fix(docker): keep default OpenAI harness plugin in release images by YuanHanzhong · Pull Request #83626 · openclaw/openclaw

YuanHanzhong · 2026-05-18T14:11:01Z

Summary

include the default harness plugin in official Docker release keep lists
add a workflow regression assertion so both release architectures keep that plugin

Real behavior proof

Behavior or issue addressed: Official Docker release images now keep the default harness plugin in both release architecture paths instead of pruning it from the packaged extension set.
Real environment tested: Local openclaw/openclaw checkout on macOS using the project Node.js test runner and release workflow file checks.
Exact steps or command run after this patch: Checked the Docker release workflow keep-list entries, ran the focused Docker packaging regression command with node scripts/run-vitest.mjs, then ran git diff --check.
Evidence after fix: Terminal capture from the release workflow and packaging checks:

$ <release workflow keep-list check>
release workflow default harness keep-list entries: 2

$ node scripts/run-vitest.mjs <focused Docker packaging tests>
65 passed

Observed result after fix: Both release architecture paths keep the default harness plugin, and the focused Docker packaging regression suite passed.
What was not tested: A live multi-architecture Docker image publish was not run locally.

Tests

Release workflow keep-list check
Focused Docker packaging regression command
git diff --check

clawsweeper · 2026-05-18T14:12:27Z

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

ClawSweeper keeps one durable marker-backed review comment per issue or PR.
Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
Maintainers can also comment @clawsweeper review to request a fresh review only.
Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds codex to both official Docker release OPENCLAW_EXTENSIONS keep lists, adds a static regression assertion, and records a changelog fix.

Reproducibility: yes. Source inspection shows current main excludes dist/extensions/codex/**, prunes excluded plugin dist unless OPENCLAW_EXTENSIONS keeps it, and official release jobs pass only diagnostics-otel; I did not run a full Docker image build in this read-only review.

PR rating
Overall: 🧂 unranked krab
Proof: 🧂 unranked krab
Patch quality: 🐚 platinum hermit
Summary: The implementation is small and likely correct, but the PR is not merge-ready until real Docker image proof verifies the packaged runtime behavior.

Rank-up moves:

Add redacted official-style Docker build/run proof showing /app/dist/extensions/codex/openclaw.plugin.json exists and openclaw plugins inspect codex --runtime --json reports the codex harness.

What the crustacean ranks mean

🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

PR egg
🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?

The egg game starts only after the PR passes the real-behavior proof check.
Before that, no creature, rarity, or ASCII portrait is rolled. The treat waits for real proof.
This is still just collectible flavor: proof affects review readiness, not creature quality.

Real behavior proof
Needs real behavior proof before merge: Needs real behavior proof before merge: the PR body supplies static workflow-check and Vitest output only; add redacted Docker build/run output, terminal screenshot, logs, or a linked artifact showing the manifest and runtime inspect result, then update the PR body for automatic re-review.

Risk before merge
Why this matters: - Real release-image behavior is not yet proven: the PR body shows static workflow and Vitest output, but no Docker build/run output proving the Codex manifest exists in the image and runtime inspection loads the codex harness.

The change intentionally alters official release image contents and can restore Codex harness selection for default OpenAI agent turns in Docker images, so maintainers should own the compatibility and auth-provider impact before merge.

Maintainer options:

Require release-image proof (recommended)
Merge after redacted official-style Docker build/run output shows the Codex manifest exists in the image and openclaw plugins inspect codex --runtime --json reports the harness.
Maintainer-provided Docker proof
A maintainer can run equivalent image proof and treat the contributor proof gap as satisfied if the release-image behavior is shown directly.
Pause if image contents are not approved
If maintainers do not want Codex restored in default official release images, pause or close this PR and keep the linked issue open for a different packaging decision.

Next step before merge
Needs contributor or maintainer real Docker image proof before merge; there is no narrow code repair for automation to attempt.

Security
Cleared: Cleared: the diff keeps an existing first-party bundled plugin in release build args and adds a static test/changelog; it does not change action refs, permissions, secrets, dependency sources, or executable downloads.

