openclaw 2026.2.19

Changes

• iOS/Watch: add an Apple Watch companion MVP with watch inbox UI, watch notification relay handling, and gateway command surfaces for watch status/send flows. (#20054) Thanks @mbelinky.
• iOS/Gateway: wake disconnected iOS nodes via APNs before nodes.invoke and auto-reconnect gateway sessions on silent push wake to reduce invoke failures while the app is backgrounded. (#20332) Thanks @mbelinky.
• Gateway/CLI: add paired-device hygiene flows with device.pair.remove, plus openclaw devices remove and guarded openclaw devices clear --yes [--pending] commands for removing paired entries and optionally rejecting pending requests. (#20057) Thanks @mbelinky.
• iOS/APNs: add push registration and notification-signing configuration for node delivery. (#20308) Thanks @mbelinky.
• Gateway/APNs: add a push-test pipeline for APNs delivery validation in gateway flows. (#20307) Thanks @mbelinky.
• Security/Audit: add gateway.http.no_auth findings when gateway.auth.mode="none" leaves Gateway HTTP APIs reachable, with loopback warning and remote-exposure critical severity, plus regression coverage and docs updates.
• Skills: harden coding-agent skill guidance by removing shell-command examples that interpolate untrusted issue text directly into command strings.
• Dev tooling: align oxfmt local/CI formatting behavior. (#12579) Thanks @vincentkoc.

Fixes

• Agents/Streaming: keep assistant partial streaming active during reasoning streams, handle native thinking_* stream events consistently, dedupe mixed reasoning-end signals, and clear stale mutating tool errors after same-target retry success. (#20635) Thanks @obviyus.
• iOS/Screen: move WKWebView lifecycle ownership into ScreenWebView coordinator and explicit attach/detach flow to reduce gesture/lifecycle crash risk (__NSArrayM insertObject:atIndex: paths) during screen tab updates. (#20366) Thanks @ngutman.
• iOS/Onboarding: prevent pairing-status flicker during auto-resume by keeping resumed state transitions stable. (#20310) Thanks @mbelinky.
• iOS/Onboarding: stabilize pairing and reconnect behavior by resetting stale pairing request state on manual retry, disconnecting both operator and node gateways on operator failure, and avoiding duplicate pairing loops from operator transport identity attachment. (#20056) Thanks @mbelinky.
• iOS/Signing: restore local auto-selected signing-team overrides during iOS project generation by wiring .local-signing.xcconfig into the active signing config and emitting OPENCLAW_DEVELOPMENT_TEAM in local signing setup. (#19993) Thanks @ngutman.
• Telegram: unify message-like inbound handling so message and channel_post share the same dedupe/access/media pipeline and remain behaviorally consistent. (#20591) Thanks @obviyus.
• Telegram/Agents: gate exec/bash tool-failure warnings behind verbose mode so default Telegram replies stay clean while verbose sessions still surface diagnostics. (#20560) Thanks @obviyus.
• Telegram/Cron/Heartbeat: honor explicit Telegram topic targets in cron and heartbeat delivery (<chatId>:topic:<threadId>) so scheduled sends land in the configured topic instead of the last active thread. (#19367) Thanks @Lukavyi.
• Gateway/Daemon: forward TMPDIR into installed service environments so macOS LaunchAgent gateway runs can open SQLite temp/journal files reliably instead of failing with SQLITE_CANTOPEN. (#20512) Thanks @Clawborn.
• Agents/Billing: include the active model that produced a billing error in user-facing billing messages (for example, OpenAI (gpt-5.3)) across payload, failover, and lifecycle error paths, so users can identify exactly which key needs credits. (#20510) Thanks @echoVic.
• Gateway/TUI: honor agents.defaults.blockStreamingDefault for chat.send by removing the hardcoded block-streaming disable override, so replies can use configured block-mode delivery. (#19693) Thanks @neipor.
• UI/Sessions: accept the canonical main session-key alias in Chat UI flows so main-session routing stays consistent. (#20311) Thanks @mbelinky.
