Releases: MuhammadHasbiAshshiddieqy/OpenClawn
Release list
v0.11.0 — Trust mode, dynamic workdir via chat, chat history, PM routing fix
Rilis otonomi & riwayat chat: agent butuh lebih sedikit approval untuk aksi yang sudah aman lewat sandbox, bisa pindah folder lewat percakapan, dan chat tidak lagi reset saat reload. Ditambah dua bug fix dari laporan pengguna langsung. Semua backward-compatible, tanpa dependency baru.
Added — Trust mode & shell_run tanpa approval
shell_run tak lagi requires_approval — Docker sandbox (--network none, --read-only, non-root) sudah jadi pertahanan nyata. code_run TETAP selalu approval (CLAUDE.md §1, tidak bisa ditawar), ditegakkan di dua titik untuk defense-in-depth. AgentConfig.trust_mode adalah toggle per-sesi di UI yang tidak persist antar reload.
Added — Pindah folder kerja lewat chat (persist sepanjang sesi)
Agent kini bisa pindah folder saat diminta di tengah percakapan (set_workdir tool baru), dan perubahan bertahan untuk sisa sesi lewat session_workspace.
Added — Riwayat chat: sidebar, sesi baru, lanjutkan, hapus
session_id sekarang persist lintas reload. Sidebar baru menampilkan riwayat dikelompokkan waktu×role, dengan tombol sesi baru, lanjutkan, dan hapus. Judul chat dibuat otomatis oleh LLM ringan.
Added — QA bisa menyimpan test case sebagai Word/Excel/PDF
doc_write/pdf_write ditambahkan ke akses role QA.
Fixed — Error "No answer" saat generate contoh PRD (role PM)
Direproduksi live: model lokal merencanakan tool call yang benar di dalam reasoning tapi stream berhenti natural sebelum sempat bertindak — bukan soal token budget. Fix: PRD/dokumen di-reroute ke tier cloud lewat routing keyword.
Fixed — Indikator "sedang berpikir" selalu di paling atas chat
#status-line dipindah agar position: sticky-nya punya containing block yang benar terhadap area scroll chat.
Tests
622 test hijau (naik dari 578), ruff bersih, dokumentasi disinkronkan.
Full changelog: https://github.com/MuhammadHasbiAshshiddieqy/OpenClawn/blob/main/CHANGELOG.md#0110--2026-07-02
v0.10.0 — Adaptive workdir, session memory, SSE heartbeat, approval UI + fixes
Rilis UX & memori: perbaikan alur chat yang membuat agent terasa "lupa" dan
"macet". Semua backward-compatible, tanpa dependency baru.
Added — Working directory adaptif per-sesi (ala Claude Code/OpenClaw)
Folder kerja bisa dipilih per-sesi dari UI, bukan hanya OPENCLAWN_WORKSPACE global.
infra/workspace.py—CURRENT_WORKSPACE_ROOTContextVar +effective_workspace_root
/resolve_in_current_workspace(tanpa mengubah signatureTool.execute).tools/{file_ops,document,search,shell,git}.py— hormatiworkspace_overrideper-sesi.web/main.py—_validate_workdir(fail-closed) +GET /workdir/check(validasi live).- Web UI — field workdir di mode-bar dengan umpan balik valid/invalid saat mengetik.
Added — Riwayat percakapan per-sesi (agent ingat konteks)
Sebelumnya AgentLoop dibuat baru tiap request → self.history kosong, sehingga
"Mana file-nya?" tak punya rujukan walau di sesi yang sama.
session_turns(tabel baru) +MemoryManager.load_turns/append_turn.core/agent_loop.py— muat transkrip sesi di awalrun(), persist di finalize;
AgentConfig.persist_history(single-agent True, multi-agent False).infra/config.py—session_history_turns(default 20).
Added — Heartbeat SSE (hentikan "Server not responding" palsu)
web/main.py—_with_heartbeatkirim komentar: pingtiap 10 dtk selama agent
diam; koneksi tak pernah putus (tak perlu reconnect). Watchdog frontend dinaikkan ke
25 dtk & di-reword jadi "masih bekerja".
