chore(deps): bump openclaw from 2026.5.7 to 2026.6.10

[dependabot]

Bumps openclaw from 2026.5.7 to 2026.6.10.

Release notes

Sourced from openclaw's releases.

openclaw 2026.6.10

Highlights

• Automatic fast mode for talks: OpenClaw can enable fast mode for short conversational turns, then return to normal mode for longer runs with bounded fallback and delivery behavior. (#85104) Thanks @​alexph-dev and @​vincentkoc.
• More reliable model routing: Zai model synthesis, GLM overload failover, and native reasoning-level selection now follow the active model catalog more consistently. (#94461, #93241, #94067, #94136) Thanks @​Pandah97, @​chrysb, @​0xghost42, @​zhengli0922, @​openperf, @​civiltox, and @​BorClaw.
• Safer session and channel state: channel switches reset stale origin fields, and cron delivery awareness stays attached to the target session. (#95328, #93580) Thanks @​ZengWen-DT, @​jalehman, @​gorkem2020, and @​scotthuang.
• Trusted policies survive hook composition: composed hook registries keep the trusted tool policies required by approval-sensitive flows. (#94545) Thanks @​jesse-merhi.

Changes

• Agent and channel runtime: fast-mode state now survives retries, fallback transitions, progress events, and embedded/CLI/ACP normalization; session and channel routing retain the current target and delivery context. (#85104, #93580, #95328) Thanks @​alexph-dev, @​vincentkoc, @​scotthuang, @​ZengWen-DT, @​jalehman, and @​gorkem2020.
• Provider behavior: model catalogs now supply the correct Zai base URL, overload classification, and native reasoning controls for live-discovered models. (#94461, #93241, #94067, #94136) Thanks @​Pandah97, @​chrysb, @​0xghost42, @​zhengli0922, @​openperf, @​civiltox, and @​BorClaw.

Fixes

• Fast-mode and policy correctness: fallback cutoffs and reset notices are bounded, repeated progress events remain visible, Codex service-tier state is normalized, and trusted policies are not lost when hook registries are composed. (#85104, #94545) Thanks @​alexph-dev, @​vincentkoc, and @​jesse-merhi.
• Model and delivery edge cases: Zai and GLM failover paths use the right runtime metadata, while stale channel-origin state no longer leaks across session changes. (#94461, #93241, #95328) Thanks @​Pandah97, @​chrysb, @​0xghost42, @​zhengli0922, @​ZengWen-DT, @​jalehman, and @​gorkem2020.
• Provider plugin onboarding: setup refreshes provider plugin registry metadata after installing setup-selected provider plugins, so auth continuation uses the newly installed provider instead of stale registry state. (#95792) Thanks @​snowzlmbot.

Complete contribution record

This audited record covers the complete v2026.6.9..HEAD history: 12 merged PRs. The generation manifest also supplies direct commits as editorial input; the grouped notes above prioritize user impact.

Pull requests

• PR #86627 Keep core doctor health in contribution order. Thanks @​giodl73-repo.
• PR #93580 fix: preserve cron delivery awareness for target sessions. Thanks @​scotthuang and @​jalehman.
• PR #95030 refactor: add SDK transcript identity target API. Thanks @​jalehman.
• PR #94838 refactor(copilot): complete harness lifecycle parity. Thanks @​vincentkoc.
• PR #95328 fix(sessions): reset stale per-channel origin fields on channel switch. Related #95325. Thanks @​ZengWen-DT and @​jalehman and @​gorkem2020.
• PR #94461 fix(zai): fall back to manifest baseUrl for synthesized GLM-5 models. Related #94269. Thanks @​Pandah97 and @​chrysb.
• PR #93241 fix(agents): classify Zhipu GLM overload as overloaded for failover. Related #93211. Thanks @​0xghost42 and @​zhengli0922.
• PR #94067 fix(channels): resolve native /think menu levels via runtime catalog for live-discovered models. Related #93835. Thanks @​openperf and @​civiltox.
• PR #94136 fix(zai): expose GLM-5.2 reasoning levels [AI-assisted]. Thanks @​BorClaw.
• PR #85104 feat: fast talks auto mode. Related #85087. Thanks @​alexph-dev.
• PR #94545 fix: keep trusted policies with hook registry. Thanks @​jesse-merhi.
• PR #95792 fix(onboard): refresh provider plugin registry after setup installs. Related #95765. Thanks @​snowzlmbot.

Release verification

• npm package: https://www.npmjs.com/package/openclaw/v/2026.6.10
• registry tarball: https://registry.npmjs.org/openclaw/-/openclaw-2026.6.10.tgz
• integrity: sha512-LcooND2tBQw8A+kc1Ujltu3lg30bJ0w7XaeRy7eYzobb8BBdcW6DOGbwJL4vpj1vl9+gjRceOtlh5nh9OARcug==
• release SHA: aa69b12d0086b631b139c1435c9621a5783e3a40
• full release CI report: https://github.com/openclaw/releases/blob/main/evidence/2026.6.10/release-evidence.md
• release publish: https://github.com/openclaw/openclaw/actions/runs/28071368306
• npm preflight: https://github.com/openclaw/openclaw/actions/runs/28068484614
• full release validation: https://github.com/openclaw/openclaw/actions/runs/28068476120
• plugin npm publish: https://github.com/openclaw/openclaw/actions/runs/28071564667

... (truncated)

Commits

• aa69b12 docs(changelog): refresh 2026.6.10 notes
• 3521a01 chore(release): prepare 2026.6.10 stable
• 5ed8323 test(e2e): refresh docker setup fixture
• e42b914 fix(ci): keep release branch CI shard bundles compatible
• 51459a4 docs(changelog): include provider onboarding fix
• 8b5527b fix(onboard): refresh provider plugin registry after setup installs (#95792)
• 87b40c7 test(release): align beta2 validation expectations
• b8108e4 test(telegram): add progress preview helper
• dec86fe chore(release): refresh beta2 validation baselines
• a2e5553 test(agents): cover fallback probe attempt position
• Additional commits viewable in compare view

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2aec6d53e9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Regenerate the invalid nested lock entries

This lock entry resolves @types/retry to 0.12.5, but the same updated OpenClaw tree declares p-retry's dependency as the exact version 0.12.0 at package-lock.json:3566; it also resolves tar to 7.5.16 while @openclaw/fs-safe requests exact 7.5.13 at package-lock.json:1401. I checked the package-lock tree with the documented npm ls --package-lock-only --all options, and npm exits with ELSPROBLEMS for these invalid packages, so dependency-tree validation fails even before tests run. Regenerate or pin the nested entries to versions that satisfy the exact constraints before landing the bump.

Useful? React with 👍 / 👎.