OpenClaw 2026.3.2
Stable Release - PDF, Secrets, Attachments & Security
Production-ready release with first-class PDF support
📊 Release Overview
Stable release with major feature additions
Stable
Production Ready (Not Beta)
20+
New Features
4
Breaking Changes
15+
Bug Fixes & Security Hardening
🔴 Breaking Changes
Important migration notes — review before upgrading
- Default tools.profile → messaging (was coding) — affects tool availability
- ACP dispatch now enabled by default — check your config if you disabled it
- Plugin SDK: registerHttpHandler removed — migrate to new HTTP API
- Zalo Personal: no external CLI dependency — native JS integration replaces old flow
⚠️ Test in staging before production deployment
📄 PDF Analysis Tool
First-class PDF support for document intelligence
Native Support
Anthropic + Google providers with native PDF parsing
Extraction Fallback
Automatic text extraction for other models
Configurable Limits
pdfModel, pdfMaxBytesMb, pdfMaxPages settings
Production Ready
Handle contracts, reports, research papers seamlessly
🔐 Secrets Management
SecretRef expansion across the platform
64
Targets Now Support SecretRef
100%
Runtime Collectors Covered
Fast Fail
Unresolved Refs Caught Early
Better UX
Improved Onboarding Flow
Covers runtime collectors, planning, apply, and audit phases
📎 Sub-Agent Attachments
Pass files directly to spawned agents
File Attachments
sessions_spawn now accepts file attachments for context
Flexible Encoding
Base64 or UTF8 encoding support
Transcript Redaction
Sensitive attachment data redacted from logs
Configurable Limits
Size and count limits prevent abuse
Perfect for document analysis, code review, and data processing pipelines
💬 Telegram Enhancements
Better streaming and interaction controls
Streaming Default: Partial
Changed from "off" — see responses as they generate
DM Streaming
sendMessageDraft enables streaming in direct messages
Voice Mention Gating
Optional control over voice message mentions
Reasoning Preview
Better formatting for reasoning mode output
🔌 Plugin SDK Improvements
More power for plugin developers
📡
channelRuntime Exposed
Plugins can now access the full channel runtime context for deeper integrations.
🎤
STT Transcription API
Built-in speech-to-text transcription API available to all plugins.
🔄
Session Lifecycle Hooks
New sessionKey hooks let plugins track and respond to session lifecycle events.
📢
Event Subscriptions
Subscribe to agent events via onAgentEvent for real-time monitoring and automation.
Breaking: registerHttpHandler removed from SDK. Migrate to new routing patterns.
🤖 Model & Memory Updates
New models and smarter memory
MiniMax
M2.5-highspeed Support
Ollama
Embeddings for Memory
Zalo
Native JS Integration
- MiniMax M2.5-highspeed provider added with full support
- Legacy M2.5-Lightning compatibility maintained for existing users
- Ollama embeddings now available for local memory search operations
- Zalo Personal rewritten with native JavaScript — no external CLI dependency
More model choices, better memory search, cleaner integrations. The platform keeps expanding.
🛠️ CLI & Tools
Better developer experience
✅
Config Validation
New openclaw config validate --json command for CI/CD pipelines and automated checks.
🚨
Better Error Paths
Invalid API keys now show clearer error messages with actionable guidance.
🎨
Banner Tagline Modes
Choose random, default, or off for startup banner taglines. Customize your experience.
📄
PDF Diff Output
PDF analysis results now support diff output format for version comparisons.
Small improvements that add up. Better validation, clearer errors, more control.
🔒 Security Hardening
Production-grade security improvements
Multiple security layers hardened across Gateway, Plugin system, WebSocket connections, and TLS pairing. Auth-before-body validation prevents resource exhaustion attacks.
- 🔐 Gateway/Plugin HTTP Hardening — Request validation tightened, input sanitization improved
- 🛡️ Webhook Auth-Before-Body — Authentication checked before parsing request body to prevent DoS
- 🔌 WebSocket Security — Now loopback-only by default. Explicit config required for network exposure
- 🔑 TLS Pairing Fixes — Docker and LAN pairing now work reliably with proper certificate validation
These aren't flashy features, but they're critical for production deployments. Security first.
🐛 Bug Fixes: Messaging Platforms
Feishu, Discord, and Telegram improvements
- 🔌 Plugin Command Validation — Fixed edge cases where malformed plugin commands caused crashes
- 📱 Telegram Token Normalization — Bot tokens now properly normalized, fixing auth failures with certain formats
- 💬 Discord Lifecycle Status — Connection status now accurately reflects gateway state during reconnects
- 🏢 Feishu Multi-App Mention Routing — Fixed mention routing when multiple Feishu apps are configured
- 👥 Feishu Group System Prompts — System prompts now correctly apply in group chat contexts
Messaging reliability matters. These fixes ensure smoother operations across all three platforms.
🐛 More Fixes: Gateway & Browser
Core infrastructure improvements
- 🔗 Gateway Subagent TLS Pairing — Fixed TLS certificate validation issues when subagents connect to gateway
- 🌐 Browser CDP Startup Diagnostics — Better error messages when Chrome DevTools Protocol fails to connect
- 📞 Voice-Call Runtime Lifecycle — Fixed cleanup issues where voice call sessions weren't properly terminated
- 🔧 Browser Profile Defaults — Profile selection now correctly falls back to defaults when custom profiles are missing
Infrastructure fixes that make the whole system more reliable. Less debugging, more building.
⚠️ Migration Guide
Breaking changes require action
4 breaking changes in this release. Review these carefully before upgrading to avoid disruption.
- 🔧 Check tools.profile setting — Default changed from "coding" to "messaging". Explicitly set if you need coding tools.
- 📡 Review ACP dispatch config — ACP dispatch now enabled by default. Disable explicitly if not using.
- 🔌 Update plugin HTTP routes — registerHttpHandler removed from SDK. Migrate to new routing patterns.
- 📱 Test Zalo Personal login flow — Native JS implementation may behave differently. Test your auth flow.
- 🔒 Review security settings — WebSocket now loopback-only by default. Update config for network access.
Take 10 minutes to review these changes. It'll save hours of debugging later.