Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

0.20.1 - 2026-04-23

Fixed

(memory) memory_write crashes with InvalidParameters when old_string is an empty string — the tool incorrectly entered patch mode whenever any old_string key was present in the JSON payload, including "". LLMs that omit the field sometimes pass "" instead; this caused every new-file write from those models to fail. The fix treats "" the same as absent: it falls through to normal write/append mode. (7c46329a)
(docker) Container startup crash on Windows-built images: migration checksum mismatch — On Windows hosts with core.autocrlf=true, SQL migration files had CRLF line endings embedded into the image at compile time via embed_migrations! / include_str!. The SipHash-1-3 checksum computed over CRLF content differs from the LF-based checksum stored by a Linux-built GHCR image, causing refinery to abort on startup: Migration failed: applied migration V1__initial is different than filesystem one V1__initial. The fix adds a sed -i 's/\r$//' pass over all migrations/*.sql files in the Docker builder stage, before cargo build, so checksums are always LF-based regardless of the build host OS. A .gitattributes rule (*.sql text eol=lf) is also added as an advisory guard for future clones. (f316b47e)

0.20.0 - 2026-04-23

Fixed

(sandbox) mount /var/run/docker.sock and add ironclaw-worker service to docker-compose.yml so Docker sandbox execution works out of the box (20b1e6e5)
(channels) suppress Docker-socket warning from WASM channels (e.g. Telegram); warning is now sent only to local channels (REPL/TUI/web) (20b1e6e5)

0.26.0 - 2026-04-21

Added

(engine-v2) add per-project sandbox with mission lifecycle and cost tracking (#2211) (#2660)
(llm) hot-reload provider chain from settings (#2673)
(bridge) add workspace-backed project registration and mission result retrieval (#2533) (#2549)
(engine) require a tool attempt for explicit user commands and add code execution failure categorization (#2539) (#2483)
(gate) persist "always approve" decisions in the v2 engine path (#2428)
(memory) add configurable insights interval, session summaries, and reasoning-augmented recall (#2336)
(gateway) add attachment flows, document uploads, rich history tool cards, debug inspector, and admin tooling UI (#2385) (#2332) (#2477) (#1873) (#1963)
(tui) support multiline drafting and input handling improvements (#2449) (#2462)
(skills) add new-project/template resolution, setup-marker lifecycle, working-directory source discovery, and activation feedback pipeline (#2353) (#2268) (#2396) (#2530)
(portfolio) complete the portfolio tool, widget, and share-gains flow (#2368)
(cli) add logs --grep, profile list, user-facing temperature setting, and local-profile onboarding prompts (#1533) (#2288) (#2275) (#2389)
(runtime) default CLI_MODE to TUI and show the commit hash in non-tagged gateway builds (#2329) (#2486)

Fixed

(gateway) repair web login, onboarding, pairing, and v2 extension auth resume flows; the web API now uses unified onboarding state events instead of the older auth/pairing event split (#2592) (#2594) (#2515) (#2622)
(gateway) fix disappearing messages, stale in-progress state, assistant-thread routing, approval scoping, reconnect history reloads, browser crashers, and chat refresh issues (#2498) (#2517) (#2444) (#2267) (#2415) (#2441) (#2330)
(gateway) fix slash autocomplete, attachment rendering, missions navigation, settings search/auth state, active-work pills, tool output timing, and historical/live tool call correlation (#2763) (#2745) (#2518) (#2709) (#2671) (#2555) (#2182)
(engine) harden the v2 orchestrator, improve action failure handling, preserve paused auth leases, avoid orphaned approval gates, and prevent runaway or no-op mission execution paths (#1958) (#2326) (#2338) (#2458) (#2531) (#2570) (#2631) (#2347) (#2328) (#2460)
(llm) fix image generation and image-detail handling, normalize NEAR AI tool schemas, surface 413s as context-length errors, and remove duplicate reasoning_content fields (#1819) (#2380) (#1940) (#2463) (#2339) (#2493)
(security) add inbound secret scanning, redact HTTP credentials in recordings, fail closed on WASM scope fallback, harden approval thread safety, and scan pre-injection channel headers for leaks (#2494) (#2529) (#2465) (#2366) (#1377)
(channels) fix active WASM channel restore/status tracking plus Slack, Telegram, and Feishu auth/routing edge cases (#2563) (#2562) (#2420) (#2471) (#2512) (#1540) (#2513) (#1943) (#2652) (#2349) (#2443) (#2454)
(cli/setup) improve auth UX, avoid UTF-8 panics, suppress non-CLI listeners under --cli-only, validate strict MCP server names, install the NEAR AI MCP server from env config, and run migrations during onboarding when DATABASE_URL is preset (#2315) (#2008) (#1869) (#2400) (#2181) (#2309)
(sandbox/docker) improve Docker and deployment behavior by preferring the Docker socket when available and restoring the staging runtime target for Railway builds (#2467) (#2244)

Other

(gateway) continue the web gateway slice extraction and boundary cleanup across platform, chat, oauth, settings, jobs, and routines modules (#2628) (#2643) (#2644) (#2645) (#2665) (#2680) (#2683) (#2687) (#2704) (#2706) (#2712) (#2647)
(types) adopt typed mission, external-thread, event-status, onboarding, and ownership models across the runtime (#2681) (#2685) (#2678) (#2607) (#2677) (#2611) (#2617)
(ci) add replay snapshot gating, speed up feedback loops, improve cache reuse, validate release versions in Docker workflows, and stabilize staging promotion checks (#2621) (#2566) (#2609) (#2610) (#2742) (#2576) (#2661) (#2773)
(docker/ops) add hourly image builds, release-process image builds, and historical image rebuild workflows (#2519) (#2507) (#2509) (#2321)
(docs) expand MCP, hosting, Responses API, setup, contributor-review, and architecture documentation (#1138) (#2262) (#2440) (#2427) (#2714) (#2365)

