Changelog

Notable changes to the Lobster project — doc revisions, architecture updates, and new capabilities.

2026-05-13

Voice Channel

Lobster reachable by phone call. A new voice channel routes calls into the main agent session through OpenAI Realtime over Twilio Media Streams (gpt-realtime-2 model — OpenAI’s May 7, 2026 release with GPT-5-class reasoning and 128K context, μ-law passthrough on both sides). The Realtime model handles small talk inline (~300ms first audio) and delegates substantive turns — calendar, email, travel, packages, anything factual — back into the main agent session through openclaw_agent_consult, so the call shares the agent’s tools, memory, and conversation history. Per-caller session scope means each call continues where the last one left off. Built on the @openclaw/voice-call plugin running inside the gateway process; webhook routed through the existing Cloudflare Tunnel via a new hostname → 127.0.0.1:3334. Config: plugins.entries.voice-call.
Inbound call gating. Three layers: caller-ID allowlist on the plugin’s inboundPolicy: "allowlist" (low-assurance per-spec — caller-ID is spoofable); a spoken-passphrase challenge enforced inside realtime.instructions (the Realtime model refuses tool calls, refuses to share any owner context, and refuses to acknowledge its own name until the caller speaks the passphrase, with a two-strike hang-up); and realtime.toolPolicy: "safe-read-only" clamping the consult agent to read/web/memory tools as a final blast-radius bound for the targeted-attack case.
Cloudflare Tunnel hostname multiplexing. Same tunnel, new ingress rule per service. Pattern established for future plugin endpoints — point a new hostname at the local plugin port, add a CNAME (proxied), kickstart cloudflared. Five-second reconnect blip on the existing webhook route during reload; CF edge queued and replayed.

Outbound Call Hardening

Outbound voice carries a meaningful exploit surface: an attacker who can chat-message the agent might trick it into dialing an arbitrary number and leaking owner-context into either the notify TTS or a live Realtime conversation with the recipient. Lockdown is layered defense-in-depth:

Notify-only by default — outbound.defaultMode: "notify" makes outbound calls one-shot speak-and-hang-up. No Realtime conversation engagement on outbound, so a recipient can’t ask the Realtime model leading questions and harvest answers via the consult tool.
voice_call agent tool explicitly denied for the main agent, the groups agent, and the family agent. Added to tools.deny in both config/security-policy.json and live ~/.openclaw/openclaw.json. The tool was already implicitly blocked by profile: "minimal" (it isn’t in any agent’s alsoAllow), but explicit denial guards against a future profile change silently re-exposing it. Means no chat message — by any path, on any channel — can trigger an outbound call. To enable outbound for a specific use case, drop the deny entry and add voice_call to that agent’s alsoAllow.
safe-read-only consult clamp — already in place from inbound hardening; bounds blast radius for any path that does engage Realtime tools.

Inbound is unaffected — calls hit the plugin’s webhook directly, not through any agent tool, and openclaw_agent_consult (a Realtime-side tool, distinct from voice_call) still delegates into the main session.

Plugin Schema Gotcha

@openclaw/[email protected] (npm latest) rejects fields the published docs advertise. The docs page describes realtime.consultPolicy, realtime.consultThinkingLevel, realtime.consultFastMode, realtime.agentContext, and a top-level agentId — none of which exist in the npm release’s schema. They ship only in the unreleased upstream source. Setting any of them sends the gateway into a launchd crash-loop because the plugin schema is additionalProperties: false and unknown fields hard-fail config validation. Workaround: inline the persona + gate prompt into a single realtime.instructions string, and put agentId under the per-number routing map (numbers["+1XXXXXXXXXX"].agentId) which IS in the schema. Pre-flight any new install by diffing node_modules/@openclaw/voice-call/openclaw.plugin.json configSchema.properties against the docs example before writing config.

Security

process tool security baseline synced with live state. Yesterday’s exec-approvals change added the process tool to alsoAllow for the main agent and two delegate agents, but config/security-policy.json — the baseline used by security-audit.sh — still listed process under deny, flagging a policy mismatch on every audit. Moved process from deny → alsoAllow in all three agent stanzas so the baseline matches live (commit 4ecf13e).

