{"type":"system","subtype":"init","cwd":"./bench/results/mcp-no-toolsearch/list_releases/run5/workspace","session_id":"246b2626-2210-4274-a7b6-16347d764227","tools":["Task","TaskOutput","Bash","Glob","Grep","ExitPlanMode","Read","Edit","Write","NotebookEdit","WebFetch","TodoWrite","WebSearch","TaskStop","AskUserQuestion","Skill","EnterPlanMode","EnterWorktree","ExitWorktree","CronCreate","CronDelete","CronList","mcp__chrome-devtools__click","mcp__chrome-devtools__close_page","mcp__chrome-devtools__drag","mcp__chrome-devtools__emulate","mcp__chrome-devtools__evaluate_script","mcp__chrome-devtools__fill","mcp__chrome-devtools__fill_form","mcp__chrome-devtools__get_console_message","mcp__chrome-devtools__get_network_request","mcp__chrome-devtools__handle_dialog","mcp__chrome-devtools__hover","mcp__chrome-devtools__lighthouse_audit","mcp__chrome-devtools__list_console_messages","mcp__chrome-devtools__list_network_requests","mcp__chrome-devtools__list_pages","mcp__chrome-devtools__navigate_page","mcp__chrome-devtools__new_page","mcp__chrome-devtools__performance_analyze_insight","mcp__chrome-devtools__performance_start_trace","mcp__chrome-devtools__performance_stop_trace","mcp__chrome-devtools__press_key","mcp__chrome-devtools__resize_page","mcp__chrome-devtools__select_page","mcp__chrome-devtools__take_memory_snapshot","mcp__chrome-devtools__take_screenshot","mcp__chrome-devtools__take_snapshot","mcp__chrome-devtools__type_text","mcp__chrome-devtools__upload_file","mcp__chrome-devtools__wait_for","mcp__github__add_comment_to_pending_review","mcp__github__add_issue_comment","mcp__github__add_reply_to_pull_request_comment","mcp__github__assign_copilot_to_issue","mcp__github__create_branch","mcp__github__create_or_update_file","mcp__github__create_pull_request","mcp__github__create_pull_request_with_copilot","mcp__github__create_repository","mcp__github__delete_file","mcp__github__fork_repository","mcp__github__get_commit","mcp__github__get_copilot_job_status","mcp__github__get_file_contents","mcp__github__get_label","mcp__github__get_latest_release","mcp__github__get_me","mcp__github__get_release_by_tag","mcp__github__get_tag","mcp__github__get_team_members","mcp__github__get_teams","mcp__github__issue_read","mcp__github__issue_write","mcp__github__list_branches","mcp__github__list_commits","mcp__github__list_issue_types","mcp__github__list_issues","mcp__github__list_pull_requests","mcp__github__list_releases","mcp__github__list_tags","mcp__github__merge_pull_request","mcp__github__pull_request_read","mcp__github__pull_request_review_write","mcp__github__push_files","mcp__github__request_copilot_review","mcp__github__run_secret_scanning","mcp__github__search_code","mcp__github__search_issues","mcp__github__search_pull_requests","mcp__github__search_repositories","mcp__github__search_users","mcp__github__sub_issue_write","mcp__github__update_pull_request","mcp__github__update_pull_request_branch","ListMcpResourcesTool","ReadMcpResourceTool"],"mcp_servers":[{"name":"chrome-devtools","status":"connected"},{"name":"github","status":"connected"},{"name":"claude.ai Google Calendar","status":"needs-auth"},{"name":"claude.ai Gmail","status":"needs-auth"}],"model":"claude-sonnet-4-6","permissionMode":"bypassPermissions","slash_commands":["update-config","debug","simplify","batch","loop","claude-api","test-driven-development","app-installer","release-notify-issues","cli-demo-recorder","readme-generator","compact","context","cost","heapdump","init","pr-comments","release-notes","review","security-review","extra-usage","insights","mcp__github__AssignCodingAgent","mcp__github__issue_to_fix_workflow"],"apiKeySource":"none","claude_code_version":"2.1.77","output_style":"default","agents":["general-purpose","statusline-setup","Explore","Plan","claude-code-guide"],"skills":["update-config","debug","simplify","batch","loop","claude-api","test-driven-development","app-installer","release-notify-issues","cli-demo-recorder","readme-generator"],"plugins":[],"uuid":"48b12bb8-a107-43a7-b66d-0c4b1d10d15f","fast_mode_state":"off"}
{"type":"assistant","message":{"model":"claude-sonnet-4-6","id":"msg_01KSEhKXvqnqmuoQatjsUv3f","type":"message","role":"assistant","content":[{"type":"thinking","thinking":"Let me list releases for the openclaw/openclaw repository using the GitHub MCP tool.","signature":"EvwBCkYICxgCKkBnIHdqdSvsPs0hfPFlWMCZ5xjWMtnM9Kx3V1omXZveEWP4iWRWR5v/pzYEV8WELUbDLjJtw5bRSCVLGtetgdR7EgwFjgFjR+Rj34G4GjAaDDQVuU0XD0D8MmJC3yIwPOC8Hqtz4TJlmpLYgbhIpfmM+pF2vREzZFQkIdC4wYfOdiI47onN0JLYjwEChjS+KmS2GyxwinyLzyib0Bz6aeFzfCncBY5sj6nna847/w+Y4x4rsi9QNJA79HXk42QRVkoKcgp4C5fUE7g0AuD09Jfur4kcC5oUF4YUpmR23rlJb50yU0C+ftyH71WvqUhWP+hZ9OJSGAE="}],"stop_reason":null,"stop_sequence":null,"usage":{"input_tokens":3,"cache_creation_input_tokens":6874,"cache_read_input_tokens":34112,"cache_creation":{"ephemeral_5m_input_tokens":0,"ephemeral_1h_input_tokens":6874},"output_tokens":1,"service_tier":"standard","inference_geo":"not_available"},"context_management":null},"parent_tool_use_id":null,"session_id":"246b2626-2210-4274-a7b6-16347d764227","uuid":"5196af31-cc77-46a1-a957-5ebe315ad6d1"}
{"type":"assistant","message":{"model":"claude-sonnet-4-6","id":"msg_01KSEhKXvqnqmuoQatjsUv3f","type":"message","role":"assistant","content":[{"type":"tool_use","id":"toolu_01HbBNroiJsuXAyMWTkVrM5V","name":"mcp__github__list_releases","input":{"owner":"openclaw","repo":"openclaw","perPage":3},"caller":{"type":"direct"}}],"stop_reason":null,"stop_sequence":null,"usage":{"input_tokens":3,"cache_creation_input_tokens":6874,"cache_read_input_tokens":34112,"cache_creation":{"ephemeral_5m_input_tokens":0,"ephemeral_1h_input_tokens":6874},"output_tokens":1,"service_tier":"standard","inference_geo":"not_available"},"context_management":null},"parent_tool_use_id":null,"session_id":"246b2626-2210-4274-a7b6-16347d764227","uuid":"6dac55d8-2224-4011-89df-87f0d3a89003"}
{"type":"rate_limit_event","rate_limit_info":{"status":"allowed","resetsAt":1774126800,"rateLimitType":"five_hour","overageStatus":"rejected","overageDisabledReason":"org_level_disabled","isUsingOverage":false},"uuid":"b297b4be-fed8-4dad-898d-385f4d49723c","session_id":"246b2626-2210-4274-a7b6-16347d764227"}
{"type":"user","message":{"role":"user","content":[{"tool_use_id":"toolu_01HbBNroiJsuXAyMWTkVrM5V","type":"tool_result","content":[{"type":"text","text":"[{\"id\":297041210,\"tag_name\":\"v2026.3.13-1\",\"name\":\"openclaw 2026.3.13\",\"body\":\"This recovery release uses `v2026.3.13-1` because GitHub immutable releases do not allow reusing `v2026.3.13` after publication.\\r\\n\\r\\nImportant:\\r\\n- This release exists to recover the broken `v2026.3.13` tag/release path.\\r\\n- The corresponding npm version is still `2026.3.13`, not `2026.3.13-1`.\\r\\n- The `-1` suffix is for the Git tag and GitHub Release only.\\r\\n\\r\\n\\r\\n## What's Changed\\r\\n* fix(compaction): use full-session token count for post-compaction sanity check by @efe-arv in https://github.com/openclaw/openclaw/pull/28347\\r\\n* fix(telegram): thread media transport policy into SSRF by @obviyus in https://github.com/openclaw/openclaw/pull/44639\\r\\n* fix: handle Discord gateway metadata fetch failures by @jalehman in https://github.com/openclaw/openclaw/pull/44397\\r\\n* docs: move post-release changelog entries to Unreleased by @jalehman in https://github.com/openclaw/openclaw/pull/44691\\r\\n* fix(session): preserve `lastAccountId ` and `lastThreadId` on session reset by @Lanfei in https://github.com/openclaw/openclaw/pull/44773\\r\\n* Updated default model from openai-codex/gpt-5.3-codex to openai-codex/gpt-5.4 in tests. by @jrrcdev in https://github.com/openclaw/openclaw/pull/44367\\r\\n* fix: address delivery dedupe review follow-ups by @frankekn in https://github.com/openclaw/openclaw/pull/44666\\r\\n* CLI: align xhigh thinking help text by @frankekn in https://github.com/openclaw/openclaw/pull/44819\\r\\n* docs: fix changelog credit for xhigh help by @frankekn in https://github.com/openclaw/openclaw/pull/44874\\r\\n* fix(agents): drop Anthropic thinking blocks on replay by @frankekn in https://github.com/openclaw/openclaw/pull/44843\\r\\n* docs: fix session key :dm: → :direct: by @Lanfei in https://github.com/openclaw/openclaw/pull/26506\\r\\n* feat(android): redesign chat settings UI by @obviyus in https://github.com/openclaw/openclaw/pull/44894\\r\\n* fix(agents): avoid injecting memory file twice on case-insensitive mounts by @Lanfei in https://github.com/openclaw/openclaw/pull/26054\\r\\n* Docker: add OPENCLAW_TZ timezone support by @Lanfei in https://github.com/openclaw/openclaw/pull/34119\\r\\n* Android: fix HttpURLConnection leak in TalkModeVoiceResolver by @Kaneki-x in https://github.com/openclaw/openclaw/pull/43780\\r\\n* fix(agents): respect explicit user compat overrides for non-native openai-completions by @cheapestinference in https://github.com/openclaw/openclaw/pull/44432\\r\\n* test(config): cover requiresOpenAiAnthropicToolPayload in compat schema fixture by @xingsy97 in https://github.com/openclaw/openclaw/pull/43438\\r\\n* fix(agents): rephrase session reset prompt to avoid Azure content filter by @xingsy97 in https://github.com/openclaw/openclaw/pull/43403\\r\\n* fix(config): add missing params field to agents.list[] validation schema by @atian8179 in https://github.com/openclaw/openclaw/pull/41171\\r\\n* fix(android): use Google Code Scanner for onboarding QR by @obviyus in https://github.com/openclaw/openclaw/pull/45021\\r\\n* fix: restore web fetch firecrawl config in runtime zod schema by @stim64045-spec in https://github.com/openclaw/openclaw/pull/42583\\r\\n* fix(signal): add groups config to Signal channel schema by @unisone in https://github.com/openclaw/openclaw/pull/27199\\r\\n* feat(ios): add onboarding welcome pager by @ngutman in https://github.com/openclaw/openclaw/pull/45054\\r\\n* small addition to .gitignore  by @Sovtoshi-SC in https://github.com/openclaw/openclaw/pull/42879\\r\\n* fix(discovery): add missing domain to wideArea Zod config schema by @ingyukoh in https://github.com/openclaw/openclaw/pull/35615\\r\\n* fix(ui): keep shared auth on insecure control-ui connects by @velvet-shark in https://github.com/openclaw/openclaw/pull/45088\\r\\n* fix: preserve persona and language continuity in compaction summaries by @keepitmello in https://github.com/openclaw/openclaw/pull/10456\\r\\n* ui: mobile navigation drawer \\u0026 theme variant refinements by @BunsDev in https://github.com/openclaw/openclaw/pull/45107\\r\\n* fix: resolve target agent workspace for cross-agent subagent spawns by @moshehbenavraham in https://github.com/openclaw/openclaw/pull/40176\\r\\n* fix(ollama): hide native reasoning-only output by @frankekn in https://github.com/openclaw/openclaw/pull/45330\\r\\n* test: annotate chat abort helper exports by @frankekn in https://github.com/openclaw/openclaw/pull/45346\\r\\n* Fix incorrect rendering of brave costs in docs by @keelanfh in https://github.com/openclaw/openclaw/pull/44989\\r\\n* security(docker): prevent gateway token leak in Docker build context by @xingsy97 in https://github.com/openclaw/openclaw/pull/44956\\r\\n* refactor: remove redundant ?? undefined in Slack probe by @Cafexss in https://github.com/openclaw/openclaw/pull/44775\\r\\n* fix(ui): restore chat-new-messages class on scroll pill button by @Astro-Han in https://github.com/openclaw/openclaw/pull/44856\\r\\n* fix(windows): suppress visible console windows during restart and process cleanup by @MoerAI in https://github.com/openclaw/openclaw/pull/44842\\r\\n* Slack: add opt-in interactive reply directives by @vincentkoc in https://github.com/openclaw/openclaw/pull/44607\\r\\n* Docs: describe Slack interactive replies by @vincentkoc in