Fixed — Agent menulis file berulang untuk task simpel
Model lokal (Gemma/DeepSeek) memanggil file_write berulang karena giliran assistant
yang MEMANGGIL tool tak pernah ditulis balik ke messages.
core/agent_loop.py— writeback giliranassistant+toolke messages,
_format_tool_result(teks sukses eksplisit), deteksi loop tulis-path-sama.
Fixed — Form approval chat tak bisa disetujui
Dulu tak ada tombol; semua tool butuh-approval timeout diam-diam.
security/approval.py—request(..., approval_id=None)agarAgentLoopbisa
pre-generate ID & emit ke UI sebelum blocking → kartu Approve/Reject dengan preview
parameter (path/command) & aksen "menunggu".
Fixed — Model hanya mencetak kode, tak membuat file
roles/{dev,pm,qa}/soul.toml— instruksi eksplisit: permintaan buat/simpan file
WAJIB panggilfile_write; cetak-di-chat tak dianggap selesai. Ditambah alur download
file yang berhasil ditulis (GET /workspace/download).
Tests
test_agent_tool_loop.py, test_session_history.py, test_heartbeat.py,
test_file_download.py — total 578 test hijau.
v0.9.0 — Self-host production hardening (auth, CSRF, rate limit)
Added — Self-host production hardening (opt-in auth, CSRF, rate limiting)
Answers the valid P0 findings from a production-readiness audit (no auth/HTTPS/CSRF/rate-limit = blockers for exposing OpenCLAWN to the internet). Everything defaults off (OPENCLAWN_AUTH_TOKEN unset) — the old no-login behavior still works for localhost/VPN use. No new dependencies: auth uses stdlib hmac/secrets instead of Starlette's SessionMiddleware (which needs itsdangerous), and rate limiting is in-memory (single-process is enough for single-user, per the project's design).
security/auth.py— single-user shared-secret login, HMAC-signed session cookie (7-day expiry, constant-time verification), CSRF token generation.security/rate_limit.py— sliding-window limiter for/chat/streamand/converse/stream(default 20 req/60s), independent of whether auth is enabled.web/main.py— auth+CSRF+rate-limit middleware,/login+/logoutroutes, custom 404/500 exception handlers (no leaked stack traces), startup health check (logs Ollama/API-key/auth status without blocking boot),/healthnow reportsollama/cloud_keys/auth_enabled.- New
login.html/404.html/500.htmltemplates + a Sign out button in the sidebar (shown only when auth is enabled). Caddyfile.examplefor a TLS reverse proxy, plus adocker-compose.ymlhealthcheck (stdliburllib, notcurl— avoids adding a package to the slim image).- Documentation (README,
docs/security.md,docs/web.md,docs/infra.md,docs/tests.md) updated to match — README's old "Authentication: Not included" claim was stale now that it's available as opt-in.
Bug found and fixed via test-first development: the rate limiter was fully bypassed whenever auth was disabled, because the auth middleware's early-return also skipped the independent rate-limit check. Fixed, with a regression test.
Tests: 550 passing (32 new), ruff clean.
v0.8.0 — Gated curation, English-default UI, refactor
Added — Gated Skill Curator (I1 completion, §8)
curation_auto (default False) was defined in config but never read — the curator always merged immediately once judge confidence passed the threshold, breaking the "propose first, human applies" philosophy already used for router calibration. Default now only proposes merges (curation_log.status='pending') and waits for a Terapkan (Apply) click on /skills; curation_auto=True still allows direct auto-merge.
memory/curator.py: new_propose()/apply_pending_merge(),_merge()refactored into shared_apply_merge();revert_last_merge()only looks atstatus='applied'rows.- New endpoint
POST /skills/apply-merge+ Apply button in the UI.
