You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This document tracks feature parity between IronClaw (Rust implementation) and OpenClaw (TypeScript reference implementation). Use this to coordinate work across developers.
Legend:
✅ Implemented
🚧 Partial (in progress or incomplete)
❌ Not implemented
🔮 Planned (in scope but not started)
🚫 Out of scope (intentionally skipped)
➖ N/A (not applicable to Rust implementation)
Last reviewed against OpenClaw PRs: 2026-05-02 (merged 2026-03-11 through 2026-04-30, OpenClaw releases 2026.3.11 → 2026.4.30)
1. Architecture
Feature
OpenClaw
IronClaw
Notes
Hub-and-spoke architecture
✅
✅
Web gateway as central hub
WebSocket control plane
✅
✅
Gateway with WebSocket + SSE
Single-user system
✅
✅
Explicit instance owner scope for persistent routines, secrets, jobs, settings, extensions, and workspace memory
Multi-agent routing
✅
❌
Workspace isolation per-agent
Session-based messaging
✅
✅
Owner scope is separate from sender identity and conversation scope
Loopback-first networking
✅
✅
HTTP binds to 0.0.0.0 but can be configured
Owner: Unassigned
2. Gateway System
Feature
OpenClaw
IronClaw
Notes
Gateway control plane
✅
✅
Web gateway with 40+ API endpoints
HTTP endpoints for Control UI
✅
✅
Web dashboard with chat, memory, jobs, logs, extensions
SSE broadcast manager exists (SseManager). Reborn has a transport-neutral projection EventStreamManager with access/admission/rebase/lag/redaction contracts, product-safe capability activity events plus bounded display-preview events, live thinking projection updates, and the local-dev WebUI serve path now wires it into /events and /ws through the WebUI product facade; local-dev WebUI also persists terminal tool previews as ordered transcript items and includes their timeline message ids on live preview events. Production durable/live fanout remains follow-up work.
Channel health monitor
✅
❌
Auto-restart with configurable interval
Presence system
✅
❌
Beacons on connect, system presence for agents
Trusted-proxy auth mode
✅
❌
Header-based auth for reverse proxies; trustedProxy.allowLoopback for same-host reverse proxies
APNs push pipeline
✅
❌
Wake disconnected iOS nodes via push; iOS push relay with App Attest verification
Oversized payload guard
✅
🚧
HTTP webhook has 64KB body limit + Content-Length check; no chat.history cap
Pre-prompt context diagnostics
✅
🚧
Token breakdown logged before LLM call (conversational dispatcher path); other LLM entry points not yet covered
OpenAI-compat /v1/models, /v1/embeddings
✅
❌
Discovery + embeddings on top of /v1/chat/completions
WASM channel with Event Subscription v2.0; Bitable/Docx tools planned
WeCom
✅
🚧
P2
Standalone WASM channel focused on WeCom intelligent bot WebSocket inbound/outbound, pairing, group sessions, inbound media hydration, and direct Bot media upload/send; self-built app callback + Agent API deferred
LINE
✅
❌
P3
WeChat (iLink bot)
✅
🚧
P2
Extension-first channel (channels-src/wechat), single-account DM flow with QR login, typing, image send/receive, inbound file/voice/video handling, outbound image/video/file media, and SILK-to-WAV voice fallback; multi-account remains deferred
WebChat
✅
✅
-
Web gateway chat
Matrix
✅
❌
P3
E2EE support
Mattermost
✅
❌
P3
Emoji reactions, interactive buttons, model picker
channels.discord.voice.model LLM override; voice mode auto-rejoin after RESUMED
CJK reply chunking
✅
❌
Splits long CJK replies at punctuation/code-point-safe boundaries
Slack-Specific Features (since Feb 2025)
Feature
OpenClaw
IronClaw
Notes
Streaming draft replies
✅
❌
Partial replies via draft message updates
Configurable stream modes
