v2026.5.7 — sync with upstream openclaw 2026.5.7

Sync with upstream openclaw 2026.5.7 — a pure fix release with no new interactive prompts and no new config keys.

Existing users: openclaw-update self-updates the wrapper repo before each run, so the next invocation picks up these changes automatically.

What v2026.5.7 fixes

Doctor self-heal pair

• Doctor/Codex OAuth (fixes #78407 follow-up): doctor --fix now preserves working openai-codex/* PI routes and recovers any openai/* GPT-5 routes that v2026.5.5 had rewritten when only Codex OAuth auth is available. Subscription-auth setups are no longer broken by update repair.
• Cron/doctor (fixes #78549): doctor --fix removes bad payload.model overrides on persisted cron jobs ("default", "null", blank, or JSON null) while keeping cron runtime model validation strict.

CLI surface cleanup

• Channels CLI (#78456): openclaw channels list is now channel-only and renders installed/configured/enabled state. New --all flag includes bundled and catalog channels. Model auth/usage details have moved to openclaw models auth list, openclaw status, and openclaw models list.
• Cron CLI (#78701): openclaw cron list --json and openclaw cron show --json now include a computed status field (disabled/running/ok/error/skipped/idle) so external tooling can read cron state without reimplementing derivation.

Other notable upstream fixes (no wrapper impact)

• Agents/context engine: cached assembled context views are invalidated on history shrink/assembly failure, preventing stale pre-reset history reuse (fixes #77968).
• Agents/compaction: compaction summary reserve tokens are clamped to each model's output limit, ending invalid max_tokens for high-context compaction (#54392).
• Telegram polling watchdog stays tied to getUpdates liveness so unrelated outbound calls cannot mask a wedged poller (fixes #78422).
• Codex/approvals: pre-guardian native PermissionRequest hook is no longer installed by default in Codex approval modes; allow-always decisions are remembered for identical native payloads within the active session window.
• WhatsApp: proactive sends route through Baileys LID forward mappings when available (fixes #67378).
• Discord/voice: default post-speech silence grace extended to 2.5s; new voice.captureSilenceGraceMs for noisy sessions.
• Tavily: tavily_search/tavily_extract resolve credentials from the active runtime config snapshot so exec SecretRef-backed keys arrive resolved (#78610).

Full upstream notes: https://github.com/openclaw/openclaw/releases/tag/v2026.5.7

Wrapper changes

File	Change
VERSION	v2026.5.6 → v2026.5.7
CLAUDE.md	Version header bump
docs/commands.md	Annotate channels list --all, cron list/show --json status field

No installer/updater script changes — the yes n pipe in scripts/commands/update.sh already covers v2026.5.7 (no new interactive prompts).

v2026.5.6 — sync with upstream openclaw 2026.5.6 (resolves v2026.5.5 #78407)

Sync with upstream openclaw 2026.5.6 — a same-day hotfix released ~9 hours after v2026.5.5. Resolves the #78407 codex-route rewrite that v2026.5.5 carried as a known issue.

If you skipped v2026.5.5 because of the warning in its release notes, this is the version to upgrade to. If you already upgraded and got bit, recovery steps are below.

Existing users: openclaw-update self-updates the wrapper repo before each run, so the next invocation picks up these changes automatically.

What v2026.5.6 fixes

• Doctor/OpenAI Codex (fixes #78407): reverts the v2026.5.5 doctor --fix repair that rewrote valid openai-codex/* ChatGPT/Codex OAuth routes to openai/*. OAuth-only setups (ChatGPT subscription, no OPENAI_API_KEY) now stay on the Codex OAuth PI route as intended.
• Plugins/runtime fetch (#77846): drops third-party symbol metadata from header dicts before passing them to native fetch/Headers, so SDK and guarded/proxy fetch paths no longer reject otherwise valid plugin requests.
• Debug proxy: header dictionaries are normalized before replay so symbol metadata cannot poison debug-proxy fetches.
• Web fetch (#78439): guarded dispatcher cleanup is bounded after request timeouts so timed-out fetches return tool errors instead of leaving Gateway tool lanes active.

Recovery for users already on v2026.5.5

If openclaw doctor --fix already rewrote your openai-codex/* refs to openai/*, run on the Mac host:

orb -m openclaw-vm bash -lc 'openclaw models set openai-codex/gpt-5.5 && openclaw config validate'

Or restore from doctor's pre-doctor backup (atomic):

orb -m openclaw-vm bash -lc \
  'cp ~/.openclaw/openclaw.json.bak.1 ~/.openclaw/openclaw.json && \
   systemctl --user restart openclaw-gateway.service'

Upstream recovery docs: docs.openclaw.ai/providers/openai#check-and-recover-codex-oauth-routing

What didn't change

• No new doctor interactive prompts.
• No new config opt-ins (templates/openclaw.json.example unchanged).
• No new CLI commands or flags (docs/commands.md unchanged).
• No channel or provider additions.

Full changelog: v2026.5.5...v2026.5.6

v2026.5.5 — sync with upstream openclaw 2026.5.5

Sync with upstream openclaw 2026.5.5. This is a wrapper version bump only — VERSION and CLAUDE.md header. No installer/script changes.

Existing users: openclaw-update self-updates the wrapper repo before each run, so the next invocation picks up these changes automatically. Please read the known issue below before upgrading.

Highlights for OrbStack users

• Telegram/Codex (#75641): message-tool-only progress drafts stay visible; native Codex tool progress is rendered once per tool instead of duplicating draft lines.
• OpenAI/Gateway: streaming chat-completion flushes the assistant role SSE chunk as soon as headers are accepted, so cold agent setup no longer hangs the client until idle timeout.
• CLI/sessions cleanup (#77608): orphan transcripts, compaction checkpoints, and trajectory artifacts are pruned during normal openclaw sessions cleanup.
• Plugins/update: official npm and ClawHub plugins (Codex, Discord, WhatsApp, diagnostics) stay synced during host updates even when disabled or exact-pinned.
• Auth profiles: format-level rejections no longer cool down providers, keeping fallback chains stable.

⚠️ Known issue carried into v2026.5.5 — please read before upgrading

On upgrade, openclaw doctor --fix (run automatically by openclaw-update) rewrites every `openai-codex/` model reference to `openai/` across `agents.defaults.modelOverride`, per-agent and per-channel `modelOverride`, and `agents.modelCatalog`. Setups that authenticate via OpenAI Codex OAuth only (ChatGPT subscription, no `OPENAI_API_KEY`) will fail every agent run on boot with:

```
[boot] agent run failed: No API key found for provider "openai".
```

Upstream tracking: openclaw/openclaw#78407

Recovery (run on the Mac host):

```bash
orb -m openclaw-vm bash -lc \
'cp ~/.openclaw/openclaw.json.bak.1 ~/.openclaw/openclaw.json && \
systemctl --user restart openclaw-gateway.service'
```

Or repush from a known-good source, if you maintain one:

```bash
orb -m openclaw-vm bash -c 'cat > ~/.openclaw/openclaw.json' \
< local/openclaw.json
orb -m openclaw-vm systemctl --user restart openclaw-gateway.service
```

The wrapper deliberately does not patch `update.sh` to auto-rollback — we'd rather wait for the upstream fix than carry codex-route inference logic that fights with doctor's repair branch.