0.25.0 - 2026-04-11

Added

(tools) production-grade coding tools, file history, and skills (#2025)
add extensible deployment profiles (IRONCLAW_PROFILE) (#2203)
(skills) commitments system — active intake for personal AI assistant (#1736)
add native Composio tool for third-party app integrations (#920)
(gateway) extract gateway frontend into ironclaw_gateway crate with widget system (#1725)
(railway) build staging target with pre-bundled WASM extensions (#2219)
(docker) pre-bundle WASM extensions in staging image (#2210)
(tui) ship TUI in default binary (#2195)
(admin) admin tool policy to disable tools for users (#2154)
(web) add scroll-to-bottom arrow in gateway chat (#2202)
unified tool dispatch + schema-validated workspace (#2049)
(workspace) admin system prompt shared with all users (#2109)
(engine) restage skill repair learning loop on staging (#1962)
(tui) port full-featured Ratatui terminal UI onto staging (#1973)
(slack) implement on_broadcast and fix message tool hints (#2113)
(i18n) add Korean translation, fix zh-CN drift, and prevent future drift via pre-commit hook (#2065)
NEAR AI MCP server (#2009)
(test) dual-mode live/replay test harness with LLM judge (#2039)
add AWS Bedrock embeddings provider (#1568)
(ownership) centralized ownership model with typed identities, DB-backed pairing, and OwnershipCache (#1898)
(tools) persistent per-user tool permission system (#1911)
(engine) Unified Thread-Capability-CodeAct execution engine (v2 architecture) (#1557)
(auth) direct OAuth/social login with Google, GitHub, Apple, and NEAR wallet (#1798)
Add ACP (Agent Client Protocol) job mode for delegating to any compatible coding agent (#1600)
(workspace) metadata-driven indexing/hygiene, document versioning, and patch (#1723)
(jobs) per-job MCP server filtering and max_iterations cap (#1243)
(config) unify all settings to DB > env > default priority (#1722)
(telegram) add sendVoice support for audio/ogg attachments (#1314)
(setup) build ironclaw-worker Docker image in setup wizard (#1757)

Fixed

(ci) bump 5 channel versions + fix lifetime desync in panics check (#2300)
(test) case-insensitive hint matching in TraceLlm step_matches (#2292)
(v2) tool naming, auth gates, schema flatten, WASM traps, workspace race (#2209)
(ci) resolve 4 staging test failures (#2273)
(docker) copy profiles/ into build stages (#2289)
(engine) mission cron scheduling + timezone propagation (#1944) (#1957)
(oauth) use localhost for redirect URI when bound to 0.0.0.0 (#2247)
(bridge) sanitize auth_url on engine v2 path (#2206) (#2215)
(docs) explain in more details activation block & installation steps for skills (#2216)
(docker) consume CACHE_BUST arg so BuildKit invalidates cache
(gateway) suppress duplicate text response during auth flow and unify extension config modal (#2172)
(agent) stop intercepting bare yes/no/always as approval when nothing pending (#2178)
(ci) resolve 3 staging test failures (#2207)
(wasm) upgrade Wasmtime to 43.0.1 and restore CI (#2224)
fix(auth) first-pass Gmail OAuth auth prompt in chat (#2038)
(db) repair V6 migration checksum and guard against re-modification (#1328) (#2101)
(ci) target wasm32-wasip2 in WASM build script (#2175)
(test) use canonical extension name in setup submit test (#2158)
fix (skills) installs for invalid catalog names (#2040)
universal engine-version tool visibility filtering (#2132)
(ownership) remove silent cross-tenant credential fallback (#2099)
(e2e) canonicalize extension names + fix remaining test failures (#2129)
(ownership) unify ownership checks via Owned trait and fix mission visibility bug (#2126)
(web) intercept approval text input in chat (#2124)
(staging) repair 4 categories of CI test failures (#2091)
(web) emit Done after response — SSE ordering fix (#2079) (#2104)
(tools) gate claude_code and acp modes behind enabled flags (#2003)
(acp) propagate follow-up prompt failures as job errors (#1981)
color for tools use (#2096)
(registry) use canonical underscore names in manifests to fix WASM install (#2029)
(safety) add credential patterns and sensitive path blocklist (#1675)
(channels) allow telegram wasm channel name (#2051)
(staging) repair broken test build and macOS-incompatible SSRF tests (#2064)
honor auto-approve tools in engine v2 (#2013)
(bridge) sanitize orphaned tool results in v2 adapter (#1975)
(docker) ensure ironclaw runtime home exists (#1918)
(agent) prevent self-repair notification spam for stuck jobs (#1867)
(self-repair) skip built-in tools in broken tool detection and repair (#1991)
unblock bootstrap ownership on dynamic_tools (#2005)
(llm) invert reasoning default — unknown models skip think/final tags (#1952)
(llm) add sanitize_tool_messages to OpenAiCodexProvider (#1971)
update CLI help snapshots for --auto-approve and acp command (#1966)
(docker) switch to glibc to fix libSQL segfault on DB reopen (#1930)
(db) swap V16/V17 to match production PG (document_versions before user_identities) (#1931)
(db) keep V15=conversation_source_channel to match production PG (#1928)
(db) resolve V15 migration numbering conflict (#1923)
(routines) add bounded retry for transient lightweight failures (#1471)
(relay) thread responses under original message in Slack channels (#1848)
(worker) Improve command execution parameter validation (#1692)
(telegram) auto-generate webhook secret during setup (#1536)
(builder) accept inline-table and object-map dependency formats from LLM (#1748)
(gemini) preserve and echo thoughtSignature for Gemini 3.x function calls (#1752)
(relay) route async Slack messages to correct channel instead of DMs (#1845)
(security) block cross-channel approval thread hijacking (#1590)
(builder) add approval context propagation for sub-tool execution (#1125)

Other

trigger ironclaw-dind image build (#2190)
add amazon tutorial (#2261)
Create QA Bug Report issue template (#2228)
[codex] Stabilize auth readiness and gate flows (#2050)
Add mintlify docs (#2189)
[codex] allow private local llm endpoints (#1955)
(ci) add Dependabot and pin GitHub Actions by SHA (#2043)
Fix routine Telegram notification summaries (#2033)
(channels) add Slack E2E tests, integration tests, and smoke runner (#2042)
(engine) rename ENGINE_V2_TRACE to IRONCLAW_RECORD_TRACE (#2114)
fix multi-tenant inference latency (per-conversation locking + workspace indexing) (#2127)
Improve channel onboarding and Telegram pairing flow (#2103)
(e2e) expand SSE resilience coverage (#1897)
add Telegram E2E tests and Rust integration tests (#2037)
(fix) WASM channel HTTP SSRF protections (#1976)
Ignore default model override and empty WASM polls (#1914)
(workspace) add direct regression tests for scoped_to_user rebinding (#1652) (#1875)
Fix turn cost footer and per-turn usage accounting (#1951)
Publish ironclaw-worker image from Dockerfile.worker (#1979)
[codex] Move safety benches into ironclaw_safety crate (#1954)
Fix bootstrap paths and webhook defaults
Only tag :latest/:version on release, allow :staging via manual dispatch [skip-regression-check] (#1925)
Add Docker Hub workflow and optimize Dockerfile for size (#1886)
(e2e) add agent loop recovery coverage (#1854)
disable cooldown in gateway webhook workflow test (#1889)
Expand GitHub WASM tool surface (#1884)
(e2e) cover chat approval parity across channels (#1858)
add routine coverage for issue 1781 (#1856)

0.24.0 - 2026-03-31

Added

(gateway) OIDC JWT authentication for reverse-proxy deployments (#1463)
support custom LLM provider configuration via web UI (#1340)
(skills) recursive bundle directory scanning for skill discovery (#1667)
(discord) add gateway channel flow in wasm (#944)
DB-backed user management, admin secrets provisioning, and multi-tenant isolation (#1626)
(gateway) add OpenAI Responses API endpoints (#1656)