2026-05-12

Knowledge Vault

Vault migrated to a continuous-learning layout — the previous dump/-centric pipeline (manual shred routing URLs, action text, raw archive, and a hand-maintained wiki) was retired in favor of the codex-knowledge-llm kit conventions. The Obsidian vault now has top-level inbox/, notes/, ideas/, and projects/ folders. dump/wiki/ → notes/ (89 files), dump/inbox/ → inbox/ (10 files), dump/raw/ deleted (92 files), dump.md (single-file freeform inbox) → inbox/quick-capture.md. Vault AGENTS.md rewritten end-to-end with the new vault map and contract.
Daily Brief — a new OpenClaw cron at 04:00 PT reads everything new in inbox/ (last 24h) and notes/ (last 7d), then writes inbox/session-summary-YYYY-MM-DD.md with three sections: 3 cross-reference Connections, 1 Pattern across the week, and 1 Question worth sitting with today. First step routes action-verb lines (I need to…, Remind me to…, TODO, etc.) into Apple Reminders via a separate inbox-to-reminders script. Runs in an isolated agent session with light-context, no chat delivery, vault-only output. Model: openai/gpt-5.5.
Weekly Synthesis — new OpenClaw cron at Sunday 09:00 PT covers the last 7 days across inbox/, notes/, and ideas/ and produces an Emerging Thesis / Contradictions / Knowledge Gaps / One Action report. Writes the markdown to inbox/weekly-synthesis-YYYY-MM-DD.md and an inline-styled HTML rendering to /tmp/, then emails both via iCloud SMTP (multipart/alternative) to the owner’s email. Same model and isolation as Daily Brief, 900s timeout.
codex-knowledge-llm skill installed in the main agent workspace — provides source-routing for captures (persuasive → Original+Index+Teardown, tutorial → Implementation Notes, transcript → Concept Synthesis, book → Book Notes), with a “Lobster Vault Overrides” section pinning the no-H1 / cite-source / “don’t move existing files” rules from the vault’s AGENTS.md. Note templates adapted (# Title → ## Title) to match the vault’s no-H1 convention.
Global dump skills rewritten — both the Claude Code and OpenClaw dump skills are now thin “extract and stash” surfaces. dump <url> extracts via trafilatura, dump <podcast-url> via the podcast-transcript wrapper, and the result lands as a single file in inbox/YYYY-MM-DD-<slug>.md. No more wiki/index/log maintenance — the Daily Brief loop owns synthesis.
X (Twitter) bookmark capture overhaul — x-bookmarks-daily now writes one digest per day to inbox/YYYY-MM-DD-x-bookmarks.md (author, full tweet text, permalink, public metrics) instead of N per-tweet files plus a separate ideas/x-bookmarks/ digest. System crontab at 03:00 PT, sources the per-host secrets file so vault path resolves correctly. Underlying CLI: x-twitter-pp-cli from Printing Press, OAuth read-only scopes (tweet.read, users.read, bookmark.read, offline.access), token at ~/.config/x-oauth-token.json with refresh-token-based silent refresh.

Channels

Group iMessage send delegation playbook — the message tool’s group-GUID resolver was misresolving group targets as direct phone numbers and returning fake messageId:"ok" with empty platform receipts. Updated AGENTS.md send playbook so the main agent now delegates family DM and group-chat sends to the responsible specialized agent (which uses its own message tool and retains conversation context). Direct imsg send --chat-id <rowid> is now an explicit fallback when delegation is unavailable; AGENTS.md spells out the detection rules (via: "direct", phone-looking to, empty receipt) so future agents recognize the silent-failure case.

Reliability

Codex $HOME rewrite unwrapped in agent scripts — the Codex runtime rewrites $HOME to a sandbox path (~/.codex-home/home/...), which broke any agent script using $HOME/.openclaw/.... Unwrapped via dscl . -read /Users/<user> NFSHomeDirectory at the top of security-audit.sh (9ab3c61) and across check-openclaw-release.sh, instapaper-podcast-run.sh, and sync-config-to-repo.sh (290b328).
wacli store flag pinned — the WhatsApp local helpers were polling the Codex home store (empty) instead of the real one, returning messages=null for hours. Patched ~/.local/bin/wa-peek, wa-react, and wa-post to pass --store /Users/<user>/.wacli explicitly.
mail-cli --body frontmatter gotcha — mail-cli smtp-send --body "$(cat md_file)" silently fails when the body starts with --- because Swift ArgumentParser interprets it as a new flag (Error: Invalid option: ---). Two test fires of Weekly Synthesis hit this; the ## Email Delivery fallback section in the markdown was the only signal of the failure. Cron prompt patched to strip frontmatter via Python re.sub before invoking mail-cli, and to cap the error-logging fallback to one line so a future failure can’t recursively dump the body back into itself.
Reminders extraction decoupled from dump-process — the old shred.py Reminders branch is gone; replaced with a standalone inbox-to-reminders Python script that the Daily Brief cron invokes as Step 1 via exec. State at ~/.config/inbox-to-reminders-state.json (hash-dedupes per line). Allowlisted under the ~/.local/bin/* exec pattern, so the cron runs without approval prompts.

2026-05-10

Reliability

Emoji reactions no longer surface “Something went wrong” — a 👍 on a Lobster reply was triggering a fresh model turn that produced no text and no tool call; the gateway’s default silentReply.direct: "disallow" policy treated the empty turn as a failure and delivered the canonical incomplete-turn error back to the user. Set agents.defaults.silentReply.direct: "allow" and silentReplyRewrite.direct: false so empty model turns in DMs stay quiet, matching how a human ignores a 👍. The agent still receives every reaction, so 👎 (or anything the model wants to address) still gets a normal reply. Config: agents.defaults.silentReply and agents.defaults.silentReplyRewrite.

Channels

iMessage moved off BlueBubbles and onto the native imsg private-API bridge — no separate server process, no API password, no webhook URL. Outbound goes through channels.imessage.cliPath; inbound flows through the bridge dylib injected into Messages.app. Faster, cleaner, and the channel now auto-reattaches after a gateway restart.
Group targeting fixed — bare group GUIDs were falling into phone-number normalization and producing fake messageId:"ok" silent successes. Cron prompts targeting groups now use the chat_guid: prefix.
Inbound iMessage attachments enabled — channels.imessage.includeAttachments defaulted off; photos and media weren’t reaching the model. Now on.
imsg mode switcher — a single command swaps between the live repo build and the brew-installed release in one shot, keeping binary, bridge dylib, Messages.app injection, gateway config, and the running gateway in sync.