✅
❌
Per-channel stream behavior
Thread ownership
✅
🚧
Reply participation memory is restart-stable and TTL-bounded; once the bot joins a thread, follow-ups inherit channel visibility. Full thread-level ownership tracking is still missing
Download-file action
✅
❌
On-demand attachment downloads via message actions
App Home tab views
✅
❌
Default Home view on app_home_opened, included in setup manifests
Persistent thread participation
✅
❌
Bot-participated threads tracked across restarts
Block Kit limit hardening
✅
❌
Auto-truncates buttons/selects/values, drops oversized link URLs while preserving valid blocks
Per-group/per-direct system prompts injected via GroupSystemPrompt (Telegram, Discord, WhatsApp, BlueBubbles)
Visible reply enforcement
✅
❌
messages.visibleReplies requires output via message(action=send); group-scope override available
Active-run steering queue
✅
❌
messages.queuesteer mode (default) drains queued messages at next model boundary; queue legacy one-at-a-time
Tool-progress streaming into previews
✅
❌
Tool progress shown in live preview edits (Discord/Slack/Telegram/Mattermost/Matrix)
dmPolicy="open" semantics
✅
🚧
Public open-DM only with effective wildcard; pairing-store senders no longer count for DM audits (OpenClaw fixed across all channels)
Owner: Unassigned
4. CLI Commands
Command
OpenClaw
IronClaw
Priority
Notes
run (agent)
✅
✅
-
Default command
tool install/list/remove
✅
✅
-
WASM tools
gateway start/stop
✅
❌
P2
onboard (wizard)
✅
✅
-
Interactive setup
tui
✅
✅
-
Ratatui TUI
config
✅
✅
-
Read/write config plus validate/path helpers
backup
✅
❌
P3
Create/verify local backup archives
channels
✅
🚧
P2
list implemented; enable/disable/status deferred pending config source unification
models
✅
🚧
P1
Reborn now uses a shared composition provider-admin facade for CLI models list [<provider>] (--verbose, --json), models status, models set <model>, models set-provider <provider> [--model model], plus Product Workflow typed model set-provider ... parsing without touching v1 state. Remaining: live model fetching, OAuth/API-key login flows, and wiring the provider-admin ProductCommandService into product surfaces.
status
✅
✅
-
System status (enriched session details)
agents
✅
❌
P3
Multi-agent management
sessions
✅
❌
P3
Session listing (shows subagent models)
memory
✅
✅
-
Memory search CLI
skills
✅
✅
-
CLI subcommands (list, search, info) + agent tools + web API endpoints
pairing
✅
✅
-
list/approve, account selector
nodes
✅
❌
P3
Device management, remove/clear flows
plugins
✅
❌
P3
Plugin management
hooks
✅
✅
P2
hooks list (bundled + plugin discovery, --verbose, --json)
logs (gateway.log tail), --follow (SSE live stream), --level (get/set). WebUI v2 exposes bounded in-memory log projection at /api/webchat/v2/logs for non-operators and /api/webchat/v2/operator/logs for operators, both with level/target and run/thread/turn/tool/source scoped filters. No DB-persisted log history.
traces
➖
🚧
-
IronClaw-native Trace Commons client MVP, not an OpenClaw parity feature.
Local opt-in capture, redaction, queueing, queue-status diagnostics, scoped web APIs, revocation, and periodic credit notices.
CLI opt-in writes the runtime/web user-scope policy that autonomous capture reads, and credentialed submit/status/revoke calls use bounded no-redirect HTTP.
Authenticated web paths are user-scoped and keep ingestion endpoint/credential settings out of user-managed policy updates.
Private TraceDAO server ingest/review/export/audit/retention/vector/credit infrastructure now lives in the standalone tracedao-server repository, with IronClaw retaining CLI/client integration wrappers.
