
Releases: netclaw-dev/netclaw

Netclaw 0.17.2

06 May 20:35
96ba080

0.17.2 2026-05-06

Netclaw v0.17.2 — Session stability fixes, MCP reconnection, and schema packaging

Bug Fixes

  • Fixed binding actor stream crashes on shutdown — SignalR, Slack, and Discord binding actors now drain their Akka.Streams pipeline before stopping, eliminating AbruptTerminationException / StreamDetachedException crash logs on graceful shutdown and idle timeout. (#895)

  • Fixed thinking-only LLM responses being classified as empty — the empty response guard now checks TextReasoningContent in addition to TextContent, so models that emit thinking tokens without text (e.g., Qwen 3) are no longer incorrectly retried with a nudge. (#895)

  • Fixed dropped tool calls from llama.cpp-compatible providers — OpenAiCompatibleChatClient now emits accumulated tool calls when finish_reason is "stop", not just "tool_calls", since llama.cpp often sends "stop" even when structured tool calls are present. (#895)

  • Fixed netclaw doctor schema validation failing on Search.Backend — the config schema used PascalCase enum values but the wizard writes lowercase via ToWireValue(). Schema now matches wire format (duckduckgo, brave, searxng). (#894)

  • Embedded config schema as assembly resource — the tar.gz/zip CLI archives only shipped the single-file binary, silently dropping the Schemas/ directory. netclaw doctor now always has access to the schema regardless of distribution format. (#894)

  • Added CursorAdvanced serialization bindings — replaced private nested cursor types in Slack and Discord binding actors with a shared, protobuf-serializable CursorAdvanced(string Cursor) record. Fixes persistence recovery failures when cursor state was written by the old unregistered type. Closes #887. (#890)

  • MCP servers that become unreachable (DNS failure, server down) no longer stay permanently stuck in Unreachable state — a new McpReconnectionService polls every 30 seconds with per-server exponential backoff (30s → 300s cap) and emits an operational alert on recovery. (#884)

Documentation

  • Refocused README on end-user content — moved architecture, design goals, and build-from-source sections to CONTRIBUTING.md; added Docker quickstart, netclaw.dev documentation links, and Discord link. (#888)

Netclaw 0.17.1

06 May 17:24
33408f0

0.17.1 2026-05-06

Netclaw v0.17.1 — First public release with Docker support, non-interactive approval, and open-source infrastructure

This is the first release of Netclaw published as an open-source project under netclaw-dev/netclaw. It includes the first official Docker image for netclawd, new agent autonomy features, and the infrastructure changes needed to support public distribution.

Docker

  • Official multi-arch Docker image for netclawd is now published to GHCR (ghcr.io/netclaw-dev/netclaw) on every release, supporting both linux/amd64 and linux/arm64. (#858)

  • The netclawd Docker container now runs as a non-root user (netclaw, UID 1654) instead of root — the entrypoint creates the data directory with correct ownership and su-execs into the unprivileged user. (#874)

  • Schema files are now included in the Docker image so netclaw doctor works correctly inside containers. (#863)

  • Exposure mode validation now accepts container and reverse-proxy deployments — the daemon no longer rejects https exposure mode when bound to a loopback address, since TLS termination is handled externally in these topologies. (#862, #864)

Features

  • Non-interactive approval, sub-agent approval chaining, and shell trust zone enforcement — operators can now pre-approve tool categories in netclaw.yaml so the daemon can execute tools without interactive confirmation. Sub-agents inherit their parent's approval grants. A new shell trust zone restricts which directories and commands the agent can use in autonomous mode. (#851)

  • Improved ambient skill activation for small models — skill keyword matching now uses normalized scoring so smaller-context models (Haiku, Gemini Flash) trigger the right skills without requiring exact phrasing. (#856)

Bug Fixes

  • Fixed cancel_reminder deleting config files instead of disabling them — reminder cancellation now sets a disabled flag rather than removing the underlying file, so reminder metadata is preserved for audit and re-enable. (#848)

  • Fixed provider-reported context window being ignored — the LLM session now uses the context window size reported by the provider instead of falling back to a hardcoded 32k default. (#865)

  • Fixed health check state not resetting on re-entry — the netclaw init wizard's go-back-and-retry flow now resets health check state so a previously-failed check can succeed on retry without restarting the wizard. Closes #859. (#871)

  • Fixed daemon bootstrap pairing in non-local modes — the daemon now preserves the bootstrap pairing token when running in container or remote exposure modes, fixing a regression where pairing failed after switching away from local mode. (#872)

  • Consolidated duplicated path utilities into a single PathUtility class, eliminating three independent copies of home-directory and config-path resolution logic. Closes #852. (#873)

Open-Source Infrastructure

  • Migrated all repository references from Aaronontheweb/netclaw to netclaw-dev/netclaw. (#838)

  • Migrated CI from self-hosted ARC runners to GitHub-hosted runners. (#837)

  • Prepared README and documentation for open-source launch — added CONTRIBUTING.md with build instructions and smoke sandbox docs, clarified secrets encryption, and added netclaw.dev website links. (#843, #846, #847, #878)

Dependencies

  • Bumped Netclaw.SkillClient from 0.2.0 to 0.2.1. (#836)

  • Bumped NSec.Cryptography from 24.4.0 to 26.4.0. (#840)

Netclaw 0.16.2

30 Apr 03:16
5f3f0ee

0.16.2 2026-04-30

Netclaw v0.16.2 — Apache 2.0 license, security hardening, and stability fixes

License

  • Migrated from AGPL v3.0 + Commons Clause to Apache License 2.0 — all source files now carry Petabridge LLC copyright headers, a new scripts/Add-FileHeaders.ps1 script manages header enforcement with a -Verify mode for CI, and the PR validation workflow includes a copyright-headers job that fails builds missing headers. (#790)

Security

  • Fixed privilege escalation bypass in ShellCommandPolicy: sudo, su, and doas commands now receive a categorical deny regardless of what follows, closing a bypass where prepending sudo to any denied command evaded all deny patterns because matching only operated on the first token. Closes finding S4-20 from the 2026-04-29 audit. (#830)

  • Moved SecretOutputRedactor to DispatchingToolExecutor so all tool outputs are redacted before reaching the LLM — previously only shell and background job outputs were covered. Extended redaction patterns now cover AWS access keys (AKIA...), JWT tokens, and other structured secrets. Closes finding S5-01. (#830)

  • Gated raw OAuth token values in the provider status endpoint to loopback connections only — remote paired devices now receive boolean flags instead of raw access and refresh token values. Closes finding S7-5.5. (#830)

  • Enforced SubAgentToolPolicy at spawn time and auto-granted safe-list tools — user-facing subagents are now restricted to the safe-list (attach_file, file_read, web_fetch, web_search) at tool resolution time. Safe-list tools are auto-granted in non-interactive contexts instead of being denied by the approval gate, fixing subagents that had zero usable tools. Closes #831. (#830)
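
The ShellCommandPolicy item above describes a first-token matcher that a privilege wrapper slips past. The Python sketch below is an added illustration, not Netclaw's C# code: the deny list, function names and return strings are assumptions, and the hardened variant goes beyond the note by also checking each command in a compound line.

```python
import os
import re
import shlex

# Constructed sample deny list; the project's real patterns are not shown on the page.
DENIED_COMMANDS = {"rm", "mkfs", "dd", "shutdown"}
# Wrappers named in the release note: denied outright, whatever follows them.
PRIVILEGE_WRAPPERS = {"sudo", "su", "doas"}

SEPARATOR_CHARS = set(";|&()")  # tokens made of these start a new command
ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")  # e.g. FOO=bar cmd


def first_token_policy(command: str) -> str:
    """Pre-fix behaviour as the note describes it: deny patterns see only the first token."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return "deny:unparseable"
    if not argv:
        return "deny:empty"
    return "deny:pattern" if argv[0] in DENIED_COMMANDS else "allow"


def hardened_policy(command: str) -> str:
    """Check the command word of every segment; privilege wrappers are a categorical deny.

    Not a full shell grammar: substitutions inside quotes or backticks are not modelled.
    """
    try:
        # An unquoted newline separates commands just like ';' does.
        lexer = shlex.shlex(command.replace("\n", " ; "), posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        lexer.commenters = ""  # shlex would otherwise hide everything after a '#'
        tokens = list(lexer)
    except ValueError:
        return "deny:unparseable"  # unbalanced quotes: fail closed
    if not tokens:
        return "deny:empty"

    at_command_word = True
    for token in tokens:
        if token and set(token) <= SEPARATOR_CHARS:
            at_command_word = True  # ';', '&&', '||', '|', '(' begin a new command
            continue
        if not at_command_word or ENV_ASSIGNMENT.match(token):
            continue  # arguments, and leading VAR=value prefixes
        name = os.path.basename(token)  # /usr/bin/sudo is still sudo
        if name in PRIVILEGE_WRAPPERS:
            return "deny:privilege-wrapper"
        if name in DENIED_COMMANDS:
            return "deny:pattern"
        at_command_word = False
    return "allow"
```

A quoted separator such as `echo ";"` is treated as a real one, so the sketch errs toward denying rather than allowing.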

Bug Fixes

  • Fixed daemon crash logs from unobserved AbruptTerminationException on actor shutdown — SessionPipelineHandle.Dispose() was disposing the materializer in PostStop while stream stage actors (children of the materializer's actor context) had already been killed by Akka's child-first shutdown, producing AbruptTerminationException as unobserved tasks that triggered DaemonCrashMonitor. Output streams now use WatchTermination, and ReminderExecutionActor / WebhookExecutionActor call a new DrainAsync() before stopping so all stream stages complete gracefully while the parent actor is still alive. (#802)

  • Fixed erratic navigation during netclaw init caused by duplicated channel picker subscriptions — ChannelPickerStepView.BuildContent() was adding new Submitted subscriptions on every re-render without disposing old ones, causing multiple AdvanceStep() calls per Enter key and erratic step navigation. Subscriptions are now cleared at the top of BuildContent() and focus state is reset before sub-step delegation. Closes #792. (#797)

Dependencies

  • Bumped Akka.Persistence.Sql.Hosting from 1.5.62 to 1.5.67 (patch update). (#799)

Netclaw 0.16.1

28 Apr 22:38
66e232b

0.16.1 2026-04-28

Netclaw v0.16.1 — Private skill feed sync, MCP permissions navigation fix, and dependency update

Features

  • Added private skill server feed sync via Netclaw.SkillClient — operators can now configure private skill-server instances under SkillFeeds.Feeds in netclaw.yaml; a new ServerFeedSkillSyncService syncs skills from those feeds at startup using the Cloudflare Agent Skills RFC discovery protocol, with per-feed error isolation, SHA-256 verification, and content security scanning. Skills follow three-tier precedence (native > server-feed > external) so server-feed skills can extend but never override built-in capabilities. A new "Skill Feeds" step in the netclaw init wizard supports live probe validation and error recovery. Closes #532. (#785)

Bug Fixes

  • Fixed MCP permissions page navigation — Up/Down now navigates all configurable rows (Audience, Server Enabled, Server Default, Tools) using a unified grid cursor, and Left/Right performs context-sensitive cycling per row. The footer is simplified to the six most common shortcuts; legacy shortcuts still work. The *unsaved* indicator now clears reliably after saving. Closes #786. (#788)

Dependencies

  • Bumped Cronos from 0.8.4 to 0.12.0 — includes support for schedule jitter via the H character, nullable reference type annotations, strong-named assembly signing, removal of the year 2499 limitation, and several bug fixes across the 0.9–0.12 release series. (#572)

Netclaw 0.16.0

27 Apr 22:11
2762eaf

0.16.0 2026-04-27

Netclaw v0.16.0 — Discord session continuity, public audience hardening, reminder expiration, and init wizard overhaul

Features

  • Added reminder expiration, self-cancellation guidance, and delivery timeout fix — recurring reminders now support an optional ExpiresIn parameter on set_reminder (also available as --expires-in in the CLI and REST API) that automatically disables the reminder after the specified duration. Recurring reminder prompts now include self-cancellation guidance telling the agent to call cancel_reminder when the task's purpose is permanently fulfilled (e.g., PR merged, deploy completed). DeliveryObservedTimeout is aligned with ExecutionTimeoutSeconds (300s) so delivery-required reminders are no longer marked as failed when the LLM turn legitimately takes longer than 30 seconds to complete. (#752)

  • Added public audience security hardening — Public sessions are now fully amnesic (no memory read or write access by default), the startup tool index is filtered by effective audience so Public sessions do not see capabilities they cannot use, and the system prompt is rebuilt on the first inbound turn once the resolved channel audience is known. File-access denials no longer include root path hints for public sessions. Closes #755, #756. (#758)

  • Added Discord approval button clearing after decision — Discord approval prompt messages are now updated in-place after a user clicks an approval button or types a text response (A/B/C/D), replacing the buttons with a resolved status showing the tool name, action, decision, and who approved. This matches the existing Slack behavior. (#768)

  • Added configuration-driven channel statistics — netclaw stats and netclaw status now only display channel panels for channels that are actually enabled in configuration. A Discord-only deployment no longer shows an empty Slack section, and the underlying telemetry registry is now extensible per channel type via ChannelTelemetry.For(ChannelType). Closes #773. (#774)

  • Streamed attachment downloads to disk instead of buffering in memory — attachment downloads from Slack and Discord no longer buffer entire files in managed heap memory. A shared StreamingAttachmentDownloader streams HTTP responses directly to a temp file using a pooled 81 KB buffer and enforces the operator-configured MaxFileBytes ceiling mid-stream via Content-Length header check and byte-counting fallback. Content scanning reads only the first 64 bytes from disk. Closes #757. (#770)

  • Added unified channel picker step for the init wizard — the netclaw init wizard now presents a single "Communication Channels" checklist step replacing the previous sequential Slack (step 3) and Discord (step 4) steps. Users navigate with ↑/↓, toggle channels with Space, configure with Enter, and advance with [d]. Adding additional channel adapters in the future only requires implementing IChannelAdapterViewModel. Closes #742. (#763)

  • Resolved Discord channel IDs to human-readable names in the init wizard — Discord channel entries in the Channels wizard step now display as "GuildName / #channelName" instead of raw snowflake IDs. Channel resolution runs as a background task while the user completes other sub-steps, adding no blocking delay. Closes #743. (#762)

  • Made AllowedUserIds an explicit allow/restrict choice in the init wizard — the plain text AllowedUserIds input in both Discord and Slack wizard steps is replaced with a two-phase flow: an explicit binary selection ("Restrict to specific users" vs "Allow anyone in allowed channels"), then conditionally a mandatory user ID text input. This prevents accidental open access from pressing Enter on a blank field, enforcing the default-deny security posture. Closes #760. (#778)

  • Disabled System.Object serialization fallback — WithNetclawSerialization() now calls WithStrictSerialization() to disable the JSON fallback for unregistered types. Unregistered types now throw a SerializationException instead of silently producing JSON output, making serialization misconfigurations immediately visible. Closes #706. (#777)

  • Blocked self-update in container deployments and hardened NSec initialization — a new Daemon.DisableSelfUpdate config option (automatically set to true in the official Docker image via NETCLAW_Daemon__DisableSelfUpdate=true) blocks netclaw update from replacing binaries in-place while keeping update availability checks running so operators know when a new image is available. All update notifications when self-update is disabled now advise pulling a newer container image instead. Also added libsodium23 to the Dockerfile so NSec Ed25519 signature verification works correctly in Ubuntu 24.04 self-contained containers, and hardened MinisignVerifier.Verify() to catch NSec platform initialization failures and return PlatformUnavailable instead of throwing. Closes #771, #772. (#776)
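
The streamed attachment download item above combines a Content-Length check with a byte-counting fallback. The Python sketch below is an added illustration of that two-stage ceiling, not the project's C# StreamingAttachmentDownloader; the function names, the exception type and the exact buffer size are assumptions.

```python
import os
import tempfile

CHUNK_SIZE = 81_920  # roughly the 81 KB buffer the note mentions (exact size assumed)
SNIFF_BYTES = 64     # content scanning looks only at this prefix


class AttachmentTooLarge(Exception):
    """Raised when a download would exceed the configured ceiling."""


def stream_to_temp(body, content_length, max_file_bytes, directory=None):
    """Copy a binary stream to a temp file, holding at most one chunk in memory.

    body: file-like object with readinto(); content_length: int from the header, or None.
    Returns (path, bytes_written). The temp file is removed on any failure.
    """
    # Check 1: reject on the declared size before reading a single byte.
    if content_length is not None and content_length > max_file_bytes:
        raise AttachmentTooLarge(f"declared {content_length} bytes, limit {max_file_bytes}")

    buffer = memoryview(bytearray(CHUNK_SIZE))  # one reusable buffer, stands in for the pool
    written = 0
    fd, path = tempfile.mkstemp(prefix="attachment-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as out:
            while True:
                n = body.readinto(buffer)
                if not n:
                    break
                written += n
                # Check 2: count real bytes, since the header may be absent or wrong.
                if written > max_file_bytes:
                    raise AttachmentTooLarge(f"received more than {max_file_bytes} bytes")
                out.write(buffer[:n])
    except BaseException:
        os.unlink(path)  # never leave a partial oversized file behind
        raise
    return path, written


def sniff_prefix(path, count=SNIFF_BYTES):
    """Read only the leading bytes from disk for content-type scanning."""
    with open(path, "rb") as handle:
        return handle.read(count)
```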

Bug Fixes

  • Fixed Discord thread sessions dropping messages after daemon restart — after a daemon restart, messages sent to an existing Discord thread were silently dropped unless the user @mentioned the bot again, because the in-memory session binding actor was lost and threadExists was false, matching the ChannelMentionRequired routing policy path. DiscordRoutingPolicy now returns StartOrContinue for in-thread messages regardless of whether a binding actor exists, matching the existing Slack behavior and allowing Akka Persistence to recover prior session state seamlessly. (#779)

  • Fixed dead OwnerIdentity sub-step appearing in Slack init wizard — a no-longer-needed OwnerIdentity sub-step was still included in the Slack wizard's step sequence, causing an extra blank step to appear during netclaw init. Closes #761. (#764)

Netclaw 0.15.1

24 Apr 21:57
d827f6f

0.15.1 2026-04-24

Netclaw v0.15.1 — Project directory tracking and automatic context loading

Features

  • Added set_working_directory tool and project directory tracking — sessions now track a mutable ProjectDirectory in WorkingContext that persists across crash and restart. When a project directory is set, the session automatically discovers and loads the project's identity file (.netclaw/AGENTS.md, CLAUDE.md, AGENTS.md, or CONTEXT.md — first match wins) into the system prompt alongside global identity layers. The loaded project context is stable across turns and benefits from prompt caching. The set_working_directory tool validates that the target path exists and is within the audience's allowed file access roots; Public and Team audiences cannot use it by default. Also adds session_dir to the [session] context block so the agent knows its full session directory path. Closes #595, #596. (#734)

Dependencies

  • Bumped Microsoft.Extensions.AI.Abstractions from 10.4.1 to 10.5.0. (#736)

Netclaw 0.15.0

24 Apr 20:42
93ea31f

0.15.0 2026-04-24

Netclaw v0.15.0 — Session crash recovery hardening, unified streaming timeout, and dependency security updates

Bug Fixes

  • Fixed session amnesia after daemon crash — SlackThreadBindingActor was advancing its persistence cursor (marking messages as "seen") at enqueue time via PersistAsync, before the downstream LlmSessionActor durably recorded the completed turn. On a crash between those two writes the message was permanently lost: the cursor said "seen" but no turn was recorded, and thread history hydration skipped it on restart. The cursor now advances only when TurnCompleted(Completed) confirms the turn is durably persisted. Additionally, when identity files are missing on recovery, the last-known system prompt is retained as a fallback instead of being actively deleted. Fixes #733. (#733)

  • Fixed false streaming timeout on GPU-contended inference servers — the two-phase watchdog (FirstTokenTimeout 600 s → StreamIdleTimeout 120 s) was causing spurious timeouts on self-hosted inference servers where requests are preempted mid-stream by concurrent sessions, triggering the 120-second idle cutoff even while tokens were actively generating. The two timers are now unified into a single FirstTokenTimeout (600 s) that resets on every streaming delta, eliminating false positives under load. StreamIdleTimeout / StreamIdleTimeoutSeconds are removed from config; netclaw doctor --fix auto-removes the stale key from existing configurations. Fixes #731. (#732)

Dependencies

  • Bumped OpenTelemetry packages from 1.13.1 to 1.15.3 — resolves three moderate-severity GitHub Security Advisories (GHSA-g94r-2vxg-569j, GHSA-mr8r-92fq-pj8p, GHSA-q834-8qmm-v933) affecting OpenTelemetry.Api and OpenTelemetry.Exporter.OpenTelemetryProtocol. Transitive pinning is enabled to override the older 1.9.0 pull from Akka.Hosting. (#737)

  • Bumped Anthropic SDK from 12.13.0 to 12.16.0. (#724)

  • Bumped Microsoft.AspNetCore.DataProtection and System.Security.Cryptography.Xml to 10.0.7 (routine patch update). (#725)

Netclaw 0.14.3

22 Apr 17:23
925c2ed

0.14.3 2026-04-22

Netclaw v0.14.3 — Webhooks CLI, scheduling audience gating, proactive check-back guidance, and security/reliability fixes

Features

  • Added netclaw webhooks CLI command group for managing inbound webhook routes — webhooks list, webhooks show, webhooks set, webhooks delete, and webhooks validate commands provide full CRUD management of webhook route configuration from the terminal. Supports multiple secret input methods (--secret, --secret-file, --secret-env) to avoid shell history exposure, --dry-run preview mode, and --create-only / --update-only flags for explicit upsert control. Closes #529. (#711)

  • Added scheduling audience gating — set_reminder, list_reminders, cancel_reminder, and get_reminder_history now respect the session's audience AllowedTools list. Public and Team audiences no longer have scheduling access by default; only Personal sessions (with ToolsMode=All) retain it. Operators can grant Team access by explicitly adding the tool names to AllowedTools. Closes #710. (#714)

  • Added proactive check-back guidance to AGENTS.md template — the agent now automatically schedules current_session reminders when it kicks off async work (builds, CI pipelines, deployments) instead of waiting for the user to ask for status. New installations pick this up via the init wizard; existing users can copy the "Proactive Check-Back" block into ~/.netclaw/identity/AGENTS.md manually. (#714)

Bug Fixes

  • Fixed false StreamIdleTimeout when ToolCallTextFilter suppresses SSE events — when the filter detects <tool_call> XML in streaming text it suppresses subsequent SSE updates, creating a watchdog blackout where ProcessingWatchdog.Refresh() is never called and the 120-second idle timeout fires even while the GPU is actively generating tokens. The fix yields a content-free keepalive ChatResponseUpdate when text is suppressed so the watchdog resets unconditionally. Fixes #717. (#720)

  • Fixed skill index missing descriptions, causing skill auto-loading failures — the skill discovery index only showed file paths without context about when to load each skill, leaving the model unable to decide which skills were relevant. GenerateIndex() now includes skill descriptions on each line, and AGENTS.md skill reference guidance uses action-oriented "BEFORE you..." language to improve auto-loading accuracy. Fixes #696. (#712)

  • Fixed MIME type rejection for markdown files sent from Slack — Slack reports .md files with MIME type text/plain instead of text/markdown, causing the content scanner to reject them. Extension-based MIME normalization now corrects known mismatches (.md/.markdown, .json, .yaml/.yml, .csv, .xml) before validation. Fixes #716. (#719)

  • Fixed *unsaved* indicator visibility in netclaw mcp permissions TUI — the status message is now positioned above the tool list so it remains visible regardless of list length, and the unsaved indicator color is changed from gray to yellow for better contrast. (#709)

Netclaw 0.14.2

21 Apr 17:18
3cd27af

0.14.2 2026-04-21

Netclaw v0.14.2 — Structured reminder delivery, protobuf serialization, subagent robustness, and web-content-retrieval skill

Features

  • Added structured reminder delivery contract — set_reminder now uses a delivery object with a required kind field (current_session, channel, or none) that directly selects the execution mode, replacing the previous implicit inference from optional fields. A new deliveryRequired boolean controls policy; deliveryInstructions carries content guidance only. Transport-keyed resolver dispatch uses ChannelType.ToWireValue() for reliable routing across Slack and future transports. Closes #690. (#692)

  • Added protobuf-net serializer with stable manifests — NetclawProtobufSerializer uses constant manifest strings (sid-v1, sum-v1, tr-v1, etc.) decoupled from .NET type names, enabling safe schema evolution without migration steps. The WithNetclawSerialization() extension disables the System.Object JSON fallback so unregistered types fail loudly instead of silently falling back. Existing persisted events remain readable; new events use the more efficient binary format. (#705)

  • Added web-content-retrieval system skill — the agent now loads a built-in skill covering URL handling, browser automation guidance, and social media content retrieval so it can advise on web fetch workflows without requiring a custom skill. (#702)

  • Made subagent tools optional — omitting the tools field in a subagent's YAML frontmatter now causes the subagent to inherit all session tools, including MCP tools (Notion, GitHub, etc.). Previously the field was required and restricted to four built-in tools, making MCP-powered subagents impossible to define. When tools is specified it acts as a whitelist; when omitted all session tools are available. (#703)

  • Migrated webhook notification policy to deliveryRequired boolean — the NotifyPolicy enum on set_webhook and webhook config is replaced by a deliveryRequired boolean that is consistent with the reminder delivery contract. (#704)

Bug Fixes

  • Fixed daemon crash on subagent timeout — the subagent cancellation callback was capturing Self at registration time instead of before registration, causing a NotSupportedException when the callback fired on a thread-pool thread with no active actor context. The resulting unhandled AggregateException terminated the entire daemon, killing all active sessions. The fix also converts the scheduling to the IWithTimers pattern per project conventions. (#707)

  • Fixed netclaw-operations skill hidden from agent skill index — the skill had an incorrect disable-model-invocation: true flag that prevented it from appearing in the agent's skill discovery index, causing the agent to be unaware of operations guidance. (#702)

Netclaw 0.14.1

21 Apr 12:59
1e01026

0.14.0 2026-04-15

Netclaw v0.14.0 — Skill-defined subagent routing, Mode B reminder session re-entry, fail-closed MCP add, and security patch

Features

  • Added metadata.subagent routing for skill-defined activations — skills can now declare a subagent field in their YAML frontmatter to route activations to a named subagent instead of executing inline. The router fails loudly when the target subagent is missing or misconfigured, matching the project's no-silent-fallback policy. A new subagent-authoring system skill documents the frontmatter contract and guides operators through defining file-based subagents. (#672)

  • Added Mode B reminder session re-entry — reminders fired from Slack or SignalR sessions can now check back into the originating session when they fire instead of requiring a report_to_channel target. Omitting report_to_channel from set_reminder enables session check-back; the reminder re-enters the session as if the user sent a follow-up message. Fixes #660. (#670)

  • Added fail-closed mcp add, server-default approval policy, and netclaw mcp permissions TUI — netclaw mcp add now assigns empty grants and an Approval default to every newly registered server, preventing new tools from executing without explicit operator authorization. The new netclaw mcp permissions command provides a terminal UI for managing per-server and per-tool approval modes without editing config files directly. (#679)

Security

  • Patched CVE-2026-26171 and CVE-2026-33116: System.Security.Cryptography.Xml is pinned to 10.0.6 to address two vulnerabilities in XML cryptography handling. (#681)

Bug Fixes

  • Fixed false daemon crash alerts from SlackNet dispose race — SlackNet's ReconnectingWebSocket can throw a TaskCanceledException during disposal while the daemon is shutting down, which was being surfaced as a crash alert to operators. This exception is now swallowed on the shutdown path so config hot-reloads and daemon restarts no longer generate spurious alerts. (#680)

  • Fixed Slack routing drops logging no reason — when the routing policy silently dropped a message, operators had no way to determine which policy rule caused the drop. Routing decisions now carry a structured IgnoreReason that is surfaced in the structured log at the point of discard, making policy debugging actionable without source inspection. (#682)