Netclaw 0.21.0
0.21.0 2026-05-27
Netclaw v0.21.0 — Venice.ai provider, security hardening, approval prompt reliability, and ARM support
Features
Venice.ai provider support — full end-to-end integration for the Venice.ai chat client. Venice is now discoverable in the provider picker and callable through the daemon. (#1197)
Venice.ai system-prompt override — by default, Venice silently prepends their own system prompt which breaks Netclaw identity grounding. This release forces
include_venice_system_prompt = falseto keep SOUL.md / AGENTS.md as the first system message. Operators can opt in to Venice's default prefix viaVendorOptions:IncludeVeniceSystemPrompt = true. (#1197)Mattermost container ARM support — the Mattermost Docker container now correctly pulls and runs on ARM hosts (e.g., Apple Silicon Macs) with explicit
--platform linux/amd64specification. (#1182)
Security
- Closed tunnel loopback auth bypass (SEC-005) — the loopback authentication handler previously auto-issued Operator tickets to anyone on loopback in tunnel modes (tailscale-serve, tailscale-funnel, cloudflare-tunnel), allowing remote attackers to bypass authentication. The handler now requires remote authentication in all tunnel modes. Additionally, session pairing codes are now rejected from loopback connections in tunnel modes to prevent the local tunnel forwarder from minting new pairing codes. (#1185)
Bug Fixes
Provider secrets decryption restored — provider API keys saved to secrets.json were previously sent scrambled to LLM providers, causing 401 errors across OpenRouter, Anthropic, and OpenAI. Keys are now properly decrypted before use. (#1195)
Approval prompts redraw after passivation — when channel binding actors passivated between posting an approval prompt and the user clicking a button, the in-memory pending-approval state was lost and buttons stayed live indefinitely. Prompts now correctly redraw (clearing to "resolved") using the prompt message identifier from the interaction payload. (#939)
Approval callbacks hardened against forgery — Mattermost callbacks now verify the post ID against the actual prompt post, preventing token holders from redirecting the bot's edit to any post they had permissions to modify. (#1193)
Oversized approval prompts truncated — multi-KB shell commands (like
gh issue createwith embedded reports) previously blew past Slack's 3000-char, Discord's 2000-char, and Mattermost's caps, causing auto-deny fallbacks. Prompts are now truncated per-platform budget (Slack 2500, Discord 1700, Mattermost 12000) so the user can see and approve them. (#1186)
Improvements
Ollama sample pinned to 0.24.0 — the Aspire demo now pins Ollama to 0.24.0 (was 0.13.0) to support qwen3.5 models, which require a newer manifest format. (#1194)
Unified provider config loading — the daemon's capability-resolver startup probe now uses the same
ProviderConfigurationLoaderas the main config path, removing an asymmetry that hid the #1195 regression. (#1196)
Documentation
- Local binary swap skill updated — the local-binary-swap skill now explicitly requires a daemon re-launch after the binary swap to prevent leaving the install in a broken state. (#1192)