The maintainer's own VM stays on v2026.5.4 pending the upstream fix; the wrapper is bumped so fresh installs and community users track upstream.

Full changelog: v2026.5.4...v2026.5.5

v2026.5.4 — sync with upstream openclaw 2026.5.4

Sync with upstream openclaw 2026.5.4 — a medium release with no breaking config changes and no new interactive doctor prompts. Includes a sandbox-tracking fix that preserves existing sandbox images on upgrade (zero rebuild required for v5.x users).

Existing users: openclaw-update self-updates the wrapper repo before each run, so the next invocation picks up these changes automatically. Your existing sandbox images are preserved — see "Sandbox path-tracking fix" below.

What's in this sync

• VERSION + CLAUDE.md header bumped to v2026.5.4.
• docs/commands.md:
  • new openclaw models auth list [--provider <id>] [--json] documented under 模型管理 → 认证 (lists saved per-agent auth profiles without dumping secrets)
  • openclaw sessions now caps to newest 100 rows by default (#77500); documented --limit <n|all> flag
• Sandbox path-tracking fix — see below.

Sandbox path-tracking fix (this release)

Upstream v2026.5.3 moved the three sandbox Dockerfiles from the repo root to scripts/docker/sandbox/ and renamed them:

Old (≤ v5.2)	New (≥ v5.3)
Dockerfile.sandbox	scripts/docker/sandbox/Dockerfile
Dockerfile.sandbox-common	scripts/docker/sandbox/Dockerfile.common
Dockerfile.sandbox-browser	scripts/docker/sandbox/Dockerfile.browser

Our wrapper kept referencing the legacy paths in openclaw-orbstack-setup.sh, scripts/commands/sandbox-rebuild.sh, and scripts/commands/update.sh. The primary path (./scripts/sandbox-*-setup.sh) kept working because upstream's helper scripts auto-followed the move, but:

• Hash inputs were silently truncated — cat Dockerfile.sandbox no longer found the file, leaving only the helper script content in the SHA256 input. Stale-detection compared inconsistent hashes and stopped triggering rebuilds.
• Fallback docker build -f Dockerfile.sandbox* commands in setup.sh and sandbox-rebuild.sh would error out on the legacy path if ever used.

This release:

1. Fallback build commands now point at scripts/docker/sandbox/Dockerfile{,.common,.browser}.

2. Hash inputs everywhere now list both new and legacy paths (cat $new $old $setup); cat silently skips missing files via 2>/dev/null, so hashes track whichever layout the upstream checkout actually has.

3. One-time hash-format migration (gated by ~/.openclaw/.sandbox-hash-format-v54 marker): if the user's last successful build was a v2026.5.x release, update.sh overwrites the hash files with the new fallback-aware format and skips the rebuild that the bare hash mismatch would otherwise force.

   Why this is safe for v5.x users: verified at sync time that the upstream sandbox Dockerfile content is byte-identical across v2026.5.2 → v2026.5.3 → v2026.5.4 (only paths/filenames moved). So any sandbox image built from a v5.x checkout is byte-equivalent to one built from v5.4 — the rebuild is purely cosmetic.

   Users on a pre-v5.x BUILT_VERSION (where Dockerfile content actually changed) fall through to normal stale-detection and get a real rebuild, which is correct.

You'll see one new line in the update output:

🔧 Migrating empty sandbox hashes (one-time fix for upstream path move in v2026.5.3)...
✓ Sandbox hashes migrated in place. Existing images preserved — no rebuild needed.

To confirm post-update, run cat ~/.openclaw/.sandbox-hash-{base,common,browser} inside the VM. The three hashes should now be:

• base: fc9b4ea0773b8882b88b466213795eb38015ea29112a7e0a8e79189530deb317
• common: 247ffca97bed53ab47d3e7538c0ab3aac444086b3a44fd3e362e1052a9201ce5
• browser: ef78030ccdcda9af9bac056ad0907d045bbcbcbe5a0fca1bb35bd9c86c96bd78

Direct wins from upstream v2026.5.4 (no wrapper config edit needed)

• #77293 / #77450 / #77215 — CalVer correction versions like 2026.5.3-1 are now treated as stable for npm installs, plugin updates, plugin API range satisfaction, and bundled-version comparisons. Directly fixes our wrapper version-suffix policy — latest no longer asks for downgrade confirmation, and plugins requiring base runtime API ranges install cleanly on correction builds.
• #77244 — Gateway startup auto-loads provider plugins that own explicitly configured image, video, or music generation defaults. Our openai/gpt-image-2 becomes ready immediately after gateway restart instead of remaining catalog-only until first triggered.
• #77431 — Per-turn runtime context kept out of ordinary chat system prompts (while still delivering hidden current-turn context). Restores prompt-cache reuse on chat continuations — main-model cache hit rate on long sessions should recover.
• #77400 — doctor --fix preserves active auth.profiles metadata when stripping stale secret fields.
• #77485 — Clears the active reply-run guard before draining queued same-session follow-up turns; sequential chat.send calls no longer trip ReplyRunAlreadyActiveError every other request.
• #77087 — Gateway shutdown close path moved behind a stable runtime chunk + compatibility aliases shipped, so manual npm package replacement cannot leave an already-running Gateway unable to shut down cleanly.
• #77530 — Package-update follow-up uses an absolute POSIX npm shell, so restricted PATH environments can still run dependency lifecycle scripts during update.
• #76339 — gateway install --force confirms preferring supported system Node over nvm/fnm/volta/asdf/mise (we install Node via NodeSource apt, so this strictly helps).

Upstream-handled migrations (verify post-upgrade only)

• #76623 / #77155 — doctor --fix now installs plugins.allow-only configured-but-not-loaded official plugins, and skips channel-derived installs when another configured plugin owns the same channel.
• #68615 — doctor --fix clears auto-created stale session routing state when plugin-owned model/runtime/auth/session bindings drift outside the current configured route.
• bundledDiscovery: "compat" — Restrictive plugins.allow configs now require plugins.bundledDiscovery: \"compat\" for legacy bundled provider discovery; doctor --fix migrates legacy configs automatically. We don't ship a restrictive allowlist, so this is a no-op for the wrapper.
• #69793 — Telegram media derives no-caption inbound media placeholders from saved MIME metadata instead of the Telegram photo shape.

Doctor non-interactive flow scan

No new interactive prompts in v2026.5.4. All doctor --fix behavior changes are silent. The existing yes n | pipe in scripts/commands/update.sh remains correct and protective:

• still answers "no" to v2026.4.29 #73106 orphan-archive confirm (preserves .jsonl files)
• still answers "no" to v2026.5.2 #310 Gateway service-rewrite confirm (preserves operator's existing service file)

After upgrade, verify ~/.openclaw/.update-doctor.log shows no Setup cancelled lines.

