v2026.618.0

Paperclip v2026.618.0

Released: 2026-06-18

Highlights

• Skills Store - Browse, install, and manage agent skills from a dedicated in-app store, so you can give your agents new capabilities without hand-wiring files. Skills are now a first-class, installable unit with install counts and a company-scoped catalog. (#7990, @cryppadotta)
• Self-hostable sandbox execution - Cloud/sandboxed agent execution matures: a self-hostable Kubernetes sandbox provider plugin lands alongside server-side Kubernetes execution integration and hardened agent-runtime images, plus a new Novita sandbox provider. Run your agents in an isolated sandbox on your own infrastructure or a cloud provider. (#5790, #7938, #7934, @stubbi; #7595, @Alex-yang00)
• Per-company multi-tenant isolation - A major security foundation for shared and cloud deployments: each company now gets its own JWT signing keys, cloud tenants are strictly company-scoped (never instance-admin), and plugin tables carry a company_id foreign key so plugin data is isolated per tenant. (#5864, #7525, #5865, @stubbi)
• Workspace file viewer and artifact links - Inspect the files your agents produced directly from the issue — a built-in workspace file viewer plus artifact links mean you can open work products without leaving the thread. (#7681, @cryppadotta)
• Env-driven gateway routing for local adapters - The codex, pi, opencode, and gemini local adapters can now route through custom providers and gateways via environment configuration (custom providers, small/cheap model selection, remote allow-all) — a key prerequisite for running your own model gateways. (#7919, #7920, #7837, #7918, @stubbi)

Improvements

• Harder-working agents - A large batch of heartbeat, recovery, and execution-lock fixes makes your instance more resilient: execution locks release on cross-agent reassignment, stale executionRunId/checkoutRunId are cleared on release, reassignment, checkout, and run finalization (with a backstop sweeper), orphan execution locks are cleared when a run finalizes, and stale checkout run ownership is safely adopted. (#5110, @vbalko-claimate; #2482, @alcylu; #6008, @nicorodrigues; #4318, @AyeletMorris-ShieldFC; #5413, @ivasuy)
• Smarter recovery - Stranded-issue recovery now skips issues with a pending wake interaction and exempts escalation when the assignee shows recent visible progress, so agents aren't yanked off work they're actively doing. (#4854, @ming0627; #5213, @sunghere)
• Routine detail page - The routine detail page gets a redesigned sub-sidebar layout plus follow-up polish, making it easier to read and tune a recurring routine. (#7848, #7858, @cryppadotta)
• Follow your system theme - First-time visitors now default to their OS prefers-color-scheme, and there's a theme toggle right on the unauthenticated auth page. (#5873, #5874, @stubbi)
• OpenTelemetry auto-instrumentation - The server supports opt-in OpenTelemetry auto-instrumentation, so you can wire Paperclip into your existing observability stack. (#3735, @stubbi)
• Proxy-aware trust config - TRUST_PROXY now accepts a CIDR list and named subnets, making correct client-IP handling behind load balancers and reverse proxies much easier to configure. (#5872, @stubbi)
• GPT-5.5 for Codex local - GPT-5.5 is now available in the codex_local adapter's model options. (#5575, @Buywatermelon)
• Auto-built bundled plugins - Bundled plugins are now built automatically on install, so they work out of the box without a manual build step. (#8254, @devinfoley)
• Read-only agent config without elevated grants - Read-only agent config and skill endpoints no longer require the agents:create permission, so lower-privileged principals can inspect configuration. (#3725, @stubbi)
• Auto-complete approved review comments - Review comments that are approved now auto-complete, removing a manual step from the review loop. (#5839, @tommypoltev)
• Secrets stay out of the logs - HTTP error log lines now redact passwords and tokens so credentials don't leak into your logs. (#8013, @devinfoley)
• Account menu Feedback shortcut - There's now a Feedback item in the account flyout menu for quick, in-context feedback. (#7854, @scotttong)
• Hermes custom providers - The Hermes adapter now passes custom providers through as args, so your provider configuration is respected. (#8231, @cryppadotta)