https://github.com/openclaw/openclaw/pull/45463\\r\\n* fix(cron): prevent isolated cron nested lane deadlocks by @vincentkoc in https://github.com/openclaw/openclaw/pull/45459\\r\\n* Fix updater refresh cwd for service reinstall by @vincentkoc in https://github.com/openclaw/openclaw/pull/45452\\r\\n* [codex] Polish sidebar status, agent skills, and chat rendering by @BunsDev in https://github.com/openclaw/openclaw/pull/45451\\r\\n* perf(build): deduplicate plugin-sdk chunks to fix ~2x memory regression by @TarasShyn in https://github.com/openclaw/openclaw/pull/45426\\r\\n* Guard updater service refresh against missing invocation cwd by @vincentkoc in https://github.com/openclaw/openclaw/pull/45486\\r\\n* fix(browser): normalize batch act dispatch for selector and batch support by @vincentkoc in https://github.com/openclaw/openclaw/pull/45457\\r\\n* docs(android): note that app is not publicly released yet by @eengad in https://github.com/openclaw/openclaw/pull/23051\\r\\n* fix(browser): follow up batch failure and limit handling by @vincentkoc in https://github.com/openclaw/openclaw/pull/45506\\r\\n* docker: add apt-get upgrade to all Dockerfiles by @jacobtomlinson in https://github.com/openclaw/openclaw/pull/45384\\r\\n* fix(config): avoid Anthropic startup crash by @BunsDev in https://github.com/openclaw/openclaw/pull/45520\\r\\n* test: preserve wrapper behavior for targeted runs by @Takhoffman in https://github.com/openclaw/openclaw/pull/45518\\r\\n* UI: fix chat context notice icon sizing by @BunsDev in https://github.com/openclaw/openclaw/pull/45533\\r\\n* fix(ui): stop dashboard chat history reload storm by @BunsDev in https://github.com/openclaw/openclaw/pull/45541\\r\\n* fix: retry Telegram inbound media downloads over IPv4 fallback by @frankekn in https://github.com/openclaw/openclaw/pull/45327\\r\\n* fix(feishu): preserve non-ASCII filenames in file uploads (#33912) by @fabiaodemianyang in https://github.com/openclaw/openclaw/pull/34262\\r\\n* macOS: respect exec-approvals.json settings in gateway prompter by @sliekens in https://github.com/openclaw/openclaw/pull/13707\\r\\n* fix(ui): keep oversized chat replies readable by @BunsDev in https://github.com/openclaw/openclaw/pull/45559\\r\\n* fix(gateway/ui): restore control-ui auth bypass and classify connect failures by @sallyom in https://github.com/openclaw/openclaw/pull/45512\\r\\n* fix(macos): prevent PortGuard from killing Docker Desktop in remote mode by @teslamint in https://github.com/openclaw/openclaw/pull/13798\\r\\n* fix(sessions): create transcript file on chat.inject when missing by @2233admin in https://github.com/openclaw/openclaw/pull/36645\\r\\n* Plugins: fail fast on channel and binding collisions by @vincentkoc in https://github.com/openclaw/openclaw/pull/45628\\r\\n* fix(macos): align minimum Node.js version with runtime guard (22.16.0) by @ImLukeF in https://github.com/openclaw/openclaw/pull/45640\\r\\n* fix(agents): preserve blank local custom-provider API keys after onboarding by @frankekn in https://github.com/openclaw/openclaw/pull/45631\\r\\n* fix(browser): harden existing-session driver validation and session lifecycle by @odysseus0 in https://github.com/openclaw/openclaw/pull/45682\\r\\n* fix(feishu): add early event-level dedup to prevent duplicate replies by @yunweibang in https://github.com/openclaw/openclaw/pull/43762\\r\\n* fix(models): apply Gemini model-id normalization to google-vertex provider by @scoootscooob in https://github.com/openclaw/openclaw/pull/42435\\r\\n* Gateway: treat scope-limited probe RPC as degraded reachability by @joshavant in https://github.com/openclaw/openclaw/pull/45622\\r\\n* fix(gateway): bound unanswered client requests by @Takhoffman in https://github.com/openclaw/openclaw/pull/45689\\r\\n\\r\\n## New Contributors\\r\\n* @jrrcdev made their first contribution in https://github.com/openclaw/openclaw/pull/44367\\r\\n* @Kaneki-x made their first contribution in https://github.com/openclaw/openclaw/pull/43780\\r\\n* @cheapestinference made their first contribution in https://github.com/openclaw/openclaw/pull/44432\\r\\n* @xingsy97 made their first contribution in https://github.com/openclaw/openclaw/pull/43438\\r\\n* @atian8179 made their first contribution in https://github.com/openclaw/openclaw/pull/41171\\r\\n* @stim64045-spec made their first contribution in https://github.com/openclaw/openclaw/pull/42583\\r\\n* @Sovtoshi-SC made their first contribution in https://github.com/openclaw/openclaw/pull/42879\\r\\n* @keepitmello made their first contribution in https://github.com/openclaw/openclaw/pull/10456\\r\\n* @moshehbenavraham made their first contribution in https://github.com/openclaw/openclaw/pull/40176\\r\\n* @keelanfh made their first contribution in https://github.com/openclaw/openclaw/pull/44989\\r\\n* @Cafexss made their first contribution in https://github.com/openclaw/openclaw/pull/44775\\r\\n* @Astro-Han made their first contribution in https://github.com/openclaw/openclaw/pull/44856\\r\\n* @eengad made their first contribution in https://github.com/openclaw/openclaw/pull/23051\\r\\n* @jacobtomlinson made their first contribution in https://github.com/openclaw/openclaw/pull/45384\\r\\n* @fabiaodemianyang made their first contribution in https://github.com/openclaw/openclaw/pull/34262\\r\\n* @sliekens made their first contribution in https://github.com/openclaw/openclaw/pull/13707\\r\\n* @teslamint made their first contribution in https://github.com/openclaw/openclaw/pull/13798\\r\\n* @yunweibang made their first contribution in https://github.com/openclaw/openclaw/pull/43762\\r\\n\\r\\n**Full Changelog**: https://github.com/openclaw/openclaw/compare/v2026.3.12...v2026.3.13-1\",\"html_url\":\"https://github.com/openclaw/openclaw/releases/tag/v2026.3.13-1\",\"published_at\":\"2026-03-14T18:04:28Z\",\"prerelease\":false,\"draft\":false,\"author\":{\"login\":\"onutc\",\"id\":152018508,\"profile_url\":\"https://github.com/onutc\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/152018508?v=4\"}},{\"id\":296954903,\"tag_name\":\"v2026.3.13-beta.1\",\"name\":\"openclaw 2026.3.13-beta.1\",\"body\":\"Pre-release for npm beta tag `v2026.3.13-beta.1`.\\n\\nmacOS assets are built with stable app version `2026.3.13` so they can be reused for the later non-beta release. `appcast.xml` is intentionally unchanged in this pre-release.\\n\\n\\n### Changes\\n\\n- Android/chat settings: redesign the chat settings sheet with grouped device and media sections, refresh the Connect and Voice tabs, and tighten the chat composer/session header for a denser mobile layout. (#44894) Thanks @obviyus.\\n- iOS/onboarding: add a first-run welcome pager before gateway setup, stop auto-opening the QR scanner, and show `/pair qr` instructions on the connect step. (#45054) Thanks @ngutman.\\n- Browser/existing-session: add an official Chrome DevTools MCP attach mode for signed-in live Chrome sessions, with docs for `chrome://inspect/#remote-debugging` enablement and direct backlinks to Chrome’s own setup guides.\\n- Browser/agents: add built-in `profile=\\\"user\\\"` for the logged-in host browser and `profile=\\\"chrome-relay\\\"` for the extension relay, so agent browser calls can prefer the real signed-in browser without the extra `browserSession` selector.\\n- Browser/act automation: add batched actions, selector targeting, and delayed clicks for browser act requests with normalized batch dispatch. Thanks @vincentkoc.\\n- Docker/timezone override: add `OPENCLAW_TZ` so `docker-setup.sh` can pin gateway and CLI containers to a chosen IANA timezone instead of inheriting the daemon default. (#34119) Thanks @Lanfei.\\n- Dependencies/pi: bump `@mariozechner/pi-agent-core`, `@mariozechner/pi-ai`, `@mariozechner/pi-coding-agent`, and `@mariozechner/pi-tui` to `0.58.0`.\\n\\n### Fixes\\n\\n- Dashboard/chat UI: stop reloading full chat history on every live tool result in dashboard v2 so tool-heavy runs no longer trigger UI freeze/re-render storms while the final event still refreshes persisted history. (#45541) Thanks @BunsDev.\\n- Ollama/reasoning visibility: stop promoting native `thinking` and `reasoning` fields into final assistant text so local reasoning models no longer leak internal thoughts in normal replies. (#45330) Thanks @xi7ang.\\n- Android/onboarding QR scan: switch setup QR scanning to Google Code Scanner so onboarding uses a more reliable scanner instead of the legacy embedded ZXing flow. (#45021) Thanks @obviyus.\\n- Browser/existing-session: harden driver validation and session lifecycle so transport errors trigger reconnects while tool-level errors preserve the session, and extract shared ARIA role sets to deduplicate Playwright and Chrome MCP snapshot paths. (#45682) Thanks @odysseus0.\\n- Browser/existing-session: accept text-only `list_pages` and `new_page` responses from Chrome DevTools MCP so live-session tab discovery and new-tab open flows keep working when the server omits structured page metadata.\\n- Control UI/insecure auth: preserve explicit shared token and password auth on plain-HTTP Control UI connects so LAN and reverse-proxy sessions no longer drop shared auth before the first WebSocket handshake. (#45088) Thanks @velvet-shark.\\n- Gateway/session reset: preserve `lastAccountId` and `lastThreadId` across gateway session resets so replies keep routing back to the same account and thread after `/reset`. (#44773) Thanks @Lanfei.\\n- macOS/onboarding: avoid self-restarting freshly bootstrapped launchd gateways and give new daemon installs longer to become healthy, so `openclaw onboard --install-daemon` no longer false-fails on slower Macs and fresh VM snapshots.\\n- Gateway/status: add `openclaw gateway status --require-rpc` and clearer Linux non-interactive daemon-install failure reporting so automation can fail hard on probe misses instead of treating a printed RPC error as green.\\n- macOS/exec approvals: respect per-agent exec approval settings in the gateway prompter, including allowlist fallback when the native prompt cannot be shown, so gateway-triggered `system.run` requests follow configured policy instead of always prompting or denying unexpectedly. (#13707) Thanks @sliekens.\\n- Telegram/media downloads: thread the same direct or proxy transport policy into SSRF-guarded file fetches so inbound attachments keep working when Telegram falls back between env-proxy and direct networking. (#44639) Thanks @obviyus.\\n- Telegram/inbound media IPv4 fallback: retry SSRF-guarded Telegram file downloads once with the same IPv4 fallback policy as Bot API calls so fresh installs on IPv6-broken hosts no longer fail to download inbound images.\\n- Windows/gateway install: bound `schtasks` calls and fall back to the Startup-folder login item when task creation hangs, so native `openclaw gateway install` fails fast instead of wedging forever on broken Scheduled Task setups.\\n- Windows/gateway stop: resolve Startup-folder fallback listeners from the installed `gateway.cmd` port, so `openclaw gateway stop` now actually kills fallback-launched gateway processes before restart.\\n- Windows/gateway status: reuse the installed service command environment when reading runtime status, so startup-fallback gateways keep reporting the configured port and running state in `gateway status --json` instead of falling back to `gateway port unknown`.\\n- Windows/gateway auth: stop attaching device identity on local loopback shared-token and password gateway calls, so native Windows agent replies no longer log stale `device signature expired` fallback noise before succeeding.\\n- Discord/gateway startup: treat plain-text and transient `/gateway/bot` metadata fetch failures as transient startup errors so Discord gateway boot no longer crashes on unhandled rejections. (#44397) Thanks @jalehman.