Owner-only diagnostics export with sensitive-data preamble
/codex computer-use status/install
✅
❌
P3
Codex desktop control setup with marketplace discovery
/dock-* route switches
✅
❌
P3
Switch active session reply route through session.identityLinks
--container / OPENCLAW_CONTAINER
✅
❌
P3
Run process commands inside running Docker/Podman container
Trace Commons incremental note: reviewer quarantine and active-learning queues now surface prioritization metadata, including review_age_hours, review_escalation_state, and review_escalation_reasons, so CLI non-JSON output can show SLA pressure and escalation causes during triage. DB-backed review leases now let reviewer/admin principals claim, release, claim the next available tenant-scoped quarantined trace, or claim a bounded prioritized batch through POST /v1/review/leases/claim-next, POST /v1/review/leases/claim-batch, ironclaw traces review-lease-claim-next, and ironclaw traces review-lease-claim-batch, using review escalation/SLA priority ordering before writing DB lease state and typed claim/release audit rows; they also expose lease assignment metadata in review queues, support all, mine, available, active, and expired lease filters in API/CLI/web operator queues, and block other reviewers from finalizing while a lease is active. Analytics can now suppress aggregate cells below a configured minimum count while reporting the suppression threshold and number of hidden buckets. Tenant token entries can now carry optional RFC3339 expires_at/expires attributes, and the ingest service can accept optional HS256 signed tenant claims that bind tenant id, actor principal, role, issuer/audience when configured, allowed consent scopes/uses, and expiry without enumerating every bearer token; claim allow-lists now constrain submission, replay exports, benchmark/ranker dataset generation, process-evaluation workers, and utility-credit jobs. Operator docs now pin production asymmetric upload-claim governance to managed issuer/key rotation with EdDSA/Ed25519, leaving static tokens and HS256 claims as internal bridge paths, and TRACE_COMMONS_REQUIRE_EDDSA_SIGNED_TOKENS now rejects those bridge credentials on every authenticated route when enabled. Keyed signed-token secrets and EdDSA public-key files support kid-selected rotation, deployments can cap signed-claim lifetimes by requiring iat and bounding exp - iat, require JWT IDs before accepting signed claims, emergency-denylist signed-claim JWT IDs by jti, and config status exposes only key/EdDSA-key/denylist/max-TTL/JTI-policy counts plus the EdDSA-required auth gate while submitted audit rows record only the safe auth method plus hashed principal. Retention maintenance also honors TRACE_COMMONS_LEGAL_HOLD_RETENTION_POLICIES so configured policy classes are skipped for new expiration and purge passes, and DB-backed maintenance runs now write durable retention job/item ledger rows for resumable expire/purge/revoke bookkeeping with admin-only API plus CLI and web-operator reads for tenant-scoped jobs and per-submission lifecycle items. Maintenance DB reconciliation now runs after the retention ledger write and reports DB retention job/item counts plus current-run retention job or item-count gaps as promotion blockers. Process-evaluation workers have a CLI submit helper for POST /v1/workers/process-evaluation, store bounded rubric metadata under the process_evaluation worker kind, mirror typed hash/count-only audit metadata, can optionally append idempotent training_utility delayed credit for the evaluated accepted submission using an external reference, preserve separate DB derived rows per evaluator version while feeding content-free process-evaluation analytics by label, rating, and score band without double-counting DB-backed submissions, and now require tenant policy or signed-claim evaluation-use ABAC before reading or labeling accepted trace bodies. Utility-credit workers now also require the source trace plus tenant policy or signed claim to allow the requested regression/evaluation, model-training, or ranking-training utility use before appending delayed credit. Object-primary envelope writes now use unique encrypted artifact object ids per logical snapshot so review/process-evaluation writes do not overwrite ciphertext behind older submitted-envelope object refs, terminal-trace status sync can explain retained-but-excluded delayed ledger rows without exposing them through contributor credit-event reads, web enqueue/submit and CLI queue writes reject crafted requests/envelopes that try to include message text or tool payloads disallowed by the standing policy, DB stores now reject derived rows, vector entries, and export manifest items whose object, derived, or vector refs do not belong to the same tenant/submission, periodic local credit notices now include delayed ledger deltas plus credit-event counts and a scoped durable retry outbox with safe delivery attempt hashes, CLI status sync resets credit notices when delayed-credit explanations change even without a numeric delta, and autonomous runtime capture skips ineligible current traces instead of leaving held queue files while preserving queue flush/credit notices.
