v0.10.0

Changelog

Added

• Media: allow media download --read-only when --output is explicit, so synced media can be fetched without opening the WhatsApp session store or recording download state. (#250 - thanks @mbelinky)

Fixed

• Release: publish target-specific macOS/Linux/Windows archives with one combined checksum file and update the OpenClaw Homebrew tap.
• Connect: send an available presence after authenticated connect so the server records the linked-device pushname; without it, downstream recipients receive notify="" and Cloud API verified-business webhooks silently drop the message at the gateway. (#252 - thanks @ceifa)

Artifacts

• macOS: wacli_0.10.0_darwin_amd64.tar.gz, wacli_0.10.0_darwin_arm64.tar.gz, wacli_0.10.0_darwin_universal.tar.gz
• Linux: wacli_0.10.0_linux_amd64.tar.gz, wacli_0.10.0_linux_arm64.tar.gz
• Windows: wacli_0.10.0_windows_amd64.zip
• Checksums: https://github.com/openclaw/wacli/releases/download/v0.10.0/checksums.txt

Verification

• Release workflow: https://github.com/openclaw/wacli/actions/runs/26171174346
• Homebrew tap workflow: https://github.com/openclaw/homebrew-tap/actions/runs/26171417265
• Local pre-release gate: pnpm format:check && pnpm lint && pnpm test && pnpm build && git diff --check
• Download verification: shasum -a 256 -c checksums.txt; darwin arm64 archive reports wacli version as 0.10.0.

v0.9.2

Changelog

Added

• Send: add wacli send status for WhatsApp status broadcasts, including text statuses with optional background/font and media statuses with captions. (#247 - thanks @dovocoder)
• Store: persist synced and locally sent status broadcasts separately in status_messages instead of mixing them into normal chat messages.

Security

• CI: pin GitHub Actions and Docker base images to immutable refs and pin GoReleaser to an exact version.
• Send: block automatic link previews from fetching localhost, private, link-local, multicast, and other non-public addresses.
• Sync: validate webhook URLs, redact webhook errors, disable private-network webhook targets by default, and add --webhook-allow-private for trusted local endpoints.

Fixed

• Accounts: serialize account config mutations with a config lock and save through unique temporary files.
• CLI: strip terminal control characters from human/table/error output.
• CLI: open the local store through SQLite read-only mode for --read-only commands instead of initializing writer state.
• Media: enforce regular-file and size limits for sends, stickers, voice notes, profile pictures, contacts imports, thumbnails, and unknown-length downloads.
• Messages: make --delete-media --for-me remove the stored local media file when present.
• Store: count all chats and groups in store stats instead of the first 50 entries.
• Sync: warn when bootstrap contact/group/channel refresh fails instead of silently ignoring it.
• Sync: bound each webhook delivery request so shutdown is not stuck behind a slow endpoint.
• History: unwrap edited WhatsApp messages during history sync and backfill so stored/searchable text shows the edited body instead of (message). (#246 - thanks @hiasinho)
• Polls: use WhatsApp's single-select poll creation field for outbound single-select polls and preserve unmatched poll vote hashes in poll show --json. (#248 - thanks @dovocoder)
• Sync: canonicalize @lid chat JIDs before enqueuing media downloads so sync --follow --download-media finds the correct DB row for live one-to-one messages. (#244 - thanks @Daniel1of1)

v0.9.1

0.9.1 - 2026-05-15

Fixed

• Accounts: reject invalid account configs before saving and ignore relative XDG_STATE_HOME for default state paths.
• CLI: honor canceled store-lock waits before acquiring locks and stop reporting non-contention lock failures as ordinary contention.
• Media: fail before downloading when the output directory exists but is not writable.
• Media: sanitize #, control-wrapped blanks, and single-dot path components in generated media paths.
• Store: remove starred-message metadata when deleting chat-local data so cleanup cannot leave stale starred state behind.

Artifacts

• wacli-macos-universal.tar.gz
• wacli-linux-amd64.tar.gz
• wacli-linux-arm64.tar.gz
• wacli-windows-amd64.zip
• checksums.txt
• checksums-linux-windows.txt

Verification

• Release workflow: https://github.com/openclaw/wacli/actions/runs/25933387657
• Homebrew tap workflow: https://github.com/steipete/homebrew-tap/actions/runs/25933490222
• Local gate: pnpm docs:site && pnpm format:check && pnpm lint && pnpm test && pnpm build && git diff --check
• Downloaded wacli-macos-universal.tar.gz and verified wacli version prints 0.9.1.