Behavior changes worth noting

• Google Meet realtime default → mode: \"agent\" (STT → OpenClaw agent → TTS) instead of direct realtime voice. mode: \"bidi\" keeps the previous direct realtime model behavior; mode: \"realtime\" accepted as compatibility alias. N/A if you don't run Meet.
• tools.loopDetection.postCompactionGuard.windowSize (default 3, #77474) — Post-compaction loop guard arms after auto-compaction-retry and aborts with compaction_loop_persisted when the agent emits the same (tool, args, result) triple windowSize times in a row. Disable via tools.loopDetection.enabled: false. Long tool-heavy sessions that previously got stuck in a compaction → same-tool-call → compaction loop will now abort visibly instead of silently looping.

Tracked upstream OPEN bugs (still open after v5.4)

• #74837 — sessions_spawn child model override discarded
• #75593 — Subagent spawn/list lifecycle split
• #72096 — DREAMS.md duplicate emission
• #68691 — Sandbox PPID=1 zombies (PR #74083 + our complementary PR #76590 still pending)

None of these were resolved in v2026.5.4.

Verify post-upgrade

openclaw-update                                   # picks up wrapper changes automatically
openclaw doctor                                   # should pass
cat ~/.openclaw/.update-doctor.log | grep -i cancelled  # must be empty
openclaw status                                   # gateway + channels healthy
openclaw models auth list                         # new v5.4 command

To confirm sandbox migration ran (only relevant if you upgraded from a v5.x release):

openclaw-shell -c 'test -f ~/.openclaw/.sandbox-hash-format-v54 && echo "migration: done" || echo "migration: not yet"'
openclaw-shell -c 'cat ~/.openclaw/.sandbox-hash-base ~/.openclaw/.sandbox-hash-common ~/.openclaw/.sandbox-hash-browser'
# Expect:
# base    fc9b4ea0773b8882b88b466213795eb38015ea29112a7e0a8e79189530deb317
# common  247ffca97bed53ab47d3e7538c0ab3aac444086b3a44fd3e362e1052a9201ce5
# browser ef78030ccdcda9af9bac056ad0907d045bbcbcbe5a0fca1bb35bd9c86c96bd78

🤖 Generated with Claude Code

v2026.5.3-1 — sync with upstream openclaw 2026.5.3-1

Sync with upstream openclaw 2026.5.3 plus the v2026.5.3-1 hotfix (npm scanner false-positive on bundled plugin packages — internal only, no wrapper impact).

Existing users: openclaw-update self-updates the wrapper repo before each run, so the next invocation picks up these changes automatically.

What's in this sync

• VERSION + CLAUDE.md header bumped to v2026.5.3-1.
• docs/commands.md — new "通用聊天命令" section documenting:
  • /btw <message> — side question, doesn't disrupt main thread
  • /side <message> — alias for /btw (added in upstream #76934)
  • /steer <message> — queue-independent steering of the active session run when the session is idle, without starting a new turn (upstream #76934)
• scripts/commands/update.sh — comment near the doctor invocation noting that v2026.5.3 (#74831) silently migrates the legacy monolithic sandbox registry into per-runtime shard files under ~/.openclaw/state/sandbox/runtimes/*.json. No new prompt, no wrapper code change needed; future debugging should look for shard files rather than one monolithic JSON.

Direct wins from upstream v2026.5.3 (no wrapper config edit needed)

• #76507 — tools.profile: "full" now grants ALL tools including optional plugin tools (browser etc.). Pre-v5.3 the full profile silently dropped optional plugin tools that required an explicit allowlist entry. Our standard config uses tools.profile: "full" so behavior strictly improves.
• #76779 — Anthropic Opus 4.7 thinking profiles xhigh / adaptive / max exposed via the bundled provider-policy artifact; non-runtime callers no longer downgrade to high. Direct hit on the Opus 4.7 fallback path.
• #76648 — OpenCode claude-opus-4-7 thinking levels through the lightweight provider policy surface; xhigh / adaptive / max no longer remapped to high. (This fix originated from a wrapper-author bug report — flagged here because it lands directly in the wrapper user community.)
• #76339 — gateway install --force now prefers system Node over nvm / fnm / volta / asdf / mise when regenerating managed Gateway services. We install Node via NodeSource apt (/usr/bin/node = system Node), so doctor stops flagging version-manager-backed services without further wrapper intervention.

Upstream-handled migrations (verify post-upgrade only)

• #74831 — Sandbox container & browser registry → per-runtime shard files. doctor --fix migrates the legacy monolithic registry silently. After upgrade, ~/.openclaw/state/sandbox/runtimes/*.json should contain shard files.
• #76872 — doctor --fix now auto-installs configured-but-missing official plugins (Discord, Brave) and auto-enables provider plugins. Default wrapper installs configure only bundled plugins, so this code path won't trigger.
• #76860 — Gateway env file preserves operator-added secrets across re-stage; clears OpenClaw-managed keys (OPENCLAW_GATEWAY_TOKEN, etc.) so a fresh staging value is never shadowed by a stale env-file copy. Wrapper writes OPENCLAW_GATEWAY_TOKEN to operator-managed ~/.openclaw/.env (state dir), which upstream still preserves.

Doctor non-interactive flow scan

No new interactive prompts in v2026.5.3. All migration-driven changes (registry shard, snapshot caps, plugin-record reconciliation) are silent. The existing yes n | pipe in update.sh remains correct and protective:

• still answers "no" to v2026.4.29 #73106 orphan-archive confirm (preserves .jsonl files)
• still answers "no" to v2026.5.2 #310 Gateway service-rewrite confirm (preserves operator's existing service file)
• still defends against any new prompts that may slip in later

Note: upstream v2026.5.3 release notes (lines 130 and 143) show upstream itself now uses doctor --fix --non-interactive in its dev-gateway watchdog and post-update flow. We could eventually swap our yes n | for the explicit flag, but that's a separate refactor — the current pipe works and is well-commented.

Skipped (verified out of scope)

Upstream change	Why skipped
streaming.mode: "progress" unified across channels	Wrapper template doesn't set custom streaming config
channels.telegram.mediaGroupFlushMs, channels.feishu.blockStreaming	Opt-in tuning
tools.web.fetch.useTrustedEnvProxy	Proxy-only env opt-in
tools.deny: ["write"] no longer implies apply_patch deny (BREAKING)	Wrapper templates don't use this pattern
macOS LaunchAgent recovery (#76790, #76261, #76466)	Wrapper Gateway runs systemd in Linux VM, not Mac LaunchAgent
Mattermost / MSTeams / Tlon channel hardening	Out of typical wrapper deployment scope

How to upgrade

openclaw-update

That's it — the script self-updates the wrapper repo, then runs the upstream OpenClaw upgrade flow.

Post-upgrade verification

1. ~/.openclaw/.update-doctor.log shows NO Setup cancelled lines.
2. ls ~/.openclaw/state/sandbox/runtimes/ returns shard JSON files (legacy monolithic registry should be gone).
3. Agents using tools.profile: "full" see browser tool without explicit allow entries.
4. Opus 4.7 / OpenCode claude-opus-4-7 accept /think xhigh directly.

v2026.5.2 — sync with upstream openclaw 2026.5.2

Sync with upstream openclaw 2026.5.2. Skips v2026.4.30 / v2026.5.0 / v2026.5.1 (upstream did not ship those stable tags; v5.2 jumped directly from v4.29).