This push also adds local autonomous queue diagnostics/status surfaces: CLI traces queue-status reports readiness, bearer-token environment presence, queue/held counts, retry/manual-review/policy hold counts, next retry time, durable flush/status-sync telemetry, retryable submission failure counters, last compaction reclaimed count, duplicate envelopes removed, orphan hold sidecars removed, malformed envelopes quarantined, sanitized held-reason counts, safe queue warning aggregates, warning severity, production-promotion blocking flags, safe recommended actions, sanitized failure classes, and local credit summaries; authenticated web /api/traces/queue-status reports scoped queue/held diagnostics plus the same durable telemetry, and /api/traces/credit-notice marks due notices. Due credit notices now carry local acknowledge/snooze state: CLI traces credit --notice --ack and authenticated POST /api/traces/credit-notice acknowledgement suppress the current credit fingerprint until credit changes, while --snooze-hours and the matching web action suppress it until a bounded deadline without exposing trace bodies or explanation text in the fingerprint. The agent loop now runs a periodic Trace Commons queue worker for opted-in owner/active-user scopes, stores retryable submission failures as typed redacted sidecars with capped backoff, skips retry-held envelopes until due, records durable scoped telemetry for queue/status-sync attempts, writes queue JSON through atomic temp-file replacement, compacts duplicate queued contribution envelopes and orphan held sidecars before submission, quarantines malformed active queue files locally instead of blocking later valid uploads, and broadcasts returned credit notices. Diagnostics warn on schema-version, consent-policy, redaction-pipeline, trace-card-redaction-pipeline, and malformed-envelope mismatches without raw bodies or raw observed mismatch values, and classify local failures into sanitized Endpoint, Credential, Network, NetworkOffline, NetworkDns, NetworkTimeout, NetworkConnectionRefused, HttpRejection, Policy, Queue, StatusSync, Submission, and Unknown buckets. EdDSA/Ed25519 public-key verification is available through default or kid-selected key config and JSON/file/guarded-HTTPS keysets with optional activation windows, with safe total/active/inactive/managed EdDSA config-status counts; managed EdDSA-required mode now accepts only active managed-keyset claims with issuer/audience checks. Autonomous clients can refresh short-lived EdDSA upload claims from guarded HTTPS issuers for queue flush, explicit submit, status sync, and remote revoke calls, and ingestion services now refresh guarded HTTPS issuer-managed Ed25519 keysets live with last-good preservation and optional max-stale fail-closed enforcement.
Trace Commons hardening note: required DB mirror mode, object refs, PostgreSQL/libSQL storage, RLS diagnostics, and encrypted artifact storage now live in the public zmanian/tracedao-server repo rather than Ironclaw's shared DB abstraction. Ironclaw retains local-first trace contribution capture, upload-claim fetching/validation, queue/status/credit notice behavior, and client-facing CLI/web helpers behind the Reborn-aligned TraceClientHost product facade for local redaction, queueing, status sync, and credit-notice delivery.
Trace Commons production-boundary note: PostgreSQL/libSQL now include a durable tenant-scoped revocation-propagation ledger for downstream invalidation and retry work across object refs, exports, vectors, derived artifacts, benchmark/ranker artifacts, credit settlements, and physical delete receipts. The revocation worker can now reverse exact tenant-scoped delayed-credit settlements with deterministic negative ledger rows, verify and physically delete exact service-local encrypted submitted/review envelope, vector worker-intermediate, benchmark artifact, and ranker export provenance object payloads for tenant-scoped object-ref items, mark matching object refs deleted, and upsert durable physical-delete receipt rows with evidence hashes, while marking unsupported stores and artifact kinds as skipped. Export call sites for replay, benchmark, and ranker slices now create and validate short-lived tenant/principal/purpose/dataset-kind access grants before producing artifacts. TRACE_COMMONS_OBJECT_STORE=remote_service parses production remote object-store intent but deliberately fails closed behind a disabled service-owned provider instead of falling back to plaintext files. Local autonomous status sync now keeps append-only safe history events and sanitizes server-returned credit explanations before periodic credit notices persist them, and local credit notice delivery now drains a scoped retry outbox so channel failures leave retry state instead of consuming the notice.
Trace Commons revocation-worker note: the ingest service now recognizes a scoped revocation_worker role and exposes POST /v1/workers/revocation-propagation for DB-backed propagation runs. The worker claims due tenant-scoped ledger items, performs idempotent metadata/vector/export invalidation actions, reverses exact delayed-credit settlement targets with deterministic audit-safe ledger rows, physically deletes hash-verified service-local submitted/review envelope, vector worker-intermediate, benchmark artifact, and ranker export provenance payloads for exact object-ref targets, records durable physical-delete receipt items after successful or already-recorded service-local payload deletion, records unsupported physical-delete stores/artifact kinds as explicit skipped items, preserves other tenants' due work, and emits safe audit counts.
