OpenClaw v2026.5.12-beta.7 Release Summary

322448937 May 14, 2026

Key Changes

Core Infrastructure & Security

  • Security Hardening: Implemented stricter validation for Windows sandbox binds to block credential-bearing roots (e.g., .ssh, .codex) even when HOME is redirected. Additionally, the sandbox browser CDP relay now requires an application-layer credential, replacing the previous reliance on network source filtering.
  • Device Pairing & Auth: Enhanced the pairing process by requiring explicit approval for setup-code device pairing and browser-origin Control UI sessions. Trusted-proxy authentication now rejects host-local non-loopback interface peers to prevent unauthorized access via the gateway host's own addresses.
  • Configuration Management: Centralized config-file mutations to prevent data loss during concurrent writes. A new pre-update snapshot mechanism now protects openclaw.json from being wiped during version upgrades, specifically fixing issues where doctor --fix would strip unknown keys before migration.
  • Build System: Upgraded the workspace to pnpm 11, aligning Docker, install, and update workflows with the new package manager surface.
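
The kind of bind check the Security Hardening item describes, as an added example that is not OpenClaw's code: a requested bind source is tested against credential directories under every candidate profile root, so a redirected HOME does not expose the real .ssh or .codex. The function names, the environment variables consulted and the sample paths are assumptions; only the two directory names come from the release note.

```javascript
// Added illustration; names and the env variables consulted are assumptions.
const winPath = require("node:path").win32; // Windows path rules on any host OS

// Directory names treated as credential-bearing; the release note names these two.
const CREDENTIAL_DIRS = [".ssh", ".codex"];

// Absolute, separator-normalized, case-folded (Windows paths compare case-insensitively).
const norm = (p) => winPath.resolve(p).toLowerCase();

// True when child is parent itself or lies below it (".sshfoo" is not below ".ssh").
function isWithin(child, parent) {
  const rel = winPath.relative(parent, child);
  return rel === "" ||
    (rel !== ".." && !rel.startsWith("..\\") && !winPath.isAbsolute(rel));
}

// Every directory that may be the account's profile. HOME alone is not trusted,
// because a redirected HOME would otherwise hide the real profile's secrets.
function homeRoots(env, osHomedir) {
  const roots = [env.HOME, env.USERPROFILE, osHomedir];
  if (env.HOMEDRIVE && env.HOMEPATH) roots.push(env.HOMEDRIVE + env.HOMEPATH);
  return [...new Set(roots.filter(Boolean).map(norm))];
}

// Returns { allowed, reason } for one requested bind source path.
function checkBind(source, env, osHomedir) {
  const src = norm(source);
  for (const home of homeRoots(env, osHomedir)) {
    for (const dir of CREDENTIAL_DIRS) {
      const root = winPath.join(home, dir);
      if (isWithin(src, root)) return { allowed: false, reason: `inside ${root}` };
    }
  }
  return { allowed: true, reason: null };
}

// Constructed sample: HOME redirected into the sandbox, real profile elsewhere.
const SAMPLE_ENV = { HOME: "D:\\sandbox\\home", USERPROFILE: "C:\\Users\\alice" };
const SAMPLE_OS_HOME = "C:\\Users\\alice";

for (const p of ["C:\\Users\\Alice\\.ssh\\id_ed25519", "C:\\Users\\alice\\projects"]) {
  console.log(p, checkBind(p, SAMPLE_ENV, SAMPLE_OS_HOME));
}
```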

Agent & Runtime Enhancements

  • Codex Harness: Improved the Codex app-server by mirroring native subagent lifecycle events into the Task Registry and rotating incompatible context-engine threads to prevent stale history from causing context-window overflows. Codex cron turns now execute automation payloads directly, skipping unnecessary workspace bootstrap reads to avoid timeouts.
  • ACP (Agent Client Protocol): Added backend provider failover for UNAVAILABLE errors, allowing ACP turns to try configured backup backends. The ACP bridge now exposes session lineage metadata (e.g., parentSessionId, spawnDepth) in _meta fields for better client-side session graphing.
  • Tooling & Execution: Introduced per-sender tool capability tiers via toolsBySender, allowing operators to restrict dangerous tools (like exec) for specific users at the schema level. The system now also normalizes array tool schemas by adding permissive items: {} to prevent OpenAI-compatible providers from rejecting tool submissions.

Channel & Integration Updates

  • Telegram: Significantly improved polling resilience by moving ingress to an isolated worker with a durable local spool, ensuring messages are not lost during main event-loop stalls. Added support for localized command menu descriptions and fixed a critical bug where bot token rotation caused the poller to silently drop new messages due to stale offsets.
  • Slack: Added replyBroadcast support for thread replies and improved the handling of private-file redirect headers to prevent media download failures.
  • iMessage: Fixed a bug where media-only sends included visible <media:image> placeholder text and improved the handling of pasted links by ignoring Apple's internal preview blobs.
  • WhatsApp: Externalized the WhatsApp channel as a ClawHub/npm plugin to reduce core runtime dependencies and updated the underlying Baileys library.

UI & Diagnostics

  • Control UI: Added a persisted auto-scroll mode selector for WebChat, and subagent sessions are now nested visually under their parent in the session picker. A new /context map command provides a WinDirStat-style treemap image of session context contributors.
  • Diagnostics: Introduced a startupGraceMs window to suppress false liveness warnings during cold starts, while still sampling metrics for baseline analysis.

Impact

This release primarily impacts operators running high-concurrency agents or those utilizing the Codex and ACP runtimes. The move to an isolated worker for Telegram polling prevents catastrophic message loss during event-loop saturation. Security-conscious deployments benefit from the hardened sandbox and pairing requirements, which move the system toward a "fail-closed" security model for device and browser access.

For plugin developers, the expanded SDK now supports typed session actions, host-mediated attachments, and scheduled session turns, enabling more complex asynchronous workflows without requiring internal runner access.

Upgrade Guide

Breaking Changes & Migration

  • iMessage Sender Allowlist: Sender allowlist matching now strictly requires normalized sender handles. Conversation-scoped IDs (chat IDs/GUIDs) are no longer accepted as proof of sender identity. Users must update their allowFrom configurations to use sender handles.
  • Trusted Proxy Configuration: Deployments that listed the gateway host's own non-loopback interface address in gateway.trustedProxies will find these requests rejected. Use a distinct proxy peer address or the loopback trusted-proxy path.
  • Plugin Installations: Some plugin installs may now be blocked by the built-in scanner if installed dependency runtime files contain critical code patterns. Use the --force or trusted install flags to override these blocks if necessary.
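
The trusted-proxy rule from the Device Pairing & Auth item and the Trusted Proxy Configuration migration note, as an added example that is not OpenClaw's code: a peer is trusted only if it is listed and is not one of the host's own non-loopback interface addresses. The function names, the exact-match treatment of the trusted list and the sample addresses are assumptions.

```javascript
// Added illustration; function names and exact-match list semantics are assumptions.
const net = require("node:net");
const os = require("node:os");

// Drop zone ids and unwrap IPv4-mapped IPv6 (::ffff:192.168.1.20), which
// dual-stack listeners report for IPv4 clients.
function canonical(addr) {
  const a = String(addr).toLowerCase().split("%")[0];
  const m = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);
  return m ? m[1] : a;
}

const isLoopback = (a) => a === "::1" || (net.isIPv4(a) && a.startsWith("127."));

// Addresses assigned to this host's own interfaces, loopback excluded.
function hostLocalAddresses(interfaces = os.networkInterfaces()) {
  const local = new Set();
  for (const entries of Object.values(interfaces)) {
    for (const e of entries || []) {
      const a = canonical(e.address);
      if (!e.internal && !isLoopback(a)) local.add(a);
    }
  }
  return local;
}

// Decide whether forwarded identity headers from this TCP peer may be honoured.
function classifyPeer(peer, trustedProxies, interfaces) {
  const p = canonical(peer);
  if (!net.isIP(p)) return "reject:not-an-ip";
  if (!trustedProxies.map(canonical).includes(p)) return "reject:not-listed";
  if (hostLocalAddresses(interfaces).has(p)) return "reject:host-local-non-loopback";
  return "trust";
}

// Constructed sample: one NIC at 192.168.1.20, a proxy on another machine at 10.0.0.5.
const SAMPLE_INTERFACES = {
  lo: [{ address: "127.0.0.1", internal: true }],
  eth0: [{ address: "192.168.1.20", internal: false }],
};
const SAMPLE_TRUSTED = ["192.168.1.20", "10.0.0.5", "127.0.0.1"];

for (const peer of ["::ffff:192.168.1.20", "10.0.0.5", "127.0.0.1", "10.0.0.9"]) {
  console.log(peer, "->", classifyPeer(peer, SAMPLE_TRUSTED, SAMPLE_INTERFACES));
}
```

The first sample peer is rejected even though its address is listed, which is the case the migration note tells operators to reconfigure.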
