Skip to main content
Edition No. 1

The Git Gazette

Your weekly repo roundup

·openclaw/openclaw·Last 3 days

Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞

50 commits30 PRs6 issues5 releases
summarize

Authentication Apocalypse: 5 Critical CLI/OAuth Issues Hit v2026.3.13

Here's what matters this week: 1 emergency release recovery, 5 authentication failures all pointing to v2026.3.13, and 24 PRs trying to fix the mess.

The Big Story: Version 2026.3.13 shipped with catastrophic auth problems. CLI handshakes fail completely (#48167), OAuth tools won't execute (#49503), and localhost tokens get scope-limited (#46650). @ArisMontclair's CLI is "completely dead" while @JH72515's OAuth chat works but tools are silent. The pattern is clear: this version broke multiple authentication pathways.

Recovery Operations: Emergency release v2026.3.13-1 deployed on 15 March after the original v2026.3.13 tag failed. GitHub gets the -1 suffix, npm stays at 2026.3.13.

Critical Fixes in Progress: @kunalk16's Azure OpenAI custom provider fix (#49543), @gaohongxiang's Feishu SecretRefs resolution (#47406), and @ademczuk's security env injection blocks (#49702). @LivingGhost leads multiple gateway/plugin fixes (#49560, #49559, #49558).

Security Alert: If you're running v2026.3.11+, you got the WebSocket origin validation fix (GHSA-5wcw-8jjv-m286). If you're on v2026.3.13, expect authentication headaches.

Bottom line: Skip v2026.3.13, wait for the auth fixes to land, or roll back to v2026.3.12.

Sources: #48167, #49503, #46650, #49543, #47406, #49702
Tone:
1 tone change remaining
theater_comedy
The Drama DeskBy Rita Conflictsón

DEVELOPING: OpenClaw CLI Meltdown Sparks Seven-Thread Investigation

BREAKING: The OpenClaw community is witnessing what can only be described as a perfect storm of authentication chaos, with five separate issues all pointing fingers at the same villain: version 2026.3.13.

The star witness? @ArisMontclair's #48167, a seven-comment saga where the CLI is "completely dead" while the gateway hums along perfectly. But plot twist! @Hollychou924 swooped in with forensic-level diagnostics, revealing this isn't your garden-variety "gateway is down" scenario. No, folks—HTTP works, channels work, but that CLI WebSocket handshake? Stone cold dead.

Meanwhile, in the wings, @DmytroVolodymyrson's #46650 tells a parallel tale of scope-limited operator nightmares. Three witnesses have testified to missing operator.read/write permissions, with @sashakhar1 delivering the crushing blow: "This is not just a missing env var."

But wait, there's more! @JH72515's #49503 brings us a two-act tragedy where OAuth works for chat but tools refuse to execute, complete with @Ryce's technical autopsy: "auth-state-drift with persistence layer failure."

The pattern is undeniable. Version 2026.3.13 has left a trail of broken handshakes, missing scopes, and silent tool failures. Will the maintainers rise to address this multi-front authentication revolt?

Stay tuned—this story is far from over.

Sources: #48167, #46650, #49503, #49711, #49708
Tone:
1 tone change remaining
rate_review

A Renaissance of Remediation: From Crustacean Theatrics to Provider Profundity

This week's gallery presents a fascinating study in the art of the fix — a collection that spans from the sublime to the meticulously technical, each Pull Request a brushstroke in OpenClaw's ever-evolving masterpiece.

One observes with particular interest @kunalk16's work in #49543, a piece that addresses the theatrical failures of Azure OpenAI endpoints when summoned through custom providers. The TUI and agent components, one notes, were suffering from what can only be described as an identity crisis — a most undignified state for any respectable AI assistant. The fix, while modest in scope (size: S), demonstrates that elegant craftsmanship.

@gaohongxiang's contribution in #47406 presents a more substantial canvas (size: L), tackling the delicate matter of SecretRefs resolution during Feishu plugin registration. The discerning reviewer will appreciate the surgical precision with which this artist has excised the problematic resolution logic, preventing those most unseemly plugin registration failures.

Perhaps most noteworthy is @ademczuk's security-focused miniature in #49702 — a follow-up work that extends the host execution environment blocklist with six additional injection vectors. One must admire the methodical attention to detail, each blocked variable (GLIBC_TUNABLES, MAVEN_OPTS, et al.) verified against official documentation. Exquisite.

In summary: a week of thoughtful restoration work, with nary a careless merge to be found. Chef's kiss

Sources: #49543, #47406, #49702
Tone:
1 tone change remaining
sailing
The Shipping ForecastBy Captain Semver

Recovery Flotilla Launches After Tag Storm Damages Release Channel

SHIPPING FORECAST, issued Monday 1200 UTC: Emergency recovery operations concluded successfully in openclaw waters following last week's release channel disaster.

The merchant vessel v2026.3.13 suffered catastrophic tag failure shortly after launch, forcing harbor masters to deploy emergency recovery release v2026.3.13-1 on 15 March. Navigation warning: this recovery craft carries GitHub tag suffix -1 but maintains npm registry position at standard 2026.3.13 — a proper maritime salvage operation.

Weather conditions remain active with steady patch-level winds. Recent fleet movements include v2026.3.12 (13 March) delivering Control UI dashboard upgrades and OpenAI GPT-5.4 fast mode configurations, while v2026.3.11 (12 March) deployed critical security repairs addressing WebSocket origin validation vulnerabilities (GHSA-5wcw-8jjv-m286).

Current sea state shows heavy commit activity from @vincentkoc's engineering crew — Plugin SDK hardening, provider auth seams, and registry loading repairs dominating the logbook. Multiple hands on deck with @obviyus managing Telegram test stabilization and @sudie-codes addressing channel serialization (#49583).

Navigation advisory: All vessels should review the OpenRouter model catalog additions before departure. Hunter Alpha and Healer Alpha entries now available for testing runs during their limited operational window.

Next tide: Plugin SDK consolidation expected by week's end.

Sources: #49583, #44894, #41503, GHSA-5wcw-8jjv-m286
Tone:
1 tone change remaining
group
The Community PulseBy Flo Stargazer

Heavy Hitters Hard at Work: Vincent & the Core Crew Keep OpenClaw Humming

What a powerhouse week in the OpenClaw community! The activity dial is turned up to eleven with 22 unique contributors making moves across the repository.

@vincentkoc is absolutely on fire this week — dominating the commit log with provider auth improvements, plugin SDK hardening, and configuration alignment work. With 868 total contributions under his belt, Vincent's become our #2 most active contributor and shows no signs of slowing down. His focus on infrastructure work is exactly what a project of this scale needs.

@obviyus is keeping pace nicely, tackling testing improvements and config fixes while maintaining his #4 spot with 436 total contributions. I love seeing the collaboration between these two — @obviyus fixing the qwen-chat-template schema while @vincentkoc aligns the broader model compatibility thinking.

Big shout-out to @sudie-codes for landing their contribution via #49583! Every fix counts, and it's great to see community members stepping up to tackle serialization issues.

With 14 pull request review comments and 11 reviews this week, our maintainers are staying on top of quality control while keeping the merge pipeline flowing. The 9 new watchers joining us shows OpenClaw's momentum isn't slowing down — welcome to all our new community members keeping tabs on this AI assistant revolution!

Sources: #49583
Tone:
1 tone change remaining
Git Gazette: openclaw/openclaw — March 18, 2026 | The Git Gazette