Trace Commons vector-lifecycle note: vector indexing now writes deterministic local redacted-summary feature embeddings into encrypted service-local WorkerIntermediate vector payload objects while keeping relational vector rows metadata-only. PostgreSQL/libSQL storage can invalidate one vector entry for a tenant/submission/vector id, revocation propagation requires a vector-entry target for vector invalidation instead of broad accidental invalidation, and service-local vector payload deletes verify the encrypted object as a vector artifact before marking the object ref deleted and recording a physical-delete receipt.
Trace Commons export-job note: replay dataset, benchmark conversion, ranker-candidate, and ranker-pair export call sites now mirror their short-lived one-shot access grants plus running/complete export job lifecycle rows into the PostgreSQL/libSQL DB control plane. Required DB mirror mode now fails closed if a durable export job cannot be started or completed, replay exports now mark already-started DB job rows failed when metadata or required object-ref body reads fail before publication, benchmark/ranker exports do the same for metadata/source collection, source object-ref revalidation, and source-read audit failures before artifact publication, and tests cover tenant-scoped grant/job persistence plus replay and benchmark/ranker failure terminalization.
Trace Commons worker-export note: export-worker automation now has dedicated replay and ranker export routes, GET|POST /v1/workers/replay-export, GET|POST /v1/workers/ranker/training-candidates, and GET|POST /v1/workers/ranker/training-pairs, plus matching CLI helpers. These routes reuse the same consent/use ABAC, access-grant, export-job, source-hash, audit, and delayed-credit behavior as the reviewer/admin routes while keeping scheduled automation off reviewer endpoints.
Trace Commons export-control observability note: admins can now list tenant-scoped durable export access grants and export jobs through GET /v1/admin/export/access-grants and GET /v1/admin/export/jobs, with status and dataset-kind filters plus matching CLI helpers. GET /v1/admin/operational-summary and ironclaw traces operational-summary now add an admin-only, tenant-scoped aggregate rollout view for submission status/risk, review SLA pressure, DB export manifests/jobs, retention jobs, vector coverage, and delayed-credit totals. Reads are DB-backed where applicable, admin-only, tenant-scoped, and audited without exposing trace bodies.
Trace Commons tenant-access grant note: PostgreSQL/libSQL now include a durable tenant-scoped trace_tenant_access_grants storage surface for issuer-authorized principals, roles, consent scopes, allowed uses, issuer/audience/subject attribution, status, expiry, revocation metadata, and safe metadata. Admin-token routes and CLI helpers can create, list, and revoke the current tenant's grants while writing safe hash/count-only grant-update audit metadata, and the local tenant-principal-ref CLI helper derives stored static-token or signed-claim principal refs without printing raw credentials. TRACE_COMMONS_REQUIRE_TENANT_ACCESS_GRANTS=true now fails closed on trace submission, contributor credit/status readback, reviewer/audit reads, review mutations, dataset/export paths, non-revocation worker mutations, maintenance, and admin ledger/observability reads unless the authenticated tenant/principal has an active exact-role grant. Signed EdDSA/Ed25519 claims must also match any issuer, audience, and JWT sub subject bindings configured on the grant before scope/use narrowing is applied, while static-token bridge grants ignore those signed-claim-only bindings. Grant consent/use allow-lists intersect with static-token or EdDSA claim allow-lists and cannot upgrade the request role; revocation/self-delete, revocation propagation, config-status, tenant-policy admin, and grant-management routes stay available for deprovisioning and recovery.