v0.9.0

Changelog

• 0437291 ci: add Docker image smoke coverage
• de9a3dd feat: implement WhatsApp polls (#230)
• 7b6896c feat: preserve interactive message buttons end-to-end (#226)
• 2ab69c3 fix: canonicalize send phone recipients
• 3a51aca fix: harden audited file writes
• c05122f fix: include ephemeral context for text sends (#238)
• cac5f20 fix: parse NativeFlow interactive buttons
• add0d82 fix: warm up recipients before send to reduce privacy-token failures (#234)
• ea2acd8 refactor: generate typed store queries with sqlc
• b3527a6 send: support ephemeral text messages

v0.8.1

Changelog

• 2a9193e ci: add linux release build checks
• 1f7c6fa ci: harden release tap handoff after move
• 42ce683 ci: pin goreleaser action version
• a0166a8 ci: update goreleaser archive schema
• 0796db5 feat: improve interactive sync status
• 3909781 fix: apply history coverage filters before limit
• b9ba3b3 fix: extract shared contact card text
• 3015051 fix: let max-messages zero override env
• 0e1a4d0 fix: route whatsmeow diagnostics to stderr
• 5a6fce1 fix: truncate table output by rune

v0.8.0

Changelog

• 6f3ba57 feat: add named accounts

v0.7.0

Changelog

• f77044b bug: recover per media job so a panic no longer kills the worker (#176)
• 9fff67c build: add docs site deployment
• b122dfe build: update go dependencies
• 866e1b5 build: update pnpm metadata
• d9fb426 build: update whatsmeow
• 4517528 ci: opt into Node 24 action runtime
• 78794f9 ci: sync the Homebrew tap on release
• 5c24523 ci: update GitHub actions to Node 24 runtime
• 1b52970 enhance: log stack trace, event type, and counter when recovering sync panics (#178)
• 108da98 feat(cli): add NDJSON lifecycle events
• b24bfc1 feat(messages): add JSON export filters
• f1cb39f feat(send): add sticker messages
• 352caa8 feat(store): migrate historical LID rows to phone numbers
• b0b7786 feat(sync): add webhook signatures
• 2c9fe08 feat: add WhatsApp channels support
• 4aa3ef3 feat: add chat state commands
• f6a9454 feat: add command safety controls
• a2c7803 feat: add history coverage dry-run planning
• af671e1 feat: add local store cleanup commands
• dffcda4 feat: add message list filters (#153) (thanks @draix)
• de84bd2 feat: add opt-in message escape decoding
• 120805d feat: add presence commands (#76) (thanks @redemerco)
• d08620a feat: add profile set-picture command
• 782c290 feat: add quoted text replies (#154) (thanks @draix)
• 91d240a feat: add resilient message reactions
• ed4df0b feat: add send text link previews
• 09b2efb feat: add send text mentions
• da9134e feat: add sent message edit and delete
• cd311e8 feat: add starred message filters
• d0752db feat: add voice note sending
• ec60822 feat: enrich auth and doctor status (#149)
• 7533e4b feat: expose forwarded message metadata
• 403fda0 feat: import system contacts
• 1e8342f feat: improve auth identity and recipient parsing
• a3a620a feat: parse WhatsApp Business message text (#79) (thanks @terry-li-hm)
• 9856075 feat: persist group community hierarchy
• eabf8d6 feat: print raw auth QR payload
• 56f9c26 feat: resolve send recipients by name
• 372e1fc feat: show full message IDs in table output (#13) (thanks @rickhallett)
• 70e5a20 feat: store structured reaction metadata
• 31504a8 feat: support delete-for-me tombstones
• e2bebf6 feat: support phone pairing auth
• 3ce15af feat: support quoted file sends
• 0826cd4 fix(cli): emit event errors under events mode
• eaa7a1b fix(send): delegate sends during sync
• 03e5364 fix(send): store sent reactions locally
• 1b46490 fix(sync): request app-state recovery on lthash mismatch
• a59b960 fix: add sync panic telemetry (#181) (thanks @shaun0927)
• ff63348 fix: add windows lock implementation (#188) (thanks @dinakars777)
• 4f45138 fix: align docs home CTA heights
• 40330f6 fix: allow media downloads to shared output dirs
• e73dba0 fix: attribute LID group history senders (#19) (thanks @entropyy0)
• 515cd43 fix: avoid initial history sync during backfill
• 12e8e1a fix: bound media enqueue backpressure (#121) (thanks @jyothepro)
• 6fac72e fix: decrypt history sync reactions
• 65c9be4 fix: detect FTS5 on existing databases after migration already applied
• 3dfd4f9 fix: detect existing FTS tables after reopen (#185) (thanks @iamhitarth)
• 70f2afd fix: enable UseRetryMessageStore so retry-receipts are handled
• 6076deb fix: enforce private directory permissions
• 999461c fix: escape wildcard list queries
• 7c42182 fix: guard WA client lazy initialization
• b4ca2e3 fix: include image metadata for sends
• 4481fc8 fix: include mapped LID chats in message filters
• 42eb626 fix: keep media workers alive after panics (#179) (thanks @shaun0927)
• ad1f477 fix: keep send alive for retry receipts
• 894bc5d fix: keep sync idle timer on message events (#119) (thanks @jyothepro)
• b2935c1 fix: make message ordering deterministic
• 95f2136 fix: mark missing groups left on refresh
• 21063d8 fix: normalize identities and group left state
• 3e17ff0 fix: normalize phone recipients with plus prefix (#74) (thanks @FrederickStempfle)
• 4eaad5f fix: persist retry messages (#186) (thanks @SimDamDev)
• 3a633d5 fix: reject cgo-disabled cli builds
• 787cfd5 fix: resolve historical LID sender names
• fca5b96 fix: resolve live LID messages before storage
• 66c6d41 fix: resolve mapped LID chats in chat output
• 87095bd fix: resolve mapped chat aliases for message show
• 716e7a8 fix: restrict sqlite database file permissions (#147) (thanks @draix)
• 3031a34 fix: retry transient auth pairing drops
• 3077e62 fix: send OGG audio with WhatsApp codec
• a022c49 fix: show display text in message context (#183) (thanks @fuleinist)
• 6400f5d fix: show rich message details
• 02f98c3 fix: show stored sender names in messages
• 9568cbf fix: surface QR pairing failures
• 0ce9208 fix: surface doctor lock owner state (#105) (thanks @artemgetmann)
• fa1c800 fix: use XDG state dir on Linux
• 54d44b3 fix: validate message search media filters (#128)
• f8ce9ee fix: warn on encrypted reaction decrypt failures
• 2f294e2 fix: warn on rapid send commands
• 259bcf2 messages context: prefer DisplayText over raw Text (issue #173)
• cd98a9d refactor: centralize table output helpers
• 86a43de refactor: split WhatsApp message parsing
• 3c8de4d refactor: split core store schema
• a03b0e9 refactor: split message output formatting
• bd92cc4 refactor: split store chat contact and group methods
• 668d7e5 refactor: split sync event and idle loops
• fae308a refactor: split whatsapp jid and session helpers
• 83d89da security: cap media transfer sizes
• d410e9f security: cap sync storage growth
• ea4ca18 security: reject '?' and '#' in StorePath for whatsmeow session store (#177)
• 2c09f12 security: reject session store URI injection (#180) (thanks @shaun0927)
• 318421d security: validate phone recipients (#144)

