realvco Docs

v2026.4.23 — Image Generation Expansion + GPT-5.5 + Security Batch

Released: April 23, 2026 Theme: Image provider expansion + GPT-5.5 prep + security hardening Breaking Changes: None

Core Highlights

1. OpenAI Codex OAuth Image Generation

openai/gpt-image-2 now works through Codex OAuth:

  • No OPENAI_API_KEY needed
  • Use your ChatGPT account directly for image gen
  • Reference-image edits supported

2. OpenRouter Image Generation

OpenRouter gains image generation and reference-image editing:

  • Use OPENROUTER_API_KEY to run OpenRouter image models
  • Invoked through the image_generate tool

3. Image Generation: More Control

Agents can request provider-supported quality and output format hints:

  • OpenAI-specific background, moderation, compression, and user hints flow through the image_generate tool
  • Multi-reference edits switch to guarded multipart uploads, restoring complex gpt-image-2 edits

4. Subagents: Optional Forked Context

Native sessions_spawn runs gain optional forked context:

  • Child agents can inherit the requester transcript when needed
  • Default still keeps clean isolated sessions
  • Includes prompt guidance, context engine hook metadata, docs, QA coverage

5. Pi 0.70.0 + GPT-5.5 Prep

Bundled Pi packages updated to 0.70.0. OpenAI and OpenAI Codex use Pi’s upstream gpt-5.5 catalog metadata; only local gpt-5.5-pro forward-compat handling stays.

6. Dreaming as Isolated Lightweight Agent

Managed dreaming cron decouples from heartbeat, runs as isolated lightweight agent turn:

  • Dreaming runs even when heartbeat is disabled for the default agent
  • No longer skipped by heartbeat.activeHours
  • openclaw doctor --fix migrates stale main-session dreaming jobs in persisted cron configs to the new shape

7. WebChat Image Attachments Preserved

WebChat offloads image attachments as media refs for text-only primary models:

  • Images no longer dropped
  • Configured image tools can still inspect the original file
  • Fixes #68513, #44276, #51656, #70212

8. Big Security Batch (12+ items)

  • Discord: native slash-command channel policy can’t bypass owner/member restrictions
  • Teams: Bot Framework audience tokens must match the configured Teams app via appid or azp (cross-bot replay blocked)
  • WhatsApp: contact / vCard / location structured-object free text rendered through fenced untrusted metadata JSON, limiting hidden prompt-injection
  • Group chat: channel-sourced group names and participant labels rendered through fenced untrusted metadata JSON
  • Android: ASK_OPENCLAW intents no longer auto-send injected prompts; external app actions only prefill the draft
  • Pairing: cleartext mobile pairing requires private-IP or loopback; .local no longer treated as safe cleartext
  • Approvals: agent-driven config.apply/config.patch switches to a narrow allowlist instead of denylist
  • Webhooks: SecretRef-backed webhook secrets re-resolve per-request — secrets reload revokes immediately
  • MCP/tools: ACPX OpenClaw tools bridge can’t list or invoke owner-only tools like cron
  • QQBot: /bot-approve requires framework auth
  • Anthropic CLI: bypassPermissions derives from OpenClaw’s existing YOLO exec policy, preserves explicit --permission-mode overrides
  • Secrets/Windows: file-backed secrets strip UTF-8 BOMs, ACL checks fail closed

9. WebChat / Conversation Reliability

  • WebChat preserves recoverable image attachments for text-only model replies
  • Stop button queues across Gateway reconnects — disconnected active runs cancel on reconnect
  • Active assistant-generated images persist as authenticated managed media; paired-device tokens accepted for fetches
  • WebChat session-mutation guard extends to sessions.compact and sessions.compaction.restore

10. Channel Fixes

  • Telegram media replies parse markdown image syntax ![...](...) into outbound media payloads (not just URLs)
  • Slack MPIM group DMs classified as group chat context; internal “Working…” traces don’t leak into rooms
  • BlueBubbles prefers iMessage over SMS, no silent downgrade
  • Voice-call realtime waits for OpenAI session configuration before greeting or forwarding buffered audio

Upgrade Recommendations

  • ChatGPT Plus / Pro users wanting image gen without API keys: Codex OAuth path
  • OpenRouter users: image generation now available
  • Dreaming users: upgrade to avoid cron path gaps
  • WebChat with multimodal: image attachments no longer dropped
  • Everyone: contains big security batch — recommended upgrade

← v2026.4.22 · v2026.4.24 → · Back to list