This beta release introduces significant security hardening, expanded model provider coverage including Pixverse and DeepInfra, and critical stability fixes for Codex and session lock management.
OpenClaw v2026.5.27-beta.1 brings a comprehensive set of updates focused on system security, provider expansion, and the reliability of the Codex app-server. This release is particularly critical for operators managing complex agent fallback chains and those utilizing the Codex runtime, as it resolves several high-impact deadlock and authentication issues.
Key Changes
Security and Content Boundaries
This release implements several layers of hardening to prevent prompt injection and unauthorized system access:
Prompt Isolation: Untrusted group prompt metadata is now routed outside of the system prompt into a structured user-role context, preventing user-controlled channel metadata from overriding system instructions (#87144).
Command Wrapper Blocking: Side-effecting command wrappers (such as BSD script or GNU time -o) are now blocked by the execution approval policy to prevent hidden file writes or transcript captures (#87292).
Runtime Environment Protection: Unsafe Node.js runtime environment overrides (e.g., NODE_V8_COVERAGE) are now blocked in the shared host environment policy (#87308).
Access Control: Admin authority is now strictly required for node and device-role approvals (#87146), and QQBot fallback approval buttons are now gated by explicit actor authorization (#87154).
Codex and Runtime Stability
Significant improvements have been made to the Codex app-server and agent harness selection:
Harness Validation: The agent harness selector now consults the supports() predicate before pinning a runtime. This prevents a common failure where a forced Codex harness would attempt to serve an unsupported provider, leading to late RPC errors (#74341).
Shared Client Preservation: Logical startup failures (such as 401 Unauthorized) in spawned helper runs no longer retire the shared app-server client used by the main session, preventing unnecessary gateway disconnects (#87375, #87428).
Memory Routing: Native Codex workspace MEMORY.md is now routed through memory tools when available, reducing the prompt budget used by raw memory injection (#87383, #87403).
Provider and Model Expansion
OpenAI-Compatible Embeddings: A new core openai-compatible embedding provider is now available, allowing for easier integration of local and hosted OpenAI-style endpoints (#85269).
DeepInfra Enhancements: The DeepInfra plugin now dynamically loads the full model catalog (88+ models) during onboarding and supports live image-gen and video-gen catalogs (#84549). Additionally, Anthropic prompt caching now correctly fires for DeepInfra-routed requests.
Pixverse Integration: Added the Pixverse video generation provider with API region selection and external plugin packaging support.
Claude CLI OAuth: PI embedded runs and /btw side questions now correctly load Claude CLI OAuth for auth profiles, ensuring credentials are preserved across sessions (#87167).
Performance and Delivery
Gateway Latency: Performance is improved by propagating metadata snapshots and eliminating ESM side-effects in auth environment variables, cutting resolution latency by approximately 50% (#86439).
Durable Delivery: Telegram sendMessage actions are now routed through the durable outbound delivery path, ensuring that agent outputs are retryable if the platform send fails (#87261).
Session Lock Recovery: A critical fix ensures that session write locks are released immediately upon a timeout abort of an embedded run, resolving a deadlock that previously required a gateway restart (#87278).
Impact
Fixed Issues
Deadlocks: Resolved the Pi session event queue self-wait that could hang the Gateway during tool calls (#86093) and the session write lock leak during subagent announce timeouts (#86816).
False Warnings: Fixed a bug where "Write failed" warnings were shown even when files were successfully saved, by implementing source-backed write timeout recovery (#55424).
Search Failures: QMD search results on Apple Silicon are now salvaged even if the subprocess exits with a non-zero code due to Metal GPU cleanup crashes (#85217).
Auth Regressions: Fixed an issue where btw spawn with an invalid bearer token would trigger a full gateway disconnect (#72574).
Breaking Changes
Plugin SDK: Vitest-backed test-helper subpaths (e.g., openclaw/plugin-sdk/testing) are no longer exported as public package exports. These are now repo-local surfaces and should not be used in published plugins (#87120).
Embedding API: Memory-specific embedding provider registration is now deprecated in favor of the generic embedding provider bridge (#85072).
Upgrade Guide
For Plugin Developers
Test Helpers: If your custom scripts rely on importing openclaw/plugin-sdk/* test helpers, you must now move those tests into the OpenClaw repository or provide your own test utilities, as these are no longer exported in the npm package.
Embedding Providers: Transition from api.registerMemoryEmbeddingProvider to the generic api.registerEmbeddingProvider to avoid deprecation warnings.
For Operators
Environment Variables: Review any custom .env or skill overrides to ensure they do not use the now-blocked Node runtime-control variables (e.g., NODE_REPL_HISTORY).
Device Approvals: Ensure that users responsible for approving node/device roles have the operator.admin scope.
nominiclaw