• OpenClawKit/Protocol: preserve JSON boolean literals (true/false) when bridging through AnyCodable so Apple client RPC params no longer re-encode booleans as 1/0. Thanks @mbelinky.
• Commands/Doctor: skip embedding-provider warnings when memory.backend is qmd, because QMD manages embeddings internally and does not require memorySearch providers. (#17263) Thanks @miloudbelarebia.
• Canvas/A2UI: improve bundled-asset resolution and empty-state handling so UI fallbacks render reliably. (#20312) Thanks @mbelinky.
• Commands/Doctor: avoid rewriting invalid configs with new gateway.auth.token defaults during repair and only write when real config changes are detected, preventing accidental token duplication and backup churn.
• Gateway/Auth: default unresolved gateway auth to token mode with startup auto-generation/persistence of gateway.auth.token, while allowing explicit gateway.auth.mode: "none" for intentional open loopback setups. (#20686) thanks @gumadeiras.
• Channels/Matrix: fix mention detection for formatted_body Matrix-to links by handling matrix.to mention formats consistently. (#16941) Thanks @zerone0x.
• Heartbeat/Cron: skip interval heartbeats when HEARTBEAT.md is missing or empty and no tagged cron events are queued, while preserving cron-event fallback for queued tagged reminders. (#20461) thanks @vikpos.
• Browser/Relay: reuse an already-running extension relay when the relay port is occupied by another OpenClaw process, while still failing on non-relay port collisions to avoid masking unrelated listeners. (#20035) Thanks @mbelinky.
• Scripts: update clawdock helper command support to include docker-compose.extra.yml where available. (#17094) Thanks @zerone0x.
• Lobster/Config: remove Lobster executable-path overrides (lobsterPath), require PATH-based execution, and add focused Windows wrapper-resolution tests to keep shell-free behavior stable.
• Gateway/WebChat: block sessions.patch and sessions.delete for WebChat clients so session-store mutations stay restricted to non-WebChat operator flows. Thanks @allsmog for reporting.
• Gateway: clarify launchctl GUI domain bootstrap failure on macOS. (#13795) Thanks @vincentkoc.
• Lobster/CI: fix flaky test Windows cmd shim script resolution. (#20833) Thanks @vincentkoc.
• Browser/Relay: require gateway-token auth on both /extension and /cdp, and align Chrome extension setup to use a single gateway.auth.token input for relay authentication. Thanks @tdjackey for reporting.
• Gateway/Hooks: run BOOT.md startup checks per configured agent scope, including per-agent session-key resolution, startup-hook regression coverage, and non-success boot outcome logging for diagnosability. (#20569) thanks @mcaxtr.
• Protocol/Apple: regenerate Swift gateway models for push.test so pnpm protocol:check stays green on main. Thanks @mbelinky.
• Sandbox/Registry: serialize container and browser registry writes with shared file locks and atomic replacement to prevent lost updates and delete rollback races from desyncing sandbox list, prune, and recreate --all. Thanks @kexinoh.
• OTEL/diagnostics-otel: complete OpenTelemetry v2 API migration. (#12897) Thanks @vincentkoc.
• Cron/Webhooks: protect cron webhook POST delivery with SSRF-guarded outbound fetch (fetchWithSsrFGuard) to block private/metadata destinations before request dispatch. Thanks @Adam55A-code.
• Security/Voice Call: harden voice-call telephony TTS override merging by blocking unsafe deep-merge keys (__proto__, prototype, constructor) and add regression coverage for top-level and nested prototype-pollution payloads.
• Security/Windows Daemon: harden Scheduled Task gateway.cmd generation by quoting cmd metacharacter arguments, escaping %/! expansions, and rejecting CR/LF in arguments, descriptions, and environment assignments (set "KEY=VALUE"), preventing command injection in Windows daemon startup scripts. This ships in the next npm release. Thanks @tdjackey for reporting.
