OpenClaw v2026.5.12-beta.7 Release Summary
Key Changes
Core Infrastructure & Security
- Security Hardening: Implemented stricter validation for Windows sandbox binds to block credential-bearing roots (e.g., .ssh, .codex) even when HOME is redirected. Additionally, the sandbox browser CDP relay now requires an application-layer credential, replacing the previous reliance on network source filtering.
- Device Pairing & Auth: Enhanced the pairing process by requiring explicit approval for setup-code device pairing and browser-origin Control UI sessions. Trusted-proxy authentication now rejects host-local non-loopback interface peers to prevent unauthorized access via the gateway host's own addresses.
- Configuration Management: Centralized config-file mutations to prevent data loss during concurrent writes. A new pre-update snapshot mechanism now protects openclaw.json from being wiped during version upgrades, specifically fixing issues where doctor --fix would strip unknown keys before migration.
- Build System: Upgraded the workspace to pnpm 11, aligning Docker, install, and update workflows with the new package manager surface.
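The bind check described under Security Hardening can be sketched as follows. This is an added example, not OpenClaw's own code: the function names, the sample environment and the choice to also block ancestor directories that would expose a credential root are assumptions, and only drive-letter paths are handled.

```javascript
// Added illustration, not OpenClaw source. All names here are hypothetical.
const CREDENTIAL_DIRS = [".ssh", ".codex"]; // the two examples named in the release notes

// Minimal Windows path normalizer: unify separators, fold case, resolve "." and "..".
function normalizeWin(p) {
  const parts = [];
  for (const seg of p.replace(/\//g, "\\").toLowerCase().split("\\")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { if (parts.length > 1) parts.pop(); continue; } // never pop the drive
    parts.push(seg);
  }
  return parts.join("\\");
}

const isSameOrInside = (child, parent) =>
  child === parent || child.startsWith(parent + "\\");

// homes: every directory that may hold the user's credentials. Deriving roots from
// the OS profile directory as well as HOME is what makes a redirected HOME irrelevant.
function classifyBind(source, homes) {
  const src = normalizeWin(source);
  if (!src) return { allowed: false, reason: "empty or root-only path" };
  for (const home of homes.filter(Boolean).map(normalizeWin)) {
    for (const dir of CREDENTIAL_DIRS) {
      const root = home + "\\" + dir;
      // Block the root itself, anything below it, and any ancestor that exposes it.
      if (isSameOrInside(src, root)) return { allowed: false, reason: `inside ${root}` };
      if (isSameOrInside(root, src)) return { allowed: false, reason: `exposes ${root}` };
    }
  }
  return { allowed: true, reason: "no credential root involved" };
}

// Constructed scenario: HOME has been redirected to a scratch directory.
const env = { USERPROFILE: "C:\\Users\\alice", HOME: "D:\\scratch\\home" };
const homes = [env.USERPROFILE, env.HOME];
const samples = [
  "C:/Users/Alice/.SSH",                        // case and separator variants
  "D:\\work\\..\\scratch\\home\\.codex\\auth",  // traversal into the redirected HOME
  "C:\\Users\\alice",                           // ancestor of a credential root
  "D:\\work\\repo",                             // ordinary project directory
];
for (const s of samples) console.log(s, classifyBind(s, homes));
```

Passing only the redirected HOME as the home list lets the real profile's .ssh directory through, which is the gap the stricter validation closes.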
Agent & Runtime Enhancements
- Codex Harness: Improved the Codex app-server by mirroring native subagent lifecycle events into the Task Registry and rotating incompatible context-engine threads to prevent stale history from causing context-window overflows. Codex cron turns now execute automation payloads directly, skipping unnecessary workspace bootstrap reads to avoid timeouts.
- ACP (Agent Client Protocol): Added backend provider failover for UNAVAILABLE errors, allowing ACP turns to try configured backup backends. The ACP bridge now exposes session lineage metadata (e.g., parentSessionId, spawnDepth) in _meta fields for better client-side session graphing.
- Tooling & Execution: Introduced per-sender tool capability tiers via toolsBySender, allowing operators to restrict dangerous tools (like exec) for specific users at the schema level. The system now also normalizes array tool schemas by adding permissive items: {} to prevent OpenAI-compatible providers from rejecting tool submissions.
Channel & Integration Updates
- Telegram: Significantly improved polling resilience by moving ingress to an isolated worker with a durable local spool, ensuring messages are not lost during main event-loop stalls. Added support for localized command menu descriptions and fixed a critical bug where bot token rotation caused the poller to silently drop new messages due to stale offsets.
- Slack: Added replyBroadcast support for thread replies and improved the handling of private-file redirect headers to prevent media download failures.
- iMessage: Fixed a bug where media-only sends included visible <media:image> placeholder text and improved the handling of pasted links by ignoring Apple's internal preview blobs.
- WhatsApp: Externalized the WhatsApp channel as a ClawHub/npm plugin to reduce core runtime dependencies and updated the underlying Baileys library.
UI & Diagnostics
- Control UI: Added a persisted auto-scroll mode selector for WebChat and nested subagent sessions visually under their parent in the session picker. A new /context map command provides a WinDirStat-style treemap image of session context contributors.
- Diagnostics: Introduced a startupGraceMs window to suppress false liveness warnings during cold starts, while still sampling metrics for baseline analysis.
Impact
This release primarily impacts operators running high-concurrency agents or those utilizing the Codex and ACP runtimes. The move to an isolated worker for Telegram polling prevents catastrophic message loss during event-loop saturation. Security-conscious deployments benefit from the hardened sandbox and pairing requirements, which move the system toward a "fail-closed" security model for device and browser access.
For plugin developers, the expanded SDK now supports typed session actions, host-mediated attachments, and scheduled session turns, enabling more complex asynchronous workflows without requiring internal runner access.
Upgrade Guide
Breaking Changes & Migration
- iMessage Sender Allowlist: Sender allowlist matching now strictly requires normalized sender handles. Conversation-scoped IDs (chat IDs/GUIDs) are no longer accepted as proof of sender identity. Users must update their allowFrom configurations to use sender handles.
- Trusted Proxy Configuration: Deployments that listed the gateway host's own non-loopback interface address in gateway.trustedProxies will find these requests rejected. Use a distinct proxy peer address or the loopback trusted-proxy path.
- Plugin Installations: Some plugin installs may now be blocked by the built-in scanner if installed dependency runtime files contain critical code patterns. Use the --force or trusted install flags to override these blocks if necessary.
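For the trusted-proxy change, operators can check before upgrading which gateway.trustedProxies entries match one of the host's own non-loopback addresses. The following is an added example, not OpenClaw's own code: the function names are hypothetical, entries are assumed to be plain IP addresses (no CIDR ranges), and loopback entries are assumed to remain acceptable.

```javascript
// Added illustration, not OpenClaw source. Function names are hypothetical.
// `interfaces` has the shape returned by Node's os.networkInterfaces().
function hostLocalNonLoopback(interfaces) {
  const out = new Set();
  for (const addrs of Object.values(interfaces)) {
    for (const a of addrs || []) {
      if (!a.internal) out.add(a.address.toLowerCase());
    }
  }
  return out;
}

const isLoopback = (ip) => ip === "::1" || /^127\./.test(ip);

// Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; compare the bare IPv4 form.
const canonical = (ip) =>
  ip.toLowerCase().replace(/^::ffff:(?=\d+\.\d+\.\d+\.\d+$)/, "");

// Decide whether a connection's peer address may be treated as a trusted proxy.
function checkProxyPeer(peer, trustedProxies, interfaces) {
  const ip = canonical(peer);
  if (!trustedProxies.map(canonical).includes(ip)) return "untrusted";
  if (isLoopback(ip)) return "trusted-loopback";
  // The peer is one of this host's own LAN-facing addresses: any local process can
  // originate from it, so it cannot stand in for a distinct proxy.
  if (hostLocalNonLoopback(interfaces).has(ip)) return "rejected-host-local";
  return "trusted";
}

// Migration helper: list the trustedProxies entries that need replacing.
function auditTrustedProxies(trustedProxies, interfaces) {
  const local = hostLocalNonLoopback(interfaces);
  return trustedProxies.filter((p) => local.has(canonical(p)));
}

// Constructed sample data (documentation address ranges). On a real host,
// pass require("os").networkInterfaces() instead of this literal.
const interfaces = {
  lo: [{ address: "127.0.0.1", internal: true }],
  eth0: [
    { address: "192.0.2.10", internal: false },
    { address: "fe80::1", internal: false },
  ],
};
const trustedProxies = ["127.0.0.1", "192.0.2.10", "192.0.2.20"];

console.log("entries to replace:", auditTrustedProxies(trustedProxies, interfaces));
console.log(checkProxyPeer("::ffff:192.0.2.10", trustedProxies, interfaces));
```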
Sources
- Release: v2026.5.12-beta.7 — openclaw 2026.5.12-beta.7
- PR: fix(security): classify dangerous Windows sandbox binds first
- PR: feat(acp): add backend provider failover for UNAVAILABLE errors
- PR: fix(security): add session transcript redaction guards at bare appendMessage call sites
- PR: fix(config): serialize concurrent config mutations
- PR: fix(imessage): keep pasted links, ignore Apple preview blobs
- PR: fix(sessions): classify spawn-child sessions correctly; extract shared classifier
- PR: fix(sessions): report ACP-runtime metadata for ACP-keyed sessions
- PR: fix(security): inline redact into appendSessionTranscriptMessage
- PR: fix: prevent config data loss during version upgrade
- PR: [AI-assisted] fix(channel): refresh WeCom onboarding install
- PR: [security] redact persisted tool result details
- PR: fix(agents): escalate LLM idle timeout to model fallback after profile rotation
- PR: fix(telegram): detect same-bot token rotation via fingerprinted offset state
- PR: [Fix] Add incremental chat delta payloads
- PR: Gate node surfaces on pairing approval
- PR: fix(acp): drop unsupported timeout config option for claude-agent-acp
- PR: Restrict chat sender allowlist matching [AI]
- PR: fix(anthropic): enable Claude CLI session-expired history reseed
- PR: Inherit tool restrictions for delegated sessions [AI]
- PR: fix: scan plugin runtime entries during install [AI]
- PR: fix: detect carried exec command forms [AI]
- PR: Reject truncated exec approval commands [AI]
- PR: Require auth for sandbox browser CDP relay [AI]
- PR: Limit hook CLI tool authority [AI]
- PR: fix(plugins): scan installed dependency runtime code [AI]
- PR: Require admin scope for node device token management [AI]
- PR: browser: enforce navigation checks for act interactions [AI]
- PR: Validate node exec event provenance [AI]
- PR: [AI-assisted] fix(docker): pin setup-time container paths
- PR: fix(imessage): avoid visible media placeholder text
- PR: [AI-assisted] fix(agents): normalize array tool schemas
- PR: fix(codex): rotate incompatible context-engine threads
- PR: fix(gateway): forward temperature and top_p through OpenAI-compatible HTTP APIs
- PR: Require Control UI pairing before proxy-scoped access [AI]
- PR: Require explicit browser device pairing [AI]
- PR: Harden trusted-proxy source validation [AI]
- PR: Require approval for setup-code device pairing [AI]
- PR: Fix stale diagnostic lanes for reply runs
- PR: feat(telegram): localized command menu descriptions
- PR: gateway: pass Talk session scope to resolver [AI]
- PR: [Fix] Carry transcript update sequence
- PR: fix: restore Codex cron automation compatibility
- PR: fix: route plugin LLM completions through Codex runtime
- PR: [AI-assisted] fix(plugins): discover setup provider env vars
- PR: Route Codex message tool replies back to WebChat and TUI
- PR: fix(onboard): forward provider auth flags through wizard
- PR: fix(gateway): suppress startup liveness warnings
- PR: fix(migrate): drop trailing periods from migrate item messages
- PR: fix(browser): request admin scope for CLI control
- PR: Fix Telegram polling ingress under event-loop stalls
- PR: Handle generic provider internal errors
- PR: feat(session): raise maxPingPongTurns ceiling from 5 to 20 (#52382)
- PR: feat(slack): add replyBroadcast parameter for thread reply channel broadcast
- PR: fix(exec): skip heartbeat wake for subagent sessions
- PR: feat(tools): per-sender tool capability tiers via toolsBySender
- PR: [plugin sdk] Consolidate workflow seams and fixtures
- PR: [Feat] expose session lineage metadata
- PR: [Feat] Add upload archive install RPC
- PR: [Feat] Add single-job cron get path
- PR: fix(ui): prevent webchat sends into isolated heartbeat sessions
- PR: docs(subagents): document announce timeout
- PR: [plugin sdk] Add session action gateway protocol
- PR: Control UI/sessions: nest subagent sessions under parent with visual prefix
- PR: Enable realtime Talk instructions config
- PR: fix(agents): preserve active exec references across compaction
- PR: Make exec command highlighting optional
- PR: build(pnpm): upgrade workspace to pnpm 11
- PR: fix(agents): forward explicit per-run timeout to LLM idle watchdog
- PR: Mirror Codex native subagents into task registry
- PR: Add /context map treemap
- PR: fix(runtime): detect Fly Machines as containers
- PR: chore(pnpm): align pnpm 11 follow-up surfaces
- PR: Docs: announce BlueBubbles to iMessage migration
- PR: Enforce gateway command scopes by caller context [AI]
- PR: fix(qqbot): authorize approval button callbacks [AI]
- PR: Recognize PowerShell -ec inline commands [AI]
- PR: fix(node-pairing): replace changed pending requests [AI]
- PR: fix(memory-wiki): require admin scope for ingest [AI]
- PR: Enforce Slack plugin approval button authorization [AI]
- PR: Validate Control UI loopback retry endpoints [AI]
- PR: Harden exported markdown link rendering [AI]
- PR: fix(gateway): honor minimal discovery mode for wide-area DNS-SD [AI]
- PR: memory-wiki: require write scope for Obsidian search [AI]
- PR: Scrub streamable MCP redirect headers [AI]
- PR: slack: enforce reaction notification policy [AI]
- PR: fix(onboard): accept Codex auth in model check
- PR: fix: surface silent model fallback failures
- PR: fix: skip metadata for build-excluded bundled plugins
- PR: fix(azure):Drain split provider stream frames
- PR: Rate limit Google Chat webhook requests [AI]
- PR: fix(feishu): normalize webhook rate-limit client keys [AI]
- PR: fix(auth): prevent bootstrap pairing scope changes [AI]
- PR: fix(telegram): render supported HTML replies
- PR: Enforce inline shell wrapper payload matching [AI]
- PR: Persist Docker auth profile key mount
- PR: fix(telegram): fall back to root groups on empty account allowlist
- PR: fix(commitments): write json output to stdout
- PR: fix(whatsapp): drain debounced inbound before close
- PR: Allow pnpm source updates to build OpenClaw
- PR: fix(codex): keep post-tool watchdog armed
- PR: fix(slack): forward agent identity to draft stream initial message
- PR: feat(imessage): add tapback reaction support as inbound agent events
- PR: feat(slack): add allowBots "mentions" mode (parity with Discord)
- PR: fix(slack): fetch fresh download URL via files.info for DM file attachments
- PR: fix(slack): add mrkdwn formatting hints to messageToolHints
- PR: fix(skills): normalize backslashes in compacted skill paths on Windows
- PR: fix(microsoft-foundry): replace unsafe non-null assertion in subscription lookup
- PR: fix(gateway): resolve inflight deduplication race for send and poll
- PR: fix(infra): keep retryAsync delays above server-supplied Retry-After
- PR: fix(auto-reply): guard FOLLOWUP_QUEUES delete against late drain finally
- PR: fix(gateway): clear nodeWakeById on no-registration early-return
- PR: fix(feishu): accept nested schema 2 card identity
- PR: fix(memory): preserve session corpus labels
- PR: fix(agents): restore compaction gateway logs
- PR: fix(memory-search): label session hits with sessions corpus
- PR: [AI-assisted] fix(providers): use llama.cpp runtime context cap
- PR: fix(memory-core): cap MEMORY.md size during dreaming promotions to pr…
- PR: fix(bonjour): cap advertiser restarts in a sliding window (#74209)
- PR: fix(doctor): don't flag the live compatibility agent dir as orphan
- PR: fix(bonjour): avoid probing watchdog repair loops
- PR: Fix TUI exit after gateway disconnect
- PR: fix(agents): use run workspace for post-compaction context
- PR: fix(agents): recover read offsets beyond EOF
- PR: fix(memory): skip cron warnings without gateway context
- PR: fix(tasks): route group acp completions through parent
- PR: fix(doctor): repair managed plugin openclaw peer links
- PR: fix: preserve gateway install env sources
- PR: fix(doctor): surface GH_CONFIG_DIR hint when gh auth lives at a different HOME
- PR: fix(cron): mark active-jobs on manual-run path to suppress transient lost marker
- PR: build: clean up Node.js 26 deprecation warnings
- PR: fix(doctor): consolidate Gateway service config panels into a single note (#80287)
- PR: Redact persisted secret-shaped payloads [AI]
- PR: fix(matrix): gate name-based allowlist resolution [AI]
- PR: [Fix] Scope session resolve store loads
- PR: fix(yuanbao) support sourceReplyDeliveryMode: "automatic" for group chat
- PR: [codex] Fix Codex app-server OAuth harness auth
- PR: fix(codex): mark native tools active for diagnostics
- PR: fix(browser): add pageReady to Chrome MCP existing-session status
- PR: [Fix] Share streaming event envelopes
- PR: [Fix] Block memory extra path symlink traversal
- PR: [Fix] Cache selected channel registry lookups
- PR: Fix Telegram thinking status defaults
- PR: Expose native tool completions to plugin hooks
- PR: fix(telegram): honor force document for videos
- PR: [codex] fix update v-prefixed version verify
- PR: Fix Telegram legacy message cache recovery
- PR: fix: stabilize code-mode follow-up tool display and replay
- PR: fix: honor configured media generation timeouts
- PR: Telegram: keep topic context after reset boundary
- PR: fix(matrix): default markdown tables to bullets across Matrix clients
- PR: fix(slack): retain channel history when requireMention is false
- PR: fix(doctor): case-insensitive safe-bin trusted dir matching on macOS/Windows
- PR: Cron: honor server_error retries
- PR: fix(delivery): track and log silent delivery failures
- PR: fix(slack): include API error details in log messages
- PR: fix(agents): replace blank tool names with sentinel to prevent dispatch loops
- PR: feat(delivery): surface deliveryStatus in --json output
- PR: fix(acpx): add windowsHide to MCP proxy spawn on Windows
- PR: fix(gateway): restore runtime-postbuild sync in watch mode
- PR: fix(gateway): reject malformed session kill paths
- PR: fix(telegram): show full provider/model label for nested OpenRouter ids
- PR: fix(infra): dedupe system events by (text, contextKey)
- PR: fix(slack): respect dmScope when updating main session route for DMs
- PR: fix(slack): honor configured ACP bindings
- PR: fix(slack): make download-file fileId requirement self-evident to LLMs
- PR: fix(moonshot): accept moonshotai/<model> as direct-API alias
- PR: fix(slack): harden thread continuation gating
- PR: fix(gateway): redact fast-path console logs
- PR: fix(exec-approvals): lazy-load command explainer
- PR: fix(whatsapp): downgrade recovered watchdog disconnects
- PR: fix(feishu): keep group_topic message-tool replies inside the topic
- PR: fix(browser): extend existing-session status probe
- PR: fix(telegram): keep no-response DM turns quiet (no silent-reply rewrite)
- PR: [Fix] Remove reverted plugin allow entries
- PR: Fix agent model override gateway scope
- PR: [AI-assisted] fix(whatsapp): delta repeated tool preambles
- PR: fix(whatsapp): pass routing ctx to transcribeFirstAudio so echoTranscript can deliver (#79778)
- PR: fix: handle Telegram select callbacks safely
- PR: fix(slack): wake interactive reply sessions
- PR: fix(imessage): wire reply attachments through send-rich --file (with feature gate)
- PR: test: sandbox audit-exec-surface under HOME tempdir
- PR: fix(onboard): custom provider context window vs compaction floor (#79428)
- PR: [codex] Map ACP thinking to advertised effort key
- PR: fix(agents): surface exec failures after claimed success
- PR: fix(imessage): WARN-log when private API bridge is unavailable
- PR: fix(telegram): preserve debounce for partial draft fragments
- PR: Fix Copilot token integration identity
- PR: fix(config): persist explicit default values
- PR: fix(cli): return null for unknown non-plugin commands instead of suggesting plugins.allow
- PR: fix(doctor): invalidate persisted plugin registry when a diagnostic source path no longer exists
- PR: fix(codex): normalize thread id/sessionId cross-fill before schema validation
- PR: [Fix] Wait for Pi abort settle before cleanup
- PR: Telegram: keep verbose tool results separate from final answers
- PR: Support Kimi Anthropic thinking streams
- PR: fix(plugins): retry npm alias override installs
- PR: Disable non-POSIX command approval highlights
- PR: fix: abort generic no-progress tool loops
- PR: fix: enable native require fast path on Windows for plugin-sdk root alias