\\n- Slack/probe: keep `auth.test()` bot and team metadata mapping stable while simplifying the probe result path. (#44775) Thanks @Cafexss.\\n- Dashboard/chat UI: render oversized plain-text replies as normal paragraphs instead of capped gray code blocks, so long desktop chat responses stay readable without tab-switching refreshes.\\n- Dashboard/chat UI: restore the `chat-new-messages` class on the New messages scroll pill so the button uses its existing compact styling instead of rendering as a full-screen SVG overlay. (#44856) Thanks @Astro-Han.\\n- Gateway/Control UI: restore the operator-only device-auth bypass and classify browser connect failures so origin and device-identity problems no longer show up as auth errors in the Control UI and web chat. (#45512) thanks @sallyom.\\n- macOS/voice wake: stop crashing wake-word command extraction when speech segment ranges come from a different transcript instance.\\n- Discord/allowlists: honor raw `guild_id` when hydrated guild objects are missing so allowlisted channels and threads like `#maintainers` no longer get false-dropped before channel allowlist checks.\\n- macOS/runtime locator: require Node \\u003e=22.16.0 during macOS runtime discovery so the app no longer accepts Node versions that the main runtime guard rejects later. Thanks @sumleo.\\n- Agents/custom providers: preserve blank API keys for loopback OpenAI-compatible custom providers by clearing the synthetic Authorization header at runtime, while keeping explicit apiKey and oauth/token config from silently downgrading into fake bearer auth. (#45631) Thanks @xinhuagu.\\n- Models/google-vertex Gemini flash-lite normalization: apply existing bare-ID preview normalization to `google-vertex` model refs and provider configs so `google-vertex/gemini-3.1-flash-lite` resolves as `gemini-3.1-flash-lite-preview`. (#42435) thanks @scoootscooob.\\n- iMessage/remote attachments: reject unsafe remote attachment paths before spawning SCP, so sender-controlled filenames can no longer inject shell metacharacters into remote media staging. Thanks @lintsinghua.\\n- Telegram/webhook auth: validate the Telegram webhook secret before reading or parsing request bodies, so unauthenticated requests are rejected immediately instead of consuming up to 1 MB first. Thanks @space08.\\n- Security/device pairing: make bootstrap setup codes single-use so pending device pairing requests cannot be silently replayed and widened to admin before approval. Thanks @tdjackey.\\n- Security/external content: strip zero-width and soft-hyphen marker-splitting characters during boundary sanitization so spoofed `EXTERNAL_UNTRUSTED_CONTENT` markers fall back to the existing hardening path instead of bypassing marker normalization.\\n- Security/exec approvals: unwrap more `pnpm` runtime forms during approval binding, including `pnpm --reporter ... exec` and direct `pnpm node` file runs, with matching regression coverage and docs updates.\\n- Security/exec approvals: fail closed for Perl `-M` and `-I` approval flows so preload and load-path module resolution stays outside approval-backed runtime execution unless the operator uses a broader explicit trust path.\\n- Security/exec approvals: recognize PowerShell `-File` and `-f` wrapper forms during inline-command extraction so approval and command-analysis paths treat file-based PowerShell launches like the existing `-Command` variants.\\n- Security/exec approvals: unwrap `env` dispatch wrappers inside shell-segment allowlist resolution on macOS so `env FOO=bar /path/to/bin` resolves against the effective executable instead of the wrapper token.\\n- Security/exec approvals: treat backslash-newline as shell line continuation during macOS shell-chain parsing so line-continued `$(` substitutions fail closed instead of slipping past command-substitution checks.\\n- Security/exec approvals: bind macOS skill auto-allow trust to both executable name and resolved path so same-basename binaries no longer inherit trust from unrelated skill bins.\\n- Build/plugin-sdk bundling: bundle plugin-sdk subpath entries in one shared build pass so published packages stop duplicating shared chunks and avoid the recent plugin-sdk memory blow-up. (#45426) Thanks @TarasShyn.\\n- Cron/isolated sessions: route nested cron-triggered embedded runner work onto the nested lane so isolated cron jobs no longer deadlock when compaction or other queued inner work runs. Thanks @vincentkoc.\\n- Agents/OpenAI-compatible compat overrides: respect explicit user `models[].compat` opt-ins for non-native `openai-completions` endpoints so usage-in-streaming capability overrides no longer get forced off when the endpoint actually supports them. (#44432) Thanks @cheapestinference.\\n- Agents/Azure OpenAI startup prompts: rephrase the built-in `/new`, `/reset`, and post-compaction startup instruction so Azure OpenAI deployments no longer hit HTTP 400 false positives from the content filter. (#43403) Thanks @xingsy97.\\n- Agents/memory bootstrap: load only one root memory file, preferring `MEMORY.md` and using `memory.md` as a fallback, so case-insensitive Docker mounts no longer inject duplicate memory context. (#26054) Thanks @Lanfei.\\n- Agents/compaction: compare post-compaction token sanity checks against full-session pre-compaction totals and skip the check when token estimation fails, so sessions with large bootstrap context keep real token counts instead of falling back to unknown. (#28347) thanks @efe-arv.\\n- Agents/compaction: preserve safeguard compaction summary language continuity via default and configurable custom instructions so persona drift is reduced after auto-compaction. (#10456) Thanks @keepitmello.\\n- Agents/tool warnings: distinguish gated core tools like `apply_patch` from plugin-only unknown entries in `tools.profile` warnings, so unavailable core tools now report current runtime/provider/model/config gating instead of suggesting a missing plugin.\\n- Config/validation: accept documented `agents.list[].params` per-agent overrides in strict config validation so `openclaw config validate` no longer rejects runtime-supported `cacheRetention`, `temperature`, and `maxTokens` settings. (#41171) Thanks @atian8179.\\n- Config/web fetch: restore runtime validation for documented `tools.web.fetch.readability` and `tools.web.fetch.firecrawl` settings so valid web fetch configs no longer fail with unrecognized-key errors. (#42583) Thanks @stim64045-spec.\\n- Signal/config validation: add `channels.signal.groups` schema support so per-group `requireMention`, `tools`, and `toolsBySender` overrides no longer get rejected during config validation. (#27199) Thanks @unisone.\\n- Config/discovery: accept `discovery.wideArea.domain` in strict config validation so unicast DNS-SD gateway configs no longer fail with an unrecognized-key error. (#35615) Thanks @ingyukoh.\\n- Telegram/media errors: redact Telegram file URLs before building media fetch errors so failed inbound downloads do not leak bot tokens into logs. Thanks @space08.\\n\\n\",\"html_url\":\"https://github.com/openclaw/openclaw/releases/tag/v2026.3.13-beta.1\",\"published_at\":\"2026-03-14T05:17:09Z\",\"prerelease\":true,\"draft\":false,\"author\":{\"login\":\"steipete\",\"id\":58493,\"profile_url\":\"https://github.com/steipete\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/58493?v=4\"}},{\"id\":296518523,\"tag_name\":\"v2026.3.12\",\"name\":\"openclaw 2026.3.12\",\"body\":\"\\n### Changes\\n\\n- Control UI/dashboard-v2: refresh the gateway dashboard with modular overview, chat, config, agent, and session views, plus a command palette, mobile bottom tabs, and richer chat tools like slash commands, search, export, and pinned messages. (#41503) Thanks @BunsDev.\\n- OpenAI/GPT-5.4 fast mode: add configurable session-level fast toggles across `/fast`, TUI, Control UI, and ACP, with per-model config defaults and OpenAI/Codex request shaping.\\n- Anthropic/Claude fast mode: map the shared `/fast` toggle and `params.fastMode` to direct Anthropic API-key `service_tier` requests, with live verification for both Anthropic and OpenAI fast-mode tiers.\\n- Models/plugins: move Ollama, vLLM, and SGLang onto the provider-plugin architecture, with provider-owned onboarding, discovery, model-picker setup, and post-selection hooks so core provider wiring is more modular.\\n- Docs/Kubernetes: Add a starter K8s install path with raw manifests, Kind setup, and deployment docs. Thanks @sallyom @dzianisv @egkristi\\n- Agents/subagents: add `sessions_yield` so orchestrators can end the current turn immediately, skip queued tool work, and carry a hidden follow-up payload into the next session turn. (#36537) thanks @jriff\\n- Slack/agent replies: support `channelData.slack.blocks` in the shared reply delivery path so agents can send Block Kit messages through standard Slack outbound delivery. (#44592) Thanks @vincentkoc.\\n\\n### Fixes\\n\\n- Security/device pairing: switch `/pair` and `openclaw qr` setup codes to short-lived bootstrap tokens so the next release no longer embeds shared gateway credentials in chat or QR pairing payloads. Thanks @lintsinghua.\\n- Security/plugins: disable implicit workspace plugin auto-load so cloned repositories cannot execute workspace plugin code without an explicit trust decision. (`GHSA-99qw-6mr3-36qr`)(#44174) Thanks @lintsinghua and @vincentkoc.\\n- Models/Kimi Coding: send `anthropic-messages` tools in native Anthropic format again so `kimi-coding` stops degrading tool calls into XML/plain-text pseudo invocations instead of real `tool_use` blocks. (#38669, #39907, #40552) Thanks @opriz.\\n- TUI/chat log: reuse the active assistant message component for the same streaming run so `openclaw tui` no longer renders duplicate assistant replies. (#35364) Thanks @lisitan.\\n- Telegram/model picker: make inline model button selections persist the chosen session model correctly, clear overrides when selecting the configured default, and include effective fallback models in `/models` button validation. (#40105) Thanks @avirweb.\\n- Cron/proactive delivery: keep isolated direct cron sends out of the write-ahead resend queue so transient-send retries do not replay duplicate proactive messages after restart. (#40646) Thanks @openperf and @vincentkoc.\\n- Models/Kimi Coding: send the built-in `User-Agent: claude-code/0.1.0` header by default for `kimi-coding` while still allowing explicit provider headers to override it, so Kimi Code subscription auth can work without a local header-injection proxy. (#30099) Thanks @Amineelfarssi and @vincentkoc.\\n- Models/OpenAI Codex Spark: keep `gpt-5.3-codex-spark` working on the `openai-codex/*` path via resolver fallbacks and clearer Codex-only handling, while continuing to suppress the stale direct `openai/*` Spark row that OpenAI rejects live.\\n- Ollama/Kimi Cloud: apply the Moonshot Kimi payload compatibility wrapper to Ollama-hosted Kimi models like `kimi-k2.5:cloud`, so tool routing no longer breaks when thinking is enabled. (#41519) Thanks @vincentkoc.\\n- Moonshot CN API: respect explicit `baseUrl` (api.moonshot.cn) in implicit provider resolution so platform.moonshot.cn API keys authenticate correctly instead of returning HTTP 401. (#33637) Thanks @chengzhichao-xydt.\\n- Kimi Coding/provider config: respect explicit `models.providers[\\\"kimi-coding\\\"].baseUrl` when resolving the implicit provider so custom Kimi Coding endpoints no longer get overwritten by the built-in default. (#36353) Thanks @2233admin.\\n- Gateway/main-session routing: keep TUI and other `mode:UI` main-session sends on the internal surface when `deliver` is enabled, so replies no longer inherit the session's persisted Telegram/WhatsApp route. (#43918) Thanks @obviyus.