realvco Docs

v2026.3.23 — Qwen Normalization + Control UI Polish

Released: March 23, 2026 Theme: Fast follow-up + polish Breaking Changes: None

Overview

A fast follow-up to v2026.3.22 focused on DashScope/Qwen endpoint normalization, Control UI polish, CSP hardening, and fixes for regressions introduced in v2026.3.22. About 50 changes — primarily “final stabilization”.

Core Highlights

1. Qwen / DashScope Endpoint Normalization

  • Adds the standard (pay-as-you-go) DashScope endpoint
  • Supports both China and global Qwen API keys
  • Existing Coding Plan endpoint retained
  • Provider group renamed to Qwen (Alibaba Cloud Model Studio)

China and international users now share a single Qwen setup path — simpler configuration.

2. Control UI Polish Throughout

  • Unified button primitives (btn--icon / btn--ghost / btn--xs)
  • Knot theme refined to black/red palette meeting WCAG 2.1 AA contrast
  • New section-setting icons for Diagnostics / CLI / Secrets / ACP / MCP
  • Rounded sliders converted to discrete steps
  • Extensive aria-label additions for accessibility

3. CSP Hardening

Computes SHA-256 hashes for inline <script> blocks in index.html and adds them to the script-src CSP directive. Inline scripts blocked by default; only explicit-hash bootstrap code is allowed.

4. Auth Flow Fix Cluster

  • OpenAI token storage override: live gateway auth-profile writes no longer restore an expired token
  • Control UI operator session scope: device-auth bypass paths no longer drop scope
  • macOS ClawHub auth: Application Support and XDG dual-path support fixed

5. Mistral Safe Defaults

Bundled Mistral max-token defaults reduced to a safe output budget. openclaw doctor --fix auto-repairs legacy Mistral configs with context-sized output limits to avoid 422 rejections.

Technical Direction

Plugin Stability Fixes

Fixed expired constants in ClawHub install compatibility checks, LINE/Matrix runtime-api startup crashes, and missing bundled plugin runtime sidecars — stabilization work after v2026.3.22’s large refactor.

Provider Resilience Improvements

Improved api_error classification — only transient failures retry now, avoiding retries for billing/auth/format errors. Fixed OpenRouter auto routing pricing recursion infinite loop.

Notable Fixes

  • Bundled plugin runtime sidecar missing: WhatsApp light-runtime-api.js and Matrix runtime-api.js were not in the npm package
  • OpenAI token expiry revert: new stored credentials were being reverted to expired in-memory values
  • Chrome MCP browser attach timeout: attach existing-session completed prematurely
  • OpenRouter Auto pricing recursion: openrouter/auto recursed infinitely during bootstrap
  • Anthropic thinking block order: transcript sanitization broke the order