0.19.0 - 2026-03-17

Release Notes

Added

• verify telegram owner during hot activation (#1157)
• (config) unify config resolution with Settings fallback (Phase 2, #1119) (#1203)
• (sandbox) add retry logic for transient container failures (#1232)
• (heartbeat) fire_at time-of-day scheduling with IANA timezone (#1029)
• Reuse Codex CLI OAuth tokens for ChatGPT backend LLM calls (#693)
• add pre-push git hook with delta lint mode (#833)
• (cli) add logs command for gateway log access (#1105)
• add Feishu/Lark WASM channel plugin (#1110)
• add Criterion benchmarks for safety layer hot paths (#836)
• (routines) human-readable cron schedule summaries in web UI (#1154)
• (web) add follow-up suggestion chips and ghost text (#1156)
• (ci) include commit history in staging promotion PRs (#952)
• (tools) add reusable sensitive JSON redaction helper (#457)
• configurable hybrid search fusion strategy (#234)
• (cli) add cron subcommand for managing scheduled routines (#1017)
• adds context-llm tool support (#616)
• (web-chat) add hover copy button for user/assistant messages (#948)
• add Slack approval buttons for tool execution in DMs (#796)
• enhance HTTP tool parameter parsing (#911)
• (routines) enable tool access in lightweight routine execution (#257) (#730)
• add MiniMax as a built-in LLM provider (#940)
• (cli) add ironclaw channels list subcommand (#933)
• (cli) add ironclaw skills list/search/info subcommands (#918)
• add cargo-deny for supply chain safety (#834)
• (setup) display ASCII art banner during onboarding (#851)
• (extensions) unify auth and configure into single entrypoint (#677)
• (i18n) Add internationalization support with Chinese and English translations (#929)
• Import OpenClaw memory, history and settings (#903)

Fixed

• jobs limit (#1274)
• misleading UI message (#1265)
• bump channel registry versions for promotion (#1264)
• cover staging CI all-features and routine batch regressions (#1256)
• resolve merge conflict fallout and missing config fields
• web/CLI routine mutations do not refresh live event trigger cache (#1255)
• (jobs) make completed->completed transition idempotent to prevent race errors (#1068)
• (llm) persist refreshed Anthropic OAuth token after Keychain re-read (#1213)
• (worker) prevent orphaned tool_results and fix parallel merging (#1069)
• Telegram bot token validation fails intermittently (HTTP 404) (#1166)
• (security) prevent metadata spoofing of internal job monitor flag (#1195)
• (security) default webhook server to loopback when tunnel is configured (#1194)
• (auth) avoid false success and block chat during pending auth (#1111)
• (config) unify ChannelsConfig resolution to env > settings > default (#1124)
• (web-chat) normalize chat copy to plain text (#1114)
• (skill) treat empty url param as absent when installing skills (#1128)
• preserve AuthError type in oauth_http_client cache (#1152)
• (web) prevent Safari IME composition Enter from sending message (#1140)
• (mcp) handle 400 auth errors, clear auth mode after OAuth, trim tokens (#1158)
• eliminate panic paths in production code (#1184)
• N+1 query pattern in event trigger loop (routine_engine) (#1163)
• (llm) add stop_sequences parity for tool completions (#1170)
• (channels) use live owner binding during wasm hot activation (#1171)
• Non-transactional multi-step context updates between metadata/to… (#1161)
• (webhook) avoid lock-held awaits in server lifecycle paths (#1168)
• Google Sheets returns 403 PERMISSION_DENIED after completing OAuth (#1164)
• HTTP webhook secret transmitted in request body rather than via header, docs inconsistency and security concern (#1162)
• (ci) exclude ironclaw_safety from release automation (#1146)
• (registry) bump versions for github, web-search, and discord extensions (#1106)
• (mcp) address 14 audit findings across MCP module (#1094)
• (http) replace .expect() with match in webhook handler (#1133)
• (time) treat empty timezone string as absent (#1127)
• 5 critical/high-priority bugs (auth bypass, relay failures, unbounded recursion, context growth) (#1083)
• (ci) checkout promotion PR head for metadata refresh (#1097)
• (ci) add missing attachments field and crates/ dir to Dockerfiles (#1100)
• (registry) bump telegram channel version for capabilities change (#1064)
• (ci) repair staging promotion workflow behavior (#1091)
• (wasm) address #1086 review followups -- description hint and coercion safety (#1092)
• (ci) repair staging-ci workflow parsing (#1090)
• (extensions) fix lifecycle bugs + comprehensive E2E tests (#1070)
• add tool_info schema discovery for WASM tools (#1086)
• resolve bug_bash UX/logging issues (#1054 #1055 #1058) (#1072)
• (http) fail closed when webhook secret is missing at runtime (#1075)
• (service) set CLI_ENABLED=false in macOS launchd plist (#1079)
• relax approval requirements for low-risk tools (#922)
• (web) make approval requests appear without page reload (#996) (#1073)
• (routines) run cron checks immediately on ticker startup (#1066)
• (web) recompute cron next_fire_at when re-enabling routines (#1080)
• (memory) reject absolute filesystem paths with corrective routing (#934)
• remove all inline event handlers for CSP script-src compliance (#1063)
• (mcp) include OAuth state parameter in authorization URLs (#1049)
• (mcp) open MCP OAuth in same browser as gateway (#951)
• (deploy) harden production container and bootstrap security (#1014)
• release lock guards before awaiting channel send (#869) (#1003)
• (registry) use versioned artifact URLs and checksums for all WASM manifests (#1007)
• (setup) preserve model selection on provider re-run (#679) (#987)
• (mcp) attach session manager for non-OAuth HTTP clients (#793) (#986)
• (security) migrate webhook auth to HMAC-SHA256 signature header (#970)
• (security) make unsafe env::set_var calls safe with explicit invariants (#968)
• (security) require explicit SANDBOX_ALLOW_FULL_ACCESS to enable FullAccess policy (#967)
• (security) add Content-Security-Policy header to web gateway (#966)
• (test) stabilize openai compat oversized-body regression (#839)
• (ci) disambiguate WASM bundle filenames to prevent tool/channel collision (#964)
• (setup) validate channel credentials during setup (#684)
• drain tunnel pipes to prevent zombie process (#735)
• (mcp) header safety validation and Authorization conflict bug from #704 (#752)
• (agent) block thread_id-based context pollution across users (#760)
• (mcp) stdio/unix transports skip initialize handshake (#890) (#935)
• (setup) drain residual events and filter key kind in onboard prompts (#937) (#949)
• (security) load WASM tool description and schema from capabilities.json (#520)
• (security) resolve DNS once and reuse for SSRF validation to prevent rebinding (#518)
• (security) replace regex HTML sanitizer with DOMPurify to prevent XSS (#510)
• (ci) improve Claude Code review reliability (#955)
• (ci) run gated test jobs during staging CI (#956)
• (ci) prevent staging-ci tag failure and chained PR auto-close (#900)
• (ci) WASM WIT compat sqlite3 duplicate symbol conflict (#953)
• resolve deferred review items from PRs #883, #848, #788 (#915)
• (web) improve UX readability and accessibility in chat UI (#910)

