Skip to content

fix: constrain Windows task script names [AI]#85064

Merged
pgondhi987 merged 4 commits into
openclaw:mainfrom
pgondhi987:fix/fix-678
May 22, 2026
Merged

fix: constrain Windows task script names [AI]#85064
pgondhi987 merged 4 commits into
openclaw:mainfrom
pgondhi987:fix/fix-678

Conversation

@pgondhi987

@pgondhi987 pgondhi987 commented May 21, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Problem: Windows task script names from environment configuration were accepted as path-like values before being joined under the gateway state directory.
  • Solution: Require OPENCLAW_TASK_SCRIPT_NAME to be a bare file name before constructing the task script path.
  • What changed: Added validation for separators and traversal markers, plus regression coverage for rejected path-like names.
  • What did NOT change (scope boundary): Explicit OPENCLAW_TASK_SCRIPT full-path overrides remain unchanged.

AI-assisted change.

Motivation

  • Keep generated Windows task scripts constrained to the intended state directory when using the script-name configuration path.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor required for the fix
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

  • Related: N/A
  • This PR addresses a bug or regression

Real behavior proof (required for external PRs)

  • Behavior addressed: Path-like task script names are rejected before the scheduled-task script path is resolved.
  • Real environment tested: Not tested in a live Windows setup.
  • Exact steps or command run after this patch: node scripts/run-vitest.mjs src/daemon/schtasks.test.ts
  • Evidence after fix: src/daemon/schtasks.test.ts passed with 29 tests.
  • Observed result after fix: Bare file names still resolve under the state directory; names containing /, \\, or .. throw before path construction.
  • What was not tested: Live Windows scheduled-task installation or startup behavior.
  • Before evidence: N/A

Root Cause (if applicable)

  • Root cause: OPENCLAW_TASK_SCRIPT_NAME was trimmed and joined with the state directory without first checking that it was only a file name.
  • Missing detection / guardrail: There was no regression coverage for path-like task script names.
  • Contributing context (if known): N/A

Regression Test Plan (if applicable)

  • Coverage level that should have caught this:
    • Unit test
    • Seam / integration test
    • End-to-end test
    • Existing coverage already sufficient
  • Target test or file: src/daemon/schtasks.test.ts
  • Scenario the test should lock in: Accept a bare custom script file name and reject path-like script names.
  • Why this is the smallest reliable guardrail: resolveTaskScriptPath() owns the path construction decision directly.
  • Existing test that already covers this (if any): Existing path resolution tests covered defaults and state directory selection, but not path-like script names.
  • If no new test is added, why not: N/A

User-visible / Behavior Changes

OPENCLAW_TASK_SCRIPT_NAME now accepts file names only. Existing explicit OPENCLAW_TASK_SCRIPT path overrides are unchanged.

Diagram (if applicable)

Before:
OPENCLAW_TASK_SCRIPT_NAME -> path.join(stateDir, value)

After:
OPENCLAW_TASK_SCRIPT_NAME -> validate bare file name -> path.join(stateDir, value)

Security Impact (required)

  • New permissions/capabilities? (Yes/No) No
  • Secrets/tokens handling changed? (Yes/No) No
  • New/changed network calls? (Yes/No) No
  • Command/tool execution surface changed? (Yes/No) Yes
  • Data access scope changed? (Yes/No) No
  • If any Yes, explain risk + mitigation: The Windows scheduled-task script-name path now rejects path-like input before the script path is built, reducing the writable path surface for generated task scripts.

Repro + Verification

Environment

  • OS: Linux test environment
  • Runtime/container: Node test wrapper
  • Model/provider: N/A
  • Integration/channel (if any): N/A
  • Relevant config (redacted): OPENCLAW_TASK_SCRIPT_NAME

Steps

  1. Set OPENCLAW_TASK_SCRIPT_NAME to a path-like value such as ../gateway.cmd.
  2. Resolve the Windows scheduled-task script path through resolveTaskScriptPath().
  3. Run the focused daemon test file.

Expected

  • Path-like script names are rejected.
  • Bare script file names still resolve under the gateway state directory.

Actual

  • Focused tests passed and covered both accepted and rejected script-name values.

Evidence

  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

  • Verified scenarios: Default task script path, custom bare file name, and path-like names containing separators or traversal markers.
  • Edge cases checked: Forward slash, backslash, parent traversal, nested path segments, and .. inside the file name.
  • What you did not verify: Live Windows scheduled-task installation.

Review Conversations

  • I replied to or resolved every bot review conversation I addressed in this PR.
  • I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

  • Backward compatible? (Yes/No) Yes for valid bare file names and explicit full-path overrides
  • Config/env changes? (Yes/No) Yes
  • Migration needed? (Yes/No) No
  • If yes, exact upgrade steps: Use OPENCLAW_TASK_SCRIPT_NAME only for a file name. Use OPENCLAW_TASK_SCRIPT when an explicit path override is required.

Risks and Mitigations

  • Risk: Existing local configurations may have used OPENCLAW_TASK_SCRIPT_NAME as a relative path.
    • Mitigation: The explicit OPENCLAW_TASK_SCRIPT override remains available for path-based configuration.

@openclaw-barnacle openclaw-barnacle Bot added gateway Gateway runtime size: XS maintainer Maintainer-authored PR labels May 21, 2026
@clawsweeper

clawsweeper Bot commented May 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR adds validation to resolveTaskScriptPath() so OPENCLAW_TASK_SCRIPT_NAME is treated as a bare filename, plus schtasks regression coverage for accepted and rejected names.

Reproducibility: yes. for the source-level issue: current main joins OPENCLAW_TASK_SCRIPT_NAME under the state directory without proving it is only a filename. I did not establish a live Windows scheduled-task reproduction in this read-only review.

PR rating
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦐 gold shrimp
Summary: The patch targets the right boundary, but mock-only proof and an overbroad filename guard keep it below merge-ready quality.

Rank-up moves:

  • Replace substring .. rejection with segment-aware filename validation and add a legal dotted-name regression test.
  • Add redacted real Windows proof for rejected path-like names and the unchanged OPENCLAW_TASK_SCRIPT full-path override.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs real behavior proof before merge: The PR body provides only focused Vitest output and explicitly says no live Windows setup was tested; add redacted Windows terminal/log/screenshot proof and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review.

Risk before merge

  • Merging this as written can reject existing valid bare filenames such as gateway..cmd, which is broader than the stated filename-only boundary.
  • The PR intentionally changes env-config behavior, so maintainers should explicitly accept path-like OPENCLAW_TASK_SCRIPT_NAME values failing in favor of OPENCLAW_TASK_SCRIPT.
  • The contributor proof is unit-test only and does not show a real Windows scheduled-task or startup-path run after the change.

Maintainer options:

  1. Narrow the filename guard first (recommended)
    Reject path separators and ./.. path segments without banning legal dotted bare filenames, then require Windows proof for the changed env behavior.
  2. Accept the stricter env contract
    Maintainers can intentionally ban any .. substring, but that should be an explicit compatibility decision with migration guidance to OPENCLAW_TASK_SCRIPT.
  3. Pause until Windows proof is available
    Hold the PR until the contributor shows redacted live Windows output for a rejected path-like name and the unchanged full-path override.

Next step before merge
Needs contributor Windows proof plus maintainer handling for the compatibility-sensitive env contract; this should not queue a repair marker while the external proof gate is mock-only.

Security
Cleared: The diff narrows a security-sensitive Windows task-script write path and does not add new dependencies, permissions, secret handling, network calls, or supply-chain execution.

Review findings

  • [P2] Preserve legal dotted filenames — src/daemon/schtasks.ts:53
Review details

Best possible solution:

Land a segment-aware filename-only guard that rejects separators and ./.. path segments, preserves legal dotted filenames and the full-path override, and includes redacted Windows proof.

Do we have a high-confidence way to reproduce the issue?

Yes for the source-level issue: current main joins OPENCLAW_TASK_SCRIPT_NAME under the state directory without proving it is only a filename. I did not establish a live Windows scheduled-task reproduction in this read-only review.

Is this the best way to solve the issue?

No, not as written: the filename-only direction is right, but substring matching .. is broader than the security boundary requires. A segment-aware guard plus proof for the unchanged OPENCLAW_TASK_SCRIPT override is safer.

Label changes:

  • add status: 🛠️ actively grinding: The PR author has acted after the latest ClawSweeper review and work remains. Needs real behavior proof before merge: The PR body provides only focused Vitest output and explicitly says no live Windows setup was tested; add redacted Windows terminal/log/screenshot proof and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review.
  • remove status: 📣 needs proof: Current PR status label is status: 🛠️ actively grinding.

Label justifications:

  • P2: This is focused gateway security hardening with limited blast radius, but it changes env-config behavior and needs compatibility cleanup before merge.
  • merge-risk: 🚨 compatibility: Merging this PR can break existing OPENCLAW_TASK_SCRIPT_NAME configurations, including legal bare filenames containing a double-dot substring.
  • rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🦪 silver shellfish, patch quality is 🦐 gold shrimp, and The patch targets the right boundary, but mock-only proof and an overbroad filename guard keep it below merge-ready quality.
  • status: 🛠️ actively grinding: The PR author has acted after the latest ClawSweeper review and work remains. Needs real behavior proof before merge: The PR body provides only focused Vitest output and explicitly says no live Windows setup was tested; add redacted Windows terminal/log/screenshot proof and update the PR body to trigger re-review, or ask a maintainer to comment @clawsweeper re-review.

Full review comments:

  • [P2] Preserve legal dotted filenames — src/daemon/schtasks.ts:53
    The new guard rejects any .. substring, so OPENCLAW_TASK_SCRIPT_NAME=gateway..cmd throws even though it is a single filename and stays under the state directory. Please reject separators and ./.. path segments rather than every dotted filename, and keep coverage for a legal dotted name.
    Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.86

What I checked:

  • Current main path construction: Current main trims OPENCLAW_TASK_SCRIPT_NAME and passes it directly into path.join(stateDir, scriptName) when OPENCLAW_TASK_SCRIPT is absent. (src/daemon/schtasks.ts:47, ebd8b00cc318)
  • Write surface: The resolved task script path is used to create the parent directory and write the generated task script, so this name controls the Windows task script write location. (src/daemon/schtasks.ts:657, ebd8b00cc318)
  • Documented intended location: The Windows gateway docs describe the fallback launcher as pointing at gateway.cmd inside the state directory, supporting a filename-only boundary for generated scripts. Public docs: docs/gateway/index.md. (docs/gateway/index.md:277, ebd8b00cc318)
  • PR guard remains overbroad: The live PR diff rejects /, \, or any .. substring and explicitly treats gateway..cmd as invalid, even though that is a single bare filename. (src/daemon/schtasks.ts:53, e11d6deaba67)
  • Path semantics check: A focused Node path.win32.join probe showed gateway..cmd stays under the state directory while .. and ../gateway.cmd escape to the parent, so validation should be segment-aware rather than substring-based.
  • Proof gate: The PR body reports only node scripts/run-vitest.mjs src/daemon/schtasks.test.ts and explicitly says a live Windows setup was not tested. (e11d6deaba67)

Likely related people:

  • frankekn: The current resolveTaskScriptPath() implementation, related tests, and node service script-name wiring blame to the squash merge for perf: speed up secrets and nodes help startup #84818. (role: feature introducer; confidence: high; commits: 233765b36105; files: src/daemon/schtasks.ts, src/daemon/schtasks.test.ts, src/daemon/service-env.ts)
  • steipete: Recent history shows multiple Windows schtasks fixes and refactors in the same daemon surface, including quoting, locale/runtime status, fixtures, and restart behavior. (role: adjacent owner; confidence: medium; commits: dafe52e8cf1a, 280c6b117b2f, 80a6eb3131f0; files: src/daemon/schtasks.ts, src/daemon/schtasks.install.test.ts, src/daemon/schtasks.test.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against ebd8b00cc318.