Added — UI locale (English default, switchable to Indonesian)
All static text across the 9 web pages (nav, buttons, titles, status messages — previously a mix of hardcoded Indonesian) now goes through infra/i18n.py (t()/translator(), ~180 keys). Default English; switch to Indonesian via a dropdown on /settings, stored server-side (ui_locale). Agent response language is untouched — the agent still always replies in whatever language the user writes in; this only affects UI chrome.
Changed — Web UI technical-debt cleanup (from a UI/UX audit)
- Sidebar DRY: markup previously duplicated across 9 templates now lives in
web/templates/_sidebar.html, included via apagecontext var — bonusaria-current="page"on the active nav item. - CSS split by concern: the 1082-line monolithic
style.cssis now organized underweb/static/css/*.css(base/layout/chat/pages/activity/autopilots/skills/conversations/toast);style.cssis a thin@importentry point. - JS extracted: ~700 lines of inline JS in
index.htmlmoved to a cacheableweb/static/chat.js, with server-rendered data passed viawindow.OPENCLAWN_DATA. - Accessibility/security polish: real SRI
integrityhashes (computed from the actual pinned CDN files) formarked/DOMPurify,prefers-reduced-motionsupport, improved--text-faintcontrast (#6f6690→#7d73a0),aria-live="polite"on SSE-updated regions.
Fixed — Column migration for existing installs
CREATE TABLE IF NOT EXISTS is a no-op on tables that already exist, so columns added after initial release (curation_log.status/merged_content, skills.merged_into/version) never reached older databases — causing a 500 on /skills (no such column: status). DatabaseManager now patches missing columns on existing tables at every startup (PRAGMA table_info + ALTER TABLE ADD COLUMN, idempotent, no data loss).
Fixed — Activity timeline label overlap
A regression from the earlier "evidence" framing: kind labels got longer ("Routing" → "Routing evidence" etc.) but the grid column width wasn't adjusted, so the longest labels overflowed into the title column. Column widened, label allowed to wrap.
Tests: 513 passing, ruff clean.
v0.7.0 — Guardrails (NeMo-style) + FTS5 fix
First stable release — exits the -alpha pre-release phase.
Added — Guardrails (NeMo-style input/output rails)
Adopts the NVIDIA NeMo Guardrails architecture natively (no LangChain/heavy deps), closing OpenCLAWN's biggest gap: nothing previously checked LLM output.
security/guardrails.py— pure-stdlibGuardrailEngine+ rails (extractable):- input:
PromptInjectionRail(wraps Shield, BLOCK) - output:
PromptLeakRail(BLOCK system-prompt leak),PIIRail(REDACT email/card/api-key)
- input:
core/guardrails_config.py— per-rail on/off inapp_settings, read per-turn (live UI toggles), fail-safe default-onagent_loopintegration: redacts/blocks before storing to history/memory; emitsguardrailSSE event
Streaming note: already-streamed tokens can't be unsent; output rails operate on the full
turn.contentto keep PII out of stored memory and flag the UI.
Fixed — FTS5 query sanitization (memory L4)
Raw user queries hit FTS5 MATCH; punctuation (. , : ( ) ") is FTS5 operator syntax, so ordinary queries like "bug login: OAuth." always errored → L4 cross-session search failed silently. New fts5_query() tokenizes + quotes + ORs terms; punctuated queries now find matches.
Tests: 490 passing, ruff clean.
v0.6.0-alpha — Web UI enhancements + audit fixes
Added — UI enhancements (Web UI)
Sepuluh peningkatan UX di halaman chat utama: tool call cards (kartu visual
nama tool + input + status approval), copy button otomatis di code block,
smart auto-scroll (diam saat user scroll ke atas, lanjut saat ada konten baru),
collapsible sidebar untuk layar kecil, toast notifications, drag & drop
file ke composer, keyboard shortcut (Ctrl+K fokus composer, Escape blur), dan
syntax highlighting (highlight.js) untuk code block.