Fixes

• Agent config save toast - Saving an agent configuration now shows a success toast so you get clear confirmation the change landed. (#1931, @bluzername)
• Extra args field no longer mangles commas - The extra-args field stops corrupting comma-separated values while you type. (#2125, @tvskart)
• Desktop shell stays put - The desktop shell no longer window-scrolls when scrollIntoView walks past the body, and stays pinned on comment submit. (#8071, @devinfoley; #8041, @dosthcpp)
• Routine variable detection - Routine variables are now detected even when their underscores are markdown-escaped. (#8056, @devinfoley)
• Railway compatibility - The VOLUME keyword was removed from the image for Railway compatibility. (#2619, @br-creative)
• Skip gosu when already correct user - Startup skips gosu when the process is already running as the target user. (#2908, @stubbi)
• OpenClaw Gateway - The OpenClaw Gateway integration is now complete and stabilized. (#2322, @DissidentAI)
• Watchdog noise - The watchdog now suppresses repeat alerts when the source issue is blocked or the evaluation is board-closed. (#5942, @dbezar)
• Session continuity across adapter/model swaps - Heartbeats no longer reuse a stale runtime sessionId across an adapter swap or when the agent's model changes, and session IDs are validated as UUIDs before --resume. (#4109, @kengraversen; #4195, @nirarazi; #1742, @nydamon)
• Adapter session self-healing - Local adapters recover more gracefully: gemini_local treats token-overflow as a fresh-session signal, claude_local recovers from a poisoned previous_message_id 400, and runs auto-retry on Claude "Could not process image" 400s during resume. (#4932, @sherifkozman; #5972, @redmutex; #3276, @nullEFFORT)
• Codex local auth handling - codex_local replaces a stale auth.json copy with a symlink on prepare, omits the default model so the CLI picks per auth mode, and there's added test coverage for the EEXIST symlink race. (#5240, @HKTITAN; #7971, @devinfoley; #5269, @abhishekgahlot2)
• No more zombie runs - Zombie run coalescing is prevented and the startup reap completes before the heartbeat timer ticks. (#1731, @carmandale)
• Self-comment reopen guards - Same-run self-comments are skipped and terminal issues are guarded against an assignee's self-comment reopening them. (#4973, @roy493; #4346, @NiViGaHo)
• Defer fresh-session wakes - Same-issue force-fresh-session wakes are deferred into follow-up runs instead of disrupting the current one. (#4080, @xidui)
• Status filter accepts arrays - The issues list endpoint now accepts an array-form ?status= filter and no longer crashes on repeated keys. (#4890, @Lempkey)
• Board member visibility actions - Board members can now perform the null-mapped visibility actions that agents already had. (#7935, @HKTITAN)
• Cron minute-stepper performance - Intl.DateTimeFormat is now cached per timezone in the cron minute-stepper, reducing per-tick overhead. (#8034, @aronprins)
• Managed sandbox dedup - A partial unique index now dedups managed sandbox rows, and the Kubernetes provider resolves sandbox pods by exact name; sandbox workspaces are tarred by entry to avoid EPERM on unowned target dirs. (#8247, @devinfoley; #7982, #7836, @stubbi)
• Orphan-sweep regression - Fixed an orphan-sweep null-assignee filter regression so the sweeper targets the right issues. (#8018, @devinfoley)

Contributors

Thank you to everyone who contributed to this release!

@abhishekgahlot2, @alcylu, @Alex-yang00, @aronprins, @AyeletMorris-ShieldFC, @bluzername, @br-creative, @Buywatermelon, @carmandale, @dbezar, @DissidentAI, @dosthcpp, @HKTITAN, @ivasuy, @kengraversen, @Lempkey, @ming0627, @nicorodrigues, @nirarazi, @nullEFFORT, @nydamon, @redmutex, @roy493, @sherifkozman, @stubbi, @sunghere, @tommypoltev, @tvskart, @vbalko-claimate, @xidui