\\n- BlueBubbles/self-chat echo dedupe: drop reflected duplicate webhook copies only when a matching `fromMe` event was just seen for the same chat, body, and timestamp, preventing self-chat loops without broad webhook suppression. Related to #32166. (#38442) Thanks @vincentkoc.\\n- iMessage/self-chat echo dedupe: drop reflected duplicate copies only when a matching `is_from_me` event was just seen for the same chat, text, and `created_at`, preventing self-chat loops without broad text-only suppression. Related to #32166. (#38440) Thanks @vincentkoc.\\n- Subagents/completion announce retries: raise the default announce timeout to 90 seconds and stop retrying gateway-timeout failures for externally delivered completion announces, preventing duplicate user-facing completion messages after slow gateway responses. Fixes #41235. Thanks @vasujain00 and @vincentkoc.\\n- Mattermost/block streaming: fix duplicate message delivery (one threaded, one top-level) when block streaming is active by excluding `replyToId` from the block reply dedup key and adding an explicit `threading` dock to the Mattermost plugin. (#41362) Thanks @mathiasnagler and @vincentkoc.\\n- Mattermost/reply media delivery: pass agent-scoped `mediaLocalRoots` through shared reply delivery so allowed local files upload correctly from button, slash-command, and model-picker replies. (#44021) Thanks @LyleLiu666.\\n- macOS/Reminders: add the missing `NSRemindersUsageDescription` to the bundled app so `apple-reminders` can trigger the system permission prompt from OpenClaw.app. (#8559) Thanks @dinakars777.\\n- Gateway/session discovery: discover disk-only and retired ACP session stores under custom templated `session.store` roots so ACP reconciliation, session-id/session-label targeting, and run-id fallback keep working after restart. (#44176) thanks @gumadeiras.\\n- Plugins/env-scoped roots: fix plugin discovery/load caches and provenance tracking so same-process `HOME`/`OPENCLAW_HOME` changes no longer reuse stale plugin state or misreport `~/...` plugins as untracked. (#44046) thanks @gumadeiras.\\n- Models/OpenRouter native ids: canonicalize native OpenRouter model keys across config writes, runtime lookups, fallback management, and `models list --plain`, and migrate legacy duplicated `openrouter/openrouter/...` config entries forward on write.\\n- Windows/native update: make package installs use the npm update path instead of the git path, carry portable Git into native Windows updates, and mirror the installer's Windows npm env so `openclaw update` no longer dies early on missing `git` or `node-llama-cpp` download setup.\\n- Sandbox/write: preserve pinned mutation-helper payload stdin so sandboxed `write` no longer reports success while creating empty files. (#43876) Thanks @glitch418x.\\n- Security/exec approvals: escape invisible Unicode format characters in approval prompts so zero-width command text renders as visible `\\\\u{...}` escapes instead of spoofing the reviewed command. (`GHSA-pcqg-f7rg-xfvv`)(#43687) Thanks @EkiXu and @vincentkoc.\\n- Hooks/loader: fail closed when workspace hook paths cannot be resolved with `realpath`, so unreadable or broken internal hook paths are skipped instead of falling back to unresolved imports. (#44437) Thanks @vincentkoc.\\n- Hooks/agent deliveries: dedupe repeated hook requests by optional idempotency key so webhook retries can reuse the first run instead of launching duplicate agent executions. (#44438) Thanks @vincentkoc.\\n- Security/exec detection: normalize compatibility Unicode and strip invisible formatting code points before obfuscation checks so zero-width and fullwidth command tricks no longer suppress heuristic detection. (`GHSA-9r3v-37xh-2cf6`)(#44091) Thanks @wooluo and @vincentkoc.\\n- Security/exec allowlist: preserve POSIX case sensitivity and keep `?` within a single path segment so exact-looking allowlist patterns no longer overmatch executables across case or directory boundaries. (`GHSA-f8r2-vg7x-gh8m`)(#43798) Thanks @zpbrent and @vincentkoc.\\n- Security/commands: require sender ownership for `/config` and `/debug` so authorized non-owner senders can no longer reach owner-only config and runtime debug surfaces. (`GHSA-r7vr-gr74-94p8`)(#44305) Thanks @tdjackey and @vincentkoc.\\n- Security/gateway auth: clear unbound client-declared scopes on shared-token WebSocket connects so device-less shared-token operators cannot self-declare elevated scopes. (`GHSA-rqpp-rjj8-7wv8`)(#44306) Thanks @LUOYEcode and @vincentkoc.\\n- Security/browser.request: block persistent browser profile create/delete routes from write-scoped `browser.request` so callers can no longer persist admin-only browser profile changes through the browser control surface. (`GHSA-vmhq-cqm9-6p7q`)(#43800) Thanks @tdjackey and @vincentkoc.\\n- Security/agent: reject public spawned-run lineage fields and keep workspace inheritance on the internal spawned-session path so external `agent` callers can no longer override the gateway workspace boundary. (`GHSA-2rqg-gjgv-84jm`)(#43801) Thanks @tdjackey and @vincentkoc.\\n- Security/session_status: enforce sandbox session-tree visibility and shared agent-to-agent access guards before reading or mutating target session state, so sandboxed subagents can no longer inspect parent session metadata or write parent model overrides via `session_status`. (`GHSA-wcxr-59v9-rxr8`)(#43754) Thanks @tdjackey and @vincentkoc.\\n- Security/agent tools: mark `nodes` as explicitly owner-only and document/test that `canvas` remains a shared trusted-operator surface unless a real boundary bypass exists.\\n- Security/exec approvals: fail closed for Ruby approval flows that use `-r`, `--require`, or `-I` so approval-backed commands no longer bind only the main script while extra local code-loading flags remain outside the reviewed file snapshot.\\n- Security/device pairing: cap issued and verified device-token scopes to each paired device's approved scope baseline so stale or overbroad tokens cannot exceed approved access. (`GHSA-2pwv-x786-56f8`)(#43686) Thanks @tdjackey and @vincentkoc.\\n- Docs/onboarding: align the legacy wizard reference and `openclaw onboard` command docs with the Ollama onboarding flow so all onboarding reference paths now document `--auth-choice ollama`, Cloud + Local mode, and non-interactive usage. (#43473) Thanks @BruceMacD.\\n- Models/secrets: enforce source-managed SecretRef markers in generated `models.json` so runtime-resolved provider secrets are not persisted when runtime projection is skipped. (#43759) Thanks @joshavant.\\n- Security/WebSocket preauth: shorten unauthenticated handshake retention and reject oversized pre-auth frames before application-layer parsing to reduce pre-pairing exposure on unsupported public deployments. (`GHSA-jv4g-m82p-2j93`)(#44089) (`GHSA-xwx2-ppv2-wx98`)(#44089) Thanks @ez-lbz and @vincentkoc.\\n- Security/proxy attachments: restore the shared media-store size cap for persisted browser proxy files so oversized payloads are rejected instead of overriding the intended 5 MB limit. (`GHSA-6rph-mmhp-h7h9`)(#43684) Thanks @tdjackey and @vincentkoc.\\n- Security/host env: block inherited `GIT_EXEC_PATH` from sanitized host exec environments so Git helper resolution cannot be steered by host environment state. (`GHSA-jf5v-pqgw-gm5m`)(#43685) Thanks @zpbrent and @vincentkoc.\\n- Security/Feishu webhook: require `encryptKey` alongside `verificationToken` in webhook mode so unsigned forged events are rejected instead of being processed with token-only configuration. (`GHSA-g353-mgv3-8pcj`)(#44087) Thanks @lintsinghua and @vincentkoc.\\n- Security/Feishu reactions: preserve looked-up group chat typing and fail closed on ambiguous reaction context so group authorization and mention gating cannot be bypassed through synthetic `p2p` reactions. (`GHSA-m69h-jm2f-2pv8`)(#44088) Thanks @zpbrent and @vincentkoc.\\n- Security/LINE webhook: require signatures for empty-event POST probes too so unsigned requests no longer confirm webhook reachability with a `200` response. (`GHSA-mhxh-9pjm-w7q5`)(#44090) Thanks @TerminalsandCoffee and @vincentkoc.\\n- Security/Zalo webhook: rate limit invalid secret guesses before auth so weak webhook secrets cannot be brute-forced through unauthenticated churned requests without pre-auth `429` responses. (`GHSA-5m9r-p9g7-679c`)(#44173) Thanks @zpbrent and @vincentkoc.\\n- Security/Zalouser groups: require stable group IDs for allowlist auth by default and gate mutable group-name matching behind `channels.zalouser.dangerouslyAllowNameMatching`. Thanks @zpbrent.\\n- Security/Slack and Teams routing: require stable channel and team IDs for allowlist routing by default, with mutable name matching only via each channel's `dangerouslyAllowNameMatching` break-glass flag.\\n- Security/exec approvals: fail closed for ambiguous inline loader and shell-payload script execution, bind the real script after POSIX shell value-taking flags, and unwrap `pnpm`/`npm exec`/`npx` script runners before approval binding. (`GHSA-57jw-9722-6rf2`)(`GHSA-jvqh-rfmh-jh27`)(`GHSA-x7pp-23xv-mmr4`)(`GHSA-jc5j-vg4r-j5jx`)(#44247) Thanks @tdjackey and @vincentkoc.\\n- Doctor/gateway service audit: canonicalize service entrypoint paths before comparing them so symlink-vs-realpath installs no longer trigger false \\\"entrypoint does not match the current install\\\" repair prompts. (#43882) Thanks @ngutman.\\n- Doctor/gateway service audit: earlier groundwork for this fix landed in the superseded #28338 branch. Thanks @realriphub.\\n- Gateway/session stores: regenerate the Swift push-test protocol models and align Windows native session-store realpath handling so protocol checks and sync session discovery stop drifting on Windows. (#44266) thanks @jalehman.\\n- Context engine/session routing: forward optional `sessionKey` through context-engine lifecycle calls so plugins can see structured routing metadata during bootstrap, assembly, post-turn ingestion, and compaction. (#44157) thanks @jalehman.\\n- Agents/failover: classify z.ai `network_error` stop reasons as retryable timeouts so provider connectivity failures trigger fallback instead of surfacing raw unhandled-stop-reason errors. (#43884) Thanks @hougangdev.\\n- Memory/session sync: add mode-aware post-compaction session reindexing with `agents.defaults.compaction.postIndexSync` plus `agents.defaults.memorySearch.sync.sessions.postCompactionForce`, so compacted session memory can refresh immediately without forcing every deployment into synchronous reindexing. (#25561) thanks @rodrigouroz.\\n- Telegram/model picker: make inline model button selections persist the chosen session model correctly, clear overrides when selecting the configured default, and include effective fallback models in `/models` button validation. (#40105) Thanks @avirweb.\\n- Telegram/native command sync: suppress expected `BOT_COMMANDS_TOO_MUCH` retry error noise, add a final fallback summary log, and document the difference between command-menu overflow and real Telegram network failures.\\n- Mattermost/reply media delivery: pass agent-scoped `mediaLocalRoots` through shared reply delivery so allowed local files upload correctly from button, slash-command, and model-picker replies. (#44021) Thanks @LyleLiu666.\\n- Plugins/env-scoped roots: fix plugin discovery/load caches and provenance tracking so same-process `HOME`/`OPENCLAW_HOME` changes no longer reuse stale plugin state or misreport `~/...` plugins as untracked. (#44046) thanks @gumadeiras.\\n- Gateway/session discovery: discover disk-only and retired ACP session stores under custom templated `session.store` roots so ACP reconciliation, session-id/session-label targeting, and run-id fallback keep working after restart. (#44176) thanks @gumadeiras.