v0.2.0

What's Changed

• sqlite: force clawpatrol.db + WAL/SHM to mode 0600 by @ry in #405
• clickhouse: per-database endpoint routing by @arnauorriols in #404
• sql_rule: add database match facet by @arnauorriols in #403
• ops: drop auto-deploy workflow by @ry in #409
• wg: drop default tunnel MTU 1420 → 1220 (over-Tailscale fix) by @ry in #411
• Database-aware credential dispatch + sql.database facet by @piscisaureus in #410
• agents table: drop integrations column, fold needs-setup into status dot by @ry in #418
• hitl: add async grant config schema by @magurotuna in #414
• hitl: add async operation store by @magurotuna in #419
• hitl: add request fingerprint binding by @magurotuna in #417
• action download: include verb / tables / functions / database for SQL actions by @arnauorriols in #416
• fix(test): drop invalid database arg from postgres endpoint HCL by @ry in #422
• test: reject SQL fixture facets that disagree with the parser by @ry in #423
• Add MIT LICENSE.md by @ry in #424
• site: drop stripe from flow diagram, add k8s + notion by @ry in #425
• site: drop 'foundation' section, rewrite competitor comparison as boundary cards by @ry in #427
• hitl: add async operation status API by @magurotuna in #420
• hitl: show async approval state in dashboard by @magurotuna in #421
• feat: add async HITL runtime fallback by @magurotuna in #429
• hitl: add retry grant relay by @magurotuna in #426
• hitl: maintain async operation lifecycle by @magurotuna in #431
• fix: use remapped HITL retry principal by @magurotuna in #432
• site: comparison section follow-up polish by @ry in #428
• site: landing-page reshape — hero, deploy, run-it, validated HCL examples by @ry in #438
• hitl: add async grant e2e docs by @magurotuna in #434
• feat: Tailscale exit-node MITM via SO_ORIGINAL_DST + clawpatrol run in tsnet mode by @littledivy in #413
• fix(tsnet): WG-mode parity, gateway port, CA fetch over tailnet by @littledivy in #440
• site: copy + structure pass on landing by @ry in #442
• macOS clawpatrol run on tsnet by @littledivy in #441
• docs: drop glossary's Configuration vocabulary section by @arnauorriols in #437
• docs(glossary): merge Facet/Family entries; add Facet field by @arnauorriols in #433
• embedded tsnet in gateway. no iptables setup required by @littledivy in #443
• cleanup(tsnet): drop dead system-tailscale paths; dedup tsnet device rows by @littledivy in #444
• doc: explain inspection-buffer overflow in approval-rules by @arnauorriols in #430
• clickhouse_native: parse CTE-prefixed INSERTs by @arnauorriols in #407
• dashboard: credentials redesign — type cards + expanding details table by @arnauorriols in #445
• site: add favicon links by @magurotuna in #447
• tsnet: ephemeral runs, Funnel allowlist, parent-IP attribution by @littledivy in #446
• Fix tsnet macOS NE register by @littledivy in #450
• docs: refresh for tsnet-as-default by @littledivy in #451
• Initial redesign pass by @josh-collinsworth in #453
• Prep repo for launch: README rewrite + cmd/clawpatrol move by @ry in #452
• dashboard auth: mandatory root password + optional tailnet allowlist by @piscisaureus in #454
• dashboard auth: make login-page assets reachable without a cookie by @piscisaureus in #456
• fix: update Slack HITL resolution guidance by @magurotuna in #449
• Move config/ to internal/config/ by @ry in #455
• dashboard auth: opaque session cookies + whoami + log out by @piscisaureus in #458
• Revert "wg: drop default tunnel MTU 1420 → 1220" by @ry in #459
• build: switch dashboard/ and site/ from npm/node to deno by @ry in #460
• hitl: update Slack prompts for async states by @magurotuna in #462
• join: fix double install + dnsvip self-relay loop by @littledivy in #457
• join: pin resolv.conf on non-resolved hosts + dedupe v6 agent rows by @littledivy in #463
• sparkline: lerp between polls by @littledivy in #464
• sparkline: scroll on update instead of reconstruct by @littledivy in #466
• persist ephemeral peer attribution across gateway restarts by @littledivy in #467
• sparkline: revert animation by @littledivy in #468
