Context engine/plugins: stop rejecting third-party context engines whose info.id differs from the registered plugin slot id. The strict-match contract added in 2026.4.14 broke lossless-claw and other plugins whose internal engine id does not equal the slot id they are registered under, producing repeated info.id must match registered id lane failures on every turn. Fixes #​66601. (#​66678) Thanks @​GodsBoy.
  • Agents/compaction: rename embedded Pi compaction lifecycle events to compaction_start / compaction_end so OpenClaw stays aligned with pi-coding-agent 0.66.1 event naming. (#​67713) Thanks @​mpz4life.
  • Security/dotenv: block all OPENCLAW_* keys from untrusted workspace .env files so workspace-local env loading fails closed for new runtime-control variables instead of silently inheriting them. (#​473)
  • Gateway/device pairing: restrict non-admin paired-device sessions (device-token auth) to their own pairing list, approve, and reject actions so a paired device cannot enumerate other devices or approve/reject pairing requests authored by another device. Admin and shared-secret operator sessions retain full visibility. (#​69375) Thanks @​eleqtrizit.
  • Agents/gateway tool: extend the agent-facing gateway tool's config mutation guard so model-driven config.patch and config.apply cannot rewrite operator-trusted paths (sandbox, plugin trust, gateway auth/TLS, hook routing and tokens, SSRF policy, MCP servers, workspace filesystem hardening) and cannot bypass the guard by editing per-agent sandbox, tools, or embedded-Pi overrides in place under agents.list[]. (#​69377) Thanks @​eleqtrizit.
  • Gateway/websocket broadcasts: require operator.read (or higher) for chat, agent, and tool-result event frames so pairing-scoped and node-role sessions no longer passively receive session chat content, and scope-gate unknown broadcast events by default. Plugin-defined plugin.* broadcasts are scoped to operator.write/admin, and status/transport events (heartbeat, presence, tick, etc.) remain unrestricted. Per-client sequence numbers preserve per-connection monotonicity. (#​69373) Thanks @​eleqtrizit.
  • Agents/compaction: always reload embedded Pi resources through an explicit loader and reapply reserve-token overrides so runs without extension factories no longer silently lose compaction settings before session start. (#​67146) Thanks @​ly85206559.
  • Memory-core/dreaming: normalize sweep timestamps and reuse hashed narrative session keys for fallback cleanup so Dreaming narrative sub-sessions stop leaking. (#​67023) Thanks @​chiyouYCH.
  • Gateway/startup: delay HTTP bind until websocket handlers are attached, so immediate post-startup websocket health/connect probes no longer hit the startup race window. (#​43392) Thanks @​dalefrieswthat.
  • Codex/app-server: release the session lane when a downstream consumer throws while draining the turn/completed notification, so follow-up messages after a Codex plugin reply stop queueing behind a stale lane lock. Fixes #​67996. (#​69072) Thanks @​ayeshakhalid192007-dev.
  • Codex/app-server: default approval handling to on-request so Codex harness sessions do not start with overly permissive tool approvals. (#​68721) Thanks @​Lucenx9.
  • Cron/delivery: keep isolated cron chat delivery tools available, resolve channel: "last" targets from the gateway, show delivery previews in cron list/show, and avoid duplicate fallback sends after direct message-tool delivery. (#​69587) Thanks @​obviyus.
  • Cron/Telegram: key isolated direct-delivery dedupe to each cron execution instead of the reused session id, so recurring Telegram announce runs no longer report delivered while silently skipping later sends. (#​69000) Thanks @​obviyus.
  • Models/Kimi: default bundled Kimi thinking to off and normalize Anthropic-compatible thinking payloads so stale session /think state no longer silently re-enables reasoning on Kimi runs. (#​68907) Thanks @​frankekn.
  • Control UI/cron: keep the runtime-only last delivery sentinel from being materialized into persisted cron delivery and failure-alert channel configs when jobs are created or edited. (#​68829) Thanks @​tianhaocui.
  • OpenAI/Responses: strip orphaned reasoning blocks before outbound Responses API calls so compacted or restored histories no longer fail on standalone reasoning items. (#​55787) Thanks @​suboss87.
  • Cron/CLI: parse PowerShell-style --tools allow-lists the same way as comma-separated input, so cron add and cron edit no longer persist exec read write as one combined tool entry on Windows. (#​68858) Thanks @​chen-zhang-cs-code.
  • Browser/user-profile: let existing-session profile="user" tool calls auto-route to a connected browser node or use explicit target="node", while still honoring explicit target="host" pinning. (#​48677)
  • Discord/slash commands: tolerate partial Discord channel metadata in slash-command and model-picker flows so partial channel objects no longer crash when channel names, topics, or thread parent metadata are unavailable. (#​68953) Thanks @​dutifulbob.
  • BlueBubbles: consolidate outbound HTTP through a typed BlueBubblesClient that resolves the SSRF policy once at construction so image attachments stop getting blocked on localhost and reactions stop getting blocked on private-IP BB deployments. Fixes #​34749 and #​59722. (#​68234) Thanks @​omarshahine.
  • Cron/gateway: reject ambiguous announce delivery config at add/update time so invalid multi-channel or target-id provider settings fail early instead of persisting broken cron jobs. (#​69015) Thanks @​obviyus.
  • Cron/main-session delivery: preserve heartbeat.target="last" through deferred wake queuing, gateway wake forwarding, and same-target wake coalescing so queued cron replies still return to the last active chat. (#​69021) Thanks @​obviyus.
  • Cron/gateway: ignore disabled channels when announce delivery ambiguity is checked, and validate main-session delivery patches against the live cron service default agent so hot-reloaded agent config does not falsely reject valid updates. (#​69040) Thanks @​obviyus.
  • Matrix/allowlists: hot-reload dm.allowFrom and groupAllowFrom entries on inbound messages while keeping config removals authoritative, so Matrix allowlist changes no longer require a channel restart to add or revoke a sender. (#​68546) Thanks @​johnlanni.
  • BlueBubbles: always set method explicitly on outbound text sends ("private-api" when available, "apple-script" otherwise), and prefer Private API on macOS 26 even for plain text. Fixes silent delivery failure on macOS setups without Private API where an omitted method let BB Server fall back to version-dependent default behavior that silently drops the message (#​64480), and the AppleScript -1700 error on macOS 26 Tahoe plain text sends (#​53159). (#​69070) Thanks @​xqing3.
  • Matrix/commands: recognize slash commands that are prefixed with the bot's Matrix mention, so room messages like @bot:server /new trigger the command path without requiring custom mention regexes. (#​68570) Thanks @​nightq and @​johnlanni.
  • Gateway/pairing: return reason-specific PAIRING_REQUIRED details, remediation hints, and request ids so unapproved-device and scope-upgrade failures surface actionable recovery guidance in the CLI and Control UI. (#​69227) Thanks @​obviyus.
  • Agents/subagents: include requested role and runtime timing on subagent failure payloads so parent agents can correlate failed or timed-out child work. (#​68726) Thanks @​BKF-Gitty.
  • Gateway/sessions: reject stale agent-scoped sessions after an agent is removed from config while preserving legacy default-agent main-session aliases. (#​65986) Thanks @​bittoby.
  • Doctor/gateway: surface pending device pairing requests, scope-upgrade approval drift, and stale device-token mismatch repair steps so openclaw doctor --fix no longer leaves pairing/auth setup failures unexplained. (#​69210) Thanks @​obviyus.
  • Cron/isolated-agent: preserve explicit delivery.mode: "none" message targets for isolated runs without inheriting implicit last routing, so agent-initiated Telegram sends keep their authored destination while bare mode:none jobs stay targetless. (#​69153) Thanks @​davehappyminion and @​nikilster.
  • Cron/isolated-agent: keep delivery.mode: "none" account-only or thread-only configs from inheriting a stale implicit recipient, so isolated runs only resolve message routing when the job authored an explicit to target. (#​69163) Thanks @​davehappyminion and @​nikilster.
  • Gateway/TUI: retry session history while the local gateway is still finishing startup, so openclaw tui reconnects no longer fail on transient chat.history unavailable during gateway startup errors. (#​69164) Thanks @​shakkernerd.
  • BlueBubbles/reactions: fall back to love when an agent reacts with an emoji outside the iMessage tapback set (love/like/dislike/laugh/emphasize/question), so wider-vocabulary model reactions like 👀 still produce a visible tapback instead of failing the whole reaction request. Configured ack reactions still validate strictly via the new normalizeBlueBubblesReactionInputStrict path. (#​64693) Thanks @​zqchris.
  • BlueBubbles: prefer iMessage over SMS when both chats exist for the same handle, honor explicit sms: targets, and never silently downgrade iMessage-available recipients. (#​61781) Thanks @​rmartin.
  • Telegram/setup: require numeric allowFrom user IDs during setup instead of offering unsupported @username DM resolution, and point operators to from.id/getUpdates for discovery. (#​69191) Thanks @​obviyus.
  • GitHub Copilot/onboarding: default GitHub Copilot setup to claude-opus-4.6 and keep the bundled default model list aligned, so new Copilot setups no longer start on the older gpt-4o default. (#​69207) Thanks @​obviyus.
  • Gateway/status: separate reachability, capability, and read-probe reporting so connect-only or scope-limited sessions no longer look fully healthy, and normalize SSH targets entered as ssh user@host. (#​69215) Thanks @​obviyus.
  • Slack: fix outbound replies failing with "unresolved SecretRef" for accounts configured via file or exec secret sources; the send path now tolerates the runtime snapshot retaining an unresolved channel SecretRef when a boot-resolved token override is already available. (#​68954) Thanks @​openperf.
  • Control UI/device pairing: explain scope and role approval upgrades during reconnects, and show requested versus approved access in the Control UI and openclaw devices so broader reconnects no longer look like lost pairings. (#​69221) Thanks @​obviyus.
  • Gateway/Control UI: surface pending scope, role, and device-metadata pairing approvals in auth errors and Control UI hints so broader reconnects no longer look like random auth breakage. (#​69226) Thanks @​obviyus.

Configuration

📅 Schedule: Branch creation - Every minute ( * * * * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://redirect.github.com/openclaw/openclaw)) | final | patch | `2026.4.15` → `2026.4.21` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.4.21`](https://redirect.github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026421)

[Compare Source](https://redirect.github.com/openclaw/openclaw/compare/v2026.4.20...v2026.4.21)

##### Changes

- OpenAI/images: default the bundled image-generation provider and live media smoke tests to `gpt-image-2`, and advertise the newer 2K/4K OpenAI size hints in image-generation docs and tool metadata.
- Plugins/skills: add the Skill Workshop plugin, which captures reusable workflow corrections as pending or auto-applied workspace skills, runs threshold-based reviewer passes for stronger completion bias on reusable procedures, quarantines unsafe proposals, and refreshes skill availability after safe writes.
- Plugin SDK/channels: add presentation and skills runtime contracts, decouple channel presentation rendering, and document message presentation cards so plugins can own richer interactive surfaces without channel-specific glue.
- Fireworks/models: add Kimi K2.6 (`fireworks/accounts/fireworks/models/kimi-k2p6`) to the bundled catalog and live-model priority list, while keeping Kimi thinking disabled for Fireworks K2.6 requests.
- Onboard/wizard: simplify the security disclaimer copy, and switch remaining onboarding pickers with long dynamic option lists to searchable autocompletes for search providers, plugin configuration, and model provider filtering.
- Channels/preview streaming: stream tool-progress updates into live preview edits for Discord, Slack, and Telegram so in-flight replies show incremental tool state in the same preview message before finalization. ([#69611](https://redirect.github.com/openclaw/openclaw/issues/69611)) Thanks [@thewilloftheshadow](https://redirect.github.com/thewilloftheshadow).
- Ollama/onboard: populate the cloud-only model list from `ollama.com/api/tags`, cap the discovered list at 500, and fall back to static suggestions when ollama.com is unavailable. ([#68463](https://redirect.github.com/openclaw/openclaw/issues/68463)) Thanks [@BruceMacD](https://redirect.github.com/BruceMacD).
- QQBot: extract a self-contained engine architecture with QR-code onboarding, native approval handling via `/bot-approve`, per-account resource stacks, credential backup/restore, shared media storage, and unified API/bridge/gateway modules. ([#67960](https://redirect.github.com/openclaw/openclaw/issues/67960)) Thanks [@cxyhhhhh](https://redirect.github.com/cxyhhhhh).
- Matrix/startup: narrow Matrix runtime registration and defer setup/doctor surfaces so cold plugin registration spends about 1.8s less in `setChannelRuntime`. ([#69782](https://redirect.github.com/openclaw/openclaw/issues/69782)) Thanks [@gumadeiras](https://redirect.github.com/gumadeiras).
- Telegram/plugin startup: load Telegram's bundled runtime setter through a narrow sidecar and native built-sidecar loading, cutting measured setup-runtime registration by about 14s while preserving runtime API compatibility. ([#69786](https://redirect.github.com/openclaw/openclaw/issues/69786)) Thanks [@gumadeiras](https://redirect.github.com/gumadeiras).
- Discord/plugin startup: lazy-load the Carbon UI runtime and load Discord's bundled runtime setter through a narrow sidecar, cutting measured registration time by about 98% while keeping packaged installs off Carbon until the Discord UI surface is needed. ([#69791](https://redirect.github.com/openclaw/openclaw/issues/69791)) Thanks [@gumadeiras](https://redirect.github.com/gumadeiras).

##### Fixes

- Agents/ACP: skip the `sessions_send` A2A ping-pong flow when a parent sends to its own background oneshot ACP child, preventing parent/child echo loops while preserving normal A2A delivery for non-parent senders. ([#69817](https://redirect.github.com/openclaw/openclaw/issues/69817)) Thanks [@scotthuang](https://redirect.github.com/scotthuang).
- Image generation: log failed provider/model candidates at warn level before automatic provider fallback, so OpenAI image failures are visible in the gateway log even when a later provider succeeds.
- Agents/subagents: stop terminal failed subagent runs from freezing or announcing captured reply text, so failover-exhausted runs report a clean failure instead of replaying stale assistant/tool output.
- Security/external content: strip common self-hosted LLM chat-template special-token literals, including Qwen/ChatML, Llama, Gemma, Mistral, Phi, and GPT-OSS markers, from wrapped external content and metadata, preventing tokenizer-layer role-boundary spoofing against OpenAI-compatible backends that preserve special tokens in user text.
- npm/install: mirror the `node-domexception` alias into root `package.json` `overrides`, so npm installs stop surfacing the deprecated `google-auth-library -> gaxios -> node-fetch -> fetch-blob -> node-domexception` chain pulled through Pi/Google runtime deps. Thanks [@vincentkoc](https://redirect.github.com/vincentkoc).
- Auth/commands: require owner identity (an owner-candidate match or internal `operator.admin`) for owner-enforced commands instead of treating wildcard channel `allowFrom` or empty owner-candidate lists as sufficient, so non-owner senders can no longer reach owner-only commands through a permissive fallback when `enforceOwnerForCommands=true` and `commands.ownerAllowFrom` is unset. ([#69774](https://redirect.github.com/openclaw/openclaw/issues/69774)) Thanks [@drobison00](https://redirect.github.com/drobison00).
- Control UI/CSP: tighten `img-src` to `'self' data:` only, and make Control UI avatar helpers drop remote `http(s)` and protocol-relative URLs so the UI falls back to the built-in logo/badge instead of issuing arbitrary remote image fetches. Same-origin avatar routes (relative paths) and `data:image/...` avatars still render. ([#69773](https://redirect.github.com/openclaw/openclaw/issues/69773))
- CLI/channels: keep `status`, `health`, `channels list`, and `channels status` on read-only channel metadata when Telegram, Slack, Discord, or third-party channel plugins are configured, avoiding full bundled plugin runtime imports on those cold paths. Fixes [#69042](https://redirect.github.com/openclaw/openclaw/issues/69042). ([#69479](https://redirect.github.com/openclaw/openclaw/issues/69479)) Thanks [@gumadeiras](https://redirect.github.com/gumadeiras).
- Synology Chat: validate outbound webhook `file_url` values against the shared SSRF policy before forwarding to the NAS, rejecting malformed URLs, non-`http(s)` schemes, and private/blocked network targets so the NAS cannot be used as a confused deputy to fetch internal addresses. ([#69784](https://redirect.github.com/openclaw/openclaw/issues/69784)) Thanks [@eleqtrizit](https://redirect.github.com/eleqtrizit).
- LINE: validate outbound media URLs against the shared public-network guard before handing them to LINE, preserving arbitrary public HTTPS media while rejecting loopback, link-local, and private-network targets.
- Gateway/Control UI: require gateway auth on the Control UI avatar route (`GET /avatar/<agentId>` and `?meta=1` metadata) when auth is configured, matching the sibling assistant-media route, and propagate the existing gateway token through the UI avatar fetch (bearer header + authenticated blob URL) so authenticated dashboards still load local avatars. ([#69775](https://redirect.github.com/openclaw/openclaw/issues/69775))
- Google Chat/auth: replace the Google auth `gaxios` shim with a scoped SSRF-guarded transport, validate service-account auth endpoints against trusted Google URLs, and let the plugin own its staged `gaxios` auth runtime instead of patching process-wide globals or the root CLI startup path. Thanks [@vincentkoc](https://redirect.github.com/vincentkoc).
- Exec/allowlist: reject POSIX parameter expansion forms such as `$VAR`, `$?`, `$$`, `$1`, and `$@` inside unquoted heredocs during shell approval analysis, so these heredocs no longer pass allowlist review as plain text. ([#69795](https://redirect.github.com/openclaw/openclaw/issues/69795)) Thanks [@drobison00](https://redirect.github.com/drobison00).
- Gateway/MCP loopback: derive owner-only tool visibility from distinct authenticated owner vs non-owner loopback bearers instead of the caller-controlled owner header, so non-owner MCP child processes cannot recover owner access by spoofing request metadata. ([#69796](https://redirect.github.com/openclaw/openclaw/issues/69796))
- GitHub Copilot: update the default Opus model from `claude-opus-4.6` to `claude-opus-4.7` after GitHub removed Copilot support for 4.6. ([#69818](https://redirect.github.com/openclaw/openclaw/issues/69818)) Thanks [@shakkernerd](https://redirect.github.com/shakkernerd).
- OpenShell: pin host-side sandbox writes under the mounted root so symlink-parent rebinds cannot redirect `writeFile` outside the workspace during local mirror updates. ([#69797](https://redirect.github.com/openclaw/openclaw/issues/69797)) Thanks [@drobison00](https://redirect.github.com/drobison00).
- Ollama/media understanding: register Ollama as an image-capable media-understanding provider so `agents.defaults.imageModel.primary` values like `ollama/qwen2.5vl:7b` route through the Ollama plugin instead of failing as unknown models. ([#69816](https://redirect.github.com/openclaw/openclaw/issues/69816)) Thanks [@soloclz](https://redirect.github.com/soloclz).
- CLI/media understanding: make `openclaw infer image describe --model <provider/model>` execute the explicit image model instead of skipping description when that model supports native vision.
- Usage/providers: keep plugin-owned usage auth enabled when manifest-declared provider auth env vars such as `MINIMAX_CODE_PLAN_KEY` are present, so `/usage` can resolve MiniMax billing credentials through the provider plugin.
- Tlon/uploads: route both hosted Memex upload targets and custom-S3 presigned upload URLs through the shared SSRF guard so blocked private or loopback destinations fail before upload, while public upload URLs continue through the existing hosted upload flow. ([#69794](https://redirect.github.com/openclaw/openclaw/issues/69794)) Thanks [@drobison00](https://redirect.github.com/drobison00).
- Channels/thread routing: keep outbound replies in existing Slack, Mattermost, Matrix, Telegram, Discord, and QA-channel thread sessions by sharing the Plugin SDK thread-aware route builder across bundled plugins.
- Agents/replay: normalize restored assistant text content before provider replay and prompt submission, so legacy or repaired sessions no longer crash on `assistantMsg.content.flatMap`. ([#69850](https://redirect.github.com/openclaw/openclaw/issues/69850)) Thanks [@fuller-stack-dev](https://redirect.github.com/fuller-stack-dev).
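The Exec/allowlist entry above describes the rule that an approval analyser must not treat an unquoted heredoc as inert text when its body carries POSIX parameter expansions. The following is an added example of such a check, not OpenClaw's own code: it locates heredocs in a command, distinguishes quoted delimiters (`<<'EOF'`, which expand nothing) from unquoted ones, and lists the expansion forms found. All identifiers and sample commands are constructed for this example.

```typescript
// Added example, not OpenClaw's own code: a small shell approval-analysis
// helper that locates heredocs in a command and reports POSIX parameter
// expansions ($VAR, ${VAR}, $?, $$, $1, $@, ...) found in UNQUOTED heredoc
// bodies. A heredoc whose delimiter is quoted (<<'EOF', <<"EOF", <<\EOF) is
// literal text and expands nothing, so it is reported as plain text.
// All names here (HeredocFinding, findHeredocs, heredocsArePlainText) are
// hypothetical and do not correspond to OpenClaw's implementation.

interface HeredocFinding {
  delimiter: string;
  quoted: boolean;      // true => body is literal, no expansion possible
  expansions: string[]; // expansion forms found in an unquoted body
}

// Heredoc operator `<<` or `<<-` followed by a delimiter word that is
// single-quoted, double-quoted, backslash-escaped, or a bare identifier.
// `<<<` (bash here-string) is matched first so it is consumed, not misread.
const HEREDOC_OP =
  /<<<|<<(-?)\s*(?:'([^']+)'|"([^"]+)"|\\(\S+)|([A-Za-z_][A-Za-z0-9_]*))/g;

// Expansion forms that are live inside an unquoted heredoc body: ${...},
// $NAME, and the special parameters $? $$ $! $@ $* $# $- $0..$9. The first
// alternative consumes a backslash-escaped dollar (\$) so it is not reported.
const PARAM_EXPANSION =
  /\\\$|\$(?:\{[^}]*\}|[A-Za-z_][A-Za-z0-9_]*|[?$!@*#\-0-9])/g;

function findHeredocs(script: string): HeredocFinding[] {
  const lines = script.split("\n");
  const findings: HeredocFinding[] = [];

  for (let i = 0; i < lines.length; i++) {
    // Collect every heredoc operator on this line; bodies follow in that order.
    const pending: { delimiter: string; quoted: boolean; stripTabs: boolean }[] = [];
    HEREDOC_OP.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = HEREDOC_OP.exec(lines[i])) !== null) {
      if (m[0] === "<<<") continue; // here-string, not a heredoc
      const bare = m[5];
      pending.push({
        delimiter: bare ?? m[2] ?? m[3] ?? m[4] ?? "",
        quoted: bare === undefined,
        stripTabs: m[1] === "-", // <<- strips leading tabs from body and terminator
      });
    }

    for (const h of pending) {
      const body: string[] = [];
      let j = i + 1;
      for (; j < lines.length; j++) {
        const candidate = h.stripTabs ? lines[j].replace(/^\t+/, "") : lines[j];
        if (candidate === h.delimiter) break; // terminator line ends the body
        body.push(candidate);
      }
      const matches: string[] = h.quoted
        ? []
        : (body.join("\n").match(PARAM_EXPANSION) ?? []);
      findings.push({
        delimiter: h.delimiter,
        quoted: h.quoted,
        expansions: matches.filter((x) => x !== "\\$"), // drop escaped \$
      });
      i = j; // resume scanning after the terminator line
    }
  }
  return findings;
}

// True only when no heredoc in the command can expand anything at run time.
function heredocsArePlainText(script: string): boolean {
  return findHeredocs(script).every((f) => f.quoted || f.expansions.length === 0);
}

// Constructed sample commands, not taken from the page.
const UNQUOTED = "cat <<EOF\nuser=$USER status=$? pid=$$ first=$1 all=$@\nEOF";
const QUOTED = "node <<'NODE'\nconsole.log('$HOME is literal here');\nNODE";
const DASHED = "cat <<-EOF\n\tvalue=${FOO:-x} escaped=\\$NOPE\n\tEOF";

for (const s of [UNQUOTED, QUOTED, DASHED]) {
  console.log(heredocsArePlainText(s) ? "plain text" : "needs review", findHeredocs(s));
}
```

The quoted `node <<'NODE' ... NODE` form that the v2026.4.20 Exec/YOLO entry mentions is the case `heredocsArePlainText` accepts; the same body under an unquoted delimiter is flagged for review.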
### [`v2026.4.20`](https://redirect.github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026420)

[Compare Source](https://redirect.github.com/openclaw/openclaw/compare/v2026.4.15...v2026.4.20)

##### Changes

- Onboard/wizard: restyle the setup security disclaimer with a single yellow warning banner, section headings and bulleted checklists, and un-dim the note body so key guidance is easy to scan; add a loading spinner during the initial model catalog load so the wizard no longer goes blank while it runs; add an "API key" placeholder to provider API key prompts. ([#69553](https://redirect.github.com/openclaw/openclaw/issues/69553)) Thanks [@Patrick-Erichsen](https://redirect.github.com/Patrick-Erichsen).
- Agents/prompts: strengthen the default system prompt and OpenAI GPT-5 overlay with clearer completion bias, live-state checks, weak-result recovery, and verification-before-final guidance.
- Models/costs: support tiered model pricing from cached catalogs and configured models, and include bundled Moonshot Kimi K2.6/K2.5 cost estimates for token-usage reports. ([#67605](https://redirect.github.com/openclaw/openclaw/issues/67605)) Thanks [@sliverp](https://redirect.github.com/sliverp).
- Sessions/Maintenance: enforce the built-in entry cap and age prune by default, and prune oversized stores at load time so accumulated cron/executor session backlogs cannot OOM the gateway before the write path runs. ([#69404](https://redirect.github.com/openclaw/openclaw/issues/69404)) Thanks [@bobrenze-bot](https://redirect.github.com/bobrenze-bot).
- Plugins/tests: reuse plugin loader alias and Jiti config resolution across repeated same-context loads, reducing import-heavy test overhead. ([#69316](https://redirect.github.com/openclaw/openclaw/issues/69316)) Thanks [@amknight](https://redirect.github.com/amknight).
- Cron: split runtime execution state into `jobs-state.json` so `jobs.json` stays stable for git-tracked job definitions. ([#63105](https://redirect.github.com/openclaw/openclaw/issues/63105)) Thanks [@Feelw00](https://redirect.github.com/Feelw00).
- Agents/compaction: send opt-in start and completion notices during context compaction. ([#67830](https://redirect.github.com/openclaw/openclaw/issues/67830)) Thanks [@feniix](https://redirect.github.com/feniix).
- Moonshot/Kimi: default bundled Moonshot setup, web search, and media-understanding surfaces to `kimi-k2.6` while keeping `kimi-k2.5` available for compatibility. ([#69477](https://redirect.github.com/openclaw/openclaw/issues/69477)) Thanks [@scoootscooob](https://redirect.github.com/scoootscooob).
- Moonshot/Kimi: allow `thinking.keep = "all"` on `moonshot/kimi-k2.6`, and strip it for other Moonshot models or requests where pinned `tool_choice` disables thinking. ([#68816](https://redirect.github.com/openclaw/openclaw/issues/68816)) Thanks [@aniaan](https://redirect.github.com/aniaan).
- BlueBubbles/groups: forward per-group `systemPrompt` config into inbound context `GroupSystemPrompt` so configured group-specific behavioral instructions (for example threaded-reply and tapback conventions) are injected on every turn. Supports `"*"` wildcard fallback matching the existing `requireMention` pattern. Closes [#60665](https://redirect.github.com/openclaw/openclaw/issues/60665). ([#69198](https://redirect.github.com/openclaw/openclaw/issues/69198)) Thanks [@omarshahine](https://redirect.github.com/omarshahine).
- Plugins/tasks: add a detached runtime registration contract so plugin executors can own detached task lifecycle and cancellation without reaching into core task internals. ([#68915](https://redirect.github.com/openclaw/openclaw/issues/68915)) Thanks [@mbelinky](https://redirect.github.com/mbelinky).
- Terminal/logging: optimize `sanitizeForLog()` by replacing the iterative control-character stripping loop with a single regex pass while preserving the existing ANSI-first sanitization behavior. ([#67205](https://redirect.github.com/openclaw/openclaw/issues/67205)) Thanks [@bulutmuf](https://redirect.github.com/bulutmuf).
- QA/CI: make `openclaw qa suite` and `openclaw qa telegram` fail by default when scenarios fail, add `--allow-failures` for artifact-only runs, and tighten live-lane defaults for CI automation. ([#69122](https://redirect.github.com/openclaw/openclaw/issues/69122)) Thanks [@joshavant](https://redirect.github.com/joshavant).
- Mattermost: stream thinking, tool activity, and partial reply text into a single draft preview post that finalizes in place when safe. ([#47838](https://redirect.github.com/openclaw/openclaw/issues/47838)) Thanks [@ninjaa](https://redirect.github.com/ninjaa).

##### Fixes

- Exec/YOLO: stop rejecting gateway-host exec in `security=full` plus `ask=off` mode via the Python/Node script preflight hardening path, so promptless YOLO exec once again runs direct interpreter stdin and heredoc forms such as `node <<'NODE' ... NODE`.
- OpenAI Codex: normalize legacy `openai-completions` transport overrides on default OpenAI/Codex and GitHub Copilot-compatible hosts back to the native Codex Responses transport while leaving custom proxies untouched. ([#45304](https://redirect.github.com/openclaw/openclaw/issues/45304), [#42194](https://redirect.github.com/openclaw/openclaw/issues/42194)) Thanks [@dyss1992](https://redirect.github.com/dyss1992) and [@DeadlySilent](https://redirect.github.com/DeadlySilent).
- Anthropic/plugins: scope Anthropic `api: "anthropic-messages"` defaulting to Anthropic-owned providers, so `openai-codex` and other providers without an explicit `api` no longer get rewritten to the wrong transport. Fixes [#64534](https://redirect.github.com/openclaw/openclaw/issues/64534).
- fix(qqbot): add SSRF guard to direct-upload URL paths in uploadC2CMedia and uploadGroupMedia [AI-assisted]. ([#69595](https://redirect.github.com/openclaw/openclaw/issues/69595)) Thanks [@pgondhi987](https://redirect.github.com/pgondhi987).
- fix(gateway): enforce allowRequestSessionKey gate on template-rendered mapping sessionKeys. ([#69381](https://redirect.github.com/openclaw/openclaw/issues/69381)) Thanks [@pgondhi987](https://redirect.github.com/pgondhi987).
- Browser/Chrome MCP: surface `DevToolsActivePort` attach failures as browser-connectivity errors instead of a generic "waiting for tabs" timeout, and point signed-out fallbacks toward the managed `openclaw` profile.
- Webchat/images: treat inline image attachments as media for empty-turn gating while still ignoring metadata-only blank turns. ([#69474](https://redirect.github.com/openclaw/openclaw/issues/69474)) Thanks [@Jaswir](https://redirect.github.com/Jaswir).
- Discord/think: only show `adaptive` in `/think` autocomplete for provider/model pairs that actually support provider-managed adaptive thinking, so GPT/OpenAI models no longer advertise an Anthropic-only option.
- Thinking: only expose `max` for models that explicitly support provider max reasoning, and remap stored `max` settings to the largest supported thinking mode when users switch to another model.
- Gateway/usage: bound the cost usage cache with FIFO eviction so date/range lookups cannot grow unbounded. ([#68842](https://redirect.github.com/openclaw/openclaw/issues/68842)) Thanks [@Feelw00](https://redirect.github.com/Feelw00).
- OpenAI/Responses: resolve `/think` levels against each GPT model's supported reasoning efforts so `/think off` no longer becomes high reasoning or sends unsupported `reasoning.effort: "none"` payloads.
- Lobster/TaskFlow: allow managed approval resumes to use `approvalId` without a resume token, and persist that id in approval wait state. ([#69559](https://redirect.github.com/openclaw/openclaw/issues/69559)) Thanks [@kirkluokun](https://redirect.github.com/kirkluokun).
- Plugins/startup: install bundled runtime dependencies into each plugin's own runtime directory, reuse source-checkout repair caches after rebuilds, and log only packages that were actually installed so repeated Gateway starts stay quiet once deps are present.
- Plugins/startup: ignore pnpm's `npm_execpath` when repairing bundled plugin runtime dependencies and skip workspace-only package specs so npm-only install flags or local workspace links do not break packaged plugin startup.
- MCP: block interpreter-startup env keys such as `NODE_OPTIONS` for stdio servers while preserving ordinary credential and proxy env vars. ([#69540](https://redirect.github.com/openclaw/openclaw/issues/69540)) Thanks [@drobison00](https://redirect.github.com/drobison00).
- Agents/shell: ignore non-interactive placeholder shells like `/usr/bin/false` and `/sbin/nologin`, falling back to `sh` so service-user exec runs no longer exit immediately. ([#69308](https://redirect.github.com/openclaw/openclaw/issues/69308)) Thanks [@sk7n4k3d](https://redirect.github.com/sk7n4k3d).
- Setup/TUI: relaunch the setup hatch TUI in a fresh process while preserving the configured gateway target and auth source, so onboarding recovers terminal state cleanly without exposing gateway secrets on command-line args. ([#69524](https://redirect.github.com/openclaw/openclaw/issues/69524)) Thanks [@shakkernerd](https://redirect.github.com/shakkernerd).
- Codex: avoid re-exposing the image-generation tool on native vision turns with inbound images, and keep bare image-model overrides on the configured image provider. ([#65061](https://redirect.github.com/openclaw/openclaw/issues/65061)) Thanks [@zhulijin1991](https://redirect.github.com/zhulijin1991).
- Sessions/reset: clear auto-sourced model, provider, and auth-profile overrides on `/new` and `/reset` while preserving explicit user selections, so channel sessions stop staying pinned to runtime fallback choices. ([#69419](https://redirect.github.com/openclaw/openclaw/issues/69419)) Thanks [@sk7n4k3d](https://redirect.github.com/sk7n4k3d).
- Sessions/costs: snapshot `estimatedCostUsd` like token counters so repeated persist paths no longer compound the same run cost by up to dozens of times. ([#69403](https://redirect.github.com/openclaw/openclaw/issues/69403)) Thanks [@MrMiaigi](https://redirect.github.com/MrMiaigi).
- OpenAI Codex: route ChatGPT/Codex OAuth Responses requests through the `/backend-api/codex` endpoint so `openai-codex/gpt-5.4` no longer hits the removed `/backend-api/responses` alias. ([#69336](https://redirect.github.com/openclaw/openclaw/issues/69336)) Thanks [@mzogithub](https://redirect.github.com/mzogithub).
- OpenAI/Responses: omit disabled reasoning payloads when `/think off` is active, so GPT reasoning models no longer receive unsupported `reasoning.effort: "none"` requests. ([#61982](https://redirect.github.com/openclaw/openclaw/issues/61982)) Thanks [@a-tokyo](https://redirect.github.com/a-tokyo).
- Gateway/pairing: treat loopback shared-secret node-host, TUI, and gateway clients as local for pairing decisions, so trusted local tools no longer reconnect as remote clients and fail with `pairing required`. ([#69431](https://redirect.github.com/openclaw/openclaw/issues/69431)) Thanks [@SARAMALI15792](https://redirect.github.com/SARAMALI15792).
- Active Memory: degrade gracefully when memory recall fails during prompt building, logging a warning and letting the reply continue without memory context instead of failing the whole turn. ([#69485](https://redirect.github.com/openclaw/openclaw/issues/69485)) Thanks [@Magicray1217](https://redirect.github.com/Magicray1217).
- Ollama: add provider-policy defaults for `baseUrl` and `models` so implicit local discovery can run before config validation rejects a minimal Ollama provider config. ([#69370](https://redirect.github.com/openclaw/openclaw/issues/69370)) Thanks [@PratikRai0101](https://redirect.github.com/PratikRai0101).
- Agents/model selection: clear transient auto-failover session overrides before each turn so recovered primary models are retried immediately without emitting user-override reset warnings. ([#69365](https://redirect.github.com/openclaw/openclaw/issues/69365)) Thanks [@hitesh-github99](https://redirect.github.com/hitesh-github99).
- Auto-reply: apply silent `NO_REPLY` policy per conversation type, so direct chats get a helpful rewritten reply while groups and internal deliveries can remain quiet. ([#68644](https://redirect.github.com/openclaw/openclaw/issues/68644)) Thanks [@Takhoffman](https://redirect.github.com/Takhoffman).
- Telegram/status reactions: honor `messages.removeAckAfterReply` when lifecycle status reactions are enabled, clearing or restoring the reaction after success/error using the configured hold timings. ([#68067](https://redirect.github.com/openclaw/openclaw/issues/68067)) Thanks [@poiskgit](https://redirect.github.com/poiskgit).
- Web search/plugins: resolve plugin-scoped SecretRef API keys for bundled Exa, Firecrawl, Gemini, Kimi, Perplexity, Tavily, and Grok web-search providers when they are selected through the shared web-search config. ([#68424](https://redirect.github.com/openclaw/openclaw/issues/68424)) Thanks [@afurm](https://redirect.github.com/afurm).
- Telegram/polling: raise the default polling watchdog threshold from 90s to 120s and add configurable `channels.telegram.pollingStallThresholdMs` (also per-account) so long-running Telegram work gets more room before polling is treated as stalled. ([#57737](https://redirect.github.com/openclaw/openclaw/issues/57737)) Thanks [@Vitalcheffe](https://redirect.github.com/Vitalcheffe).
- Telegram/polling: bound the persisted-offset confirmation `getUpdates` probe with a client-side timeout so a zombie socket cannot hang polling recovery before the runner watchdog starts. ([#50368](https://redirect.github.com/openclaw/openclaw/issues/50368)) Thanks [@boticlaw](https://redirect.github.com/boticlaw).
- Agents/Pi runner: retry silent `stopReason=error` turns with no output when no side effects ran, so non-frontier providers that briefly return empty error turns get another chance instead of ending the session early. ([#68310](https://redirect.github.com/openclaw/openclaw/issues/68310)) Thanks [@Chased1k](https://redirect.github.com/Chased1k).
- Plugins/memory: preserve the active memory capability when read-only snapshot plugin loads run, so status and provider discovery paths no longer wipe memory public artifacts. ([#69219](https://redirect.github.com/openclaw/openclaw/issues/69219)) Thanks [@zeroaltitude](https://redirect.github.com/zeroaltitude).
- Plugins: keep only the highest-precedence manifest when distinct discovered plugins share an id, so lower-precedence global or workspace duplicates no longer load beside bundled or config-selected plugins. ([#41626](https://redirect.github.com/openclaw/openclaw/issues/41626)) Thanks [@Tortes](https://redirect.github.com/Tortes).
- fix(security): block MINIMAX_API_HOST workspace env injection and remove env-driven URL routing [AI-assisted]. ([#67300](https://redirect.github.com/openclaw/openclaw/issues/67300)) Thanks [@pgondhi987](https://redirect.github.com/pgondhi987).
- Cron/delivery: treat explicit `delivery.mode: "none"` runs as not requested even if the runner reports `delivered: false`, so no-delivery cron jobs no longer persist false delivery failures or errors. ([#69285](https://redirect.github.com/openclaw/openclaw/issues/69285)) Thanks [@matsuri1987](https://redirect.github.com/matsuri1987).
- Plugins/install: repair active and default-enabled bundled plugin runtime dependencies before import in packaged installs, so bundled Discord, WhatsApp, Slack, Telegram, and provider plugins work without putting their dependency trees in core.
- BlueBubbles: raise the outbound `/api/v1/message/text` send timeout default from 10s to 30s, and add a configurable `channels.bluebubbles.sendTimeoutMs` (also per-account) so macOS 26 setups where Private API iMessage sends stall for 60+ seconds no longer silently lose messages at the 10s abort. Probes, chat lookups, and health checks keep the shorter 10s default. Fixes [#67486](https://redirect.github.com/openclaw/openclaw/issues/67486). ([#69193](https://redirect.github.com/openclaw/openclaw/issues/69193)) Thanks [@omarshahine](https://redirect.github.com/omarshahine).
- Agents/bootstrap: budget truncation markers against per-file caps, preserve source content instead of silently wasting bootstrap bytes, and avoid marker-only output in tiny-budget truncation cases. ([#69114](https://redirect.github.com/openclaw/openclaw/issues/69114)) Thanks [@BKF-Gitty](https://redirect.github.com/BKF-Gitty).
- Context engine/plugins: stop rejecting third-party context engines whose `info.id` differs from the registered plugin slot id. The strict-match contract added in 2026.4.14 broke `lossless-claw` and other plugins whose internal engine id does not equal the slot id they are registered under, producing repeated `info.id must match registered id` lane failures on every turn. Fixes [#66601](https://redirect.github.com/openclaw/openclaw/issues/66601). ([#66678](https://redirect.github.com/openclaw/openclaw/issues/66678)) Thanks [@GodsBoy](https://redirect.github.com/GodsBoy).
- Agents/compaction: rename embedded Pi compaction lifecycle events to `compaction_start` / `compaction_end` so OpenClaw stays aligned with `pi-coding-agent` 0.66.1 event naming. ([#67713](https://redirect.github.com/openclaw/openclaw/issues/67713)) Thanks [@mpz4life](https://redirect.github.com/mpz4life).
- Security/dotenv: block all `OPENCLAW_*` keys from untrusted workspace `.env` files so workspace-local env loading fails closed for new runtime-control variables instead of silently inheriting them. ([#473](https://redirect.github.com/openclaw/openclaw/issues/473))
- Gateway/device pairing: restrict non-admin paired-device sessions (device-token auth) to their own pairing list, approve, and reject actions so a paired device cannot enumerate other devices or approve/reject pairing requests authored by another device. Admin and shared-secret operator sessions retain full visibility. ([#69375](https://redirect.github.com/openclaw/openclaw/issues/69375)) Thanks [@eleqtrizit](https://redirect.github.com/eleqtrizit).
- Agents/gateway tool: extend the agent-facing `gateway` tool's config mutation guard so model-driven `config.patch` and `config.apply` cannot rewrite operator-trusted paths (sandbox, plugin trust, gateway auth/TLS, hook routing and tokens, SSRF policy, MCP servers, workspace filesystem hardening) and cannot bypass the guard by editing per-agent sandbox, tools, or embedded-Pi overrides in place under `agents.list[]`. ([#69377](https://redirect.github.com/openclaw/openclaw/issues/69377)) Thanks [@eleqtrizit](https://redirect.github.com/eleqtrizit).
- Gateway/websocket broadcasts: require `operator.read` (or higher) for chat, agent, and tool-result event frames so pairing-scoped and node-role sessions no longer passively receive session chat content, and scope-gate unknown broadcast events by default. Plugin-defined `plugin.*` broadcasts are scoped to operator.write/admin, and status/transport events (`heartbeat`, `presence`, `tick`, etc.) remain unrestricted. Per-client sequence numbers preserve per-connection monotonicity. ([#69373](https://redirect.github.com/openclaw/openclaw/issues/69373)) Thanks [@eleqtrizit](https://redirect.github.com/eleqtrizit).
- Agents/compaction: always reload embedded Pi resources through an explicit loader and reapply reserve-token overrides so runs without extension factories no longer silently lose compaction settings before session start. ([#67146](https://redirect.github.com/openclaw/openclaw/issues/67146)) Thanks [@ly85206559](https://redirect.github.com/ly85206559).
- Memory-core/dreaming: normalize sweep timestamps and reuse hashed narrative session keys for fallback cleanup so Dreaming narrative sub-sessions stop leaking. ([#67023](https://redirect.github.com/openclaw/openclaw/issues/67023)) Thanks [@chiyouYCH](https://redirect.github.com/chiyouYCH).
- Gateway/startup: delay HTTP bind until websocket handlers are attached, so immediate post-startup websocket health/connect probes no longer hit the startup race window. ([#43392](https://redirect.github.com/openclaw/openclaw/issues/43392)) Thanks [@dalefrieswthat](https://redirect.github.com/dalefrieswthat).
- Codex/app-server: release the session lane when a downstream consumer throws while draining the `turn/completed` notification, so follow-up messages after a Codex plugin reply stop queueing behind a stale lane lock. Fixes [#67996](https://redirect.github.com/openclaw/openclaw/issues/67996). ([#69072](https://redirect.github.com/openclaw/openclaw/issues/69072)) Thanks [@ayeshakhalid192007-dev](https://redirect.github.com/ayeshakhalid192007-dev).
- Codex/app-server: default approval handling to `on-request` so Codex harness sessions do not start with overly permissive tool approvals. ([#68721](https://redirect.github.com/openclaw/openclaw/issues/68721)) Thanks [@Lucenx9](https://redirect.github.com/Lucenx9).
- Cron/delivery: keep isolated cron chat delivery tools available, resolve `channel: "last"` targets from the gateway, show delivery previews in `cron list/show`, and avoid duplicate fallback sends after direct message-tool delivery. ([#69587](https://redirect.github.com/openclaw/openclaw/issues/69587)) Thanks [@obviyus](https://redirect.github.com/obviyus).
- Cron/Telegram: key isolated direct-delivery dedupe to each cron execution instead of the reused session id, so recurring Telegram announce runs no longer report delivered while silently skipping later sends. ([#69000](https://redirect.github.com/openclaw/openclaw/issues/69000)) Thanks [@obviyus](https://redirect.github.com/obviyus).
- Models/Kimi: default bundled Kimi thinking to off and normalize Anthropic-compatible `thinking` payloads so stale session `/think` state no longer silently re-enables reasoning on Kimi runs. ([#68907](https://redirect.github.com/openclaw/openclaw/issues/68907)) Thanks [@frankekn](https://redirect.github.com/frankekn).
- Control UI/cron: keep the runtime-only `last` delivery sentinel from being materialized into persisted cron delivery and failure-alert channel configs when jobs are created or edited. ([#68829](https://redirect.github.com/openclaw/openclaw/issues/68829)) Thanks [@tianhaocui](https://redirect.github.com/tianhaocui).
- OpenAI/Responses: strip orphaned reasoning blocks before outbound Responses API calls so compacted or restored histories no longer fail on standalone reasoning items. ([#55787](https://redirect.github.com/openclaw/openclaw/issues/55787)) Thanks [@suboss87](https://redirect.github.com/suboss87).
- Cron/CLI: parse PowerShell-style `--tools` allow-lists the same way as comma-separated input, so `cron add` and `cron edit` no longer persist `exec read write` as one combined tool entry on Windows. ([#68858](https://redirect.github.com/openclaw/openclaw/issues/68858)) Thanks [@chen-zhang-cs-code](https://redirect.github.com/chen-zhang-cs-code).
- Browser/user-profile: let existing-session `profile="user"` tool calls auto-route to a connected browser node or use explicit `target="node"`, while still honoring explicit `target="host"` pinning. ([#48677](https://redirect.github.com/openclaw/openclaw/issues/48677))
- Discord/slash commands: tolerate partial Discord channel metadata in slash-command and model-picker flows so partial channel objects no longer crash when channel names, topics, or thread parent metadata are unavailable. ([#68953](https://redirect.github.com/openclaw/openclaw/issues/68953)) Thanks [@dutifulbob](https://redirect.github.com/dutifulbob).
- BlueBubbles: consolidate outbound HTTP through a typed `BlueBubblesClient` that resolves the SSRF policy once at construction so image attachments stop getting blocked on localhost and reactions stop getting blocked on private-IP BB deployments. Fixes [#34749](https://redirect.github.com/openclaw/openclaw/issues/34749) and [#59722](https://redirect.github.com/openclaw/openclaw/issues/59722). ([#68234](https://redirect.github.com/openclaw/openclaw/issues/68234)) Thanks [@omarshahine](https://redirect.github.com/omarshahine).
- Cron/gateway: reject ambiguous announce delivery config at add/update time so invalid multi-channel or target-id provider settings fail early instead of persisting broken cron jobs. ([#69015](https://redirect.github.com/openclaw/openclaw/issues/69015)) Thanks [@obviyus](https://redirect.github.com/obviyus).
- Cron/main-session delivery: preserve `heartbeat.target="last"` through deferred wake queuing, gateway wake forwarding, and same-target wake coalescing so queued cron replies still return to the last active chat. ([#69021](https://redirect.github.com/openclaw/openclaw/issues/69021)) Thanks [@obviyus](https://redirect.github.com/obviyus).
- Cron/gateway: ignore disabled channels when announce delivery ambiguity is checked, and validate main-session delivery patches against the live cron service default agent so hot-reloaded agent config does not falsely reject valid updates. ([#69040](https://redirect.github.com/openclaw/openclaw/issues/69040)) Thanks [@obviyus](https://redirect.github.com/obviyus).
- Matrix/allowlists: hot-reload `dm.allowFrom` and `groupAllowFrom` entries on inbound messages while keeping config removals authoritative, so Matrix allowlist changes no longer require a channel restart to add or revoke a sender. ([#68546](https://redirect.github.com/openclaw/openclaw/issues/68546)) Thanks [@johnlanni](https://redirect.github.com/johnlanni).
- BlueBubbles: always set `method` explicitly on outbound text sends (`"private-api"` when available, `"apple-script"` otherwise), and prefer Private API on macOS 26 even for plain text.
Fixes silent delivery failure on macOS setups without Private API where an omitted `method` let BB Server fall back to version-dependent default behavior that silently drops the message ([#&#8203;64480](https://redirect.github.com/openclaw/openclaw/issues/64480)), and the AppleScript `-1700` error on macOS 26 Tahoe plain text sends ([#&#8203;53159](https://redirect.github.com/openclaw/openclaw/issues/53159)). ([#&#8203;69070](https://redirect.github.com/openclaw/openclaw/issues/69070)) Thanks [@&#8203;xqing3](https://redirect.github.com/xqing3). - Matrix/commands: recognize slash commands that are prefixed with the bot's Matrix mention, so room messages like `@bot:server /new` trigger the command path without requiring custom mention regexes. ([#&#8203;68570](https://redirect.github.com/openclaw/openclaw/issues/68570)) Thanks [@&#8203;nightq](https://redirect.github.com/nightq) and [@&#8203;johnlanni](https://redirect.github.com/johnlanni). - Gateway/pairing: return reason-specific `PAIRING_REQUIRED` details, remediation hints, and request ids so unapproved-device and scope-upgrade failures surface actionable recovery guidance in the CLI and Control UI. ([#&#8203;69227](https://redirect.github.com/openclaw/openclaw/issues/69227)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). - Agents/subagents: include requested role and runtime timing on subagent failure payloads so parent agents can correlate failed or timed-out child work. ([#&#8203;68726](https://redirect.github.com/openclaw/openclaw/issues/68726)) Thanks [@&#8203;BKF-Gitty](https://redirect.github.com/BKF-Gitty). - Gateway/sessions: reject stale agent-scoped sessions after an agent is removed from config while preserving legacy default-agent main-session aliases. ([#&#8203;65986](https://redirect.github.com/openclaw/openclaw/issues/65986)) Thanks [@&#8203;bittoby](https://redirect.github.com/bittoby). 
- Doctor/gateway: surface pending device pairing requests, scope-upgrade approval drift, and stale device-token mismatch repair steps so `openclaw doctor --fix` no longer leaves pairing/auth setup failures unexplained. ([#&#8203;69210](https://redirect.github.com/openclaw/openclaw/issues/69210)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). - Cron/isolated-agent: preserve explicit `delivery.mode: "none"` message targets for isolated runs without inheriting implicit `last` routing, so agent-initiated Telegram sends keep their authored destination while bare `mode:none` jobs stay targetless. ([#&#8203;69153](https://redirect.github.com/openclaw/openclaw/issues/69153)) Thanks [@&#8203;davehappyminion](https://redirect.github.com/davehappyminion) and [@&#8203;nikilster](https://redirect.github.com/nikilster). - Cron/isolated-agent: keep `delivery.mode: "none"` account-only or thread-only configs from inheriting a stale implicit recipient, so isolated runs only resolve message routing when the job authored an explicit `to` target. ([#&#8203;69163](https://redirect.github.com/openclaw/openclaw/issues/69163)) Thanks [@&#8203;davehappyminion](https://redirect.github.com/davehappyminion) and [@&#8203;nikilster](https://redirect.github.com/nikilster). - Gateway/TUI: retry session history while the local gateway is still finishing startup, so `openclaw tui` reconnects no longer fail on transient `chat.history unavailable during gateway startup` errors. ([#&#8203;69164](https://redirect.github.com/openclaw/openclaw/issues/69164)) Thanks [@&#8203;shakkernerd](https://redirect.github.com/shakkernerd). - BlueBubbles/reactions: fall back to `love` when an agent reacts with an emoji outside the iMessage tapback set (`love`/`like`/`dislike`/`laugh`/`emphasize`/`question`), so wider-vocabulary model reactions like `👀` still produce a visible tapback instead of failing the whole reaction request. 
Configured ack reactions still validate strictly via the new `normalizeBlueBubblesReactionInputStrict` path. ([#&#8203;64693](https://redirect.github.com/openclaw/openclaw/issues/64693)) Thanks [@&#8203;zqchris](https://redirect.github.com/zqchris). - BlueBubbles: prefer iMessage over SMS when both chats exist for the same handle, honor explicit `sms:` targets, and never silently downgrade iMessage-available recipients. ([#&#8203;61781](https://redirect.github.com/openclaw/openclaw/issues/61781)) Thanks [@&#8203;rmartin](https://redirect.github.com/rmartin). - Telegram/setup: require numeric `allowFrom` user IDs during setup instead of offering unsupported `@username` DM resolution, and point operators to `from.id`/`getUpdates` for discovery. ([#&#8203;69191](https://redirect.github.com/openclaw/openclaw/issues/69191)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). - GitHub Copilot/onboarding: default GitHub Copilot setup to `claude-opus-4.6` and keep the bundled default model list aligned, so new Copilot setups no longer start on the older `gpt-4o` default. ([#&#8203;69207](https://redirect.github.com/openclaw/openclaw/issues/69207)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). - Gateway/status: separate reachability, capability, and read-probe reporting so connect-only or scope-limited sessions no longer look fully healthy, and normalize SSH targets entered as `ssh user@host`. ([#&#8203;69215](https://redirect.github.com/openclaw/openclaw/issues/69215)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). - Slack: fix outbound replies failing with "unresolved SecretRef" for accounts configured via `file` or `exec` secret sources; the send path now tolerates the runtime snapshot retaining an unresolved channel SecretRef when a boot-resolved token override is already available. ([#&#8203;68954](https://redirect.github.com/openclaw/openclaw/issues/68954)) Thanks [@&#8203;openperf](https://redirect.github.com/openperf). 
- Control UI/device pairing: explain scope and role approval upgrades during reconnects, and show requested versus approved access in the Control UI and `openclaw devices` so broader reconnects no longer look like lost pairings. ([#&#8203;69221](https://redirect.github.com/openclaw/openclaw/issues/69221)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). - Gateway/Control UI: surface pending scope, role, and device-metadata pairing approvals in auth errors and Control UI hints so broader reconnects no longer look like random auth breakage. ([#&#8203;69226](https://redirect.github.com/openclaw/openclaw/issues/69226)) Thanks [@&#8203;obviyus](https://redirect.github.com/obviyus). </details> --- ### Configuration 📅 **Schedule**: Branch creation - Every minute ( * * * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My43Ni4yIiwidXBkYXRlZEluVmVyIjoiNDMuNzYuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
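The Gateway/websocket broadcasts entry in the release notes above describes a default-deny scope gate: session-content frames need `operator.read` or higher, `plugin.*` frames need operator.write/admin, status/transport events stay unrestricted, unknown events are gated by default, and sequence numbers are kept per client. The following is an added illustration of that policy, written for this page and not taken from OpenClaw's code base; the content event names (`chat`, `agent`, `tool.result`), the numeric scope ranking, the `ClientSession` shape and the `Broadcaster` class are assumptions made for the example, while the `heartbeat`/`presence`/`tick` names and the `operator.read`/`operator.write`/`admin` scopes come from the notes.

```typescript
// Added example (not OpenClaw's code): a default-deny scope gate for gateway
// broadcast frames, modelled on the policy in the v2026.4.21 release notes.
// Content event names, the scope ranking and the session shape are assumptions.

export type Scope = "operator.read" | "operator.write" | "admin";

// Ranking so that "operator.read or higher" can be checked numerically.
const SCOPE_RANK: Record<Scope, number> = {
  "operator.read": 1,
  "operator.write": 2,
  admin: 3,
};

// Status/transport events that remain unrestricted (names from the notes).
const UNRESTRICTED_EVENTS: ReadonlySet<string> = new Set(["heartbeat", "presence", "tick"]);

// Session-content events gated on operator.read or higher (names assumed).
const CONTENT_EVENTS: ReadonlySet<string> = new Set(["chat", "agent", "tool.result"]);

export interface ClientSession {
  id: string;
  role: "operator" | "node" | "pairing";
  scopes: Scope[]; // empty for a pairing-scoped or node-role session
}

export interface Frame {
  to: string;
  event: string;
  seq: number;
  payload: unknown;
}

function highestRank(scopes: Scope[]): number {
  return scopes.reduce((max, s) => Math.max(max, SCOPE_RANK[s]), 0);
}

// Decide whether `event` may be delivered to `session`. Anything not explicitly
// classified falls through to the default-deny branch, so a newly added frame
// type is never leaked to low-privilege sessions by accident.
export function canReceiveBroadcast(session: ClientSession, event: string): boolean {
  if (UNRESTRICTED_EVENTS.has(event)) return true;
  const rank = highestRank(session.scopes);
  if (CONTENT_EVENTS.has(event)) return rank >= SCOPE_RANK["operator.read"];
  if (event.startsWith("plugin.")) return rank >= SCOPE_RANK["operator.write"];
  return false; // unknown broadcast: scope-gated (denied) by default
}

// Frames are filtered per connection, so a single global counter would leave
// gaps in what each client sees. A per-client counter keeps every connection's
// sequence numbers contiguous and monotonic.
export class Broadcaster {
  private readonly nextSeq = new Map<string, number>();
  private readonly sent: Frame[] = [];

  broadcast(sessions: ClientSession[], event: string, payload: unknown): void {
    for (const s of sessions) {
      if (!canReceiveBroadcast(s, event)) continue;
      const seq = (this.nextSeq.get(s.id) ?? 0) + 1;
      this.nextSeq.set(s.id, seq);
      this.sent.push({ to: s.id, event, seq, payload }); // a real gateway writes to the socket here
    }
  }

  framesFor(clientId: string): Frame[] {
    return this.sent.filter((f) => f.to === clientId);
  }
}

// Walk-through with three constructed sessions of differing privilege.
export function demo(): Broadcaster {
  const reader: ClientSession = { id: "reader", role: "operator", scopes: ["operator.read"] };
  const admin: ClientSession = { id: "admin", role: "operator", scopes: ["admin"] };
  const node: ClientSession = { id: "node", role: "node", scopes: [] };
  const all = [reader, admin, node];
  const b = new Broadcaster();
  b.broadcast(all, "heartbeat", { ts: 1 });              // unrestricted
  b.broadcast(all, "chat", { text: "session content" }); // operator.read or higher
  b.broadcast(all, "plugin.example", { n: 1 });          // operator.write or higher
  b.broadcast(all, "unclassified.event", {});            // denied for everyone
  return b;
}
```

After `demo()` runs, the node-role session has received only the heartbeat (its sequence is `[1]`), the reader has `[1, 2]`, and the admin has `[1, 2, 3]`; each client's counter is gap-free even though the same four broadcasts were filtered differently for each of them.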
Reference
les_clankeurs/openclaw-image-2!23