Trace Commons issuer/TenantCtx note: the server-side zmanian/tracedao-server split now owns the standalone EdDSA/Ed25519-only tracedao-upload-claim-issuer binary that signs short-lived contributor upload claims, authenticates workload JWTs with EdDSA only, enforces workload issuer/audience/expiry plus consent/use narrowing, optionally connects to PostgreSQL/libSQL from deployment config to require DB-backed contributor tenant-access grants using the same signed-principal hash shape as ingest, rejects RSA key material, and publishes the ingest-compatible kid/public_key_pem keyset shape. The ingest compatibility layer also now fails closed when file-backed submission metadata, derived rows, credit ledger rows, audit rows, revocation tombstones, replay manifests, export provenance, or benchmark artifacts are read from one authenticated tenant directory but carry a different embedded tenant id or tenant storage ref; service-local object-ref reads/deletes also verify tenant key refs, encrypted benchmark artifact reads verify the decrypted body tenant, and vector payload deletes verify the encrypted payload body's tenant storage ref before physical deletion.
Owner: Unassigned
5. Agent System
Feature
OpenClaw
IronClaw
Notes
Pi agent runtime
✅
➖
IronClaw uses custom runtime
RPC-based execution
✅
✅
Orchestrator/worker pattern
Multi-provider failover
✅
✅
FailoverProvider tries providers sequentially on retryable errors
Per-sender sessions
✅
✅
Global sessions
✅
❌
Optional shared context
Session pruning
✅
❌
Auto cleanup old sessions; oversized sessions.json rotation removed; entry/age caps enforced at load
Context compaction
✅
✅
Auto summarization
Compaction model override
✅
❌
Use a dedicated provider/model for summarization only; agents.defaults.compaction.memoryFlush.model exact override
Compaction mid-turn precheck
✅
❌
agents.defaults.compaction.midTurnPrecheck triggers before next tool call instead of end-of-turn
Post-compaction read audit
✅
❌
Layer 3: workspace rules appended to summaries
Post-compaction context injection
✅
❌
Workspace context as system event
Compaction start/end notices
✅
❌
Opt-in lifecycle notices during compaction
Custom system prompts
✅
✅
Template variables, safety guardrails
Skills (modular capabilities)
✅
✅
Prompt-based skills with trust gating, attenuation, activation criteria, catalog, selector; Reborn local-dev now uses catalog/list-first model-selected activation before loading full skill context
Skill Workshop plugin
✅
❌
Captures reusable workflow corrections as pending or auto-applied workspace skills, threshold-based reviewer
Grouped skill directories
✅
✅
skills/<group>/<skill>/SKILL.md discovery
Skill installer metadata
✅
❌
One-click install recipes (npm/pip), API key entry, source metadata
Skill routing blocks
✅
🚧
ActivationCriteria (keywords, patterns, tags) but no "Use when / Don't use when" blocks
Native Codex sub-agent session metadata without nested gateway patch
Codex context-engine integration
✅
❌
Bootstrap, assembly, post-turn maintenance, engine-owned compaction in Codex sessions
Active Memory plugin
✅
❌
Dedicated memory sub-agent right before main reply; configurable message/recent/full context modes; partial-recall on timeout; per-conversation allowedChatIds/deniedChatIds filters
Orchestrators end current turn immediately, skip queued tool work, carry hidden follow-up payload to next turn
Subagent forked context
✅
❌
Optional inherit-requester-transcript for native sessions_spawn
agents.defaults.contextInjection: "never"
✅
❌
Disable workspace bootstrap injection per-agent
agents.defaults.experimental.localModelLean
✅
❌
Drop heavyweight default tools for weaker local models
agents.files.get/set workspace tools
✅
🚧
First-party scoped read/write/list/glob/grep/apply_patch capabilities exist through Reborn HostRuntime; OpenClaw-compatible agents.files.* aliases and realpath-via-fd hardening still pending
Trajectory export
✅
❌
Default-on local trajectory capture; /export-trajectory bundles with redacted transcripts/events/artifacts
Block-level streaming
✅
❌
Tool-level streaming
✅
❌
Z.AI tool_stream
✅
❌
Real-time tool call streaming
Plugin tools
✅
✅
WASM tools
