chore(deps): bump openclaw from 2026.5.7 to 2026.6.8

[dependabot]

Bumps openclaw from 2026.5.7 to 2026.6.8.

Release notes

Sourced from openclaw's releases.

openclaw 2026.6.8

2026.6.8

Highlights

• Richer channel delivery: Telegram and WhatsApp are less brittle: Telegram renders structured text with tables, lists, expandable blockquotes, preserved intentional line breaks, and CLI-backed replies, while WhatsApp now honors configured ACP bindings. (#92679, #93164, #84082, #89421, #92513) Thanks @​obviyus, @​vincentkoc, @​jzakirov, @​spacegeologist, @​TurboTheTurtle, @​mcaxtr, @​myrzka, and @​dmorn.
• More reliable agent runs: account-scoped DM sends, generated media completions, auto-reply message-tool final replies, reset archive fallback reads, restart shutdown aborts, yielded subagent pauses, and session identity prompts all stay on the correct recovery path. (#92788, #91246, #92879, #91357, #92631, #92468) Thanks @​yetval, @​TurboTheTurtle, @​masatohoshino, @​CadanHu, @​vincentkoc, @​ooiuuii, @​openperf, @​zhangguiping-xydt, @​QQSHI13, @​kumaxs, and @​aleps001.
• Safer model routing: new GLM-5.2 and Claude Haiku 4.5 catalog support arrives with normalized provider IDs, managed SecretRef auth, bounded model browsing, and safer OpenAI/Anthropic tool-schema recovery. (#92796, #90116, #92627, #90686, #92247, #92941) Thanks @​arkyu2077, @​liuhao1024, @​lijenhsin, @​rohitjavvadi, @​samson910022, @​maaron34, @​syfvb, and @​samson1357924.
• Useful usage footers: /usage and reply payload hooks now have a native full footer renderer, default template, fixed-decimal formatting, credential-aware limits, better partial-count handling, and warnings for broken templates instead of silent bad output. (#92657, #89835, #89629) Thanks @​Marvinthebored.
• Predictable web search defaults: key-free providers such as Parallel Free, DuckDuckGo, Ollama, and Codex Hosted Search remain explicit opt-ins rather than surprising automatic fallbacks. (#93616) Thanks @​davemorin and @​vincentkoc.
• Calmer UI and mobile sessions: workspace files start collapsed, WebChat backscroll survives streaming, the desktop session picker remains interactive, reset arguments survive dispatch, and iOS reconnects stale foreground Gateways. (#92779, #92622, #92705, #91353, #92552) Thanks @​shakkernerd, @​TurboTheTurtle, @​NianJiuZst, @​zhouhe-xydt, @​Solvely-Colin, @​MaBeitian, @​vincentkoc, @​Chang2020618, and @​DrtyMorty.
• Resilient memory and state: oversized OpenAI embedding batches split before 431s, QMD search stays available in transient mode, SQLite avoids WAL on NFS volumes, and full reindexes preserve rollback/cache recovery. (#92650, #92618, #92639, #91247, #92881) Thanks @​mushuiyu886, @​BrettHamlin, @​zhbcher, @​TurboTheTurtle, @​Takhoffman, @​849261680, @​TSHOGX, @​vincentkoc, and @​AFabyTWE.

Changes

• Providers/models: add GLM-5.2 support and Claude Haiku 4.5 catalog entries while keeping provider-qualified model IDs normalized across OpenRouter and Google Vertex paths. (#92796, #90116, #92627, #91218) Thanks @​arkyu2077, @​liuhao1024, @​bymle, @​maaron34, @​lijenhsin, @​davemorin, and @​vincentkoc.
• Web search: keep key-free providers such as Parallel Free, DuckDuckGo, Ollama, and Codex Hosted Search as explicit opt-ins instead of selecting them automatically when no API-backed provider is configured. (#93616) Thanks @​davemorin and @​vincentkoc.
• Channel plugins: ship Telegram rich-message delivery and WhatsApp ACP binding support, including preserved intentional line breaks, rich prompt handoff to CLI backends, and transport fixtures for richer drafts. (#92679, #93164, #92513) Thanks @​obviyus, @​TurboTheTurtle, @​vincentkoc, @​mcaxtr, and @​dmorn.
• Agent commands: support /btw in CLI-backed sessions and keep CLI usage-error exits classified as usage failures instead of successful runs. (#92669, #92162) Thanks @​joshavant, @​Pandah97, @​marcospaulo, @​davemorin, and @​vincentkoc.
• Usage hooks: add built-in full footer rendering, default footer templates, per-turn usage state, credential-aware limits, and fixed-decimal formatting for usage-bar templates. (#92657, #89835, #89629) Thanks @​Marvinthebored.

