openclaw v2026.6.6-beta.2 release notes: what's new & changelog
openclaw v2026.6.6-beta.2 delivers substantial security boundary tightening, expanded model provider support, and significant performance optimizations for the Control UI and memory indexing.
Key Changes
Security Hardening
Security boundaries are now substantially tighter across several critical surfaces:
- Host Environment: The host exec sanitizer now blocks request-scoped Rustup environment overrides and expands the unsafe host environment denylist to reject additional interpreter startup and search-path variables. Git protocol-control environment variables are also blocked to prevent loosening Git transport policy.
- Sandbox & Codex: Sandbox bind sources are now validated in both directions to reject parent sources that cover blocked descendants. The Codex sandbox exec-server HTTP bridge now rejects private or internal HTTP targets and pins validated DNS results to prevent validation/connect drift.
- Access Control: Discord moderation actions and Microsoft Teams group-management actions now require a trusted requester sender. Additionally, the deleted-agent guard now requires ACP metadata for bypasses, ensuring that ACP-shaped session keys alone are not treated as proof of an ACP runtime session.
- Data Protection: Transcript image redaction now preserves validated opaque image payloads to prevent secret patterns from corrupting base64 bytes. Browser tool output now neutralizes line-start MEDIA: directives to prevent them from surfacing in model-facing output.
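The Codex bridge item above (reject internal targets, then pin the validated DNS result) follows a general pattern for closing the gap between validating a hostname and connecting to it. The sketch below is an added example and is not OpenClaw's code: isInternalAddress, pinTarget and the injected resolve function are hypothetical names, and the blocked ranges are an assumed list.

```javascript
// Added example, not OpenClaw code; every name below is hypothetical.
const BLOCKED_V4 = [ // [network, prefix length], an assumed list
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

// Dotted-quad IPv4 -> unsigned integer, or null when the string is not IPv4.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInternalAddress(ip) {
  const lower = ip.toLowerCase();
  const mapped = lower.startsWith("::ffff:") ? lower.slice(7) : lower;
  const n = ipv4ToInt(mapped); // IPv4-mapped IPv6 is judged as IPv4
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(ipv4ToInt(net) / size);
    });
  }
  // Fail closed on hex-form mapped addresses and on anything that is not an IP.
  if (lower.startsWith("::ffff:") || !lower.includes(":")) return true;
  // IPv6 loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
  return lower === "::1" || lower === "::" ||
    /^f[cd][0-9a-f]{2}:/.test(lower) || /^fe[89ab][0-9a-f]:/.test(lower);
}

// Resolve once, validate every answer, return the address to dial.
// `resolve` is an injected lookup: hostname -> Promise<string[]>.
async function pinTarget(rawUrl, resolve) {
  const url = new URL(rawUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error("scheme not allowed");
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const isLiteral = ipv4ToInt(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : await resolve(host);
  if (addrs.length === 0 || addrs.some(isInternalAddress)) throw new Error("internal target rejected");
  // The caller dials `address` and sends `hostHeader`; it never looks `host` up again,
  // so a second DNS answer cannot differ from the one that was validated.
  return { address: addrs[0], hostHeader: url.host };
}
```

A check that resolves the name for validation and lets the HTTP client resolve it again for the connection can pass on the first answer and connect to the second; returning the validated address removes that second lookup.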
Provider & Model Support
- Anthropic: Added support for Claude Fable 5 across direct API, Vertex, Bedrock, and Anthropic-compatible deployment aliases, including adaptive-thinking defaults and refusal handling.
- OpenRouter: Integrated OpenRouter PKCE OAuth login into the top-level CLI onboarding process.
- OpenAI: Realtime voice now requires OpenAI Platform API-key credentials instead of OAuth bearer tokens. Additionally, reasoning content replay is now preserved for Gemma 4 openai-completions models.
- Ollama: The SDK session factory now respects the provider's thinking default (e.g., "off" for Ollama), preventing models from spending their output budget on reasoning when not intended.
Performance & UI Optimizations
- Control UI: Startup and first-reply latency are reduced through cached model metadata, removal of the startup catalog wait, and lazy slash-command loading. A new first-assistant-event server timing phase allows for better latency diagnostics.
- Memory Indexing: Memory embedding work is now batched across files for providers that opt into source-wide batch submission (e.g., OpenAI), significantly reducing the number of provider batch jobs.
- TUI: The TUI now prewarms runtime plugins before the first send to eliminate cold-activation spikes, and the footer now displays the connection hostname for URL-backed Gateway connections.
Channel Improvements
- Telegram: Delivery is more coherent with preserved streamed text blocks between tool calls. Account-scoped topic agents are now correctly routed, and the /compact command is restored on generic message ingress.
- iMessage: Inbound recovery and deduplication are now always-on, replacing the opt-in catchup subsystem. Outbound send transport is hardened with a new sendTransport configuration and separate send clients to prevent wedged watch subscriptions from blocking sends.
- Discord: Inbound messages now hydrate missing quoted messages through REST when a message_reference is present. Reply context metadata is now exposed through plugin hook contracts.
- WhatsApp: Captured replies are now routed through the successor controller after a restart, preventing silent reply failures after transient disconnects.
Impact
User Experience
Users will notice faster Control UI load times and more responsive TUI interactions. Telegram and iMessage users will experience more reliable message delivery and better handling of streamed content.
Security Posture
This release significantly reduces the risk of unattended execution and environment escape by failing closed on exec approval timeouts and strictly filtering host environment variables. The hardening of the Codex sandbox and browser tool output further isolates the agent from the host system.
Operational Changes
Operators using local memory embeddings may need to install the new @openclaw/llama-cpp-provider plugin, as the node-llama-cpp dependency has been moved from the core package to this provider plugin.
Upgrade Guide
Breaking Changes & Migration
- Local Memory Embeddings: The local embedding provider is no longer built-in. Users must install the @openclaw/llama-cpp-provider plugin. Run openclaw doctor --fix to automatically map memorySearch.provider: "local" to the official plugin install.
- Exec Approvals: Unanswered exec approval requests now deny by default after the configured timeout. Operators who require auto-approval on timeout must explicitly set askFallback in their exec approvals policy.
- OpenAI Realtime Voice: OAuth-only setups will no longer work for Realtime voice. Users must configure an OpenAI Platform API key or an openai API-key auth profile.
- Android Nodes: The foreground service type for persistent nodes has changed from dataSync to connectedDevice to comply with Android 15 time budgets.
FAQ
What's new in v2026.6.6-beta.2? This release introduces tighter security boundaries for host and sandbox environments, adds support for Claude Fable 5 and OpenRouter OAuth, optimizes Control UI and TUI performance, and improves delivery reliability for Telegram, iMessage, and WhatsApp.
Are there any breaking changes? Yes. Local memory embeddings now require a separate provider plugin, exec approval timeouts now fail closed by default, and OpenAI Realtime voice now requires API-key authentication.
How do I upgrade? Users should update the package and then run openclaw doctor --fix to handle the migration of local memory embedding providers and other state repairs.