Updated: this release was re-tagged at commit 1753d2c to include four wrapper-side fixes for openclaw-update, the gateway service file, and orphan archive handling. Existing users do not need to do anything special — openclaw-update self-updates the wrapper repo before each run, so the next invocation picks up all fixes automatically.

Wrapper fixes (post-publish, included in this re-tag)

fix(update): rotate doctor log — keep last 5 runs (45c721f)

Previous behavior overwrote ~/.openclaw/.update-doctor.log on every openclaw-update run. If an upgrade misbehaved, the prior log was already gone by the time you noticed. Now update.sh rotates the file before writing: .update-doctor.log → .1 → .2 → ... → .5. The last 5 runs are always available for diff or post-mortem.

fix(gateway): pin canonical PATH via systemd drop-in (86154dd) — Linux only

Upstream v2026.5.2 #75233 cleaned up the Gateway service PATH on macOS LaunchAgent only. On Linux, openclaw gateway install still derives PATH from the operator's shell at install time, so version-manager / package-manager directories (.bun/bin, .npm-global/bin, .nix-profile/bin, .local/share/pnpm, etc.) leak into the service PATH. Functionally harmless — Node lives at /usr/bin/node and the gateway runs fine — but doctor reports a "recommend a minimal PATH" advisory on every run.

This wrapper now installs ~/.config/systemd/user/openclaw-gateway.service.d/99-openclaw-orbstack-path.conf that pins:

Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

systemd evaluates drop-ins after the main unit; the last Environment=PATH= wins; the 99- prefix wins lexicographic ordering against any other drop-ins.

Both openclaw-orbstack-setup.sh (first install) and scripts/commands/update.sh (every update) ensure the drop-in exists. If/when upstream ships #75233-equivalent on Linux, the drop-in remains compatible — it just becomes redundant, never broken.

Triggered by a real v2026.4.29 → v2026.5.2 upgrade where doctor still listed the version-manager PATH advisory after openclaw gateway install --force. Verified live: PATH now reports the canonical six-entry list, gateway health 143ms, doctor no longer warns.

fix(update): auto-archive orphan transcripts before doctor (bf6d68e)

Previously update.sh piped yes n to doctor, answering "no" to the v2026.4.29 #73106 "Archive N orphan transcripts?" confirm. This preserved the .jsonl files but made doctor flag the same orphans on every subsequent update run — cosmetically noisy and not what the operator wants in normal flow.

We couldn't simply switch to yes y: v2026.5.2 line 310 added a second prompt "Install/rewrite Gateway service?" that we MUST answer "no" to, otherwise update.sh's temp environment would replace the operator's existing launchd/systemd service. Order-sensitive printf "y\nn\n" is also fragile (when there are no orphans, "y" feeds the wrong prompt).

Solution: pre-archive orphans BEFORE doctor runs. Doctor's archive action just renames .jsonl files not referenced in sessions.json to *.deleted.<timestamp>; we do the same with a UUID substring grep (collision-safe at 128-bit). After this, doctor sees zero orphans and the prompt never appears. The yes n pipe remains as defense-in-depth and to safely answer "no" to the Gateway service rewrite prompt.

The pre-archive walks every agent's sessions/ dir to handle multi-agent setups.

fix(update): use upstream ISO 8601 format for archived transcripts (1753d2c)

The pre-archive step above used date +%Y%m%dT%H%M%S → 20260503T091230 for the timestamp suffix. This does not match upstream's archive timestamp regex ^\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}(\.\d{3})?Z$ from src/config/sessions/artifacts.ts. Files with non-matching timestamps are unrecognized by cleanupArchivedSessionTranscripts, so they would never be auto-pruned by upstream's default 30-day retention — they'd sit on disk forever.

Switched to date -u +%Y-%m-%dT%H-%M-%SZ which produces 2026-05-03T09-12-30Z, matching the regex (without the optional ms suffix). Now files we archive are eligible for the same auto-prune flow as files doctor archives.

Bonus: corrected templates/openclaw.json.example session.maintenance docs

The previous commented stub used pruneOlderThanDays, which does not exist in upstream config schema. The canonical user-facing key is pruneAfter (string duration like "30d"), with pruneDays as the deprecated legacy name. The template now documents the correct fields and explains that defaults (mode: "enforce", pruneAfter: "30d", maxEntries: 500) are already active without any config — the explicit block is purely for visibility/auditability.

Note: pruneAfter controls two things simultaneously: (1) sessions.json entries older than N days are pruned during enforce-mode maintenance; (2) *.deleted.<timestamp> archive files older than N days are real-deleted (fs.rm). Lifecycle is therefore: session inactive → entry pruned (after pruneAfter days) → transcript becomes orphan → wrapper pre-archive renames to .deleted.<ts> → upstream cleanup deletes (after another pruneAfter days). Total: ~2× pruneAfter from creation to disk free.

Highlights affecting this wrapper

Resolves 2 of our 3 tracked OPEN issues

• #74860 — createOpenClawTools 7s event-loop stall — CLOSED. Fix is in commits 29ed5266bf (keeps runtime-deps repair out of plugin tool/runtime hot paths) and 354084b1b3 (caches targeted provider runtime hook resolution instead of redoing the work per call). The 6000–7700ms gateway stalls under steady tool-call load no longer reproduce; Tier 2 watchdog restarts on this fingerprint should stop firing.
• #75220 — Linux systemd Gateway PATH warnings for non-existent user-bin dirs — CLOSED via #76017. v5.2 release notes line 99 (Doctor/gateway: stop warning that non-existent, unconfigured user-bin directories are required in the Gateway service PATH) lands the fix that our 2026-05-01 evidence comment on #75220 was pushing for.

Still OPEN (not blocking VM upgrade)

• #74837 — sessions_spawn child model override is still dropped (subagent runs fall back to target agent default instead of the spawn-time model argument).
• #75593 — subagent spawn/list lifecycle split: spawn returns childSessionKey but /subagents list and subagents(action="list") return empty for the same requester.
• #72096 — DREAMS.md light-phase summary repeats verbatim across hourly cycles.

None of these affect main-path functionality.

Direct config benefits

• line 282 — OpenAI Codex GPT-5.x xhigh thinking preserved through Gateway session validation when bundled providers are still startup-lazy. Our main model (openai-codex/gpt-5.5 with xhigh thinking) keeps working through cold-path validation.
• line 274 — OpenAI Codex OAuth image generation explicitly retained. Validates the imageGenerationModel.primary: "openai/gpt-image-2" + Codex OAuth route we just wired up.
• line 167 — OpenRouter Anthropic adapter strips trailing assistant prefill when reasoning is enabled (#75395). Claude 4.6 / Opus 4.7 routes through OpenRouter no longer hit Anthropic's prefill rejection.
• line 269 — Gemini 2.5 Flash-Lite reasoning: "minimal" rejection fixed by raising thinking-budget floor to 512 (#70629). Gemini 3.1 Pro fallback unaffected; Flash-Lite usable as a cheap fallback.
• line 365 — Tool-result guard repeated to use runtime context token budget (#74917), originally landed in v4.29 — confirms the long-tool-heavy GPT-5.5 session compaction guard.