@clawsweeper clawsweeper Bot added rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. P2 Normal backlog priority with limited blast radius. merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. labels May 21, 2026
@clawsweeper

clawsweeper Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?
  • The egg game starts only after the PR passes the real-behavior proof check.
  • Before that, no creature or rarity is rolled. The treat waits for real proof.
  • This is still just collectible flavor: proof affects review readiness, not creature quality.

@pgondhi987

pgondhi987 commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

Not applicable to this automation stage; changelog/release-note and external real behavior proof requirements are handled outside auto-pr stages.

Quoted comment from @clawsweeper:

Codex review: needs real behavior proof before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible ``@clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper` re-review` or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment ``@clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper` autofix`, @clawsweeper automerge, @clawsweeper` fix ci`, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper` explain` to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR validates OPENCLAW_TASK_SCRIPT_NAME in resolveTaskScriptPath() by rejecting separators or .., and adds schtasks regression coverage for accepted bare names and rejected path-like names.

Reproducibility: yes. from source inspection: current main joins OPENCLAW_TASK_SCRIPT_NAME under the state directory without first proving it is only a filename. I did not run a live Windows install during this read-only review.

PR rating
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦐 gold shrimp
Summary: The patch targets the right boundary, but mock-only proof and an overbroad filename guard keep it below merge-ready quality.

Rank-up moves:

  • Replace substring .. rejection with segment-aware filename validation and add a legal dotted-name regression test.
  • Add redacted real Windows proof for the rejected path-like name and unchanged OPENCLAW_TASK_SCRIPT full-path override; updating the PR body should trigger a fresh ClawSweeper review, or a maintainer can comment ``@clawsweeper re-review.
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Needs real behavior proof before merge: The PR body reports only node scripts/run-vitest.mjs src/daemon/schtasks.test.ts; add redacted real Windows terminal/log/screenshot proof of the rejected path-like name and unchanged full-path override, then update the PR body for re-review.

Risk before merge

  • The PR intentionally changes an env-config path, so maintainers should explicitly accept breaking path-like OPENCLAW_TASK_SCRIPT_NAME values in favor of OPENCLAW_TASK_SCRIPT.
  • The current regex rejects legal bare filenames containing .., which can break more configurations than the stated filename-only boundary requires.
  • The PR body reports only focused Vitest proof, not a real Windows scheduled-task or startup-path run after the change.

Maintainer options:

  1. Narrow the filename guard before merge (recommended)
    Require validation that rejects path segments and separators without banning legal dotted bare filenames, then ask for real Windows proof of the changed env behavior.
  2. Accept a stricter env contract explicitly
    Maintainers could intentionally reject any .. substring, but that should be an explicit compatibility decision with migration guidance to OPENCLAW_TASK_SCRIPT.

Next step before merge
Needs contributor real Windows proof and maintainer handling for the compatibility-sensitive filename contract; ClawSweeper should not queue a repair marker while the external proof gate is mock-only.

Security
Cleared: The diff touches a security-sensitive Windows task-script path, but I found no new supply-chain, permission, secret-handling, or code-execution expansion beyond the overbroad compatibility guard noted separately.

Review findings

  • [P2] Preserve legal bare filenames with double dots — src/daemon/schtasks.ts:53
Review details

Best possible solution:

Land a segment-aware filename-only guard that rejects separators and ./.. path segments, preserves legal bare filenames and the full-path override, and includes Windows upgrade proof.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: current main joins OPENCLAW_TASK_SCRIPT_NAME under the state directory without first proving it is only a filename. I did not run a live Windows install during this read-only review.

Is this the best way to solve the issue?

No, not as written: the filename-only direction is right, but substring matching .. is broader than the security boundary requires. The safer fix is segment-aware validation plus explicit proof that full-path users can keep using OPENCLAW_TASK_SCRIPT.

Label changes:

  • add P2: This is a focused gateway security-hardening fix with limited blast radius, but it changes env-config behavior and needs proof/compatibility cleanup before merge.
  • add merge-risk: 🚨 compatibility: Merging this PR can make existing OPENCLAW_TASK_SCRIPT_NAME configurations fail, including legal bare filenames that contain a double-dot substring.
  • add rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🦪 silver shellfish, patch quality is 🦐 gold shrimp, and The patch targets the right boundary, but mock-only proof and an overbroad filename guard keep it below merge-ready quality.
  • add status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body reports only node scripts/run-vitest.mjs src/daemon/schtasks.test.ts; add redacted real Windows terminal/log/screenshot proof of the rejected path-like name and unchanged full-path override, then update the PR body for re-review.

Label justifications:

  • P2: This is a focused gateway security-hardening fix with limited blast radius, but it changes env-config behavior and needs proof/compatibility cleanup before merge.
  • merge-risk: 🚨 compatibility: Merging this PR can make existing OPENCLAW_TASK_SCRIPT_NAME configurations fail, including legal bare filenames that contain a double-dot substring.
  • rating: 🦪 silver shellfish: Current PR rating is 🦪 silver shellfish because proof is 🦪 silver shellfish, patch quality is 🦐 gold shrimp, and The patch targets the right boundary, but mock-only proof and an overbroad filename guard keep it below merge-ready quality.
  • status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs real behavior proof before merge: The PR body reports only node scripts/run-vitest.mjs src/daemon/schtasks.test.ts; add redacted real Windows terminal/log/screenshot proof of the rejected path-like name and unchanged full-path override, then update the PR body for re-review.

Full review comments:

  • [P2] Preserve legal bare filenames with double dots — src/daemon/schtasks.ts:53
    The new guard rejects any .. substring, so OPENCLAW_TASK_SCRIPT_NAME=gateway..cmd throws even though it is a single filename and stays under the state directory. Please reject separators and ./.. path segments rather than every dotted filename, and keep coverage for a legal dotted name.
    Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.84

Acceptance criteria:

  • node scripts/run-vitest.mjs src/daemon/schtasks.test.ts
  • Real Windows proof: set OPENCLAW_TASK_SCRIPT_NAME to a path-like value and confirm the gateway task script path fails closed; set OPENCLAW_TASK_SCRIPT to a full path and confirm that override still works.

What I checked:

  • Current main path construction: resolveTaskScriptPath() currently trims OPENCLAW_TASK_SCRIPT_NAME and passes it directly to path.join(stateDir, scriptName) when the full OPENCLAW_TASK_SCRIPT override is absent. (src/daemon/schtasks.ts:47, b25a0d013b64)
  • Write surface: The resolved task script path is used for fs.mkdir(path.dirname(scriptPath)) and fs.writeFile(scriptPath, script, "utf8"), so the name resolution controls where the generated Windows task script is written. (src/daemon/schtasks.ts:645, b25a0d013b64)
  • Documented intended location: The Windows gateway docs describe the fallback launcher as pointing at gateway.cmd inside the state directory, supporting the file-name-only boundary for generated scripts. Public docs: docs/gateway/index.md. (docs/gateway/index.md:280, b25a0d013b64)
  • Current coverage gap: Current main covers default/profile/state-dir resolution, but has no custom OPENCLAW_TASK_SCRIPT_NAME acceptance or rejection cases before this PR. (src/daemon/schtasks.test.ts:126, b25a0d013b64)
  • PR validation behavior: The proposed source change rejects any /, \, or .. substring; the proposed test suite explicitly rejects gateway..cmd, which is a single bare filename rather than a traversal path. (src/daemon/schtasks.ts:53, b4c1a551b96b)
  • Path behavior check: A focused Node path probe showed path.win32.join('C:\\Users\\test\\.openclaw', 'gateway..cmd') stays under the state directory while '..' escapes to the parent, so validation needs path-segment semantics rather than substring matching.

Likely related people:

  • Shakker: The central resolveTaskScriptPath() lines and related OPENCLAW_TASK_SCRIPT_NAME occurrences blame to Shakker's commit in the available current-main history. (role: recent area contributor; confidence: medium; commits: e3b77d6d2c89; files: src/daemon/schtasks.ts, src/daemon/schtasks.test.ts, src/daemon/service-env.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against b25a0d013b64.

@pgondhi987

pgondhi987 commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

Not applicable to this automation stage; changelog/release-note and external real behavior proof requirements are handled outside auto-pr stages.

Quoted comment from @clawsweeper:

ClawSweeper PR egg

🎁 Pass real behavior proof to wake the egg and unlock a hatchable treat.

Where did the egg go?
  • The egg game starts only after the PR passes the real-behavior proof check.
  • Before that, no creature or rarity is rolled. The treat waits for real proof.
  • This is still just collectible flavor: proof affects review readiness, not creature quality.

