OpenClaw weekly: 3.12 and 3.13, memory fix, and upstream shifts

Two stable releases, one beta, a memory regression fixed in under 24 hours, and a week of upstream news that changes how you should think about running agentic systems at home. Here's what happened between 13 and 20 March 2026, and what to do about it.

OpenClaw 2026.3.12: dashboard, safety, and new primitives

Three releases shipped this window. 2026.3.12 arrived on 13 March. 2026.3.13-beta.1 followed on 14 March, and stable 2026.3.13 shipped the same day — published as v2026.3.13-1 because GitHub won't let you reuse an immutable tag after publication.

The npm version stays 2026.3.13. If you pin via git tags, you're pinning v2026.3.13-1. Check your deployment scripts now.

Dashboard v2: the surface, not the story

The visible headline in 3.12 is a refactored Control UI — modular views (Overview, Chat, Config, Agent, Sessions), a command palette, slash commands, search, export, and pinned messages. If you manage your gateway via browser, you'll notice immediately.

But the more operationally important work is elsewhere.

/fast becomes a real cross-provider contract

Fast mode now works as a consistent toggle across TUI, Control UI, and ACP. On OpenAI paths it shapes requests for fast-tier behaviour. On Anthropic paths it maps to service_tier. Critically, the UI verifies whether your account actually has tier access rather than silently degrading.

That last detail matters. "Silent degradation" is how you end up debugging weird latency characteristics for an afternoon before realising the toggle did nothing.

For a self-hosted gateway routing across providers, one mental model for latency-cost tradeoffs is worth more than a dozen per-provider knobs.

Provider plugins get modular

Ollama, vLLM, and SGLang move to a provider-plugin architecture with provider-owned onboarding and discovery hooks. This is structural work. Future day-one model support lands less brittlely, because the core no longer absorbs every provider-specific edge case directly.

sessions_yield: a small primitive with real consequences

For anyone building multi-agent workflows, sessions_yield lets an orchestrator end a turn immediately, skip queued tool work, and carry a hidden follow-up payload into the next session turn.

This gives you clean interrupt and pre-emption patterns without prompt hacks or waiting for a runaway tool chain to finish. Three patterns you can build this weekend:

• Priority interrupt — stop the current tool chain when a higher-priority event arrives. Your "doorbell camera triggered" message overrides "clean up my notes".
• Guardrail fail-fast — if a policy check fails, yield immediately rather than letting tools run and then trying to roll back.
• Chunked long jobs — break expensive workflows into discrete turns (scan → plan → execute → validate), yielding between steps so the system can re-evaluate context and budgets.

You don't need a scheduler to get value from this. One orchestration agent that knows when to stop is enough.

Slack Block Kit: messages as UI

3.12 adds support for channelData.slack.blocks in the standard reply delivery path. Agents can now emit Block Kit payloads through the normal mechanism. This is the difference between a chat bot and a workflow UI — structured messages users can click, expand, and route.

A practical weekend build: one agent handling a recurring operational loop — home server status, for instance — posting a structured Slack message with buttons for "Show logs", "Restart service", "Silence alerts for 2 hours", "Open incident note". Users stay in one thread without memorising commands.

3.13 extends this further with opt-in Slack interactive reply directives.

Security: read this before anything else

3.12 includes two security changes that should be mandatory reading for anyone running a shared gateway.

Bootstrap tokens for pairing. /pair and openclaw qr now issue short-lived bootstrap tokens instead of embedding shared gateway credentials in pairing payloads. A QR code screenshotted into a chat log is no longer a permanent credential risk.

Implicit plugin auto-load disabled (GHSA-99qw-6mr3-36qr). Workspace plugins no longer run automatically when you clone a repository. An explicit trust decision is now required. This is a breaking change if you relied on automatic execution in freshly cloned workspaces.

The conceptual model here is correct: treat agent plugins like CI scripts. A repository is a delivery vehicle, and you should decide consciously what runs in your environment.

Beyond these two, 3.12 bundles hardenings around exec-approval rendering (Unicode normalisation and invisible character detection), scope enforcement for owner-only commands like /config and /debug, restrictions on persistent browser profile management via browser.request, and guardrails against external callers overriding workspace boundaries.