v0.6.0

This release contains a massive security sweep resolving multiple underlying vulnerabilities in the SQLite store and path sanitization constraints, as well as fixing the critical sync/reconnect deadlocks.

Huge thanks to @draix for the security patches, and tying off the backlog sweep for @steipete!

What's Changed

• chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 in the go_modules group across 1 directory by @dependabot[bot] in #69
• security: validate SQLite URI path against '?' and '#' injection (#59) by @draix in #141
• security: guard tableHasColumn against empty table name (#58) by @draix in #142
• security: strip null bytes and control chars in path sanitization (#60) by @draix in #140
• bug: escape LIKE wildcard chars in search queries (#56) by @draix in #145
• bug: sanitize FTS5 user queries to prevent query-syntax injection (#57) by @draix in #146
• security: add panic recovery to event handler and media workers (#52) by @draix in #143
• feat: add WACLI_STORE_DIR env variable to configure store directory (#36) by @draix in #150
• fix: force exit on second SIGINT during long-running commands by @dinakars777 in #112
• fix: bound reconnect duration to prevent indefinite lock holding by @dinakars777 in #113

New Contributors

• @dependabot[bot] made their first contribution in #69
• @draix made their first contribution in #141
• @dinakars777 made their first contribution in #112

Full Changelog: v0.5.0...v0.6.0

v0.5.0

WhatsApp Protocol Fix

This release patches a critical bug where WhatsApp rejected the client version with a 405 (Client Outdated) error, breaking connectivity for all users.

• Bumps the underlying whatsmeow library to match recent WhatsApp protocol changes.
• Contains all previous unreleased fixes by @steipete currently residing in main.

What's Changed

• fix: update whatsmeow to fix 405 client outdated error by @alitala2009 in #117

New Contributors

• @alitala2009 made their first contribution in #117

Full Changelog: v0.2.0...v0.5.0

v0.2.0

Changelog

• 85e2e98 Add display text for reactions and replies
• 7175062 Add linked device label
• c0c9067 Merge pull request #4 from zats/device-label
• d3bf6fe Merge pull request #5 from zats/display-text
• 5ef1a52 Merge pull request #7 from plattenschieber/feature/add-filename-flag
• 75d649e Merge pull request #8 from ramarivera/fix/gcc15-cgo-werror
• 8783647 ci: add multi-os release workflow
• aa82566 feat: add --filename flag to override display name when sending files
• 6c764ac fix: add CGO_CFLAGS for GCC 15+ compatibility
• ed1ca55 fix: add changelog entry for send filename (#7) (thanks @plattenschieber)
• e187327 fix: only override device platform when set (#4) (thanks @zats)
• b5daa57 fix: preserve CGO_CFLAGS in build script (#8) (thanks @ramarivera)
• aa07a0d fix: use filePath for MIME detection instead of display name