Skip to content

Releases: MuhammadHasbiAshshiddieqy/OpenClawn

v0.11.0 — Trust mode, dynamic workdir via chat, chat history, PM routing fix

Choose a tag to compare

@MuhammadHasbiAshshiddieqy MuhammadHasbiAshshiddieqy released this 02 Jul 09:13

Rilis otonomi & riwayat chat: agent butuh lebih sedikit approval untuk aksi yang sudah aman lewat sandbox, bisa pindah folder lewat percakapan, dan chat tidak lagi reset saat reload. Ditambah dua bug fix dari laporan pengguna langsung. Semua backward-compatible, tanpa dependency baru.

Added — Trust mode & shell_run tanpa approval

shell_run tak lagi requires_approval — Docker sandbox (--network none, --read-only, non-root) sudah jadi pertahanan nyata. code_run TETAP selalu approval (CLAUDE.md §1, tidak bisa ditawar), ditegakkan di dua titik untuk defense-in-depth. AgentConfig.trust_mode adalah toggle per-sesi di UI yang tidak persist antar reload.

Added — Pindah folder kerja lewat chat (persist sepanjang sesi)

Agent kini bisa pindah folder saat diminta di tengah percakapan (set_workdir tool baru), dan perubahan bertahan untuk sisa sesi lewat session_workspace.

Added — Riwayat chat: sidebar, sesi baru, lanjutkan, hapus

session_id sekarang persist lintas reload. Sidebar baru menampilkan riwayat dikelompokkan waktu×role, dengan tombol sesi baru, lanjutkan, dan hapus. Judul chat dibuat otomatis oleh LLM ringan.

Added — QA bisa menyimpan test case sebagai Word/Excel/PDF

doc_write/pdf_write ditambahkan ke akses role QA.

Fixed — Error "No answer" saat generate contoh PRD (role PM)

Direproduksi live: model lokal merencanakan tool call yang benar di dalam reasoning tapi stream berhenti natural sebelum sempat bertindak — bukan soal token budget. Fix: PRD/dokumen di-reroute ke tier cloud lewat routing keyword.

Fixed — Indikator "sedang berpikir" selalu di paling atas chat

#status-line dipindah agar position: sticky-nya punya containing block yang benar terhadap area scroll chat.

Tests

622 test hijau (naik dari 578), ruff bersih, dokumentasi disinkronkan.

Full changelog: https://github.com/MuhammadHasbiAshshiddieqy/OpenClawn/blob/main/CHANGELOG.md#0110--2026-07-02

v0.10.0 — Adaptive workdir, session memory, SSE heartbeat, approval UI + fixes

Choose a tag to compare

@MuhammadHasbiAshshiddieqy MuhammadHasbiAshshiddieqy released this 02 Jul 03:39

Rilis UX & memori: perbaikan alur chat yang membuat agent terasa "lupa" dan
"macet". Semua backward-compatible, tanpa dependency baru.

Added — Working directory adaptif per-sesi (ala Claude Code/OpenClaw)

Folder kerja bisa dipilih per-sesi dari UI, bukan hanya OPENCLAWN_WORKSPACE global.

  • infra/workspace.pyCURRENT_WORKSPACE_ROOT ContextVar + effective_workspace_root
    / resolve_in_current_workspace (tanpa mengubah signature Tool.execute).
  • tools/{file_ops,document,search,shell,git}.py — hormati workspace_override per-sesi.
  • web/main.py_validate_workdir (fail-closed) + GET /workdir/check (validasi live).
  • Web UI — field workdir di mode-bar dengan umpan balik valid/invalid saat mengetik.

Added — Riwayat percakapan per-sesi (agent ingat konteks)

Sebelumnya AgentLoop dibuat baru tiap request → self.history kosong, sehingga
"Mana file-nya?" tak punya rujukan walau di sesi yang sama.

  • session_turns (tabel baru) + MemoryManager.load_turns/append_turn.
  • core/agent_loop.py — muat transkrip sesi di awal run(), persist di finalize;
    AgentConfig.persist_history (single-agent True, multi-agent False).
  • infra/config.pysession_history_turns (default 20).