@clawsweeper clawsweeper Bot added status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains. and removed status: 📣 needs proof The PR needs real behavior proof before ClawSweeper can clear the contributor ask. labels May 21, 2026
@pgondhi987 pgondhi987 merged commit 229490a into openclaw:main May 22, 2026
24 checks passed
@BradGroux BradGroux mentioned this pull request May 22, 2026
Draft
@github-actions github-actions Bot mentioned this pull request May 22, 2026
Open
eleboucher pushed a commit to eleboucher/homelab that referenced this pull request May 24, 2026
@eleboucher
fix(container): update image ghcr.io/openclaw/openclaw (2026.5.20 ➔ 2…
d519eb8 
…026.5.22) (#645)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/openclaw/openclaw](https://openclaw.ai) ([source](https://github.com/openclaw/openclaw)) | patch | `2026.5.20` → `2026.5.22` |

---

### Release Notes

<details>
<summary>openclaw/openclaw (ghcr.io/openclaw/openclaw)</summary>

### [`v2026.5.22`](https://github.com/openclaw/openclaw/releases/tag/v2026.5.22): openclaw 2026.5.22

[Compare Source](https://github.com/openclaw/openclaw/compare/v2026.5.20...v2026.5.22)

##### 2026.5.22

##### Changes

- Gateway/perf: reuse process-stable channel catalog reads, avoid repeated bundled-channel boundary checks, and rotate gateway watch CPU profiles so benchmark runs do not accumulate unbounded artifacts.
- Gateway/perf: reuse immutable plugin metadata snapshots across startup, config, model, channel, setup, and secret metadata readers so hot paths avoid repeated plugin file stats and manifest registry reloads.
- Gateway/perf: lazy-load startup-idle plugin work, core gateway method handlers, and the embedded ACPX runtime so Gateway health and ready signals no longer wait on unused handler trees or ACPX probes.
- Gateway/perf: cache plugin SDK public-surface alias maps and skip irrelevant macOS Linuxbrew PATH probes so Gateway startup avoids repeated filesystem walks and slow missing-directory stats.
- Meeting Notes: add a source-only external meeting-notes plugin and SDK source-provider contract outside the core npm package, with auto-start capture config, manual transcript imports, read-only `openclaw meeting-notes` CLI access, and Discord voice as the first live source.
- Docs/channels/config: add Signal `configPath`, Telegram wildcard topic defaults, local-time backup archive names, Termux home fallback, include-path validation, secret-scanner-safe placeholder guidance, Gemini CLI/Antigravity media guidance, and macOS VM auto-login guidance. Thanks [@&#8203;NorseGaud](https://github.com/NorseGaud), [@&#8203;yudistiraashadi](https://github.com/yudistiraashadi), [@&#8203;huangqian8](https://github.com/huangqian8), [@&#8203;VibhorGautam](https://github.com/VibhorGautam), [@&#8203;maweibin](https://github.com/maweibin), [@&#8203;tianxingleo](https://github.com/tianxingleo), [@&#8203;IgnacioPro](https://github.com/IgnacioPro), and [@&#8203;xzcxzcyy-claw](https://github.com/xzcxzcyy-claw).
- Docs: clarify model-usage portability, Codex migration prerequisites, status bootstrap wording, thread-bound subagent limits, hook ownership, and config-preserving safety guidance. Thanks [@&#8203;aniruddhaadak80](https://github.com/aniruddhaadak80), [@&#8203;leno23](https://github.com/leno23), [@&#8203;TomDjerry](https://github.com/TomDjerry), [@&#8203;matthewxmurphy](https://github.com/matthewxmurphy), [@&#8203;vincentkoc](https://github.com/vincentkoc), and [@&#8203;stablegenius49](https://github.com/stablegenius49).
- Docs: clarify README onboarding and Gateway startup paths, WhatsApp QR/408 recovery, cron output language prompts, skill advanced features, gateway upstream 403 troubleshooting, and plugin fallback override guidance. Thanks [@&#8203;deepujain](https://github.com/deepujain), [@&#8203;Zacxxx](https://github.com/Zacxxx), [@&#8203;Jah-yee](https://github.com/Jah-yee), [@&#8203;neyric](https://github.com/neyric), [@&#8203;usimic](https://github.com/usimic), [@&#8203;Renu-Cybe](https://github.com/Renu-Cybe), [@&#8203;BigUncle](https://github.com/BigUncle), and [@&#8203;SeashoreShi](https://github.com/SeashoreShi).
- Docs: clarify context-pruning ratio bounds, local dashboard recovery, CLI env markers, remote onboarding token behavior, and Peekaboo Bridge permissions for subprocess agents. Thanks [@&#8203;ayesha-aziz123](https://github.com/ayesha-aziz123), [@&#8203;dishraters](https://github.com/dishraters), [@&#8203;hougangdev](https://github.com/hougangdev), and [@&#8203;brandonlipman](https://github.com/brandonlipman).
- Docs: clarify browser CDP diagnostics, Plugin SDK allowlist imports, status-reaction timing defaults, queue steering behavior, limited-tool troubleshooting, cron HEARTBEAT handling, Telegram multi-agent groups, Bitwarden SecretRef setup, and EasyRunner deployments. Thanks [@&#8203;Quratulain-bilal](https://github.com/Quratulain-bilal), [@&#8203;mbelinky](https://github.com/mbelinky), [@&#8203;Mickey-](https://github.com/Mickey-), [@&#8203;vancece](https://github.com/vancece), [@&#8203;xenouzik](https://github.com/xenouzik), [@&#8203;posigit](https://github.com/posigit), [@&#8203;surlymochan](https://github.com/surlymochan), [@&#8203;janaka](https://github.com/janaka), and [@&#8203;choiking](https://github.com/choiking).
- Crabbox/Testbox: run clean sparse-checkout Testbox syncs from a temporary full checkout and route remote changed gates through Corepack pnpm.
- Docs: clarify IPv4-only Gateway BYOH binding, trusted-proxy scope clearing, Android pairing approval, macOS Accessibility grants, Zalo profile env vars, password-store SecretRef setup, and Chinese memory navigation. Thanks [@&#8203;itskai-dev](https://github.com/itskai-dev), [@&#8203;gwh7078](https://github.com/gwh7078), [@&#8203;longstoryscott](https://github.com/longstoryscott), [@&#8203;MoeJaberr](https://github.com/MoeJaberr), and [@&#8203;yuaiccc](https://github.com/yuaiccc).
- Docs: consolidate GLM under Z.AI, add the Upstash Box install guide and Gateway exposure runbook, clarify MEDIA directives, Copilot and Voyage setup, config path quoting, real behavior proof, and memory-file write guidance. Thanks [@&#8203;BobDu](https://github.com/BobDu), [@&#8203;alitariksahin](https://github.com/alitariksahin), [@&#8203;Jefsky](https://github.com/Jefsky), [@&#8203;musaabhasan](https://github.com/musaabhasan), [@&#8203;OmerZeyveli](https://github.com/OmerZeyveli), [@&#8203;leno23](https://github.com/leno23), [@&#8203;WuKongAI-CMU](https://github.com/WuKongAI-CMU), [@&#8203;luoyanglang](https://github.com/luoyanglang), and [@&#8203;majin1102](https://github.com/majin1102).
- Docs: clarify media provider credentials, Codex/OpenClaw code-mode boundaries, Slack and Telegram ack reactions, Feishu dynamic agents, secrets plaintext boundaries, memory guidance, and Chinese glossary terms. Thanks [@&#8203;nielskaspers](https://github.com/nielskaspers), [@&#8203;cosmopolitan033](https://github.com/cosmopolitan033), [@&#8203;drclaw-iq](https://github.com/drclaw-iq), [@&#8203;alexgduarte](https://github.com/alexgduarte), [@&#8203;zccyman](https://github.com/zccyman), [@&#8203;chengoak](https://github.com/chengoak), and [@&#8203;cassthebandit](https://github.com/cassthebandit).
- Packaging: exclude documentation images and assets from the npm tarball, reducing published package size without affecting runtime docs search or CLI behavior. Thanks [@&#8203;SebTardif](https://github.com/SebTardif).
- Media understanding: stop auto-probing Gemini CLI and use Antigravity CLI only as a lower-priority image/video fallback after configured provider APIs.
- Agents/subagents: limit default sub-agent bootstrap context to `AGENTS.md` and `TOOLS.md`, keeping persona, identity, user, memory, heartbeat, and setup files out of delegated workers by default. ([#&#8203;85283](https://github.com/openclaw/openclaw/issues/85283)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- Maintainer skills: exclude plugin SDK/API boundary work from `openclaw-landable-bug-sweep` so bugbash sweeps stay focused on small paper-cut fixes.
- QA-Lab/diagnostics: extend the OpenTelemetry smoke harness to prove trace, metric, and log export, and add first-class Prometheus and observability smoke aliases.
- Plugin SDK: add a generic channel-message poll sender so channel plugins can expose poll delivery without depending on channel-specific SDK facades.
- Crabbox: keep the local wrapper's provider validation synced with the installed Crabbox binary while preserving supported aliases such as `docker` and `blacksmith`. ([#&#8203;85302](https://github.com/openclaw/openclaw/issues/85302)) Thanks [@&#8203;hxy91819](https://github.com/hxy91819).
- Maintainer skills: add `openclaw-landable-bug-sweep` for producing five small, reviewed, CI-green OpenClaw bugfix PRs from issue/PR sweeps.
- Control UI/chat: add search and Load More pagination to the chat session picker, keeping initial session loads bounded while making older conversations reachable. ([#&#8203;85237](https://github.com/openclaw/openclaw/issues/85237)) Thanks [@&#8203;amknight](https://github.com/amknight).
- CLI/onboarding: start classic onboarding when bare `openclaw` runs before an authored config exists, while keeping configured installs on Crestodian. ([#&#8203;72343](https://github.com/openclaw/openclaw/issues/72343)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev).
- Discord: allow configuring a bounded `agentComponents.ttlMs` callback registry lifetime for long-running component workflows, with per-account overrides and a 24-hour cap. ([#&#8203;84189](https://github.com/openclaw/openclaw/issues/84189)) Thanks [@&#8203;100menotu001](https://github.com/100menotu001).
- xAI/Grok: reuse xAI OAuth auth profiles for Grok `web_search`, thread active-agent auth through web search, add Grok model aliases, and let media providers declare default operation timeouts. ([#&#8203;85182](https://github.com/openclaw/openclaw/issues/85182)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev).
- Plugin SDK: add row-level session workflow helpers and deprecate `loadSessionStore` so plugins can read and patch sessions without depending on the legacy whole-store shape. ([#&#8203;84693](https://github.com/openclaw/openclaw/issues/84693)) Thanks [@&#8203;efpiva](https://github.com/efpiva).
- Gateway/plugins: reuse a compatible Gateway startup plugin registry during dispatch so safe plugin dispatches avoid redundant registry loading. ([#&#8203;84324](https://github.com/openclaw/openclaw/issues/84324)) Thanks [@&#8203;ai-hpc](https://github.com/ai-hpc).
- Plugins/SDK: add a general `embeddingProviders` capability contract and registration API so embeddings can become a reusable provider surface outside memory-specific adapters.
- Dependencies: refresh provider, plugin, UI, and tooling packages, update `protobufjs` to 8.4.0 to clear the current npm advisory, and carry the Claude ACP completion patch forward to `@agentclientprotocol/claude-agent-acp` 0.36.1.
- Agents/tools: remove the old sender-owner tool gating path so configured tools stay visible for trusted sessions while command and channel-action auth still carry real sender identity.
- QA-Lab: add curated mock JSONL replay fixtures and first-drift reporting for runtime-parity audits. ([#&#8203;80323](https://github.com/openclaw/openclaw/issues/80323), refs [#&#8203;80176](https://github.com/openclaw/openclaw/issues/80176)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- QA-Lab: add a QA bus tool-trace visibility scenario for sanitized tool-call assertions.
- QA-Lab: replace generic evidence framing in seeded scenario prompts with concrete observed QA behavior.
- QA-Lab: list named scenario packs in the coverage report so personal-agent privacy coverage stays visible in audits.
- QA-Lab: list live transport lane membership in the coverage report so real transport checks stay separate from seeded qa-channel scenarios.
- Release/package: run package integrity checks before package acceptance lanes so public install/update validation fails before private QA assets can leak into the package.
- QA-Lab: include the optional 100-turn runtime parity soak in release-soak artifacts so long-run Codex/Pi transcript drift stays visible outside the default gate. ([#&#8203;80395](https://github.com/openclaw/openclaw/issues/80395)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- QA-Lab: add a live-only long-context progress watchdog scenario for Codex app-server timeout and stalled-run sentinels. ([#&#8203;80323](https://github.com/openclaw/openclaw/issues/80323)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- QA-Lab: tag gateway restart recovery and streaming final-integrity scenarios as live-only runtime parity lanes. ([#&#8203;80323](https://github.com/openclaw/openclaw/issues/80323)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- QA-Lab: add a personal-agent failure recovery scenario that checks honest partial status, retry boundaries, and local recovery artifacts. ([#&#8203;83872](https://github.com/openclaw/openclaw/issues/83872)) Thanks [@&#8203;iFiras-Max1](https://github.com/iFiras-Max1).
- QA-Lab: include an opt-in `update.run` package self-upgrade sentinel for destructive latest-package recovery checks.
- QA-Lab: add Codex plugin lifecycle and auth-profile fixture coverage for missing installs, pinned-version drift, first-turn install ordering, and doctor migration safety. ([#&#8203;80323](https://github.com/openclaw/openclaw/issues/80323), refs [#&#8203;80174](https://github.com/openclaw/openclaw/issues/80174)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- Models/perf: pre-warm the provider auth-state map at gateway startup so `/models` and every model-listing call short-circuits the per-provider plugin / external-CLI discovery on the hot path. Per-call cost drops from \~20 s to \~5 ms (\~4,100×); the one-time startup warm resets and re-warms after hot reloads. ([#&#8203;84816](https://github.com/openclaw/openclaw/issues/84816)) Thanks [@&#8203;sjf](https://github.com/sjf).
- Release/security: ship the root npm package and OpenClaw-owned npm plugins with generated shrinkwrap, support bundled plugin runtime dependencies for suitable plugin tarballs, and require review for lockfile/shrinkwrap changes so published installs use locked dependency graphs.
- Tests/perf: isolate doctor core health check unit coverage from real skills/workspace discovery so `doctor-core-checks` no longer dominates unit perf while keeping one real skills-readiness smoke. ([#&#8203;84493](https://github.com/openclaw/openclaw/issues/84493)) Thanks [@&#8203;frankekn](https://github.com/frankekn).

