OpenClaw 3.23: Post-Surgery Recovery — Qwen DashScope, Auth Credential Overhaul, and 40+ Stability Fixes

OpenClaws.io Team

@openclaws

March 23, 2026

10 min read

3.22 tore out the old architecture and rebuilt the foundations. Twelve breaking changes. A new plugin registry. Thirty security patches. It was the biggest release in OpenClaw's history.

It also broke things.

3.23 is the release that makes sure the patient survives the surgery. Three breaking changes — all forward-looking. Over forty fixes — most of them cleaning up what 3.22 exposed. One day between releases, because some of these couldn't wait.

Breaking Changes

Only three this time, and none of them are removing things you depend on.

Qwen Gets Proper DashScope Endpoints

The Qwen provider now ships standard pay-as-you-go DashScope endpoints for both China and global API keys, alongside the existing Coding Plan endpoints. The provider group is relabeled to Qwen (Alibaba Cloud Model Studio).

This matters because the previous Qwen integration only supported Coding Plan keys — a subset of Alibaba Cloud's offering. If you're in China or using a global DashScope API key with standard billing, Qwen models now work out of the box without workaround configurations.

Control UI Overhaul

Button primitives are consolidated (btn--icon, btn--ghost, btn--xs). The Knot theme shifts to a black-and-red palette with WCAG 2.1 AA contrast ratios. Config sections — Diagnostics, CLI, Secrets, ACP, MCP — get dedicated icons. The roundness slider is replaced with discrete stops. Accessibility improves across the board with aria-labels on usage filters.

If you have custom CSS targeting the old button classes or Knot theme variables, check your overrides.

CSP Script Hashing

Inline <script> blocks in the served index.html now get SHA-256 hashes included in the script-src CSP directive. Inline scripts remain blocked by default — only explicitly hashed bootstrap code is allowed. If you were injecting custom inline scripts into Control UI, they will now be blocked unless hashed.

The Auth Credential Overhaul

Eight fixes in the auth and credential system. This was the most broken area after 3.22, and the fixes tell a story about what happens when you rebuild infrastructure under a running system.

The headline fix: live gateway auth-profile writes were reverting freshly saved credentials back to stale in-memory values. You'd paste a new OpenAI token, save it, and watch it snap back to the expired one. The Configure flow, Onboard flow, and token-paste flow all suffered from the same root cause. Fixed.

Operator scope preservation: the device-auth bypass path was silently dropping operator scopes, causing operator sessions to fail or show blank pages on read-backed routes. Cached under-scoped tokens are now ignored, and a clear fallback message appears when a connection genuinely lacks read scope.

CLI channel auth: single-channel setups now auto-select the only available login-capable channel. Channel IDs are hardened against prototype-chain and control-character abuse. On-demand channel installs fall back cleanly to catalog-backed installs.
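As an added example (not OpenClaw's code), the following sketches the two checks this paragraph describes: validating a channel ID before it is used as a lookup key, so prototype-chain names and control characters are rejected, and auto-selecting the single login-capable channel. The ID grammar, the registry shape, and the constructed channel list are assumptions.

```javascript
// Names that resolve through Object.prototype on an ordinary object; a channel
// ID must never be one of these.
const PROTO_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// Assumed ID grammar: lowercase alphanumerics, dots, dashes, underscores.
const CHANNEL_ID_RE = /^[a-z0-9][a-z0-9._-]{0,63}$/;

function isSafeChannelId(id) {
  if (typeof id !== "string") return false;
  if (/[\x00-\x1f\x7f]/.test(id)) return false; // control characters (newline, NUL, ...)
  if (PROTO_KEYS.has(id)) return false;         // prototype-chain keys
  return CHANNEL_ID_RE.test(id);
}

// Registry stored on a null-prototype object so that even a lookup that slipped
// past validation cannot reach Object.prototype members.
function makeRegistry(channels) {
  const registry = Object.create(null);
  for (const ch of channels) {
    if (isSafeChannelId(ch.id)) registry[ch.id] = ch;
  }
  return registry;
}

function resolveChannel(registry, id) {
  if (!isSafeChannelId(id)) return undefined;
  return Object.prototype.hasOwnProperty.call(registry, id) ? registry[id] : undefined;
}

// Single-channel setups: pick the only login-capable channel; otherwise the
// caller must ask the user, so return undefined.
function autoSelectLoginChannel(registry) {
  const capable = Object.values(registry).filter((ch) => ch.loginCapable);
  return capable.length === 1 ? capable[0] : undefined;
}

// Constructed sample: one login-capable channel, one that is not.
const SAMPLE_CHANNELS = [
  { id: "telegram", loginCapable: true },
  { id: "whatsapp", loginCapable: false },
];
```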

ClawHub macOS authentication (three related fixes): the ClawHub login token is now read from the macOS Application Support path, with XDG config honored as a fallback. Gateway skill browsing uses the signed-in auth state instead of silently falling back to unauthenticated mode. Browse-all requests switch to search to avoid hitting unauthenticated 429 rate limits.

OAuth proxy support: the env-configured HTTP/HTTPS proxy dispatcher is now initialized before token exchange and preflight requests, so proxy-required environments can complete MiniMax and OpenAI Codex sign-in flows. Previously, expired Codex OAuth tokens would lock users out after the first expiry in proxy setups.

Slash-command authorization: authorization no longer crashes or drops valid allowlists when channel allowFrom resolution hits unresolved SecretRef-backed accounts. The system fails closed only for the affected provider inference path.

Browser Stability: Stop Rushing the Handshake

Two fixes, one theme: don't declare victory before the browser is actually ready.

macOS Chrome attach: when attaching to an existing Chrome session via MCP, the initial handshake was being treated as "ready" before the browser tabs were actually usable. This caused user-profile timeouts and repeated consent pop-ups in macOS Chrome attach flows. The fix waits for existing-session tabs to become fully usable after attach before proceeding.

Headless Linux CDP: on slower headless Linux setups, a brief initial reachability miss during CDP detection would immediately trigger a full browser relaunch. This caused second-run browser start/open regressions — the fix reuses the already-running loopback browser after a short reachability miss instead of falling back to relaunch detection.

Both bugs share the same pattern: the system was too eager to judge state transitions. A brief delay in response was treated as failure, triggering expensive recovery paths that made things worse.

Plugin Ecosystem: Post-ClawHub Cleanup

3.22 migrated the plugin ecosystem to ClawHub. 3.23 finishes sweeping up.

  • Bundled runtime sidecars ship again: WhatsApp light-runtime-api.js, Matrix runtime-api.js, and other plugin runtime entry files were missing from the npm package. Global installs were failing on missing bundled plugin runtime surfaces. Fixed.
  • ClawHub install compatibility: plugin API compatibility is now resolved against the active runtime version at install time. The stale 1.2.0 constant that was blocking installs for >=2026.3.22 ClawHub packages is replaced with regression coverage.
  • Uninstall accepts ClawHub specs: openclaw plugins uninstall clawhub:<package> works again even when the recorded install was pinned to a version.
  • LanceDB bootstraps on first use: the memory-lancedb plugin now bootstraps LanceDB into plugin runtime state when the bundled npm install doesn't have it, so plugins.slots.memory="memory-lancedb" works after global npm installs.
  • Stale config is non-fatal: unknown plugins.allow IDs are treated as warnings instead of fatal config errors, so plugins install, doctor --fix, and status still run when a plugin is missing locally.
  • Doctor cleanup: openclaw doctor --fix removes stale plugins.allow and plugins.entries refs left behind after plugin removal, and stops appending built-in channel IDs like whatsapp to plugins.allow.
  • Matrix and LINE runtime fixes: duplicate runtime-api exports under Jiti no longer crash bundled Matrix installs at startup. LINE pre-exports overlapping runtime symbols before the star export to avoid TypeError: Cannot redefine property.

Agent Reliability

Six fixes that make agents behave more predictably:

  • web_search provider: agent turns now use the active runtime web_search provider instead of a stale or default selection. If you configured a specific search provider, it actually gets used now.
  • Failover classification: generic api_error payloads are retryable only when they include transient failure signals. MiniMax-style backend failures still trigger model fallback, but billing, auth, and format errors no longer do.
  • Subagent timeout accuracy: timed-out worker waits are rechecked against the latest runtime snapshot before sending completion events, so fast-finishing workers stop being falsely reported as timed out.
  • Anthropic thinking blocks: assistant thinking and redacted-thinking block ordering is preserved during transcript image sanitization, preventing follow-up turns from tripping Anthropic's unmodified-thinking validation.
  • Replay recovery: malformed assistant transcript content is canonicalized before session-history sanitization, so legacy or corrupted turns stop crashing Pi replay and subagent recovery paths.
  • Skill config injection: embedded skill config and env use the active resolved runtime snapshot, so skills.entries.<skill>.apiKey SecretRefs resolve correctly during embedded startup.

Gateway Hardening

Four fixes for gateway reliability:

  • Probe accuracy: successful gateway handshakes no longer time out as "unreachable" while post-connect detail RPCs are still loading. Slow devices report a reachable RPC failure instead of a false-negative dead gateway.
  • Supervision stability: lock conflicts under launchd and systemd no longer crash-loop. The duplicate process stays in a retry wait instead of exiting as a failure while the healthy gateway still holds the lock.
  • Auth enforcement: canvas routes now require authentication. Agent session reset requires admin scope. Anonymous canvas access and non-admin reset requests fail closed.
  • OpenRouter pricing: the openrouter/auto pricing refresh no longer recurses indefinitely during bootstrap, so auto routes can populate cached pricing and usage.cost again.

Channel Fixes

Telegram gets three fixes: DM topic threading context is populated correctly when main thread metadata is missing. Same-chat inbound debounce ordering is preserved without stranding stale busy-session followups. And asDocument is added as a user-facing alias for forceDocument on image and GIF sends.

Discord: privileged native slash commands now return an explicit unauthorized reply instead of falling through to Discord's misleading generic completion when auth gates reject the sender.

Plivo voice: replay keys are stabilized so webhook retries and replay protection stop colliding on valid follow-up deliveries.

External channel catalogs can now override shipped fallback metadata and honor overridden npm specs during channel setup, so custom catalogs no longer fall back to bundled packages when a channel ID matches.

Everything Else

  • Mistral: bundled max-token defaults lowered to safe output budgets. openclaw doctor --fix repairs old persisted configs that still carry context-sized output limits, avoiding deterministic 422 rejects.
  • CLI cron: openclaw cron add|edit --at ... --tz <iana> now honors the requested local wall-clock time for offset-less one-shot datetimes, including DST boundaries.
  • Config warnings: the confusing "newer OpenClaw" warning is suppressed when a config written by a same-base correction release (like 2026.3.23-2) is read by 2026.3.23.
  • Exec trust: shell-multiplexer wrapper binaries are preserved for policy checks without breaking approved-command reconstruction, keeping BusyBox/ToyBox allowlist and audit flows coherent.
  • Security/exec approvals: shell-wrapper allowlist matching rejects single-quoted $0/$n tokens, disallows newline-separated exec, and still accepts exec -- carrier forms.
  • Cache diagnostics: credential fields are stripped from cache-trace JSONL output while preserving non-sensitive diagnostic fields and image redaction metadata.
  • Feishu docs: channel config examples now use name instead of botName to match the strict account schema.
  • Release packaging: bundled plugins and Control UI assets are retained in published npm installs, with release checks that fail when shipped artifacts are missing.

Contributors

Sixteen contributors landed fixes in 3.23. Special recognition to @vincentkoc with fourteen fixes spanning browser, gateway, agent, plugin, security, and release infrastructure — the kind of across-the-board contribution that holds a project together after a major release.

Thanks to @BunsDev (4 fixes), @scoootscooob, @openperf, @futhgar, @07akioni, @Drickon, @osolmaz, @bakhtiersizhaev, @Lukavyi, @ayushozha, @RolfHegr, @drobison00, @haroldfabla2-hue, @jzakirov, and @sallyom.

Upgrade Notes

  • Qwen users: check your provider configuration. If you were using workaround configs for standard DashScope keys, you can now switch to the native endpoints.
  • Mistral users: run openclaw doctor --fix to repair old configs with context-sized output limits.
  • Custom CSS users: the Knot theme palette and button class names have changed. Review your overrides.
  • Control UI script injectors: inline scripts now require CSP SHA-256 hashes.

---

3.22 opened the chest and replaced the engine. 3.23 made sure every suture holds.

Forty-plus fixes, eight auth patches, two browser regressions resolved, and a plugin ecosystem that finally works cleanly after the ClawHub migration. Not glamorous work. But this is the release that turns 3.22's architectural ambition into something you can actually run in production without filing bug reports.

The lobster is recovering well. Sutures are holding.