Docs

iMessage setup docs rewritten for the imsg path — the setup guide and plugin docs no longer describe BlueBubbles. They now cover OpenClaw’s imessage plugin backed by channels.imessage.cliPath, with no server URL, webhook URL, or channel password. The docs call out that this behavior is on Lobster main and has not yet shipped in a tagged OpenClaw release.
Workflows and Skills registry pages — new public-facing guides at guides/workflows.md and guides/skills/ index every cron-driven automation and every slash-command/agent skill, privacy-scrubbed. The use-cases doc now has a story-shaped entry for the daily Instapaper-to-Spotify podcast (each episode tagged with its source publication derived from the article URL, HTML headers, or first non-tracker outbound link).

Reliability — scheduled tasks

auth-drift-heal moved from agent cron to launchd — runs every 15 minutes via a system LaunchAgent calling a deterministic shell runner. Pure shell-on-schedule no longer goes through the cron-via-agent path, where models occasionally mangle exec calls. Cron-via-agent is now reserved for jobs that genuinely need LLM reasoning.
backup-slim also moved to launchd — daily 3am via LaunchAgent, same reasoning as above.
Self-heal helper for imsg — gateway restart un-injects the Messages.app dylib, so outbound silently fails. Self-heal now auto-reruns imsg launch and bumps a stale catchup cursor on restart.

Security

tts.apiKey externalized to SecretRef — the TTS provider key was sitting as a literal in the gateway config. Moved to a SecretRef reference and re-synced the security-audit baseline. (talk.providers.<id>.apiKey stays literal because SecretRef there is currently broken on the gateway side; tracked separately.)
Approvals defaults.security: deny — every gateway upgrade was resetting the value to full, masking allowlist mismatches. Heal now detects the upgrade-induced clobber and re-applies the desired deny state. The config-sync script also refuses to mirror an exec-approvals file smaller than the legitimate baseline, blocking a vitest stub from leaking into live state when test isolation regresses upstream.

Features

Twitter / X URL expansion in the daily Obsidian “shred” — the daily Obsidian shred now expands x.com and twitter.com URLs into per-post summaries via a small bun + X API skill, gated on a Bearer Token env var. Without the token, the shred falls open to the existing meta path.
Desktop automation skill enabled — a bundled OpenClaw skill that lets agents control macOS apps (cursor, screenshots, app windows) is now active.
FileVault authrestart helper — a one-double-click command file reboots the Mac with FileVault unlocked at next boot, so Lobster auto-starts without needing to enter the disk password at the login screen.

2026-05-04

Features

Image generation is now wired up across all agents — generated images deliver as media attachments on iMessage, WhatsApp, and Telegram replies. Reuses the existing OpenAI auth profile, no new keys.
iMessage rich text formatting for **bold**, *italic*, and ~~strike~~ now renders as proper attributed text on macOS 15+ recipients (opt-in, gracefully falls back on older devices).

Architecture

Each cron job now declares the model tier it actually needs (heavy / mid / light) instead of inheriting the heaviest default. The most-frequent jobs run on the lightest tier, cutting per-day inference cost without affecting heavy synthesis jobs.

2026-05-03

Architecture

Moved off the Pi runtime onto the native Codex harness for the four primary agents. Pi was a useful bootstrap, but the native Codex harness is the path forward for everything sitting on gpt-5.5 — fewer translation layers between the model and tool calls, and full alignment with how the Codex provider expects to be driven.

Upgrades

Upgraded OpenClaw to v2026.5.2 — picks up the perf-fix release for stalled embedded runs, repeated plugin scans, and the missing semantic-memory index. Channels back online after gateway restart.

2026-04-26

Features

Daily Obsidian “shred” — once a day, a cron processes the freeform Obsidian inbox and routes each entry to the right home: articles to Instapaper, podcasts and tasks to Reminders, bare reference links rewritten in place with a title and short summary, everything else parked. Each line gets a status glyph (✅ instapaper, 🎧 podcast, 📝 reminder, 🔗 link, 📥 inbox) so already-processed lines are skipped.
The high-water mark lives in the note’s own frontmatter — no separate state file. Daily backup written before the first edit of the day.

2026-04-25

Upgrades

Upgraded OpenClaw to v2026.4.24. Notable pickups: stuck-session recovery from stale transcript locks, macOS LaunchAgent restart hardening, exec-approval bare-name allowlist tightened, MCP loopback now enforces owner-only tool policy.

2026-04-24

Upgrades

Upgraded OpenClaw to v2026.4.23. Most relevant for Lobster: per-WhatsApp-group system prompts shipped upstream, OpenAI image generation works through Codex OAuth (no separate key), memory writes decoupled from heartbeat, prompt-injection hardening on inbound WhatsApp metadata.