Added — Heartbeat SSE (hentikan "Server not responding" palsu)

  • web/main.py_with_heartbeat kirim komentar : ping tiap 10 dtk selama agent
    diam; koneksi tak pernah putus (tak perlu reconnect). Watchdog frontend dinaikkan ke
    25 dtk & di-reword jadi "masih bekerja".

Fixed — Agent menulis file berulang untuk task simpel

Model lokal (Gemma/DeepSeek) memanggil file_write berulang karena giliran assistant
yang MEMANGGIL tool tak pernah ditulis balik ke messages.

  • core/agent_loop.py — writeback giliran assistant+tool ke messages,
    _format_tool_result (teks sukses eksplisit), deteksi loop tulis-path-sama.

Fixed — Form approval chat tak bisa disetujui

Dulu tak ada tombol; semua tool butuh-approval timeout diam-diam.

  • security/approval.pyrequest(..., approval_id=None) agar AgentLoop bisa
    pre-generate ID & emit ke UI sebelum blocking → kartu Approve/Reject dengan preview
    parameter (path/command) & aksen "menunggu".

Fixed — Model hanya mencetak kode, tak membuat file

  • roles/{dev,pm,qa}/soul.toml — instruksi eksplisit: permintaan buat/simpan file
    WAJIB panggil file_write; cetak-di-chat tak dianggap selesai. Ditambah alur download
    file yang berhasil ditulis (GET /workspace/download).

Tests

test_agent_tool_loop.py, test_session_history.py, test_heartbeat.py,
test_file_download.py — total 578 test hijau.

v0.9.0 — Self-host production hardening (auth, CSRF, rate limit)

Choose a tag to compare

@MuhammadHasbiAshshiddieqy MuhammadHasbiAshshiddieqy released this 01 Jul 16:27

Added — Self-host production hardening (opt-in auth, CSRF, rate limiting)

Answers the valid P0 findings from a production-readiness audit (no auth/HTTPS/CSRF/rate-limit = blockers for exposing OpenCLAWN to the internet). Everything defaults off (OPENCLAWN_AUTH_TOKEN unset) — the old no-login behavior still works for localhost/VPN use. No new dependencies: auth uses stdlib hmac/secrets instead of Starlette's SessionMiddleware (which needs itsdangerous), and rate limiting is in-memory (single-process is enough for single-user, per the project's design).

  • security/auth.py — single-user shared-secret login, HMAC-signed session cookie (7-day expiry, constant-time verification), CSRF token generation.
  • security/rate_limit.py — sliding-window limiter for /chat/stream and /converse/stream (default 20 req/60s), independent of whether auth is enabled.
  • web/main.py — auth+CSRF+rate-limit middleware, /login + /logout routes, custom 404/500 exception handlers (no leaked stack traces), startup health check (logs Ollama/API-key/auth status without blocking boot), /health now reports ollama/cloud_keys/auth_enabled.
  • New login.html/404.html/500.html templates + a Sign out button in the sidebar (shown only when auth is enabled).
  • Caddyfile.example for a TLS reverse proxy, plus a docker-compose.yml healthcheck (stdlib urllib, not curl — avoids adding a package to the slim image).
  • Documentation (README, docs/security.md, docs/web.md, docs/infra.md, docs/tests.md) updated to match — README's old "Authentication: Not included" claim was stale now that it's available as opt-in.

Bug found and fixed via test-first development: the rate limiter was fully bypassed whenever auth was disabled, because the auth middleware's early-return also skipped the independent rate-limit check. Fixed, with a regression test.


Tests: 550 passing (32 new), ruff clean.

v0.8.0 — Gated curation, English-default UI, refactor

Choose a tag to compare

@MuhammadHasbiAshshiddieqy MuhammadHasbiAshshiddieqy released this 01 Jul 15:35

Added — Gated Skill Curator (I1 completion, §8)

curation_auto (default False) was defined in config but never read — the curator always merged immediately once judge confidence passed the threshold, breaking the "propose first, human applies" philosophy already used for router calibration. Default now only proposes merges (curation_log.status='pending') and waits for a Terapkan (Apply) click on /skills; curation_auto=True still allows direct auto-merge.