Heartbeat scheduler hardening

• #76276 — Centralized exec-event/notification/spawn/retry cooldown. Production reproduction had a configured every: "30m" heartbeat firing every ~10s, pegging the gateway event loop with eventLoopDelayMaxMs > 6s spikes. Our heartbeat config (every: "24h") is unlikely to be affected, but the cooldown is now a hard guarantee.
• #75487 — Heartbeat phase scheduling is active-hours-aware. Non-UTC activeHours.timezone (e.g. Asia/Shanghai) now correctly influences when the next heartbeat timer fires; quiet-hours ticks no longer waste runs.
• line 60 — heartbeat_respond structured tool replaces HEARTBEAT_OK text parsing (#75765) for tool-capable heartbeat runs.

Doctor / non-interactive flow change (wrapper-impacting)

v5.2 line 310 adds a second interactive prompt to doctor --fix: "Install/rewrite Gateway service?" before replacing the operator's launchd / systemd service from a temporary environment. With our existing yes n | pipe in scripts/commands/update.sh, the wrapper answers "no" → preserves the operator's existing service file. This is the safe default and matches the new behavior intent.

The yes n pipe also continues to handle the v4.29 orphan-archive prompt as defense-in-depth, but with the new pre-archive step (see the bf6d68e fix above), that prompt no longer appears in the normal flow.

New CLIs (now documented in docs/commands.md)

• openclaw gateway restart --force --wait <duration> — skip active-task deferral timers and bound the wait window (#68327).
• openclaw proxy validate — verify effective proxy configuration, reachability, and allow/deny destination behavior before deploying proxy-routed setups (#73438).

New opt-in config options (commented stubs in templates/openclaw.json.example)

• agents.defaults.skipOptionalBootstrapFiles (#62110)
• agents.defaults.compaction.midTurnPrecheck (#73499)
• session.writeLock.acquireTimeoutMs — default raised from 30s to 60s (#75894); only override if your IO is unusually fast...

v2026.4.29 — sync with upstream openclaw 2026.4.29

Sync with upstream openclaw 2026.4.29. Skips v4.28 (upstream did not ship a stable v4.28; only a v2026.4.29-beta.1 prerelease).

Updated: this release was re-tagged at commit 33434d7 to include two wrapper-side fixes for openclaw-update. Existing users do not need to do anything special — openclaw-update self-updates the wrapper repo before each run, so the next invocation picks up both fixes automatically.

Wrapper fixes (post-publish, included in this re-tag)

fix(update): keep doctor non-interactive past v4.29 orphan-archive prompt (33434d7)

v4.29 release notes line 123 (#73106) added an interactive confirm to openclaw doctor --fix before archiving orphan transcripts. With stdin redirected, @clack/prompts sees EOF and triggers Setup cancelled. — which silently skips the rest of doctor's work (state migration, systemd service config repair, security audit, plugin sweep). update.sh's || true masks the early exit and the upgrade looks fine, but the systemd service file may not be regenerated.

Both doctor invocations now pipe yes n so the orphan-archive prompt resolves to a conservative "No" (preserve transcripts) and doctor continues. A post-update hint points users at interactive openclaw doctor --fix for archiving when desired.

Triggered by a real v4.27 → v4.29 upgrade where doctor cancelled at "Archive 23 orphan transcripts?" right after plugin registry refresh.

fix(update): prune stale tracking refs before fetch (557d391)

Upstream openclaw carries a lot of force-pushed and renamed branches (clawsweeper bots, codex/* feature branches). Plain git fetch --tags --force accumulates stale tracking refs and eventually fails with refname conflict / some local refs could not be updated, aborting the entire upgrade. scripts/commands/update.sh now runs git remote prune origin && git fetch --prune --tags --force so subsequent updates clean themselves before fetching.

Triggered by a real upgrade attempt where v4.27 → v4.29 aborted on copilot/stabilize-app-client-happy-path failed: refname conflict.

Highlights affecting this wrapper

Resolves all v4.27 packaging blockers

The v4.27 release artifact was missing several runtime dependencies. v4.29 fixes all of them:

• #74702 — restored plugin-sdk/zalouser command-auth facade.
• #74692 — sqlite-vec mirrored into bundled plugin runtime deps for builtin memory.
• #74688 / #74883 family — structural fix: 10 root-package deps (chokidar, @agentclientprotocol/sdk, @lydell/node-pty, croner, dotenv, jiti, json5, jszip, markdown-it, tar, web-push) added to MIRRORED_CORE_RUNTIME_DEP_NAMES plus a static drift-guard CI test that fails when one is missing.
• #74899 — browser-control verifies staged ajv package entry files before reusing mirrored runtime roots.
• #74765 — Discord SecretRef env:default:... no longer fails on read-only allowlist accessors (#74737).

Direct config benefits

• #74451 — openai-codex/gpt-5.4-mini is restored on ChatGPT/Codex OAuth runs after live OAuth proof. v4.27 had silently suppressed it; v4.29 re-enables it with proper manifest, forward-compat metadata, docs, and regression coverage. Stale heartbeat / active-memory cron configs that use this model resolve again.
• #74917 — Tool-result guard now uses the resolved runtime context-token budget for non-context-engine overflow checks instead of native contextWindow. Long tool-heavy sessions on GPT-5.5 no longer compact early.
• #74864 — subagent-orphan-recovery is bounded with persisted recovery attempts and a wedged-session tombstone; task maintenance / doctor reconcile those sessions so restart loops no longer require manual sessions.json surgery.
• #74896 — Gateway no longer fails to bind when a credential-free tools.web.fetch config block is present. Docker / Kubernetes deployments unblocked.
• #74137 — Blank visible user prompts skipped at the embedded-runner boundary; Telegram / group sessions no longer leak messages must not be empty provider errors.
• #74868 — Group chats fall back to automatic source delivery when a channel precomputed message-tool-only replies but the message tool is unavailable.

Codex / ChatGPT Responses hardening

• #75111 preserves wrapped Codex streams during OpenAI attribution; OAuth bearer reaches ChatGPT/Codex Responses; native Codex-only unsupported payload fields stripped.
• #73820 fixes ChatGPT backend 400s on system-prompt-only Codex turns (input: []).
• #73559 fixes openai-codex-responses boundary-aware embedded stream 401 Unauthorized: Missing bearer.
• OpenAI Codex /verbose full persistence and app-server tool-output forwarding restored.