Fixed — UI batch (audit pasca-merge)
Audit batch UI menemukan beberapa cacat nyata yang langsung diperbaiki:
- Drag & drop semula memakai
file.path(API Electron — selaluundefined
di browser) lalu auto-mengirim prompt rusak. Kini membaca isi file via
FileReaderke composer (tanpa auto-send, batas 256 KiB, guardFiles-only agar
drag teks ke textarea tetap normal) dengan umpan balik toast. - Syntax highlight + copy button tak pernah jalan untuk jawaban streaming:
MutationObserverhanya terpicu saat node.msg-bodybaru, padahal streaming
me-rewriteinnerHTMLpada node yang sama. DigantifinalizeBody()yang
dipanggil sekali per giliran setelah stream selesai (mode single & conversation). - Hapus override
renderMarkdownno-op (dead code) danMutationObserverboros. - highlight.js v11.9.0 kini di-host lokal di
web/static/(local-first,
tanpa dependency CDN runtime); load bersifat opsional —finalizeBody()men-skip
highlight secara senyap bilahljstak tersedia. - Cabut typing indicator (titik-tiga): status line sudah meng-cover state
menunggu, dua indikator "sedang bekerja" terasa berlebih.
v0.5.0-alpha — MCP client, skill scanner, context compaction
Added — skill scanner (terinspirasi nvidia/skillspector)
Skill packs sudah membuka jalur "terima skill dari URL/file eksternal", tapi scanner-nya
hanya 4 regex Shield kosmetik — tak sepadan dengan ancaman skill yang membawa kode.
security/skill_scanner.py— pemindai dua lapis MURNI stdlib (ast+re):
AST mendeteksiexec/eval/subprocess/os.system/__import__/open(write)pada
blok kode; pola leksikal menangkap eksfiltrasi (curl|sh), path kredensial (~/.ssh,
id_rsa), URL ber-kredensial, endpoint metadata cloud. Skor 0–100 → verdict
clean/flag/reject.- Wiring impor (§1 keamanan-dulu): risiko tinggi → DITOLAK total (tak masuk DB,
keputusan owner); risiko sedang → tetap draft tapi dicatatflagged; bersih → draft.
SELALU aktif (keamanan, bukan optimasi — tak bisa dimatikan dari UI). Berlaku impor
file & URL.Shield.DANGER_PATTERNSjuga diperluas (eksfiltrasi instruksi/jailbreak). - Tak pernah crash (input eksternal) & tak false-positive pada prosa biasa. +12 test.
Added — context compaction "headroom" (opt-in, terinspirasi chopratejas/headroom)
Saat context window penuh, compactor default MEMOTONG turn terlama (truncation — jujur
tapi yang hilang benar-benar hilang). Compaction MERINGKAS turn lama jadi satu blok
alih-alih membuang — hemat token tanpa kehilangan konteks total (§1.4).
- OPT-IN, default OFF (§8): diatur di
/settings(off|local|cloud).off=
truncation aman;local= ringkas via model lokal kecil (gratis/privat);cloud=
via model cloud (kualitas untuk history kompleks). Peringkasan via LLM bisa membuang
nuansa & menambah latensi — karenanya tak dipaksakan. ContextCompactor.compact()(async, pre-pass sebelumbuild()): ringkas turn lama
jadi[compacted] …, sisakan N turn terbaru UTUH. Fail-safe (§1.3): muat budget /
summarizer error / ringkasan kosong / sudah ringkasan → history asli (truncation lama).
Summarizer di-inject (seam bersih) → testable tanpa LLM. +9 test.
Added — single-user production polish
Setelah review pihak ketiga (yang sebagian keliru menilai OpenCLAWN sebagai produk
multi-user), dua gap yang BENAR-BENAR valid untuk self-hosted single-user ditutup:
/healthendpoint — JSON status + cek konektivitas DB, untuk monitoring self-hosted.- Stale-draft cleanup — draft yang tua (
draft_stale_days, default 14) & tak pernah
terbukti (draft_success_count=0) diarsipkan saat decay pass — cegah menumpuk. ARSIP,
bukan hapus (konsisten "tak ada kehilangan data senyap").draft_stale_days=0→ nonaktif. - README: section Scope & Production Posture — menegaskan auth/Postgres/scaling DI LUAR
scope secara SADAR (§7 single-user), bukan utang teknis. +5 test.
