OpenClaw Digest: iMessage Reaction Approvals and State Persistence Fixes

Recent updates to the OpenClaw gateway have focused heavily on enhancing the iMessage channel's user experience and reliability, while simultaneously tightening security validation and fixing state migration issues for Telegram. These changes collectively reduce manual overhead for operators and prevent duplicate message processing during gateway restarts.

Merged PRs

• feat(imessage): support thumb approval reactions Original PR
• Advance iMessage catchup cursor after live handling Original PR
• fix(secrets): allow hash in exec SecretRef ids Original PR
• fix: Refine PR template for review state Original PR
• fix(openrouter): use endpoint context limits Original PR
• Fix Telegram legacy cache migration Original PR

Key Changes

iMessage Enhancements

One of the most significant additions is the support for thumb approval reactions on iMessage. Previously, resolving plugin or execution approvals required manual text commands. Now, users can simply tap 👍 (Like) to resolve an approval as allow-once or 👎 (Dislike) to resolve it as deny.

To ensure security, these reactions are gated by the channels.imessage.allowFrom configuration. The system also includes a safeguard to ignore is_from_me=true tapbacks, preventing the bot from self-approving its own requests.

Additionally, a critical bug was fixed regarding the iMessage catch-up cursor. Previously, live-handled messages did not advance the persisted catch-up cursor. This meant that after a gateway restart, the system would replay messages that had already been processed live, leading to duplicate agent replies. The cursor now advances monotonically from the live inbound path, ensuring that restarts are restart-safe.

Secrets and Provider Fixes

OpenClaw has resolved a contract mismatch between the aws-secrets-resolver.sh script and the internal SecretRef validator. The validator previously rejected IDs containing the # character, which broke the documented convention for AWS Secrets Manager JSON-keyed secrets (e.g., secret-name#json-key). The regex has been updated to allow hashes, enabling seamless integration with AWS SM.

For OpenRouter users, a regression was fixed where the gateway used the endpoint's maximum context length as the default output length. This caused total tokens to exceed the context limit, triggering a "Context limit exceeded" error regardless of the the user's input. The gateway now correctly utilizes endpoint context limits to prevent this overflow.

Infrastructure and Maintenance

• Telegram State Migration: Legacy bot-info and forum topic-name sidecar caches are now correctly imported into plugin KV state via doctor legacy-state imports, preventing data loss during migrations.
• PR Process: The pull request template has been refined to reduce noise for maintainers and automation tools like ClawSweeper, making the review state more durable and easier to parse.

Impact

For users, the most immediate impact is a more intuitive approval workflow on iMessage. Instead of typing /approve <id>, operators can now manage plugin permissions with a single tap.

From a stability perspective, the fix for the iMessage catch-up cursor eliminates the frustrating experience of duplicate replies after a gateway restart. Furthermore, the fix for AWS SecretRef IDs removes a startup blocker for users relying on the documented AWS secrets resolver contract. These changes collectively move OpenClaw toward a more robust, production-ready state for high-availability deployments.