Memory/dreaming: add a grounded REM backfill lane with historical rem-harness --path, diary commit/reset flows, cleaner durable-fact extraction, and live short-term promotion integration so old daily notes can replay into Dreams and durable memory without a second memory stack. Thanks @mbelinky.
Control UI/dreaming: add a structured diary view with timeline navigation, backfill/reset controls, traceable dreaming summaries, and a grounded Scene lane with promotion hints plus a safe clear-grounded action for staged backfill signals. (#63395) Thanks @mbelinky.
QA/lab: add character-vibes evaluation reports with model selection and parallel runs so live QA can compare candidate behavior faster.
Plugins/provider-auth: let provider manifests declare providerAuthAliases so provider variants can share env vars, auth profiles, config-backed auth, and API-key onboarding choices without core-specific wiring.
iOS: pin release versioning to an explicit CalVer in apps/ios/version.json, keep TestFlight iteration on the same short version until maintainers intentionally promote the next gateway version, and add the documented pnpm ios:version:pin -- --from-gateway workflow for release trains. (#63001) Thanks @ngutman.
Fixes
Browser/security: re-run blocked-destination safety checks after interaction-driven main-frame navigations from click, evaluate, hook-triggered click, and batched action flows, so browser interactions cannot bypass the SSRF quarantine when they land on forbidden URLs. (#63226) Thanks @eleqtrizit.
Security/dotenv: block runtime-control env vars plus browser-control override and skip-server env vars from untrusted workspace .env files, and reject unsafe URL-style browser control override specifiers before lazy loading. (#62660, #62663) Thanks @eleqtrizit.
Gateway/node exec events: mark remote node exec.started, exec.finished, and exec.denied summaries as untrusted system events and sanitize node-provided command/output/reason text before enqueueing them, so remote node output cannot inject trusted System: content into later turns. (#62659) Thanks @eleqtrizit.
Plugins/onboarding auth choices: prevent untrusted workspace plugins from colliding with bundled provider auth-choice ids during non-interactive onboarding, so bundled provider setup keeps operator secrets out of untrusted workspace plugin handlers unless those plugins are explicitly trusted. (#62368) Thanks @pgondhi987.
Security/dependency audit: force basic-ftp to 5.2.1 for the CRLF command-injection fix and bump Hono plus @hono/node-server in production resolution paths.
Android/pairing: clear stale setup-code auth on new QR scans, bootstrap operator and node sessions from fresh pairing, prefer stored device tokens after bootstrap handoff, and pause pairing auto-retry while the app is backgrounded so scan-once Android pairing recovers reliably again. (#63199) Thanks @obviyus.
Matrix/gateway: wait for Matrix sync readiness before marking startup successful, keep Matrix background handler failures contained, and route fatal Matrix sync stops through channel-level restart handling instead of crashing the whole gateway. (#62779) Thanks @gumadeiras.
Slack/media: preserve bearer auth across same-origin files.slack.com redirects while still stripping it on cross-origin Slack CDN hops, so url_private_download image attachments load again. (#62960) Thanks @vincentkoc.
Reply/doctor: use the active runtime snapshot for queued reply runs, resolve reply-run SecretRefs before preflight helpers touch config, surface gateway OAuth reauth failures to users, and make openclaw doctor call out exact reauth commands. (#62693, #63217) Thanks @mbelinky.
Control UI: guard stale session-history reloads during fast session switches so the selected session and rendered transcript stay in sync. (#62975) Thanks @scoootscooob.
Gateway/chat: suppress exact and streamed ANNOUNCE_SKIP / REPLY_SKIP control replies across live chat updates and history sanitization so internal agent-to-agent control tokens no longer leak into user-facing gateway chat surfaces. (#51739) Thanks @Pinghuachiu.
Auto-reply/NO_REPLY: strip glued leading NO_REPLY tokens before reply normalization and ACP-visible streaming so silent sentinel text no longer leaks into user-visible replies while preserving substantive NO_REPLY ... text. Thanks @frankekn.
Sessions/routing: preserve established external routes on inter-session announce traffic so sessions_send follow-ups do not steal delivery from Telegram, Discord, or other external channels. (#58013) Thanks @duqaXxX.