  • memory/curator.py: new _propose()/apply_pending_merge(), _merge() refactored into shared _apply_merge(); revert_last_merge() only looks at status='applied' rows.
  • New endpoint POST /skills/apply-merge + Apply button in the UI.

Added — UI locale (English default, switchable to Indonesian)

All static text across the 9 web pages (nav, buttons, titles, status messages — previously a mix of hardcoded Indonesian) now goes through infra/i18n.py (t()/translator(), ~180 keys). Default English; switch to Indonesian via a dropdown on /settings, stored server-side (ui_locale). Agent response language is untouched — the agent still always replies in whatever language the user writes in; this only affects UI chrome.

Changed — Web UI technical-debt cleanup (from a UI/UX audit)

  • Sidebar DRY: markup previously duplicated across 9 templates now lives in web/templates/_sidebar.html, included via a page context var — bonus aria-current="page" on the active nav item.
  • CSS split by concern: the 1082-line monolithic style.css is now organized under web/static/css/*.css (base/layout/chat/pages/activity/autopilots/skills/conversations/toast); style.css is a thin @import entry point.
  • JS extracted: ~700 lines of inline JS in index.html moved to a cacheable web/static/chat.js, with server-rendered data passed via window.OPENCLAWN_DATA.
  • Accessibility/security polish: real SRI integrity hashes (computed from the actual pinned CDN files) for marked/DOMPurify, prefers-reduced-motion support, improved --text-faint contrast (#6f6690#7d73a0), aria-live="polite" on SSE-updated regions.

Fixed — Column migration for existing installs

CREATE TABLE IF NOT EXISTS is a no-op on tables that already exist, so columns added after initial release (curation_log.status/merged_content, skills.merged_into/version) never reached older databases — causing a 500 on /skills (no such column: status). DatabaseManager now patches missing columns on existing tables at every startup (PRAGMA table_info + ALTER TABLE ADD COLUMN, idempotent, no data loss).

Fixed — Activity timeline label overlap

A regression from the earlier "evidence" framing: kind labels got longer ("Routing" → "Routing evidence" etc.) but the grid column width wasn't adjusted, so the longest labels overflowed into the title column. Column widened, label allowed to wrap.


Tests: 513 passing, ruff clean.

v0.7.0 — Guardrails (NeMo-style) + FTS5 fix

Choose a tag to compare

@MuhammadHasbiAshshiddieqy MuhammadHasbiAshshiddieqy released this 24 Jun 22:38

First stable release — exits the -alpha pre-release phase.

Added — Guardrails (NeMo-style input/output rails)

Adopts the NVIDIA NeMo Guardrails architecture natively (no LangChain/heavy deps), closing OpenCLAWN's biggest gap: nothing previously checked LLM output.

  • security/guardrails.py — pure-stdlib GuardrailEngine + rails (extractable):
    • input: PromptInjectionRail (wraps Shield, BLOCK)
    • output: PromptLeakRail (BLOCK system-prompt leak), PIIRail (REDACT email/card/api-key)
  • core/guardrails_config.py — per-rail on/off in app_settings, read per-turn (live UI toggles), fail-safe default-on
  • agent_loop integration: redacts/blocks before storing to history/memory; emits guardrail SSE event

Streaming note: already-streamed tokens can't be unsent; output rails operate on the full turn.content to keep PII out of stored memory and flag the UI.

Fixed — FTS5 query sanitization (memory L4)

Raw user queries hit FTS5 MATCH; punctuation (. , : ( ) ") is FTS5 operator syntax, so ordinary queries like "bug login: OAuth." always errored → L4 cross-session search failed silently. New fts5_query() tokenizes + quotes + ORs terms; punctuated queries now find matches.


Tests: 490 passing, ruff clean.

v0.6.0-alpha — Web UI enhancements + audit fixes

Choose a tag to compare

Added — UI enhancements (Web UI)

Sepuluh peningkatan UX di halaman chat utama: tool call cards (kartu visual
nama tool + input + status approval), copy button otomatis di code block,
smart auto-scroll (diam saat user scroll ke atas, lanjut saat ada konten baru),
collapsible sidebar untuk layar kecil, toast notifications, drag & drop
file
ke composer, keyboard shortcut (Ctrl+K fokus composer, Escape blur), dan
syntax highlighting (highlight.js) untuk code block.

