
OpenClaw Update: Security Hardening, Heartbeat Reliability, and Codex Migration Enhancements

18:30–00:30 UTC May 12, 2026

Merged PRs

  • fix(config-audit): scrub pre-redactor argv values from historical config-audit.jsonl entries [Original PR]
  • feat(onboard): offer codex migration after harness install [Original PR]
  • fix: improve Codex migration selector enter [Original PR]
  • fix(heartbeat): multi-agent cadence — parallel broadcast, per-agent busy check, prompt assembly, connect-timeout, doctor warning [Original PR]
  • fix(agents/harness): pass tool results through tool-result middleware safely [Original PR]
  • fix(memory-core): prevent staged dream candidates from leaking into MEMORY.md [Original PR]
  • Handle generic provider internal errors [Original PR]
  • docs: split plugin docs navigation [Original PR]
  • build(canvas): stop tracking a2ui bundle hash [Original PR]
  • fix(codex): gate migration on app readiness [Original PR]

Key Changes

Security & Data Integrity

Configuration Audit Scrubbing

Previously, OpenClaw implemented forward redaction for credential-bearing values in config-audit.jsonl. However, historical entries created before this fix remained in plaintext. A new scrubConfigAuditLog function has been introduced, integrated into the openclaw doctor --fix flow. This allows users to atomically rewrite their audit logs, masking sensitive tokens (e.g., Slack, Telegram) while preserving forensic metadata and file permissions (0600).
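The scrub-and-swap pattern described above, as an added example that is not OpenClaw's own code: it masks token-shaped strings in each JSONL record, leaves untouched lines byte-identical, and replaces the file through an owner-only temp file plus rename. The record fields, the function names `scrubLine` and `scrubAuditLog`, and the two token regexes (approximations of the public Slack and Telegram token shapes) are assumptions.

```javascript
// Added example, not OpenClaw source. Record layout and regexes are assumptions.
const fs = require("node:fs");
const path = require("node:path");

const MASK = "***REDACTED***";
// Approximate public token shapes: Slack xox?-..., Telegram <bot id>:<35 chars>.
const TOKEN_PATTERNS = [
  /xox[abprs]-[A-Za-z0-9-]{10,}/g,
  /\d{6,12}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])/g,
];

// Mask string leaves only, so timestamps, keys and other metadata survive.
function maskValue(v) {
  if (typeof v === "string") {
    return TOKEN_PATTERNS.reduce((s, re) => s.replace(re, MASK), v);
  }
  if (Array.isArray(v)) return v.map(maskValue);
  if (v && typeof v === "object") {
    return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, maskValue(x)]));
  }
  return v;
}

// Returns the scrubbed line, or the original bytes when nothing matched.
function scrubLine(line) {
  let rec;
  try { rec = JSON.parse(line); } catch { return maskValue(line); } // keep odd lines
  const before = JSON.stringify(rec);
  const after = JSON.stringify(maskValue(rec));
  return after === before ? line : after;
}

// Rewrites the log in place; returns how many lines were changed.
function scrubAuditLog(file) {
  const lines = fs.readFileSync(file, "utf8").split("\n");
  const out = lines.map(scrubLine);
  const changed = out.filter((l, i) => l !== lines[i]).length;
  if (changed === 0) return 0; // nothing to scrub, leave the file untouched
  // Temp file in the same directory so rename() stays on one filesystem.
  const tmp = path.join(path.dirname(file), `.${path.basename(file)}.${process.pid}.tmp`);
  const fd = fs.openSync(tmp, "wx", 0o600); // owner-only from creation, never wider
  try {
    fs.writeFileSync(fd, out.join("\n"));
    fs.fsyncSync(fd); // flush data before the swap
  } finally {
    fs.closeSync(fd);
  }
  fs.renameSync(tmp, file); // readers see the old or the new file, never a partial one
  return changed;
}
```

Scrubbing the live file does not reach copies already taken by backups or log shippers, and a token that sat in plaintext should still be rotated.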

Memory Core Hardening

To prevent MEMORY.md from bloating and being truncated in the agent's context, the dreaming promotion logic was hardened. The system now detects and rejects "contaminated" dream candidates (specifically those with inline metadata or those residing within managed dreaming fences), ensuring only clean, durable notes are promoted to long-term memory.

Orchestration & Reliability

Multi-Agent Heartbeat Overhaul

Significant fixes were applied to the heartbeat runner to resolve silent failures in multi-agent setups:

  • Parallel Broadcast: Heartbeats are now dispatched in parallel via Promise.all, preventing a single slow agent from starving others.
  • Per-Agent Busy Checks: The skipWhenBusy logic is now attributed to specific agents rather than using a global subagent lane, ensuring one stuck subagent doesn't disable all heartbeats.
  • Prompt Assembly: HEARTBEAT.md directives are now consistently appended to the dispatch prompt, reducing the need for the model to perform manual read calls.
  • Connection Timeouts: A watchdog now aborts SDK requests stuck at connection establishment after the configured idle timeout.

Tool Result Middleware Safety

A bug was fixed where tool results were silently discarded if a pi runtime middleware (like tokenjuice) was registered. The harness now sanitizes incoming tool results (dropping functions, symbols, and cycles) before passing them to middleware, ensuring that complex dependency payloads from tool emitters no longer trigger validation failures.

Codex Integration & DX

Streamlined Onboarding

Users are now prompted to migrate their personal Codex CLI state (skills, config, hooks) immediately after the Codex harness plugin is installed during onboarding. This is handled via a generic seam, allowing future plugins (like Claude or Hermes) to offer similar migrations.

Migration Robustness

Codex migration is now gated on "app readiness." The system verifies that app-backed plugins are actually available via isolated source app-server probes before planning their migration. This prevents the migration of unavailable plugins and avoids auth conflicts by isolating source and destination profiles.

UI/UX Improvements

  • Migration Selector: The openclaw migrate codex multi-select prompt now correctly treats Enter as activation for command rows (like "Skip for now") while preserving explicit deselections made with Space.
  • Error Handling: Generic OpenAI-compatible provider internal errors are now normalized into user-friendly messages, hiding raw provider request IDs and classifying the errors as transient for better failover handling.

Impact

These changes collectively move OpenClaw toward a more production-ready state for multi-agent deployments. The heartbeat fixes eliminate a critical class of silent failures where autonomous wakes would simply stop firing, while the security scrub addresses a lingering vulnerability regarding credentials at rest.

For users migrating from Codex, the onboarding experience is now more intuitive and less prone to failure due to missing app dependencies. Additionally, the hardening of MEMORY.md ensures that agent context remains high-signal, preventing the silent loss of durable memories caused by file bloat and subsequent truncation.