• Security/Gateway/Canvas: replace shared-IP fallback auth with node-scoped session capability URLs for /__openclaw__/canvas/* and /__openclaw__/a2ui/*, fail closed when trusted-proxy requests omit forwarded client headers, and add IPv6/proxy-header regression coverage. This ships in the next npm release. Thanks @aether-ai-agent for reporting.
• Security/Net: enforce strict dotted-decimal IPv4 literals in SSRF checks and fail closed on unsupported legacy forms (octal/hex/short/packed, for example 0177.0.0.1, 127.1, 2130706433) before DNS lookup.
• Security/Discord: enforce trusted-sender guild permission checks for moderation actions (timeout, kick, ban) and ignore untrusted senderUserId params to prevent privilege escalation in tool-driven flows. Thanks @aether-ai-agent for reporting.
• Security/ACP+Exec: add openclaw acp --token-file/--password-file secret-file support (with inline secret flag warnings), redact ACP working-directory prefixes to ~ home-relative paths, constrain exec script preflight file inspection to the effective workdir boundary, and add security-audit warnings when tools.exec.host="sandbox" is configured while sandbox mode is off.
• Security/Plugins/Hooks: enforce runtime/package path containment with realpath checks so openclaw.extensions, openclaw.hooks, and hook handler modules cannot escape their trusted roots via traversal or symlinks.
• Security/Discord: centralize trusted sender checks for moderation actions in message-action dispatch, share moderation command parsing across handlers, and clarify permission helpers with explicit any/all semantics.
• Security/ACP: harden ACP bridge session management with duplicate-session refresh, idle-session reaping, oldest-idle soft-cap eviction, and burst rate limiting on session creation to reduce local DoS risk without disrupting normal IDE usage.
• Security/ACP: bound ACP prompt text payloads to 2 MiB before gateway forwarding, account for join separator bytes during pre-concatenation size checks, and avoid stale active-run session state when oversized prompts are rejected. Thanks @aether-ai-agent for reporting.
• Security/Plugins/Hooks: add optional --pin for npm plugin/hook installs, persist resolved npm metadata (name, version, spec, integrity, shasum, timestamp), warn/confirm on integrity drift during updates, and extend openclaw security audit to flag unpinned specs, missing integrity metadata, and install-record version drift.
• Security/Plugins: harden plugin discovery by blocking unsafe candidates (root escapes, world-writable paths, suspicious ownership), add startup warnings when plugins.allow is empty with discoverable non-bundled plugins, and warn on loaded plugins without install/load-path provenance.
• Security/Gateway: rate-limit control-plane write RPCs (config.apply, config.patch, update.run) to 3 requests per minute per deviceId+clientIp, add restart single-flight coalescing plus a 30-second restart cooldown, and log actor/device/ip with changed-path audit details for config/update-triggered restarts.
• Security/Webhooks: harden Feishu and Zalo webhook ingress with webhook-mode token preconditions, loopback-default Feishu bind host, JSON content-type enforcement, per-path rate limiting, replay dedupe for Zalo events, constant-time Zalo secret comparison, and anomaly status counters.
• Security/Plugins: for the next npm release, clarify plugin trust boundary and keep runtime.system.runCommandWithTimeout available by default for trusted in-process plugins. Thanks @markmusson for reporting.
• Security/Skills: for the next npm release, reject symlinks during skill packaging to prevent external file inclusion in distributed .skill archives. Thanks @aether-ai-agent for reporting.
• Security/Gateway: fail startup when hooks.token matches gateway.auth.token so hooks and gateway token reuse is rejected at boot. (#20813) Thanks @coygeek.
• Security/Network: block plaintext ws:// connections to non-loopback hosts and require secure websocket transport elsewhere. (#20803) Thanks @jscaldwell55.
• Security/Config: parse frontmatter YAML using the YAML 1.2 core schema to avoid implicit coercion of on/off-style values. (#20857) Thanks @davidrudduck.
• Security/Discord: escape backticks in exec-approval embed content to prevent markdown formatting injection via command text. (#20854) Thanks @davidrudduck.