Fixes

• Channels and delivery: preserve account-scoped DM channel send policy, intentional rich-message line breaks in Telegram and status output, rich Telegram final replies, rich Telegram tables and lists, Telegram thread-create CLI remapping, Feishu dynamic-agent routes after persisted binding reuse, Slack outbound message_sent hooks, contributed message-tool schema optionality, same-channel generated media completions, and channel chunking around surrogate pairs and Infinity limits. (#92788, #93164, #92679, #89421, #89943, #42837, #92814, #91137, #91246, #92735) Thanks @​yetval, @​obviyus, @​spacegeologist, @​rishitamrakar, @​liuhao1024, @​lundog, @​TurboTheTurtle, @​yhterrance, @​vincentkoc, @​myrzka, @​cwlong163-afk, @​kumaxs, @​shakkernerd, and @​RewardsPal.
• Gemini CLI: use the selected OpenClaw OAuth/API-key auth profile in an isolated Gemini CLI runtime home, preventing ambient Google machine credentials from overriding the chosen profile. (#88748) Thanks @​jason-allen-oneal and @​shakkernerd.
• Discord: give generated auto-thread titles a 60-second timeout and 4,096-token reasoning-model output budget, clamped to the selected model output cap. (#64734) Thanks @​hanamizuki.
• Agent, cron, and Gateway runtime: mark active main sessions before restart shutdown aborts, pause yielded subagent runs whose terminal also signals abort, clamp trusted subagent thinking overrides through provider/model fallback, preserve yielded media completions, deliver channel message-tool final replies through auto-reply while hiding internal delivery hints, restore reset archive fallback reads when active async transcripts are missing, de-duplicate main-session heartbeat events, expose session identity in runtime prompts, reject unknown OpenAI agent selectors, keep generated media completions, slash-command block replies, and trajectory export commands in WebChat, and require admin privileges for HTTP session/model override surfaces. (#91357, #92631, #92412, #92146, #92879, #91287, #92468, #92510, #91246, #92651, #92646) Thanks @​ooiuuii, @​openperf, @​IWhatsskill, @​masatohoshino, @​CadanHu, @​ZengWen-DT, @​zhangguiping-xydt, @​TurboTheTurtle, @​oiGaDio, @​aleps001, @​vincentkoc, @​GSL-R, @​QQSHI13, @​ryanhelms, @​kumaxs, @​steipete-oai, @​hxy91819, @​davemorin, and @​nailujac.
• Providers and model replay: preserve storeless OpenAI Responses replay compatibility, recover invalid OpenAI reasoning signatures and genericized Anthropic thinking-signature replay errors, route OAuth image defaults through Codex for eligible OpenAI profiles, avoid eager tool streaming for Claude 4.5 in Copilot, quarantine unreadable and post-hook OpenAI/Anthropic-family tool schemas without broadening allowed tool choices, deliver explicit thinking-off requests to LM Studio binary-thinking models, honor profile auth for SecretRef model entries, bound model browsing, strip provider prefixes where runtimes need bare IDs, and surface nested embedding fetch failures. (#90706, #92941, #92201, #92916, #92824, #75393, #92908, #92921, #92928, #92002, #90686, #92247, #92627, #91218, #92628) Thanks @​snowzlm, @​mmyzwl, @​CarlCapital, @​bek91, @​Kailigithub, @​vincentkoc, @​rohitjavvadi, @​samson910022, @​nxmxbbd, @​liuhao1024, @​bymle, @​mushuiyu886, @​finchinslc, @​syfvb, @​lijenhsin, @​crsnpalmer-art, @​samson1357924, @​shakkernerd, and @​mlaihk.
• Memory, state, diagnostics, and config: split header-too-large embedding batches, keep QMD memory search enabled in transient mode, avoid SQLite WAL on NFS volumes, preserve recovery scheduling outside stuck-session warning backoff, preserve full-reindex rollback/cache recovery, and treat raw Memory Wiki source pages as source evidence. (#92650, #92618, #92639, #91247, #92752, #92881, #59137, #92876) Thanks @​mushuiyu886, @​TurboTheTurtle, @​849261680, @​gnanam1990, @​TSHOGX, @​vincentkoc, @​arlen8411, @​BrettHamlin, @​zhbcher, @​Takhoffman, @​AFabyTWE, @​davemorin, and @​zhuyankarl.
• UI/mobile/TUI: preserve dashboard session parent lineage, WebChat backscroll, reset soft command args, sidebar session picker interactivity, collapsed workspace files, resolved /model confirmation refs, stale foreground iOS Gateway reconnects, and paused setup-parent stdin after inherited-stdio child exit. (#90658, #92622, #91353, #92705, #92779, #92773, #92552, #93159) Thanks @​luoyanglang, @​TurboTheTurtle, @​zhouhe-xydt, @​NianJiuZst, @​shakkernerd, @​NarahariRaghava, @​Solvely-Colin, @​fuller-stack-dev, @​lily-oc, @​MaBeitian, @​vincentkoc, @​obviyus, @​DrtyMorty, and @​Chang2020618.
• Plugins and updates: repair missing required platform packages during managed plugin installs and updates, including omitted Codex platform binaries. Thanks @​vincentkoc.
• Dependencies: update Hono to 4.12.25 so published OpenClaw and ACPX packages use the patched runtime. Thanks @​vincentkoc.
• Updates: avoid a false downgrade prompt when the latest tag cannot resolve. (#92911) Thanks @​Andy312432 and @​vincentkoc.