##### Fixes

- WebChat: summarize internal message-tool source replies so tool cards no longer duplicate the visible reply body. ([#&#8203;84773](https://github.com/openclaw/openclaw/issues/84773)) Thanks [@&#8203;jason-allen-oneal](https://github.com/jason-allen-oneal).
- Gateway: preserve deferred lifecycle-error cleanup across later non-terminal events so provider timeouts can persist failed session state instead of leaving sessions stuck running. ([#&#8203;85256](https://github.com/openclaw/openclaw/issues/85256), fixes [#&#8203;63819](https://github.com/openclaw/openclaw/issues/63819)) Thanks [@&#8203;samzong](https://github.com/samzong).
- Agents/subagents: report tool-only child progress during timeout summaries instead of showing no visible output.
- Telegram/ACP: preserve explicit `:topic:` conversation suffixes when inbound ACP targets do not carry a separate thread id.
- Browser/proxy: bypass the managed proxy for the exact local managed Chrome CDP readiness and DevTools WebSocket endpoints, so `openclaw browser start` works when the operator proxy blocks loopback egress. ([#&#8203;83255](https://github.com/openclaw/openclaw/issues/83255)) Thanks [@&#8203;lightcap](https://github.com/lightcap).
- Ollama: bypass the managed proxy for configured local embedding origins while keeping SSRF guardrails on unconfigured targets. Thanks [@&#8203;Kaspre](https://github.com/Kaspre).
- OpenAI/images: route Codex API-key image generation through the native OpenAI Images API instead of the Codex OAuth streaming backend, avoiding 401s from valid API keys.
- Agents/OpenAI completions: omit empty tool payload fields for proxy-like OpenAI-compatible endpoints so strict vLLM-style servers accept tool-free turns. ([#&#8203;85835](https://github.com/openclaw/openclaw/issues/85835)) Thanks [@&#8203;rendrag-git](https://github.com/rendrag-git).
- Checks/Windows: route full `pnpm check` stage commands through the managed child runner so Windows avoids Node shell-argv deprecation warnings there too.
- Checks/Windows: run managed child commands through explicit `cmd.exe` wrapping instead of Node shell mode with argv, avoiding Node 24 subprocess deprecation warnings during changed checks.
- Gateway: omit internal stream-error placeholder entries from agent prompt history so failed assistant turns are not replayed as model-authored text. ([#&#8203;85652](https://github.com/openclaw/openclaw/issues/85652)) Thanks [@&#8203;anyech](https://github.com/anyech).
- Sessions: enforce the session write-lock max-hold policy during lock acquisition so long-held locks can be reclaimed before the stale-lock window. ([#&#8203;85764](https://github.com/openclaw/openclaw/issues/85764)) Thanks [@&#8203;njuboy11](https://github.com/njuboy11).
- Models: prune retired Groq, GitHub Copilot, OpenAI, xAI, and old Claude catalog entries, with doctor migration to upgrade existing configs to current provider refs.
- Doctor/update: recognize junction-backed source checkouts as git installs by comparing canonical paths before showing package-manager update guidance. Fixes [#&#8203;82215](https://github.com/openclaw/openclaw/issues/82215). Thanks [@&#8203;igormf](https://github.com/igormf).
- Channels: honor `/verbose on` for tool/progress summaries across direct chats, groups, channels, and forum topics while preserving quiet default behavior. ([#&#8203;85488](https://github.com/openclaw/openclaw/issues/85488)) Thanks [@&#8203;kurplunkin](https://github.com/kurplunkin).
- CLI/skills: show an all-ready note with next-step commands when skill setup has no missing dependencies to install. ([#&#8203;85032](https://github.com/openclaw/openclaw/issues/85032)) Thanks [@&#8203;aniruddhaadak80](https://github.com/aniruddhaadak80).
- Microsoft Foundry: route DeepSeek V4 Pro and Flash models through the Foundry Responses API while keeping older DeepSeek models on their existing path. ([#&#8203;85549](https://github.com/openclaw/openclaw/issues/85549)) Thanks [@&#8203;roslinmahmud](https://github.com/roslinmahmud).
- Status/usage: show configured cost estimates for AWS SDK models in full usage output while keeping token-only usage replies cost-free. ([#&#8203;85619](https://github.com/openclaw/openclaw/issues/85619)) Thanks [@&#8203;ItsOtherMauridian](https://github.com/ItsOtherMauridian).
- Agents/OpenAI Responses: retry non-visible reasoning-only turns for OpenAI Responses API families instead of treating them as empty failed turns. ([#&#8203;85603](https://github.com/openclaw/openclaw/issues/85603)) Thanks [@&#8203;SebTardif](https://github.com/SebTardif).
- Directive tags: preserve message and content-part object identity when display stripping makes no directive-tag changes. ([#&#8203;85682](https://github.com/openclaw/openclaw/issues/85682)) Thanks [@&#8203;willamhou](https://github.com/willamhou).
- Telegram: send local `path`/`filePath` and structured attachment media from `sendMessage` actions instead of dropping them or sending text-only messages. ([#&#8203;85219](https://github.com/openclaw/openclaw/issues/85219)) Thanks [@&#8203;keshavbotagent](https://github.com/keshavbotagent).
- Sessions/status: show the estimated context budget when fresh provider usage is unavailable and clear stale estimates across session resets and compaction boundaries. ([#&#8203;84830](https://github.com/openclaw/openclaw/issues/84830)) Thanks [@&#8203;giodl73-repo](https://github.com/giodl73-repo).
- Gateway/config: pin relative `OPENCLAW_STATE_DIR` overrides to an absolute path at startup so later working-directory changes cannot retarget gateway state. ([#&#8203;52264](https://github.com/openclaw/openclaw/issues/52264)) Thanks [@&#8203;PerfectPan](https://github.com/PerfectPan).
- Release/package: run npm release, prepublish, and postpublish verification through Windows-safe npm command shims so native Windows checks can execute `npm.cmd` instead of treating it as a binary.
- Agents/harness: pass CLI runtime aliases through harness selection so provider-owned CLI aliases no longer get rejected before reaching the right runtime. ([#&#8203;85631](https://github.com/openclaw/openclaw/issues/85631)) Thanks [@&#8203;potterdigital](https://github.com/potterdigital).
- Secrets: show the irreversible apply warning after interactive `secrets configure` confirmation so confirmed migrations still get the final safety prompt. ([#&#8203;85638](https://github.com/openclaw/openclaw/issues/85638)) Thanks [@&#8203;alkor2000](https://github.com/alkor2000).
- Agents/CLI output: ignore cumulative Claude `stream-json` result usage when assistant usage events are present, preventing inflated cache-read accounting. ([#&#8203;85625](https://github.com/openclaw/openclaw/issues/85625)) Thanks [@&#8203;zhouhe-xydt](https://github.com/zhouhe-xydt).
- CLI: keep `waitForever()` alive by leaving its keep-alive interval ref'd so the public helper no longer exits immediately with Node's unsettled-await code. ([#&#8203;85694](https://github.com/openclaw/openclaw/issues/85694)) Thanks [@&#8203;m1qaweb](https://github.com/m1qaweb).
- Agents/bootstrap: guard bootstrap name checks against missing file names so malformed bootstrap entries warn and truncate instead of crashing. Fixes [#&#8203;85523](https://github.com/openclaw/openclaw/issues/85523). ([#&#8203;85615](https://github.com/openclaw/openclaw/issues/85615)) Thanks [@&#8203;zhouhe-xydt](https://github.com/zhouhe-xydt).
- CLI/tasks: reject partially numeric `openclaw tasks audit --limit` values so audit limits must be real positive integers instead of accepting strings like `5abc`. ([#&#8203;84901](https://github.com/openclaw/openclaw/issues/84901)) Thanks [@&#8203;jbetala7](https://github.com/jbetala7).
- Status/diagnostics: bound deep Docker audit probes so `openclaw status --deep` reports slow container checks instead of hanging behind unbounded inspection. ([#&#8203;85476](https://github.com/openclaw/openclaw/issues/85476)) Thanks [@&#8203;giodl73-repo](https://github.com/giodl73-repo).
- Providers/Anthropic: migrate 1M context handling to GA-capable Claude 4.x models by sizing eligible models at 1M without the retired `context-1m-2025-08-07` beta, ignoring that retired beta in older configs, and preserving OAuth-required Anthropic beta headers. ([#&#8203;45613](https://github.com/openclaw/openclaw/issues/45613)) Thanks [@&#8203;haoyu-haoyu](https://github.com/haoyu-haoyu).
- Cron/Telegram: parse forum-topic delivery targets through the Telegram plugin instead of cron core, including `:topic:` and `:topicId` forms for announce delivery. Thanks [@&#8203;etticat](https://github.com/etticat).
- Twitch: keep stale message-handler cleanup callbacks from removing newer handler registrations for the same account, preserving inbound message delivery after reconnects. Fixes [#&#8203;83888](https://github.com/openclaw/openclaw/issues/83888). ([#&#8203;85425](https://github.com/openclaw/openclaw/issues/85425)) Thanks [@&#8203;alkor2000](https://github.com/alkor2000).
- Memory/LanceDB: expose public memory artifacts through the active memory provider bridge so memory-wiki imports durable memory files, daily notes, dream reports, and event logs without depending on memory-core internals. Fixes [#&#8203;83604](https://github.com/openclaw/openclaw/issues/83604). ([#&#8203;85060](https://github.com/openclaw/openclaw/issues/85060)) Thanks [@&#8203;brokemac79](https://github.com/brokemac79).
- Crabbox: keep AWS hydration compatible with local Actions replay by inlining the hydrate workflow's Node/pnpm setup instead of invoking repo-local composite actions.
- Agents/subagents: simplify native sub-agent completion handoff so children report their latest visible assistant result to the requester without using `message`, while keeping parent-owned message-tool delivery policy intact. Fixes [#&#8203;85070](https://github.com/openclaw/openclaw/issues/85070). ([#&#8203;85089](https://github.com/openclaw/openclaw/issues/85089)) Thanks [@&#8203;brokemac79](https://github.com/brokemac79).
- Docker setup: stop printing the Gateway bearer token in setup logs and printed follow-up commands.
- Agents: let embedded compaction fallback retries proceed when PI-compatible candidates do not need agent harness plugin preparation.
- Agents/tools: honor configured custom provider API keys when deciding whether media, image-generation, video-generation, music-generation, and PDF tools are available. ([#&#8203;85570](https://github.com/openclaw/openclaw/issues/85570))
- StepFun: stop advertising stale generic API key auth choices so onboarding only offers runtime-backed Standard and Step Plan choices.
- Diagnostics: keep OpenTelemetry log bodies behind explicit content capture and scrub scoped agent-session keys from OpenTelemetry and Prometheus labels while preserving bounded queue-lane prefixes.