Review details

Best possible solution:

Land the keep-list fix after redacted official-style Docker build/run proof shows the Codex plugin manifest exists in the release image and runtime inspection reports the codex harness.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows current main excludes dist/extensions/codex/**, prunes excluded plugin dist unless OPENCLAW_EXTENSIONS keeps it, and official release jobs pass only diagnostics-otel; I did not run a full Docker image build in this read-only review.

Is this the best way to solve the issue?

Yes. Using the existing OPENCLAW_EXTENSIONS keep-list for both official release architectures is the narrowest code path for the reported official-image bug, but merge readiness still needs real Docker image proof.

Label justifications:

P2: This is a focused Docker packaging bug fix for the default OpenAI/Codex harness path with limited but real release-image impact.
merge-risk: 🚨 compatibility: Merging changes official release image contents and can change upgraded Docker users from PI fallback behavior back to the intended Codex harness path.
merge-risk: 🚨 auth-provider: The kept plugin owns the default OpenAI agent harness, so the release image can affect provider/runtime selection and Codex auth behavior.

Acceptance criteria:

Build an official-style Docker image from the PR branch.
Run docker run --rm --entrypoint bash <image> -lc 'test -f /app/dist/extensions/codex/openclaw.plugin.json && openclaw plugins inspect codex --runtime --json' and confirm agentHarnessIds includes codex.
Run the focused test command reported by the PR body, node scripts/run-vitest.mjs src/dockerfile.test.ts, plus git diff --check.

What I checked:

Current main release workflow omits Codex: Both official release image jobs on current main pass OPENCLAW_EXTENSIONS=diagnostics-otel without codex, so the release build does not keep the Codex plugin through the Docker prune step. (.github/workflows/docker-release.yml:158, b7ba7c3f2a1e)
Package publish list excludes Codex dist by default: The root package file excludes dist/extensions/codex/**, making Codex one of the plugin dist folders that Docker pruning can remove unless the keep list includes it. (package.json:41, b7ba7c3f2a1e)
Prune script keeps only requested excluded plugins: pruneDockerPluginDist reads OPENCLAW_EXTENSIONS, collects excluded bundled plugin ids, and removes each excluded plugin from dist and dist-runtime unless the keep list contains that id. (scripts/prune-docker-plugin-dist.mjs:23, b7ba7c3f2a1e)
Dockerfile runs the prune step during runtime image assembly: The runtime-assets stage passes the workflow build arg into scripts/prune-docker-plugin-dist.mjs, so the release workflow keep list controls which excluded plugin dist folders remain in the final image. (Dockerfile:121, b7ba7c3f2a1e)
Codex plugin owns the harness being kept: The Codex manifest activates on the codex agent harness and the plugin entry registers the Codex app-server agent harness, which matches the linked issue's default OpenAI harness concern. (extensions/codex/openclaw.plugin.json:21, b7ba7c3f2a1e)
Docs describe Codex as the default OpenAI agent runtime when available: The agent-harness docs say plain openai/gpt-* refs select the Codex harness by default, and the Codex harness docs require the bundled codex plugin to be available. Public docs: docs/plugins/sdk-agent-harness.md. (docs/plugins/sdk-agent-harness.md:149, b7ba7c3f2a1e)

Likely related people:

