[ SPECIAL EDITION ] — daily.alfredaichinger.xyz — 2026-04-18 — OpenClaw Deep Dive
── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ── ──
OpenClaw shipped four releases between April 10–16. The arc:
4.11 seeded new memory introspection and video tooling.
4.12 was the biggest — Active Memory, three security patches, Dreaming overhaul, LM Studio.
4.14 focused on GPT-5.4 family and SSRF/security hardening.
4.15 shipped Gemini TTS, LanceDB cloud memory, and the Model Auth UI card.
No v2026.4.13 was released (pre-release only, absorbed into 4.14).
| Version | Type | Area | What changed |
|---|---|---|---|
| 4.11 | NEW | Memory/Dreaming | ChatGPT import ingestion in Dreaming. New Memory Palace + Imported Insights diary subtabs. Review imported source chats directly from the UI. |
| 4.11 | NEW | Tools | video_generate gets URL-only asset delivery, typed providerOptions, reference audio inputs, per-asset role hints, and adaptive aspect ratio. Higher image-input cap. |
| 4.11 | NEW | QA | GPT-5.4 vs Opus 4.6 agentic parity report gate added. First formal benchmark comparison baked into the release pipeline. |
| 4.12 | NEW | Memory | Active Memory plugin — dedicated memory sub-agent fires before every main reply, pulls relevant context automatically. Configurable context modes (message/recent/full). No more manual "search memory" prompts needed. |
| 4.12 | SEC | Security | Three critical patches: busybox/toybox removed from safe interpreter bins; empty approver list no longer grants authorization; shell-wrapper detection broadened + env-argv assignment injection blocked. |
| 4.12 | NEW | Models | Bundled LM Studio provider with runtime model discovery, stream preload, and memory-search embeddings for local OpenAI-compatible setups. |
| 4.12 | CHANGE | Dreaming | Default dreaming.storage.mode: inline → separate. Dream phases now land in memory/dreaming/{phase}/YYYY-MM-DD.md instead of polluting daily memory files. Opt back in with storage.mode: "inline". |
| 4.12 | NEW | CLI | New openclaw exec-policy command (show/preset/set) for syncing tools.exec.* config with local approvals file. |
| 4.14 | NEW | Models/Codex | Forward-compat support for gpt-5.4-pro added (Codex pricing/limits, list/status visibility). GitHub Copilot GPT-5.4 can now use xhigh reasoning. |
| 4.14 | SEC | Security | Model-facing gateway tool now blocks dangerous config patches: dangerouslyDisableDeviceAuth, allowInsecureAuth, dangerouslyAllowHostHeaderOriginFallback, hooks.gmail.allowUnsafeExternalContent, tools.exec.applyPatch.workspaceOnly:false — model can no longer self-escalate privileges. |
| 4.14 | FIX | Browser | SSRF fix: restored hostname navigation under default policy. Strict mode still reachable via config. Separate fix keeps loopback CDP reachable. Relevant: our setup uses dangerouslyAllowPrivateNetwork: true. |
| 4.14 | CHANGE | Models | openai-codex/gpt-5.4-codex alias → canonicalized to openai-codex/gpt-5.4. Our config already uses the canonical form — no action needed. |
| 4.15 | NEW | Channels/Google | Google TTS via Gemini. WAV reply output + PCM telephony output. Setup and docs included. |
| 4.15 | NEW | Control UI | Model Auth status card in Overview. Shows OAuth token health, provider rate-limit pressure, expiry warnings. Backed by models.authStatus gateway method (60s cache). |
| 4.15 | NEW | Memory | LanceDB cloud storage support — memory indexes can now live on remote object storage instead of local disk. Good for multi-machine or backup scenarios. |
| 4.15 | NEW | Memory | GitHub Copilot embedding provider for memory search. Reusable transport with token refresh and safer payload validation. |
| 4.15 | NEW | Agents | agents.defaults.experimental.localModelLean: true — drops browser, cron, message tools from default prompt for weaker local models. Normal path unchanged. |
| 4.15 | SEC | Security | MEDIA: passthrough trust anchored to exact registered built-in tool names. Client tools whose names collide with built-ins → 400 error. DM pairing store can no longer authorize room control commands. |
| 4.15 | FIX | Context | Trimmed default startup/skills prompt budgets. memory_get excerpts now capped with continuation metadata by default. Reduces context consumption in long sessions. |
| 4.15 | FIX | Agents | Unknown-tool stream guard now enabled by default. Previously off unless explicitly configured — hallucinated tools no longer wedge the agent loop. |
| 4.15 | FIX | Models | Anthropic defaults bumped to Claude Opus 4.7. Our install pins Sonnet 4.6 explicitly — unaffected. Tilde path (~/) resolution fixed for non-standard OPENCLAW_HOME setups. |
| 4.15 | FIX | Cron | Cron announce replies ending with NO_REPLY no longer leak summary text to target channel. Our multi-cron setup benefits directly. |
Memory and Security each received substantial attention across all four releases. Memory got a brand-new sub-agent plugin, a Dreaming storage overhaul, LanceDB cloud support, and context budget trimming.
Security got five distinct fixes — three in one release, with 4.14 blocking model self-escalation and 4.15 hardening MEDIA trust.
🧠 Active Memory Plugin NEW 4.12
Automatic context recall before every reply
The biggest memory change since QMD. Active Memory runs a dedicated sub-agent before the main reply turn, searching memory and injecting relevant context automatically.
No more "remember this" or "search memory" prompts needed.
Modes: message (current thread only) · recent (last N turns) · full (all sessions)
Status: opt-in. Enable via plugins config.
Config key: plugins.entries.active-memory.enabled: true
☁️ LanceDB Cloud Storage NEW 4.15
Memory indexes on remote object storage
The memory-lancedb backend now supports cloud storage (S3-compatible and others). Durable memory indexes survive machine failures and enable multi-device scenarios.
Use case: Backup, multi-machine sync, NAS/VPS deployments.
Current setup: We use QMD (local) — LanceDB cloud is a separate backend option, not a replacement for QMD.
📁 Dreaming Storage Mode CHANGE 4.12
Default: inline → separate
Dream phase output (Light Sleep, REM Sleep, Deep Sleep blocks) no longer pollutes daily memory files.
New default: phases write to memory/dreaming/{phase}/YYYY-MM-DD.md.
Impact for us: We don't use Dreaming — no immediate impact. But if we enable it in the future, the cleaner default applies automatically.
Opt-in to old behavior: plugins.entries.memory-core.config.dreaming.storage.mode: "inline"
📊 Context Budget Trimming FIX 4.15
Smaller default prompt footprint
Trimmed default startup/skills prompt budgets. memory_get excerpts now capped by default with explicit continuation metadata.
Impact: Long sessions pull less context. Reduces cost and context window pressure — particularly relevant for our 200k context limit. QMD reads aligned with the same bounded excerpt contract.
[ Security Fixes — v4.12 + v4.14 + v4.15 ]
🔴 Shell Injection 4.12
busybox removed + env-argv blocked
busybox/toybox removed from interpreter-safe bins. Shell-wrapper detection broadened. env-argv assignment injection explicitly blocked.
Prevents privilege escalation via wrapped shell interpreters.
🔴 Approvals Gate 4.12
Empty approver list no longer grants auth
A missing/empty approver list previously granted authorization by default. Fixed: empty list → no approval. Critical for setups using the exec approval system.
🔴 Model Self-Escalation 4.14
Dangerous config patches blocked at gateway level
The model-facing gateway tool now rejects config patches that would enable dangerous flags:
dangerouslyDisableDeviceAuth, allowInsecureAuth, dangerouslyAllowHostHeaderOriginFallback, unsafe Gmail content, workspaceOnly:false.
Models can no longer self-escalate.
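A deny-list check of this kind, as an added example that is not OpenClaw's own code: it walks a proposed config patch (or an existing openclaw.json) and fails closed when any flag named above is set away from its safe value. Matching a flag wherever its name ends a key path is an assumption, and the `gateway` parent key in the sample is hypothetical.

```javascript
// Added example, not OpenClaw's code. Flag names come from the list above.
// Assumption: a flag counts wherever its name ends a key path, since the page
// gives full paths for only two of the five.
const RULES = [
  { key: "dangerouslyDisableDeviceAuth", safe: false },
  { key: "allowInsecureAuth", safe: false },
  { key: "dangerouslyAllowHostHeaderOriginFallback", safe: false },
  { key: "hooks.gmail.allowUnsafeExternalContent", safe: false },
  { key: "tools.exec.applyPatch.workspaceOnly", safe: true },
];

// Walk a parsed config or proposed patch; return each path that sets a listed
// flag to anything other than its safe value.
function findDangerousFlags(node, path = []) {
  if (node === null || typeof node !== "object") return [];
  const hits = [];
  for (const [key, value] of Object.entries(node)) {
    const dotted = [...path, key].join(".");
    for (const rule of RULES) {
      const matches = dotted === rule.key || dotted.endsWith("." + rule.key);
      // Compare against the safe value so "true" or 1 cannot slip past.
      if (matches && value !== rule.safe) hits.push(dotted);
    }
    hits.push(...findDangerousFlags(value, [...path, key]));
  }
  return hits;
}

// Fail closed: the patch is allowed only when nothing was flagged.
function reviewPatch(patch) {
  const rejected = findDangerousFlags(patch);
  return { allowed: rejected.length === 0, rejected };
}

// Constructed sample patches (not captured from a real session).
const benignPatch = {
  agents: { defaults: { model: { fallbacks: ["anthropic/claude-sonnet-4-6"] } } },
};
const escalatingPatch = {
  tools: { exec: { applyPatch: { workspaceOnly: false } } },
  hooks: { gmail: { allowUnsafeExternalContent: true } },
  gateway: { allowInsecureAuth: "true" }, // hypothetical parent key, string value
};
const dottedKeyPatch = { "tools.exec.applyPatch.workspaceOnly": false };

console.log(reviewPatch(benignPatch));
console.log(reviewPatch(escalatingPatch));
console.log(reviewPatch(dottedKeyPatch));
```

Running the same function over a parsed openclaw.json gives a quick audit of which of these flags are already enabled.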
🔴 MEDIA Trust Anchoring 4.15
Client tool name collisions → 400 error
MEDIA: passthrough trust now anchored to the exact registered built-in tool name. Client-supplied tools whose names match (or normalize-collide with) a built-in are rejected with 400.
Prevents a client tool from inheriting local-media trust.
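The collision rule described above, as an added example that is not OpenClaw's implementation: client tool names are compared with built-in names after normalization and rejected with 400 on a match, while the media-trust decision itself uses only the exact registered name. The normalization (NFKC, lower-case, strip non-alphanumerics), the `origin` field and the two-entry registry built from tool names mentioned on this page are assumptions.

```javascript
// Added example, not OpenClaw's code. Stand-in registry using two tool names
// that appear on this page; the real built-in list is not given here.
const BUILTIN_TOOLS = ["video_generate", "memory_get"];

// Assumed normalization: Unicode NFKC, lower-case, drop separators/punctuation.
function normalizeToolName(name) {
  return String(name).normalize("NFKC").toLowerCase().replace(/[^a-z0-9]/g, "");
}

// Reject a client tool list if any name equals, or normalizes to, a built-in.
function validateClientTools(clientTools, builtins = BUILTIN_TOOLS) {
  const reserved = new Map(builtins.map((n) => [normalizeToolName(n), n]));
  const collisions = [];
  for (const tool of clientTools) {
    const hit = reserved.get(normalizeToolName(tool.name));
    if (hit !== undefined) collisions.push({ client: tool.name, builtin: hit });
  }
  return { status: collisions.length ? 400 : 200, collisions };
}

// Trust is anchored to the exact registered name of a built-in tool; a
// client-supplied tool never qualifies, whatever it is called.
function mayPassThroughMedia(toolName, origin, builtins = BUILTIN_TOOLS) {
  return origin === "builtin" && builtins.includes(toolName);
}

// Constructed sample requests.
const okRequest = [{ name: "weather_lookup" }];
const caseCollision = [{ name: "Video-Generate" }];
// Full-width Latin letters that NFKC folds to "memory_get".
const unicodeCollision = [{ name: "\uff4d\uff45\uff4d\uff4f\uff52\uff59_get" }];

console.log(validateClientTools(okRequest));
console.log(validateClientTools(caseCollision));
console.log(validateClientTools(unicodeCollision));
console.log(mayPassThroughMedia("video_generate", "client"));
```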
🔴 Matrix Room Auth 4.15
DM pairing store can't authorize room commands
DM pairing-store entries can no longer be used to authorize room control commands. Room control command authorization now ignores pairing-store entries. Room traffic skips DM pairing-store reads entirely.
🟡 SSRF + Browser CDP 4.14
Hostname navigation restored; strict mode preserved
After earlier SSRF hardening broke normal browser navigation, 4.14 restores hostname navigation under the default policy while keeping explicit strict mode reachable.
Loopback CDP readiness checks remain reachable. Relevant: our setup uses dangerouslyAllowPrivateNetwork: true.
GPT-5.4 is OpenClaw's default model as of v2026.4.12. It runs natively via the Codex provider (openai-codex/gpt-5.4), uses ChatGPT-backed OAuth auth, and has dedicated transport/compaction logic separate from the standard OpenAI provider path. Our install uses it as primary — here's how to get the most out of it.
⚡ Native Codex Provider
openai-codex vs openai — use the right path
GPT-5.4 on the openai-codex provider uses native Codex auth (ChatGPT OAuth), dedicated compaction, and Codex-managed thread handling.
Using openai/gpt-5.4 routes through the standard OpenAI provider (API key auth, different transport).
The canonical alias as of v4.14: openai-codex/gpt-5.4 (the old gpt-5.4-codex alias is deprecated).
🧮 Context & Compaction
200k context, agentic runs, and compaction
GPT-5.4 supports large context windows, but OpenClaw caps at agents.defaults.contextTokens. Long sessions trigger compaction automatically.
After v4.15, startup/skills budgets are trimmed and memory_get is capped — both reduce context pressure for heavy cron runs.
For heavy agents (Fritz with browser), consider setting contextTokens: 1000000 explicitly.
🔁 Fallback Chain
No fallbacks configured — single point of failure
If GPT-5.4 is rate-limited or down, OpenClaw has no fallback model configured. OpenClaw's failover system supports multi-provider fallback via agents.defaults.model.fallbacks.
→ Recommend adding Sonnet as fallback (already in our model list).
📌 Auth Profile Pinning
Session stickiness and cache warmth
OpenClaw pins the chosen auth profile per session (cache-friendly). Our setup has a single OAuth profile ([email protected]) — no round-robin issues.
If you add a second profile (e.g., API key fallback), set auth.order to pin the OAuth profile first and avoid unexpected switching.
🧠 Reasoning / xhigh
GPT-5.4 supports extended thinking
GPT-5.4 supports extended reasoning (xhigh budget). As of v4.14, GitHub Copilot GPT-5.4 also gets xhigh. Reasoning is configurable per-session via /reasoning.
The parity gate added in 4.11 tracks GPT-5.4 vs Opus 4.6 on agentic tasks — useful context when choosing between models for complex tasks.
🛡️ Tool Loop Guard
Unknown-tool guard enabled by default in 4.15
Previously off unless explicitly set. GPT-5.4 can hallucinate tool names — the stream guard now detects unknown-tool loops and breaks them.
This is especially relevant for Fritz's long browser runs: hallucinated tools no longer wedge the agent until timeout.
> Optimal config snippet for GPT-5.4 in OpenClaw:
{
  "agents": {
    "defaults": {
      "model": {
        "primary": "openai-codex/gpt-5.4",
        "fallbacks": ["anthropic/claude-sonnet-4-6"]
      }
    }
  },
  "auth": {
    "order": {
      "openai-codex": ["openai-codex:[email protected]"]
    }
  }
}
// AUDIT SCOPE: openclaw.json · AGENTS.md · MEMORY.md · TOOLS.md · cron list
> what we're doing right
✅ Single Source of Truth: model config
agents.defaults.model.primary = openai-codex/gpt-5.4. No model overrides in agents.list or cron jobs. Exactly the recommended architecture.
✅ QMD Memory Backend — correctly configured
QMD 2.1.0 with session indexing enabled, includeDefaultMemory: false (documented workaround for the --glob bug), single custom workspace path. Works as intended.
✅ Codex alias uses canonical form
Config uses openai-codex/gpt-5.4 — the canonical form as of v4.14. The old gpt-5.4-codex alias is deprecated. No migration needed.
✅ 9 cron jobs — clean, no model duplication
Daily newsletter, archive/deploy, git backup, Notion CRM, health checks, MSL glossar — all inherit model from global default. No per-job model overrides.
✅ Update safety rule in HEALTHCHECK.md
After incident analysis, openclaw update is now manual-only (no cron). Matches the documented safe update path: backup → update → doctor → restart → verify.
✅ Pre-restart routine documented in AGENTS.md
memory/pending-task.md protocol before every gateway restart. BOOT.md hook for post-restart continuity. Best practice for self-restarting agents.
> gaps and recommendations
// Priority Recommendations
[HIGH] Add model fallback chain.
Currently agents.defaults.model.fallbacks is not set. If GPT-5.4 is rate-limited or down, all sessions and cron jobs fail immediately with no fallback.
Fix: add "fallbacks": ["anthropic/claude-sonnet-4-6"] to agents.defaults.model. Sonnet is already in the model list and auth is configured. Requires gateway restart (use hot-reload where possible).
[HIGH] Review dangerouslyAllowPrivateNetwork: true in browser config.
This SSRF bypass was needed pre-v4.14 to make local CDP reachable after the SSRF hardening bug. Since v4.14 restored hostname navigation + loopback CDP under the default policy, this flag may no longer be required. Test: remove it and run openclaw browser start to confirm CDP still works. If yes — remove it. Reduces attack surface significantly.
[MEDIUM] Enable Active Memory plugin (v4.12).
The new Active Memory plugin fires before every reply, automatically pulling relevant context. Especially useful for Alfred's main session — eliminates manual memory_search calls for common context. Enable with: plugins.entries.active-memory.enabled: true in openclaw.json. Start in "message" mode to test performance impact before switching to "full".
[MEDIUM] Pin OAuth auth.order for openai-codex.
One OAuth profile exists ([email protected]). If a second profile is ever added, round-robin could cause unexpected provider switching mid-session. Pre-emptively set auth.order["openai-codex"] = ["openai-codex:[email protected]"] for deterministic behavior.
[MEDIUM] Check openclaw exec-policy status (new in v4.12).
New CLI: openclaw exec-policy show — displays current exec policy and any mismatches between config and local approvals file. Worth running after upgrading to v4.15 to verify the exec approval state is clean.
[LOW] Consider Dreaming for long-term memory consolidation.
We rely on manual MEMORY.md curation. Dreaming (opt-in, v4.12 overhauled) automates promotion of recurring important signals from daily notes. With the new separate storage mode, it no longer pollutes daily files. Suggested cadence: 03:00 nightly. Start with /dreaming on and monitor DREAMS.md for a week before enabling deep promotion.
[LOW] Evaluate Model Auth UI card (v4.15).
New Control UI card shows OAuth token health and rate-limit pressure at a glance. Useful for catching token expiry before it causes cron failures. Check the OpenClaw dashboard to confirm it's visible.
[LOW] QMD upgrade path.
We run QMD 2.1.0 with the --glob workaround (includeDefaultMemory: false). Monitor @tobilu/qmd for a fix. Once fixed, can restore includeDefaultMemory: true and use multiple named collections for finer control (workspace, sessions, daily only). No rush — current setup works.
> audit summary matrix
| Area | Status | Action |
|---|---|---|
| Model config (SSOT) | ✅ Best Practice | None |
| Model fallback chain | ⚠️ Missing | Add fallbacks: ["anthropic/claude-sonnet-4-6"] |
| QMD Memory | ✅ Working (workaround) | Monitor QMD for --glob fix |
| Active Memory | ⬜ Not enabled | Enable plugin, test in message mode |
| SSRF browser policy | ⚠️ Overly permissive | Test removing dangerouslyAllowPrivateNetwork post-4.14 |
| Auth profile pinning | ⬜ Not set | Set auth.order for openai-codex (pre-emptive) |
| Dreaming | ⬜ Not enabled | Low priority — evaluate nightly sweep |
| Codex alias | ✅ Canonical form | None (already correct) |
| Cron job design | ✅ Clean | None |
| Update safety | ✅ Manual-only | None |
| Tool loop guard | ✅ Enabled (4.15 default) | None — automatic after upgrade |
| Security / exec-policy | ⬜ Unchecked | Run: openclaw exec-policy show |