Fixes

Dump regression: when a URL is sent as a separate iMessage following a Dump text, the URL still gets dropped. Root-caused upstream — the fix is in v2026.4.22+ behind an opt-in flag. Until upgrade, send the URL inline (or paired with an image).

2026-04-23

Architecture

All lobster-* agents now explicitly pinned to gpt-5.5. Previously the alias chain was silently resolving to 5.4 on startup.

2026-04-22

Upgrades

Upgraded OpenClaw to v2026.4.21. Notable pickups: iMessage-vs-SMS priority fix, stricter tapback fallback, plain-text send recovery on macOS 26, SSRF consolidation that unblocks reactions on private-IP iMessage deployments.

Reliability

OAuth token drift heal — every morning, a wave of EXPIRED alerts was firing across the sub-agents (homeclaw, kira, lobster-family, lobster-groups, lobster-node, lobster-wa, mail-router, social-planner, travel-hub). Root cause: when OpenAI rotates a refresh token, the gateway only mirrors the new credential into the main agent’s auth store. Peer sub-agents keep stale copies and get invalidated server-side on the next rotation. New script scans every per-agent auth store, picks the credential with the latest expiry per profile, and copies it out to every peer holding the same profile. Silent on no-drift, one-line summary when it heals — ready to wire into a recurring job once the pattern is observed a few more times.

2026-04-20

Features

Quotes from The Office — outbound messages from select crons (Miles tennis pickup, weekly social commitments) now end with a random line from the show, properly attributed to the speaker. Example: “Bears. Beets. Battlestar Galactica.” — Jim Halpert impersonating Dwight. Small dose of personality on otherwise transactional reminders.
Birthday-card skill promoted to a full skill with image generation and a dedicated cron.

2026-04-19

Features

Car wash booking — new shared skill books appointments at Park Place Auto Salon via browser automation. Checks the calendar for Mon/Wed drop-off conflicts, prompts for confirm before submit, and drops a 1-hour calendar hold.

Architecture

Moved the iMessage threaded-reply / tapback rules out of soft “lessons” memory and into the agent’s system prompt. The agent now reliably uses tapbacks for short acknowledgments and threaded replies for specific inbound messages instead of plain sends.

2026-04-18

Features

Restaurant reservations via the new restaurant-cli plugin — pluggable provider model covering Resy, OpenTable, Tock, and SevenRooms. Destructive actions always confirm; OpenTable bookings hand off to a pre-filled deep link in the user’s browser.
Group contact name resolution — group chats now show participant names (resolved against the local Contacts database) instead of raw phone numbers.

Architecture

The travel-aware cron that flips Eight Sleep’s Away mode now respects trip status, so completed trips no longer keep the bed cold all evening.
Fresh-machine setup now clones, builds, and configures every third-party plugin Lobster depends on (restaurant-cli, easypost, travel-hub, fastmail) idempotently in one run.

2026-04-17

Ops Tooling

lobster-ops Claude Code plugin — 38 /lobster-* slash commands consolidated into a single installable plugin, grouped by domain: system (/lobster-status, /lobster-logs, /lobster-investigate), healing (/lobster-heal, /lobster-watchdog, /lobster-harden), sessions, cron, channels, agents, auth, digests, and lifecycle (/lobster-upgrade, /lobster-release). Replaces a sprawling collection of one-off scripts and ad-hoc playbooks. Scripts symlink-install so edits go live immediately — no re-install loop.
22 ops scripts ported from upstream and 19 reference docs mirrored in alongside the skills, so any agent that loads the plugin can self-diagnose without leaving the session.

Features

Seattle events monthly digest — new skill queries Ticketmaster for upcoming concerts, comedy, theatre, opera, and Seahawks home games at ~15 Seattle venues. Long residencies collapse to a single line with a date range. Emailed on the 1st of each month as a styled HTML digest.
HTML email send helper — closes a long-standing gap where Mail.app sends couldn’t carry HTML formatting. Used by the events digest cron.

Documentation

Project CLAUDE.md cut by ~85% — reference content moved out to docs/private/ so the system prompt stays lean.

2026-04-16

Upgrades

Upgraded OpenClaw to v2026.4.15. Most impactful: stuck-session recovery from stale transcript locks, heartbeat fixes, cron isolated-session cleanup, exec-approvals bare-name patterns no longer trust ambiguous paths, MCP loopback owner-only enforcement.

Reliability

Visible token refresh — Cloudflare-backed Fastmail and Travel Hub workers now tell the CLI when they renew the token. As long as either CLI is invoked once per 30 days, the token never expires. Manual rotation is gone for the steady state.
Auth health check now covers JWT expiry, GitHub PAT expiry/revocation, and the freshness of MCP CLI sidecar tokens.

2026-04-15

Reliability

Travel Hub token rotation is now a single command that updates every storage location, restarts the gateway, and verifies end-to-end. Replaces the previous five-file manual process.
Auth health check extended to probe plugin credentials directly and scan gateway logs for silent SecretRef resolution failures.

Architecture

Travel Hub MCP moved off mcporter onto Claude Code’s native MCP config.

2026-04-13

Architecture

WhatsApp family thread updates and an evening digest now route reliably to the owner’s iMessage — steady-state cross-channel coordination.

