$git log --oneline
2026.3.2 PATCH Released: 2026-03-02

Security Hardening + PDF Tool + Streaming Improvements

/** Critical security fixes, a brand-new PDF analysis tool, and Telegram streaming enabled by default. */

#Security #PDF #Telegram #Streaming #MiniMax
whats_new.md

✨ What's New

PDF Analysis Tool

New first-class pdf tool with native Anthropic and Google provider support. Extraction fallback for non-native models. Configurable via agents.defaults.pdfModel, pdfMaxBytesMb, pdfMaxPages.

Telegram Streaming Default

channels.telegram.streaming now defaults to 'partial' for all new Telegram setups, enabling live preview streaming out of the box.

Telegram DM Streaming

Uses sendMessageDraft for private preview streaming and keeps reasoning/answer preview lanes separated in DM reasoning-stream mode.

MiniMax-M2.5-highspeed Support

First-class MiniMax-M2.5-highspeed added across built-in provider catalogs, onboarding flows, and MiniMax OAuth plugin defaults.

security_fixes.md

🔒 Security Fixes

🛑 Sandbox media TOCTOU symlink-retarget escape — enforcing root-scoped boundary-safe reads at attachment/image load time
🛑 Sandbox media staging — blocking destination symlink escapes in stageSandboxMedia via root-scoped safe writes
🛑 Workspace safe writes — hardened writeFileWithinRoot against symlink-retarget TOCTOU races
🛑 ACPX Windows spawn hardening — resolving .cmd/.bat wrappers via PATH/PATHEXT without shell parsing
🛑 Browser security — failing closed on browser-control auth bootstrap errors
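
One way to do a root-scoped write that resists a symlink being retargeted between check and use, as an added Node.js example that is not OpenClaw's own code. `safeWriteWithinRoot`, `isInside`, `demo` and the demo paths are hypothetical; it assumes POSIX (`O_NOFOLLOW`), and because Node's `fs` has no openat-style API it verifies the opened descriptor after the fact rather than walking directory descriptors.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when p is root itself or lies beneath it (both absolute).
function isInside(root, p) {
  const rel = path.relative(root, p);
  return rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// Hypothetical helper, POSIX only; not the project's writeFileWithinRoot.
function safeWriteWithinRoot(root, relPath, data) {
  const realRoot = fs.realpathSync(root);
  const lexical = path.resolve(realRoot, relPath);
  if (!isInside(realRoot, lexical)) throw new Error('escapes root: lexical path');
  // Resolve symlinked parents now and re-check the boundary on the real path.
  const realParent = fs.realpathSync(path.dirname(lexical));
  if (!isInside(realRoot, realParent)) throw new Error('escapes root: symlinked parent');
  const target = path.join(realParent, path.basename(lexical));
  // O_NOFOLLOW rejects a symlink as final component; no O_TRUNC, so nothing changes before verification.
  const { O_WRONLY, O_CREAT, O_NOFOLLOW } = fs.constants;
  const fd = fs.openSync(target, O_WRONLY | O_CREAT | O_NOFOLLOW, 0o600);
  try {
    // Post-open check: fd must be the regular file the still symlink-free path names.
    const held = fs.fstatSync(fd, { bigint: true });
    const named = fs.lstatSync(target, { bigint: true });
    if (!held.isFile() || held.dev !== named.dev || held.ino !== named.ino ||
        fs.realpathSync(realParent) !== realParent) {
      throw new Error('escapes root: path changed during open');
    }
    fs.ftruncateSync(fd, 0);
    fs.writeFileSync(fd, data); // write only through the verified descriptor
  } finally {
    fs.closeSync(fd);
  }
  return target;
}

// Constructed demo: a temp sandbox root holding symlinks that point outside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'rootwrite-'));
  const root = path.join(base, 'root'), outside = path.join(base, 'outside');
  const secret = path.join(outside, 'secret.txt');
  fs.mkdirSync(root); fs.mkdirSync(outside); fs.writeFileSync(secret, 'original');
  fs.symlinkSync(outside, path.join(root, 'dirlink'));
  fs.symlinkSync(secret, path.join(root, 'filelink'));
  const attempt = (rel) => {
    try { safeWriteWithinRoot(root, rel, 'x'); return 'written'; } catch { return 'blocked'; }
  };
  return { root, inRoot: attempt('ok.txt'), parentLink: attempt('dirlink/new.txt'),
    finalLink: attempt('filelink'), dotdot: attempt('../outside/new.txt'),
    secret: fs.readFileSync(secret, 'utf8') };
}
```
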
improvements.md

⚡ Improvements

+ SecretRef coverage expanded across 64 credential targets with runtime collectors
+ PDF tool supports diffs output with PDF file output and rendering quality controls
+ Memory Ollama embeddings: memorySearch.provider = 'ollama' support
+ Zalo Personal plugin rebuilt with native zca-js integration in-process

🐛 Bug Fixes

✓ Fixed Feishu multi-account reply reliability and outbound routing
✓ Fixed restart sentinel formatting to avoid duplicate Reason: lines
✓ Fixed failover HTTP 529 classification as rate_limit for Anthropic-compatible APIs
✓ Fixed logging to use local time instead of UTC for timestamps
upgrade.sh

📦 Upgrade to 2026.3.2

# npm global install
$ npm install -g openclaw@2026.3.2
# or update existing install
$ openclaw update

✓ No breaking changes from 2026.3.1 — safe to upgrade