steipete: Recent history shows Docker release workflow and slim runtime commits, plus several recent Codex harness documentation/routing fixes that define the default OpenAI-to-Codex behavior this PR restores in release images. (role: recent Docker release and Codex routing contributor; confidence: high; commits: bb294bcd20eb, 2cd23957c06a, a04e40e6fa45; files: .github/workflows/docker-release.yml, Dockerfile, docs/plugins/codex-harness.md)
vincentkoc: GitHub history shows the Docker plugin dist pruning script was introduced by fix(docker): prune external plugin dist, and the same contributor recently touched Docker release workflow settings. (role: Docker prune and release workflow contributor; confidence: high; commits: 7e229f0d3d63, dc05c93c024c, bd51f82efafd; files: scripts/prune-docker-plugin-dist.mjs, .github/workflows/docker-release.yml)
sallyom: Recent history shows a Dockerfile/test change for external Dockerfile frontend behavior, and the live PR commit is currently committed by this account after the force-push noted in the timeline. (role: recent Docker area contributor; confidence: medium; commits: e1795256d5a2, bc5b38f2aeb6; files: Dockerfile, src/dockerfile.test.ts, .github/workflows/docker-release.yml)
obviyus: Recent Dockerfile history includes fix(docker): prune with source workspace policy, which is adjacent to the runtime-assets pruning behavior used by this fix. (role: adjacent Docker prune contributor; confidence: medium; commits: 4a009612c9ab; files: Dockerfile, src/dockerfile.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against b7ba7c3f2a1e.

liorb-mountapps · 2026-05-18T17:00:11Z

Hi @YuanHanzhong
You might want to ask for review in the clawtributors discord channel on the openclaw discord server.
They pick it up pretty quickly from there

sallyom

Maintainer verification for rebased head bc5b38f2aeb6630e97b7c3f6114d0ced937d7e9c.

Behavior addressed: official Docker release images now keep the bundled codex plugin alongside diagnostics-otel, so Docker pruning does not remove the default OpenAI agent harness runtime from release images.

Real environment tested: local OpenClaw checkout plus maintainer Podman image smoke.

Exact steps or command run after this patch:

node scripts/run-vitest.mjs src/dockerfile.test.ts
git diff --check origin/main...HEAD
podman build -t quay.io/sallyom/openclaw:codex --build-arg OPENCLAW_EXTENSIONS=diagnostics-otel,codex .

Evidence after fix:

Local focused Docker workflow/package regression passed.
Whitespace diff check passed.
CI for head bc5b38f2aeb6630e97b7c3f6114d0ced937d7e9c has no failed or pending jobs/check-runs from the GitHub API.
Relevant CI/run proof includes CI run 26102366024, CodeQL Critical Quality run 26102366039, and Real behavior proof run 26102719666.
Maintainer Podman image smoke using OPENCLAW_EXTENSIONS=diagnostics-otel,codex was reported good.

Observed result after fix: the release workflow keep list includes diagnostics-otel,codex for both release architecture builds, and the smoke-built image exercises the same root Dockerfile build arg path.

What was not tested: a live multi-architecture GHCR release publish.