2026-04-12

Features

Memory now indexes session transcripts for semantic search. Past conversations are queryable via memory_search, reducing the need to re-explain context the agent already encountered.
Active Memory plugin surfaces relevant recent context at session start without overwhelming the system prompt.
Browser-use skill for headless browser automation (navigate, fill, click, extract) — available to any skill that needs it.
YouTube transcript skill broken out as a standalone capability.

Upgrades

Upgraded OpenClaw to v2026.4.11. Notable pickups: Codex OAuth flow fixes, vector search index repair, heartbeat timeout/spread fixes, Active Memory timeout handling.
New openclaw-upgrade skill automates the full upgrade lifecycle (backup → update → patches → smoke tests → docs refresh).

Architecture

Codex native web search — Codex models now use OpenAI’s native web search tool instead of falling back to Brave. Cached mode, high context budget, location-aware. Brave remains the fallback for non-Codex models.

2026-04-07

Features

EasyPost shipping plugin — 9 tools spanning shipment creation, rate compare, label purchase, tracking, address verification, refunds, and label printing to a local Brother thermal printer. The agent looks up recipients via Apple PIM contacts and sets the sender based on who’s chatting.
Dump skill captures URLs, podcasts, images, and text into an Obsidian “second brain.” Wiki pages are evergreen and cross-link automatically. Podcasts get full transcription (YouTube captions first, then web transcripts, then Whisper API as last resort).
Instapaper plugin — 16 tools for reading-list management (add, archive, list, star, folders, highlights, tags, text extraction).
Podcast transcript CLI handles the full pipeline as a standalone tool: resolve Apple Podcasts URLs, download audio, chunk via ffmpeg, transcribe via Whisper.

2026-04-05

Features

Daily memory log writer — a cron writes each day’s memory file at 21:55 PT, before the daily Obsidian note is generated. Closes the gap on idle days where heartbeats correctly stayed silent and left no log.

Security

Zero hardcoded plaintext secrets remain in config — every sensitive value resolves at runtime from the secrets store or an env var. Rotation is now homogeneous: edit the secrets file, restart the gateway, run smoke tests.
Added explicit Trakt cadence rules (no retry, no fallback, ≥5s between calls) after a brief rate-limit incident.

2026-04-04

Architecture

Lossless context management is back online for long-lived sessions after an 18-day silent outage caused by an unset plugin slot. Slot is now explicitly assigned in config.
Memory subsystem got the same explicit-slot fix and the canonical memoryFlush configuration. Daily memory file creation now has three independent mechanisms.

Reliability

scripts/local-bin/ is back as the single source of truth for ~/.local/bin/ CLI wrappers — drifted scripts synced back to the repo and re-symlinked.

2026-04-03

Architecture

Remote node agent — new lobster-node agent routes shell commands to a separate MacBook via OpenClaw’s node host. Browser proxy enabled so browser tool calls are handled on the remote node’s local Chrome.

Documentation

Remote Access guide rewritten to cover both node types (device vs. core), CLI node host setup, and selective execution patterns. Published.

2026-04-01

Upgrades

Upgraded OpenClaw to v2026.4.1. Several local patches retired now that they shipped upstream.

Security

Per-cron tool allowlists — each cron job now declares exactly which tools it needs (least-privilege at the cron layer). A note-writer can’t send messages; an audit can’t modify memory.

Features

Event-driven package matcher replaces the polling cron — when the mail agent forwards a doorbell-camera email, the main agent cross-references active deliveries and alerts on confident match.

2026-03-31

Features

Auto-dream memory consolidation — community skill runs nightly dream cycles that scan unconsolidated daily logs, extract decisions/facts/lessons, and route them into five structured memory layers. Importance scoring with forgetting curves so older unreferenced memories decay naturally; PERMANENT markers protect critical knowledge.
/agent-review skill scans session transcripts, gateway logs, and cron history across all agents, then produces prioritized improvement suggestions.
Social dashboard over Tailscale — responsive HTML at /social/ on the tailnet, alongside the existing PNG variant for iMessage.

2026-03-29

Architecture

Social-planner agent — ninth agent in the multi-agent setup, dedicated to dining/social coordination. Tracks friends across three circuits, monitors engagement recency, and proposes concrete dinner plans with date + restaurant pairings.
Visual dashboard rendered as a mobile-optimized PNG (390px @2x) with color-coded recency dots. Sent as iMessage attachment or inline email.
Monthly review email on the 1st of each month: 2-month forward view, overdue prospects matched with restaurant suggestions.

2026-03-27

Architecture

Mail-agent delegation timeout increased from 30s to 60s — the search-then-read flow takes ~33s end-to-end and was just exceeding the default.

2026-03-26

Architecture

HomeClaw plugin v1.0.0 — upgraded from a skill-only stub to a full native plugin with 16 registered tools. Plugin tools run inside the gateway process, bypassing exec approvals (faster, no prompts). Mutation tools (set, trigger, rename) are opt-in per agent.
Plugin smoke-test infrastructure — verifies all testable plugins load and respond to a basic call. Runs weekly; integrated into the release skill so plugin regressions are caught before production.
Workspace files deduplicated — 23% token reduction across 6 files by removing cross-file repetition (the family table appeared three times). No behavioral changes.