\\n- Models/OpenRouter native ids: canonicalize native OpenRouter model keys across config writes, runtime lookups, fallback management, and `models list --plain`, and migrate legacy duplicated `openrouter/openrouter/...` config entries forward on write.\\n- Gateway/hooks: bucket hook auth failures by forwarded client IP behind trusted proxies and warn when `hooks.allowedAgentIds` leaves hook routing unrestricted.\\n- Agents/compaction: skip the post-compaction `cache-ttl` marker write when a compaction completed in the same attempt, preventing the next turn from immediately triggering a second tiny compaction. (#28548) thanks @MoerAI.\\n- Native chat/macOS: add `/new`, `/reset`, and `/clear` reset triggers, keep shared main-session aliases aligned, and ignore stale model-selection completions so native chat state stays in sync across reset and fast model changes. (#10898) Thanks @Nachx639.\\n- Agents/compaction safeguard: route missing-model and missing-API-key cancellation warnings through the shared subsystem logger so they land in structured and file logs. (#9974) Thanks @dinakars777.\\n- Cron/doctor: stop flagging canonical `agentTurn` and `systemEvent` payload kinds as legacy cron storage, while still normalizing whitespace-padded and non-canonical variants. (#44012) Thanks @shuicici.\\n- ACP/client final-message delivery: preserve terminal assistant text snapshots before resolving `end_turn`, so ACP clients no longer drop the last visible reply when the gateway sends the final message body on the terminal chat event. (#17615) Thanks @pjeby.\\n- Telegram/Discord status reactions: show a temporary compacting reaction during auto-compaction pauses and restore thinking afterward so the bot no longer appears frozen while context is being compacted. (#35474) thanks @Cypherm.\\n\\n\",\"html_url\":\"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12\",\"published_at\":\"2026-03-13T04:26:46Z\",\"prerelease\":false,\"draft\":false,\"author\":{\"login\":\"steipete\",\"id\":58493,\"profile_url\":\"https://github.com/steipete\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/58493?v=4\"}}]"}]}]},"parent_tool_use_id":null,"session_id":"246b2626-2210-4274-a7b6-16347d764227","uuid":"7b2fb78a-732f-431b-8f78-ed2c183b8016","timestamp":"2026-03-21T18:28:07.904Z","tool_use_result":[{"type":"text","text":"[{\"id\":297041210,\"tag_name\":\"v2026.3.13-1\",\"name\":\"openclaw 2026.3.13\",\"body\":\"This recovery release uses `v2026.3.13-1` because GitHub immutable releases do not allow reusing `v2026.3.13` after publication.\\r\\n\\r\\nImportant:\\r\\n- This release exists to recover the broken `v2026.3.13` tag/release path.\\r\\n- The corresponding npm version is still `2026.3.13`, not `2026.3.13-1`.\\r\\n- The `-1` suffix is for the Git tag and GitHub Release only.\\r\\n\\r\\n\\r\\n## What's Changed\\r\\n* fix(compaction): use full-session token count for post-compaction sanity check by @efe-arv in https://github.com/openclaw/openclaw/pull/28347\\r\\n* fix(telegram): thread media transport policy into SSRF by @obviyus in https://github.com/openclaw/openclaw/pull/44639\\r\\n* fix: handle Discord gateway metadata fetch failures by @jalehman in https://github.com/openclaw/openclaw/pull/44397\\r\\n* docs: move post-release changelog entries to Unreleased by @jalehman in https://github.com/openclaw/openclaw/pull/44691\\r\\n* fix(session): preserve `lastAccountId ` and `lastThreadId` on session reset by @Lanfei in https://github.com/openclaw/openclaw/pull/44773\\r\\n* Updated default model from openai-codex/gpt-5.3-codex to openai-codex/gpt-5.4 in tests. by @jrrcdev in https://github.com/openclaw/openclaw/pull/44367\\r\\n* fix: address delivery dedupe review follow-ups by @frankekn in https://github.com/openclaw/openclaw/pull/44666\\r\\n* CLI: align xhigh thinking help text by @frankekn in https://github.com/openclaw/openclaw/pull/44819\\r\\n* docs: fix changelog credit for xhigh help by @frankekn in https://github.com/openclaw/openclaw/pull/44874\\r\\n* fix(agents): drop Anthropic thinking blocks on replay by @frankekn in https://github.com/openclaw/openclaw/pull/44843\\r\\n* docs: fix session key :dm: → :direct: by @Lanfei in https://github.com/openclaw/openclaw/pull/26506\\r\\n* feat(android): redesign chat settings UI by @obviyus in https://github.com/openclaw/openclaw/pull/44894\\r\\n* fix(agents): avoid injecting memory file twice on case-insensitive mounts by @Lanfei in https://github.com/openclaw/openclaw/pull/26054\\r\\n* Docker: add OPENCLAW_TZ timezone support by @Lanfei in https://github.com/openclaw/openclaw/pull/34119\\r\\n* Android: fix HttpURLConnection leak in TalkModeVoiceResolver by @Kaneki-x in https://github.com/openclaw/openclaw/pull/43780\\r\\n* fix(agents): respect explicit user compat overrides for non-native openai-completions by @cheapestinference in https://github.com/openclaw/openclaw/pull/44432\\r\\n* test(config): cover requiresOpenAiAnthropicToolPayload in compat schema fixture by @xingsy97 in https://github.com/openclaw/openclaw/pull/43438\\r\\n* fix(agents): rephrase session reset prompt to avoid Azure content filter by @xingsy97 in https://github.com/openclaw/openclaw/pull/43403\\r\\n* fix(config): add missing params field to agents.list[] validation schema by @atian8179 in https://github.com/openclaw/openclaw/pull/41171\\r\\n* fix(android): use Google Code Scanner for onboarding QR by @obviyus in https://github.com/openclaw/openclaw/pull/45021\\r\\n* fix: restore web fetch firecrawl config in runtime zod schema by @stim64045-spec in https://github.com/openclaw/openclaw/pull/42583\\r\\n* fix(signal): add groups config to Signal channel schema by @unisone in https://github.com/openclaw/openclaw/pull/27199\\r\\n* feat(ios): add onboarding welcome pager by @ngutman in https://github.com/openclaw/openclaw/pull/45054\\r\\n* small addition to .gitignore  by @Sovtoshi-SC in https://github.com/openclaw/openclaw/pull/42879\\r\\n* fix(discovery): add missing domain to wideArea Zod config schema by @ingyukoh in https://github.com/openclaw/openclaw/pull/35615\\r\\n* fix(ui): keep shared auth on insecure control-ui connects by @velvet-shark in https://github.com/openclaw/openclaw/pull/45088\\r\\n* fix: preserve persona and language continuity in compaction summaries by @keepitmello in https://github.com/openclaw/openclaw/pull/10456\\r\\n* ui: mobile navigation drawer \\u0026 theme variant refinements by @BunsDev in https://github.com/openclaw/openclaw/pull/45107\\r\\n* fix: resolve target agent workspace for cross-agent subagent spawns by @moshehbenavraham in https://github.com/openclaw/openclaw/pull/40176\\r\\n* fix(ollama): hide native reasoning-only output by @frankekn in https://github.com/openclaw/openclaw/pull/45330\\r\\n* test: annotate chat abort helper exports by @frankekn in https://github.com/openclaw/openclaw/pull/45346\\r\\n* Fix incorrect rendering of brave costs in docs by @keelanfh in https://github.com/openclaw/openclaw/pull/44989\\r\\n* security(docker): prevent gateway token leak in Docker build context by @xingsy97 in https://github.com/openclaw/openclaw/pull/44956\\r\\n* refactor: remove redundant ?? undefined in Slack probe by @Cafexss in https://github.com/openclaw/openclaw/pull/44775\\r\\n* fix(ui): restore chat-new-messages class on scroll pill button by @Astro-Han in https://github.com/openclaw/openclaw/pull/44856\\r\\n* fix(windows): suppress visible console windows during restart and process cleanup by @MoerAI in https://github.com/openclaw/openclaw/pull/44842\\r\\n* Slack: add opt-in interactive reply directives by @vincentkoc in https://github.com/openclaw/openclaw/pull/44607\\r\\n* Docs: describe Slack interactive replies by @vincentkoc in https://github.com/openclaw/openclaw/pull/45463\\r\\n* fix(cron): prevent isolated cron nested lane deadlocks by @vincentkoc in https://github.com/openclaw/openclaw/pull/45459\\r\\n* Fix updater refresh cwd for service reinstall by @vincentkoc in https://github.com/openclaw/openclaw/pull/45452\\r\\n* [codex] Polish sidebar status, agent skills, and chat rendering by @BunsDev in https://github.com/openclaw/openclaw/pull/45451\\r\\n* perf(build): deduplicate plugin-sdk chunks to fix ~2x memory regression by @TarasShyn in https://github.com/openclaw/openclaw/pull/45426\\r\\n* Guard updater service refresh against missing invocation cwd by @vincentkoc in https://github.com/openclaw/openclaw/pull/45486\\r\\n* fix(browser): normalize batch act dispatch for selector and batch support by @vincentkoc in https://github.com/openclaw/openclaw/pull/45457\\r\\n* docs(android): note that app is not publicly released yet by @eengad in https://github.com/openclaw/openclaw/pull/23051\\r\\n* fix(browser): follow up batch failure and limit handling by @vincentkoc in https://github.com/openclaw/openclaw/pull/45506\\r\\n* docker: add apt-get upgrade to all Dockerfiles by @jacobtomlinson in https://github.com/openclaw/openclaw/pull/45384\\r\\n* fix(config): avoid Anthropic startup crash by @BunsDev in https://github.com/openclaw/openclaw/pull/45520\\r\\n* test: preserve wrapper behavior for targeted runs by @Takhoffman in https://github.com/openclaw/openclaw/pull/45518\\r\\n* UI: fix chat context notice icon sizing by @BunsDev in https://github.com/openclaw/openclaw/pull/45533\\r\\n* fix(ui): stop dashboard chat history reload storm by @BunsDev in https://github.com/openclaw/openclaw/pull/45541\\r\\n* fix: retry Telegram inbound media downloads over IPv4 fallback by @frankekn in https://github.com/openclaw/openclaw/pull/45327\\r\\n* fix(feishu): preserve non-ASCII filenames in file uploads (#33912) by @fabiaodemianyang in https://github.com/openclaw/openclaw/pull/34262\\r\\n* macOS: respect exec-approvals.json settings in gateway prompter by @sliekens in https://github.com/openclaw/openclaw/pull/13707\\r\\n* fix(ui): keep oversized chat replies readable by @BunsDev in https://github.com/openclaw/openclaw/pull/45559\\r\\n* fix(gateway/ui): restore control-ui auth bypass and classify connect failures by @sallyom in https://github.com/openclaw/openclaw/pull/45512\\r\\n* fix(macos): prevent PortGuard from killing Docker Desktop in remote mode by @teslamint in https://github.com/openclaw/openclaw/pull/13798\\r\\n* fix(sessions): create transcript file on chat.inject when missing by @2233admin in https://github.com/openclaw/openclaw/pull/36645\\r\\n* Plugins: fail fast on channel and binding collisions by @vincentkoc in https://github.com/openclaw/openclaw/pull/45628\\r\\n* fix(macos): align minimum Node.js version with runtime guard (22.16.0) by @ImLukeF in https://github.com/openclaw/openclaw/pull/45640\\r\\n* fix(agents): preserve blank local custom-provider API keys after onboarding by @frankekn in https://github.com/openclaw/openclaw/pull/45631\\r\\n* fix(browser): harden existing-session driver validation and session lifecycle by @odysseus0 in https://github.com/openclaw/openclaw/pull/45682\\r\\n* fix(feishu): add early event-level dedup to prevent duplicate replies by @yunweibang in https://github.com/openclaw/openclaw/pull/43762\\r\\n* fix(models): apply Gemini model-id normalization to google-vertex provider by @scoootscooob in https://github.com/openclaw/openclaw/pull/42435\\r\\n* Gateway: treat scope-limited probe RPC as degraded reachability by @joshavant in https://github.com/openclaw/openclaw/pull/45622\\r\\n* fix(gateway): bound unanswered client requests by @Takhoffman in https://github.com/openclaw/openclaw/pull/45689\\r\\n\\r\\n## New Contributors\\r\\n* @jrrcdev made their first contribution in https://github.com/openclaw/openclaw/pull/44367\\r\\n* @Kaneki-x made their first contribution in