- Windows installer: fail Git checkout installs when `pnpm install` or `pnpm build` fails instead of writing a wrapper to a missing CLI build.
- Sessions: surface previous-transcript archive failures during `/new` rotation so disk rename errors are logged instead of silently hiding stranded transcript files. Fixes [#&#8203;81984](https://github.com/openclaw/openclaw/issues/81984). ([#&#8203;85586](https://github.com/openclaw/openclaw/issues/85586), from [#&#8203;82081](https://github.com/openclaw/openclaw/issues/82081)) Thanks [@&#8203;0xghost42](https://github.com/0xghost42).
- TUI/agents: mirror internal-ui message-tool replies into final chat output so message-tool-only agents remain visible in `openclaw tui`. Fixes [#&#8203;85538](https://github.com/openclaw/openclaw/issues/85538). Thanks [@&#8203;danpolasek](https://github.com/danpolasek).
- Agents: keep parallel OpenAI-compatible tool-call deltas in separate argument buffers so interleaved tool calls no longer corrupt streamed arguments. ([#&#8203;82263](https://github.com/openclaw/openclaw/issues/82263)) Thanks [@&#8203;luna-system](https://github.com/luna-system).
- Memory/doctor: report missing or unusable QMD workspace directories as workspace failures instead of generic binary failures. ([#&#8203;63167](https://github.com/openclaw/openclaw/issues/63167)) Thanks [@&#8203;sercada](https://github.com/sercada).
- Debug proxy: record CONNECT client-socket errors and destroy the paired upstream socket so abrupt client disconnects no longer leak tunnel resources. ([#&#8203;82444](https://github.com/openclaw/openclaw/issues/82444)) Thanks [@&#8203;SebTardif](https://github.com/SebTardif).
- Diffs: continue hydrating later diff cards when one card fails so a single broken card no longer blanks the whole diff viewer. ([#&#8203;84775](https://github.com/openclaw/openclaw/issues/84775)) Thanks [@&#8203;cosmopolitan033](https://github.com/cosmopolitan033).
- Mac app: use the native settings sidebar window chrome so the sidebar toggle stays on the left and content no longer clips under oversized titlebar padding.
- QA-Lab/Codex: bundle auth/plugin fixture imports for flow scenarios and let terminal async media tools end Codex app-server turns without timing out. ([#&#8203;80397](https://github.com/openclaw/openclaw/issues/80397), refs [#&#8203;80323](https://github.com/openclaw/openclaw/issues/80323)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- Gateway/agents: preserve fresh session overrides and metadata when stale cached agent-session entries race with store updates, so subagent model/provider overrides and routing policy survive concurrent writes. ([#&#8203;19328](https://github.com/openclaw/openclaw/issues/19328)) Thanks [@&#8203;CodeReclaimers](https://github.com/CodeReclaimers).
- Control UI/chat: keep chat session search inline with the session selector so the header no longer shows a duplicate standalone search row.
- Control UI/chat: collapse focused-mode header chrome and suppress hidden-header scroll updates so focus mode no longer jumps while scrolling. Thanks [@&#8203;amknight](https://github.com/amknight).
- Codex app-server: restart the native app-server and retry once when server-side compaction times out, so preflight compaction stalls recover instead of failing every dispatch. ([#&#8203;85500](https://github.com/openclaw/openclaw/issues/85500))
- Restore Control UI gateway token pairing \[AI]. ([#&#8203;85459](https://github.com/openclaw/openclaw/issues/85459)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987).
- OpenAI video: honor configured provider request private-network opt-in for local/custom video endpoints so explicitly trusted mock and self-hosted providers are not blocked. Thanks [@&#8203;shakkernerd](https://github.com/shakkernerd).
- OpenAI video: send uploaded video edit requests to the documented `/videos/edits` endpoint with a `video` file instead of posting MP4 references to `/videos`. Thanks [@&#8203;shakkernerd](https://github.com/shakkernerd).
- Agents/channels: preserve message-tool delivery evidence through gateway agent completion handoffs so successful generated media sends are not followed by false failure messages. Thanks [@&#8203;shakkernerd](https://github.com/shakkernerd).
- CLI/update: repair managed npm plugin `openclaw` peer links during post-core convergence and reject stale or wrong-target peer links before restart. ([#&#8203;83794](https://github.com/openclaw/openclaw/issues/83794)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev).
- CLI/agents: default new omitted-account bindings to all accounts when the channel has multiple configured accounts, and clarify account-scope docs. ([#&#8203;49769](https://github.com/openclaw/openclaw/issues/49769)) Thanks [@&#8203;Gcaufy](https://github.com/Gcaufy).
- Codex app-server: let authorized `/codex` control commands such as `/codex detach` escape plugin-owned conversation bindings while keeping unknown or unauthorized slash text routed to the bound plugin. Fixes [#&#8203;85157](https://github.com/openclaw/openclaw/issues/85157). ([#&#8203;85188](https://github.com/openclaw/openclaw/issues/85188)) Thanks [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Auto-reply/models: keep `/models` browse replies fast by sharing the bounded read-only catalog path with Gateway model listing. ([#&#8203;84735](https://github.com/openclaw/openclaw/issues/84735)) Thanks [@&#8203;safrano9999](https://github.com/safrano9999).
- Codex app-server: disable native Code Mode when the effective exec host is `node` and keep OpenClaw `exec`/`process` available, so `/exec host=node` routes shell commands through the selected node instead of the gateway. Fixes [#&#8203;85012](https://github.com/openclaw/openclaw/issues/85012). ([#&#8203;85090](https://github.com/openclaw/openclaw/issues/85090)) Thanks [@&#8203;sahilsatralkar](https://github.com/sahilsatralkar).
- Agents: bound embedded auto-compaction session write-lock watchdogs to the compaction timeout instead of the full run timeout, so stuck compaction cannot hold the live session lock for the whole run window. ([#&#8203;84949](https://github.com/openclaw/openclaw/issues/84949)) Thanks [@&#8203;luoyanglang](https://github.com/luoyanglang).
- Gateway/agents: return phase-aware `agent.wait` timeout attribution and only cool auth profiles on provider-started timeouts. Refs [#&#8203;65504](https://github.com/openclaw/openclaw/issues/65504). Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- Gateway: defer provider auth-state prewarm until after startup readiness so early gateway tool/session requests are not blocked by provider auth discovery. ([#&#8203;85272](https://github.com/openclaw/openclaw/issues/85272)) Thanks [@&#8203;dutifulbob](https://github.com/dutifulbob).
- Gateway/models: coalesce provider auth-state rewarms after auth-profile failures and log event-loop delay for warm/rewarm work, so provider auth bursts no longer stack full auth sweeps behind channel replies.
- Gateway/models: stop cancelled provider auth-state prewarms from continuing full provider sweeps, so reload and auth-failure bursts no longer keep startup busy.
- Agents/Codex: show the first plan update as a transient chat status notice without counting it as final assistant content.
- CLI/update: walk the macOS process ancestry and honor the inherited Gateway runtime PID before package updates stop the managed Gateway service, so nested in-band updater children can refuse instead of killing the LaunchAgent-supervised Gateway that owns them. Fixes [#&#8203;85120](https://github.com/openclaw/openclaw/issues/85120).
- Gateway/LaunchAgent: wait for launchd reload bootout to finish and fall back to kickstart when bootstrap races, so reload handoff does not leave the service deregistered. Fixes [#&#8203;84630](https://github.com/openclaw/openclaw/issues/84630). ([#&#8203;84641](https://github.com/openclaw/openclaw/issues/84641)) Thanks [@&#8203;NianJiuZst](https://github.com/NianJiuZst).
- Gateway/LaunchAgent: treat a concurrent launchd bootstrap as a successful restart when the service is already loaded, avoiding false macOS Gateway restart failures. Fixes [#&#8203;84721](https://github.com/openclaw/openclaw/issues/84721). ([#&#8203;84722](https://github.com/openclaw/openclaw/issues/84722)) Thanks [@&#8203;googlerest](https://github.com/googlerest).
- Gateway/service: include the active `openclaw` command bin directory in managed service PATH generation and doctor audit expectations for npm-global macOS installs. Fixes [#&#8203;84201](https://github.com/openclaw/openclaw/issues/84201). ([#&#8203;84475](https://github.com/openclaw/openclaw/issues/84475)) Thanks [@&#8203;jbetala7](https://github.com/jbetala7).
- Control UI/chat: disable the thinking selector for known non-reasoning models instead of showing duplicate Off choices. Fixes [#&#8203;84069](https://github.com/openclaw/openclaw/issues/84069). Thanks [@&#8203;DrippingMellow](https://github.com/DrippingMellow).
- Memory: expand `~` in configured extra memory paths before resolving them, so home-relative folders are not treated as workspace-relative. Fixes [#&#8203;58026](https://github.com/openclaw/openclaw/issues/58026). Thanks [@&#8203;stadman](https://github.com/stadman).
- Skills: treat `openclaw.os: macos` as Darwin when checking skill requirements, so macOS-only skills no longer report as missing on macOS hosts. Fixes [#&#8203;61338](https://github.com/openclaw/openclaw/issues/61338). Thanks [@&#8203;Jessecq1995](https://github.com/Jessecq1995).
- Control UI/logs: strip ANSI escape sequences from displayed Gateway log messages so color codes no longer appear as raw text. Fixes [#&#8203;64399](https://github.com/openclaw/openclaw/issues/64399). Thanks [@&#8203;guguangxin-eng](https://github.com/guguangxin-eng).
- Docker: pre-create the workspace and auth-profile config mount points with `node` ownership so first-run named volumes do not start root-owned. Fixes [#&#8203;85076](https://github.com/openclaw/openclaw/issues/85076). Thanks [@&#8203;Noerr](https://github.com/Noerr).
- Telegram: pass configured markdown table mode through outbound markdown chunking so chunked sends render tables consistently. Fixes [#&#8203;85085](https://github.com/openclaw/openclaw/issues/85085). Thanks [@&#8203;ShuaiHui](https://github.com/ShuaiHui).
- CLI/update: preserve managed Gateway service environment during package cutovers so macOS LaunchAgent repair/restart reads the pre-update service state instead of caller shell state. ([#&#8203;83026](https://github.com/openclaw/openclaw/issues/83026))
- Agents/providers: honor per-model `api` and `baseUrl` overrides in custom provider auth hooks and transport selection. Fixes [#&#8203;80487](https://github.com/openclaw/openclaw/issues/80487). ([#&#8203;80488](https://github.com/openclaw/openclaw/issues/80488)) Thanks [@&#8203;huveewomg](https://github.com/huveewomg).