Fixed

(routines) clone Arc before await in web handler event cache refresh (#1756)
(slack) respond to thread replies without requiring @mention (#1405)
resolve 11 test failures from multi-tenant bootstrap and sandbox gate regressions (#1746)
(auth) make shared Google tool status scope-aware (#1532)
(wasm) inject Content-Length: 0 for bodyless mutating HTTP requests (#1529)
(bedrock) strip tool blocks from messages when toolConfig is absent (#1630)
prevent UTF-8 panics in byte-index string truncation (#1688)
(gemini) preserve thought signatures on all tool calls (#1565)
pin staging ci jobs to a single tested sha (#1628)
(routines) complete full_job execution reliability overhaul (#1650)
(worker) treat empty LLM response after text output as completion (#1677)
(worker) replace script -qfc with pty-process for injection-safe PTY (#1678)
(web) redact database error details from API responses (#1711)
(oauth) tighten legacy state validation and fallback handling (#1701)
(db) add tracing warn for naive timestamp fallback and improve parse_timestamp tests (#1700)
(wasm) use typed WASM schema as advertised schema when available (#1699)
sanitize tool error results before llm injection (#1639)
require Feishu webhook authentication (#1638)
(llm) prevent UTF-8 panic in line_bounds() (fixes #1669) (#1679)
downgrade excessive debug logging in hot path (closes #1686) (#1694)

Other

Stabilize MCP refresh regression tests (#1772)
Fix hosted MCP OAuth refresh flow (#1767)
Track routine verification state across updates (#1716)
(e2e) align WASM reinstall expectation with uninstall cleanup (#1762)
Handle empty tool completions in autonomous jobs (#1720)
Clarify message tool vs channel setup guidance (#1715)
tighten contribution and PR guidance (#1704)
Clean up extension credentials on uninstall (#1718)

0.23.0 - 2026-03-27

Added

complete multi-tenant isolation — phases 2–4 (#1614)

Fixed

(routines) recover delete name after failed update fallback (#1108)
(mcp) handle 202 Accepted and wire session manager for Streamable HTTP (#1437)
(extensions) channel-relay auth dead-end, observability, and URL override (#1681)
(agent) discard truncated tool calls when finish_reason == Length (#1631) (#1632)
(llm) filter XML tool-call recovery by context (#1641)

Other

Support direct hosted OAuth callbacks with proxy auth token (#1684)

0.22.0 - 2026-03-25

Added

(agent) thread per-tool reasoning through provider, session, and all surfaces (#1513)
(cli) show credential auth status in tool info (#1572)
multi-tenant auth with per-user workspace isolation (#1118)
(cli) add ironclaw models subcommands (list/status/set/set-provider) (#1043)
(workspace) multi-scope workspace reads (#1117)
(ux) complete UX overhaul — design system, onboarding, web polish (#1277)
(gemini_oauth) full Gemini CLI OAuth integration with Cloud Code API (#1356)
(shell) add Low/Medium/High risk levels for graduated command approval (closes #172) (#368)
(agent) queue and merge messages during active turns (#1412)
(cli) add ironclaw hooks list subcommand (#1023)
(extensions) support text setup fields in web configure modal (#496)
(llm) add GitHub Copilot as LLM provider (#1512)
(workspace) layered memory with sensitivity-based privacy redirect (#1112)
(webhooks) add public webhook trigger endpoint for routines (#736)
(llm) Add OpenAI Codex (ChatGPT subscription) as LLM provider (#1461)
(web) add light theme with dark/light/system toggle (#1457)
(agent) activate stuck_threshold for time-based stuck job detection (#1234)
chat onboarding and routine advisor (#927)

Fixed

ensure LLM calls always end with user message (closes #763) (#1259)
restore owner-scoped gateway startup (#1625)
remove stale stream_token gate from channel-relay activation (#1623)
(agent) case-insensitive channel match and user_id filter for event triggers (#1211)
(routines) normalize status display across web and CLI (#1469)
(tunnel) managed tunnels target wrong port and die from SIGPIPE (#1093)
(agent) persist /model selection to .env, TOML, and DB (#1581)
post-merge review sweep — 8 fixes across security, perf, and correctness (#1550)
generate Mistral-compatible 9-char alphanumeric tool call IDs (#1242)
(mcp) handle empty 202 notification acknowledgements (#1539)
(tests) eliminate env mutex poison cascade (#1558)
(safety) escape tool output XML content and remove misleading sanitized attr (#1067)
(oauth) reject malformed ic2.* states in decode_hosted_oauth_state (#1441) (#1454)
parameter coercion and validation for oneOf/anyOf/allOf schemas (#1397)
persist startup-loaded MCP clients in ExtensionManager (#1509)
(deps) patch rustls-webpki vulnerability (RUSTSEC-2026-0049)
(routines) add missing extension_manager field in trigger_manual EngineContext
(ci) serialize env-mutating OAuth wildcard tests with ENV_MUTEX (#1280) (#1468)
(setup) remove redundant LLM config and API keys from bootstrap .env (#1448)
resolve wasm broadcast merge conflicts with staging (#395) (#1460)
skip credential validation for Bedrock backend (#1011)
register sandbox jobs in ContextManager for query tool visibility (#1426)
prefer execution-local message routing metadata (#1449)
(security) validate embedding base URLs to prevent SSRF (#1221)
f32→f64 precision artifact in temperature causes provider 400 errors (#1450)
(routines) surface errors when sandbox unavailable for full_job routines (#769)
restore libSQL vector search with dynamic dimensions (#1393)
staging CI triage — consolidate retry parsing, fix flaky tests, add docs (#1427)

Other

Merge branch 'main' into staging-promote/455f543b-23329172268
Merge pull request #1655 from nearai/codex/fix-staging-promotion-1451-version-bumps
Merge pull request #1499 from nearai/staging-promote/9603fefd-23364438978
Fix libsql prompt scope regressions (#1651)
Normalize cron schedules on routine create (#1648)
Fix MCP lifecycle trace user scope (#1646)
Fix REPL single-message hang and cap CI test duration (#1643)
extract AppEvent to crates/ironclaw_common (#1615)
Fix hosted OAuth refresh via proxy (#1602)
(agent) optimize approval thread resolution (UUID parsing + lock contention) (#1592)
(tools) auto-compact WASM tool schemas, add descriptions, improve credential prompts (#1525)
Default new lightweight routines to tools-enabled (#1573)
Google OAuth URL broken when initiated from Telegram channel (#1165)
add gitcgr code graph badge (#1563)
Fix owner-scoped message routing fallbacks (#1574)
(tools) remove unconditional params clone in shared execution (fix #893) (#926)
(llm) move transcription module into src/llm/ (#1559)
(agent) avoid preview allocations for non-truncated strings (fix #894) (#924)
Expand AGENTS.md with coding agents guidance (#1392)
Fix CI approval flows and stale fixtures (#1478)
Use live owner tool scope for autonomous routines and jobs (#1453)
use Arc in embedding cache to avoid clones on miss path (#1438)
Add owner-scoped permissions for full-job routines (#1440)