Fixed — UI batch (audit pasca-merge)

Audit batch UI menemukan beberapa cacat nyata yang langsung diperbaiki:

  • Drag & drop semula memakai file.path (API Electron — selalu undefined
    di browser) lalu auto-mengirim prompt rusak. Kini membaca isi file via
    FileReader ke composer (tanpa auto-send, batas 256 KiB, guard Files-only agar
    drag teks ke textarea tetap normal) dengan umpan balik toast.
  • Syntax highlight + copy button tak pernah jalan untuk jawaban streaming:
    MutationObserver hanya terpicu saat node .msg-body baru, padahal streaming
    me-rewrite innerHTML pada node yang sama. Diganti finalizeBody() yang
    dipanggil sekali per giliran setelah stream selesai (mode single & conversation).
  • Hapus override renderMarkdown no-op (dead code) dan MutationObserver boros.
  • highlight.js v11.9.0 kini di-host lokal di web/static/ (local-first,
    tanpa dependency CDN runtime); load bersifat opsional — finalizeBody() men-skip
    highlight secara senyap bila hljs tak tersedia.
  • Cabut typing indicator (titik-tiga): status line sudah meng-cover state
    menunggu, dua indikator "sedang bekerja" terasa berlebih.

v0.5.0-alpha — MCP client, skill scanner, context compaction

Choose a tag to compare

Added — skill scanner (terinspirasi nvidia/skillspector)

Skill packs sudah membuka jalur "terima skill dari URL/file eksternal", tapi scanner-nya
hanya 4 regex Shield kosmetik — tak sepadan dengan ancaman skill yang membawa kode.

  • security/skill_scanner.py — pemindai dua lapis MURNI stdlib (ast + re):
    AST mendeteksi exec/eval/subprocess/os.system/__import__/open(write) pada
    blok kode; pola leksikal menangkap eksfiltrasi (curl|sh), path kredensial (~/.ssh,
    id_rsa), URL ber-kredensial, endpoint metadata cloud. Skor 0–100 → verdict
    clean/flag/reject.
  • Wiring impor (§1 keamanan-dulu): risiko tinggi → DITOLAK total (tak masuk DB,
    keputusan owner); risiko sedang → tetap draft tapi dicatat flagged; bersih → draft.
    SELALU aktif (keamanan, bukan optimasi — tak bisa dimatikan dari UI). Berlaku impor
    file & URL. Shield.DANGER_PATTERNS juga diperluas (eksfiltrasi instruksi/jailbreak).
  • Tak pernah crash (input eksternal) & tak false-positive pada prosa biasa. +12 test.

Added — context compaction "headroom" (opt-in, terinspirasi chopratejas/headroom)

Saat context window penuh, compactor default MEMOTONG turn terlama (truncation — jujur
tapi yang hilang benar-benar hilang). Compaction MERINGKAS turn lama jadi satu blok
alih-alih membuang — hemat token tanpa kehilangan konteks total (§1.4).

  • OPT-IN, default OFF (§8): diatur di /settings (off|local|cloud). off =
    truncation aman; local = ringkas via model lokal kecil (gratis/privat); cloud =
    via model cloud (kualitas untuk history kompleks). Peringkasan via LLM bisa membuang
    nuansa & menambah latensi — karenanya tak dipaksakan.
  • ContextCompactor.compact() (async, pre-pass sebelum build()): ringkas turn lama
    jadi [compacted] …, sisakan N turn terbaru UTUH. Fail-safe (§1.3): muat budget /
    summarizer error / ringkasan kosong / sudah ringkasan → history asli (truncation lama).
    Summarizer di-inject (seam bersih) → testable tanpa LLM. +9 test.

Added — single-user production polish

Setelah review pihak ketiga (yang sebagian keliru menilai OpenCLAWN sebagai produk
multi-user), dua gap yang BENAR-BENAR valid untuk self-hosted single-user ditutup:

  • /health endpoint — JSON status + cek konektivitas DB, untuk monitoring self-hosted.
  • Stale-draft cleanup — draft yang tua (draft_stale_days, default 14) & tak pernah
    terbukti (draft_success_count=0) diarsipkan saat decay pass — cegah menumpuk. ARSIP,
    bukan hapus (konsisten "tak ada kehilangan data senyap"). draft_stale_days=0 → nonaktif.
  • README: section Scope & Production Posture — menegaskan auth/Postgres/scaling DI LUAR
    scope secara SADAR (§7 single-user), bukan utang teknis. +5 test.

