OpenClaw v2026.5.12-beta.8 Release Summary
Key Changes
Security Hardening & Sandbox Improvements
OpenClaw has implemented several critical security updates to protect host environments and restrict unauthorized access:
- Windows Sandbox Protection: The sandbox now explicitly blocks `USERPROFILE` roots to prevent credential-bearing binds (such as `.ssh` or `.codex`) from being accessed even when the `HOME` environment variable is redirected.
- Device Pairing & Auth:
  - Setup-code bootstrap now requires explicit pairing approval before granting durable node tokens, preventing silent operator-scope escalation.
  - Browser-origin Control UI sessions now require explicit pairing approval rather than silent local pairing.
  - Trusted-proxy authentication has been hardened to reject non-loopback peers that are local interface addresses.
- Tool & Command Gating:
  - Delegated sessions now inherit tool-deny restrictions from their caller, ensuring security policies remain consistent across subagent and ACP delegation paths.
  - Gateway command scopes are now enforced by caller context, ensuring privileged commands are denied regardless of the resolved command channel.
  - PowerShell `-ec` (encoded command) aliases are now recognized as inline payloads, forcing them through the stricter inline-payload approval path.
Runtime & Stability Enhancements
- Telegram Resilience:
  - Polling ingress has been moved to an isolated worker to prevent main event-loop saturation from stalling `getUpdates` calls, which previously led to lost messages.
  - Bot token rotation is now detected via fingerprinted offset state, preventing bots from going "deaf" after a token revoke.
- Codex Harness & ACP:
  - Context Engine Rotation: Lossless-managed Codex sessions now rotate to a fresh native thread if the existing sidecar is incompatible, preventing context-window overflows caused by stale hidden history.
  - Cron Compatibility: Codex cron turns now execute automation payloads directly, skipping expensive workspace bootstrap reads to prevent timeouts.
  - ACP Failover: Added `acp.fallbacks` to allow ACP turns to try backup runtime backends when the primary is unavailable.
- General Stability: A startup grace window (default 60s) has been added to diagnostic heartbeats to suppress false liveness warnings during cold starts.
New Features & Capabilities
- Cron Inspection: Added `openclaw cron get <id>` and a corresponding Gateway RPC, allowing users and agents to inspect a single stored cron job without fetching the entire list.
- Session Lineage: ACP session listings and snapshots now expose Gateway lineage metadata (e.g., `parentSessionId`, `spawnDepth`), enabling the rendering of parent-child session graphs in ACP clients.
- Context Mapping: Introduced the `/context map` command, which generates a WinDirStat-style treemap image of current session context contributors.
- User-Specific Tooling: Added `tools.toolsBySender`, allowing operators to define different tool capability tiers based on the sender's identity (e.g., restricting destructive tools for guests).
Fixes
- Config Data Loss: Fixed a critical issue where `doctor --fix` during version upgrades could strip user-authored config fields. A pre-update persistent snapshot is now created to prevent data loss.
- Subagent Model Precedence: Fixed a bug where `agents.defaults.subagents.model` was ignored in favor of the target agent's primary model, which previously caused subagents to bypass the `claude-cli` runtime.
- OpenAI Schema Normalization: Tool schemas with arrays that omit `items` are now normalized to include `items: {}`, preventing rejection by OpenAI-compatible providers.
- Telegram Formatting: Fixed an issue where cron announce delivery could double-render Markdown links, resulting in literal HTML anchors in the chat.
Impact
This release significantly reduces the risk of privilege escalation through device pairing and sandbox escapes on Windows. For users of the Codex harness and ACP, the improved thread rotation and failover mechanisms provide a more reliable experience for long-running sessions. Telegram users will see improved reliability under high system load due to the isolated polling worker. Operators can now implement more granular security policies using the new per-sender tool capabilities.
Upgrade Guide
Breaking Changes & Migration
- iMessage Sender Allowlist: Sender allowlist matching now only accepts normalized sender handles. Conversation-scoped IDs (chat IDs/GUIDs) are no longer accepted as proof of sender identity. Users must update their `allowFrom` configurations to use sender handles.
- Trusted-Proxy Config: Deployments that listed the gateway host's own non-loopback interface address in `gateway.trustedProxies` will no longer authenticate direct requests from that address. These should be moved to a distinct proxy peer address or the loopback path.
- Pnpm Upgrade: The workspace has been upgraded to pnpm 11. Users performing git source installs will find that bootstrap and build allowlists are now managed via `pnpm-workspace.yaml`.
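The trusted-proxy hardening listed under Security Hardening and the migration note above describe the same rule from two sides. The following is an added illustration, not OpenClaw's own code: it models the peer classification (loopback always local, a host's own non-loopback interface address never a proxy even if listed, other listed addresses or CIDRs accepted as proxies) with a `legacy` switch showing the pre-hardening behaviour, plus a pre-upgrade check that flags `trustedProxies` entries that will stop authenticating. The host interface addresses are constructed sample values.

```python
import ipaddress

# Constructed sample (hypothetical): addresses bound on the gateway host itself.
HOST_INTERFACE_ADDRS = {"127.0.0.1", "::1", "10.0.0.5"}


def _own_addresses(host_addrs):
    return {ipaddress.ip_address(a) for a in host_addrs}


def _listed(ip, trusted_proxies):
    """True if ip falls inside any trusted-proxy entry (address or CIDR).
    Mixed IPv4/IPv6 comparisons simply evaluate to False."""
    return any(ip in ipaddress.ip_network(e, strict=False) for e in trusted_proxies)


def classify_peer(peer, trusted_proxies, host_addrs=HOST_INTERFACE_ADDRS, legacy=False):
    """Classify a TCP peer for trusted-proxy authentication.

    Returns 'loopback' (direct local caller), 'proxy' (a configured proxy peer
    whose forwarded identity may be honoured) or 'rejected'. legacy=True applies
    the pre-hardening rule, where any listed address counted as a proxy, even
    one of the host's own non-loopback interface addresses.
    """
    ip = ipaddress.ip_address(peer)
    if ip.is_loopback:
        return "loopback"
    if not legacy and ip in _own_addresses(host_addrs):
        # Hardened rule: a non-loopback address belonging to this host is a
        # direct request, not a proxy hop, regardless of the config listing.
        return "rejected"
    return "proxy" if _listed(ip, trusted_proxies) else "rejected"


def find_self_entries(trusted_proxies, host_addrs=HOST_INTERFACE_ADDRS):
    """Pre-upgrade check: single-address trustedProxies entries that name this
    host's own non-loopback address and therefore stop authenticating after
    the hardening. Move them to a distinct proxy peer or the loopback path."""
    own = _own_addresses(host_addrs)
    flagged = []
    for entry in trusted_proxies:
        if "/" in entry:
            continue  # CIDR entries are left for the operator to review
        ip = ipaddress.ip_address(entry)
        if ip in own and not ip.is_loopback:
            flagged.append(entry)
    return flagged
```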