0.21.0 - 2026-03-20

Added

structured fallback deliverables for failed/stuck jobs (#236)
LRU embedding cache for workspace search (#1423)
receive relay events via webhook callbacks (#1254)

Fixed

bump Feishu channel version for promotion
(approval) make "always" auto-approve work for credentialed HTTP requests (#1257)
skip NEAR AI session check when backend is not nearai (#1413)

Other

Make hosted OAuth and MCP auth generic (#1375)

0.20.0 - 2026-03-19

Added

(self-repair) wire stuck_threshold, store, and builder (#712)
(testing) add FaultInjector framework for StubLlm (#1233)
(gateway) unified settings page with subtabs (#1191)
upgrade MiniMax default model to M2.7 (#1357)

Fixed

navigate telegram E2E tests to channels subtab (#1408)
add missing builder field and update E2E extensions tab navigation (#1400)
remove debug_assert guards that panic on valid error paths (#1385)
address valid review comments from PR #1359 (#1380)
full_job routine runs stay running until linked job completion (#1374)
full_job routine concurrency tracks linked job lifetime (#1372)
remove -x from coverage pytest to prevent suite-blocking failures (#1360)
add debug_assert invariant guards to critical code paths (#1312)
(mcp) retry after missing session id errors (#1355)
(telegram) preserve polling after secret-blocked updates (#1353)
(llm) cap retry-after delays (#1351)
(setup) remove nonexistent webhook secret command hint (#1349)
Rate limiter returns retry after None instead of a duration (#1269)

Other

bump telegram channel version to 0.2.5 (#1410)
(ci) enforce test requirement for state machine and resilience changes (#1230) (#1304)
Fix duplicate LLM responses for matched event routines (#1275)
add Japanese README (#1306)
(ci) add coverage gates via codecov.yml (#1228) (#1291)
Redesign routine create requests for LLMs (#1147)

0.19.0 - 2026-03-17

Added

verify telegram owner during hot activation (#1157)
(config) unify config resolution with Settings fallback (Phase 2, #1119) (#1203)
(sandbox) add retry logic for transient container failures (#1232)
(heartbeat) fire_at time-of-day scheduling with IANA timezone (#1029)
Reuse Codex CLI OAuth tokens for ChatGPT backend LLM calls (#693)
add pre-push git hook with delta lint mode (#833)
(cli) add logs command for gateway log access (#1105)
add Feishu/Lark WASM channel plugin (#1110)
add Criterion benchmarks for safety layer hot paths (#836)
(routines) human-readable cron schedule summaries in web UI (#1154)
(web) add follow-up suggestion chips and ghost text (#1156)
(ci) include commit history in staging promotion PRs (#952)
(tools) add reusable sensitive JSON redaction helper (#457)
configurable hybrid search fusion strategy (#234)
(cli) add cron subcommand for managing scheduled routines (#1017)
adds context-llm tool support (#616)
(web-chat) add hover copy button for user/assistant messages (#948)
add Slack approval buttons for tool execution in DMs (#796)
enhance HTTP tool parameter parsing (#911)
(routines) enable tool access in lightweight routine execution (#257) (#730)
add MiniMax as a built-in LLM provider (#940)
(cli) add ironclaw channels list subcommand (#933)
(cli) add ironclaw skills list/search/info subcommands (#918)
add cargo-deny for supply chain safety (#834)
(setup) display ASCII art banner during onboarding (#851)
(extensions) unify auth and configure into single entrypoint (#677)
(i18n) Add internationalization support with Chinese and English translations (#929)
Import OpenClaw memory, history and settings (#903)

Fixed

jobs limit (#1274)
misleading UI message (#1265)
bump channel registry versions for promotion (#1264)
cover staging CI all-features and routine batch regressions (#1256)
resolve merge conflict fallout and missing config fields
web/CLI routine mutations do not refresh live event trigger cache (#1255)
(jobs) make completed->completed transition idempotent to prevent race errors (#1068)
(llm) persist refreshed Anthropic OAuth token after Keychain re-read (#1213)
(worker) prevent orphaned tool_results and fix parallel merging (#1069)
Telegram bot token validation fails intermittently (HTTP 404) (#1166)
(security) prevent metadata spoofing of internal job monitor flag (#1195)
(security) default webhook server to loopback when tunnel is configured (#1194)
(auth) avoid false success and block chat during pending auth (#1111)
(config) unify ChannelsConfig resolution to env > settings > default (#1124)
(web-chat) normalize chat copy to plain text (#1114)
(skill) treat empty url param as absent when installing skills (#1128)
preserve AuthError type in oauth_http_client cache (#1152)
(web) prevent Safari IME composition Enter from sending message (#1140)
(mcp) handle 400 auth errors, clear auth mode after OAuth, trim tokens (#1158)
eliminate panic paths in production code (#1184)
N+1 query pattern in event trigger loop (routine_engine) (#1163)
(llm) add stop_sequences parity for tool completions (#1170)
(channels) use live owner binding during wasm hot activation (#1171)
Non-transactional multi-step context updates between metadata/to… (#1161)
(webhook) avoid lock-held awaits in server lifecycle paths (#1168)
Google Sheets returns 403 PERMISSION_DENIED after completing OAuth (#1164)
HTTP webhook secret transmitted in request body rather than via header, docs inconsistency and security concern (#1162)
(ci) exclude ironclaw_safety from release automation (#1146)
(registry) bump versions for github, web-search, and discord extensions (#1106)
(mcp) address 14 audit findings across MCP module (#1094)
(http) replace .expect() with match in webhook handler (#1133)
(time) treat empty timezone string as absent (#1127)
5 critical/high-priority bugs (auth bypass, relay failures, unbounded recursion, context growth) (#1083)
(ci) checkout promotion PR head for metadata refresh (#1097)
(ci) add missing attachments field and crates/ dir to Dockerfiles (#1100)
(registry) bump telegram channel version for capabilities change (#1064)
(ci) repair staging promotion workflow behavior (#1091)
(wasm) address #1086 review followups -- description hint and coercion safety (#1092)
(ci) repair staging-ci workflow parsing (#1090)
(extensions) fix lifecycle bugs + comprehensive E2E tests (#1070)
add tool_info schema discovery for WASM tools (#1086)
resolve bug_bash UX/logging issues (#1054 #1055 #1058) (#1072)
(http) fail closed when webhook secret is missing at runtime (#1075)
(service) set CLI_ENABLED=false in macOS launchd plist (#1079)
relax approval requirements for low-risk tools (#922)
(web) make approval requests appear without page reload (#996) (#1073)
(routines) run cron checks immediately on ticker startup (#1066)
(web) recompute cron next_fire_at when re-enabling routines (#1080)
(memory) reject absolute filesystem paths with corrective routing (#934)
remove all inline event handlers for CSP script-src compliance (#1063)
(mcp) include OAuth state parameter in authorization URLs (#1049)
(mcp) open MCP OAuth in same browser as gateway (#951)
(deploy) harden production container and bootstrap security (#1014)
release lock guards before awaiting channel send (#869) (#1003)
(registry) use versioned artifact URLs and checksums for all WASM manifests (#1007)
(setup) preserve model selection on provider re-run (#679) (#987)
(mcp) attach session manager for non-OAuth HTTP clients (#793) (#986)
(security) migrate webhook auth to HMAC-SHA256 signature header (#970)
(security) make unsafe env::set_var calls safe with explicit invariants (#968)
(security) require explicit SANDBOX_ALLOW_FULL_ACCESS to enable FullAccess policy (#967)
(security) add Content-Security-Policy header to web gateway (#966)
(test) stabilize openai compat oversized-body regression (#839)
(ci) disambiguate WASM bundle filenames to prevent tool/channel collision (#964)
(setup) validate channel credentials during setup (#684)
drain tunnel pipes to prevent zombie process (#735)
(mcp) header safety validation and Authorization conflict bug from #704 (#752)
(agent) block thread_id-based context pollution across users (#760)
(mcp) stdio/unix transports skip initialize handshake (#890) (#935)
(setup) drain residual events and filter key kind in onboard prompts (#937) (#949)
(security) load WASM tool description and schema from capabilities.json (#520)
(security) resolve DNS once and reuse for SSRF validation to prevent rebinding (#518)
(security) replace regex HTML sanitizer with DOMPurify to prevent XSS (#510)
(ci) improve Claude Code review reliability (#955)
(ci) run gated test jobs during staging CI (#956)
(ci) prevent staging-ci tag failure and chained PR auto-close (#900)
(ci) WASM WIT compat sqlite3 duplicate symbol conflict (#953)
resolve deferred review items from PRs #883, #848, #788 (#915)
(web) improve UX readability and accessibility in chat UI (#910)