New config (opt-in, documented in template)

• messages.queueMode: "steer" | "queue" — active-run queueing default changed to steer (drains all pending steering at next model boundary). Set to queue to restore legacy one-at-a-time behavior.
• messages.visibleReplies — global visible-reply enforcement (alongside per-channel messages.groupChat.visibleReplies).
• commitments.enabled / commitments.maxPerDay — opt-in inferred follow-up commitments delivered through heartbeat (#74189).
• memory.qmd.update.startup — opt-in startup QMD refresh; cold Gateway boot no longer imports / initializes QMD by default.
• tools.web.fetch.ssrfPolicy.allowIpv6UniqueLocalRange — opt-in for trusted fake-IP proxy stacks using fc00::/7 (#74351).
• gateway.handshakeTimeoutMs — exposed in config / schema / docs (was env-only); env still wins.
• heartbeat.skipWhenBusy — opt-in skip when cron / subagent lanes are active (#50773).
• Active Memory allowedChatIds / deniedChatIds (#67977) and bounded partial recall on timeout (#73219).

New CLI (documented in docs/commands.md)

• openclaw plugins deps [--repair] — independent inspect / repair for bundled plugin runtime-deps; the right tool for v4.27-class packaging issues.

New bundled provider

• NVIDIA — API key onboarding, setup docs, static catalog metadata, literal model-ref picker (#71204).

Breaking change (does not affect this wrapper)

• tools.exec and tools.fs no longer implicitly widen restrictive messaging / minimal profiles. Users on those profiles must add explicit alsoAllow entries; a startup warning identifies affected configs (#47487). Default config in this wrapper uses tools.profile: "full" and is unaffected.

Still OPEN (does not block upgrade, but worth retesting after)

• #74837 / #74763 — sessions_spawn(model=...) override silently dropped (v4.27 claimed #73180 fixed this; v4.29 does not explicitly close it).
• #74860 — Gateway 7-second event-loop stall in createOpenClawTools (v4.29 adds /readyz event-loop diagnostics and defers agent run scheduling, which mitigates but does not resolve the root cause).

Notes

• VM upgrade is a separate user decision. After upgrading, run openclaw doctor --fix (per v4.25 #71761 transcript pollution repair) and re-test sessions_spawn with explicit model overrides plus restart latency.
• This release skips v2026.4.28 because upstream did not ship a stable v4.28.

v2026.4.27 — sync with upstream openclaw 2026.4.27

Sync with upstream openclaw 2026.4.27.

Highlights affecting this wrapper

Unblocks the v4.26 VM upgrade hold

Two regressions held the local VM at v4.25 across v4.26. Both are fixed in upstream v4.27:

• #73242 — openai-codex/gpt-5.4-mini no longer surfaces through Codex OAuth (was failing cron with "ChatGPT account unsupported"); direct openai/gpt-5.4-mini is preserved.
• #73367 / #73412 — bare /new and /reset on openai-codex/* no longer fall through into empty Responses API calls (was failing with "must be provided").

GPT-5.4 / GPT-5.5 reliability

• #73053 — OpenAI Responses preserves encrypted rs_* reasoning items in WebSocket replay and requests reasoning.encrypted_content so primary model sessions don't drop required state.

New config (opt-in, documented in template)

• sandbox.docker.gpus — Docker GPU passthrough (#57976).
• proxy.enabled + proxy.proxyUrl / OPENCLAW_PROXY_URL — operator-managed outbound HTTP proxy (#70044).
• models.pricing.enabled — skip OpenRouter / LiteLLM startup pricing fetches on offline / restricted networks (#53639).
• agents.defaults.compaction.memoryFlush.model — exact model override for memory flush, doesn't inherit active session fallback chain (#53772).

New CLI (documented in docs/commands.md)

• openclaw codex computer-use status/install — Codex Computer Use marketplace + fail-closed MCP checks (#72094).
• openclaw infer image describe --prompt --timeout-ms + describe-many — pass custom vision instructions and timeout to Ollama / OpenAI / Google / OpenRouter (#63700).
• openclaw cron add/edit --thread-id — preserve Telegram forum topic delivery across scheduled runs.

New bundled provider / channels

• DeepInfra bundled provider — model discovery, image gen/edit, image+audio understanding, TTS, text-to-video, embeddings, provider-owned base URL policy.
• Tencent Yuanbao channel + QQBot group chat (FIFO queue, C2C streaming, chunked media upload, pipeline refactor).

Notes

• VM upgrade is a separate user decision. After upgrading, run openclaw doctor --fix (per v4.25 #71761 transcript pollution repair).
• Discord group chat default changed to private replies — set messages.groupChat.visibleReplies: "automatic" to restore legacy auto-posting if needed (we do not use Discord groups by default).
• Heartbeat model context-overflow now points to isolatedSession / lightContext guidance when the runtime model matches the configured heartbeat model.

v2026.4.26 — Tracks upstream; #72729 OpenCode thinking fix shipped + Anthropic prefill repair

Sync with upstream OpenClaw v2026.4.26. Recommended upgrade from v2026.4.25 — this release ships the upstream fix for #72729 (an issue we filed: OpenCode /think xhigh|adaptive|max rejected for proxied Opus 4.7 / Sonnet 4.6) plus an Anthropic extended-thinking trailing-prefill repair that affects every Opus 4.7 / Sonnet 4.6 user.

Highlights affecting this project

• #72729 fixed (PR #72778) — OpenCode now exposes Anthropic Opus/Sonnet 4.x thinking levels for proxied Claude models, so /think xhigh, /think adaptive, and /think max validate consistently with the direct Anthropic provider. Thanks to upstream maintainers for landing this within 24 hours of v2026.4.25.
• Anthropic extended-thinking prefill repair (#72739, #72556) — trailing assistant-prefill payloads are stripped from Opus 4.7 / Sonnet 4.6 outbound replay when extended thinking is enabled, so requests no longer fail Anthropic's user-final-turn validation.
• Codex cached input tokens no longer double-counted in /status, session_status, or persisted sessionEntry.totalTokens (#69298). Affects everyone on openai-codex/gpt-5.5.

Wrapper changes

• VERSION + CLAUDE.md header bumped to v2026.4.26
• templates/openclaw.json.example:
  • Documented opt-in agents.defaults.compaction.maxActiveTranscriptBytes — JSONL-byte preflight trigger that runs normal local compaction when the active transcript grows too large, rotating onto a smaller successor file instead of byte-splitting history
  • Documented new dreaming.model knob — Dream Diary narrative subagent model override, wired through phase config and the existing plugin subagent model-override trust gate (refs #65963)
• docs/commands.md:
  • Nodes (v2026.4.26+) — openclaw nodes remove --node <id|name|ip> for cleaning stale gateway-owned paired-node records without hand-editing state files
  • Migration (v2026.4.26+) — openclaw migrate with bundled importers: Claude Code/Desktop instructions, MCP servers, skills, command prompts; plus a Hermes (NousResearch) importer for configuration, memory/plugin hints, model providers, MCP servers, skills, and supported credentials. Supports --plan, --dry-run, --json, --backup
  • Matrix encryption (v2026.4.26+) — openclaw matrix encryption setup enables Matrix encryption, bootstraps recovery, and prints verification status from one setup flow

Upstream highlights (v2026.4.26)