https://github.com/openclaw/openclaw/pull/43780\\r\\n* @cheapestinference made their first contribution in https://github.com/openclaw/openclaw/pull/44432\\r\\n* @xingsy97 made their first contribution in https://github.com/openclaw/openclaw/pull/43438\\r\\n* @atian8179 made their first contribution in https://github.com/openclaw/openclaw/pull/41171\\r\\n* @stim64045-spec made their first contribution in https://github.com/openclaw/openclaw/pull/42583\\r\\n* @Sovtoshi-SC made their first contribution in https://github.com/openclaw/openclaw/pull/42879\\r\\n* @keepitmello made their first contribution in https://github.com/openclaw/openclaw/pull/10456\\r\\n* @moshehbenavraham made their first contribution in https://github.com/openclaw/openclaw/pull/40176\\r\\n* @keelanfh made their first contribution in https://github.com/openclaw/openclaw/pull/44989\\r\\n* @Cafexss made their first contribution in https://github.com/openclaw/openclaw/pull/44775\\r\\n* @Astro-Han made their first contribution in https://github.com/openclaw/openclaw/pull/44856\\r\\n* @eengad made their first contribution in https://github.com/openclaw/openclaw/pull/23051\\r\\n* @jacobtomlinson made their first contribution in https://github.com/openclaw/openclaw/pull/45384\\r\\n* @fabiaodemianyang made their first contribution in https://github.com/openclaw/openclaw/pull/34262\\r\\n* @sliekens made their first contribution in https://github.com/openclaw/openclaw/pull/13707\\r\\n* @teslamint made their first contribution in https://github.com/openclaw/openclaw/pull/13798\\r\\n* @yunweibang made their first contribution in https://github.com/openclaw/openclaw/pull/43762\\r\\n\\r\\n**Full Changelog**: https://github.com/openclaw/openclaw/compare/v2026.3.12...v2026.3.13-1\",\"html_url\":\"https://github.com/openclaw/openclaw/releases/tag/v2026.3.13-1\",\"published_at\":\"2026-03-14T18:04:28Z\",\"prerelease\":false,\"draft\":false,\"author\":{\"login\":\"onutc\",\"id\":152018508,\"profile_url\":\"https://github.com/onutc\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/152018508?v=4\"}},{\"id\":296954903,\"tag_name\":\"v2026.3.13-beta.1\",\"name\":\"openclaw 2026.3.13-beta.1\",\"body\":\"Pre-release for npm beta tag `v2026.3.13-beta.1`.\\n\\nmacOS assets are built with stable app version `2026.3.13` so they can be reused for the later non-beta release. `appcast.xml` is intentionally unchanged in this pre-release.\\n\\n\\n### Changes\\n\\n- Android/chat settings: redesign the chat settings sheet with grouped device and media sections, refresh the Connect and Voice tabs, and tighten the chat composer/session header for a denser mobile layout. (#44894) Thanks @obviyus.\\n- iOS/onboarding: add a first-run welcome pager before gateway setup, stop auto-opening the QR scanner, and show `/pair qr` instructions on the connect step. (#45054) Thanks @ngutman.\\n- Browser/existing-session: add an official Chrome DevTools MCP attach mode for signed-in live Chrome sessions, with docs for `chrome://inspect/#remote-debugging` enablement and direct backlinks to Chrome’s own setup guides.\\n- Browser/agents: add built-in `profile=\\\"user\\\"` for the logged-in host browser and `profile=\\\"chrome-relay\\\"` for the extension relay, so agent browser calls can prefer the real signed-in browser without the extra `browserSession` selector.\\n- Browser/act automation: add batched actions, selector targeting, and delayed clicks for browser act requests with normalized batch dispatch. Thanks @vincentkoc.\\n- Docker/timezone override: add `OPENCLAW_TZ` so `docker-setup.sh` can pin gateway and CLI containers to a chosen IANA timezone instead of inheriting the daemon default. (#34119) Thanks @Lanfei.\\n- Dependencies/pi: bump `@mariozechner/pi-agent-core`, `@mariozechner/pi-ai`, `@mariozechner/pi-coding-agent`, and `@mariozechner/pi-tui` to `0.58.0`.\\n\\n### Fixes\\n\\n- Dashboard/chat UI: stop reloading full chat history on every live tool result in dashboard v2 so tool-heavy runs no longer trigger UI freeze/re-render storms while the final event still refreshes persisted history. (#45541) Thanks @BunsDev.\\n- Ollama/reasoning visibility: stop promoting native `thinking` and `reasoning` fields into final assistant text so local reasoning models no longer leak internal thoughts in normal replies. (#45330) Thanks @xi7ang.\\n- Android/onboarding QR scan: switch setup QR scanning to Google Code Scanner so onboarding uses a more reliable scanner instead of the legacy embedded ZXing flow. (#45021) Thanks @obviyus.\\n- Browser/existing-session: harden driver validation and session lifecycle so transport errors trigger reconnects while tool-level errors preserve the session, and extract shared ARIA role sets to deduplicate Playwright and Chrome MCP snapshot paths. (#45682) Thanks @odysseus0.\\n- Browser/existing-session: accept text-only `list_pages` and `new_page` responses from Chrome DevTools MCP so live-session tab discovery and new-tab open flows keep working when the server omits structured page metadata.\\n- Control UI/insecure auth: preserve explicit shared token and password auth on plain-HTTP Control UI connects so LAN and reverse-proxy sessions no longer drop shared auth before the first WebSocket handshake. (#45088) Thanks @velvet-shark.\\n- Gateway/session reset: preserve `lastAccountId` and `lastThreadId` across gateway session resets so replies keep routing back to the same account and thread after `/reset`. (#44773) Thanks @Lanfei.\\n- macOS/onboarding: avoid self-restarting freshly bootstrapped launchd gateways and give new daemon installs longer to become healthy, so `openclaw onboard --install-daemon` no longer false-fails on slower Macs and fresh VM snapshots.\\n- Gateway/status: add `openclaw gateway status --require-rpc` and clearer Linux non-interactive daemon-install failure reporting so automation can fail hard on probe misses instead of treating a printed RPC error as green.\\n- macOS/exec approvals: respect per-agent exec approval settings in the gateway prompter, including allowlist fallback when the native prompt cannot be shown, so gateway-triggered `system.run` requests follow configured policy instead of always prompting or denying unexpectedly. (#13707) Thanks @sliekens.\\n- Telegram/media downloads: thread the same direct or proxy transport policy into SSRF-guarded file fetches so inbound attachments keep working when Telegram falls back between env-proxy and direct networking. (#44639) Thanks @obviyus.\\n- Telegram/inbound media IPv4 fallback: retry SSRF-guarded Telegram file downloads once with the same IPv4 fallback policy as Bot API calls so fresh installs on IPv6-broken hosts no longer fail to download inbound images.\\n- Windows/gateway install: bound `schtasks` calls and fall back to the Startup-folder login item when task creation hangs, so native `openclaw gateway install` fails fast instead of wedging forever on broken Scheduled Task setups.\\n- Windows/gateway stop: resolve Startup-folder fallback listeners from the installed `gateway.cmd` port, so `openclaw gateway stop` now actually kills fallback-launched gateway processes before restart.\\n- Windows/gateway status: reuse the installed service command environment when reading runtime status, so startup-fallback gateways keep reporting the configured port and running state in `gateway status --json` instead of falling back to `gateway port unknown`.\\n- Windows/gateway auth: stop attaching device identity on local loopback shared-token and password gateway calls, so native Windows agent replies no longer log stale `device signature expired` fallback noise before succeeding.\\n- Discord/gateway startup: treat plain-text and transient `/gateway/bot` metadata fetch failures as transient startup errors so Discord gateway boot no longer crashes on unhandled rejections. (#44397) Thanks @jalehman.\\n- Slack/probe: keep `auth.test()` bot and team metadata mapping stable while simplifying the probe result path. (#44775) Thanks @Cafexss.\\n- Dashboard/chat UI: render oversized plain-text replies as normal paragraphs instead of capped gray code blocks, so long desktop chat responses stay readable without tab-switching refreshes.\\n- Dashboard/chat UI: restore the `chat-new-messages` class on the New messages scroll pill so the button uses its existing compact styling instead of rendering as a full-screen SVG overlay. (#44856) Thanks @Astro-Han.\\n- Gateway/Control UI: restore the operator-only device-auth bypass and classify browser connect failures so origin and device-identity problems no longer show up as auth errors in the Control UI and web chat. (#45512) thanks @sallyom.\\n- macOS/voice wake: stop crashing wake-word command extraction when speech segment ranges come from a different transcript instance.\\n- Discord/allowlists: honor raw `guild_id` when hydrated guild objects are missing so allowlisted channels and threads like `#maintainers` no longer get false-dropped before channel allowlist checks.\\n- macOS/runtime locator: require Node \\u003e=22.16.0 during macOS runtime discovery so the app no longer accepts Node versions that the main runtime guard rejects later. Thanks @sumleo.\\n- Agents/custom providers: preserve blank API keys for loopback OpenAI-compatible custom providers by clearing the synthetic Authorization header at runtime, while keeping explicit apiKey and oauth/token config from silently downgrading into fake bearer auth. (#45631) Thanks @xinhuagu.\\n- Models/google-vertex Gemini flash-lite normalization: apply existing bare-ID preview normalization to `google-vertex` model refs and provider configs so `google-vertex/gemini-3.1-flash-lite` resolves as `gemini-3.1-flash-lite-preview`. (#42435) thanks @scoootscooob.\\n- iMessage/remote attachments: reject unsafe remote attachment paths before spawning SCP, so sender-controlled filenames can no longer inject shell metacharacters into remote media staging. Thanks @lintsinghua.\\n- Telegram/webhook auth: validate the Telegram webhook secret before reading or parsing request bodies, so unauthenticated requests are rejected immediately instead of consuming up to 1 MB first. Thanks @space08.\\n- Security/device pairing: make bootstrap setup codes single-use so pending device pairing requests cannot be silently replayed and widened to admin before approval. Thanks @tdjackey.\\n- Security/external content: strip zero-width and soft-hyphen marker-splitting characters during boundary sanitization so spoofed `EXTERNAL_UNTRUSTED_CONTENT` markers fall back to the existing hardening path instead of bypassing marker normalization.\\n- Security/exec approvals: unwrap more `pnpm` runtime forms during approval binding, including `pnpm --reporter ... exec` and direct `pnpm node` file runs, with matching regression coverage and docs updates.\\n- Security/exec approvals: fail closed for Perl `-M` and `-I` approval flows so preload and load-path module resolution stays outside approval-backed runtime execution unless the operator uses a broader explicit trust path.\\n- Security/exec approvals: recognize PowerShell `-File` and `-f` wrapper forms during inline-command extraction so approval and command-analysis paths treat file-based PowerShell launches like the existing `-Command` variants.\\n- Security/exec approvals: unwrap `env` dispatch wrappers inside shell-segment allowlist resolution on macOS so `env FOO=bar /path/to/bin` resolves against the effective executable instead of the wrapper token.\\n- Security/exec approvals: treat backslash-newline as shell line continuation during macOS shell-chain parsing so line-continued `$(` substitutions fail closed instead of slipping past command-substitution checks.