Gateway/sessions: clear auto-fallback-pinned model overrides on /reset and /new while still preserving explicit user model selections, including legacy sessions created before override-source tracking existed. (#63155) Thanks @frankekn.
Slack/ACP: treat Slack ACP block replies as visible delivered output so OpenClaw stops re-sending the final fallback text after Slack already rendered the reply. (#62858) Thanks @gumadeiras.
Slack/partial streaming: key turn-local dedupe by dispatch kind and keep the final fallback reply path active when preview finalization fails so stale preview text cannot suppress the actual final answer. (#62859) Thanks @gumadeiras.
Matrix/doctor: migrate legacy channels.matrix.dm.policy: "trusted" configs back to compatible DM policies during openclaw doctor --fix, preserving explicit allowFrom boundaries as allowlist and defaulting empty legacy configs to pairing. (#62942) Thanks @lukeboyett.
npm packaging: mirror bundled channel runtime deps, stage Nostr runtime deps, derive required root mirrors from manifests and built chunks, and test packed release tarballs without repo node_modules so fresh installs fail fast on missing plugin deps instead of crashing at runtime. (#63065) Thanks @scoootscooob.
QA/live auth: fail fast when live QA scenarios hit classified auth or runtime failure replies, including raw scenario wait paths, and sanitize missing-key guidance so gateway auth problems surface as actionable errors instead of timeouts. (#63333) Thanks @shakkernerd.
Providers/OpenAI: default missing reasoning effort to high on OpenAI Responses, WebSocket, and compatible completions transports, while still honoring explicit per-run reasoning levels.
Providers/Ollama: allow Ollama models using the native api: "ollama" path to optionally display thinking output when /think is set to a non-off level. (#62712) Thanks @hoyyeva.
Codex CLI: pass OpenClaw's system prompt through Codex's model_instructions_file config override so fresh Codex CLI sessions receive the same prompt guidance as Claude CLI sessions.
Auth/profiles: persist explicit auth-profile upserts directly and skip external CLI sync for local writes so profile changes are saved without stale external credential state.
Agents/timeouts: make the LLM idle timeout inherit agents.defaults.timeoutSeconds when configured, disable the unconfigured idle watchdog for cron runs, and point idle-timeout errors at agents.defaults.llm.idleTimeoutSeconds. Thanks @drvoss.
Agents/failover: classify Z.ai vendor code 1311 as billing and 1113 as auth, including long wrapped 1311 payloads, so these errors stop falling through to generic failover handling. (#49552) Thanks @1bcMax.
QQBot/media-tags: support HTML entity-encoded angle brackets (&lt;/&gt;), URL slashes in attributes, and self-closing media tags so upstream <qqimg> payloads are correctly parsed and normalized. (#60493) Thanks @ylc0919.
Memory/dreaming: harden grounded backfill inputs, diary writes, status payloads, and diary action classification by preserving source-day labels, rejecting missing or symlinked targets cleanly, normalizing diary headings in gateway backfills, and tightening claim splitting plus diary source metadata. Thanks @mbelinky.
Memory/dreaming: accept embedded heartbeat trigger tokens so light and REM dreaming still run when runtime wrappers include extra heartbeat text.
Android/manual connect: allow blank port input only for TLS manual gateway endpoints so standard HTTPS Tailscale hosts default to 443 without silently changing cleartext manual connects. (#63134) Thanks @Tyler-RNG.
Windows/update: add heap headroom to Windows pnpm build steps during dev updates so update preflight builds stop failing on low default Node memory.
Plugin SDK: export the channel plugin base and web-search config contract through the public package so plugins can use them without private imports.
Plugins/contracts: keep test-only helpers out of production contract barrels, load shared contract harnesses through bundled test surfaces, and harden guardrails so indirect re-exports and canonical *.test.ts files stay blocked. (#63311) Thanks @altaywtf.
Control UI/models: preserve provider-qualified refs for OpenRouter catalog models whose ids already contain slashes so picker selections submit allowlist-compatible model refs instead of dropping the openrouter/ prefix. (#63416) Thanks @sallyom.
Plugin SDK/command auth: split command status builders onto the lightweight openclaw/plugin-sdk/command-status subpath while preserving deprecated command-auth compatibility exports, so auth-only plugin imports no longer pull status/context warmup into CLI onboarding paths. (#63174) Thanks @hxy91819.