If you run OpenClaw anywhere other than a single-user laptop, treat the full advisory list as required reading and prioritise this upgrade.

Long tail fixes worth naming

Several fixes that sound niche are exactly the ones that cause weekend yak-shaving:

• Telegram model picker persistence and validation improvements
• Cron proactive delivery dedupe to avoid replay after restarts
• Main-session routing fixes so internal UI sends don't inherit an external delivery route
• Windows: openclaw update no longer dies early on missing git or node-llama-cpp setup — it now mirrors the installer behaviour using npm update flows

OpenClaw 2026.3.13: stabilisation and the memory fix

The regression that mattered

The most operationally important change in 3.13 is a fix for a plugin SDK chunk deduplication issue introduced in 3.12 that caused roughly 2× memory usage. The fix deduplicates plugin-sdk chunks in the build pipeline.

On a constrained VPS or small ARM box, 2× memory usage isn't a metric. It's the difference between a stable agent and swap death. If you upgraded to 3.12 and noticed RAM pressure, this is your explanation and your fix.

A practical validation approach: capture baseline RSS and swap activity on 3.12 under your worst-case workload, upgrade to 3.13, rerun the same pattern, compare. On Raspberry Pi-class devices, this upgrade is likely to determine whether your gateway survives load spikes.

Compaction: continuity, not just cost control

3.13 adds a full-session token count sanity check after compaction, preserves persona and language continuity through compaction summaries, keeps lastAccountId and lastThreadId on session reset, and ensures transcripts exist when chat.inject runs.

If your gateway runs continuously, compaction is identity preservation, not just cost management. An agent that slowly drifts in persona and language across compaction boundaries is unreliable in ways that are hard to debug. This work directly addresses that failure mode.

OPENCLAW_TZ: fix Docker cron once

3.13 adds an OPENCLAW_TZ environment variable so Docker deployments can pin an IANA timezone instead of inheriting the daemon default.

services:
  openclaw:
    environment:
      - OPENCLAW_TZ=Europe/Zurich

If you've ever scheduled "weekday morning reminders" and discovered your container runs in UTC while you think in local time, this is the fix. It also makes log timestamps line up with your mental model, which matters when you're debugging something at 11pm.

3.13 also updates Dockerfiles to run apt-get upgrade during build. Not glamorous. Important baseline hardening.

Mobile: actual maintenance

3.13 includes a redesigned Android chat settings UI, improved QR onboarding using Google Code Scanner, an Android HttpURLConnection leak fix, and an iOS onboarding welcome pager.

These matter for "always-on pocket gateway" setups — old phone in a drawer, always plugged in, always connected. Less fragile is the only kind of always-on that holds up.

Agent reliability: small fixes, compounding effect

Several changes in 3.13 address silent failures in long sessions:

• Thinking blocks dropped on replay for Anthropic sessions
• Memory files no longer injected twice on case-insensitive mounts
• Explicit user compatibility overrides respected more consistently
• Cross-agent workspace resolution corrected

Each item is small. Together they reduce token waste, context pollution, and the kind of "my agent is acting weird" behaviour that's hard to reproduce and harder to explain.

Known issues to track

openclaw status false "missing scope" on 3.13. A GitHub issue filed 16 March reports that openclaw status may claim the loopback gateway is unreachable due to "missing scope: operator.read" even when it's reachable. A fix is already on main. Until it reaches stable, use openclaw gateway status or openclaw health as your verification path.

node-llama-cpp optional peer dependency. Filed 17 March: node-llama-cpp is marked optional, so npm may not install it automatically, causing local memorySearch embedding workloads to run CPU-only. If you depend on local embedding models and expect GPU acceleration, verify your dependency installation explicitly.

Upgrade mechanics

The recommended path:

openclaw update
openclaw health

openclaw update detects install type, fetches the latest version, runs openclaw doctor, and restarts the gateway. This keeps upgrades routine rather than special.

One version note from 3.13: the minimum supported Node.js version is now aligned to 22.16.0 in the runtime guard. If you manage Node manually or run source installs, audit your Node version before upgrading the gateway. The docs recommend Node 24.