New capabilities

• Cerebras added as a bundled provider with onboarding, static model catalog, docs, and manifest-owned endpoint metadata
• Google Live browser Talk sessions — generic browser realtime transport contract, constrained ephemeral tokens, Gateway relay for backend-only realtime voice plugins
• agents.defaults.compaction.maxActiveTranscriptBytes — opt-in preflight trigger for transcript rotation
• dreaming.model — Dream Diary narrative subagent model override
• Memory asymmetric embeddings — memorySearch.inputType, queryInputType, documentInputType config for OpenAI-compatible providers with asymmetric query/document embedding endpoints
• Ollama embeddings — moved to /api/embed with batched input requests; model-specific retrieval query prefixes for nomic-embed-text, qwen3-embedding, and mxbai-embed-large
• openclaw migrate — Claude Code/Desktop and Hermes importers
• openclaw nodes remove — clean stale paired-node records
• openclaw matrix encryption setup — one-step Matrix E2EE bootstrap
• failureAlert.includeSkipped + --failure-alert-include-skipped — alert on persistently skipped cron jobs without counting skips as execution errors or affecting retry backoff
• OPENCLAW_NO_AUTO_UPDATE=1 — Gateway startup kill-switch for configured background package auto-updates (#72715)
• realtime.agentId — Google Meet live consults can target a named OpenClaw agent (#72381)

Reliability and provider fixes

• Anthropic / Google — strip stale trailing assistant/model prefill turns from outbound replay (#72556, #72739)
• OpenAI Responses — retry replay-safe empty stop turns once for openai-completions endpoints (#72751); openclaw agent --model restored for one-shot CLI runs
• Codex harness — normalize cached input tokens (#69298); codex/* image models routed through app-server image turns
• Claude CLI — force live-session launches to include --output-format stream-json whenever --input-format stream-json is used (#72206)
• macOS Gateway — detect installed-but-unloaded LaunchAgent split-brain states during status, doctor, and restart, and re-bootstrap launchd supervision before falling back to unmanaged listener restarts (#67335, #53475, #71060)
• Local models — default custom providers with only baseUrl to the Chat Completions adapter and trust loopback model requests automatically (#40024); local Ollama / vLLM / SGLang model discovery routed through the guarded fetch path pinned to the configured host
• MCP — normalize CLI-native type: "http" MCP server entries to OpenClaw transport: "streamable-http" on save, with doctor repair for existing configs (#72757)
• CLI/update — install npm global updates into a verified temporary prefix before swapping the package tree into place, preventing mixed old/new installs and stale packaged files from breaking openclaw update verification
• Gateway — skip CLI startup self-respawn for foreground gateway runs on low-memory Linux/Node 24 hosts (#72720)
• Docker — install the CA certificate bundle in the slim runtime image so HTTPS calls from containerized gateways no longer fail TLS setup after the bookworm-slim base switch (#72787)
• Plugin runtime deps — OPENCLAW_PLUGIN_STAGE_DIR may now contain layered runtime-dependency roots, resolving read-only preinstalled deps before installing missing deps into the final writable root (#72396); bundled runtime deps staged before Gateway startup with drained update restarts

Memory / QMD

• Multi-collection QMD search — group same-source collections into one QMD search invocation when the installed QMD supports multiple -c filters (#72484)
• QMD status vector parsing — accept variants such as Vectors = 42, Vectors:42, Vectors: 42 embedded (#63652)
• Lexical-mode skip — skip QMD vector status probes and embedding maintenance in searchMode: "search", so BM25-only QMD setups on ARM no longer trigger llama.cpp/Vulkan builds during status checks (#59234, #67113)
• Watcher dirty state — memory status reports the live watcher dirty state so changed QMD-backed memory files show as dirty until the queued sync finishes (#60244)
• --mask collection pattern — root memory indexing stays scoped to MEMORY.md instead of widening to every markdown file in the workspace (#65480)

Performance

Extensive Gateway startup lazy-loading work: HTTP auth, canvas auth, plugin route dispatch, MCP loopback, cron runner, hook dispatch, subscriber registries, embedded-run state, channel runtime helpers, and chat session event projection are all loaded on demand. No-plugin Gateway boots see a measurable RSS drop. Lobster Ajv schema compilation is now cached against content-identical schemas (#71148).

Notes

• Wrapper-side, no breaking changes. local/openclaw.json does not require edits — all v4.26 additions are opt-in.
• Per the project's local-test-first policy, the wrapper is published now; the VM upgrade will follow community feedback.
• Issues filed by this project tracked in memory: #71495 (/subagents list empty regression — still OPEN, unaddressed in v4.26) and #72096 (Dreaming light-phase summary verbatim repeats — still OPEN). v4.26 ships an indirectly related subagent fix (#70187: clear active embedded-run state before terminal lifecycle) that is worth retesting against /subagents list.

🤖 Generated with Claude Code

v2026.4.25 — Tracks upstream; #71761 transcript repair + TTS overhaul

Sync with upstream OpenClaw v2026.4.25. Recommended upgrade from v2026.4.24 — this release ships the upstream repair tooling for a transcript-corruption regression introduced in v2026.4.24, plus a TTS overhaul, a plugin cold-registry migration, and broader OpenTelemetry coverage.

Critical: run openclaw doctor --fix after upgrading

Upstream v2026.4.24 had a regression (#71761) where embedded runtime context was being delivered as a visible user prompt, polluting session transcripts with duplicated prompt-rewrite branches. v2026.4.25 fixes the root cause and teaches openclaw doctor --fix to repair already-affected v2026.4.24 transcripts. Anyone who ran v2026.4.24 should run openclaw doctor --fix once after upgrading.

The same doctor --fix pass also handles two other v2026.4.25 migrations:

• agentRuntime.id is now the canonical config key; legacy runtime-policy configs are auto-migrated (#71957).
• Plugin cold registry — plugins/installs.json replaces plugins/installed-index.json; the doctor pass refreshes the cold registry index and aligns install records.

Wrapper changes

• VERSION + CLAUDE.md header bumped to v2026.4.25
• docs/commands.md:
  • TTS chat commands (v2026.4.25+) — /tts latest (read-aloud the latest reply, with duplicate suppression), /tts chat on|off|default (session-scoped auto-TTS overrides), /tts persona <name> (provider-aware voice persona switching), plus /tts audio and /tts status
  • Browser — openclaw browser doctor --deep (live snapshot probing with iframe-aware role / cursor-clickable detection) and openclaw browser start --headless (one-shot headless launch override that does not rewrite the persisted browser config)
  • Plugins — openclaw plugins registry (and --refresh) for inspecting and rebuilding the new persisted cold registry; deprecation note for OPENCLAW_DISABLE_PERSISTED_PLUGIN_REGISTRY
  • Image generation/edit flags (v2026.4.25+) — generic --background (alias --openai-background), fal --output-format png|jpeg, and --size / --aspect-ratio / --resolution on infer image edit
  • New doctor --fix (v2026.4.25+) section explaining the #71761 transcript repair, the agentRuntime.id migration, and the cold registry refresh
• templates/openclaw.json.example:
  • Expanded TTS provider comment listing the v2026.4.25 bundled additions: Azure Speech, Xiaomi MiMo, Local CLI TTS, Inworld, Volcengine/BytePlus Seed Speech, plus ElevenLabs eleven_v3
  • Documented the new override layering: agents.list[].tts overrides global TTS per agent, and channels.<channel>.accounts.<id>.tts deep-merges over global plus per-agent config (Feishu/QQBot account-level overrides)

