
Releases: RightNow-AI/openfang

v0.3.30 — Security Hardening

08 Mar 14:02


Security Hardening

Comprehensive security audit and fixes in response to responsible disclosure:

Shell Execution Sandbox (CRITICAL)

  • Allowlist mode now uses direct argv execution via shlex; no shell interpreter is invoked
  • Commands are split into program + arguments and passed to execve() directly
  • Eliminates entire class of injection attacks: encoding tricks, $IFS, glob expansion, variable expansion
  • Full mode (user opt-in) still uses sh -c with metacharacter filtering as defense-in-depth
  • Metacharacter filter blocks: ; | > < {} \0 & && ||
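The two modes side by side, as an added example that is not OpenFang's code: allowlist mode splits the command shell-style, checks argv[0] against an allowlist and execs the program directly, so the string never reaches a shell; full mode keeps `sh -c` with only the metacharacter filter in front of it. The allowlist contents, the error type and the exact filter set are assumptions made for the example.

```rust
// Added example, not OpenFang's code: the two execution modes the notes describe.
// The allowlist contents, error type and filter set below are assumptions.
use std::process::Command;

#[derive(Debug, PartialEq)]
pub enum ShellError {
    Parse(&'static str),
    NotAllowed(String),
    Blocked(char),
    Spawn(String),
}

/// POSIX-style word splitting (what shlex does): whitespace separates words,
/// single quotes are literal, backslash escapes the next character (also
/// inside double quotes, a simplification). Nothing is expanded, so `$IFS`,
/// `*` and `$(...)` reach the program as plain bytes.
pub fn split_argv(cmd: &str) -> Result<Vec<String>, ShellError> {
    let (mut argv, mut cur, mut in_word) = (Vec::new(), String::new(), false);
    let mut it = cmd.chars();
    while let Some(c) = it.next() {
        match c {
            '\'' => {
                in_word = true;
                loop {
                    match it.next() {
                        Some('\'') => break,
                        Some(x) => cur.push(x),
                        None => return Err(ShellError::Parse("unterminated single quote")),
                    }
                }
            }
            '"' => {
                in_word = true;
                loop {
                    match it.next() {
                        Some('"') => break,
                        Some('\\') => cur.push(it.next().ok_or(ShellError::Parse("dangling backslash"))?),
                        Some(x) => cur.push(x),
                        None => return Err(ShellError::Parse("unterminated double quote")),
                    }
                }
            }
            '\\' => {
                in_word = true;
                cur.push(it.next().ok_or(ShellError::Parse("dangling backslash"))?);
            }
            c if c.is_whitespace() => {
                if in_word {
                    argv.push(std::mem::take(&mut cur));
                    in_word = false;
                }
            }
            c => {
                in_word = true;
                cur.push(c);
            }
        }
    }
    if in_word {
        argv.push(cur);
    }
    Ok(argv)
}

/// Programs allowlist mode may exec (assumption; a real list is configuration).
const ALLOWLIST: &[&str] = &["echo", "ls", "cat"];

/// Allowlist mode: split, check argv[0], exec directly. On Unix, Command goes
/// through fork/execve with exactly this argv; there is no `sh -c` in the path.
pub fn run_allowlisted(cmd: &str) -> Result<String, ShellError> {
    let argv = split_argv(cmd)?;
    let prog = argv.first().ok_or(ShellError::Parse("empty command"))?;
    if !ALLOWLIST.contains(&prog.as_str()) {
        return Err(ShellError::NotAllowed(prog.clone()));
    }
    let out = Command::new(prog)
        .args(&argv[1..])
        .output()
        .map_err(|e| ShellError::Spawn(e.to_string()))?;
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

/// Full mode's defense-in-depth filter: the characters listed in the notes
/// (`&&` and `||` are caught by `&` and `|`). A denylist like this is only a
/// backstop; `sh -c` still interprets whatever gets past it.
pub fn check_metachars(cmd: &str) -> Result<(), ShellError> {
    match cmd.chars().find(|c| ";|><{}&\0".contains(*c)) {
        Some(c) => Err(ShellError::Blocked(c)),
        None => Ok(()),
    }
}
```

Running `run_allowlisted("echo '$IFS' * $(id) | cat")` returns the literal text `$IFS * $(id) | cat`: the variable, the glob, the command substitution and the pipe all arrive as arguments to `echo` and nothing is evaluated. That is the property the allowlist mode buys; full mode, with `sh -c` still in the path, depends on the filter being complete, which is why the notes describe it as defense-in-depth rather than the primary control.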

API Auth Hardening (CRITICAL)

  • All public endpoints are now GET-only — POST/PUT/DELETE always require authentication
  • Prevents unauthenticated cron job creation, skill installation, integration reload, agent spawning
  • WebSocket auth now uses constant-time comparison (fixes timing side-channel)
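The request gate those two bullets describe, as an added example that is not OpenFang's code: unauthenticated access is limited to GET on a fixed set of public paths, and everything else needs a token compared in constant time, which is the same comparison the WebSocket handshake should use. The public path list, the header name and the bearer-token format are assumptions.

```rust
// Added example, not OpenFang's code: GET-only public endpoints plus a
// constant-time token check for everything else. Paths, header name and token
// format are assumptions.
use std::collections::HashMap;

/// Paths that may be read without credentials (assumption).
const PUBLIC_GET_PATHS: &[&str] = &["/api/status", "/api/agents"];

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Unauthorized,
}

/// Byte-wise comparison with no early exit on the first mismatch, so response
/// time does not tell the caller how many leading bytes it got right. The
/// length check still leaks length, acceptable for fixed-size tokens. Production
/// code should use the `subtle` or `constant_time_eq` crate rather than this.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Gate a request. `headers` keys are lowercase. `api_token` is the configured
/// secret; an empty one denies everything that is not a public GET, rather than
/// matching an empty `Authorization: Bearer ` header.
pub fn authorize(method: &str, path: &str, headers: &HashMap<String, String>, api_token: &[u8]) -> Decision {
    if method == "GET" && PUBLIC_GET_PATHS.contains(&path) {
        return Decision::Allow;
    }
    // POST/PUT/PATCH/DELETE anywhere, and GET on private paths, need a token.
    if api_token.is_empty() {
        return Decision::Unauthorized;
    }
    let presented = headers
        .get("authorization")
        .and_then(|v| v.strip_prefix("Bearer "))
        .map(|t| t.as_bytes());
    match presented {
        Some(t) if ct_eq(t, api_token) => Decision::Allow,
        _ => Decision::Unauthorized,
    }
}
```

The method check comes before the token check, so a POST to a public path is never treated as public: that is what closes the unauthenticated cron, skill-install, reload and spawn paths listed above. The empty-token guard matters because a slice comparison of two empty strings is true.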

OFP Wire Protocol (HIGH)

  • send_to_peer() derives session key and uses per-message HMAC authenticated I/O
  • broadcast_notification() requires shared secret and uses authenticated writes
  • connection_loop() uses authenticated reads/writes for all post-handshake messages
  • No plaintext message paths exist after any successful handshake

Audit Trail Persistence (MEDIUM)

  • V8 migration adds audit_entries SQLite table with Merkle chain fields
  • Entries persisted immediately on every write
  • Boot-time integrity verification detects tampering

Bug Fixes

  • #437 Gemini API key sent as query parameter + enhanced error parsing
  • #429 CJK IME composition no longer triggers send on Enter key
  • #434 OpenClaw migration handles nested JSON objects in tool config
  • #403 Discord ignore_bots config option (default true)
  • #407 Browser Hand requires chromium instead of obsolete python3/playwright

Stats

  • 24 files changed, 957 insertions, 224 deletions
  • 1,886 tests passing, 0 clippy warnings

v0.3.29

08 Mar 01:39


9 Bug Fixes

  • #420 Doctor command shows ✔ for connected database (was showing ✘ despite healthy status)
  • #385 Remove fake OpenRouter models (optimus/nitro/auto) — replaced with real model IDs like openrouter/anthropic/claude-sonnet-4
  • #387 Model change via /model command now correctly updates the provider in the dashboard UI
  • #380 Gemini 2.5+ thinking models: parse thoughtSignature field on functionCall parts
  • #384 ZHIPU/GLM API: empty tool result content replaced with "(empty)" to avoid format rejection
  • #389 Linux: suppress Chromium sandbox EPERM error on xdg-open, always print dashboard URL as fallback
  • #388 model_studio recognized as DashScope/Qwen provider alias — custom provider_urls work again
  • #408 IMAP email channel: fallback to AUTHENTICATE PLAIN when server rejects LOGIN (fixes Lark/Larksuite)
  • #402 Hand activation state persists across daemon restarts — no more manual reactivation after reboot

Stats: 1863 tests passing, 0 clippy warnings, 13 files changed across 9 crates

v0.3.28

07 Mar 22:37


v0.3.28 — 8 GitHub issue fixes

- #416: ResourceQuota default max_cost=0.0 (unlimited, stops blocking fresh agents)
- #411: Session reset clears scheduler usage tracking
- #414: Web search returns errors not fake success
- #399: MCP stdio Content-Length framing + correct version
- #400: Non-TTY init auto-falls back to quick mode
- #405: python3→python fallback for Windows Browser Hand
- #395: Embedding driver passes custom base URL from provider_urls
- #404: Bluesky seenAt parameter URL-encoded

v0.3.27

07 Mar 20:44


Fixes:
- Auto-detect LLM provider on fresh install — scans env for any configured API key instead of failing when Anthropic key is missing
- Strip temperature parameter for o-series reasoning models (o1/o3/o4) — fixes 400 errors from OpenAI
- Auto-retry on temperature rejection for any model that returns unsupported_parameter
- Serde alias on ModelConfig.model field — TOML manifests with name = "..." under [model] now work correctly
- Image display preserved in dashboard session history — images no longer lost on page reload
- Custom provider setup UI in Settings tab — add any OpenAI-compatible endpoint from the dashboard
- Claude Code added to wizard popular providers with install instructions

v0.3.26

07 Mar 02:43


v0.3.26 — Community Batch

Fixes from community PRs, rewritten from scratch:

Boot fallback driver now passes correct model names to secondary providers (#202)
ExecPolicy accepts string shorthand in TOML/JSON configs (#222)
HSTS security header added (#251)
ClawHub search queries properly URL-encoded (#149)
Clear history returns 404 for nonexistent agents (#180)
Installer shell detection improved with fish_add_path support (#75)
PATCH /api/agents/{id} for partial agent updates (#124)
Dashboard CSS fixes for cards, badges, nested lists (#267)
Config gear button on agent chips in chat (#232)
Model switcher filter by provider dropdown (#217)
system_time built-in tool for agents (#250)
Kimi K2 and K2.5 models added to catalog (#223)
Lemonade local AI provider added (#298)
171 models across 37 providers

v0.3.25

06 Mar 21:34


- UTF-8 safe string truncation for nostr pubkey, init wizard, and kernel summary (fixes production panics)
- Mastodon HTML sanitizer upgraded to html-escape crate (handles all named/numeric/hex entities)
- Telegram photo, document, voice, and location media support with file URL resolution
- Venice.ai provider with 3 models (venice-uncensored, llama-3.3-70b, qwen3-235b)
- A2A protocol compat: status wrapper for string/object forms, artifact field relaxation, agent URL fix
- ToolUse/ToolResult cross-message correlation fix in session display
- Channel config deserialization: integer IDs in Vec<String> fields no longer crash on reload
- /api/status now includes version field
- Light theme logo visibility (CSS invert filter)
- macOS Apple Silicon ad-hoc codesign in release CI and install script

v0.3.24

05 Mar 20:09


- Default model from config.toml now applied to restored agents on boot
- Doctor command and wizard auto-detect best available provider instead of hardcoding Groq
- Added 5 new Qwen models (qwen3-235b-a22b, qwen3-30b-a3b, qwen-coder-plus-latest, qwen2.5-coder-32b-instruct, qwen-vl-max)
- Model entry aliases auto-registered in catalog (fixes qwen3, qwen-coder alias resolution)
- Added GitHub issue templates, PR template, and dependabot config

v0.3.23

05 Mar 18:48


Fixes:
- Discord/Telegram/Slack channel test now sends real test messages when channel_id/chat_id is provided (#291)
- Channel hot-reload now re-reads secrets.env so API tokens persist across daemon restarts (#333)
- Tool call recovery supports 3 new patterns: <tool> tags, markdown code blocks, and backtick-wrapped calls (#332)

Features:
- Fallback model chain per agent — configure via PATCH /api/agents/{id}/config or dashboard UI (#229)
- Dashboard shows fallback chain on agent detail with add/remove controls

v0.3.22

05 Mar 17:55


Fixes:
- Model catalog now uses composite key (id + provider) so the same model ID can exist under different providers (#336)
- WhatsApp gateway help text updated — no longer references unpublished npm package, explains auto-start behavior (#337)

v0.3.21

05 Mar 17:46


Fixes:
- OpenAI-compat driver: auto-retry without tools when model returns 500/internal error (fixes GLM-5 on DashScope, #334)
- OpenAI-compat driver: temperature now optional in request body for strict providers
- Agent identity (emoji, color, avatar) now persists to SQLite across daemon restarts (#335)
- Identity PATCH endpoint now saves to database immediately