• fix: delimit async HITL raw 202 responses by @magurotuna in #465
• fix: write async HITL raw response atomically by @magurotuna in #470
• join: persist --hostname so clawpatrol run uses it instead of os.Hostname by @littledivy in #473
• feat: add async HITL status capability URLs by @magurotuna in #472
• hitl: sort pending approvals deterministically by @divybot in #476
• dashboard: copy buttons work over plain HTTP by @ry in #477
• cleanup: drop unused funcs + stale comments by @divybot in #478
• Final font stack by @josh-collinsworth in #481
• dashboard: fix analytics range buttons routing back to device list by @ry in #483
• dashboard: fix device-page crash + credential card legibility by @ry in #484
• drop stale npm package-lock.json files by @ry in #486
• Another style pass by @josh-collinsworth in #488
• endpoints: support *.suffix wildcards in hosts list by @piscisaureus in #485
• config: switch HCL refs from bare names to typed traversals by @ry in #487
• drop site/doc/skill.md in favor of auto-generated llms-full.txt by @ry in #491
• hitl: update Slack prompt on sync timeout by @magurotuna in #495
• docs: refine introduction.md by @arnauorriols in #469
• site: keep inline atomic on line wrap by @arnauorriols in #496
• Implement #348: invert credential→endpoint→profile by @arnauorriols in #368
• test engine + downloaded actions: typed endpoint references (cl-kls0) by @arnauorriols in #497
• rules: support matching on all action's facets by @arnauorriols in #435
• Restore sync HITL Slack terminal updates by @magurotuna in #501
• [codex] improve config and rules docs by @ry in #502
• sec: hide tsnet auth key from agent process tree by @littledivy in #503
• docs: refine getting-started, split out configure-gateway by @arnauorriols in #471
• fix: move PR_SET_DUMPABLE=0 to after child.Start by @littledivy in #505
• cleanup: redact internal hostnames and repo references by @piscisaureus in #506
• fix: restore wildcard hosts + small regressions from #368 squash by @piscisaureus in #507
• Dashboard design pass by @josh-collinsworth in #508
• Homepage touch-ups by @josh-collinsworth in #514
• docs: surface control-mode coupling in dashboard bind sectione by @arnauorriols in #512
• fix: scope device credential cards to the profile's own declared list by @arnauorriols in #513
• config: inline llm_approver policy text, drop policy block by @ry in #511
• Linux self-forking daemon + exit-node routing, no more PROXY v1 by @piscisaureus in #510
• Linux daemon: unify WireGuard mode, drop ephemeral peers by @piscisaureus in #517
• Drop the clawpatrol login subcommand by @piscisaureus in #518
• Re-block gateway config under gateway {} / defaults {} by @piscisaureus in #521
• Mint Tailscale auth keys as single-use by @piscisaureus in #519
• home: show 10 devices instead of 5 by @littledivy in #522
• site: simplify RunSection to two commands by @ry in #524
• dashboard: prefix logo src with import.meta.env.BASE_URL by @littledivy in #523
• chore: consolidate HCL examples under examples/ by @littledivy in #526
• ci: PR preview deploys to demo.clawpatrol.dev by @littledivy in #527
• chore: drop committed data/gateway.hcl, gitignore data/ by @littledivy in #529
• home: sort devices by activity, bucketed to the hour by @littledivy in #525
• site: tighten ProblemSection copy, add Download action screenshot by @ry in #528
• site: replace AnalyticsSection with a DemoSection by @ry in #530
• dashboard: rename user 'profile' page to 'account' by @arnauorriols in #533
• ssh: fix BlobStore wiring + log per-channel intent by @littledivy in #531
• fix: route clawpatrol env through the daemon in tsnet mode by @littledivy in #537
• daemon: refresh env-pushdown cache on START / ENV by @littledivy in #538
• fix: route clawpatrol-run DNS through the gateway in tsnet mode by @littledivy in #539
• fix: update Slack copy for sync HITL disconnects by @magurotuna in #536
• site: drop pre-launch basic-auth gate by @ry in #541
• chore: switch releases from GH Pages to gh release by @littledivy in #542

Full Changelog: v0.1.23...v0.2.0