Other

Fix Telegram auto-verify flow and routing (#1273)
(e2e) fix approval waiting regression coverage (#1270)
isolate heavy integration tests (#1266)
Merge branch 'main' into fix/resolve-conflicts
Refactor owner scope across channels and fix default routing fallback (#1151)
(extensions) document relay manager init order (#928)
(setup) extract init logic from wizard into owning modules (#1210)
mention MiniMax as built-in provider in all READMEs (#1209)
Fix schema-guided tool parameter coercion (#1143)
Make no-panics CI check test-aware (#1160)
(mcp) avoid reallocating SSE buffer on each chunk (#1153)
(routines) avoid full message history clone each tool iteration (#1172)
(registry) align manifest versions with published artifacts (#1169)
remove pycache from repo and add to .gitignore (#1177)
(registry) move MCP servers from code to JSON manifests (#1144)
improve routine schema guidance (#1089)
add event-trigger routine e2e coverage (#1088)
enforce no .unwrap(), .expect(), or assert!() in production code (#1087)
periodic sync main into staging (resolved conflicts) (#1098)
fix formatting in cli/mod.rs and mcp/auth.rs (#1071)
Expose the shared agent session manager via AppComponents (#532)
(agent) remove unnecessary Worker re-export (#923)
Fix UTF-8 unsafe truncation in WASM emit_message (#1015)
extract safety module into ironclaw_safety crate (#1024)
Add Z.AI provider support for GLM-5 (#938)
(html_to_markdown) refresh golden files after renderer bump (#1016)
Migrate GitHub webhook normalization into github tool (#758)
Fix systemctl unit (#472)
add Russian localization (README.ru.md) (#850)
Add generic host-verified /webhook/tools/{tool} ingress (#757)

0.18.0 - 2026-03-11

Other

Merge pull request #907 from nearai/staging-promote/b0214fef-22930316561
promote staging to main (2026-03-10 15:19 UTC) (#865)
Merge pull request #830 from nearai/staging-promote/3a2989d0-22888378864
update WASM artifact SHA256 checksums [skip ci] (#876)

0.17.0 - 2026-03-10

Added

(llm) per-provider unsupported parameter filtering (#749, #728) (#809)
persist user_id in save_job and expose job_id on routine runs (#709)
(ci) chained promotion PRs with multi-agent Claude review (#776)
add background sandbox reaper for orphaned Docker containers (#634)
(wasm) lazy schema injection on WASM tool errors (#638)
add AWS Bedrock LLM provider via native Converse API (#713)
full image support across all channels (#725)
(skills) exclude_keywords veto in skill activation scoring (#688)
(mcp) transport abstraction, stdio/UDS transports, and OAuth fixes (#721)
add PID-based gateway lock to prevent multiple instances (#717)
configurable LLM request timeout via LLM_REQUEST_TIMEOUT_SECS (#615) (#630)
(timezone) add timezone-aware session context (#671)
(setup) Anthropic OAuth onboarding with setup-token support (#384)
(llm) add Google Gemini, AWS Bedrock, io.net, Mistral, Yandex, and Cloudflare WS AI providers (#676)
unified thread model for web gateway (#607)
WASM channel attachments with LLM pipeline integration (#596)
enable Anthropic prompt caching via automatic cache_control injection (#660)
(routines) approval context for autonomous job execution (#577)
(llm) declarative provider registry (#618)
(gateway) show IronClaw version in status popover [skip-regression-check] (#636)
Wire memory hygiene retention policy into heartbeat loop (#629)

Fixed

(ci) run fmt + clippy on staging PRs, skip Windows clippy [skip-regression-check] (#802)
(ci) clean up staging pipeline — remove hacks, skip redundant checks [skip-regression-check] (#794)
(ci) secrets can't be used in step if conditions [skip-regression-check] (#787)
prevent irreversible context loss when compaction archive write fails (#754)
button styles (#637)
(mcp) JSON-RPC spec compliance — flexible id, correct notification format (#685)
preserve tool-call history across thread hydration (#568) (#670)
CLI commands ignore runtime DATABASE_BACKEND when both features compiled (#740)
(web) prevent fetch error when hostname is an IP address in TEE check (#672)
add timezone conversion support to time tool (#687)
standardize libSQL timestamps as RFC 3339 UTC (#683)
(docker) bind postgres to localhost only (#686)
(repl) skip /quit on EOF when stdin is not a TTY (#724)
(web) prevent Enter key from sending message during IME composition (#715)
(config) init_secrets no longer overwrites entire config (#726)
(cli) status command ignores config.toml and settings.json (#354) (#734)
(setup) preserve model name when re-running onboarding with same provider (#600) (#694)
(setup) initialize secrets crypto for env-var security option (#666) (#706)
persist /model selection across restarts (#707)
(routines) resolve message tool channel/target from per-job metadata (#708)
sanitize HTML error bodies from MCP servers to prevent web UI white screen (#263) (#656)
prevent Instant duration overflow on Windows (#657) (#664)
enable libsql remote + tls features for Turso cloud sync (#587)
(tests) replace hardcoded /tmp paths with tempdir + add 300 unit tests (#659)
(llm) nudge LLM when it expresses tool intent without calling tools (#653)
(llm) report zero cost for OpenRouter free-tier models (#463) (#613)
reliable network tests and improved tool error messages (#626)
(wasm) use per-engine cache dirs on Windows to avoid file lock error (#624)
(libsql) support flexible embedding dimensions (#534)