Complete contribution record

This audited record covers the complete v2026.6.6..v2026.6.8 history: 192 merged PRs. The generation manifest also supplies direct commits as editorial input; the grouped notes above prioritize user impact.

Pull requests

• PR #92144 fix(cron): report SQLite storage path in cron.status instead of legacy jobs.json. Related #91766. Thanks @​liuhao1024 and @​AaronFaby.
• PR #92175 fix(channel): harden local setup trust. Thanks @​hxy91819.
• PR #91528 fix #73837: stop after failed Node package installs. Thanks @​mushuiyu886 and @​ItsMeForLua.
• PR #91561 fix(wizard): report keyless web_search providers as ready, not missing a key. Thanks @​NormallyGaussian.
• PR #92073 fix: handle explicit silent assistant replies. Related #92038. Thanks @​sallyom and @​vultusv.
• PR #91311 Allow Skill Workshop apply through trusted skill symlinks. Thanks @​abnershang.
• PR #88245 refactor(whatsapp): introduce inbound message contexts. Thanks @​mcaxtr.
• PR #92212 refactor: move workspace skill writes to lifecycle. Thanks @​shakkernerd.
• PR #92248 Remove ClawHub owner preflight. Thanks @​Patrick-Erichsen.
• PR #91617 test(sqlite): add state perf query plan harness. Related #91616. Thanks @​galiniliev.

... (truncated)

Commits

• 844f405 docs(changelog): note patched Hono runtime
• 71fbd3e fix(deps): update Hono security pin
• 6a49346 docs(changelog): refresh 2026.6.8 notes
• 94c72ac Keep key-free web search providers opt-in (#93616)
• 6af6e1e fix(ci): require billable Anthropic release key
• 6c375c7 fix(ci): prefer Anthropic OAuth in live validation
• b1e925f fix(ci): support Anthropic OAuth release validation
• cf9dea7 fix(release): satisfy retry delay lint
• 780373f chore(release): prepare 2026.6.8 stable
• 11af11a fix(release): tolerate npm propagation after publish
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 43792333fa

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Regenerate the lockfile with satisfiable subdeps

The updated lockfile makes OpenClaw's nested dependency tree invalid: @google/genai still declares protobufjs: ^7.5.4 earlier in this same lockfile, but the only nested protobufjs it can resolve under node_modules/openclaw is the out-of-range 8.x version here. I checked this with npm ls --package-lock-only --all, which now exits with ELSPROBLEMS (the parent commit's lock exits 0) and also reports other out-of-range nested entries, so any dependency-tree validation or OpenClaw path that loads the Gemini SDK can fail until the lock is regenerated or corrected to satisfy the declared ranges.

Useful? React with 👍 / 👎.

[dependabot]

Superseded by #29.