Ecosystem watch

OpenAI: monitoring agents is now an operational discipline

On 19 March, OpenAI published a detailed write-up on how they monitor internal coding agents using a low-latency system powered by GPT-5.4 Thinking — reviewing chains of thought and producing severity-labelled alerts. The post explicitly frames monitoring as one layer in a defence-in-depth stack and discusses the shift toward synchronous blocking in high-risk settings.

If you run a gateway that can touch your files, your browser, your chat systems, and your home automation, you're already in agentic system territory. The direction is clear: treat long-running agent sessions like production systems. Keep structured logs for tool calls and approvals. Treat unexpected tool-use as an incident worth investigating, not a curiosity.

The security hardening in 3.12 and 3.13 — scope enforcement, plugin trust, compaction sanity checks, token leakage prevention — reflects the same worldview. Tools like UptimeRobot, which offers external uptime monitoring with a free tier covering 50 monitors, become relevant once your gateway is something you rely on daily.

GPT-5.4 mini and nano strengthen the small-model subagent pattern

On 17 March, OpenAI announced GPT-5.4 mini and GPT-5.4 nano. Mini is positioned as more than 2× faster than GPT-5 mini. Nano targets classification, extraction, ranking, and subagent work.

The emerging architecture this points toward: one high-quality model for coordination, policy, and final output; small fast models for parallel chores — grep logs, scan a config tree, summarise docs, draft a Slack Block Kit card.

OpenClaw's direction this week (sessions_yield, fast mode consistency, improved session continuity) directly supports that design. 3.13 also updates Codex test defaults from GPT-5.3 to GPT-5.4, signalling the project is tracking the provider landscape and smoothing the knobs for multi-model setups.

Anthropic: 1M context becomes standard

On 13 March, Anthropic announced that 1M context is generally available for Opus 4.6 and Sonnet 4.6 at standard pricing with no long-context premium, and expands media limits to 600 images or PDF pages.

The right compaction strategy now depends on your routing:

• Route to a 1M-context model — compaction is less frequent, but the cost of a bad compaction when it happens is higher. Continuity preservation matters more per event.
• Route to smaller context windows — compaction is routine, continuity work is mandatory on every cycle.

OpenClaw's investment in making compaction less lossy and less identity-breaking is the correct direction for both cases.

OpenAI Japan: a reminder about shared deployments

OpenAI Japan published a Teen Safety Blueprint on 17 March covering age-aware protections, stronger policies for users under 18, and parental controls.

The self-hosting implication is straightforward: if multiple people access your gateway — family chat, shared Slack, shared Discord — you need a deliberate policy and safety posture for that environment. 3.12 and 3.13's scope enforcement, pairing token design, and owner-only surface work all move in the right direction for multi-user reality.

Three things to do this weekend

Upgrade to 2026.3.13 if you're on 3.12 and care about memory stability or Docker operational polish. The plugin SDK memory regression fix alone justifies this.

Read 3.12's security and plugin trust changes if you run a shared deployment. Make explicit trust decisions part of your onboarding process for new workspaces. Update your docs for teammates.

Build something with the new primitives. A latency-aware agent loop using /fast, an interruptible orchestrator with sessions_yield, a structured Slack workflow message if Slack is your home base. The platform work this week is exactly the kind that makes weekend experiments hold up in daily use.

Next edition covers the week ending Friday, 27 March 2026.

Where to run this

We run our OpenClaw gateway on Hetzner — a CX23 at €4.85/month with €10 sign-up credit. The 3.13 memory fix makes that tier viable again if 3.12 pushed you into swap. For a gateway that stays up, it's hard to beat the price-to-RAM ratio.

If you'd rather not maintain the stack yourself, xCloud offers managed OpenClaw hosting — skip the Docker wrangling and get straight to building agents.

For automations that don't need a full self-hosted gateway — or if you want to prototype multi-agent workflows before committing to infrastructure — ClawTrust is an AI automation platform worth looking at.

(Affiliate links — we get a small cut if you sign up, at no cost to you.)