Other

• Fix Telegram auto-verify flow and routing (#1273)
• (e2e) fix approval waiting regression coverage (#1270)
• isolate heavy integration tests (#1266)
• Merge branch 'main' into fix/resolve-conflicts
• Refactor owner scope across channels and fix default routing fallback (#1151)
• (extensions) document relay manager init order (#928)
• (setup) extract init logic from wizard into owning modules (#1210)
• mention MiniMax as built-in provider in all READMEs (#1209)
• Fix schema-guided tool parameter coercion (#1143)
• Make no-panics CI check test-aware (#1160)
• (mcp) avoid reallocating SSE buffer on each chunk (#1153)
• (routines) avoid full message history clone each tool iteration (#1172)
• (registry) align manifest versions with published artifacts (#1169)
• remove pycache from repo and add to .gitignore (#1177)
• (registry) move MCP servers from code to JSON manifests (#1144)
• improve routine schema guidance (#1089)
• add event-trigger routine e2e coverage (#1088)
• enforce no .unwrap(), .expect(), or assert!() in production code (#1087)
• periodic sync main into staging (resolved conflicts) (#1098)
• fix formatting in cli/mod.rs and mcp/auth.rs (#1071)
• Expose the shared agent session manager via AppComponents (#532)
• (agent) remove unnecessary Worker re-export (#923)
• Fix UTF-8 unsafe truncation in WASM emit_message (#1015)
• extract safety module into ironclaw_safety crate (#1024)
• Add Z.AI provider support for GLM-5 (#938)
• (html_to_markdown) refresh golden files after renderer bump (#1016)
• Migrate GitHub webhook normalization into github tool (#758)
• Fix systemctl unit (#472)
• add Russian localization (README.ru.md) (#850)
• Add generic host-verified /webhook/tools/{tool} ingress (#757)

Install ironclaw 0.19.0

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/nearai/ironclaw/releases/download/v0.19.0/ironclaw-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/nearai/ironclaw/releases/download/v0.19.0/ironclaw-installer.ps1 | iex"

Install prebuilt binaries into your npm project

npm install ironclaw@0.19.0

Download ironclaw 0.19.0

File	Platform	Checksum
ironclaw-aarch64-apple-darwin.tar.gz	Apple Silicon macOS	checksum
ironclaw-x86_64-apple-darwin.tar.gz	Intel macOS	checksum
ironclaw-x86_64-pc-windows-msvc.tar.gz	x64 Windows	checksum
ironclaw-x86_64-pc-windows-msvc.msi	x64 Windows	checksum
ironclaw-aarch64-unknown-linux-gnu.tar.gz	ARM64 Linux	checksum
ironclaw-x86_64-unknown-linux-gnu.tar.gz	x64 Linux	checksum