…026.5.20) (#615) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.5.19` → `2026.5.20` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/567) for more information. --- ### Release Notes <details> <summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary> ### [`v2026.5.20`](https://github.com/openclaw/openclaw/blob/HEAD/CHANGELOG.md#2026520) [Compare Source](openclaw/openclaw@v2026.5.19...v2026.5.20) ##### Changes - Exec approvals: remove the old `cat SKILL.md && printf ... && <skill-wrapper>` allowlist compatibility path so skill files must be loaded with the read tool and only the real skill executable is auto-allowed. - Discord: let voice sessions follow configured Discord users into voice channels, with allowed-channel checks, multi-user handoff, bounded reconciliation, and DAVE recovery preservation. ([#84264](openclaw/openclaw#84264)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev). - Discord/voice: include bounded `IDENTITY.md`, `USER.md`, and `SOUL.md` profile context in realtime voice session instructions by default, with `voice.realtime.bootstrapContextFiles: []` available to disable it. ([#84499](openclaw/openclaw#84499)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev). - Dependencies: bump the bundled Codex harness to `@openai/codex` `0.132.0` and refresh the app-server model-list docs for the new catalog. - CLI/policy: add the bundled Policy plugin for policy-backed channel conformance checks, doctor lint findings, and opt-in workspace repair. ([#80407](openclaw/openclaw#80407)) Thanks [@giodl73-repo](https://github.com/giodl73-repo). - Agents/config: allow `agents.list[].experimental.localModelLean` so lean local-model mode can be enabled for one configured agent instead of globally. - Providers/xAI: add device-code OAuth login so remote and headless setups can authorize xAI without a localhost browser callback. ([#84005](openclaw/openclaw#84005)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev). - Providers/OpenRouter: honor provider-level `params.provider` routing policy for OpenRouter requests, with model and agent params overriding the defaults. Thanks [@amknight](https://github.com/amknight). ##### Fixes - CLI/tasks: include stale-running task maintenance decisions in `openclaw tasks maintenance --json` so retained and reconcile candidates explain backing-session, cron, CLI, and wedged-subagent state. ([#84691](openclaw/openclaw#84691)) Thanks [@efpiva](https://github.com/efpiva). - Codex app-server: keep system-prompt reports working when bootstrap hooks provide workspace files with only a path and content, so hook-supplied SOUL/IDENTITY/TOOLS/USER context still reports injected characters correctly. ([#84736](openclaw/openclaw#84736)) Thanks [@JARVIS-Glasses](https://github.com/JARVIS-Glasses). - Providers/MiniMax music: stop advertising `durationSeconds` control and remove prompt-injected duration hints, so `music_generate` reports MiniMax duration as an unsupported override instead of suggesting MiniMax can enforce track length. Fixes [#84508](openclaw/openclaw#84508). Thanks [@neeravmakwana](https://github.com/neeravmakwana). - Doctor: warn when sandbox tool policy hides configured MCP server tools before provider requests. ([#84699](openclaw/openclaw#84699)) Thanks [@nxmxbbd](https://github.com/nxmxbbd). - WhatsApp: update Baileys to `7.0.0-rc12`. - Build: suppress per-locale `rolldown-plugin-dts:fake-js` CommonJS dts warnings emitted while bundling the intentionally-inlined `zod/v4/locales/*.d.cts` files, so `pnpm build` output stays readable after the 0.25.1 plugin bump. Thanks [@romneyda](https://github.com/romneyda). - CLI/nodes: route lazy plugin-registration logs to stderr for JSON-mode `openclaw nodes` commands so stdout stays parseable. ([#84684](openclaw/openclaw#84684)) Thanks [@TurboTheTurtle](https://github.com/TurboTheTurtle). - Approvals: route manual `/approve` decisions through the trusted approval runtime so active exec and plugin approvals no longer look unknown or expired. - Mac app: update the About settings copyright year to 2026. ([#84385](openclaw/openclaw#84385)) Thanks [@pejmanjohn](https://github.com/pejmanjohn). - Dependencies: update `@openclaw/fs-safe` to `0.2.7` so OpenClaw's default Python-helper-off policy keeps best-effort Node write fallbacks for private stores, secret writes, run logs, and media attachments on Linux/macOS. - Infra/secrets: restore the fail-closed contract for `tryReadSecretFileSync` so credential loaders that pass `rejectSymlink: true` (Telegram, LINE, Zalo, IRC, Nextcloud Talk tokens) refuse symlinked credential files instead of silently accepting them, and the infra-state CI shard's secret-file symlink test passes again. Thanks [@romneyda](https://github.com/romneyda). - Browser: honor the configured image sanitization limit for screenshots and labeled snapshots so browser-captured images follow the same resize policy as other image results. ([#84595](openclaw/openclaw#84595)) - Doctor: remove unrecognized `models.providers.