Netclaw 0.18.0
0.18.0 2026-05-14
Netclaw v0.18.0 — Directory-scoped approvals, sub-agent reloads, vLLM support, channel reliability, and security hardening
Features
Directory-scoped shell command approval patterns — approve a shell command rooted at a parent directory and it automatically applies to all subdirectories, eliminating redundant prompts. Approval entries now use a
(verb, directory)model with proper path hierarchy. (#896)netclaw approvalsCLI — new CLI subcommand for listing, revoking, and managing shell command approvals with a TUI interface. Closes #921. (#927)vLLM-aware capability resolver + timings split — the provider system now detects vLLM endpoints and resolves capabilities accordingly, with separate prompt/decode timing metrics. (#619, #986)
File-based sub-agent hot reload — file-defined sub-agents under
~/.netclaw/agents/now reload automatically when modified, and spawned sub-agents inherit parent session context (session_dir, project_dir). Invalid edits fail closed. (#984)Serialization marker interface + test-time verification — new
ISerializableMessagemarker interface with compile-time and test-time verification to catch unregistered serialization types early. Closes #961. (#978)SearXNG backend hardening — improved SearXNG search with custom User-Agent, 429 retry logic, configurable timeouts, and 403 detection. (#914)
Container/proxy exposure mode relaxation — daemon no longer rejects
httpsexposure mode when bound to loopback, supporting TLS-termination-at-proxy topologies. (#864)
Bug Fixes
Button approvals route by SessionId — approval button clicks now route via the deterministic session actor path instead of the per-thread binding's in-memory lookup, fixing silently-dropped approvals when channel adapters passivate. Closes #979. (#982)
Thread history hydration — bot messages from thread history now hydrate only once per actor lifetime, with media properly accounted for in compaction size calculations. (#990)
Passivation race fix — sessions now use a post-snapshot grace window to close the passivation race condition where messages could be lost during shutdown. (#985)
ModelReference modality schema alignment — config schema now matches scalar binding for
ModelReference.Modality. (#988, #989)Reminder execution fixes — removed spurious 5-minute execution timeout that was killing long-running reminders, and prevented duplicate concurrent execution of the same reminder. (#970)
Config watcher atomic-replace handling — file system watcher now handles atomic-replace writes (Renamed events) from editors like VS Code. Closes #959. (#960)
Thread history backfill — bot messages are now included in thread history backfill, and hydration happens only at thread root. (#954, #958)
Memory provenance — adopted-context provenance is now separated from third-party memory policy. (#952)
netclaw doctorwarning suppression — no longer warns about explicitly-configured Personal posture and tool profile. (#950)Systemd PATH fix — systemd unit now bakes PATH so the shell tool can resolve the
netclawCLI. (#948)Thinking-only retry guard — three-layer SSE/middleware/actor diagnostics prevent retries on thinking-only responses, plus
RollingFileLoggerDebug-level fix. (#947)Watchdog two-phase timeout — watchdog now consumes
prompt_progresskeepalives from llama.cpp and uses a two-phase timeout to prevent false-positive watchdog kills. (#946)MCP personal mode defaults — personal mode now defaults all tools to Auto and the toggle grants all tools properly. (#942, #943)
Approval button label truncation — button labels are now truncated to fit Slack/Discord character limits. Closes #931. (#937)
DailyStatsActor SQLite DDL cleanup — removed SQLite DDL from
PreStart, and wizard poll-timeout now surfaces crash logs. Closes #925. (#938)Session diagnostics logging — all session diagnostics now route into a single session log file, with sidecar
IChatClientcalls wrapped inSessionDiagnosticsContext. (#916, #926)TUI context window display — status bar now uses daemon-reported context window size. (#906, #913)
Wizard Personal posture fix — init wizard with Personal posture no longer silently disables all features. (#907)
Security
Filesystem root tilde expansion —
~and$HOMEin configured filesystem roots are now properly expanded. (#975)Skill scanner NoOp for system skills — swapped skill content scanner to NoOp to unblock system skills from loading. (#976, #977)
Non-loopback Daemon.Host rejection — Local exposure mode now rejects non-loopback
Daemon.Hostvalues. (#901)Reverted trust-zones — stayed on the simpler
(verb, directory) ApprovalEntrymodel instead of the trust-zone approach. (#962)
Dependencies