\\n- Security/exec approvals: bind macOS skill auto-allow trust to both executable name and resolved path so same-basename binaries no longer inherit trust from unrelated skill bins.\\n- Build/plugin-sdk bundling: bundle plugin-sdk subpath entries in one shared build pass so published packages stop duplicating shared chunks and avoid the recent plugin-sdk memory blow-up. (#45426) Thanks @TarasShyn.\\n- Cron/isolated sessions: route nested cron-triggered embedded runner work onto the nested lane so isolated cron jobs no longer deadlock when compaction or other queued inner work runs. Thanks @vincentkoc.\\n- Agents/OpenAI-compatible compat overrides: respect explicit user `models[].compat` opt-ins for non-native `openai-completions` endpoints so usage-in-streaming capability overrides no longer get forced off when the endpoint actually supports them. (#44432) Thanks @cheapestinference.\\n- Agents/Azure OpenAI startup prompts: rephrase the built-in `/new`, `/reset`, and post-compaction startup instruction so Azure OpenAI deployments no longer hit HTTP 400 false positives from the content filter. (#43403) Thanks @xingsy97.\\n- Agents/memory bootstrap: load only one root memory file, preferring `MEMORY.md` and using `memory.md` as a fallback, so case-insensitive Docker mounts no longer inject duplicate memory context. (#26054) Thanks @Lanfei.\\n- Agents/compaction: compare post-compaction token sanity checks against full-session pre-compaction totals and skip the check when token estimation fails, so sessions with large bootstrap context keep real token counts instead of falling back to unknown. (#28347) thanks @efe-arv.\\n- Agents/compaction: preserve safeguard compaction summary language continuity via default and configurable custom instructions so persona drift is reduced after auto-compaction. (#10456) Thanks @keepitmello.\\n- Agents/tool warnings: distinguish gated core tools like `apply_patch` from plugin-only unknown entries in `tools.profile` warnings, so unavailable core tools now report current runtime/provider/model/config gating instead of suggesting a missing plugin.\\n- Config/validation: accept documented `agents.list[].params` per-agent overrides in strict config validation so `openclaw config validate` no longer rejects runtime-supported `cacheRetention`, `temperature`, and `maxTokens` settings. (#41171) Thanks @atian8179.\\n- Config/web fetch: restore runtime validation for documented `tools.web.fetch.readability` and `tools.web.fetch.firecrawl` settings so valid web fetch configs no longer fail with unrecognized-key errors. (#42583) Thanks @stim64045-spec.\\n- Signal/config validation: add `channels.signal.groups` schema support so per-group `requireMention`, `tools`, and `toolsBySender` overrides no longer get rejected during config validation. (#27199) Thanks @unisone.\\n- Config/discovery: accept `discovery.wideArea.domain` in strict config validation so unicast DNS-SD gateway configs no longer fail with an unrecognized-key error. (#35615) Thanks @ingyukoh.\\n- Telegram/media errors: redact Telegram file URLs before building media fetch errors so failed inbound downloads do not leak bot tokens into logs. Thanks @space08.\\n\\n\",\"html_url\":\"https://github.com/openclaw/openclaw/releases/tag/v2026.3.13-beta.1\",\"published_at\":\"2026-03-14T05:17:09Z\",\"prerelease\":true,\"draft\":false,\"author\":{\"login\":\"steipete\",\"id\":58493,\"profile_url\":\"https://github.com/steipete\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/58493?v=4\"}},{\"id\":296518523,\"tag_name\":\"v2026.3.12\",\"name\":\"openclaw 2026.3.12\",\"body\":\"\\n### Changes\\n\\n- Control UI/dashboard-v2: refresh the gateway dashboard with modular overview, chat, config, agent, and session views, plus a command palette, mobile bottom tabs, and richer chat tools like slash commands, search, export, and pinned messages. (#41503) Thanks @BunsDev.\\n- OpenAI/GPT-5.4 fast mode: add configurable session-level fast toggles across `/fast`, TUI, Control UI, and ACP, with per-model config defaults and OpenAI/Codex request shaping.\\n- Anthropic/Claude fast mode: map the shared `/fast` toggle and `params.fastMode` to direct Anthropic API-key `service_tier` requests, with live verification for both Anthropic and OpenAI fast-mode tiers.\\n- Models/plugins: move Ollama, vLLM, and SGLang onto the provider-plugin architecture, with provider-owned onboarding, discovery, model-picker setup, and post-selection hooks so core provider wiring is more modular.\\n- Docs/Kubernetes: Add a starter K8s install path with raw manifests, Kind setup, and deployment docs. Thanks @sallyom @dzianisv @egkristi\\n- Agents/subagents: add `sessions_yield` so orchestrators can end the current turn immediately, skip queued tool work, and carry a hidden follow-up payload into the next session turn. (#36537) thanks @jriff\\n- Slack/agent replies: support `channelData.slack.blocks` in the shared reply delivery path so agents can send Block Kit messages through standard Slack outbound delivery. (#44592) Thanks @vincentkoc.\\n\\n### Fixes\\n\\n- Security/device pairing: switch `/pair` and `openclaw qr` setup codes to short-lived bootstrap tokens so the next release no longer embeds shared gateway credentials in chat or QR pairing payloads. Thanks @lintsinghua.\\n- Security/plugins: disable implicit workspace plugin auto-load so cloned repositories cannot execute workspace plugin code without an explicit trust decision. (`GHSA-99qw-6mr3-36qr`)(#44174) Thanks @lintsinghua and @vincentkoc.\\n- Models/Kimi Coding: send `anthropic-messages` tools in native Anthropic format again so `kimi-coding` stops degrading tool calls into XML/plain-text pseudo invocations instead of real `tool_use` blocks. (#38669, #39907, #40552) Thanks @opriz.\\n- TUI/chat log: reuse the active assistant message component for the same streaming run so `openclaw tui` no longer renders duplicate assistant replies. (#35364) Thanks @lisitan.\\n- Telegram/model picker: make inline model button selections persist the chosen session model correctly, clear overrides when selecting the configured default, and include effective fallback models in `/models` button validation. (#40105) Thanks @avirweb.\\n- Cron/proactive delivery: keep isolated direct cron sends out of the write-ahead resend queue so transient-send retries do not replay duplicate proactive messages after restart. (#40646) Thanks @openperf and @vincentkoc.\\n- Models/Kimi Coding: send the built-in `User-Agent: claude-code/0.1.0` header by default for `kimi-coding` while still allowing explicit provider headers to override it, so Kimi Code subscription auth can work without a local header-injection proxy. (#30099) Thanks @Amineelfarssi and @vincentkoc.\\n- Models/OpenAI Codex Spark: keep `gpt-5.3-codex-spark` working on the `openai-codex/*` path via resolver fallbacks and clearer Codex-only handling, while continuing to suppress the stale direct `openai/*` Spark row that OpenAI rejects live.\\n- Ollama/Kimi Cloud: apply the Moonshot Kimi payload compatibility wrapper to Ollama-hosted Kimi models like `kimi-k2.5:cloud`, so tool routing no longer breaks when thinking is enabled. (#41519) Thanks @vincentkoc.\\n- Moonshot CN API: respect explicit `baseUrl` (api.moonshot.cn) in implicit provider resolution so platform.moonshot.cn API keys authenticate correctly instead of returning HTTP 401. (#33637) Thanks @chengzhichao-xydt.\\n- Kimi Coding/provider config: respect explicit `models.providers[\\\"kimi-coding\\\"].baseUrl` when resolving the implicit provider so custom Kimi Coding endpoints no longer get overwritten by the built-in default. (#36353) Thanks @2233admin.\\n- Gateway/main-session routing: keep TUI and other `mode:UI` main-session sends on the internal surface when `deliver` is enabled, so replies no longer inherit the session's persisted Telegram/WhatsApp route. (#43918) Thanks @obviyus.\\n- BlueBubbles/self-chat echo dedupe: drop reflected duplicate webhook copies only when a matching `fromMe` event was just seen for the same chat, body, and timestamp, preventing self-chat loops without broad webhook suppression. Related to #32166. (#38442) Thanks @vincentkoc.\\n- iMessage/self-chat echo dedupe: drop reflected duplicate copies only when a matching `is_from_me` event was just seen for the same chat, text, and `created_at`, preventing self-chat loops without broad text-only suppression. Related to #32166. (#38440) Thanks @vincentkoc.\\n- Subagents/completion announce retries: raise the default announce timeout to 90 seconds and stop retrying gateway-timeout failures for externally delivered completion announces, preventing duplicate user-facing completion messages after slow gateway responses. Fixes #41235. Thanks @vasujain00 and @vincentkoc.\\n- Mattermost/block streaming: fix duplicate message delivery (one threaded, one top-level) when block streaming is active by excluding `replyToId` from the block reply dedup key and adding an explicit `threading` dock to the Mattermost plugin. (#41362) Thanks @mathiasnagler and @vincentkoc.\\n- Mattermost/reply media delivery: pass agent-scoped `mediaLocalRoots` through shared reply delivery so allowed local files upload correctly from button, slash-command, and model-picker replies. (#44021) Thanks @LyleLiu666.\\n- macOS/Reminders: add the missing `NSRemindersUsageDescription` to the bundled app so `apple-reminders` can trigger the system permission prompt from OpenClaw.app. (#8559) Thanks @dinakars777.\\n- Gateway/session discovery: discover disk-only and retired ACP session stores under custom templated `session.store` roots so ACP reconciliation, session-id/session-label targeting, and run-id fallback keep working after restart. (#44176) thanks @gumadeiras.\\n- Plugins/env-scoped roots: fix plugin discovery/load caches and provenance tracking so same-process `HOME`/`OPENCLAW_HOME` changes no longer reuse stale plugin state or misreport `~/...` plugins as untracked. (#44046) thanks @gumadeiras.\\n- Models/OpenRouter native ids: canonicalize native OpenRouter model keys across config writes, runtime lookups, fallback management, and `models list --plain`, and migrate legacy duplicated `openrouter/openrouter/...` config entries forward on write.\\n- Windows/native update: make package installs use the npm update path instead of the git path, carry portable Git into native Windows updates, and mirror the installer's Windows npm env so `openclaw update` no longer dies early on missing `git` or `node-llama-cpp` download setup.\\n- Sandbox/write: preserve pinned mutation-helper payload stdin so sandboxed `write` no longer reports success while creating empty files. (#43876) Thanks @glitch418x.\\n- Security/exec approvals: escape invisible Unicode format characters in approval prompts so zero-width command text renders as visible `\\\\u{...}` escapes instead of spoofing the reviewed command. (`GHSA-pcqg-f7rg-xfvv`)(#43687) Thanks @EkiXu and @vincentkoc.\\n- Hooks/loader: fail closed when workspace hook paths cannot be resolved with `realpath`, so unreadable or broken internal hook paths are skipped instead of falling back to unresolved imports. (#44437) Thanks @vincentkoc.\\n- Hooks/agent deliveries: dedupe repeated hook requests by optional idempotency key so webhook retries can reuse the first run instead of launching duplicate agent executions. (#44438) Thanks @vincentkoc.\\n- Security/exec detection: normalize compatibility Unicode and strip invisible formatting code points before obfuscation checks so zero-width and fullwidth command tricks no longer suppress heuristic detection. (`GHSA-9r3v-37xh-2cf6`)(#44091) Thanks @wooluo and @vincentkoc.\\n- Security/exec allowlist: preserve POSIX case sensitivity and keep `?