OpenClaw: Transport Revolution & Mobile Security Wins
A massive infrastructure upgrade with 17 merged PRs focused on transport overrides and security improvements. Vincent Koc led the charge with provider request transport overrides, while the team tackled mobile pairing security, Discord proxy fixes, and session lifecycle improvements. Major wins in configuration management and test performance tooling round out this release.
Duration: PT4M25S
Transcript
Hey there, fellow developers! Welcome back to another episode of OpenClaw - I'm your host, and wow, do we have an exciting episode for you today. Grab your favorite beverage because we're diving into what I'm calling the "Transport Revolution" - April 3rd brought us 17 merged pull requests and 30 additional commits that are genuinely reshaping how OpenClaw handles connections and security.
Let's start with the star of the show - Vincent Koc has been absolutely crushing it with transport overrides. We got two massive PRs that are game-changers for enterprise users. First up, PR 59848 adds request transport overrides for media endpoints. This is huge because if you're running self-hosted media servers or working behind enterprise proxies, you can now configure custom headers, auth, and TLS settings just like you could with other provider paths. We're talking about 9,843 lines added across 19 files - this isn't a small tweak, this is foundational infrastructure.
Then Vincent followed up with PR 60200, bringing the same transport override magic to model providers. No more worrying about OpenRouter attribution leaking onto your custom proxy routes, and SecretRefs now resolve at runtime like they should. The consistency here is beautiful - you get the same powerful request policy surface across media, tools, and now model providers.
But transport isn't the only story today. The mobile experience got some serious love from obviyus with PR 60128. Android now properly enforces TLS for non-loopback gateway endpoints, which means no more vague QR code errors when you're trying to set up remote pairing. The fix is elegant - it fails closed on insecure remote websocket URLs instead of letting you think everything's fine until it isn't.
Speaking of connections, geekhuashan tackled a pain point that anyone using Discord behind restrictive networks will appreciate. PR 57465 fixes Discord's REST and webhook paths to honor your configured proxy settings. Before this, your gateway login could work perfectly while message sending failed silently. Not fun to debug, but now it just works.
Here's something I love - jalehman enriched our session lifecycle hooks with PR 59715. The new session_end hook now includes transcript metadata and replacement info, giving plugins a stable way to handle session transitions. It's one of those changes that makes the whole system feel more mature and thoughtful.
We also got some fantastic reliability wins. BradGroux improved WebSocket handshake reliability on Windows with slower startup environments, and fixed that annoying temporal dead zone error with CHANNEL_IDS that was causing startup failures. These might not sound glamorous, but they're the kind of fixes that make developers' lives better every single day.
And can we talk about the testing improvements? Vincent added GitHub Actions integration to the memory hotspot tooling, making it dead simple to regenerate memory profiles from CI runs. This is the kind of developer experience polish that shows a project is maturing beautifully.
Oh, and StepFun users, you're going to love this - hengm3467 added a bundled StepFun provider plugin. No more separate installs or restart friction - it's all there out of the box with both China and global onboarding flows.
Today's Focus - if you're running OpenClaw in an enterprise environment or behind proxies, definitely check out those new transport override configurations. The documentation has been updated with examples, and honestly, this opens up deployment scenarios that were painful before. If you've been waiting for better proxy support or custom header handling, your time has come.
For plugin developers, take a look at those enriched session lifecycle hooks. The new metadata in session_end events could unlock some really interesting use cases for transcript processing and session analytics.
That's a wrap on today's episode! Seventeen PRs, massive infrastructure improvements, and a codebase that keeps getting more robust and flexible. The momentum on this project is incredible, and I can't wait to see what you all build with these new capabilities. Until next time, keep shipping great code, and remember - every commit is a step forward. Catch you soon!