OpenClaw Update: Enhancing Codex Stability, Security, and Plugin Architecture

The latest set of merged pull requests for OpenClaw introduces significant improvements across the agent runtime, security boundaries, and plugin extensibility. The primary focus of this window was stabilizing the Codex app-server, particularly regarding memory management and process lifecycles, while simultaneously hardening the gateway against credential leakage in logs.

Beyond stability, the introduction of a formal embedding provider contract marks a strategic shift toward a more modular plugin architecture, decoupling embedding capabilities from the core memory system to allow for broader provider integration.

Merged PRs

• fix(exec): return approved WebChat gateway exec output inline Original PR
• Validate Codex app-server command overrides Original PR
• fix codex memory flush tool surface Original PR
• revert(models): drop auth-profiles.json fs watcher Original PR
• perf(models): make provider auth checks non-blocking Original PR
• fix(codex): extend message tool timeout Original PR
• fix(channels): pass allowBootstrap from channel-selection so in-agent message tool resolves channels in --local processes Original PR
• [codex] add color mode tooltips Original PR
• [codex] Clarify inherited thinking off label Original PR
• [codex] fix control ui chat session picker history Original PR
• fix(telegram): dedupe replayed message dispatches Original PR
• fix(auto-reply): preserve sessions after compaction failures Original PR
• fix(models): provider auth pre-warm Original PR
• fix(slack): keep approvals in app conversation threads Original PR
• fix: constrain Windows task script names [AI] Original PR
• fix(agent): await local agent_end hooks Original PR
• fix(channels): bypass debounce for bare abort triggers [AI-assisted] Original PR
• fix(anthropic): preserve unsafe integer tool inputs Original PR
• fix(codex): block progress-only completions [AI-assisted] Original PR
• fix(codex): unsubscribe app-server thread after runs Original PR
• feat(plugins): add embedding provider contract Original PR
• [AI-assisted] fix(reply): wait for block replies before tools Original PR
• fix(agent): support explicit CLI session keys Original PR
• fix(codex): recover final text after prompt timeout Original PR
• fix(codex): surface native compaction failures Original PR
• feat(tui): coalesce repeated idle TUI abort notices Original PR
• fix: require configured subagent allowlist targets Original PR
• fix(codex): make post-tool raw assistant timeout configurable Original PR
• fix(agents): preserve accepted spawn terminal success Original PR
• fix: redact denied exec failure params Original PR

Key Changes

Codex Runtime & Stability

Several PRs targeted the Codex app-server to resolve critical resource leaks and runtime failures. A major fix addresses the accumulation of chrome-devtools-mcp sidecars, which were driving cgroup memory growth by failing to unsubscribe from threads after runs. Additionally, the system now surfaces native compaction failures rather than silently continuing when over budget, preventing the "poisoned session" state where usage exceeds the model's context window without triggering compaction.

To improve the user experience, the Codex dynamic message tool timeout was extended to 120s to accommodate slow Telegram text sends, and a new configuration option appServer.postToolRawAssistantCompletionIdleTimeoutMs allows for fine-tuning the post-tool raw assistant completion guard.

Security Hardening

Security was a primary focus, particularly regarding log safety and process isolation. A critical fix was implemented to redact raw_params in denied exec failure logs. Previously, if an agent attempted to inline credentials (e.g., export API_KEY=...), these were written in cleartext to gateway.err.log. The system now omits command text and environment values in these failure logs while retaining safe metadata for debugging.

Furthermore, Windows task script names are now constrained to bare file names, preventing path-traversal attempts when constructing task script paths under the gateway state directory.

Plugin Architecture & Core Logic

OpenClaw has introduced a new Embedding Provider Contract. This provides a standardized API (api.registerEmbeddingProvider) and manifest key (contracts.embeddingProviders) for future plugins to implement embedding capabilities independently of the core memory system.

Other core improvements include:

• Non-blocking Auth Checks: Provider authentication checks are now asynchronous, preventing the event loop from blocking for up to 22 seconds during model-listing sweeps.
• Telegram Idempotency: Added account-scoped dispatch deduplication for Telegram to prevent duplicate agent turns when ingress updates are replayed after a gateway restart.
• Anthropic Precision: A new JSON helper ensures that large integer literals (e.g., Discord snowflakes) are quoted as strings before parsing, preventing precision loss in Anthropic tool inputs.

Impact

User Experience

Users will notice a more responsive UI and more reliable agent behavior. The TUI now coalesces repeated "no active run" notices to reduce terminal spam, and the Web chat UI has clearer labeling for inherited thinking settings. The fix for "block replies" ensures that narration text is delivered to the channel before the next tool executes, eliminating the lag where users would see tools run without the preceding explanation.

Operational Reliability

For operators, the reduction in memory growth for Codex users and the elimination of credential leaks in logs significantly improve the security and stability posture of the gateway. The ability to use explicit --session-key selectors in the CLI provides better precision for scripting and automation.

Developer Extensibility

With the new embedding provider contract, developers can now build standalone embedding plugins, paving the way for OpenAI-compatible embeddings and more flexible memory backends without modifying the core OpenClaw codebase.