Other

Restructure CLAUDE.md into modular rules + add pr-shepherd command (#750)
make src/llm/ self-contained for crate extraction (#767)
add simplified Chinese (zh-CN) README translation (#488)
(job) cover job tool validation and state transitions (#681)
(agent) wire TestRig job tools through the scheduler (#716)
Fix single-message mode to exit after one turn when background channels are enabled (#719)
remove dead code (#648) (#703)
add reviewer-feedback guardrails (CLAUDE.md, pre-commit hook, skill) (#665)
update WASM artifact SHA256 checksums [skip ci] (#631)
add explanatory comments to coverage workflow (#610)
build system prompt once per turn, skip tools on force-text (#583)
add comprehensive subdirectory CLAUDE.md files and update root (#589)
Improve test infrastructure: StubChannel, gateway helpers, security tests, search edge cases (#623)
(workspace) regression test for document_path in search results (#509)

Added

AWS Bedrock LLM provider via native Converse API with IAM and SSO auth support (feature-gated: --features bedrock)

0.16.1 - 2026-03-06

Fixed

revert WASM artifact SHA256 checksums to null (#627)

0.16.0 - 2026-03-06

Added

(e2e) extensions tab tests, CI parallelization, and 3 production bug fixes (#584)
WASM extension versioning with WIT compat checks (#592)
Add HMAC-SHA256 webhook signature validation for Slack (#588)
restart (#531)
merge http/web_fetch tools, add tool output stash for large responses (#578)
integrate 13-dimension complexity scorer into smart routing (#529)

Fixed

(llm) fix reasoning model response parsing bugs (#564) (#580)
(ci) fix three coverage workflow failures (#597)
Telegram channel accepts group messages from all users if owner_… (#590)
(ci) anchor coverage/ gitignore rule to repo root (#591)
(security) use OsRng for all security-critical key and token generation (#519)
prevent concurrent memory hygiene passes and Windows file lock errors (#535)
sort tool_definitions() for deterministic LLM tool ordering (#582)
(ci) persist all cargo-llvm-cov env vars for E2E coverage (#559)

Other

(llm) complete response cache — set_model invalidation, stats logging, sync mutex (#290)
add 29 E2E trace tests for issues #571-575 (#593)
add 26 tests for multi-thread safety, db CRUD, concurrency, errors (#442)
update WASM artifact SHA256 checksums [skip ci] (#560)
add WIT compatibility tests for WASM extensions (#586)
Trajectory benchmarks and e2e trace test rig (#553)

0.15.0 - 2026-03-04

Added

(oauth) route callbacks through web gateway for hosted instances (#555)
(web) show error details for failed tool calls (#490)
(extensions) improve auth UX and add load-time validation (#536)
add local-test skill and Dockerfile.test for web gateway testing (#524)

Fixed

(security) restrict query-token auth to SSE endpoints only (#528)
(ci) flush profraw coverage data in E2E teardown (#550)
(wasm) coerce string parameters to schema-declared types (#498)
(agent) strip leaked [Called tool ...] text from responses (#497)
(web) reset job list UI on restart failure (#499)
(security) replace .unwrap() panics in pairing store with proper error handling (#515)

Other

Fix UTF-8 unsafe truncation in sandbox log capture (#359)
enhance coverage with feature matrix, postgres, and E2E (#523)

0.14.0 - 2026-03-04

Added

remove the okta tool (#506)
add OAuth support for WASM tools in web gateway (#489)
(web) fix jobs UI parity for non-sandbox mode (#491)
(workspace) add TOOLS.md, BOOTSTRAP.md, and disk-to-DB import (#477)

Fixed

(web) mobile browser bar obscures chat input (#508)
(web) assign unique thread_id to manual routine triggers (#500)
(web) refresh routine UI after Run Now trigger (#501)
(skills) use slug for skill download URL from ClawHub (#502)
(workspace) thread document path through search results (#503)
(workspace) import custom templates before seeding defaults (#505)
use std::sync::RwLock in MessageTool to avoid runtime panic (#411)
wire secrets store into all WASM runtime activation paths (#479)

Other

enforce regression tests for fix commits (#517)
add code coverage with cargo-llvm-cov and Codecov (#511)
Remove restart infrastructure, generalize WASM channel setup (#493)

0.13.1 - 2026-03-02

Added

add Brave Web Search WASM tool (#474)

Fixed

(web) auto-scroll and Enter key completion for slash command autocomplete (#475)
correct download URLs for telegram-mtproto and slack-tool extensions (#470)

0.13.0 - 2026-03-02

Added

(cli) add tool setup command + GitHub setup schema (#438)
add web_fetch built-in tool (#435)
(web) DB-backed Jobs tab + scheduler-dispatched local jobs (#436)
(extensions) add OAuth setup UI for WASM tools + display name labels (#437)
(bootstrap) auto-detect libsql when ironclaw.db exists (#399)
(web) slash command autocomplete + /status /list + fix chat input locking (#404)
(routines) deliver notifications to all installed channels (#398)
(web) persist tool calls, restore approvals on thread switch, and UI fixes (#382)
add IRONCLAW_BASE_DIR env var with LazyLock caching (#397)
feat(signal) attachment upload + message tool (#375)

Fixed

(channels) add host-based credential injection to WASM channel wrapper (#421)
pre-validate Cloudflare tunnel token by spawning cloudflared (#446)
batch of quick fixes (#417, #338, #330, #358, #419, #344) (#428)
persist channel activation state across restarts (#432)
init WASM runtime eagerly regardless of tools directory existence (#401)
add TLS support for PostgreSQL connections (#363) (#427)
scan inbound messages for leaked secrets (#433)
use tailscale funnel --bg for proper tunnel setup (#430)
normalize secret names to lowercase for case-insensitive matching (#413) (#431)
persist model name to .env so dotted names survive restart (#426)
(setup) check cloudflared binary and validate tunnel token (#424)
(setup) validate PostgreSQL version and pgvector availability before migrations (#423)
guard zsh compdef call to prevent error before compinit (#422)
(telegram) remove restart button, validate token on setup (#434)
web UI routines tab shows all routines regardless of creating channel (#391)
Discord Ed25519 signature verification and capabilities header alias (#148) (#372)
prevent duplicate WASM channel activation on startup (#390)