GSuite WASM tools
✅
🚧
Reborn bundles operation-level Google Drive/Docs/Sheets/Slides WASM packages with host-mediated HTTP egress, product-auth scoped bearer injection, and manifest-declared Google OAuth setup metadata; full live-recorded parity remains follow-up
Hosted MCP extensions
✅
🚧
Reborn composes host-mediated MCP runtime, bundles the current Notion MCP supported tool set, wires Notion ProductAuth OAuth exchange/refresh, can use Reborn ProductAuth DCR OAuth setup through the host callback origin, and can activate hosted MCP packages with live tools/list schema discovery through host-staged product-auth credentials
NEAR AI MCP extension
✅
🚧
Host-bundled Reborn MCP extension exposes nearai.web_search via host-mediated HTTP and llm_nearai_api_key; local-dev startup now auto-seeds product-auth and activates the bundled MCP extension when NEARAI_BASE_URL plus NEARAI_API_KEY are configured, and WebChat v2 no longer projects that host-managed credential as extension setup work while NEAR remains a static supported-tool adapter
Tool policies (allow/deny)
✅
✅
Reborn now stores scoped persistent AlwaysAllow approval policies for manifest-allow capabilities and replays them at the current sandbox scope; WebChat v2 exposes authenticated caller-scoped tool approval settings at /api/webchat/v2/settings/tools so regular multi-user sessions do not need operator config access; product-facing revoke paths remain follow-up while the policy-store revoke interface is available
Exec approvals (/approve)
✅
✅
TUI approval overlay
Tool inventory cache
✅
❌
Coalesced effective-tool inventory cache with channel-registry invalidation
Pending exec approval errorMessage cleanup
✅
❌
Failed restart-interrupted approval-pending sessions instead of replaying stale ids
Elevated mode
✅
❌
Privileged execution
Subagent support
✅
✅
Task framework; spawn-by-account-aware bindings, model overrides preserved; Reborn spawn_subagent is blocking-only while background delivery is deferred (#4147)
English, Chinese, Portuguese; expanded with Persian (fa), Dutch (nl), Vietnamese (vi), Italian (it), Arabic (ar), Thai (th), Traditional Chinese (zh-TW)
WebChat theme sync
✅
❌
P3
Sync with system dark/light mode
Partial output on abort
✅
❌
P2
Preserve partial output when aborting
PWA + Web Push
✅
❌
P3
PWA install + Web Push notifications for Gateway chat
Talk Mode (browser realtime voice)
✅
❌
P3
OpenAI Realtime + Google Live WebSocket; Gateway-minted ephemeral secrets; backend realtime relay
Steer queued messages
✅
❌
P3
Steer action on queued messages injects follow-up into active run without retyping
Lazy markdown preview + @create-markdown/preview v2 system theme
Cron job dashboard
✅
❌
P3
Cron prompts/run summaries as sanitized markdown
Personal identity (operator)
✅
❌
P3
Browser-local operator name + avatar through shared chat/avatar path
Trajectory export UI
✅
❌
P3
Owner-private export approval flow
Restart-impacting Dreaming confirm
✅
❌
P3
Restart warning before applying Dreaming mode changes
Mobile chat settings sheet
✅
❌
P3
Persists mobile state through Lit-managed view-state
Owner: Unassigned
14. Automation
Feature
OpenClaw
IronClaw
Priority
Notes
Cron jobs
✅
✅
-
Routines with cron trigger; runtime state split into jobs-state.json; sessionTarget: "current"/session:<id> bindings
Reborn scheduled trigger loop
➖
🚧
P2
Reborn-native trigger persistence, backend parity, atomic fire claim/update APIs, poller core, caller-level harness, first-party trigger_* capabilities, and composition-owned worker lifecycle are in progress; automation panel runs now link canonical thread ids; trigger-owned threads are openable, watchable, approvable, and cancelable by automation owners via automation-visibility authorization; scoped pause/resume/delete state transitions are available through first-party capabilities and WebUI v2 controls; first-class one-shot triggers (TriggerSchedule::Once, schedule.kind = once) are implemented (completion is derived from the schedule; the old year-pinned-cron + completion_policy workaround was removed); remaining follow-ups: legacy pre-fix rows without a stored thread_id remain unopenable, external result delivery, production readiness policy, active-run retention/tombstone semantics, and production jitter source selection