- Gateway/restart: eager-load the lifecycle runtime before in-place upgrade signal handling so package replacement does not deadlock restart imports. ([#&#8203;84890](https://github.com/openclaw/openclaw/issues/84890)) Thanks [@&#8203;myps6415](https://github.com/myps6415).
- CLI/update: start managed Gateway update handoff helpers from a stable existing directory and tolerate deleted cwd/package roots during macOS LaunchAgent handoff. Fixes [#&#8203;83808](https://github.com/openclaw/openclaw/issues/83808). ([#&#8203;83875](https://github.com/openclaw/openclaw/issues/83875)) Thanks [@&#8203;jason-allen-oneal](https://github.com/jason-allen-oneal).
- Skills: watch each shared skill directory once across agent workspaces instead of once per agent, preventing file-descriptor exhaustion (`EMFILE`) that disposed bundle-mcp processes and stalled sessions on multi-agent gateways. Fixes [#&#8203;84968](https://github.com/openclaw/openclaw/issues/84968). ([#&#8203;85130](https://github.com/openclaw/openclaw/issues/85130)) Thanks [@&#8203;openperf](https://github.com/openperf).
- Release/security: keep generated npm shrinkwrap package versions inside the pnpm lock graph so published package locks cannot bypass pnpm dependency age and override policy.
- Cron: honor `cron.retry.retryOn: ["network"]` for common network error codes such as `EAI_AGAIN`, `EHOSTUNREACH`, and `ENETUNREACH`.
- Gateway chat: broadcast returned agent-run error payloads after an agent starts so ACP/WebChat clients receive terminal idle-timeout errors. Fixes [#&#8203;84945](https://github.com/openclaw/openclaw/issues/84945).
- Gateway chat display: preserve OpenAI-compatible `prompt_tokens`, `completion_tokens`, and `total_tokens` usage fields in sanitized chat history so llama.cpp sessions keep context counts. Fixes [#&#8203;77992](https://github.com/openclaw/openclaw/issues/77992). Thanks [@&#8203;MarTT79](https://github.com/MarTT79).
- Dashboard/CLI: allow macOS browser launching through `open` even when SSH environment variables are present, while preserving Linux SSH no-display protection. Fixes [#&#8203;67088](https://github.com/openclaw/openclaw/issues/67088). Thanks [@&#8203;theglove44](https://github.com/theglove44).
- Codex app-server: keep native web search observations out of mirrored chat transcripts while preserving tool progress telemetry. Fixes [#&#8203;85109](https://github.com/openclaw/openclaw/issues/85109). Thanks [@&#8203;ugitmebaby](https://github.com/ugitmebaby).
- OpenCode Go: strip unsupported Kimi reasoning replay fields before provider requests so repeated `kimi-k2.6` turns do not fail schema validation. Fixes [#&#8203;83812](https://github.com/openclaw/openclaw/issues/83812). Thanks [@&#8203;Sleeck](https://github.com/Sleeck).
- Browser/CDP: add a WSL2 portproxy self-loop hint when Chrome DevTools endpoints accept connections but return an empty HTTP reply. Fixes [#&#8203;59209](https://github.com/openclaw/openclaw/issues/59209). Thanks [@&#8203;Owlock](https://github.com/Owlock).
- Agents/OpenAI: preserve structured provider error code, type, and redacted body metadata on boundary-aware transport failures.
- Doctor/Codex: point native Codex asset warnings at the canonical `openclaw migrate plan codex` preview command. Fixes [#&#8203;84948](https://github.com/openclaw/openclaw/issues/84948). Thanks [@&#8203;markoa](https://github.com/markoa).
- CLI/models: make `capability model auth logout --agent` remove auth profiles from the selected non-default agent store. Fixes [#&#8203;85092](https://github.com/openclaw/openclaw/issues/85092). Thanks [@&#8203;islandpreneur007](https://github.com/islandpreneur007).
- Gateway/models: reuse prepared provider auth metadata during model-listing auth checks so repeated lookups avoid broad plugin discovery while preserving synthetic local auth.
- CLI/status: suppress systemd user-service setup hints when `openclaw status --deep` can already reach a running Gateway RPC service. Fixes [#&#8203;85094](https://github.com/openclaw/openclaw/issues/85094). Thanks [@&#8203;islandpreneur007](https://github.com/islandpreneur007).
- CLI/devices: recover local approval when a same-device repair request replaces the request ID being approved.
- CLI/agents: retry transient normal-close Gateway handshakes before falling back to embedded `openclaw agent` execution.
- CLI/update: keep managed Gateway service stop/restart status lines out of `openclaw update --json` stdout so package-update automation can parse the JSON payload.
- Plugins: resolve OpenClaw plugin SDK subpaths for native external plugin runtimes without mutating package installs or broadening process-wide module resolution.
- Agents/OpenAI: preserve Responses and Chat Completions `reasoning_tokens` usage metadata without double-counting it in aggregate output tokens. ([#&#8203;85319](https://github.com/openclaw/openclaw/issues/85319))
- Control UI/chat: convert pasted `data:image/...;base64,...` clipboard text into an image attachment instead of dumping the payload into the composer. Fixes [#&#8203;62604](https://github.com/openclaw/openclaw/issues/62604). Thanks [@&#8203;cpwilhelmi](https://github.com/cpwilhelmi).
- Providers/Gemini: strip fractional seconds from web-search time range filters so Gemini accepts freshness-bound search requests. ([#&#8203;85071](https://github.com/openclaw/openclaw/issues/85071)) Thanks [@&#8203;Noerr](https://github.com/Noerr).
- OpenAI Codex: preserve image input support for sparse `openai-codex/gpt-5.5` catalog rows. ([#&#8203;85095](https://github.com/openclaw/openclaw/issues/85095)) Thanks [@&#8203;sercada](https://github.com/sercada).
- CLI/models: add a piped or pasted API-key path for OpenAI Codex auth and warn when API keys are pasted into token-mode auth. ([#&#8203;85533](https://github.com/openclaw/openclaw/issues/85533)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Telegram: dead-letter missing-harness isolated ingress failures so a poisoned spooled update no longer blocks later same-lane messages. Fixes [#&#8203;85470](https://github.com/openclaw/openclaw/issues/85470). ([#&#8203;85605](https://github.com/openclaw/openclaw/issues/85605)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Plugins/discovery: strip `-plugin` package suffixes when deriving plugin id hints so package names line up with manifest ids. ([#&#8203;85170](https://github.com/openclaw/openclaw/issues/85170)) Thanks [@&#8203;JulyanXu](https://github.com/JulyanXu).
- Tlon: stop advertising a non-existent agent tool contract in the plugin manifest.
- Telegram: preserve fenced code block languages through Markdown rendering so Telegram receives `language-*` code classes. ([#&#8203;85209](https://github.com/openclaw/openclaw/issues/85209)) Thanks [@&#8203;leno23](https://github.com/leno23).
- Windows installer: run npm and Corepack command shims from a Windows-local directory so installs launched from WSL2 UNC paths do not fail before OpenClaw is installed.
- Windows updates: roll back git-backed updates to the previous checkout when dependency install, build, UI build, or doctor repair fails.
- Windows installer: persist user-local portable Git on PATH and activate the repo-pinned pnpm version for git-backed installs and updates.
- Windows installer: bootstrap a user-local portable Node.js when native Windows has no Node and no winget, Chocolatey, or Scoop, so first-run installs can continue on raw hosts.
- Windows installer: extract the downloaded portable Node.js directory with native `tar` before falling back to .NET zip extraction, avoiding PowerShell 5.1 archive and path-length failures.
- fix(integrations): enforce channel read target allowlists \[AI]. ([#&#8203;84982](https://github.com/openclaw/openclaw/issues/84982)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987).
- Agents/heartbeat: route single-owner `session.dmScope=main` direct-message exec and cron event wakes back to the agent main session so async completions no longer strand context in orphan direct-DM queues. Fixes [#&#8203;71581](https://github.com/openclaw/openclaw/issues/71581). ([#&#8203;83743](https://github.com/openclaw/openclaw/issues/83743)) Thanks [@&#8203;Kaspre](https://github.com/Kaspre).
- Agents/code-mode: expose outer code-mode `exec` source through the `command` hook alias with `toolKind`/`toolInputKind` discriminators so exec-shaped policies can distinguish code-mode cells. ([#&#8203;83483](https://github.com/openclaw/openclaw/issues/83483)) Thanks [@&#8203;Kaspre](https://github.com/Kaspre).
- Agents/code mode: return structured timeout and runtime-unavailable error codes for known worker failures. Fixes [#&#8203;83389](https://github.com/openclaw/openclaw/issues/83389). ([#&#8203;83444](https://github.com/openclaw/openclaw/issues/83444)) Thanks [@&#8203;Kaspre](https://github.com/Kaspre).
- QA-Lab: isolate multi-scenario suite workers when scenarios need startup config patches, preventing message-routing config from leaking into unrelated scenarios.
- QA-Lab: make the commitments heartbeat-target-none scenario request an immediate heartbeat instead of waiting for the next scheduled heartbeat.
- Codex/Plugin SDK: deliver Codex-native subagent completions through a generic harness task runtime so harness-backed plugins can mirror durable task lifecycle and completion delivery without Codex-specific SDK imports. ([#&#8203;83445](https://github.com/openclaw/openclaw/issues/83445)) Thanks [@&#8203;bryanpearson](https://github.com/bryanpearson).
- Gateway CLI: surface local post-challenge connect assembly failures immediately instead of waiting for the wrapper timeout. Fixes [#&#8203;68944](https://github.com/openclaw/openclaw/issues/68944). ([#&#8203;85253](https://github.com/openclaw/openclaw/issues/85253)) Thanks [@&#8203;samzong](https://github.com/samzong).
- Messages: strip unsupported web-search citation control markers from outbound replies before they reach WebChat or external channels. Fixes [#&#8203;85193](https://github.com/openclaw/openclaw/issues/85193). ([#&#8203;85204](https://github.com/openclaw/openclaw/issues/85204)) Thanks [@&#8203;neeravmakwana](https://github.com/neeravmakwana).
- Agents/exec: treat denied exec approvals as terminal instead of feeding them back into agent follow-up work, and recognize Chinese stop phrases in abort handling. Fixes [#&#8203;69386](https://github.com/openclaw/openclaw/issues/69386). ([#&#8203;85194](https://github.com/openclaw/openclaw/issues/85194)) Thanks [@&#8203;samzong](https://github.com/samzong).
- CLI/agents: abort accepted Gateway-backed `openclaw agent` runs on SIGINT/SIGTERM so cron and supervisor timeouts do not leave remote agent work alive. Fixes [#&#8203;71710](https://github.com/openclaw/openclaw/issues/71710). ([#&#8203;84381](https://github.com/openclaw/openclaw/issues/84381)) Thanks [@&#8203;Kaspre](https://github.com/Kaspre).