` within a single path segment so exact-looking allowlist patterns no longer overmatch executables across case or directory boundaries. (`GHSA-f8r2-vg7x-gh8m`)(#43798) Thanks @zpbrent and @vincentkoc.\\n- Security/commands: require sender ownership for `/config` and `/debug` so authorized non-owner senders can no longer reach owner-only config and runtime debug surfaces. (`GHSA-r7vr-gr74-94p8`)(#44305) Thanks @tdjackey and @vincentkoc.\\n- Security/gateway auth: clear unbound client-declared scopes on shared-token WebSocket connects so device-less shared-token operators cannot self-declare elevated scopes. (`GHSA-rqpp-rjj8-7wv8`)(#44306) Thanks @LUOYEcode and @vincentkoc.\\n- Security/browser.request: block persistent browser profile create/delete routes from write-scoped `browser.request` so callers can no longer persist admin-only browser profile changes through the browser control surface. (`GHSA-vmhq-cqm9-6p7q`)(#43800) Thanks @tdjackey and @vincentkoc.\\n- Security/agent: reject public spawned-run lineage fields and keep workspace inheritance on the internal spawned-session path so external `agent` callers can no longer override the gateway workspace boundary. (`GHSA-2rqg-gjgv-84jm`)(#43801) Thanks @tdjackey and @vincentkoc.\\n- Security/session_status: enforce sandbox session-tree visibility and shared agent-to-agent access guards before reading or mutating target session state, so sandboxed subagents can no longer inspect parent session metadata or write parent model overrides via `session_status`. (`GHSA-wcxr-59v9-rxr8`)(#43754) Thanks @tdjackey and @vincentkoc.\\n- Security/agent tools: mark `nodes` as explicitly owner-only and document/test that `canvas` remains a shared trusted-operator surface unless a real boundary bypass exists.\\n- Security/exec approvals: fail closed for Ruby approval flows that use `-r`, `--require`, or `-I` so approval-backed commands no longer bind only the main script while extra local code-loading flags remain outside the reviewed file snapshot.\\n- Security/device pairing: cap issued and verified device-token scopes to each paired device's approved scope baseline so stale or overbroad tokens cannot exceed approved access. (`GHSA-2pwv-x786-56f8`)(#43686) Thanks @tdjackey and @vincentkoc.\\n- Docs/onboarding: align the legacy wizard reference and `openclaw onboard` command docs with the Ollama onboarding flow so all onboarding reference paths now document `--auth-choice ollama`, Cloud + Local mode, and non-interactive usage. (#43473) Thanks @BruceMacD.\\n- Models/secrets: enforce source-managed SecretRef markers in generated `models.json` so runtime-resolved provider secrets are not persisted when runtime projection is skipped. (#43759) Thanks @joshavant.\\n- Security/WebSocket preauth: shorten unauthenticated handshake retention and reject oversized pre-auth frames before application-layer parsing to reduce pre-pairing exposure on unsupported public deployments. (`GHSA-jv4g-m82p-2j93`)(#44089) (`GHSA-xwx2-ppv2-wx98`)(#44089) Thanks @ez-lbz and @vincentkoc.\\n- Security/proxy attachments: restore the shared media-store size cap for persisted browser proxy files so oversized payloads are rejected instead of overriding the intended 5 MB limit. (`GHSA-6rph-mmhp-h7h9`)(#43684) Thanks @tdjackey and @vincentkoc.\\n- Security/host env: block inherited `GIT_EXEC_PATH` from sanitized host exec environments so Git helper resolution cannot be steered by host environment state. (`GHSA-jf5v-pqgw-gm5m`)(#43685) Thanks @zpbrent and @vincentkoc.\\n- Security/Feishu webhook: require `encryptKey` alongside `verificationToken` in webhook mode so unsigned forged events are rejected instead of being processed with token-only configuration. (`GHSA-g353-mgv3-8pcj`)(#44087) Thanks @lintsinghua and @vincentkoc.\\n- Security/Feishu reactions: preserve looked-up group chat typing and fail closed on ambiguous reaction context so group authorization and mention gating cannot be bypassed through synthetic `p2p` reactions. (`GHSA-m69h-jm2f-2pv8`)(#44088) Thanks @zpbrent and @vincentkoc.\\n- Security/LINE webhook: require signatures for empty-event POST probes too so unsigned requests no longer confirm webhook reachability with a `200` response. (`GHSA-mhxh-9pjm-w7q5`)(#44090) Thanks @TerminalsandCoffee and @vincentkoc.\\n- Security/Zalo webhook: rate limit invalid secret guesses before auth so weak webhook secrets cannot be brute-forced through unauthenticated churned requests without pre-auth `429` responses. (`GHSA-5m9r-p9g7-679c`)(#44173) Thanks @zpbrent and @vincentkoc.\\n- Security/Zalouser groups: require stable group IDs for allowlist auth by default and gate mutable group-name matching behind `channels.zalouser.dangerouslyAllowNameMatching`. Thanks @zpbrent.\\n- Security/Slack and Teams routing: require stable channel and team IDs for allowlist routing by default, with mutable name matching only via each channel's `dangerouslyAllowNameMatching` break-glass flag.\\n- Security/exec approvals: fail closed for ambiguous inline loader and shell-payload script execution, bind the real script after POSIX shell value-taking flags, and unwrap `pnpm`/`npm exec`/`npx` script runners before approval binding. (`GHSA-57jw-9722-6rf2`)(`GHSA-jvqh-rfmh-jh27`)(`GHSA-x7pp-23xv-mmr4`)(`GHSA-jc5j-vg4r-j5jx`)(#44247) Thanks @tdjackey and @vincentkoc.\\n- Doctor/gateway service audit: canonicalize service entrypoint paths before comparing them so symlink-vs-realpath installs no longer trigger false \\\"entrypoint does not match the current install\\\" repair prompts. (#43882) Thanks @ngutman.\\n- Doctor/gateway service audit: earlier groundwork for this fix landed in the superseded #28338 branch. Thanks @realriphub.\\n- Gateway/session stores: regenerate the Swift push-test protocol models and align Windows native session-store realpath handling so protocol checks and sync session discovery stop drifting on Windows. (#44266) thanks @jalehman.\\n- Context engine/session routing: forward optional `sessionKey` through context-engine lifecycle calls so plugins can see structured routing metadata during bootstrap, assembly, post-turn ingestion, and compaction. (#44157) thanks @jalehman.\\n- Agents/failover: classify z.ai `network_error` stop reasons as retryable timeouts so provider connectivity failures trigger fallback instead of surfacing raw unhandled-stop-reason errors. (#43884) Thanks @hougangdev.\\n- Memory/session sync: add mode-aware post-compaction session reindexing with `agents.defaults.compaction.postIndexSync` plus `agents.defaults.memorySearch.sync.sessions.postCompactionForce`, so compacted session memory can refresh immediately without forcing every deployment into synchronous reindexing. (#25561) thanks @rodrigouroz.\\n- Telegram/model picker: make inline model button selections persist the chosen session model correctly, clear overrides when selecting the configured default, and include effective fallback models in `/models` button validation. (#40105) Thanks @avirweb.\\n- Telegram/native command sync: suppress expected `BOT_COMMANDS_TOO_MUCH` retry error noise, add a final fallback summary log, and document the difference between command-menu overflow and real Telegram network failures.\\n- Mattermost/reply media delivery: pass agent-scoped `mediaLocalRoots` through shared reply delivery so allowed local files upload correctly from button, slash-command, and model-picker replies. (#44021) Thanks @LyleLiu666.\\n- Plugins/env-scoped roots: fix plugin discovery/load caches and provenance tracking so same-process `HOME`/`OPENCLAW_HOME` changes no longer reuse stale plugin state or misreport `~/...` plugins as untracked. (#44046) thanks @gumadeiras.\\n- Gateway/session discovery: discover disk-only and retired ACP session stores under custom templated `session.store` roots so ACP reconciliation, session-id/session-label targeting, and run-id fallback keep working after restart. (#44176) thanks @gumadeiras.\\n- Models/OpenRouter native ids: canonicalize native OpenRouter model keys across config writes, runtime lookups, fallback management, and `models list --plain`, and migrate legacy duplicated `openrouter/openrouter/...` config entries forward on write.\\n- Gateway/hooks: bucket hook auth failures by forwarded client IP behind trusted proxies and warn when `hooks.allowedAgentIds` leaves hook routing unrestricted.\\n- Agents/compaction: skip the post-compaction `cache-ttl` marker write when a compaction completed in the same attempt, preventing the next turn from immediately triggering a second tiny compaction. (#28548) thanks @MoerAI.\\n- Native chat/macOS: add `/new`, `/reset`, and `/clear` reset triggers, keep shared main-session aliases aligned, and ignore stale model-selection completions so native chat state stays in sync across reset and fast model changes. (#10898) Thanks @Nachx639.\\n- Agents/compaction safeguard: route missing-model and missing-API-key cancellation warnings through the shared subsystem logger so they land in structured and file logs. (#9974) Thanks @dinakars777.\\n- Cron/doctor: stop flagging canonical `agentTurn` and `systemEvent` payload kinds as legacy cron storage, while still normalizing whitespace-padded and non-canonical variants. (#44012) Thanks @shuicici.\\n- ACP/client final-message delivery: preserve terminal assistant text snapshots before resolving `end_turn`, so ACP clients no longer drop the last visible reply when the gateway sends the final message body on the terminal chat event. (#17615) Thanks @pjeby.\\n- Telegram/Discord status reactions: show a temporary compacting reaction during auto-compaction pauses and restore thinking afterward so the bot no longer appears frozen while context is being compacted. (#35474) thanks @Cypherm.\\n\\n\",\"html_url\":\"https://github.com/openclaw/openclaw/releases/tag/v2026.3.12\",\"published_at\":\"2026-03-13T04:26:46Z\",\"prerelease\":false,\"draft\":false,\"author\":{\"login\":\"steipete\",\"id\":58493,\"profile_url\":\"https://github.com/steipete\",\"avatar_url\":\"https://avatars.githubusercontent.com/u/58493?v=4\"}}]"}]}
{"type":"assistant","message":{"model":"claude-sonnet-4-6","id":"msg_01D4NRdXNUkRvX5PKxm12YPx","type":"message","role":"assistant","content":[{"type":"text","text":"The 3 most recent releases for `openclaw/openclaw` are:\n\n1. `v2026.3.13-1`\n2. `v2026.3.13-beta.1`\n3. `v2026.3.12`"}],"stop_reason":null,"stop_sequence":null,"usage":{"input_tokens":1,"cache_creation_input_tokens":11956,"cache_read_input_tokens":40986,"cache_creation":{"ephemeral_5m_input_tokens":0,"ephemeral_1h_input_tokens":11956},"output_tokens":1,"service_tier":"standard","inference_geo":"not_available"},"context_management":null},"parent_tool_use_id":null,"session_id":"246b2626-2210-4274-a7b6-16347d764227","uuid":"2b835af3-e0ae-4ac9-9a91-a48cbf28e9f9"}
{"type":"result","subtype":"success","is_error":false,"duration_ms":5732,"duration_api_ms":5262,"num_turns":2,"result":"The 3 most recent releases for `openclaw/openclaw` are:\n\n1. `v2026.3.13-1`\n2. `v2026.3.13-beta.1`\n3. `v2026.3.12`","stop_reason":"end_turn","session_id":"246b2626-2210-4274-a7b6-16347d764227","total_cost_usd":0.09601889999999999,"usage":{"input_tokens":4,"cache_creation_input_tokens":18830,"cache_read_input_tokens":75098,"output_tokens":191,"server_tool_use":{"web_search_requests":0,"web_fetch_requests":0},"service_tier":"standard","cache_creation":{"ephemeral_1h_input_tokens":18830,"ephemeral_5m_input_tokens":0},"inference_geo":"","iterations":[],"speed":"standard"},"modelUsage":{"claude-sonnet-4-6":{"inputTokens":4,"outputTokens":191,"cacheReadInputTokens":75098,"cacheCreationInputTokens":18830,"webSearchRequests":0,"costUSD":0.09601889999999999,"contextWindow":200000,"maxOutputTokens":32000}},"permission_denials":[],"fast_mode_state":"off","uuid":"fa8cdb23-9bf3-43ac-abde-0e20b6e0bad1"}