Added — MCP (Model Context Protocol) client

OpenCLAWN kini dapat memakai tool dari server MCP eksternal (GitHub, filesystem,
dll) — sebelumnya hanya 26 tool bawaan. Via SDK resmi mcp (CLAUDE.md §7: MCP bukan
SDK vendor-LLM, jadi tak melanggar transparansi jalur LLM).

  • Transport: stdio (subprocess lokal) + HTTP streamable (remote).
  • Keamanan (§1): tool MCP SELALU butuh approval (HITL; di autopilot jadi
    proposal) — server eksternal tak terkendali. Remote di-guard SSRF sebelum konek.
    Role harus opt-in via soul.toml wildcard mcp__* / mcp__<server>__*.
  • Tool MCP tak dapat jalur istimewa: dibungkus MCPTool (subclass Tool), lewat
    pagar yang sama (izin/validasi/telemetri/timeout). Discover fail-safe (server error
    di-skip, tak jatuhkan startup). Kelola via halaman /mcp (tabel mcp_servers).
  • core/mcp_client.py · core/mcp_registry.py · tools/mcp_tool.py. +19 test (420→439).

v0.4.0-alpha — compounding, autopilots, skill packs, multilingual

Choose a tag to compare

Pre-release kedua OpenCLAWN. Membangun di atas 4 inovasi inti — masih fase research (single-user, API dapat berubah, test memakai mock LLM).

Highlights sejak v0.3.0-alpha

  • Skill compounding — library skill merapikan & memperbaiki dirinya: draft naik kelas saat terbukti, skill diperbaiki saat dikoreksi, duplikat digabung. Semua gated, versioned, revertible.
  • Autopilots — tugas agent terjadwal yang aman by design: read-only; aksi butuh-approval jadi proposal, bukan eksekusi diam-diam.
  • Skill packs — export/import skill antar-instalasi (Markdown + hash) di balik guard SSRF + anti-injection, masuk sebagai draft.
  • Activity timeline — linimasa kronologis aksi agent + blocker terbuka.
  • Multi-agent conversation — pipeline/debate/orchestrator dengan handoff tervalidasi, live stop & interject.
  • Multilingual routing — sinyal kompleksitas bahasa-agnostik + tier bump sadar-script (opt-in).
  • Keamanan — anti-SSRF pada web tools; guarded auto-apply kalibrasi (opt-in, clamp ±1).
  • Ops — 26 tools, CI dengan uv.lock, 420 tests passing, ruff clean.

Lihat CHANGELOG.md untuk daftar lengkap.

🤝 Kontribusi sangat ditunggu — fase pengembangan aktif.

v0.3.0-alpha — first pre-release

Pre-release

Choose a tag to compare

OpenCLAWN's first tagged pre-release. Feature-complete against the v0.3 core spec, but still in the research/experiment phase — single-user, no auth, APIs may shift before a stable 0.3.0. All tests mock the LLM/Docker/Ollama layers, so validate your own local setup end-to-end.

Highlights

  • 4 core innovations: routing audit + self-calibration, skill decay, confidence-gated crystallization, role output contracts.
  • Multi-agent conversation: pipeline / debate / orchestrator over one loop, with live stop & interject.
  • Hybrid LLM: local-first fallback (Ollama → Gemini → Claude), raw httpx (no vendor SDKs). Editable tier→model map.
  • 25 tools: files, sandboxed code/shell, documents (docx/pptx/xlsx/pdf), read-only git, web.
  • Security: Docker-only code execution, Vault-injected credentials (never in context/logs), anti-SSRF guard on web tools.
  • Observability: /metrics, /skills, /conversations. CI with enforced uv.lock.
  • 325 tests passing, ruff clean.

See CHANGELOG.md for the full list.

🤝 Contributions welcome — this is an active development phase.