Other

rename WasmBuildable::repo_url to source_dir (#445)
Improve --help: add detailed about/examples/color, snapshot test (clo… (#371)
Add automated QA: schema validator, CI matrix, Docker build, and P1 test coverage (#353)

0.12.0 - 2026-02-26

Added

(web) improve WASM channel setup flow (#380)
(web) inline tool activity cards with auto-collapsing (#376)
(web) display logs newest-first in web gateway UI (#369)
(signal) tool approval workflow and status updates (#350)
add OpenRouter preset to setup wizard (#270)
(channels) add native Signal channel via signal-cli HTTP daemon (#271)

Fixed

correct MCP registry URLs and remove non-existent Google endpoints (#370)
resolve_thread adopts existing session threads by UUID (#377)
resolve telegram/slack name collision between tool and channel registries (#346)
make onboarding installs prefer release artifacts with source fallback (#323)
copy missing files in Dockerfile to fix build (#322)
fall back to build-from-source when extension download fails (#312)

Other

Add --version flag with clap built-in support and test (#342)
Update FEATURE_PARITY.md (#337)
add brew install ironclaw instructions (#310)
Fix skills system: enable by default, fix registry and install (#300)

0.11.1 - 2026-02-23

Other

Ignore out-of-date generated CI so custom release.yml jobs are allowed

0.11.0 - 2026-02-23

Fixed

auto-compact and retry on ContextLengthExceeded (#315)

Other

(README) Adding badges to readme (#316)
Feat/completion (#240)

0.10.0 - 2026-02-22

Added

update dashboard favicon (#309)
add web UI test skill for Chrome extension (#302)
implement FullJob routine mode with scheduler dispatch (#288)
hot-activate WASM channels, channel-first prompts, unified artifact resolution (#297)
add pairing/permission system to all WASM channels and fix extension registry (#286)
group chat privacy, channel-aware prompts, and safety hardening (#285)
embedded registry catalog and WASM bundle install pipeline (#283)
show token usage and cost tracker in gateway status popover (#284)
support custom HTTP headers for OpenAI-compatible provider (#269)
add smart routing provider for cost-optimized model selection (#281)

Fixed

persist user message at turn start before agentic loop (#305)
block send until thread is selected (#306)
reload chat history on SSE reconnect (#307)
map Esc to interrupt and Ctrl+C to graceful quit (#267)

Other

Fix tool schema OpenAI compatibility (#301)
simplify config resolution and consolidate main.rs init (#287)
Update image source in README.md
Add files via upload
remove ExtensionSource::Bundled, use download-only install for WASM channels (#293)
allow OAuth callback to work on remote servers (fixes #186) (#212)
add rate limiting for built-in tools (closes #171) (#276)
add LLM providers guide (OpenRouter, Together AI, Fireworks, Ollama, vLLM) (#193)
Feat/html to markdown #106 (#115)
adopt agent-market design language for web UI (#282)
speed up startup from ~15s to ~2s (#280)
consolidate tool approval into single param-aware method (#274)

0.9.0 - 2026-02-21

Added

add TEE attestation shield to web gateway UI (#275)
configurable tool iterations, auto-approve, and policy fix (#251)

Fixed

add X-Accel-Buffering header to SSE endpoints (#277)

0.8.0 - 2026-02-20

Added

extension registry with metadata catalog and onboarding integration (#238)
(models) add GPT-5.3 Codex, full GPT-5.x family, Claude 4.x series, o4-mini (#197)
wire memory hygiene into the heartbeat loop (#195)

Fixed

persist WASM channel workspace writes across callbacks (#264)
consolidate per-module ENV_MUTEX into crate-wide test lock (#246)
remove auto-proceed fake user message injection from agent loop (#255)
onboarding errors reset flow and remote server auth (#185, #186) (#248)
parallelize tool call execution via JoinSet (#219) (#252)
prevent pipe deadlock in shell command execution (#140)
persist turns after approval and add agent-level tests (#250)

Other

add automated PR labeling system (#253)
update CLAUDE.md for recently merged features (#183)

0.7.0 - 2026-02-19

Added

extend lifecycle hooks with declarative bundles (#176)
support per-request model override in /v1/chat/completions (#103)

Fixed

harden openai-compatible provider, approval replay, and embeddings defaults (#237)
Network Security Findings (#201)

Added

Refactored OpenAI-compatible chat completion routing to use the rig adapter and RetryProvider composition for custom base URL usage.
Added Ollama embeddings provider support (EMBEDDING_PROVIDER=ollama, OLLAMA_BASE_URL) in workspace embeddings.
Added migration V9__flexible_embedding_dimension.sql for flexible embedding vector dimensions.

Changed

Changed default sandbox image to ironclaw-worker:latest in config/settings/sandbox defaults.
Improved tool-message sanitization and provider compatibility handling across NEAR AI, rig adapter, and shared LLM provider code.

Fixed

Fixed approval-input aliases (a, /approve, /always, /deny, etc.) in submission parsing.
Fixed multi-tool approval resume flow by preserving and replaying deferred tool calls so all prior tool_use IDs receive matching tool_result messages.
Fixed REPL quit/exit handling to route shutdown through the agent loop for graceful termination.

0.6.0 - 2026-02-19

Added

add issue triage skill (#200)
add PR triage dashboard skill (#196)
add OpenRouter usage examples (#189)
add Tinfoil private inference provider (#62)
shell env scrubbing and command injection detection (#164)
Add PR review tools, job monitor, and channel injection for E2E sandbox workflows (#57)
Secure prompt-based skills system (Phases 1-4) (#51)
Add benchmarking harness with spot suite (#10)
10 infrastructure improvements from zeroclaw (#126)

Fixed

(rig) prevent OpenAI Responses API panic on tool call IDs (#182)
(docs) correct settings storage path in README (#194)
OpenAI tool calling — schema normalization, missing types, and Responses API panic (#132)
(security) prevent path traversal bypass in WASM HTTP allowlist (#137)
persist OpenAI-compatible provider and respect embeddings disable (#177)
remove .expect() calls in FailoverProvider::try_providers (#156)
sentinel value collision in FailoverProvider cooldown (#125) (#154)
skills module audit cleanup (#173)

Other

Fix division by zero panic in ValueEstimator::is_profitable (#139)
audit feature parity matrix against codebase and recent commits (#202)
architecture improvements for contributor velocity (#198)
fix rustfmt formatting from PR #137
add .env.example examples for Ollama and OpenAI-compatible (#110)

0.5.0 - 2026-02-17

Added

add cooldown management to FailoverProvider (#114)

