openclaw v2026.6.6-beta.2 release notes: what's new & changelog
openclaw v2026.6.6-beta.2 delivers substantial security boundary tightening, expanded model provider support, and significant performance optimizations for the Control UI and memory indexing.
Key Changes
Security Hardening
Security boundaries are now substantially tighter across several critical surfaces:
- Host Environment: The host exec sanitizer now blocks request-scoped Rustup environment overrides and expands the unsafe host environment denylist to reject additional interpreter startup and search-path variables. Git protocol-control environment variables are also blocked to prevent loosening Git transport policy.
- Sandbox & Codex: Sandbox bind sources are now validated in both directions to reject parent sources that cover blocked descendants. The Codex sandbox exec-server HTTP bridge now rejects private or internal HTTP targets and pins validated DNS results to prevent validation/connect drift.
- Access Control: Discord moderation actions and Microsoft Teams group-management actions now require a trusted requester sender. Additionally, the deleted-agent guard now requires ACP metadata for bypasses, ensuring that ACP-shaped session keys alone are not treated as proof of an ACP runtime session.
- Data Protection: Transcript image redaction now preserves validated opaque image payloads to prevent secret patterns from corrupting base64 bytes. Browser tool output now neutralizes line-start MEDIA: directives to prevent them from surfacing in model-facing output.
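The two-direction bind check described in the Sandbox & Codex item, as an added JavaScript example that is not openclaw's code: a source is rejected when it sits inside a blocked path and also when it is a parent that would expose one. The BLOCKED list and all function names are constructed for illustration.

```javascript
// Added example, not openclaw code. BLOCKED is a constructed list, not the
// project's real blocked-path set.
const BLOCKED = ["/etc/ssh", "/home/agent/.ssh", "/var/run/docker.sock"];

// Lexically normalize an absolute POSIX path into segments ("." and ".." resolved).
function segments(p) {
  if (!p.startsWith("/")) throw new Error(`bind source must be absolute: ${p}`);
  const out = [];
  for (const part of p.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") out.pop();
    else out.push(part);
  }
  return out;
}

// True when `ancestor` equals `path` or is one of its parents. The comparison is
// segment-wise, so "/etc/ssh" does not match "/etc/sshd".
function covers(ancestor, path) {
  return ancestor.length <= path.length && ancestor.every((s, i) => s === path[i]);
}

function checkBindSource(source, blocked = BLOCKED) {
  const src = segments(source);
  for (const b of blocked) {
    const blk = segments(b);
    // Direction 1: the source is a blocked path or lives underneath one.
    if (covers(blk, src)) return { ok: false, reason: `inside blocked path ${b}` };
    // Direction 2: the source is a parent whose mount would expose a blocked descendant.
    if (covers(src, blk)) return { ok: false, reason: `covers blocked path ${b}` };
  }
  return { ok: true, reason: "no overlap with blocked paths" };
}
```

The comparison is lexical, so symlinks must be resolved to real paths before this check is applied.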
Provider & Model Support
- Anthropic: Added support for Claude Fable 5 across direct API, Vertex, Bedrock, and Anthropic-compatible deployment aliases, including adaptive-thinking defaults and refusal handling.
- OpenRouter: Integrated OpenRouter PKCE OAuth login into the top-level CLI onboarding process.
- OpenAI: Realtime voice now requires OpenAI Platform API-key credentials instead of OAuth bearer tokens. Additionally, reasoning content replay is now preserved for Gemma 4 openai-completions models.
- Ollama: The SDK session factory now respects the provider's thinking default (e.g., "off" for Ollama), preventing models from spending their output budget on reasoning when not intended.
Performance & UI Optimizations
- Control UI: Startup and first-reply latency are reduced through cached model metadata, removal of the startup catalog wait, and lazy slash-command loading. A new first-assistant-event server timing phase allows for better latency diagnostics.
- Memory Indexing: Memory embedding work is now batched across files for providers that opt into source-wide batch submission (e.g., OpenAI), significantly reducing the number of provider batch jobs.
- TUI: The TUI now prewarms runtime plugins before the first send to eliminate cold-activation spikes, and the footer now displays the connection hostname for URL-backed Gateway connections.
Channel Improvements
- Telegram: Delivery is more coherent with preserved streamed text blocks between tool calls. Account-scoped topic agents are now correctly routed, and the /compact command is restored on generic message ingress.
- iMessage: Inbound recovery and deduplication are now always-on, replacing the opt-in catchup subsystem. Outbound send transport is hardened with a new sendTransport configuration and separate send clients to prevent wedged watch subscriptions from blocking sends.
- Discord: Inbound messages now hydrate missing quoted messages through REST when a message_reference is present. Reply context metadata is now exposed through plugin hook contracts.
- WhatsApp: Captured replies are now routed through the successor controller after a restart, preventing silent reply failures after transient disconnects.
Impact
User Experience
Users will notice faster Control UI load times and more responsive TUI interactions. Telegram and iMessage users will experience more reliable message delivery and better handling of streamed content.
Security Posture
This release significantly reduces the risk of unattended execution and environment escape by failing closed on exec approval timeouts and strictly filtering host environment variables. The hardening of the Codex sandbox and browser tool output further isolates the agent from the host system.
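Pinning validated DNS results, as listed for the Codex sandbox HTTP bridge, closes the gap between the lookup that was checked and the lookup the connection would otherwise repeat. The following JavaScript is an added example, not openclaw's implementation; the function names, the injected resolver and the address ranges are assumptions, and IPv6 answers are simply rejected.

```javascript
// Added example (not openclaw code): validate resolved addresses, then pin one.
// IPv4-only policy for brevity: any IPv6 or unparseable answer is rejected.
const INTERNAL_V4 = [ // [network, prefix bits]
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isInternal(ip) {
  const v4 = ipv4ToInt(ip);
  if (v4 === null) return true; // fail closed on IPv6 and garbage
  return INTERNAL_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((v4 & mask) >>> 0) === ipv4ToInt(net);
  });
}

// Resolve exactly once, reject if ANY answer is internal, return the IP to dial.
// `resolve(host)` is injected and returns a promise of address strings.
async function resolvePinned(url, resolve) {
  const { protocol, hostname, port } = new URL(url);
  if (protocol !== "http:" && protocol !== "https:") throw new Error("unsupported scheme");
  const host = hostname.replace(/^\[|\]$/g, "");
  const isLiteral = ipv4ToInt(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : await resolve(host);
  if (addrs.length === 0 || addrs.some(isInternal)) {
    throw new Error(`blocked internal target: ${host}`);
  }
  // The caller dials `address` and sends `host` as Host header / TLS SNI.
  // It must not look the name up again, or a second answer could differ.
  return { host, address: addrs[0], port: port || (protocol === "https:" ? "443" : "80") };
}

// Constructed resolver that changes its answer on the second lookup.
function flippingResolver() {
  let calls = 0;
  const resolve = async () => (++calls === 1 ? ["203.0.113.10"] : ["127.0.0.1"]);
  return { resolve, count: () => calls };
}
```

With the flipping resolver, the first call returns a pinned public address after a single lookup, and a later call for the same name is rejected once the answer turns internal.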
Operational Changes
Operators using local memory embeddings may need to install the new @openclaw/llama-cpp-provider plugin, as the node-llama-cpp dependency has been moved from the core package to this provider plugin.
Upgrade Guide
Breaking Changes & Migration
- Local Memory Embeddings: The local embedding provider is no longer built-in. Users must install the @openclaw/llama-cpp-provider plugin. Run openclaw doctor --fix to automatically map memorySearch.provider: "local" to the official plugin install.
- Exec Approvals: Unanswered exec approval requests now deny by default after the configured timeout. Operators who require auto-approval on timeout must explicitly set askFallback in their exec approvals policy.
- OpenAI Realtime Voice: OAuth-only setups will no longer work for Realtime voice. Users must configure an OpenAI Platform API key or an openai API-key auth profile.
- Android Nodes: The foreground service type for persistent nodes has changed from dataSync to connectedDevice to comply with Android 15 time budgets.
FAQ
What's new in v2026.6.6-beta.2?
This release introduces tighter security boundaries for host and sandbox environments, adds support for Claude Fable 5 and OpenRouter OAuth, optimizes Control UI and TUI performance, and improves delivery reliability for Telegram, iMessage, and WhatsApp.
Are there any breaking changes?
Yes. Local memory embeddings now require a separate provider plugin, exec approval timeouts now fail closed by default, and OpenAI Realtime voice now requires API-key authentication.
How do I upgrade?
Users should update the package and then run openclaw doctor --fix to handle the migration of local memory embedding providers and other state repairs.
Sources
- Release: v2026.6.6-beta.2 — openclaw 2026.6.6-beta.2
- PR: fix(browser): honor cdpUrl for user default profile
- PR: fix(imessage): skip idle approval discovery scans
- PR: fix(codex): avoid guardian review for local models
- PR: Preserve Telegram streamed text blocks between tool calls
- PR: fix(codex): normalize dynamic tool progress results
- PR: fix(imessage): persist echo markers before send
- PR: fix(telegram): restore /compact on generic message ingress
- PR: feat(cli): emit commentary progress events from Claude CLI parser
- PR: fix(gateway): support Streamable HTTP MCP transport on loopback server
- PR: Fail closed on exec approval timeout
- PR: fix(agents): deliver native /compact replies through source suppression
- PR: fix(cli): bridge inter-tool commentary events to channel progress
- PR: fix(telegram): route account-scoped topic agents
- PR: feat(diagnostics-otel): capture tool input/output content via trusted channel
- PR: fix(imessage): always-on inbound recovery and dedupe
- PR: fix(browser): neutralize media directives in browser output [AI]
- PR: fix(imessage): honor block streaming config
- PR: fix(mcp): repair OAuth redirect, errors, and unicode schema patterns
- PR: block unauthorized Telegram DM text from prompt context
- PR: Fix transcript image redaction
- PR: perf(control-ui): reuse startup model metadata
- PR: perf(control-ui): avoid startup catalog wait
- PR: perf(control-ui): trace first assistant event
- PR: feat: dogfood reusable ClawHub package publish
- PR: perf(control-ui): warn on slow first replies
- PR: Fix context-engine compaction ownership for Codex sessions
- PR: perf(control-ui): lazy load slash commands
- PR: fix: block rustup toolchain env overrides [AI]
- PR: fix: expand unsafe host env denylist
- PR: fix: block git protocol env controls [AI]
- PR: fix(agents): preserve reasoning_content replay for Gemma 4 openai-completions models
- PR: Support existing-session browser CDP endpoints
- PR: Validate sandbox bind parent paths [AI]
- PR: fix(discord): require sender for moderation actions [AI]
- PR: fix(msteams): require admin for group actions
- PR: fix(browser): validate discovered CDP websocket URLs
- PR: fix(elevated): reject group ids as senders
- PR: fix(gateway): restrict non-owner loopback tools
- PR: fix(search): enforce native web search tool policy
- PR: fix(mcp): harden stdio env filtering
- PR: fix(codex): guard sandbox http requests
- PR: fix: require ACP metadata for deleted-agent bypass
- PR: fix(imessage): harden outbound send transport
- PR: fix(imessage): surface inbound startup diagnostics
- PR: feat: add OpenRouter OAuth to onboarding
- PR: Share channel draft chunking resolver
- PR: Fix Telegram callback API handling
- PR: feat(anthropic): support Claude Fable 5 adaptive thinking
- PR: fix(telegram): use SDK dispatch dedupe
- PR: fix(telegram): audit follow-ups — block-mode chunk config, dedupe bucket cleanup, grammy contract trust
- PR: fix(CLI): validate gateway-facing timeout input
- PR: fix(cli): validate gateway-rpc --timeout
- PR: fix(agents): drop stale exec approval followups after session rebind
- PR: fix(whatsapp): route captured replies through successor controller after restart
- PR: fix(gateway): share approval runtime socket token
- PR: fix #88009: [Feature]: batched memory embedding should batch over files
- PR: fix(delivery): suppress Codex/Harmony internal protocol artifacts from user-facing channels
- PR: fix(feishu): retry on send rate-limit errors (230020/230006)
- PR: fix(tui): show connection host in footer
- PR: perf(config): dedupe plugin auto-enable fanout work
- PR: [plugin sdk] Allow declared installed trusted hooks
- PR: fix(discord): hydrate reply context metadata
- PR: fix(talk): show OpenAI Realtime WebRTC assistant transcripts
- PR: fix(models): persist agent catalog cache
- PR: fix(cron): cancel active cron task runs
- PR: fix(cron): recover no-deliver tool warnings
- PR: perf(tui): prewarm runtime plugins before first send
- PR: fix(config): warn for retired skill-workshop plugin entry instead of failing validation (#90244)
- PR: fix(doctor): report managed plugin version drift
- PR: fix(gateway): skip deleted-agent guard for ACP harness session keys
- PR: fix(memory): move local llama.cpp runtime to provider plugin
- PR: fix(compaction): lower default timeout from 900s to 180s, preserve explicit config
- PR: fix: clarify provider quota errors
- PR: feat(qqbot): add /bot-group-allways command to toggle mention requirement
- PR: fix(memory-lancedb): guard memory recall output [AI]
- PR: fix(reply-queue): remove the drained item by reference instead of front index
- PR: feat: canonicalize Codex protocol JSON asset ordering
- PR: Fix config.patch explicit array replacement
- PR: Improve iPad and iPhone control surfaces
- PR: Fix stale main session startup recovery
- PR: fix(openai): require api-key auth for realtime voice
- PR: fix(agents): trim dense text delta snapshots
- PR: fix(update): recover package gateway restart after refresh failure
- PR: fix: let ClawHub dry runs skip publish approval
- PR: fix(update): expose plugin convergence repair
- PR: fix(gateway): surface headless LaunchAgent state
- PR: fix(line): canonicalize trailing-slash webhook paths
- PR: fix(ollama): use provider thinking default in SDK session factory
- PR: fix(mattermost): keep default replies in existing threads
- PR: fix(discord): restore runtime timeout compatibility exports
- PR: fix(status): restore Codex synthetic usage line
- PR: fix(auth): verify SQLite auth migration before cleanup
- PR: fix(memory-core): keep QMD JSON search one-shot
- PR: Fix stale visible reply recovery
- PR: fix(memory-core): filter stale recall entries in REM harness preview
- PR: fix(webchat): finalize provider failure lifecycle
- PR: fix(agents): retry same model across short rate-limit windows
- PR: fix(config): stop config.patch replacePaths index suffix from widening array consent
- PR: fix(gateway): arm qmd startup maintenance
- PR: fix(plugins): rescan storm in "/models" call (regression shipped since v2026.5.18)
- PR: fix(android): avoid dataSync FGS for persistent node
- PR: fix(ui): require user intent for chat sessions
- PR: Fix Docker store seed target packages
- PR: fix: bound native hook relay lifetime