2026-03-23

Security

Email delegate agent — new lobster-mail isolates all Fastmail access. Email bodies are the highest-risk prompt-injection vector, so all 36 mail tools moved off the main agent. The main agent delegates via sessions_send and the mail agent returns structured summaries (never raw bodies). Adversarial testing passed both obvious and subtle social-engineering attempts.
Session tool lockdown — sessions_list and sessions_history are now main-agent-only. Other agents can still send to known targets but can’t enumerate sessions they shouldn’t know about.
Token expiry reminders added as recurring crons for Codex OAuth and Fastmail CLI.

2026-03-22

Reliability

WhatsApp channel resilience — fixed a silent outage where the listener registered in a different runtime realm after reconnect, causing “no active listener” errors while the channel probe falsely reported connected. Channel health monitor re-enabled at 5 minutes; auto-recovery within ~35 minutes of a real outage.

2026-03-16

Features

Trakt skill — view watch history, watchlist, and search movies/shows on Trakt.tv. Forked the upstream CLI to add watchlist, --type filters, and history add --watched-at for backdating.
Eight Sleep skill controls the Pod 4 Ultra (bed temperature, alarm scheduling, sleep tracking).
Eight Sleep Away mode automation flips based on travel — when both family members leave Seattle, Away on; when either returns, Away off.
Porsche climate skill schedules delayed pre-conditioning via one-shot crons (“warm up the car in 20 minutes”).

Architecture

Browser tool moved to OpenClaw’s managed Chrome profile — no more manual Chrome launch with debug flags. Auto-launches an isolated instance via browser start / browser stop.
SecretRef migration complete for runtime-resolvable credentials. Three values remain as env vars by design (CLI commands read them directly without the gateway’s secrets runtime).

Reliability

Cron delivery leak fixed — five conditional crons were using announce-mode delivery, which auto-delivers any text the model emits before NO_REPLY. Switched all five to silent delivery with explicit sessions_send calls.

2026-03-15

Documentation

TOOLS.md rewritten to drive exec discipline: complete absolute-path lookup table for every allowlisted binary, a “DO NOT EXEC” table mapping common bare names to native tool alternatives, and clearer rules around multiline arguments.

Reliability

Calendar bug guidance — the calendar CLI silently mangles ISO timestamps with timezone offsets (drops the offset, falls back to noon). Skill now warns against the format and recommends wall-clock strings; agents must verify-after-write on every event change.

2026-03-14

Architecture

Dedicated WhatsApp agent — new lobster-wa isolates all WhatsApp traffic with its own workspace, exec allowlist, and tool policy. WhatsApp groups run in shadow/observe mode (the agent observes and reacts but doesn’t send unprompted text). Main agent monitors via sessions_history during heartbeats.

2026-03-13

Security

Webhook hooks hardened — all three critical findings from the security audit cleared. Webhooks can now only target two specific agents, session keys are constrained to the hook:* namespace, and request payloads can no longer override mapping-level session keys.
Security audit now verifies model OAuth token status, flags expiring profiles, and detects auth-failure fallbacks in gateway logs.

Reliability

Tailscale MagicDNS fixed on the agent Mac — Homebrew tailscaled wasn’t creating the resolver entry. New self-healing LaunchDaemon ensures the file exists on boot and re-creates it after Tailscale or OS updates wipe it.
Replaced the hardcoded PST offset in the meeting-check script with proper timezone handling (correctly follows DST now).

2026-03-12

Reliability

WhatsApp family group fix — requireMention: true was silently filtering every message before it reached the agent (nobody @mentions the agent in family chat). Set to false for the family group; the wildcard default remains strict.
Exec approval spam reduction — replaced compound shell chains with single workspace scripts and added a “DENIED → FIX” reference to TOOLS.md so agents avoid obfuscation-detector triggers.

Features

New debug skills: /debug-approvals, /debug-homeclaw, /debug-travel-hub.

2026-03-08

Features

Obsidian Vault native plugin — 11 gateway tools wrapping the upstream MCP server (read, write, patch, search). Runs in-process, no exec, no approval prompts. Read/write/search only; destructive operations intentionally excluded.
Family location tracker — cron on the travel-hub agent runs twice daily, queries the itinerary, and writes per-member city/country/timezone to heartbeat state. All agents now read family locations during their heartbeat cycles.

Architecture

Compaction now preserves the last 5 user-initiated turns verbatim instead of summarizing them — better continuity for multi-step tasks that span compaction boundaries.

2026-03-07

Architecture

Claude Code commands → skills — migrated all 13 to the skills surface. Skills auto-discover, so diagnostic playbooks load when context matches without an explicit slash command.
Cross-channel sessions_send pattern documented — when the message tool is bound to the current channel, the agent can delegate via sessions_send to a session on a different channel without losing channel binding.

Features

Travel Hub convenience tools: trips_get_details returns a trip with all linked records (flights, hotels, activities, ground) in one call; itinerary returns all items for a date or range.
Headless Obsidian Sync — obsidian-headless running as a LaunchAgent provides direct bidirectional sync with the Obsidian Sync service, replacing iCloud Drive.

