OpenClaw 2026.5.20 Ships Discord Voice Follow-Mode, Headless xAI OAuth, and a Security-First Policy Engine
By AgentRiot Editorial
OpenClaw dropped version 2026.5.20 on May 21, 2026. The release spans 208 commits and adds Discord voice session mobility, device-code xAI OAuth for headless setups, a bundled Policy plugin that catches plaintext secrets, and a full Android v2 overhaul.

OpenClaw dropped version 2026.5.20 on May 21, 2026. The release is a stable rollup that includes the 2026.5.19 beta train plus final fixes. It spans 208 commits and touches Discord voice, provider authentication, security policy, cron reliability, and the Android app.
Discord Voice Follows You Into Channels
The standout feature is Discord voice session mobility. Before this release, an OpenClaw voice session stayed in one channel. Now it can follow configured Discord users as they move between voice channels, with allowed-channel checks, multi-user handoff, bounded reconciliation, and DAVE recovery preservation.
What this means in practice: you can start a voice session in a general channel, move to a private project room, and the agent follows without dropping the conversation. The allowed-channel list keeps it out of restricted spaces. DAVE recovery preservation means end-to-end encrypted voice sessions survive channel hops without forcing a full re-key.
The agent also injects bounded profile context into realtime voice instructions by default. You can disable this with a config option if you want a leaner voice session.
This was contributed by @fuller-stack-dev.
Headless xAI OAuth for Remote Servers
Remote and headless OpenClaw setups can now authorize xAI through device-code OAuth. No localhost browser callback required. You start the flow on the server, get a code, and complete authorization on any device with a browser.
This closes a real gap. Previously, xAI OAuth on a headless VPS meant SSH tunneling a browser or copying tokens manually. Now the CLI handles the device-code exchange directly. Also contributed by @fuller-stack-dev.
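The client side of a device-code exchange, sketched as an added example (not OpenClaw's or xAI's code): it shows the RFC 8628 polling rules a headless client has to honor, namely the default interval, the `slow_down` backoff and the grant's expiry. The `pollToken` callback stands in for the HTTP request to the token endpoint, and the scripted server responses and all code and token values are constructed.

```javascript
// Added illustration of RFC 8628 polling; not OpenClaw's or xAI's code.
// pollToken is a stand-in for the HTTP POST to the provider's token endpoint.
function runDeviceFlow(grant, pollToken, maxPolls = 100) {
  let interval = grant.interval ?? 5; // RFC 8628 default when the server omits it
  let elapsed = 0;                    // virtual clock in seconds
  const waits = [];                   // how long the client waited before each poll
  for (let i = 0; i < maxPolls; i++) {
    elapsed += interval;              // a real client sleeps here
    waits.push(interval);
    // Stop once the device code has expired instead of polling forever.
    if (elapsed >= grant.expires_in) return { status: "expired", waits };
    const res = pollToken(grant.device_code);
    if (res.access_token) return { status: "authorized", token: res.access_token, waits };
    switch (res.error) {
      case "authorization_pending": break;     // user has not finished yet
      case "slow_down": interval += 5; break;  // back off by 5 s for all later polls
      case "access_denied": return { status: "denied", waits };
      case "expired_token": return { status: "expired", waits };
      default: return { status: "error", error: res.error, waits };
    }
  }
  return { status: "gave_up", waits };
}

// Constructed server behaviour: replays the scripted responses in order.
function scriptedServer(script) {
  let n = 0;
  return () => script[Math.min(n++, script.length - 1)];
}

// Constructed device authorization response (field names are from RFC 8628).
const grant = { device_code: "EXAMPLE-DEVICE-CODE", user_code: "ABCD-EFGH", interval: 5, expires_in: 600 };

const happy = runDeviceFlow(grant, scriptedServer([
  { error: "authorization_pending" },
  { error: "slow_down" },
  { error: "authorization_pending" },
  { access_token: "EXAMPLE-TOKEN" },
]));

console.log(happy.status, happy.waits.join(","));
```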
Policy Plugin Catches Plaintext Secrets and Channel Misconfigurations
The Policy plugin runs three kinds of checks:
- Channel conformance verifies channel configurations against policy rules before connections go live.
- Doctor lint findings surface policy violations during openclaw doctor runs.
- Workspace repair offers opt-in fixes for policy drift, such as plaintext API keys stored in openclaw.json.
The doctor now warns when openclaw.json stores plaintext secret-bearing fields, including model provider API keys and sensitive provider headers. It also warns when sandbox tool policy hides configured MCP server tools, which has caused silent tool failures in the past.
Another doctor fix removes unrecognized thinkingFormat values during --fix, so stale provider configs validate after upgrades.
The Policy plugin was contributed by @giodl73-repo.
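A sketch of the kind of check the plaintext-secret warning describes, as an added example (not the Policy plugin's code): it walks a parsed config and reports secret-bearing fields and headers that hold literal values. The key names, header names, the `${VAR}` reference convention and the sample config layout are assumptions for illustration, since the openclaw.json schema is not shown on this page.

```javascript
// Added illustration; not OpenClaw's Policy plugin. Field names, header names
// and the "${VAR}" reference convention below are assumptions.
const SECRET_KEY = /(api[-_]?key|token|secret|password)$/i;
const SECRET_HEADER = /^(authorization|x-api-key|proxy-authorization|cookie)$/i;
const REFERENCE = /^\$\{[A-Z_][A-Z0-9_]*\}$/; // env reference, not a literal secret

function findPlaintextSecrets(node, path = [], inHeaders = false, out = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => findPlaintextSecrets(v, [...path, String(i)], inHeaders, out));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const here = [...path, key];
      if (typeof value === "string") {
        // Inside a headers map every key is a header name; elsewhere match by suffix.
        const sensitive = inHeaders ? SECRET_HEADER.test(key) : SECRET_KEY.test(key);
        // Empty strings and references carry no secret material.
        if (sensitive && value !== "" && !REFERENCE.test(value)) {
          out.push({ path: here.join("."), kind: inHeaders ? "header" : "field" });
        }
      } else {
        findPlaintextSecrets(value, here, /^headers$/i.test(key), out);
      }
    }
  }
  return out;
}

// Constructed sample config (hypothetical layout, fake values).
const sampleConfig = {
  models: {
    providers: {
      alpha: { apiKey: "EXAMPLE-PLAINTEXT-KEY", baseUrl: "https://alpha.example" },
      beta: {
        apiKey: "${BETA_API_KEY}",
        headers: { Authorization: "Bearer EXAMPLE", "User-Agent": "demo" },
      },
    },
  },
  channels: [{ name: "demo", botToken: "" }],
};

// Findings carry the path only, so the report never echoes the secret itself.
function report(config) {
  return findPlaintextSecrets(config).map((f) => `${f.kind}: ${f.path}`);
}

console.log(report(sampleConfig).join("\n"));
```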
Codex Harness Updated to 0.132.0
The bundled Codex harness moves to version 0.132.0. The app-server model-list docs were refreshed for the new catalog. A related fix gives image_generate dynamic-tool calls a 120-second default watchdog, replacing the previous 30-second bridge timeout that caused image generation to abort on slower providers.
OpenRouter Routing Gets Smarter
OpenRouter requests now honor provider-level routing policy. Model and agent params override the defaults. This matters if you use OpenRouter with multiple upstream providers and want specific models routed to specific backends without duplicating config blocks.
Contributed by @amknight.
Cron Runs on Its Own Lane
Background cron jobs no longer block human main-session chat. The scheduler runs cron work on a cron-owned wake lane while preserving reply delivery context. This fixes a long-standing issue where a busy scheduled task would stall your active conversation until it finished.
Related cron fixes:
- Legacy jobs.json array stores are preserved during upgrades instead of being treated as empty.
- openclaw cron show pagination is bounded so unbounded responses fail instead of hanging.
- Final cron output is delivered even when trailing tool warnings remain in diagnostics.
Exec Approvals Tighten Skill Loading
The old skill wrapper allowlist compatibility path is gone. Skill files must now be loaded with the read tool, and only the real skill executable is auto-allowed. This removes a bypass that could let arbitrary commands run under the guise of skill loading.
Android App Overhauled
The Android app received a full v2 redesign across 30+ commits in this release cycle. Changes include:
- New app shell and gateway onboarding flow.
- Rebuilt chat experience with focused talk sessions and dictation.
- Tightened settings screens with dedicated surfaces for agents, approvals, cron jobs, usage, skills, nodes, canvas, channels, and dreaming.
- Provider model selection surface.
- Command palette and chat starters.
- Image attachment support in chat.
The overhaul makes the Android app feel closer to the macOS and WebChat experiences.
Other Notable Fixes
- Approvals: manual /approve decisions route through the trusted approval runtime instead of showing as unknown or expired.
- Browser: screenshots and labeled snapshots honor the configured image sanitization limit.
- macOS: embedded Peekaboo bridge updated to 3.2.1 for UI automation compatibility.
- Windows: install.ps1 onboarding launches as an attached child process so fresh installs no longer freeze at Starting setup...
- WhatsApp: Baileys updated to 7.0.0-rc12; pending outbound deliveries drain on a 30-second timer instead of waiting for reconnect.
- Memory: local embedding providers close properly when active-memory searches time out, releasing pending model loads.
- Nodes: openclaw nodes approve requests pending surface approval scopes before running, fixing missing scope errors.
- Agents: explicit timeoutSeconds values above the default idle watchdog are honored for cloud and self-hosted providers.
- Subagents: wildcard target allowlists are constrained to configured agents while preserving explicit compatibility targets.
Speed and Performance
Several changes likely contribute to the perceptible speed increase reported by production users: plugin discovery results are now threaded through registry loaders to skip redundant filesystem walks, TUI startup defers plugin metadata and provider catalog loading, and CLI help uses cached stable subcommand data. The Android v2 overhaul also trims UI density and reduces redraw overhead.
How to Upgrade
OpenClaw 2026.5.20 is available now:
- npm: npm install -g openclaw@2026.5.20
- macOS: DMG and ZIP from the GitHub release page
- Docker: official image includes the bundled Codex plugin in keep lists so pruning does not remove it
Run openclaw update if you are on a recent version. The updater now preserves the managed Gateway service Node across protocol skew, so one-version CLI/Gateway mismatches no longer break restart health checks.
- Release: OpenClaw 2026.5.20
- Published: May 21, 2026
- Commits: 208
- GitHub: https://github.com/openclaw/openclaw/releases/tag/v2026.5.20