*.models[*].compat.thinkingFormat` values during `doctor --fix` so stale provider model config can validate after upgrade. Fixes [#77803](openclaw/openclaw#77803). - Doctor: warn when `openclaw.json` stores plaintext secret-bearing config fields, including model provider API keys and sensitive provider headers. ([#84718](openclaw/openclaw#84718)) Thanks [@lukaIvanic](https://github.com/lukaIvanic). - Status: show the configured default, session-selected model, reason, clear hint, and docs link when a session remains pinned to a model that differs from `agents.defaults.model.primary`. - WebChat: clear stale typing indicators when session change events mark the active chat run complete. - Mac app: keep local packaging signed with a stable app identity for permission testing and fix Control UI production builds under current Vite/Highlight.js exports. - macOS app: update the embedded Peekaboo bridge to 3.2.1 so OpenClaw-hosted UI automation works with current Peekaboo CLI capture flows. - Cron: deliver preferred final assistant output for successful scheduled runs when trailing plain tool warnings remain in diagnostics instead of marking the run failed. - fix(mattermost): fail closed on missing channel type \[AI]. ([#84091](openclaw/openclaw#84091)) Thanks [@pgondhi987](https://github.com/pgondhi987). - Recheck rebuilt system.run argv \[AI]. ([#84090](openclaw/openclaw#84090)) Thanks [@pgondhi987](https://github.com/pgondhi987). - CLI: keep the private QA subcommand out of exported command descriptors unless `OPENCLAW_ENABLE_PRIVATE_QA_CLI=1`, so root help and subcommand markers match runtime registration. ([#84519](openclaw/openclaw#84519)) - CLI/cron: bound `openclaw cron show` job lookup pagination so non-advancing or unbounded `cron.list` responses fail instead of hanging the command. Fixes [#83856](openclaw/openclaw#83856). ([#83989](openclaw/openclaw#83989)) - Agents/messages: stop message-tool-only turns after a successful source-channel `message` send while keeping transcript mirrors under the session write lock. ([#84289](openclaw/openclaw#84289)) - Agents: filter silent heartbeat response-tool transcript artifacts out of embedded context snapshots so later user turns are not polluted by heartbeat no-op messages. ([#83477](openclaw/openclaw#83477)) Thanks [@fuller-stack-dev](https://github.com/fuller-stack-dev). - Agents/OpenAI: log repeated strict tool-schema downgrade diagnostics once per provider/model/tool signature, reducing duplicate debug noise while preserving `strict=false` fallback behavior. Fixes [#82930](openclaw/openclaw#82930). ([#82933](openclaw/openclaw#82933)) Thanks [@galiniliev](https://github.com/galiniliev). - Agents/code mode: spell out the `exec` tool's JavaScript/TypeScript, no Node module, and catalog-bridge constraints in model-visible schema text so agents can use enabled tools without trial-and-error. ([#84269](openclaw/openclaw#84269)) Thanks [@Kaspre](https://github.com/Kaspre). - Codex: give `image_generate` dynamic-tool calls a 120s default watchdog when no per-call or configured image timeout is set, so image generation no longer falls back to the generic 30s bridge timeout. ([#84254](openclaw/openclaw#84254)) Thanks [@moritzmmayerhofer](https://github.com/moritzmmayerhofer). - Codex: avoid duplicate dynamic tool terminal diagnostics while large diagnostic backlogs drain without blocking tool responses. ([#82937](openclaw/openclaw#82937)) Thanks [@galiniliev](https://github.com/galiniliev). - CLI/message: include a stable top-level `messageId` in `openclaw message --json` output when channel sends return one. ([#84191](openclaw/openclaw#84191)) Thanks [@100menotu001](https://github.com/100menotu001). - Cron: preserve legacy top-level array `jobs.json` stores when loading or adding scheduled jobs so old cron jobs are no longer treated as an empty store during upgrade. Fixes [#60799](openclaw/openclaw#60799). ([#84433](openclaw/openclaw#84433)) Thanks [@IWhatsskill](https://github.com/IWhatsskill). - Gateway/agents: use an agent's `identity.name` in Gateway agent summaries when `agents.list[].name` is unset, so configured agent labels remain visible in clients. ([#84355](openclaw/openclaw#84355); refs [#57835](openclaw/openclaw#57835)) Thanks [@luoyanglang](https://github.com/luoyanglang). - Channels/replies: keep normal `/verbose` failed-tool progress compact in message-tool replies and prevent late text-only tool output from appearing after the final answer. ([#84303](openclaw/openclaw#84303)) Thanks [@VACInc](https://github.com/VACInc). - Plugins/hooks: apply a default 30-second timeout to `before_compaction` and `after_compaction` hooks so a hung plugin handler no longer blocks compaction completion. ([#84153](openclaw/openclaw#84153)) - Discord: preserve disabled presentation buttons when adapting and rendering Discord message controls. ([#84188](openclaw/openclaw#84188)) Thanks [@100menotu001](https://github.com/100menotu001). - Twitch: add a test-only client-manager