- Codex app-server: retry replay-safe stdio client-close turns once using structured failure metadata, while surfacing idle `turn/completed` timeouts instead of blindly replaying active shared-server turns. Thanks [@&#8203;VACInc](https://github.com/VACInc).
- Codex app-server: reject command overrides that embed Node or package-manager arguments and point users to `appServer.args`, so Windows startup avoids shell parsing failures. ([#&#8203;84417](https://github.com/openclaw/openclaw/issues/84417)) Thanks [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Agents/Copilot: drop unsafe GitHub Copilot Responses reasoning replay items before send so Telegram direct sessions no longer fail on overlong replay IDs. Fixes [#&#8203;85197](https://github.com/openclaw/openclaw/issues/85197). ([#&#8203;85198](https://github.com/openclaw/openclaw/issues/85198)) Thanks [@&#8203;galiniliev](https://github.com/galiniliev).
- UI: add accessible tooltips to the topbar color-mode buttons so System, Light, and Dark choices are labeled on hover and focus. ([#&#8203;85227](https://github.com/openclaw/openclaw/issues/85227)) Thanks [@&#8203;amknight](https://github.com/amknight).
- fix: constrain Windows task script names \[AI]. ([#&#8203;85064](https://github.com/openclaw/openclaw/issues/85064)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987).
- Control UI: keep the chat session picker from hiding older or cross-agent configured conversations while preserving the bounded configured-agent refresh. ([#&#8203;85211](https://github.com/openclaw/openclaw/issues/85211)) Thanks [@&#8203;amknight](https://github.com/amknight).
- Agents/Anthropic: preserve unsafe integer tool-call input values in streamed Anthropic tool-use JSON, preventing Discord-style IDs from being rounded before dispatch. Fixes [#&#8203;47229](https://github.com/openclaw/openclaw/issues/47229). ([#&#8203;83063](https://github.com/openclaw/openclaw/issues/83063)) Thanks [@&#8203;leno23](https://github.com/leno23).
- Agents/Codex: estimate tool-heavy prompt pressure at the LLM boundary before provider submission, so persistent sessions compact before overflowing context windows. ([#&#8203;85541](https://github.com/openclaw/openclaw/issues/85541)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev) and [@&#8203;joshavant](https://github.com/joshavant).
- Agents/hooks: wait for local one-shot CLI and Codex `agent_end` plugin hooks before process cleanup so terminal observability flushes reliably. ([#&#8203;85007](https://github.com/openclaw/openclaw/issues/85007))
- Providers/Google: preserve Gemini 3 cron `thinkingDefault: "low"` when stale catalog metadata says `reasoning:false`, so scheduled runs keep provider-supported thinking instead of downgrading to off. ([#&#8203;85185](https://github.com/openclaw/openclaw/issues/85185)) Thanks [@&#8203;neeravmakwana](https://github.com/neeravmakwana).
- CLI/agents: allow `openclaw agent --session-key` to target explicit session keys, including agent-scoped legacy keys. ([#&#8203;85121](https://github.com/openclaw/openclaw/issues/85121)) Thanks [@&#8203;Kaspre](https://github.com/Kaspre).
- Auto-reply/ACP: wait for same-channel block reply delivery before starting tool work, while still honoring ACP dispatch aborts so stopped turns do not wait on slow channel sends. ([#&#8203;83722](https://github.com/openclaw/openclaw/issues/83722)) Thanks [@&#8203;IWhatsskill](https://github.com/IWhatsskill).
- Codex/ACP: mark required child-run completions that only report progress, omit a final deliverable, or fail requester delivery as blocked while preserving real final reports. ([#&#8203;85110](https://github.com/openclaw/openclaw/issues/85110)) Thanks [@&#8203;IWhatsskill](https://github.com/IWhatsskill).
- Channels: treat bare abort messages such as `stop`, `abort`, and `wait` as immediate control commands in inbound debounce paths so stop requests are not delayed behind pending message coalescing. ([#&#8203;83348](https://github.com/openclaw/openclaw/issues/83348)) Thanks [@&#8203;IWhatsskill](https://github.com/IWhatsskill).
- Channels/message tool: resolve configured external channel plugins during in-agent channel selection, so `openclaw agent --local` message-tool sends no longer report an available channel as unavailable. ([#&#8203;85022](https://github.com/openclaw/openclaw/issues/85022)) Thanks [@&#8203;Kaspre](https://github.com/Kaspre).
- Agents/heartbeat: honor group/channel `message_tool` visible-reply policy and model-specific Codex runtime config for scheduled heartbeat runs, so failed internal tool output stays private. Fixes [#&#8203;85310](https://github.com/openclaw/openclaw/issues/85310). ([#&#8203;85357](https://github.com/openclaw/openclaw/issues/85357)) Thanks [@&#8203;neeravmakwana](https://github.com/neeravmakwana).
- Gateway/ACP: close child ACP sessions spawned via `sessions_spawn` when their parent session is reset or deleted, instead of leaving orphaned `claude-agent-acp` processes that accumulate and exhaust memory. Fixes [#&#8203;68916](https://github.com/openclaw/openclaw/issues/68916). ([#&#8203;85190](https://github.com/openclaw/openclaw/issues/85190)) Thanks [@&#8203;openperf](https://github.com/openperf).
- Codex app-server: block native execution paths when OpenClaw exec resolves to a node host while preserving the first-party CLI node binding path. Fixes [#&#8203;85012](https://github.com/openclaw/openclaw/issues/85012). ([#&#8203;85534](https://github.com/openclaw/openclaw/issues/85534)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Diagnostics: bound cleanup timeout detail logs, emit drop summaries when async diagnostic bursts exceed the queue cap, and surface async queue drops through diagnostic telemetry.
- Agents/subagents: surface blocked child-run completions as errors instead of successful subagent finishes. ([#&#8203;80886](https://github.com/openclaw/openclaw/issues/80886)) Thanks [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Context engines: fail closed with a descriptive error when the selected agent runtime cannot satisfy declared context-engine host requirements.
- Agents/Pi: treat accepted embedded `sessions_spawn` child-session handoffs as terminal progress so parent turns no longer report false non-deliverable failures. ([#&#8203;85054](https://github.com/openclaw/openclaw/issues/85054)) Thanks [@&#8203;samzong](https://github.com/samzong).
- CLI/models: resolve `openclaw models set` aliases from the runtime config while keeping authored aliases ahead of runtime-only defaults. ([#&#8203;83262](https://github.com/openclaw/openclaw/issues/83262)) Thanks [@&#8203;IWhatsskill](https://github.com/IWhatsskill).
- Doctor: show personal Codex CLI asset notices as info instead of warnings. Fixes [#&#8203;84859](https://github.com/openclaw/openclaw/issues/84859).
- WhatsApp: update Baileys to `7.0.0-rc13` and drop the obsolete logger type patch.
- CLI/update: pre-pack GitHub/git package update targets before the staged npm install, restoring `openclaw update --tag main` for one-off package updates. ([#&#8203;81296](https://github.com/openclaw/openclaw/issues/81296)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev).
- Gateway: mirror successful same-source message-tool sends into session transcripts so delivered replies stay in later history/context. ([#&#8203;84837](https://github.com/openclaw/openclaw/issues/84837)) Thanks [@&#8203;iFiras-Max1](https://github.com/iFiras-Max1).
- Media generation: keep image, music, and video completion delivery from duplicating or losing task ownership when generated media finishes through active session replies. ([#&#8203;84006](https://github.com/openclaw/openclaw/issues/84006)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev).
- Infra/json: retry transient `File changed during read` races while loading JSON state so config and state reads recover instead of failing the turn. ([#&#8203;84285](https://github.com/openclaw/openclaw/issues/84285))
- Plugins/providers: fail closed for workspace provider plugins during setup-mode discovery unless explicitly trusted, preventing untrusted workspace plugin code from running during provider setup. ([#&#8203;81069](https://github.com/openclaw/openclaw/issues/81069)) Thanks [@&#8203;mmaps](https://github.com/mmaps).
- Providers/Ollama: resolve configured Ollama Cloud `OLLAMA_API_KEY` markers to the real discovery key so cloud provider entries keep authenticated model catalog access. ([#&#8203;85037](https://github.com/openclaw/openclaw/issues/85037))
- Discord: keep persistent component registry fallback warnings actionable by forwarding structured error and cause metadata through the runtime logger. Fixes [#&#8203;84185](https://github.com/openclaw/openclaw/issues/84185). ([#&#8203;84190](https://github.com/openclaw/openclaw/issues/84190)) Thanks [@&#8203;100menotu001](https://github.com/100menotu001).
- Gateway/sessions: preserve compatible session auth profile overrides when switching models within the same provider, including provider-auth aliases. Fixes [#&#8203;81837](https://github.com/openclaw/openclaw/issues/81837). ([#&#8203;81886](https://github.com/openclaw/openclaw/issues/81886)) Thanks [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Gateway/status: surface inbound delivery telemetry counters and transport-liveness warnings in `openclaw status --all`. Fixes [#&#8203;49577](https://github.com/openclaw/openclaw/issues/49577). ([#&#8203;72724](https://github.com/openclaw/openclaw/issues/72724))
- Docker: prune package-excluded plugin source workspaces and dependency closures so runtime images do not keep packages for plugins that were not opted in.
- Providers/Ollama: treat Docker/OrbStack host aliases as local Ollama endpoints so `ollama-local` marker auth works when OpenClaw runs inside a VM/container and Ollama runs on the host. Fixes [#&#8203;84875](https://github.com/openclaw/openclaw/issues/84875).
- QA-Lab: keep explicitly searchable/deferred OpenClaw dynamic tool rows report-only by default so tool-coverage gates do not treat mock discovery gaps as hard product failures. ([#&#8203;80319](https://github.com/openclaw/openclaw/issues/80319)) Thanks [@&#8203;100yenadmin](https://github.com/100yenadmin).
- Agents/config: keep non-Google provider model refs from being rewritten by Google Gemini preview-id normalization. ([#&#8203;84762](https://github.com/openclaw/openclaw/issues/84762)) Thanks [@&#8203;zhangguiping-xydt](https://github.com/zhangguiping-xydt).
- Installer: require a real controlling terminal before launching onboarding so headless `curl | bash` installs finish cleanly after installing the CLI.