0.4.0 - 2026-02-17

Added

move per-invocation approval check into Tool trait (#119)
add polished boot screen on CLI startup (#118)
Add lifecycle hooks system with 6 interception points (#18)

Other

remove accidentally committed .sidecar and .todos directories (#123)

0.3.0 - 2026-02-17

Added

direct api key and cheap model (#116)

0.2.0 - 2026-02-16

Added

mark Ollama + OpenAI-compatible as implemented (#102)
multi-provider inference + libSQL onboarding selection (#92)
add multi-provider LLM failover with retry backoff (#28)
add libSQL/Turso embedded database backend (#47)
Move debug log truncation from agent loop to REPL channel (#65)

Fixed

shell destructive-command check bypassed by Value::Object arguments (#72)
propagate real tool_call_id instead of hardcoded placeholder (#73)
Fix wasm tool schemas and runtime (#42)
flatten tool messages for NEAR AI cloud-api compatibility (#41)
security hardening across all layers (#35)

Other

Explicitly enable cargo-dist caching for binary artifacts building
Skip building binary artifacts on every PR
add module specification rules to CLAUDE.md
add setup/onboarding specification (src/setup/README.md)
deduplicate tool code and remove dead stubs (#98)
Reformat architecture diagram in README (#64)
Add review discipline guidelines to CLAUDE.md (#68)
Bump MSRV to 1.92, add GCP deployment files (#40)
Add OpenAI-compatible HTTP API (/v1/chat/completions, /v1/models) (#31)

0.1.3 - 2026-02-12

Other

Enabled builds caching during CI/CD
Disabled npm publishing as the name is already taken

0.1.2 - 2026-02-12

Other

Added Installation instructions for the pre-built binaries
Disabled Windows ARM64 builds as auto-updater [provided by cargo-dist] does not support this platform yet and it is not a common platform for us to support

0.1.1 - 2026-02-12

Other

Renamed the secrets in release-plz.yml to match the configuration
Make sure that the binaries release CD it kicking in after release-plz

0.1.0 - 2026-02-12

Added

Add multi-provider LLM support via rig-core adapter (#36)
Sandbox jobs (#4)
Add Google Suite & Telegram WASM tools (#9)
Improve CLI (#5)

Fixed

resolve runtime panic in Linux keychain integration (#32)

Other

Skip release-plz on forks
Upgraded release-plz CD pipeline
Added CI/CD and release pipelines (#45)
DM pairing + Telegram channel improvements (#17)
Fixes build, adds missing sse event and correct command (#11)
Codex/feature parity pr hook (#6)
Add WebSocket gateway and control plane (#8)
select bundled Telegram channel and auto-install (#3)
Adding skills for reusable work
Fix MCP tool calls, approval loop, shutdown, and improve web UI
Add auth mode, fix MCP token handling, and parallelize startup loading
Merge remote-tracking branch 'origin/main' into ui
Adding web UI
Rename setup CLI command to onboard for compatibility
Add in-chat extension discovery, auth, and activation system
Add Telegram typing indicator via WIT on-status callback
Add proactivity features: memory CLI, session pruning, self-repair notifications, slash commands, status diagnostics, context warnings
Add hosted MCP server support with OAuth 2.1 and token refresh
Add interactive setup wizard and persistent settings
Rebrand to IronClaw with security-first mission
Fix build_software tool stuck in planning mode loop
Enable sandbox by default
Fix Telegram Markdown formatting and clarify tool/memory distinctions
Simplify Telegram channel config with host-injected tunnel/webhook settings
Apply Telegram channel learnings to WhatsApp implementation
Merge remote-tracking branch 'origin/main'
Docker file for sandbox
Replace hardcoded intent patterns with job tools
Fix router test to match intentional job creation patterns
Add Docker execution sandbox for secure shell command isolation
Move setup wizard credentials to database storage
Add interactive setup wizard for first-run configuration
Add Telegram Bot API channel as WASM module
Add OpenClaw feature parity tracking matrix
Add Chat Completions API support and expand REPL debugging
Implementing channels to be handled in wasm
Support non interactive mode and model selection
Implement tool approval, fix tool definition refresh, and wire embeddings
Tool use
Wiring more
Add heartbeat integration, planning phase, and auto-repair
Login flow
Extend support for session management
Adding builder capability
Load tools at launch
Fix multiline message rendering in TUI
Parse NEAR AI alternative response format with output field
Handle NEAR AI plain text responses
Disable mouse capture to allow text selection in TUI
Add verbose logging to debug empty NEAR AI responses
Improve NEAR AI response parsing for varying response formats
Show status/thinking messages in chat window, debug empty responses
Add timeout and logging to NEAR AI provider
Add status updates to show agent thinking/processing state
Add CLI subcommands for WASM tool management
Fix TUI shutdown: send /shutdown message and handle in agent loop
Remove SimpleCliChannel, add Ctrl+D twice quit, redirect logs to TUI
Fix TuiChannel integration and enable in main.rs
Integrate Codex patterns: task scheduler, TUI, sessions, compaction
Adding LICENSE
Add README with IronClaw branding
Add WASM sandbox secure API extension
Wire database Store into agent loop
Implementing WASM runtime
Add workspace integration tests
Compact memory_tree output format
Replace memory_list with memory_tree tool
Simplify workspace to path-based storage, remove legacy code
Add NEAR AI chat-api as default LLM provider
Add CLAUDE.md project documentation
Add workspace and memory system (OpenClaw-inspired)
Initial implementation of the agent framework

FilesExpand file tree

CHANGELOG.md

Latest commit

History

CHANGELOG.md

File metadata and controls

Changelog

[Unreleased]

0.20.1 - 2026-04-23

Fixed

0.20.0 - 2026-04-23

Fixed

0.26.0 - 2026-04-21

Added

Fixed

Other

0.25.0 - 2026-04-11

Added

Fixed

Other

0.24.0 - 2026-03-31

Added

Fixed

Other

0.23.0 - 2026-03-27

Added

Fixed

Other

0.22.0 - 2026-03-25

Added

Fixed

Other

0.21.0 - 2026-03-20

Added

Fixed

Other

0.20.0 - 2026-03-19

Added

Fixed

Other

0.19.0 - 2026-03-17

Added

Fixed

Other

0.18.0 - 2026-03-11

Other

0.17.0 - 2026-03-10

Added

Fixed

Other

Added

0.16.1 - 2026-03-06

Fixed

0.16.0 - 2026-03-06

Added

Fixed

Other

0.15.0 - 2026-03-04

Added

Fixed

Other

0.14.0 - 2026-03-04

Added

Fixed

Other

0.13.1 - 2026-03-02

Added

Fixed

0.13.0 - 2026-03-02

Added

Fixed

Other

0.12.0 - 2026-02-26

Added

Fixed

Other

0.11.1 - 2026-02-23

Other

0.11.0 - 2026-02-23

Fixed