registry reset helper so non-isolated Twitch tests can clear cached managers between cases. Fixes [#83887](openclaw/openclaw#83887). ([#84244](openclaw/openclaw#84244)) Thanks [@hclsys](https://github.com/hclsys). - Cron: run main-session scheduled work on a cron-owned wake lane while preserving reply delivery context, so background cron turns no longer block human main-session chat. Fixes [#82766](openclaw/openclaw#82766). ([#82767](openclaw/openclaw#82767)) Thanks [@galiniliev](https://github.com/galiniliev). - Cron: use structured embedded-run denial metadata for isolated scheduled tasks so blocked exec requests fail the job without treating ordinary assistant prose as a denial. ([#84067](openclaw/openclaw#84067)) Thanks [@abnershang](https://github.com/abnershang). - Cron: keep recovered tool warnings diagnostic for successful scheduled runs so final cron output is delivered instead of being replaced by a post-processing warning. ([#84045](openclaw/openclaw#84045)) Thanks [@abnershang](https://github.com/abnershang). - Plugins/perf: thread explicit plugin discovery results through `loadBundledCapabilityRuntimeRegistry`, `resolveBundledPluginSources`, and `listChannelCatalogEntries` so callers that already hold a discovery result skip redundant filesystem walks. Thanks [@SebTardif](https://github.com/SebTardif). - harden update restart script creation \[AI]. ([#84088](openclaw/openclaw#84088)) Thanks [@pgondhi987](https://github.com/pgondhi987). - Docker: keep the bundled Codex plugin in official release image keep lists so the default OpenAI agent harness remains available after Docker pruning. Fixes [#83613](openclaw/openclaw#83613). ([#83626](openclaw/openclaw#83626)) Thanks [@YuanHanzhong](https://github.com/YuanHanzhong). - CLI/channels: preserve the first line of `openclaw channels logs` output when the rolling tail window starts exactly on a line boundary, mirroring the already-fixed `readLogSlice` behavior in `src/logging/log-tail.ts`. - Control UI: treat terminal session status as authoritative over stale active-run flags so completed terminal runs stop showing abort/live UI. ([#84057](openclaw/openclaw#84057)) - CLI: preserve embedded equals signs in inline root option values instead of truncating after the second separator. ([#83995](openclaw/openclaw#83995)) Thanks [@ThiagoCAltoe](https://github.com/ThiagoCAltoe). - Matrix/config: accept `messages.queue.byChannel.matrix` queue overrides and keep queue provider schema/type keys aligned for Matrix, Google Chat, and Mattermost. Thanks [@bdjben](https://github.com/bdjben). - CLI: format `openclaw acp client` failures through the shared error formatter so object-shaped errors stay readable instead of printing `[object Object]`. Fixes [#83904](openclaw/openclaw#83904). ([#84080](openclaw/openclaw#84080)) - Providers/Ollama: default unknown-capabilities models to tool-capable so discovered native Ollama models can use tools when `/api/show` omits capabilities. ([#84055](openclaw/openclaw#84055)) Thanks [@dutifulbob](https://github.com/dutifulbob). - Installer/Windows: launch `install.ps1` onboarding as an attached child process so fresh native Windows installs do not freeze visibly at `Starting setup...` or corrupt the wizard's terminal rendering. - CLI/update: keep restart health checks working across one-version CLI/Gateway protocol skew and use the managed Gateway service Node for all follow-up commands even when the package root is unchanged, so `openclaw update` no longer silently switches the gateway to a different Node binary when multiple Node installations are present. Thanks [@amknight](https://github.com/amknight). - CLI/gateway: include the running Gateway version in `gateway status` JSON output, preserving existing server metadata while falling back to status RPC data for read probes. Fixes [#56222](openclaw/openclaw#56222). Thanks [@galiniliev](https://github.com/galiniliev). - Memory/search: close local embedding providers when active-memory searches time out so pending local model loads and embedding contexts are aborted and released. ([#83858](openclaw/openclaw#83858)) Thanks [@brokemac79](https://github.com/brokemac79). - CLI/nodes: request pending node surface approval scopes before `openclaw nodes approve` so exec-capable node approval can use admin-scoped Gateway credentials instead of failing with `missing scope: operator.admin`. ([#84392](openclaw/openclaw#84392)) Thanks [@joshavant](https://github.com/joshavant). - Gateway: reject slow node event sends before outbound buffers grow unbounded and log the rejected payload diagnostic. ([#84387](openclaw/openclaw#84387)) Thanks [@samzong](https://github.com/samzong). - Agents: include bounded trajectory queued-writer diagnostics in `pi-trajectory-flush` timeout warnings so flush stalls show pending writes, queued bytes, and append state. Fixes [#82961](openclaw/openclaw#82961). ([#82962](openclaw/openclaw#82962)) Thanks [@galiniliev](https://github.com/galiniliev). - Agents/subagents: recover stale