- Agents/Codex: promote a completed final assistant response when a prompt timeout races Codex app-server completion instead of returning an empty timeout envelope. Refs [#&#8203;84516](https://github.com/openclaw/openclaw/issues/84516).
- Codex app-server: keep interrupted turn statuses from being treated as OpenClaw aborts by themselves, so tool-only turns remain eligible for no-visible-answer recovery. Fixes [#&#8203;84492](https://github.com/openclaw/openclaw/issues/84492).
- Agents: cap heartbeat model bleed context hints by the stored session window when runtime model metadata is unavailable, so overflow recovery advice does not suggest a larger window than the active session actually has.
- Control UI/Web Push: use `https://openclaw.ai` as the generated default VAPID subject instead of the old localhost mailbox so iOS PWA push setup uses an Apple-acceptable subject when `OPENCLAW_VAPID_SUBJECT` is unset. Fixes [#&#8203;83134](https://github.com/openclaw/openclaw/issues/83134). ([#&#8203;83317](https://github.com/openclaw/openclaw/issues/83317)) Thanks [@&#8203;IWhatsskill](https://github.com/IWhatsskill).
- Control UI: distinguish inherited thinking-off settings from explicit Off selections so the thinking selector no longer shows two identical Off rows. ([#&#8203;85223](https://github.com/openclaw/openclaw/issues/85223)) Thanks [@&#8203;amknight](https://github.com/amknight).
- Agents/Pi: keep embedded session transcript writes from tripping false takeover detection after packaged npm onboarding agent turns.
- Codex/TUI: surface Codex-native post-turn compaction failures instead of continuing uncompacted, and keep successful native compaction serialized before local idle/next-turn handling. Fixes [#&#8203;84305](https://github.com/openclaw/openclaw/issues/84305). ([#&#8203;85160](https://github.com/openclaw/openclaw/issues/85160)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Memory/search: stop recall tracking from writing dreaming side-effect artifacts when `dreaming.enabled=false`, while preserving normal search results. Fixes [#&#8203;84436](https://github.com/openclaw/openclaw/issues/84436). ([#&#8203;84444](https://github.com/openclaw/openclaw/issues/84444)) Thanks [@&#8203;NianJiuZst](https://github.com/NianJiuZst).
- Diffs: render viewer toolbar icons from a closed icon-name map instead of HTML strings, removing the toolbar icon XSS sink. ([#&#8203;83955](https://github.com/openclaw/openclaw/issues/83955)) Thanks [@&#8203;tanshanshan](https://github.com/tanshanshan).
- QA: keep `pnpm qa:e2e` self-check runs inside the private QA runtime envelope even when inherited shell env disables bundled plugins.
- fix(config): validate browser sandbox bind sources \[AI]. ([#&#8203;84799](https://github.com/openclaw/openclaw/issues/84799)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987).
- doctor: constrain legacy plugin cleanup paths \[AI]. ([#&#8203;84801](https://github.com/openclaw/openclaw/issues/84801)) Thanks [@&#8203;pgondhi987](https://github.com/pgondhi987).
- Update/doctor: prune stale local bundled plugin install records that point at old compiled bundled output so current bundled plugin schemas win after upgrade. ([#&#8203;84863](https://github.com/openclaw/openclaw/issues/84863)) Thanks [@&#8203;fuller-stack-dev](https://github.com/fuller-stack-dev).
- Providers/Ollama: preserve native Ollama tool-call IDs across assistant replay so Gemini over Ollama Cloud can keep its hidden function-call thought-signature handle.
- Discord: keep session recovery and `/stop` abort ownership on the source dispatch lane while bound ACP turns continue routing to their target session, so stalled pre-run work and late replies are cleared instead of leaking after stop. Fixes [#&#8203;84477](https://github.com/openclaw/openclaw/issues/84477). ([#&#8203;85100](https://github.com/openclaw/openclaw/issues/85100)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Codex app-server: mark missing turn completion after observed execution as replay-unsafe and release the session so follow-up turns can run. Fixes [#&#8203;84076](https://github.com/openclaw/openclaw/issues/84076). ([#&#8203;85107](https://github.com/openclaw/openclaw/issues/85107)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Codex app-server: give visible `message` dynamic tool sends a longer timeout budget so slow channel delivery can return its own result or error instead of hitting the 30-second Codex wrapper. ([#&#8203;85216](https://github.com/openclaw/openclaw/issues/85216)) Thanks [@&#8203;amknight](https://github.com/amknight).
- Codex app-server: add a dedicated post-tool raw assistant completion idle timeout config so trusted heavy turns can wait longer after tool handoff without weakening final assistant release.
- Matrix: keep explicitly configured two-person rooms on the room route before stale `m.direct` or strict two-member DM fallback can bypass mention gating. Fixes [#&#8203;85017](https://github.com/openclaw/openclaw/issues/85017). ([#&#8203;85137](https://github.com/openclaw/openclaw/issues/85137)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Agents/subagents: require explicit subagent allowlist targets to be configured agents so stale deleted-agent ids are omitted from `agents_list` and rejected by `sessions_spawn`. Fixes [#&#8203;84811](https://github.com/openclaw/openclaw/issues/84811). ([#&#8203;85154](https://github.com/openclaw/openclaw/issues/85154)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- PDF tool: time out idle remote PDF body reads after 120 seconds so stalled remote documents return an error instead of wedging the session. Fixes [#&#8203;68649](https://github.com/openclaw/openclaw/issues/68649). ([#&#8203;84768](https://github.com/openclaw/openclaw/issues/84768)) Thanks [@&#8203;luoyanglang](https://github.com/luoyanglang).
- Diagnostics/OpenTelemetry plugin: suppress handled OTLP exporter promise rejections so collector shutdowns no longer crash the Gateway. ([#&#8203;81085](https://github.com/openclaw/openclaw/issues/81085)) Thanks [@&#8203;luoyanglang](https://github.com/luoyanglang).
- Agents/exec: omit raw command text and env values from denied exec failure logs while keeping safe correlation metadata. Fixes [#&#8203;85049](https://github.com/openclaw/openclaw/issues/85049). ([#&#8203;85140](https://github.com/openclaw/openclaw/issues/85140)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Media/audio: skip empty structured sherpa-onnx transcripts instead of treating the raw JSON payload as spoken text. ([#&#8203;84667](https://github.com/openclaw/openclaw/issues/84667)) Thanks [@&#8203;TurboTheTurtle](https://github.com/TurboTheTurtle).
- Agents/exec: preserve inherited XDG base-directory environment values for subprocesses while still rejecting agent-supplied XDG overrides. Fixes [#&#8203;84854](https://github.com/openclaw/openclaw/issues/84854). ([#&#8203;85139](https://github.com/openclaw/openclaw/issues/85139)) Thanks [@&#8203;joshavant](https://github.com/joshavant).
- Node/Linux: keep `OPENCLAW_GATEWAY_TOKEN` out of generated systemd unit files by writing node service token values to a node-specific env file. ([#&#8203;84408](https://github.com/openclaw/openclaw/issues/84408))
- Memory-core/dreaming: reuse stable narrative subagent session keys per workspace and phase while keeping per-run idempotency and bounded cleanup, so stale `dreaming-narrative-*` sessions do not accumulate. Fixes [#&#8203;68252](https://github.com/openclaw/openclaw/issues/68252), [#&#8203;69187](https://github.com/openclaw/openclaw/issues/69187), and [#&#8203;70402](https://github.com/openclaw/openclaw/issues/70402). ([#&#8203;70464](https://github.com/openclaw/openclaw/issues/70464)) Thanks [@&#8203;chiyouYCH](https://github.com/chiyouYCH).
- Trajectory/support: tol…
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 24, 2026
@pgondhi987 @SebTardif
fix: constrain Windows task script names [AI] (openclaw#85064)
ff949bd 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 24, 2026
@pgondhi987 @SebTardif
fix: constrain Windows task script names [AI] (openclaw#85064)
4fcbdab 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 24, 2026
@pgondhi987 @SebTardif
fix: constrain Windows task script names [AI] (openclaw#85064)
72bf7c0 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
github-actions Bot pushed a commit to Desicool/openclaw that referenced this pull request May 24, 2026
@pgondhi987
fix: constrain Windows task script names [AI] (openclaw#85064)
4843418 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
galiniliev pushed a commit to galiniliev/openclaw that referenced this pull request May 25, 2026
@pgondhi987
fix: constrain Windows task script names [AI] (openclaw#85064)
349d3b6 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
@clawsweeper clawsweeper Bot mentioned this pull request May 26, 2026
Merged
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 26, 2026
@pgondhi987 @SebTardif
fix: constrain Windows task script names [AI] (openclaw#85064)
3516b2f 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 26, 2026
@pgondhi987 @SebTardif
fix: constrain Windows task script names [AI] (openclaw#85064)
f54e60a 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
SebTardif pushed a commit to SebTardif/openclaw that referenced this pull request May 26, 2026
@pgondhi987 @SebTardif
fix: constrain Windows task script names [AI] (openclaw#85064)
f081d70 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
jameslcowan pushed a commit to jameslcowan/openclaw that referenced this pull request Jun 2, 2026
@pgondhi987
fix: constrain Windows task script names [AI] (openclaw#85064)
b921502 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
SYU8384 pushed a commit to SYU8384/openclaw that referenced this pull request Jun 3, 2026
@pgondhi987
fix: constrain Windows task script names [AI] (openclaw#85064)
d0eb9e3 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
sablehead pushed a commit to sablehead/openclaw that referenced this pull request Jun 10, 2026
@pgondhi987
fix: constrain Windows task script names [AI] (openclaw#85064)
010ef87 
* fix: validate windows task script file names

* addressing ci

* docs: add changelog entry for PR merge
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@steipete steipete

Labels

gateway Gateway runtime maintainer Maintainer-authored PR merge-risk: 🚨 compatibility 🚨 May break existing users, config, migrations, defaults, or upgrade paths. P2 Normal backlog priority with limited blast radius. rating: 🦪 silver shellfish Thin PR readiness signal; proof, validation, or implementation needs work. size: S status: 🛠️ actively grinding The PR author has acted after the latest ClawSweeper review and work remains.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pgondhi987 @steipete