Added — MCP (Model Context Protocol) client
OpenCLAWN kini dapat memakai tool dari server MCP eksternal (GitHub, filesystem,
dll) — sebelumnya hanya 26 tool bawaan. Via SDK resmi mcp (CLAUDE.md §7: MCP bukan
SDK vendor-LLM, jadi tak melanggar transparansi jalur LLM).
- Transport: stdio (subprocess lokal) + HTTP streamable (remote).
- Keamanan (§1): tool MCP SELALU butuh approval (HITL; di autopilot jadi
proposal) — server eksternal tak terkendali. Remote di-guard SSRF sebelum konek.
Role harus opt-in viasoul.tomlwildcardmcp__*/mcp__<server>__*. - Tool MCP tak dapat jalur istimewa: dibungkus
MCPTool(subclassTool), lewat
pagar yang sama (izin/validasi/telemetri/timeout). Discover fail-safe (server error
di-skip, tak jatuhkan startup). Kelola via halaman/mcp(tabelmcp_servers). core/mcp_client.py·core/mcp_registry.py·tools/mcp_tool.py. +19 test (420→439).
v0.4.0-alpha — compounding, autopilots, skill packs, multilingual
Pre-release kedua OpenCLAWN. Membangun di atas 4 inovasi inti — masih fase research (single-user, API dapat berubah, test memakai mock LLM).
Highlights sejak v0.3.0-alpha
- Skill compounding — library skill merapikan & memperbaiki dirinya: draft naik kelas saat terbukti, skill diperbaiki saat dikoreksi, duplikat digabung. Semua gated, versioned, revertible.
- Autopilots — tugas agent terjadwal yang aman by design: read-only; aksi butuh-approval jadi proposal, bukan eksekusi diam-diam.
- Skill packs — export/import skill antar-instalasi (Markdown + hash) di balik guard SSRF + anti-injection, masuk sebagai draft.
- Activity timeline — linimasa kronologis aksi agent + blocker terbuka.
- Multi-agent conversation — pipeline/debate/orchestrator dengan handoff tervalidasi, live stop & interject.
- Multilingual routing — sinyal kompleksitas bahasa-agnostik + tier bump sadar-script (opt-in).
- Keamanan — anti-SSRF pada web tools; guarded auto-apply kalibrasi (opt-in, clamp ±1).
- Ops — 26 tools, CI dengan uv.lock, 420 tests passing, ruff clean.
Lihat CHANGELOG.md untuk daftar lengkap.
🤝 Kontribusi sangat ditunggu — fase pengembangan aktif.
v0.3.0-alpha — first pre-release
OpenCLAWN's first tagged pre-release. Feature-complete against the v0.3 core spec, but still in the research/experiment phase — single-user, no auth, APIs may shift before a stable 0.3.0. All tests mock the LLM/Docker/Ollama layers, so validate your own local setup end-to-end.
Highlights
- 4 core innovations: routing audit + self-calibration, skill decay, confidence-gated crystallization, role output contracts.
- Multi-agent conversation: pipeline / debate / orchestrator over one loop, with live stop & interject.
- Hybrid LLM: local-first fallback (Ollama → Gemini → Claude), raw httpx (no vendor SDKs). Editable tier→model map.
- 25 tools: files, sandboxed code/shell, documents (docx/pptx/xlsx/pdf), read-only git, web.
- Security: Docker-only code execution, Vault-injected credentials (never in context/logs), anti-SSRF guard on web tools.
- Observability: /metrics, /skills, /conversations. CI with enforced uv.lock.
- 325 tests passing, ruff clean.
See CHANGELOG.md for the full list.
🤝 Contributions welcome — this is an active development phase.