Per-job model fallback override
✅
❌
P2
payload.fallbacks overrides agent-level fallbacks
Cron stagger controls
✅
❌
P3
Default stagger for scheduled jobs
Cron finished-run webhook
✅
❌
P3
Webhook on job completion
--thread-id cron CLI
✅
🚧
P2
Telegram forum topic delivery for scheduled announcements
failureAlert.includeSkipped
✅
❌
P3
Persistently skipped jobs alert without counting skips as exec errors
delivery.threadId (gateway cron schemas)
✅
❌
P2
Telegram forum topics + threaded channel destinations
Cron nested lane
✅
❌
P3
cron.maxConcurrentRuns applies to dedicated cron-nested lane; non-cron flows keep their own lane
Cron stuck-session timeout
✅
❌
P3
Aborts/cleans timed-out isolated turns before recording timeout
Timezone support
✅
✅
-
Via cron expressions; --at honors local wall-clock time across DST
One-shot/recurring jobs
✅
✅
-
Manual + cron triggers; Reborn one-shot uses first-class TriggerSchedule::Once (schedule.kind = once); completion is derived from the schedule
Channel health monitor
✅
❌
P2
Auto-restart with configurable interval
beforeInbound hook
✅
✅
P2
beforeOutbound hook
✅
✅
P2
beforeToolCall hook
✅
✅
P2
before_agent_start hook
✅
❌
P2
Model/provider override
before_agent_finalize hook
✅
❌
P2
Run/message/sender/session/trace correlation
before_message_write hook
✅
❌
P2
Pre-write interception
before_dispatch hook
✅
❌
P2
Canonical inbound metadata; idempotency-key dedupe for hook agent deliveries
before_compaction/after_compaction
✅
❌
P3
Codex-native compaction lifecycle
onMessage hook
✅
✅
-
Routines with event trigger
Structured system-event routines
✅
✅
P2
system_event trigger + event_emit tool for event-driven automation
Orchestrator/worker containers; opt-in sandbox.docker.gpus passthrough; Reborn process sandbox MVP adds typed SandboxProcessPlan, backend-neutral ProcessSandboxBackend, hardened Docker command construction, fail-closed unenforced network hosts, explicit timeout/cancel cleanup, loop-to-host SandboxProcessPlan validation/spawn dispatch, and a host-runtime approval/lease spawn path for system.process_sandbox.run; production MITM broker/product wiring still partial
Podman support
✅
❌
--container accepts both Docker + Podman
WASM sandbox
❌
✅
IronClaw innovation
Sandbox env sanitization
✅
🚧
Shell tool scrubs env vars (secret detection); Reborn process sandbox rejects sensitive raw env values in plans and uses placeholders for brokered credentials, but production secure-capture and MITM transport wiring remain partial
OPENCLAW_* env block
✅
❌
Untrusted workspace .env cannot inject OpenClaw runtime-control vars
Workspace .env injection blocks
✅
❌
Block CLOUDSDK_PYTHON, ambient Homebrew, Windows system PATH vars, MINIMAX_API_HOST, npm_execpath
Tool policies
✅
✅
Elevated mode
✅
❌
Safe bins allowlist
✅
❌
Hardened path trust; non-user-writable absolute helpers for CLI/ffmpeg/OpenSSL
LD*/DYLD* validation
✅
❌
Block Mercurial/Rust/Make env redirects in host exec sanitization
Path traversal prevention
✅
✅
Including config includes (OC-06) + workspace-only tool mounts; realpath-via-fd safety on agents.files.get/set
Credential theft via env injection
✅
🚧
Shell env scrubbing + command injection detection; no full OC-09 defense
🚧 Slack channel (real implementation): Reborn host-beta route can be explicitly mounted by ironclaw-reborn serve with Slack Events API signing, DM/app-mention routing through Product Workflow/Reborn, final-reply delivery, host-state-backed personal binding pairing, WebUI v2 admin-managed allowed-channel picker, durable WebUI channel-route assignment APIs, provider-side default outbound target inventory for shared channels and explicitly provisioned personal DMs, a host-bundled Reborn extension manifest declaring the Slack ProductAdapter host API, and deterministic chat-side connect action metadata; DMs execute as the paired actor, while shared channel turns route to allowed dynamic or static channel subjects and fail closed for unrouted channels in admin-managed mode; production install/setup hardening and fuller E2E coverage remain follow-up.