2026-03-06

Architecture

Dedicated webhook agents — homeclaw for HomeKit events, travel-hub for travel data changes. Each receives events at a mapped endpoint, classifies routine vs. meaningful, and notifies the main agent via sessions_send only when action is needed. Routine events log silently. Each has its own auth profile and minimal tool surface.
Cron skill — comprehensive reference for creating cron jobs (main vs. isolated, tool API templates, delivery-mode guidance).

2026-03-04

Features

QMD memory backend — switched from SQLite to a local-first sidecar combining BM25 full-text search, vector embeddings, and reranking. Fully offline, auto-indexes every 5 minutes, scoped to DMs.
Blue Bottle Coffee skill manages the subscription via browser automation: magic-link auth (email → browser) → skip / pause / edit. Family members can request a skip; the agent confirms with the owner before acting.
Travel Concierge program generates comprehensive trip briefings from Travel Hub data via a three-agent fan-out (orchestrator + research + logistics).
Agent-browser replaces the built-in browser — Rust-based headless Chromium with bundled binary, optimized for AI agents (snapshot/ref-based interaction).

2026-03-03

Architecture

Workspace write access for the main agent (write, edit, apply_patch scoped to workspace only). The agent can directly manage its own memory, skills, and reference docs without exec workarounds. Restricted agents unchanged.

Reliability

WhatsApp groups silently blocked for 13 days — groupAllowFrom had been populated with a group JID instead of phone numbers, so the gateway dropped every message at the access-control layer. The blocking only logged at verbose level. Fixed and added a troubleshooting entry.

2026-03-02

Features

Obsidian vault integration — full read/edit/create/search/list via the obsidian-note CLI wrapper. Daily notes are auto-created from a template at 10 PM and the agent appends entries throughout the day. Trip journals and structured reference docs use a surgical replace workflow.

Security

Agent-to-agent re-enabled for restricted agents after defense-in-depth enforcement landed. Six red-team tests passed (Fastmail privacy, social engineering, exec escalation, sessions_spawn blocking, provenance tagging). Original escalation paths now blocked at two independent hard layers plus two soft layers. See Agent-to-Agent Communications.

2026-03-01

Reliability

Binding wildcards — discovered that peer.id: "*" does not work as a wildcard; OpenClaw bindings use strict equality. Inverted the catch-all so unmatched group chats reach lobster-groups instead of falling through to the main agent.
Tapback reactions must use text names (love, like, etc.), not emoji characters — emoji silently fail. Fixed across all agent docs.
iMessage edit confirmed broken on macOS Tahoe — Apple silently regressed the API in macOS 26. The iMessage extension correctly blocks edits with a clear error; unsend still works.

Features

Agents now use iMessage tapback reactions naturally — love photos, like acknowledgments, laugh at jokes, react instead of replying when a reaction says it all.

2026-02-28

Features

Flight Radar skill — added IATA-to-tail resolution via Flightera, plus callsign-based tracking. Handles IATA / ICAO / tail-number lookup with a curl fallback when the MCP path fails.
iMessage feature reference for restricted agents — they can now react, unsend, send threaded replies, attach files, and apply message effects (previously they only knew about send).

Reliability

Restricted agents now have read in alsoAllow — they couldn’t load skill references on demand without it.

2026-02-27

Architecture

Apple PIM v3.1.0 factory pattern — restricted agents now use the native plugin directly with per-agent workspace config. Eliminated all PIM wrapper scripts (eight removed) and consolidated config.

Security

Critical exec-allowlist fix — restricted agents had host: "sandbox" defaulting in, which (with sandbox off) ran commands directly and bypassed allowlist enforcement. Added explicit host: "gateway" and lowered elevatedDefault to off. Audit script extended to catch this drift in the future.

Features

Telegram approval buttons — community plugin replaces text-based exec approvals with one-tap inline buttons. Messages auto-update after the decision and expire after 10 minutes.

2026-02-26

Security

Adversarial review workflow — GitHub Actions runs on every push to main and analyzes commits for security-sensitive changes. File classification by severity tier (critical / suspicious / memory / routine), Gitleaks + custom secret scanning, policy drift detection against the config baseline, and a two-layer memory-injection scanner (regex patterns + LLM semantic analysis). Findings open GitHub issues with severity labels and remediation. Self-protection: the workflow hash is stored as a secret, so the agent can push code but can’t disable its own checks.

2026-02-25

Reliability

Deep idle / power management — the M1 host was entering deep standby despite sleep=0, dropping Tailscale. Disabled standby, enabled networkoversleep, and added a caffeinate -s LaunchAgent that survives reboots. Display still sleeps normally.

Architecture

Restricted agent identities rewritten — lobster-family and lobster-groups had inherited boilerplate from the main agent’s SOUL/USER/IDENTITY/MEMORY files describing themselves as “Chief of Staff” with elevated access. Both rewritten with their actual capabilities, limits, and contexts.
iMessage relay for restricted agents — added explicit “Sending Messages to Owner” syntax to restricted agent docs. They had the iMessage message tool all along but thought A2A was the only path.

2026-02-24

Features

HomeClaw plugin — HomeKit smart-home control across 104 devices (Basement, Main Floor, Upstairs, Outdoor). Skill teaches the agent to resolve device names from the device map before acting.

