Pulled from GitHub Releases

Changelog

Every release of netclaw-dev/netclaw. Pick a version from the sidebar — this page rebuilds whenever a new release is published.

v0.18.0

Netclaw 0.18.0

0.18.0 2026-05-14

Netclaw v0.18.0 — Directory-scoped approvals, sub-agent reloads, vLLM support, channel reliability, and security hardening

Features

  • Directory-scoped shell command approval patterns — approve a shell command rooted at a parent directory and it automatically applies to all subdirectories, eliminating redundant prompts. Approval entries now use a (verb, directory) model with proper path hierarchy. (#896)

  • netclaw approvals CLI — new CLI subcommand for listing, revoking, and managing shell command approvals with a TUI interface. Closes #921. (#927)

  • vLLM-aware capability resolver + timings split — the provider system now detects vLLM endpoints and resolves capabilities accordingly, with separate prompt/decode timing metrics. (#619, #986)

  • File-based sub-agent hot reload — file-defined sub-agents under ~/.netclaw/agents/ now reload automatically when modified, and spawned sub-agents inherit parent session context (session_dir, project_dir). Invalid edits fail closed. (#984)

  • Serialization marker interface + test-time verification — new ISerializableMessage marker interface with compile-time and test-time verification to catch unregistered serialization types early. Closes #961. (#978)

  • SearXNG backend hardening — improved SearXNG search with custom User-Agent, 429 retry logic, configurable timeouts, and 403 detection. (#914)

  • Container/proxy exposure mode relaxation — daemon no longer rejects https exposure mode when bound to loopback, supporting TLS-termination-at-proxy topologies. (#864)

Bug Fixes

  • Button approvals route by SessionId — approval button clicks now route via the deterministic session actor path instead of the per-thread binding's in-memory lookup, fixing silently-dropped approvals when channel adapters passivate. Closes #979. (#982)

  • Thread history hydration — bot messages from thread history now hydrate only once per actor lifetime, with media properly accounted for in compaction size calculations. (#990)

  • Passivation race fix — sessions now use a post-snapshot grace window to close the passivation race condition where messages could be lost during shutdown. (#985)

  • ModelReference modality schema alignment — config schema now matches scalar binding for ModelReference.Modality. (#988, #989)

  • Reminder execution fixes — removed spurious 5-minute execution timeout that was killing long-running reminders, and prevented duplicate concurrent execution of the same reminder. (#970)

  • Config watcher atomic-replace handling — file system watcher now handles atomic-replace writes (Renamed events) from editors like VS Code. Closes #959. (#960)

  • Thread history backfill — bot messages are now included in thread history backfill, and hydration happens only at thread root. (#954, #958)

  • Memory provenance — adopted-context provenance is now separated from third-party memory policy. (#952)

  • netclaw doctor warning suppression — no longer warns about explicitly-configured Personal posture and tool profile. (#950)

  • Systemd PATH fix — systemd unit now bakes PATH so the shell tool can resolve the netclaw CLI. (#948)

  • Thinking-only retry guard — three-layer SSE/middleware/actor diagnostics prevent retries on thinking-only responses, plus RollingFileLogger Debug-level fix. (#947)

  • Watchdog two-phase timeout — watchdog now consumes prompt_progress keepalives from llama.cpp and uses a two-phase timeout to prevent false-positive watchdog kills. (#946)

  • MCP personal mode defaults — personal mode now defaults all tools to Auto and the toggle grants all tools properly. (#942, #943)

  • Approval button label truncation — button labels are now truncated to fit Slack/Discord character limits. Closes #931. (#937)

  • DailyStatsActor SQLite DDL cleanup — removed SQLite DDL from PreStart, and wizard poll-timeout now surfaces crash logs. Closes #925. (#938)

  • Session diagnostics logging — all session diagnostics now route into a single session log file, with sidecar IChatClient calls wrapped in SessionDiagnosticsContext. (#916, #926)

  • TUI context window display — status bar now uses daemon-reported context window size. (#906, #913)

  • Wizard Personal posture fix — init wizard with Personal posture no longer silently disables all features. (#907)

Security

  • Filesystem root tilde expansion~ and $HOME in configured filesystem roots are now properly expanded. (#975)

  • Skill scanner NoOp for system skills — swapped skill content scanner to NoOp to unblock system skills from loading. (#976, #977)

  • Non-loopback Daemon.Host rejection — Local exposure mode now rejects non-loopback Daemon.Host values. (#901)

  • Reverted trust-zones — stayed on the simpler (verb, directory) ApprovalEntry model instead of the trust-zone approach. (#962)

Dependencies

  • Bumped Microsoft.SourceLink.GitHub from 10.0.203 to 10.0.300. (#983)
  • Bumped Microsoft platform/AI packages and added Dependabot groups. (#980)
  • Bumped Netclaw.SkillClient from 0.2.1 to 0.3.0. (#936)