realvco Docs

v2026.4.20 — Onboarding Polish + Moonshot Kimi K2.6

Released: April 20, 2026 Theme: First-run experience + multi-model / channel stabilization Breaking Changes: None

Core Highlights

1. Onboarding Wizard Refreshed

Setup wizard redesigned:

  • Security disclaimer becomes a single yellow warning banner, with section headings and bulleted checklists
  • Note body no longer dimmed — easier to scan
  • Loading spinner during initial model catalog load (no more blank wait)
  • Provider API key prompts add an “API key” placeholder

2. Moonshot Kimi K2.6 Default

Moonshot setup, web search, media understanding all default to kimi-k2.6 (K2.5 stays available for compatibility).

  • moonshot/kimi-k2.6 allows thinking.keep = "all"
  • Other Moonshot models or tool_choice-pinned requests skip thinking

3. System Prompt Strengthening

Default system prompt and OpenAI GPT-5 overlay tightened:

  • Clearer completion bias
  • Live-state checks
  • Weak-result recovery
  • Verification-before-final guidance

Reliability of replies improves.

4. Cron Config File Split

Cron splits runtime execution state into jobs-state.json:

  • jobs.json stays git-tracked
  • Run-time state (last run, retry counts) lives in a separate file
  • You can safely commit jobs.json now

5. BlueBubbles Default Timeout Extended

Outbound text send timeout raised from 10s to 30s:

  • On macOS 26, Private API iMessage occasionally takes 60+ seconds
  • Old 10s abort was silently dropping messages
  • New channels.bluebubbles.sendTimeoutMs (also per-account)
  • Probes / health checks keep the shorter 10s

6. Codex Stability Fixes

  • ChatGPT/Codex OAuth Responses requests route through /backend-api/codex
  • Codex app-server releases the session lane after a downstream consumer throws
  • Codex default approval handling becomes on-request (less permissive at start)
  • Image generation tool stops re-exposing on native vision turns

7. Security and Pairing Hardening

  • Non-admin paired-device sessions can only manage their own pairing requests
  • WebSocket broadcasts (chat, agent, tool-result) require operator.read or higher
  • tools.exec and tools.fs no longer implicitly widen messaging / minimal restrictive profiles
  • Workspace .env blocks all OPENCLAW_* keys — no silent inheritance
  • Agent-facing gateway tool rejects model-driven config.patch/config.apply of sandbox, plugin trust, TLS, hook routing, and other operator-trusted paths

8. Practical Stability Fixes

  • /new and /reset clear auto-sourced model / provider / auth-profile overrides
  • estimatedCostUsd snapshot like token counters to avoid compounding costs
  • Mattermost streams thinking, tool activity, and partial reply text into a single draft preview post
  • Telegram polling watchdog raised from 90s to 120s default (configurable)
  • agents.defaults.experimental.localModelLean lets weaker local models drop heavyweight tools

Upgrade Recommendations

  • New OpenClaw users: vastly improved onboarding
  • Kimi users: free upgrade to K2.6
  • BlueBubbles + macOS 26 users: silent message drops fixed
  • Git-workflow-focused users: cron config split lets you commit cleanly
  • Strict-security customers: multiple pairing and RBAC fixes

← v2026.4.15 · v2026.4.21 → · Back to list