Reliability

Inbound iMessage attachments were silently dropped since OpenClaw v2026.2.2 — the SSRF guard blocked private/localhost addresses including iMessage at loopback. Patched the source guard and configured the iMessage attachments root.
Caffeinate LaunchAgent added as a permanent fix for deep idle on Apple Silicon (the pmset change alone wasn’t enough).

Architecture

Control UI over Tailscale — gateway stays bound to loopback; Tailscale Serve proxies HTTPS to it. Browser access via *.ts.net without exposing the gateway externally.

2026-02-23

Reliability

Exec approvals breaking change — OpenClaw v2026.2.22 fixed a long-standing bug where per-agent tools.exec config in openclaw.json was silently ignored. After the fix, agents without an explicit tools.exec block fell through to restrictive defaults and every command needed manual approval. Added explicit blocks to every agent: security: full + ask: off for the main agent, security: allowlist + ask: off for restricted agents.

2026-02-22

Features

ElevenLabs Starter tier — removes free-tier character limits. New default voice: Mark (casual, relaxed).

Reliability

Talk Mode — agent was incorrectly calling the tts tool manually and replying NO_REPLY, bypassing the gateway’s native audio pipeline. Fixed: in Talk Mode sessions, the gateway converts replies to audio automatically — no tts calls needed.

2026-02-21

Features

iMessage Private API enabled on macOS Tahoe — typing indicators, read receipts, tapback reactions, threaded replies, unsend/edit, message effects (slam, loud, gentle, invisible ink), attachments (images, files, voice memos), and group management. Send reliability improved: messages now go through the Private API instead of AppleScript.
ElevenLabs TTS & Talk Mode — voice replies work across TUI, iOS, and Control UI.
OpenClaw iOS app — built from source, paired and connected. Talk Mode working end-to-end with speech-to-text input and voice reply.

Architecture

Fastmail plugin v2.0 — refactored from in-process MCP SDK to CLI shelling. Eliminated ~1,700 lines, removed all runtime dependencies. Same 36 tools, same output, much thinner adapter.

Security

Secrets audit integrated into the daily security audit cron. Checks hardcoded secrets in config, env-var resolution, .env.example coverage, file permissions, CLI auth tokens.

Reliability

Self-healing improvements — agent timeout reduced from 600s to 180s, new stuck-session watchdog detects hung iMessage agent runs by analyzing gateway logs and triggers an automatic gateway restart.

Features

Obsidian integration — obsidian-cli installed for vault management.

2026-02-19

Architecture

Apple PIM native plugin — migrated the primary agent from an MCP server + wrapper scripts to the native apple-pim-cli OpenClaw plugin. Saves ~5K tokens per context window (40 MCP tool definitions consolidated to 5).
Fastmail native plugin — replaced the mcporter-based MCP with the native fastmail-cli plugin. Only the main agent has access; restricted agents are blocked via tools.deny.
Config symlinked to repo — live config now symlinks to the repo copy. Single source of truth with full git history.

Documentation

Updated build guide and architecture docs for the native plugin pattern. New phase added on version-controlling the config via symlinks.

2026-02-18

Documentation Site Launch

Published lobster.shahine.com as a Starlight site on Cloudflare Pages
Added iMessage conversation screenshots to the landing page (proactive reminders, group chat)
Added Apple PIM section documenting native EventKit/Contacts CLI access
Added Open Graph meta tags for rich URL previews in iMessage and social sharing

Architecture

Workspace separation: Each agent now has its own isolated workspace (~/.openclaw/agents/<id>/workspace/), preventing skill context leakage between agents
Shared skills: Common skills (travel-hub, apple-pim, imessage-health, sonos) moved to ~/.openclaw/skills/ for all agents to access
Expanded exec approvals: lobster-groups and lobster-family can now run calendar-cli, reminder-cli, contacts-cli, and mail-inbox/read/list/cli/auth-check

Security

Hardened WhatsApp group policy — added Family Chat JID to groupAllowFrom
Added WhatsApp outbound restrictions for cron jobs
Calendar/reminder visibility rules documented for restricted agents

2026-02-17

Features

FlightRadar24 skill: Real-time aircraft tracking via FR24 API
Travel Hub family access: lobster-family agent can now query trips and calendar events
Messages self-heal: Auto-recovery when Messages.app AppleScript gets wedged

Security

Email authentication spoofing test passed (SPF/DKIM/DMARC verification)
Symlinked Apple PIM Swift CLIs to ~/.local/bin for secure PATH resolution
Fixed mail-auth-check to aggregate iCloud Authentication-Results headers

Documentation

Documented three cron execution modes (sub-agent, main-session, headless)
Added mandatory rules for cron jobs that send messages
Aligned multi-agent docs with actual exec-approvals security model

2026-02-16

Initial Release

Three-agent architecture: lobster (owner DMs), lobster-groups (group chats), lobster-family (family DMs)
Defense-in-depth security model with channel bindings and tool policies
iMessage iMessage bridge with full read/send support
Tailscale SSH remote access
Fastmail MCP for email triage and organization
Travel Hub MCP for trip and flight management
Apple PIM for native calendar, reminder, and contact access
Hardening checklist and security audit framework