Upstream highlights (v2026.4.25)

Major new capabilities

• TTS overhaul — /tts latest, chat-scoped auto-TTS overrides, provider-aware personas (#70748), per-agent voice overrides, per-channel-account deep-merged TTS config, native voice-note routing through channel plugin capabilities
• New bundled TTS providers — Azure Speech (#51776), Xiaomi MiMo (#52376/55614), Local CLI TTS (#56239), Inworld (#55972), Volcengine/BytePlus Seed Speech (#55641); ElevenLabs eleven_v3 added to the bundled model catalog (#68321)
• Voice Wake trigger-based routing — macOS voice wake phrases can target a specific agent or session (#30354)
• Plugin cold registry — gateway startup, plugin update, repair, provider discovery, and install metadata move onto a versioned persisted registry (plugins/installs.json); broad manifest scans are eliminated from the hot path; new openclaw plugins registry [--refresh] CLI; OPENCLAW_DISABLE_PERSISTED_PLUGIN_REGISTRY marked deprecated
• OpenTelemetry expansion — GenAI gen_ai.client.token.usage and gen_ai.client.operation.duration histograms; openclaw.context.assembled, openclaw.tool.loop, openclaw.harness.run, openclaw.exec, and outbound delivery spans; bounded request-id hashes; OTEL_SEMCONV_STABILITY_OPT_IN=gen_ai_latest_experimental enables gen_ai.provider.name; signal-specific OTLP endpoint overrides; new bundled diagnostics-prometheus plugin
• Browser — openclaw browser doctor --deep live snapshot probing, iframe-aware CDP role snapshots, cursor-clickable detection, openclaw browser start --headless one-shot launch, configurable CDP ready timeout for slow hosts (Pi #66803), safe tab URLs in agent responses, stable tabId labels preserved across navigation (#46137)
• Control UI — PWA install support and Web Push notifications for Gateway chat (#44590)
• Crestodian / TUI setup — first-run setup helper, full-TUI interactive Crestodian, startup progress indicators, context mode selector, shorter startup greeting (#71720, #71760)
• Codex harness 0.125.0+ — native MCP PreToolUse/PostToolUse/PermissionRequest payloads through the OpenClaw hook relay; agents prefer /codex ... over Codex ACP unless ACP is explicit
• Factory Droid added to the live ACP bind Docker matrix
• Bedrock Mantle supports Claude Opus 4.7
• LiteLLM image generation registered as an image_generate provider; fal Seedance 2.0 reference-to-video with multi-image/video/audio reference inputs; MiniMax image-01 routed to the dedicated image generation endpoint (#61149); MiniMax-portal music and video generation (#63241); Z.AI thinking controls mapped, opt-in preserved-thinking replay via params.preserveThinking (#58680)
• Discord — channels.discord.voice.model overrides the LLM used for voice channel responses while keeping STT/TTS on the existing media settings (#64368)

Critical fixes

• #71761 — v2026.4.24 transcript pollution: embedded runtime context is now sent as a hidden next-turn custom message; openclaw doctor --fix repairs already-affected transcripts with duplicated prompt-rewrite branches
• #71946 — Codex --thinking minimal rejected on first turn: translated to low for gpt-5.5, gpt-5.4, gpt-5.4-mini, gpt-5.2 at request build time, eliminating the wasted call + retry-with-low fallback
• OpenAI Responses web_search + minimal thinking — raised to the lowest supported reasoning effort instead of sending a rejected minimal payload (same root pattern as our previously-filed #71269, opposite direction)
• Sessions reset freshness decoupled from updatedAt — heartbeat, cron, exec, and gateway bookkeeping no longer prevent configured daily/idle resets from rolling long-running channel sessions (#68315, #63732, #63820, #69083)
• agentRuntime.id as canonical key with doctor --fix migration; canonical Anthropic models routed through claude-cli without passing CLI backend aliases to embedded harness selection (#71957)

Notable fixes

• WhatsApp Web watchdog — based on transport activity rather than app silence, keeping quiet but healthy linked-device sessions connected (#70678/#71466)
• Telegram — automatic native quote excerpts for threaded replies and reply tags (#6975), exact selected quote text preserved when sending native quote replies (#71952)
• Bonjour/mDNS — gateway crash-loops on CIAO PROBING CANCELLED and watchdog cancellation are now contained; Bonjour disables itself for the current process after repeated failed restarts; bundled Compose gateways disable Bonjour by default on bridge networking (#69011, #71879)
• Plugin runtime deps — package update verifies actually-placed bundled runtime packages and reports missing specs instead of false-success repairs (#71883); rejects pre-populated .openclaw-install-stage directories during release packaging (#71752); ignores stale staging directories during global install verification
• Logging — configured redaction patterns applied to persisted session transcript JSONL (#42982); secrets at console and file-log sink exits redacted (#67953); file rotation at logging.maxFileBytes with bounded numbered archives (#58583, #62381); logging.file and redaction loaded from the active config path in bundled runtimes (#59370, #67168, #61295)
• Gateway — /healthz and /readyz reserved ahead of plugin/canvas/Control UI HTTP stages so liveness probes still answer when later handlers stall (#69674); refuses process and service mutations from older OpenClaw binaries when the config was last written by a newer version (#57079)
• Subagents — completed yielded-subagent results delivered back to no-thread requester routes via direct fallback; queued subagent announces stay session-only when the requester has no external channel target (#59201)
• Sessions/usage — compaction checkpoint transcript snapshots excluded from usage totals and session discovery
• Auto-reply dedupe — poisoned after replay-unsafe provider/runtime failures so retries stay safe before visible progress but cannot duplicate after block output, tool side effects, or session progress (#69303)
• WhatsApp — ack reactions removed after a visible reply when messages.removeAckAfterReply is enabled (#26183)
• Feishu — Schema 2.0 card action callbacks accepted with context.open_chat_id (#71670); inbound voice-note transcription via the shared media audio path (#67120, #61876); final-mode streamed TTS-only audio normalized before delivery (#71920)
• vLLM/Nemotron — Nemotron 3 chat-template kwargs sent when thinking is off; configured params.chat_template_kwargs honored for OpenAI-compatible completions (#71891)
• Channels/replies — copied inbound metadata blocks (Conversation info, UNTRUSTED ... message body) stripped from user-facing assistant replies and replay history (#71847)

Breaking change

• OPENCLAW_DISABLE_PERSISTED_PLUGIN_REGISTRY is marked deprecated as a break-glass switch — operators should use openclaw plugins registry --refresh or openclaw doctor --fix for registry repair instead. No impact on this wrapper — we do not set this env var.

Upgrade procedure...