What's new for you
Security fix for WebSocket hijacking, Discord thread auto-archive config, Gemini memory embeddings, first-class Ollama setup, OpenCode Go, cron notification tightening, and macOS/iOS onboarding improvements.
- Security — enforce browser origin validation for WebSocket connections, closing cross-site hijacking in trusted-proxy mode (GHSA-5wcw-8jjv-m286)
- Discord auto-archive — autoArchiveDuration channel config for threads (1h, 1d, 3d, 1 week) instead of always 1h
- Memory — gemini-embedding-2-preview support with configurable dimensions, opt-in multimodal image/audio indexing
- Ollama first-class — Local or Cloud + Local modes, browser cloud sign-in, curated model suggestions in onboarding
- OpenCode Go — new provider, shared OpenCode key for Zen and Go, unified setup in wizard/docs
- macOS onboarding — detect remote gateway auth needs, explain where to find token on gateway host
- Cron breaking — isolated cron jobs no longer notify via ad hoc agent sends; run openclaw doctor --fix for legacy migration
- iOS Home canvas — docked toolbar, welcome screen with live agent overview, chat opens in main session
Release highlights
| Feature | Details |
|---|---|
| WebSocket Origin Validation | Security fix: enforce browser origin validation for all WebSocket connections, closing cross-site hijacking in trusted-proxy mode. |
| Discord autoArchiveDuration | channels.discord.autoArchiveDuration — 1h, 1d, 3d, or 1 week for auto-created threads instead of the 1h default. |
| Gemini Memory Embeddings | memorySearch supports gemini-embedding-2-preview with configurable output dimensions and auto-reindex on dimension change. |
| Multimodal Memory Indexing | Opt-in image and audio indexing for memorySearch.extraPaths with Gemini embeddings. |
| Ollama First-Class Setup | Onboarding: Local or Cloud + Local modes, browser cloud sign-in, curated model suggestions. |
| OpenCode Go Provider | New OpenCode Go provider. Zen and Go share one OpenCode key. Wizard treats them as unified setup. |
| macOS Remote Gateway Auth | Onboarding detects when remote gateways need a shared token and explains where to find it on the host. |
| Cron Notification Changes | Breaking: isolated cron jobs no longer notify via ad hoc agent sends. Run openclaw doctor --fix for legacy migration. |
⚠️ Breaking changes
Cron/doctor: Isolated cron jobs can no longer notify through ad hoc agent sends or fallback main-session summaries. Run openclaw doctor --fix to migrate legacy cron storage and notify/webhook delivery metadata.
Feature deep dives
Learn more about the changes that matter most. Bug fixes and minor improvements are listed on GitHub.
WebSocket Origin Validation
Security fix: enforce browser origin validation for all browser-originated WebSocket connections regardless of proxy headers, closing cross-site WebSocket hijacking in trusted-proxy mode (GHSA-5wcw-8jjv-m286).
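One way to express this kind of check, as an added example that is not OpenClaw's own code: the decision depends only on the request's Origin header and an allowlist, and never reads X-Forwarded-* headers. The function names, the allowlist and its host name are assumptions made for illustration.

```javascript
// Added example; names and the allowlist are assumptions, not the project's code.
const ALLOWED_ORIGINS = new Set(["https://gateway.example.test"]); // constructed value

// Normalize an Origin header to scheme://host[:port]; return null if unusable.
function normalizeOrigin(value) {
  // "null" is what browsers send from opaque origins (e.g. sandboxed frames).
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin; // lower-cases the host and drops default ports
  } catch {
    return null;
  }
}

// headers: lower-cased header map of the HTTP upgrade request.
// Proxy headers (x-forwarded-for/host/proto) are deliberately never consulted,
// so a trusted-proxy deployment gets the same origin decision as a direct one.
function checkWebSocketOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const raw = headers["origin"];
  if (raw === undefined) {
    // Browsers always send Origin on WebSocket handshakes. A request without
    // it is treated as a non-browser client here and is assumed to remain
    // subject to the gateway's normal authentication.
    return { ok: true, reason: "no-origin-non-browser" };
  }
  const origin = normalizeOrigin(raw);
  if (origin === null) return { ok: false, reason: "invalid-origin" };
  return allowed.has(origin)
    ? { ok: true, reason: "origin-allowed" }
    : { ok: false, reason: "origin-not-allowed" };
}
```

Call the check before completing the upgrade and answer a failed check with an HTTP 403 rather than accepting the socket.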
Discord autoArchiveDuration
channels.discord.autoArchiveDuration — configure auto-created thread archiving to 1 hour, 1 day, 3 days, or 1 week instead of the default 1 hour.
Gemini Memory Embeddings
memorySearch supports gemini-embedding-2-preview with configurable output dimensions and automatic reindexing when dimensions change.
Multimodal Memory Indexing
Opt-in image and audio indexing for memorySearch.extraPaths using Gemini gemini-embedding-2-preview, with strict fallback gating and scope-based reindexing.
Ollama First-Class Setup
Onboarding adds first-class Ollama setup: Local or Cloud + Local modes, browser-based cloud sign-in, curated model suggestions, and cloud-model handling that skips unnecessary local pulls.
OpenCode Go Provider
New OpenCode Go provider. Zen and Go treated as one OpenCode setup in wizard/docs with one shared key. Built-in opencode-go catalog routing preserved.
macOS Remote Gateway Auth
macOS onboarding detects when remote gateways need a shared auth token, explains where to find it on the gateway host, and clarifies when paired-device auth was used instead.
Cron Notification Changes
Breaking: Isolated cron jobs can no longer notify through ad hoc agent sends or fallback main-session summaries. Run openclaw doctor --fix to migrate legacy cron storage and notify/webhook metadata.
Full release notes
The complete changelog with all changes, fixes, and technical details is on the official GitHub release page.
Open v2026.3.11 on GitHub →