completion announces by retrying unsupported transcript-wait wakes without transcript waiting and forcing a message-tool handoff when the requester run is already stale. Fixes [#83699](openclaw/openclaw#83699). ([#83700](openclaw/openclaw#83700)) Thanks [@galiniliev](https://github.com/galiniliev). - Agents/subagents: constrain wildcard subagent target allowlists to configured agents while preserving explicitly listed compatibility targets. Fixes [#84040](openclaw/openclaw#84040). ([#84357](openclaw/openclaw#84357)) Thanks [@joshavant](https://github.com/joshavant). - Providers/Anthropic: route Anthropic model refs selected with Claude CLI auth through the Claude CLI runtime so shorthand refs such as `anthropic/opus-4.7` no longer fall back to embedded Anthropic billing. Fixes [#84222](openclaw/openclaw#84222). ([#84374](openclaw/openclaw#84374)) Thanks [@joshavant](https://github.com/joshavant). - Agents: honor explicit `models.providers.<id>.timeoutSeconds` values above the default idle watchdog for cloud and self-hosted providers, so long first-token waits no longer fall back at \~120s when the provider timeout is higher. ([#83979](openclaw/openclaw#83979)) Thanks [@yujiawei](https://github.com/yujiawei). - Agents/Codex: keep encrypted Responses reasoning replay provenance-bound so stale mirrored Codex transcripts drop invalid encrypted content before request assembly while preserving matching same-session replay. Fixes [#83836](openclaw/openclaw#83836). ([#84367](openclaw/openclaw#84367)) Thanks [@joshavant](https://github.com/joshavant). - Agents/subagents: skip stale embedded-run wake probes for dormant completion requesters, so late subagent completions go straight to requester-agent/direct handoff instead of producing `reason=no_active_run` queue noise. ([#82964](openclaw/openclaw#82964)) Thanks [@galiniliev](https://github.com/galiniliev). - CLI: retry config snapshot reads after a transient failure so one rejected read no longer poisons later commands in the same process. ([#83931](openclaw/openclaw#83931)) Thanks [@honor2030](https://github.com/honor2030). - Media: decode URL path basenames before using them as remote media fallback filenames, so files like `My%20Report.pdf` are surfaced as `My Report.pdf`. Fixes [#84050](openclaw/openclaw#84050). ([#84052](openclaw/openclaw#84052)) Thanks [@jbetala7](https://github.com/jbetala7). - WhatsApp: clarify inbound group diagnostics so observed but unregistered groups point to `channels.whatsapp.groups` without changing routing or sender authorization. ([#83846](openclaw/openclaw#83846)) Thanks [@neeravmakwana](https://github.com/neeravmakwana). - WhatsApp: drain pending outbound deliveries on a 30s periodic timer in addition to the reconnect handler, so messages enqueued while the provider is already connected no longer wait for the next reconnect to send. ([#79083](openclaw/openclaw#79083)) Thanks [@Oviemudiaga](https://github.com/Oviemudiaga). - CLI/TUI: include gateway plugin slash commands in TUI autocomplete, so connected sessions can suggest plugin-owned commands exposed by the running Gateway. ([#83640](openclaw/openclaw#83640)) Thanks [@se7en-agent](https://github.com/se7en-agent). - Gateway/mobile: restore QR setup-code handoff of bounded operator tokens for iOS and Android onboarding while keeping admin and pairing scopes out of bootstrap. ([#83684](openclaw/openclaw#83684)) Thanks [@ngutman](https://github.com/ngutman). - iOS: repair Release archive compilation for the TestFlight build. ([#84255](openclaw/openclaw#84255)) Thanks [@ngutman](https://github.com/ngutman). - Agents/compaction: bound plugin-owned CLI transcript compaction with the host safety timeout so a hung context engine can no longer stall post-turn cleanup. ([#84083](openclaw/openclaw#84083)) Thanks [@100yenadmin](https://github.com/100yenadmin). - Control UI/usage: truncate long context skill, tool, and file names in the usage panel while keeping the full name available on hover. ([#42197](openclaw/openclaw#42197)) Thanks [@Rain120](https://github.com/Rain120). - Codex: respect explicit `models auth order set` and `config.auth.order` precedence over stale `lastGood` in `/codex account`, and show `no working credential` when every explicit-order profile is ineligible instead of marking a lower-ranked profile as active. Fixes [#84386](openclaw/openclaw#84386). ([#84412](openclaw/openclaw#84412)) Thanks [@openperf](https://github.com/openperf). - Agents: honor `messages.suppressToolErrors` for mutating tool failures so configured chat surfaces do not receive separate warning payloads. ([#81561](openclaw/openclaw#81561)) Thanks [@moeedahmed](https://github.com/moeedahmed). - Agents/fallback: surface billing guidance for mixed rate-limit plus billing fallback exhaustion instead of generic failure copy. Fixes [#79396](openclaw/openclaw#79396). ([#79489](openclaw/openclaw#79489)) Thanks [@aayushprsingh](https://github.com/aayushprsingh). </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/615