• Security/Agents: replace shell-based execSync usage with execFileSync in command lookup helpers to eliminate shell argument interpolation risk. (#20655) Thanks @mahanandhi.
• Security/Media: use crypto.randomBytes() for temp file names and set owner-only permissions for TTS temp files. (#20654) Thanks @mahanandhi.
• Security/Gateway: set baseline security headers (X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer) on gateway HTTP responses. (#10526) Thanks @abdelsfane.
• Security/iMessage: harden remote attachment SSH/SCP handling by requiring strict host-key verification, validating channels.imessage.remoteHost as host/user@host, and rejecting unsafe host tokens from config or auto-detection. Thanks @allsmog for reporting.
• Security/Feishu: prevent path traversal in Feishu inbound media temp-file writes by replacing key-derived temp filenames with UUID-based names. Thanks @allsmog for reporting.
• Security/Feishu: escape mention regex metacharacters in stripBotMention so crafted mention metadata cannot trigger regex injection or ReDoS during inbound message parsing. (#20916) Thanks @orlyjamie for the fix and @allsmog for reporting.
• LINE/Security: harden inbound media temp-file naming by using UUID-based temp paths for downloaded media instead of external message IDs. (#20792) Thanks @mbelinky.
• Security/Media: harden local media ingestion against TOCTOU/symlink swap attacks by pinning reads to a single file descriptor with symlink rejection and inode/device verification in saveMediaSource. Thanks @dorjoos for reporting.
• Security/Lobster (Windows): for the next npm release, remove shell-based fallback when launching Lobster wrappers (.cmd/.bat) and switch to explicit argv execution with wrapper entrypoint resolution, preventing command injection while preserving Windows wrapper compatibility. Thanks @allsmog for reporting.
• Security/Exec: require tools.exec.safeBins binaries to resolve from trusted bin directories (system defaults plus gateway startup PATH) so PATH-hijacked trojan binaries cannot bypass allowlist checks. Thanks @jackhax for reporting.
• Security/Exec: remove file-existence oracle behavior from tools.exec.safeBins by using deterministic argv-only stdin-safe validation and blocking file-oriented flags (for example sort -o, jq -f, grep -f) so allow/deny results no longer disclose host file presence. This ships in the next npm release. Thanks @nedlir for reporting.
• Security/Browser: route browser URL navigation through one SSRF-guarded validation path for tab-open/CDP-target/Playwright navigation flows and block private/metadata destinations by default (configurable via browser.ssrfPolicy). This ships in the next npm release. Thanks @dorjoos for reporting.
• Security/Exec: for the next npm release, harden safe-bin stdin-only enforcement by blocking output/recursive flags (sort -o/--output, grep recursion) and tightening default safe bins to remove sort/grep, preventing safe-bin allowlist bypass for file writes/recursive reads. Thanks @nedlir for reporting.
• Security/Gateway/Agents: remove implicit admin scopes from agent tool gateway calls by classifying methods to least-privilege operator scopes, and enforce owner-only tooling (cron, gateway, whatsapp_login) through centralized tool-policy wrappers plus tool metadata to prevent non-owner DM privilege escalation. Ships in the next npm release. Thanks @Adam55A-code for reporting.
• Security/Gateway: centralize gateway method-scope authorization and default non-CLI gateway callers to least-privilege method scopes, with explicit CLI scope handling, full core-handler scope classification coverage, and regression guards to prevent scope drift.
• Security/Net: block SSRF bypass via NAT64 (64:ff9b::/96, 64:ff9b:1::/48), 6to4 (2002::/16), and Teredo (2001:0000::/32) IPv6 transition addresses, and fail closed on IPv6 parse errors. Thanks @jackhax.
• Security/OTEL: sanitize OTLP endpoint URL resolution. (#13791) Thanks @vincentkoc.
• Security: patch Dependabot security issues in pnpm lock. (#20832) Thanks @vincentkoc.
• Security: migrate request dependencies to @cypress/request. (#20836) Thanks @vincentkoc.