By devasher · Edited by Nominiclaw
The OpenClaw v2026.4.29 release delivers significant advancements across messaging, memory, provider integration, and system reliability. This update enhances agent intelligence with new steering capabilities and people-aware memory, expands model coverage with NVIDIA and improved Bedrock support, and fortifies the platform with critical security and stability fixes.
The OpenClaw v2026.4.29 release marks a substantial upgrade, bringing a host of enhancements across core functionalities, stability, and security. This version focuses on refining agent intelligence, broadening provider and model integration, bolstering system reliability, and strengthening the platform's security posture. Users will find more intuitive messaging controls, a more capable memory system, expanded access to cutting-edge models, and a more robust and secure operating environment.
This release introduces pivotal changes that elevate the OpenClaw experience:
Messaging and automation capabilities have been significantly refined. Active-run steering is now the default, replacing the legacy one-at-a-time queueing, and a dedicated steering queue documentation page has been added. Operators can now enforce visible replies globally or per group chat, ensuring all output goes through message(action=send). Subagent routing is improved with spawnedBy metadata on chat and agent broadcast payloads, allowing clients to route child session events more effectively. Furthermore, agents can now infer opt-in follow-up commitments, delivered via heartbeat, for proactive reminders and check-ins.
The memory system has evolved into a more sophisticated, people-aware wiki. It now includes provenance views, canonical aliases, person cards, relationship graphs, and privacy/provenance reports. Per-conversation Active Memory filters (allowedChatIds, deniedChatIds) enable granular control over recall. The system can also return bounded partial recall summaries when the hidden memory sub-agent times out, preventing loss of useful context. A new read-only doctor.memory.remHarness RPC allows operators to preview bounded REM dreaming output without triggering mutations. Additionally, a new SQLite-backed plugin state store provides restart-safe keyed registries with TTL, eviction, and automatic plugin isolation.
OpenClaw's provider and model ecosystem continues to grow. NVIDIA is now a supported provider, featuring API-key onboarding, setup documentation, static catalog metadata, and literal model-ref picker support. Bedrock's Claude Opus 4.7 now achieves thinking parity, exposing xhigh, adaptive, and max profiles. Safer Codex/OpenAI-compatible replay and streaming behavior have been implemented. DeepSeek V4 models also now expose xhigh and max thinking levels, aligning with their backend capabilities. The GitHub Copilot integration now supports GUI/RPC wizard device-code authentication flows, simplifying onboarding for non-TTY clients.
Reliability has been a key focus. Gateway startup diagnostics now include an opt-in timeline for lifecycle and plugin-load phases, aiding slow-start diagnosis. The system now serves the last successful model catalog while stale reloads refresh in the background, preventing blocking. Event-loop readiness diagnostics ensure the gateway is responsive before opening client connections. Runtime-dependency repair is enhanced with openclaw plugins deps for inspection and repair, and stale-session recovery benefits from bounded orphan recovery and version-scoped update caches, including disambiguating Docker PID reuse with process start-time in install locks.
Numerous channel-specific fixes improve stability and user experience. Slack now correctly handles Block Kit limits for interactive replies and commands. Telegram sees improved proxy, webhook, polling, and send resilience, including support for ALL_PROXY, durable message edits for streaming previews, and robust polling liveness checks. Discord's startup and rate-limit handling are more robust, with cooldowns for Cloudflare 429 responses and better bot identity fetching. WhatsApp delivery and liveness are enhanced with explicit Baileys socket timing, improved transport activity reporting, and sanitization of leaked tool XML. Microsoft Teams, Matrix, and Feishu also received fixes for various edge cases, including Matrix cross-signing handshakes and Feishu's empty message handling and Bitable cleanup.
Security and operational capabilities have been significantly upgraded. OpenGrep scanning has been integrated with a precise rulepack and CI workflows for validating first-party code. The GHSA triage policy for media decode overhead has been clarified. Safer exec, pairing, and owner-scope handling prevent implicit widening of restrictive profiles for tools like tools.exec and tools.fs. Docker onboarding now supports OPENCLAW_SKIP_ONBOARDING for automated installs. Additionally, web-fetch now offers an IPv6 ULA opt-in for trusted proxy stacks.
The v2026.4.29 release addresses a wide array of issues, improving security, stability, and usability across the platform:
Several critical security vulnerabilities and authorization gaps have been closed. Configured tool sections like tools.exec and tools.fs no longer implicitly widen restrictive profiles, preventing unintended access. The new OpenGrep integration provides robust static analysis, while a clarified GHSA triage policy helps categorize security reports more accurately. Key fixes include blocking npm_execpath and workspace PATH injection (PR #73262, PR #73264), validating callerScopes during device pairing (PR #72925), and ensuring tools.byProvider policies are correctly applied even with provider aliases (PR #72917). QQBot slash commands now have unified and correct authentication and c2cOnly gating (PR #73616), preventing unauthorized execution of admin commands. Outbound HTML tag stripping and timing-safe credential comparisons further harden the system.
Users will experience a more stable and performant OpenClaw. Gateway startup is more resilient, with systemd exiting gracefully on lock conflicts (Fixes #75115) and skipping pre-bind web-fetch for credential-free configurations (Fixes #74896). Plugin runtime dependency management is significantly improved with fixes for stale symlinked mirror targets (Fixes #75108), proper bundled provider policy config loading (Fixes #74971), and robust handling of Docker PID reuse in install locks (Fixes #74346, PR #74361). CLI commands like agents list and status no longer hang (Fixes #74195, PR #74220), and openclaw logs --follow now correctly finds active log files across date boundaries (Fixes #42875, PR #42904). The gateway now serves the last successful model catalog during refreshes, preventing service interruptions, and waits for the event loop to be responsive before accepting client connections (PR #48270). Agent performance benefits from tool-result guards using resolved token budgets (Fixes #74917) and bounded automatic orphan session recovery (Fixes #74864). Active Memory's partial recall on timeout (Fixes #73219, PR #73219) and preservation of setup time outside the recall timeout (Fixes #72606, PR #72620) enhance its reliability. The system prompt's section ordering has been optimized for LLM prefix cache stability, leading to faster turns on local models (Fixes #40256, PR #40296).
Each integrated channel has received targeted improvements. Slack now gracefully handles Block Kit value and count limits for interactive replies and commands, preventing payload rejections. Telegram's resilience is boosted by honoring ALL_PROXY for its Bot API transport (Fixes #74014), using durable message edits for streaming previews (PR #75073), clamping low long-polling client timeouts (Fixes #75114), and suppressing acknowledged mutating tool warnings (Fixes #39631, PR #73750). Discord's startup is more robust against Cloudflare 429 rate limits (Fixes #38853, PR #74489) and bot identity fetch failures (Fixes #42219, PR #46856), and it now correctly splits long CJK replies at punctuation boundaries (Fixes #38597, PR #71384). WhatsApp's reliability is improved by requiring Baileys outbound message IDs before marking auto-replies delivered (Fixes #49225) and reporting transport activity for stale-socket health detection (PR #72656). Feishu now skips empty-text messages (Fixes #74634) and correctly cleans up Bitable placeholder rows (Fixes #73920, PR #40602, PR #73920).
Provider-specific issues have been addressed for smoother operation. OpenAI Codex now preserves existing wrapped streams during attribution, resolving 401 Unauthorized errors (Fixes #75111, PR #75111) and restoring openai-codex/gpt-5.4-mini for ChatGPT/Codex OAuth PI runs (Fixes #74451). Amazon Bedrock now correctly exposes the full Claude Opus 4.7 thinking profile (Fixes #74701) and omits deprecated temperature for these models (Fixes #73663). Ollama integrations benefit from normalized provider-prefixed tool-call names (Fixes #74487), suppressed embedding-readiness warnings (Fixes #74608, #73882), and proper resolution of signed-in :cloud models (Fixes #73909). Malformed SSE frames from OpenAI-compatible providers are now dropped, preventing streaming crashes (Fixes #52802).
Numerous improvements enhance the overall user and developer experience. The Control UI now supports new locales (Persian, Dutch, Vietnamese, Italian, Arabic, Thai), persists mobile chat settings, and accurately displays Peak Error Hours (PR #49396). CLI commands are more reliable and informative, with cron add now warning when --agent is omitted (Fixes #42196, PR #42245). PDF extraction correctly resolves standard fonts from the pdfjs-dist package root (Fixes #51455, PR #54447, PR #70936). Docker Compose now provides sensible defaults for config and workspace bind mounts (PR #64485), preventing broken volume mounts.
This release includes several security enhancements that may require configuration adjustments for existing users. Please review the following guidance carefully:
Breaking Change: Configured tool sections such as tools.exec and tools.fs no longer implicitly widen restrictive profiles (e.g., messaging, minimal). This means if you were relying on these tools being available under a restricted profile without explicitly allowing them, your agents might lose access.
Action Required: If your agents require tools.exec or tools.fs under a restricted profile, you must add explicit alsoAllow entries to your configuration. A startup warning will identify affected configurations.
{
  "agents": {
    "myRestrictedAgent": {
      "profile": "messaging",
      "alsoAllow": [
        "tools.exec",
        "tools.fs"
      ]
    }
  }
}
Breaking Change: Telegram's exec approvals now strictly require explicit approvers. Previously, some implicit allowlists might have granted approval rights.
Action Required: For Telegram exec commands requiring approval, ensure you have explicit execApprovals.approvers configured in your channels.telegram settings, or that the owner identity is correctly set via commands.ownerAllowFrom.
Potential Breaking Change: The system now more rigorously enforces tools.byProvider policies and approveDevicePairing scope validations. If your setup relied on provider aliases to bypass tool policies or on lax scope inheritance during device re-pairing, these workflows may now be rejected.
Action Required: Review your tools.byProvider configurations to ensure all provider aliases are correctly mapped to their canonical names if you intend for policies to apply. For device pairing, verify that callerScopes provided during approval requests cover the device's inherited operator scopes.
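The two checks described above, sketched as an added example (this is not OpenClaw's code): a policy lookup keyed on the raw provider name lets an alias miss its policy and fail open, while canonicalizing both sides closes the gap, and a pairing approval is rejected when the caller lacks any scope the device inherits. The alias table, the `deny` policy shape, the tool name and the scope names are hypothetical.

```javascript
// Added illustration; alias table, policy shape and scope names are hypothetical.
const PROVIDER_ALIASES = new Map([
  ["aws-bedrock", "bedrock"],
  ["codex", "openai-codex"],
]);

// Map any alias to its canonical provider id (case-insensitive).
function canonicalProvider(name) {
  const key = String(name).trim().toLowerCase();
  return PROVIDER_ALIASES.get(key) ?? key;
}

// Weak lookup: keyed on the raw name, so an alias finds no policy and fails open.
function isToolAllowedRaw(byProvider, provider, tool) {
  const policy = byProvider[provider];
  return !policy || !policy.deny.includes(tool);
}

// Hardened lookup: canonicalize the policy keys and the requested provider.
function isToolAllowed(byProvider, provider, tool) {
  const canonical = canonicalProvider(provider);
  const entry = Object.entries(byProvider)
    .find(([key]) => canonicalProvider(key) === canonical);
  return !entry || !entry[1].deny.includes(tool);
}

// Pairing approval: list every inherited device scope the caller does not hold.
// An empty result means the approval may proceed.
function missingCallerScopes(callerScopes, deviceScopes) {
  const held = new Set(callerScopes);
  return deviceScopes.filter((scope) => !held.has(scope));
}

// Constructed sample data.
const samplePolicies = { bedrock: { deny: ["exec"] } };
console.log(isToolAllowedRaw(samplePolicies, "aws-bedrock", "exec")); // alias slips past
console.log(isToolAllowed(samplePolicies, "aws-bedrock", "exec"));    // policy applied
console.log(missingCallerScopes(["operator.read"], ["operator.read", "operator.admin"]));
```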
Potential Breaking Change: Security hardening prevents npm_execpath injection from workspace .env files (PR #73262) and workspace PATH injection via service environment and trash helpers (PR #73264). Additionally, bundled plugin directory resolution is now restricted to trusted package roots (PR #73275).
Action Required: If you utilize non-standard Node.js installations, custom npm_execpath settings, or modified PATH environments that point into your OpenClaw workspace, review these configurations. The system will now prioritize trusted Node-adjacent paths for npm execution and filter out untrusted workspace-derived directories from the service PATH. This may affect custom build or cleanup scripts that relied on these mechanisms.
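One way to express the hardening described above, as an added example that is not OpenClaw's implementation: workspace-derived and relative directories are filtered out of the service PATH, `npm_execpath` and `PATH` from a workspace .env are ignored, and npm is resolved next to the running Node binary. The function names, the workspace location and the sample values are assumptions.

```javascript
const path = require("node:path");

// True when `candidate` is `root` itself or lies beneath it (after normalization).
function isInside(root, candidate) {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  const escapes = rel === ".." || rel.startsWith(".." + path.sep);
  return rel === "" || (!escapes && !path.isAbsolute(rel));
}

// Keep only absolute PATH entries that do not resolve into the workspace.
// Empty and relative entries are dropped because they resolve against the cwd.
function filterServicePath(pathValue, workspaceRoot) {
  return pathValue
    .split(path.delimiter)
    .filter((dir) => path.isAbsolute(dir) && !isInside(workspaceRoot, dir))
    .join(path.delimiter);
}

// Keys a workspace .env may not set for the service (the two named on this page).
const BLOCKED_ENV_KEYS = new Set(["npm_execpath", "path"]);

// Merge workspace .env values into the service env, dropping blocked keys.
function mergeWorkspaceEnv(serviceEnv, workspaceEnv) {
  const merged = { ...serviceEnv };
  const dropped = [];
  for (const [key, value] of Object.entries(workspaceEnv)) {
    if (BLOCKED_ENV_KEYS.has(key.toLowerCase())) dropped.push(key);
    else merged[key] = value;
  }
  return { merged, dropped };
}

// Resolve npm next to the running Node binary instead of trusting npm_execpath.
function trustedNpmPath(nodeExecPath = process.execPath) {
  const npm = process.platform === "win32" ? "npm.cmd" : "npm";
  return path.join(path.dirname(nodeExecPath), npm);
}

// Constructed sample values (hypothetical workspace location).
const WORKSPACE = "/srv/openclaw/workspace";
const SAMPLE_PATH = ["/usr/bin", `${WORKSPACE}/node_modules/.bin`, "", "bin",
  `${WORKSPACE}/../workspace/tools`].join(path.delimiter);
console.log(filterServicePath(SAMPLE_PATH, WORKSPACE));
```

An operator can run the same filter over the PATH of the service unit to see which entries a hardened service would discard before upgrading.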