openclaw-barnacle Bot added size: XS triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 18, 2026

openclaw-barnacle Bot added proof: supplied External PR includes structured after-fix real behavior proof. and removed triage: needs-real-behavior-proof Candidate: external PR needs after-fix proof from a real setup. labels May 18, 2026

clawsweeper Bot added the merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. label May 18, 2026

sallyom self-assigned this May 19, 2026

fix(docker): keep codex plugin in release images

bc5b38f

sallyom force-pushed the yh/fix-docker-codex-plugin branch from 30167b0 to bc5b38f Compare May 19, 2026 14:03

clawsweeper Bot added the merge-risk: 🚨 auth-provider 🚨 May break OAuth, tokens, provider routing, model choice, or credentials. label May 19, 2026

sallyom approved these changes May 19, 2026

View reviewed changes

sallyom merged commit d0f7c8f into openclaw:main May 19, 2026
110 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(docker): keep default OpenAI harness plugin in release images#83626

fix(docker): keep default OpenAI harness plugin in release images#83626
sallyom merged 1 commit into
openclaw:mainfrom
YuanHanzhong:yh/fix-docker-codex-plugin

YuanHanzhong commented May 18, 2026 •

edited

Loading

Uh oh!

clawsweeper Bot commented May 18, 2026 •

edited

Loading

Uh oh!

liorb-mountapps commented May 18, 2026

Uh oh!

sallyom left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

YuanHanzhong commented May 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Real behavior proof

Tests

Uh oh!

clawsweeper Bot commented May 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

liorb-mountapps commented May 18, 2026

Uh oh!

sallyom left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

YuanHanzhong commented May 18, 2026 •

edited

Loading

clawsweeper Bot commented May 18, 2026 •

edited

Loading