fix(container): update image ghcr.io/openclaw/openclaw ( 2026.3.2 ➔ 2026.3.12 ) #574

Merged
Aviator-Coding merged 1 commit into main from renovate/ghcr.io-openclaw-openclaw-2026.x
Mar 18, 2026

@mortyops (bot, Contributor) commented Feb 23, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| ghcr.io/openclaw/openclaw (source) | patch | 2026.3.2 ➔ 2026.3.12 |

Release Notes

openclaw/openclaw (ghcr.io/openclaw/openclaw)

v2026.3.12

Compare Source

Changes
  • Control UI/dashboard-v2: refresh the gateway dashboard with modular overview, chat, config, agent, and session views, plus a command palette, mobile bottom tabs, and richer chat tools like slash commands, search, export, and pinned messages. (#​41503) Thanks @​BunsDev.
  • OpenAI/GPT-5.4 fast mode: add configurable session-level fast toggles across /fast, TUI, Control UI, and ACP, with per-model config defaults and OpenAI/Codex request shaping.
  • Anthropic/Claude fast mode: map the shared /fast toggle and params.fastMode to direct Anthropic API-key service_tier requests, with live verification for both Anthropic and OpenAI fast-mode tiers.
  • Models/plugins: move Ollama, vLLM, and SGLang onto the provider-plugin architecture, with provider-owned onboarding, discovery, model-picker setup, and post-selection hooks so core provider wiring is more modular.
  • Docs/Kubernetes: Add a starter K8s install path with raw manifests, Kind setup, and deployment docs. Thanks @​sallyom @​dzianisv @​egkristi
  • Agents/subagents: add sessions_yield so orchestrators can end the current turn immediately, skip queued tool work, and carry a hidden follow-up payload into the next session turn. (#​36537) thanks @​jriff
  • Slack/agent replies: support channelData.slack.blocks in the shared reply delivery path so agents can send Block Kit messages through standard Slack outbound delivery. (#​44592) Thanks @​vincentkoc.
  • Slack/interactive replies: add opt-in Slack button and select reply directives behind channels.slack.capabilities.interactiveReplies, disabled by default unless explicitly enabled. (#​44607) Thanks @​vincentkoc.
Fixes
  • Security/device pairing: switch /pair and openclaw qr setup codes to short-lived bootstrap tokens so the next release no longer embeds shared gateway credentials in chat or QR pairing payloads. Thanks @​lintsinghua.

  • Security/plugins: disable implicit workspace plugin auto-load so cloned repositories cannot execute workspace plugin code without an explicit trust decision. (GHSA-99qw-6mr3-36qr)(#​44174) Thanks @​lintsinghua and @​vincentkoc.

  • Models/Kimi Coding: send anthropic-messages tools in native Anthropic format again so kimi-coding stops degrading tool calls into XML/plain-text pseudo invocations instead of real tool_use blocks. (#​38669, #​39907, #​40552) Thanks @​opriz.

  • TUI/chat log: reuse the active assistant message component for the same streaming run so openclaw tui no longer renders duplicate assistant replies. (#​35364) Thanks @​lisitan.

  • Telegram/model picker: make inline model button selections persist the chosen session model correctly, clear overrides when selecting the configured default, and include effective fallback models in /models button validation. (#​40105) Thanks @​avirweb.

  • Cron/proactive delivery: keep isolated direct cron sends out of the write-ahead resend queue so transient-send retries do not replay duplicate proactive messages after restart. (#​40646) Thanks @​openperf and @​vincentkoc.

  • Models/Kimi Coding: send the built-in User-Agent: claude-code/0.1.0 header by default for kimi-coding while still allowing explicit provider headers to override it, so Kimi Code subscription auth can work without a local header-injection proxy. (#​30099) Thanks @​Amineelfarssi and @​vincentkoc.

  • Models/OpenAI Codex Spark: keep gpt-5.3-codex-spark working on the openai-codex/* path via resolver fallbacks and clearer Codex-only handling, while continuing to suppress the stale direct openai/* Spark row that OpenAI rejects live.

  • Ollama/Kimi Cloud: apply the Moonshot Kimi payload compatibility wrapper to Ollama-hosted Kimi models like kimi-k2.5:cloud, so tool routing no longer breaks when thinking is enabled. (#​41519) Thanks @​vincentkoc.

  • Moonshot CN API: respect explicit baseUrl (api.moonshot.cn) in implicit provider resolution so platform.moonshot.cn API keys authenticate correctly instead of returning HTTP 401. (#​33637) Thanks @​chengzhichao-xydt.

  • Kimi Coding/provider config: respect explicit models.providers["kimi-coding"].baseUrl when resolving the implicit provider so custom Kimi Coding endpoints no longer get overwritten by the built-in default. (#​36353) Thanks @​2233admin.

  • Gateway/main-session routing: keep TUI and other mode:UI main-session sends on the internal surface when deliver is enabled, so replies no longer inherit the session's persisted Telegram/WhatsApp route. (#​43918) Thanks @​obviyus.

  • BlueBubbles/self-chat echo dedupe: drop reflected duplicate webhook copies only when a matching fromMe event was just seen for the same chat, body, and timestamp, preventing self-chat loops without broad webhook suppression. Related to #​32166. (#​38442) Thanks @​vincentkoc.

  • iMessage/self-chat echo dedupe: drop reflected duplicate copies only when a matching is_from_me event was just seen for the same chat, text, and created_at, preventing self-chat loops without broad text-only suppression. Related to #​32166. (#​38440) Thanks @​vincentkoc.

  • Subagents/completion announce retries: raise the default announce timeout to 90 seconds and stop retrying gateway-timeout failures for externally delivered completion announces, preventing duplicate user-facing completion messages after slow gateway responses. Fixes #​41235. Thanks @​vasujain00 and @​vincentkoc.

  • Mattermost/block streaming: fix duplicate message delivery (one threaded, one top-level) when block streaming is active by excluding replyToId from the block reply dedup key and adding an explicit threading dock to the Mattermost plugin. (#​41362) Thanks @​mathiasnagler and @​vincentkoc.

  • Mattermost/reply media delivery: pass agent-scoped mediaLocalRoots through shared reply delivery so allowed local files upload correctly from button, slash-command, and model-picker replies. (#​44021) Thanks @​LyleLiu666.

  • macOS/Reminders: add the missing NSRemindersUsageDescription to the bundled app so apple-reminders can trigger the system permission prompt from OpenClaw.app. (#​8559) Thanks @​dinakars777.

  • Gateway/session discovery: discover disk-only and retired ACP session stores under custom templated session.store roots so ACP reconciliation, session-id/session-label targeting, and run-id fallback keep working after restart. (#​44176) thanks @​gumadeiras.

  • Plugins/env-scoped roots: fix plugin discovery/load caches and provenance tracking so same-process HOME/OPENCLAW_HOME changes no longer reuse stale plugin state or misreport ~/... plugins as untracked. (#​44046) thanks @​gumadeiras.

  • Models/OpenRouter native ids: canonicalize native OpenRouter model keys across config writes, runtime lookups, fallback management, and models list --plain, and migrate legacy duplicated openrouter/openrouter/... config entries forward on write.

  • Windows/native update: make package installs use the npm update path instead of the git path, carry portable Git into native Windows updates, and mirror the installer's Windows npm env so openclaw update no longer dies early on missing git or node-llama-cpp download setup.

  • Sandbox/write: preserve pinned mutation-helper payload stdin so sandboxed write no longer reports success while creating empty files. (#​43876) Thanks @​glitch418x.

  • Security/exec approvals: escape invisible Unicode format characters in approval prompts so zero-width command text renders as visible \u{...} escapes instead of spoofing the reviewed command. (GHSA-pcqg-f7rg-xfvv)(#​43687) Thanks @​EkiXu and @​vincentkoc.

  • Hooks/loader: fail closed when workspace hook paths cannot be resolved with realpath, so unreadable or broken internal hook paths are skipped instead of falling back to unresolved imports. (#​44437) Thanks @​vincentkoc.

  • Hooks/agent deliveries: dedupe repeated hook requests by optional idempotency key so webhook retries can reuse the first run instead of launching duplicate agent executions. (#​44438) Thanks @​vincentkoc.

  • Security/exec detection: normalize compatibility Unicode and strip invisible formatting code points before obfuscation checks so zero-width and fullwidth command tricks no longer suppress heuristic detection. (GHSA-9r3v-37xh-2cf6)(#​44091) Thanks @​wooluo and @​vincentkoc.

  • Security/exec allowlist: preserve POSIX case sensitivity and keep ? within a single path segment so exact-looking allowlist patterns no longer overmatch executables across case or directory boundaries. (GHSA-f8r2-vg7x-gh8m)(#​43798) Thanks @​zpbrent and @​vincentkoc.

  • Security/commands: require sender ownership for /config and /debug so authorized non-owner senders can no longer reach owner-only config and runtime debug surfaces. (GHSA-r7vr-gr74-94p8)(#​44305) Thanks @​tdjackey and @​vincentkoc.

  • Security/gateway auth: clear unbound client-declared scopes on shared-token WebSocket connects so device-less shared-token operators cannot self-declare elevated scopes. (GHSA-rqpp-rjj8-7wv8)(#​44306) Thanks @​LUOYEcode and @​vincentkoc.

  • Security/browser.request: block persistent browser profile create/delete routes from write-scoped browser.request so callers can no longer persist admin-only browser profile changes through the browser control surface. (GHSA-vmhq-cqm9-6p7q)(#​43800) Thanks @​tdjackey and @​vincentkoc.

  • Security/agent: reject public spawned-run lineage fields and keep workspace inheritance on the internal spawned-session path so external agent callers can no longer override the gateway workspace boundary. (GHSA-2rqg-gjgv-84jm)(#​43801) Thanks @​tdjackey and @​vincentkoc.

  • Security/session_status: enforce sandbox session-tree visibility and shared agent-to-agent access guards before reading or mutating target session state, so sandboxed subagents can no longer inspect parent session metadata or write parent model overrides via session_status. (GHSA-wcxr-59v9-rxr8)(#​43754) Thanks @​tdjackey and @​vincentkoc.

  • Security/agent tools: mark nodes as explicitly owner-only and document/test that canvas remains a shared trusted-operator surface unless a real boundary bypass exists.

  • Security/exec approvals: fail closed for Ruby approval flows that use -r, --require, or -I so approval-backed commands no longer bind only the main script while extra local code-loading flags remain outside the reviewed file snapshot.

  • Security/device pairing: cap issued and verified device-token scopes to each paired device's approved scope baseline so stale or overbroad tokens cannot exceed approved access. (GHSA-2pwv-x786-56f8)(#​43686) Thanks @​tdjackey and @​vincentkoc.

  • Docs/onboarding: align the legacy wizard reference and openclaw onboard command docs with the Ollama onboarding flow so all onboarding reference paths now document --auth-choice ollama, Cloud + Local mode, and non-interactive usage. (#​43473) Thanks @​BruceMacD.

  • Models/secrets: enforce source-managed SecretRef markers in generated models.json so runtime-resolved provider secrets are not persisted when runtime projection is skipped. (#​43759) Thanks @​joshavant.

  • Security/WebSocket preauth: shorten unauthenticated handshake retention and reject oversized pre-auth frames before application-layer parsing to reduce pre-pairing exposure on unsupported public deployments. (GHSA-jv4g-m82p-2j93)(#​44089) (GHSA-xwx2-ppv2-wx98)(#​44089) Thanks @​ez-lbz and @​vincentkoc.

  • Security/proxy attachments: restore the shared media-store size cap for persisted browser proxy files so oversized payloads are rejected instead of overriding the intended 5 MB limit. (GHSA-6rph-mmhp-h7h9)(#​43684) Thanks @​tdjackey and @​vincentkoc.

  • Security/host env: block inherited GIT_EXEC_PATH from sanitized host exec environments so Git helper resolution cannot be steered by host environment state. (GHSA-jf5v-pqgw-gm5m)(#​43685) Thanks @​zpbrent and @​vincentkoc.

  • Security/Feishu webhook: require encryptKey alongside verificationToken in webhook mode so unsigned forged events are rejected instead of being processed with token-only configuration. (GHSA-g353-mgv3-8pcj)(#​44087) Thanks @​lintsinghua and @​vincentkoc.

  • Security/Feishu reactions: preserve looked-up group chat typing and fail closed on ambiguous reaction context so group authorization and mention gating cannot be bypassed through synthetic p2p reactions. (GHSA-m69h-jm2f-2pv8)(#​44088) Thanks @​zpbrent and @​vincentkoc.

  • Security/LINE webhook: require signatures for empty-event POST probes too so unsigned requests no longer confirm webhook reachability with a 200 response. (GHSA-mhxh-9pjm-w7q5)(#​44090) Thanks @​TerminalsandCoffee and @​vincentkoc.

  • Security/Zalo webhook: rate limit invalid secret guesses before auth so weak webhook secrets cannot be brute-forced through unauthenticated churned requests without pre-auth 429 responses. (GHSA-5m9r-p9g7-679c)(#​44173) Thanks @​zpbrent and @​vincentkoc.

  • Security/Zalouser groups: require stable group IDs for allowlist auth by default and gate mutable group-name matching behind channels.zalouser.dangerouslyAllowNameMatching. Thanks @​zpbrent.

  • Security/Slack and Teams routing: require stable channel and team IDs for allowlist routing by default, with mutable name matching only via each channel's dangerouslyAllowNameMatching break-glass flag.

  • Security/exec approvals: fail closed for ambiguous inline loader and shell-payload script execution, bind the real script after POSIX shell value-taking flags, and unwrap pnpm/npm exec/npx script runners before approval binding. (GHSA-57jw-9722-6rf2)(GHSA-jvqh-rfmh-jh27)(GHSA-x7pp-23xv-mmr4)(GHSA-jc5j-vg4r-j5jx)(#​44247) Thanks @​tdjackey and @​vincentkoc.

  • Doctor/gateway service audit: canonicalize service entrypoint paths before comparing them so symlink-vs-realpath installs no longer trigger false "entrypoint does not match the current install" repair prompts. (#​43882) Thanks @​ngutman.

  • Doctor/gateway service audit: earlier groundwork for this fix landed in the superseded #​28338 branch. Thanks @​realriphub.

  • Gateway/session stores: regenerate the Swift push-test protocol models and align Windows native session-store realpath handling so protocol checks and sync session discovery stop drifting on Windows. (#​44266) thanks @​jalehman.

  • Context engine/session routing: forward optional sessionKey through context-engine lifecycle calls so plugins can see structured routing metadata during bootstrap, assembly, post-turn ingestion, and compaction. (#​44157) thanks @​jalehman.

  • Agents/failover: classify z.ai network_error stop reasons as retryable timeouts so provider connectivity failures trigger fallback instead of surfacing raw unhandled-stop-reason errors. (#​43884) Thanks @​hougangdev.

  • Config/Anthropic startup: inline Anthropic alias normalization during config load so gateway startup no longer crashes on dated Anthropic model refs like anthropic/claude-sonnet-4-20250514. (#​45520) Thanks @​BunsDev.

  • Memory/session sync: add mode-aware post-compaction session reindexing with agents.defaults.compaction.postIndexSync plus agents.defaults.memorySearch.sync.sessions.postCompactionForce, so compacted session memory can refresh immediately without forcing every deployment into synchronous reindexing. (#​25561) thanks @​rodrigouroz.

  • Telegram/model picker: make inline model button selections persist the chosen session model correctly, clear overrides when selecting the configured default, and include effective fallback models in /models button validation. (#​40105) Thanks @​avirweb.

  • Telegram/native command sync: suppress expected BOT_COMMANDS_TOO_MUCH retry error noise, add a final fallback summary log, and document the difference between command-menu overflow and real Telegram network failures.

  • Mattermost/reply media delivery: pass agent-scoped mediaLocalRoots through shared reply delivery so allowed local files upload correctly from button, slash-command, and model-picker replies. (#​44021) Thanks @​LyleLiu666.

  • Plugins/env-scoped roots: fix plugin discovery/load caches and provenance tracking so same-process HOME/OPENCLAW_HOME changes no longer reuse stale plugin state or misreport ~/... plugins as untracked. (#​44046) thanks @​gumadeiras.

  • Gateway/session discovery: discover disk-only and retired ACP session stores under custom templated session.store roots so ACP reconciliation, session-id/session-label targeting, and run-id fallback keep working after restart. (#​44176) thanks @​gumadeiras.

  • Browser/existing-session: stop reporting fake CDP ports/URLs for live attached Chrome sessions, render transport: chrome-mcp in CLI/status output instead of port: 0, and keep timeout diagnostics transport-aware when no direct CDP URL exists.

  • Models/OpenRouter native ids: canonicalize native OpenRouter model keys across config writes, runtime lookups, fallback management, and models list --plain, and migrate legacy duplicated openrouter/openrouter/... config entries forward on write.

  • Feishu/event dedupe: keep early duplicate suppression aligned with the shared Feishu message-id contract and release the pre-queue dedupe marker after failed dispatch so retried events can recover instead of being dropped until the short TTL expires. (#​43762) Thanks @​yunweibang.

  • Gateway/hooks: bucket hook auth failures by forwarded client IP behind trusted proxies and warn when hooks.allowedAgentIds leaves hook routing unrestricted.

  • Agents/compaction: skip the post-compaction cache-ttl marker write when a compaction completed in the same attempt, preventing the next turn from immediately triggering a second tiny compaction. (#​28548) thanks @​MoerAI.

  • Native chat/macOS: add /new, /reset, and /clear reset triggers, keep shared main-session aliases aligned, and ignore stale model-selection completions so native chat state stays in sync across reset and fast model changes. (#​10898) Thanks @​Nachx639.

  • Agents/compaction safeguard: route missing-model and missing-API-key cancellation warnings through the shared subsystem logger so they land in structured and file logs. (#​9974) Thanks @​dinakars777.

  • Cron/doctor: stop flagging canonical agentTurn and systemEvent payload kinds as legacy cron storage, while still normalizing whitespace-padded and non-canonical variants. (#​44012) Thanks @​shuicici.

  • ACP/client final-message delivery: preserve terminal assistant text snapshots before resolving end_turn, so ACP clients no longer drop the last visible reply when the gateway sends the final message body on the terminal chat event. (#​17615) Thanks @​pjeby.

  • Telegram/Discord status reactions: show a temporary compacting reaction during auto-compaction pauses and restore thinking afterward so the bot no longer appears frozen while context is being compacted. (#​35474) thanks @​Cypherm.

  • Delivery/dedupe: trim completed direct-cron delivery cache correctly and keep mirrored transcript dedupe active even when transcript files contain malformed lines. (#​44666) thanks @​frankekn.

  • CLI/thinking help: add the missing xhigh level hints to openclaw cron add, openclaw cron edit, and openclaw agent so the help text matches the levels already accepted at runtime. (#​44819) Thanks @​kiki830621.

  • Agents/Anthropic replay: drop replayed assistant thinking blocks for native Anthropic and Bedrock Claude providers so persisted follow-up turns no longer fail on stored thinking blocks. (#​44843) Thanks @​jmcte.

  • Docs/Brave pricing: escape literal dollar signs in Brave Search cost text so the docs render the free credit and per-request pricing correctly. (#​44989) Thanks @​keelanfh.

  • Feishu/file uploads: preserve literal UTF-8 filenames in im.file.create so Chinese and other non-ASCII filenames no longer appear percent-encoded in chat. (#​34262) Thanks @​fabiaodemianyang and @​KangShuaiFu.

  • Agents/compaction safeguard: trim large kept toolResult payloads consistently for budgeting, pruning, and identifier seeding, then restore preserved payloads after prune so oversized safeguard summaries stay stable. (#​44133) thanks @​SayrWolfridge.

  • Agents/compaction: compare post-compaction token sanity checks against full-session pre-compaction totals and skip the check when token estimation fails, so sessions with large bootstrap context keep real token counts instead of falling back to unknown. (#​28347) thanks @​efe-arv.

  • Discord/gateway startup: treat plain-text and transient /gateway/bot metadata fetch failures as transient startup errors so Discord gateway boot no longer crashes on unhandled rejections. (#​44397) Thanks @​jalehman.

  • Agents/Ollama overflow: rewrite Ollama prompt too long API payloads through the normal context-overflow sanitizer so embedded sessions keep the friendly overflow copy and auto-compaction trigger. (#​34019) thanks @​lishuaigit.

  • Control UI/auth: restore one-time legacy ?token= imports for shared Control UI links while keeping #token= preferred, and carry pending query tokens through gateway URL confirmation so compatibility links still authenticate after confirmation. (#​43979) Thanks @​stim64045-spec.

  • Plugins/context engines: retry legacy lifecycle calls once without sessionKey when older plugins reject that field, memoize legacy mode after the first strict-schema fallback, and preserve non-compat runtime errors without retry. (#​44779) thanks @​hhhhao28.

v2026.3.11

Compare Source

Security
  • Gateway/WebSocket: enforce browser origin validation for all browser-originated connections regardless of whether proxy headers are present, closing a cross-site WebSocket hijacking path in trusted-proxy mode that could grant untrusted origins operator.admin access. (GHSA-5wcw-8jjv-m286)
Changes
  • OpenRouter/models: add temporary Hunter Alpha and Healer Alpha entries to the built-in catalog so OpenRouter users can try the new free stealth models during their roughly one-week availability window. (#​43642) Thanks @​ping-Toven.
  • iOS/Home canvas: add a bundled welcome screen with a live agent overview that refreshes on connect, reconnect, and foreground return, and move the compact connection pill off the top-left canvas overlay. (#​42456) Thanks @​ngutman.
  • iOS/Home canvas: replace floating controls with a docked toolbar, make the bundled home scaffold adapt to smaller phones, and open chat in the resolved main session instead of a synthetic ios session. (#​42456) Thanks @​ngutman.
  • macOS/chat UI: add a chat model picker, persist explicit thinking-level selections across relaunch, and harden provider-aware session model sync for the shared chat composer. (#​42314) Thanks @​ImLukeF.
  • Onboarding/Ollama: add first-class Ollama setup with Local or Cloud + Local modes, browser-based cloud sign-in, curated model suggestions, and cloud-model handling that skips unnecessary local pulls. (#​41529) Thanks @​BruceMacD.
  • OpenCode/onboarding: add new OpenCode Go provider, treat Zen and Go as one OpenCode setup in the wizard/docs while keeping the runtime providers split, store one shared OpenCode key for both profiles, and stop overriding the built-in opencode-go catalog routing. (#​42313) Thanks @​ImLukeF and @​vincentkoc.
  • Memory: add opt-in multimodal image and audio indexing for memorySearch.extraPaths with Gemini gemini-embedding-2-preview, strict fallback gating, and scope-based reindexing. (#​43460) Thanks @​gumadeiras.
  • Memory/Gemini: add gemini-embedding-2-preview memory-search support with configurable output dimensions and automatic reindexing when the configured dimensions change. (#​42501) Thanks @​BillChirico and @​gumadeiras.
  • macOS/onboarding: detect when remote gateways need a shared auth token, explain where to find it on the gateway host, and clarify when a successful check used paired-device auth instead. (#​43100) Thanks @​ngutman.
  • Discord/auto threads: add autoArchiveDuration channel config for auto-created threads so Discord thread archiving can stay at 1 hour, 1 day, 3 days, or 1 week instead of always using the 1-hour default. (#​35065) Thanks @​davidguttman.
  • iOS/TestFlight: add a local beta release flow with Fastlane prepare/archive/upload support, canonical beta bundle IDs, and watch-app archive fixes. (#​42991) Thanks @​ngutman.
  • ACP/sessions_spawn: add optional resumeSessionId for runtime: "acp" so spawned ACP sessions can resume an existing ACPX/Codex conversation instead of always starting fresh. (#​41847) Thanks @​pejmanjohn.
  • Gateway/node pending work: add narrow in-memory pending-work queue primitives (node.pending.enqueue / node.pending.drain) and wake-helper reuse as a foundation for dormant-node work delivery. (#​41409) Thanks @​mbelinky.
  • Git/runtime state: ignore the gateway-generated .dev-state file so local runtime state does not show up as untracked repo noise. (#​41848) Thanks @​smysle.
  • Exec/child commands: mark child command environments with OPENCLAW_CLI so subprocesses can detect when they were launched from the OpenClaw CLI. (#​41411) Thanks @​vincentkoc.
  • LLM Task/Lobster: add an optional thinking override so workflow calls can explicitly set embedded reasoning level with shared validation for invalid values and unsupported xhigh modes. (#​15606) Thanks @​xadenryan and @​ImLukeF.
  • Mattermost/reply threading: add channels.mattermost.replyToMode for channel and group messages so top-level posts can start thread-scoped sessions without the manual reply-then-thread workaround. (#​29587) Thanks @​teconomix.
  • iOS/push relay: add relay-backed official-build push delivery with App Attest + receipt verification, gateway-bound send delegation, and config-based relay URL setup on the gateway. (#​43369) Thanks @​ngutman.
Breaking
  • Cron/doctor: tighten isolated cron delivery so cron jobs can no longer notify through ad hoc agent sends or fallback main-session summaries, and add openclaw doctor --fix migration for legacy cron storage and legacy notify/webhook delivery metadata. (#​40998) Thanks @​mbelinky.
Fixes
  • Windows/install: stop auto-installing node-llama-cpp during normal npm CLI installs so openclaw@latest no longer fails on Windows while building optional local-embedding dependencies.
  • Windows/update: mirror the native installer environment during global npm updates, including portable Git fallback and Windows-safe npm shell settings, so openclaw update works again on native Windows installs.
  • Gateway/status: expose runtimeVersion in gateway status output so install/update smoke tests can verify the running version before and after updates.
  • Windows/onboarding: explain when non-interactive local onboarding is waiting for an already-running gateway, and surface native Scheduled Task admin requirements more clearly instead of failing with an opaque gateway timeout.
  • Windows/gateway install: fall back from denied Scheduled Task creation to a per-user Startup-folder login item, so native openclaw gateway install and --install-daemon keep working without an elevated PowerShell shell.
  • Agents/text sanitization: strip leaked model control tokens (<|...|> and full-width <｜...｜> variants) from user-facing assistant text, preventing GLM-5 and DeepSeek internal delimiters from reaching end users. (#​42173) Thanks @​imwyvern.
  • iOS/gateway foreground recovery: reconnect immediately on foreground return after stale background sockets are torn down, so the app no longer stays disconnected until a later wake path happens. (#​41384) Thanks @​mbelinky.
  • Gateway/Control UI: keep dashboard auth tokens in session-scoped browser storage so same-tab refreshes preserve remote token auth without restoring long-lived localStorage token persistence, while scoping tokens to the selected gateway URL and fragment-only bootstrap flow. (#​40892) thanks @​velvet-shark.
  • Gateway/macOS launchd restarts: keep the LaunchAgent registered during explicit restarts, hand off self-restarts through a detached launchd helper, and recover config/hot reload restart paths without unloading the service. Fixes #​43311, #​43406, #​43035, and #​43049.
  • macOS/LaunchAgent install: tighten LaunchAgent directory and plist permissions during install so launchd bootstrap does not fail when the target home path or generated plist inherited group/world-writable modes.
  • Discord/reply chunking: resolve the effective maxLinesPerMessage config across live reply paths and preserve chunkMode in the fast send path so long Discord replies no longer split unexpectedly at the default 17-line limit. (#​40133) thanks @​rbutera.
  • Feishu/local image auto-convert: pass mediaLocalRoots through the sendText local-image shim so allowed local image paths upload as Feishu images again instead of falling back to raw path text. (#​40623) Thanks @​ayanesakura.
  • Models/Kimi Coding: send anthropic-messages tools in native Anthropic format again so kimi-coding stops degrading tool calls into XML/plain-text pseudo invocations instead of real tool_use blocks. (#​38669, #​39907, #​40552) Thanks @​opriz.
  • Telegram/outbound HTML sends: chunk long HTML-mode messages, preserve plain-text fallback and silent-delivery params across retries, and cut over to plain text when HTML chunk planning cannot safely preserve the full message. (#​42240) thanks @​obviyus.
  • Telegram/final preview delivery: split active preview lifecycle from cleanup retention so missing archived preview edits avoid duplicate fallback sends without clearing the live preview or blocking later in-place finalization. (#​41662) thanks @​hougangdev.
  • Telegram/final preview delivery followup: keep ambiguous missing-message_id finals only when a preview was already visible, while first-preview/no-id cases still fall back so Telegram users do not lose the final reply. (#​41932) thanks @​hougangdev.
  • Telegram/final preview cleanup follow-up: clear stale cleanup-retain state only for transient preview finals so archived-preview retains no longer leave a stale partial bubble beside a later fallback-sent final. (#​41763) Thanks @​obviyus.
  • Telegram/poll restarts: scope process-level polling restarts to real Telegram getUpdates failures so unrelated network errors, such as Slack DNS misses, no longer bounce Telegram polling. (#​43799) Thanks @​obviyus.
  • Gateway/auth: allow one trusted device-token retry on shared-token mismatch with recovery hints to prevent reconnect churn during token drift. (#​42507) Thanks @​joshavant.
  • Gateway/config errors: surface up to three validation issues in top-level config.set, config.patch, and config.apply error messages while preserving structured issue details. (#​42664) Thanks @​huntharo.
  • Agents/Azure OpenAI Responses: include the azure-openai provider in the Responses API store override so Azure OpenAI multi-turn cron jobs and embedded agent runs no longer fail with HTTP 400 "store is set to false". (#​42934, fixes #​42800) Thanks @​ademczuk.
  • Agents/error rendering: ignore stale assistant errorMessage fields on successful turns so background/tool-side failures no longer prepend synthetic billing errors over valid replies. (#​40616) Thanks @​ingyukoh.
  • Agents/billing recovery: probe single-provider billing cooldowns on the existing throttle so topping up credits can recover without a manual gateway restart. (#​41422) thanks @​altaywtf.
  • Agents/fallback: treat HTTP 499 responses as transient in both raw-text and structured failover paths so Anthropic-style client-closed overload responses trigger model fallback reliably. (#​41468) thanks @​zeroasterisk.
  • Agents/fallback: recognize Venice 402 Insufficient USD or Diem balance billing errors so configured model fallbacks trigger instead of surfacing the raw provider error. (#​43205) Thanks @​Squabble9.
  • Agents/fallback: recognize Poe 402 You've used up your points! billing errors so configured model fallbacks trigger instead of surfacing the raw provider error. (#​42278) Thanks @​CryUshio.
  • Agents/failover: treat Gemini MALFORMED_RESPONSE stop reasons as retryable timeouts so preview-model enum drift falls back cleanly instead of crashing the run, without also reclassifying malformed function-call errors. (#​42292) Thanks @​jnMetaCode.
  • Agents/cooldowns: default cooldown windows with no recorded failure history to unknown instead of rate_limit, avoiding false API rate-limit warnings while preserving cooldown recovery probes. (#​42911) Thanks @​VibhorGautam.
  • Auth/cooldowns: reset expired auth-profile cooldown error counters before computing the next backoff so stale on-disk counters do not re-escalate into long cooldown loops after expiry. (#​41028) thanks @​zerone0x.
  • Agents/memory flush: forward memoryFlushWritePath through runEmbeddedPiAgent so memory-triggered flush turns keep the append-only write guard without aborting before tool setup. Follows up on #​38574. (#​41761) Thanks @​frankekn.
  • Agents/context pruning: prune image-only tool results during soft-trim, align context-pruning coverage with the new tool-result contract, and extend historical image cleanup to the same screenshot-heavy session path. (#​43045) Thanks @​MoerAI.
  • Sessions/reset model recompute: clear stale runtime model, context-token, and system-prompt metadata before session resets recompute the replacement session, so resets pick up current defaults and explicit overrides instead of reusing old runtime model state. (#​41173) thanks @​PonyX-lab.
  • Channels/allowlists: remove stale matcher caching so same-array allowlist edits and wildcard replacements take effect immediately, with regression coverage for in-place mutation cases.
  • Discord/Telegram outbound runtime config: thread runtime-resolved config through Discord and Telegram send paths so SecretRef-based credentials stay resolved during message delivery. (#​42352) Thanks @​joshavant.
  • Tools/web search: treat Brave llm-context grounding snippets as plain strings so web_search no longer returns empty snippet arrays in LLM Context mode. (#​41387) thanks @​zheliu2.
  • Tools/web search: recover OpenRouter Perplexity citation extraction from message.annotations when chat-completions responses omit top-level citations. (#​40881) Thanks @​laurieluo.
  • CLI/skills JSON: strip ANSI and C1 control bytes from skills list --json, skills info --json, and skills check --json so machine-readable output stays valid for terminals and skill metadata with embedded control characters. Fixes #​27530. Related #​27557. Thanks @​Jimmy-xuzimo and @​vincentkoc.
  • CLI/tables: default shared tables to ASCII borders on legacy Windows consoles while keeping Unicode borders on modern Windows terminals, so commands like openclaw skills stop rendering mojibake under GBK/936 consoles. Fixes #​40853. Related #​41015. Thanks @​ApacheBin and @​vincentkoc.
  • CLI/memory teardown: close cached memory search/index managers in the one-shot CLI shutdown path so watcher-backed memory caches no longer keep completed CLI runs alive after output finishes. (#​40389) thanks @​Julbarth.
  • Control UI/Sessions: restore single-column session table collapse on narrow viewport or container widths by moving the responsive table override next to the base grid rule and enabling inline-size container queries. (#​12175) Thanks @​benjipeng.
  • Telegram/network env-proxy: apply configured transport policy to proxied HTTPS dispatchers as well as direct NO_PROXY bypasses, so resolver-scoped IPv4 fallback and network settings work consistently for env-proxied Telegram traffic. (#​40740) Thanks @​sircrumpet.
  • Mattermost/Markdown formatting: preserve first-line indentation when stripping bot mentions so nested list items and indented code blocks keep their structure, and render Mattermost tables natively by default instead of fenced-code fallback. (#​18655) thanks @​echo931.
  • Mattermost/plugin send actions: normalize direct replyTo fallback handling so threaded plugin sends trim blank IDs and reuse the correct reply target again. (#​41176) Thanks @​hnykda.
  • MS Teams/allowlist resolution: use the General channel conversation ID as the resolved team key (with Graph GUID fallback) so Bot Framework runtime channelData.team.id matching works for team and team/channel allowlist entries. (#​41838) Thanks @​BradGroux.
  • Signal/config schema: accept channels.signal.accountUuid in strict config validation so loop-protection configs no longer fail with an unrecognized-key error. (#​35578) Thanks @​ingyukoh.
  • Telegram/config schema: accept channels.telegram.actions.editMessage and createForumTopic in strict config validation so existing Telegram action toggles no longer fail as unrecognized keys. (#​35498) Thanks @​ingyukoh.
  • Telegram/docs: clarify that channels.telegram.groups allowlists chats while groupAllowFrom allowlists users inside those chats, and point invalid negative chat IDs at the right config key. (#​42451) Thanks @​altaywtf.
  • Discord/config typing: expose channel-level autoThread on the canonical guild-channel config type so strict config loading matches the existing Discord schema and runtime behavior. (#​35608) Thanks @​ingyukoh.
  • fix(models): guard optional model.input capability checks (#​42096) thanks @​andyliu
  • Models/Alibaba Cloud Model Studio: wire MODELSTUDIO_API_KEY through shared env auth, implicit provider discovery, and shell-env fallback so onboarding works outside the wizard too. (#​40634) Thanks @​pomelo-nwu.
  • Resolve web tool SecretRefs atomically at runtime. (#​41599) Thanks @​joshavant.
  • Secret files: harden CLI and channel credential file reads against path-swap races by requiring direct regular files for *File secret inputs and rejecting symlink-backed secret files.
  • Archive extraction: harden TAR and external tar.bz2 installs against destination symlink and pre-existing child-symlink escapes by extracting into staging first and merging into the canonical destination with safe file opens.
  • Secrets/SecretRef: reject exec SecretRef traversal ids across schema, runtime, and gateway. (#​42370) Thanks @​joshavant.
  • Sandbox/fs bridge: pin staged writes to verified parent directories so temporary write files cannot materialize outside the allowed mount before atomic repla

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@mortyops
Contributor Author

mortyops bot commented Feb 23, 2026

--- HelmRelease: ai/openclaw Deployment: ai/openclaw

+++ HelmRelease: ai/openclaw Deployment: ai/openclaw

@@ -160,13 +160,13 @@

 
           echo "Tool installation complete"
           echo "brew packages: $(brew list --formula | tr '\n' ' ')"
         envFrom:
         - secretRef:
             name: openclaw-skills-secret
-        image: ghcr.io/openclaw/openclaw:2026.3.2
+        image: ghcr.io/openclaw/openclaw:2026.3.12
         name: install-tools
         resources:
           limits:
             memory: 4Gi
           requests:
             cpu: 100m
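Review bot: the `install-tools` init container changed here still receives every key in `openclaw-skills-secret` through `envFrom`, so each image bump hands the whole secret to a new build of the tool-install step. If that step needs only some of those keys, list them individually with `env[].valueFrom.secretKeyRef` instead of `envFrom.secretRef`, so an unexpected change in the image cannot read credentials it has no use for.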
@@ -279,13 +279,13 @@

           value: null
         envFrom:
         - secretRef:
             name: openclaw-secret
         - secretRef:
             name: openclaw-skills-secret
-        image: ghcr.io/openclaw/openclaw:2026.3.2
+        image: ghcr.io/openclaw/openclaw:2026.3.12
         livenessProbe:
           failureThreshold: 3
           httpGet:
             path: /healthz
             port: 18789
           initialDelaySeconds: 10
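Review bot: the only health signal visible around this `image:` change on the main container is the `/healthz` liveness probe on port 18789, which does not show whether credentials still load under the new version. The release notes quoted in this PR say `*File` secret inputs now reject symlink-backed files; the secrets in this hunk arrive through `envFrom` and are unaffected, but Kubernetes presents files in Secret volumes as symlinks, so if any `*File` setting in this deployment points at a mounted Secret, check channel and CLI credential loading after rollout before treating the bump as safe to auto-approve.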

@mortyops
Contributor Author

mortyops bot commented Feb 23, 2026

--- kubernetes/apps/ai/openclaw/app Kustomization: ai/openclaw HelmRelease: ai/openclaw

+++ kubernetes/apps/ai/openclaw/app Kustomization: ai/openclaw HelmRelease: ai/openclaw

@@ -111,13 +111,13 @@

             - secretRef:
                 name: openclaw-secret
             - secretRef:
                 name: openclaw-skills-secret
             image:
               repository: ghcr.io/openclaw/openclaw
-              tag: 2026.3.2
+              tag: 2026.3.12
             probes:
               liveness:
                 custom: true
                 enabled: true
                 spec:
                   failureThreshold: 3
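Review bot: `tag: 2026.3.12` pins the main container by tag only, so what runs is whatever the registry serves for that tag at pull time rather than the content reviewed here. Since the rendered Deployment shows the chart joining `repository` and `tag` as-is, append the digest to the tag value (`tag: 2026.3.12@sha256:<digest>`, with the digest taken from the registry) and let Renovate maintain it with `pinDigests`, so the reference is immutable.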
@@ -283,13 +283,13 @@

               echo "brew packages: $(brew list --formula | tr '\n' ' ')"
             envFrom:
             - secretRef:
                 name: openclaw-skills-secret
             image:
               repository: ghcr.io/openclaw/openclaw
-              tag: 2026.3.2
+              tag: 2026.3.12
             resources:
               limits:
                 memory: 4Gi
               requests:
                 cpu: 100m
                 memory: 256Mi
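Review bot: the `repository`/`tag` pair under the tool-install container duplicates the one on the main container changed earlier in this same file, so the two stay in step only as long as every update touches both places. Define the image once with a YAML anchor (or a shared values key) and reference it here, so a partial or hand-edited bump cannot leave the init container on a different release than the app.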

@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch from deafde1 to 3bf4bbc Compare February 24, 2026 06:30
@mortyops mortyops bot changed the title fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.22 ) fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.23 ) Feb 24, 2026
@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch from 3bf4bbc to 7ade01a Compare February 25, 2026 04:44
@mortyops mortyops bot changed the title fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.23 ) fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.24 ) Feb 25, 2026
@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch from 7ade01a to d7a8c88 Compare February 26, 2026 04:42
@mortyops mortyops bot changed the title fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.24 ) fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.25 ) Feb 26, 2026
@mortyops mortyops bot changed the title fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.25 ) fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.26 ) Feb 27, 2026
@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch 2 times, most recently from 494774e to a8a8bec Compare March 2, 2026 05:32
@mortyops mortyops bot changed the title fix(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.2.26 ) feat(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.3.1 ) Mar 2, 2026
@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch from a8a8bec to c3fd856 Compare March 3, 2026 05:30
@mortyops mortyops bot changed the title feat(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.3.1 ) feat(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.3.2 ) Mar 3, 2026
@mortyops mortyops bot changed the title feat(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.3.2 ) feat(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.3.2 ) - autoclosed Mar 4, 2026
@mortyops mortyops bot closed this Mar 4, 2026
@mortyops mortyops bot deleted the renovate/ghcr.io-openclaw-openclaw-2026.x branch March 4, 2026 01:44
@mortyops mortyops bot changed the title feat(container): update image ghcr.io/openclaw/openclaw ( 2026.2.21 ➔ 2026.3.2 ) - autoclosed fix(container): update image ghcr.io/openclaw/openclaw ( 2026.3.2 ➔ 2026.3.7 ) Mar 8, 2026
@mortyops mortyops bot reopened this Mar 8, 2026
@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch 4 times, most recently from 406ae5a to 9224fb1 Compare March 9, 2026 08:22
@mortyops mortyops bot changed the title fix(container): update image ghcr.io/openclaw/openclaw ( 2026.3.2 ➔ 2026.3.7 ) fix(container): update image ghcr.io/openclaw/openclaw ( 2026.3.2 ➔ 2026.3.8 ) Mar 9, 2026
@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch from 9224fb1 to cb2783b Compare March 12, 2026 06:27
@mortyops mortyops bot changed the title fix(container): update image ghcr.io/openclaw/openclaw ( 2026.3.2 ➔ 2026.3.8 ) fix(container): update image ghcr.io/openclaw/openclaw ( 2026.3.2 ➔ 2026.3.11 ) Mar 12, 2026
@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch from cb2783b to d03afba Compare March 13, 2026 04:40
@mortyops mortyops bot changed the title fix(container): update image ghcr.io/openclaw/openclaw ( 2026.3.2 ➔ 2026.3.11 ) fix(container): update image ghcr.io/openclaw/openclaw ( 2026.3.2 ➔ 2026.3.12 ) Mar 13, 2026
Owner

@Aviator-Coding Aviator-Coding left a comment

🤖 Auto-approved: safe container update

@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch from d03afba to 4393d61 Compare March 18, 2026 01:44
…026.3.12 )

| datasource | package                   | from     | to        |
| ---------- | ------------------------- | -------- | --------- |
| docker     | ghcr.io/openclaw/openclaw | 2026.3.2 | 2026.3.12 |
@mortyops mortyops bot force-pushed the renovate/ghcr.io-openclaw-openclaw-2026.x branch from 4393d61 to 55b64e7 Compare March 18, 2026 01:54
@Aviator-Coding Aviator-Coding merged commit b37a66c into main Mar 18, 2026
12 checks passed