openclaw v2026.6.6-beta.1 delivers tightened security boundaries for host and sandbox environments, improved message delivery reliability for Telegram and iMessage, and expanded provider support including Claude Fable 5 adaptive thinking.
Key Changes
Security Hardening
Security boundaries have been substantially tightened across multiple surfaces to reduce unattended execution risk and prevent unauthorized access:
- Exec Approvals: Unanswered execution approval requests now fail closed (deny) by default after a timeout, rather than treating silence as approval (#91938).
- Host Environment: The host environment safety policy now blocks request-scoped overrides for Rustup toolchains (#91615), Git protocol controls (#91619), and various interpreter startup/search-path variables such as BASHOPTS and FPATH (#91618).
- Sandbox Binds: Docker sandbox bind source validation now rejects parent sources that cover blocked descendants (e.g., blocking /var if /var/run is protected) (#91741).
- MCP Security: stdio MCP server environment filtering now drops inherited child-process config pivots (e.g., Ansible and Terraform config keys) while preserving explicit credential keys like GITHUB_TOKEN (#91751).
- Codex Sandbox: The Codex sandbox HTTP bridge now rejects private/internal HTTP targets and blocks protected metadata/internal IPs (#91752).
- Access Control: Deleted-agent guards now require persisted ACP metadata to prove a session is ACP-owned, preventing sessions under deleted configured agents from incorrectly bypassing guards (#91763).
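To make the Codex sandbox HTTP bridge item concrete, here is an added example (not openclaw's code) of the egress check such a bridge needs: literal IP targets in loopback, RFC 1918, link-local/metadata, CGNAT and IPv6 internal ranges are refused, and DNS names are flagged for resolve-then-check. The function names and the blocked-range list are my own assumptions, not the project's API.

```typescript
import { isIP } from "node:net";

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, oct) => ((acc << 8) + Number(oct)) >>> 0, 0);
}

function inCidr4(ip: string, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const n = Number(bits);
  const mask = n === 0 ? 0 : (~0 << (32 - n)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Ranges an egress bridge should refuse: loopback, RFC 1918, link-local (the cloud metadata
// service sits at 169.254.169.254), CGNAT, "this network" and limited broadcast. Constructed list.
const BLOCKED_V4 = [
  "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "255.255.255.255/32",
];

export function isBlockedIPv4(ip: string): boolean {
  return BLOCKED_V4.some((cidr) => inCidr4(ip, cidr));
}

export function isBlockedIPv6(ip: string): boolean {
  const a = ip.toLowerCase();
  if (a === "::1" || a === "::") return true; // loopback, unspecified
  // IPv4-mapped addresses (the WHATWG URL parser serializes them as ::ffff:hhhh:hhhh) defer to the v4 list.
  const m = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (m) {
    const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
    return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return /^f[cd]/.test(a) || /^fe[89ab]/.test(a); // fc00::/7 unique-local, fe80::/10 link-local
}

// Decide what the bridge may do with a target URL. Literal IP hosts are decided here; the URL
// parser already normalizes forms like 0x7f000001 or 2130706433 to dotted quads. A DNS name is
// returned as "resolve-first": resolve it, run every answer through the checks above, and
// connect only to the vetted address (re-resolving at connect time reopens a rebinding window).
export function classifyTarget(url: string): "allow" | "block" | "resolve-first" {
  const host = new URL(url).hostname.replace(/^\[|\]$/g, "");
  const ver = isIP(host);
  if (ver === 4) return isBlockedIPv4(host) ? "block" : "allow";
  if (ver === 6) return isBlockedIPv6(host) ? "block" : "allow";
  if (host === "localhost" || host.endsWith(".localhost")) return "block";
  return "resolve-first";
}
```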
Channel Enhancements
Telegram
- Delivery Reliability: Answer text emitted between tool calls is now preserved across assistant-message boundaries, preventing intermediate findings from disappearing during streaming (#88682).
- Routing: Non-default Telegram account topic routes with an explicit agentId now dispatch correctly instead of being dropped (#91189).
- Deduplication: Dispatch replay deduplication now uses the SDK persistent claimable dedupe helper (#91904).
- Privacy: Unauthorized Telegram DM text is now blocked before it can enter the prompt context or conversation cache (#91478).
- Command Fixes: The native /compact command now correctly delivers acknowledgment replies to the user (#89588).
iMessage
- Recovery: Inbound recovery is now always-on, using a persistent claimable GUID dedupe and a rowid-based cursor to replay messages missed during downtime (#91335).
- Reliability: Outbound send transport is hardened with a new sendTransport configuration (auto, bridge, or applescript) and isolated send clients to prevent wedged watch subscriptions from blocking outbound messages (#91783).
- Streaming: The blockStreaming configuration is now properly honored, allowing interim progress replies before the final answer (#91449).
- Diagnostics: New privacy-safe diagnostics surface why inbound rows are dropped (e.g., echo or reflection) and provide startup context for watch.subscribe failures (#91785).
Other Channels
- WhatsApp: Captured replies are now routed through successor controllers after a restart, preventing RECONNECT_IN_PROGRESS_ERROR failures (#85823).
- Feishu: Added bounded retries for send-time rate-limit errors (HTTP 429 and specific business codes) to prevent message loss (#89659).
Provider and Model Support
- Claude Fable 5: Added support for Claude Fable 5 adaptive thinking across direct API, Vertex, and Bedrock, including adaptive-thinking defaults and replay safety (#91882).
- Gemma 4: Fixed a bug where reasoning_content was stripped during multi-turn tool replay for Gemma 4 models via OpenAI-compatible completions (#91696).
- OpenRouter: Added OpenRouter OAuth to the CLI onboarding process (#91830).
Performance and UI
- Control UI Latency: Startup and first-reply latency are reduced through cached model metadata (#91531), removal of the startup catalog wait (#91538), and lazy loading of slash commands (#91598).
- Observability: Added a first-assistant-event server timing phase to split first-message latency between the gateway and browser paint (#91568), and warnings for slow first replies (#91583).
Impact
For Operators
- Approval Workflow: If you rely on silent timeout auto-approval for execution requests, you must now explicitly configure askFallback in your exec approvals policy, as the default is now deny.
- Host Security: Certain environment variables used for Git, Rustup, and shell interpreters are now blocked. This may affect specialized local toolchains that rely on these overrides.
- Sandbox Configuration: Broad host parent directory binds in Docker sandboxes may now fail validation if they cover protected system paths.
For Users
- Improved Responsiveness: Users of the Control UI will experience faster initial chat boots and reduced first-reply latency.
- Better Message Integrity: Telegram and iMessage users will see more consistent streaming behavior and more reliable message recovery after gateway restarts.
FAQ
What's new in v2026.6.6-beta.1?
This release delivers tightened security boundaries for host and sandbox environments, improved message delivery reliability for Telegram and iMessage, and expanded provider support including Claude Fable 5 adaptive thinking.
Are there any breaking changes?
Yes. Unanswered exec approval requests now deny by default after timeout (previously they were approved). Additionally, broad host parent directory binds in Docker sandboxes may now be rejected if they cover blocked descendants, and several host environment variables (Git, Rustup, and interpreter paths) are now blocked.
How do I upgrade?
These release notes do not provide specific upgrade commands, but they note that operators who want to keep timeout auto-approval for execution requests must explicitly set askFallback in their exec approvals policy.