Changelog — June 17, 2026

Parameter-matching permission rules. Permission rules now support Tool(param:value) syntax (with a * wildcard) to match a tool's input parameters, not just its name — for example Agent(model:opus) to block Opus subagents, or matching on a specific argument shape. This is a meaningful expansion of the permission model: previously a rule could only allow or deny a tool wholesale. Anyone hardening an agent's allowlist should look at re-expressing broad tool grants as parameter-scoped ones.

Nested .claude/skills directories now load. Skills in a nested .claude/skills directory load when you're working on files there; on a name clash with a higher-level skill, the nested one appears as <dir>:<name> so both stay available. Relatedly, when nested .claude/ directories collide, the agent, workflow, and output-style closest to the working directory now wins, and project-scope workflow saves target the closest existing .claude/workflows/.

Auto mode evaluates subagent spawns before launch. Subagent spawns are now run through the auto-mode classifier before they launch, closing a gap where a subagent could request a blocked action without review. A security-relevant tightening for anyone running auto mode.

Smaller fixes & polish. /doctor gets a consistent flat tree layout with clearer status icons; the workflow prompt keyword now uses a purple shimmer and triggers only on explicit phrases like "run a workflow" (not any mention of the word); Remote Control connection errors show a persistent footer indicator and clearer "not yet enabled" reasons; /bug now requires a description and no longer uses refusal text as the issue title; an OOM crash from a stale websocket/OAuth file descriptor is fixed; and Claude in Chrome no longer silently fails to connect when the OAuth token belongs to a different account.

Release notes → Affects: /openclaw/, /openclaw/security/, /openclaw/configuration/, /openclaw/skills-guide/

availableModels enforcement hardened. Alias model picks can no longer be redirected to a blocked model via ANTHROPIC_DEFAULT_*_MODEL environment variables, and /fast now refuses to toggle when doing so would switch to a model outside the allowlist. This complements the enforceAvailableModels setting from v2.1.175 — together they close the remaining env-var and fast-mode escape hatches around managed model allowlists.

Conversation-language session titles + footer link badges. Session titles are now generated in the language of your conversation (pin one with the language setting), and a new footerLinksRegexes setting adds regex-matched link badges to the footer row via user or managed settings.

Hook path conditions and sandbox fixes. Hook if conditions for Read/Edit/Write tool paths now match correctly for documented patterns like Edit(src/**), Read(~/.ssh/**), and Read(.env); the Linux sandbox no longer fails to start when .claude/settings.json is a symlink with an absolute target; and auto mode no longer fails on Fable 5 for orgs without Opus 4.8 (the classifier falls back to the best available Opus). Plus Bedrock credential caching honors the real Expiration, several Remote Control fixes (no more silent model switches from web/mobile), and /copy reaching the clipboard inside tmux over SSH.

Release notes → Affects: /openclaw/, /openclaw/configuration/, /openclaw/security/, /openclaw/cost-optimisation/

Stability fix batch. Mid-stream connection drops now preserve the partial response instead of showing a raw error, and the spinner no longer sticks at "running tool". Mouse-wheel scrolling is fixed in WSL2 under Windows Terminal and VS Code (a regression from 2.1.172). A sandbox denyRead/allowRead glob over a large directory tree could balloon the Bash tool description and make sessions unusable on Linux — fixed. Also: the feedback survey no longer captures a single-digit reply as a session rating, the welcome screen shows at most one promo banner, Ctrl+O shows a subagent's transcript correctly, remote-session background tasks no longer appear stuck "still running" between turns, and plugin loading is faster in remote sessions. (v2.1.177 shipped with no published notes.)

Release notes → Affects: /openclaw/, /openclaw/troubleshooting/, /openclaw/setup/

Embedded LanceDB is now the default semantic-search store. Codebase indexing for semantic search now uses an embedded LanceDB vector store out of the box, so it works without standing up a separate Qdrant server — a real simplification of the search setup. Existing Qdrant users and Intel Mac users can still select qdrant via indexing.vectorStore. (v7.3.44, pre-release.)

Onboarding autonomy preset + Gateway deep links. v7.3.45 lets you choose an agent autonomy preset during VS Code onboarding and select Kilo Gateway catalog models from VS Code deep links. It also shows submitted review comments as interactive message cards, lets Escape stop Agent Manager prompts while sessions are still starting, and hides turn-outcome warnings caused only by unfinished to-dos.

Per-subagent reasoning overrides. v7.3.46 adds model-specific reasoning overrides for task subagents, including custom subagents with their own model and variant settings, and allows reasoning to be removed from custom provider models after it's been enabled. It also restores reverted sessions on the first Redo click and routes question responses back to the worktree where the question was created. Separately, JetBrains 7.0.1-rc.9 adds prompt-enhancement support and prompt/transcript attachments (paste, drop, preview).

Release notes → Affects: /kilocode/, /kilocode/setup/, /kilocode/models/, /kilocode/orchestrator/

NemoClaw published v0.0.65 release notes and merged a large batch. Most commits are the continuing migration of legacy shell E2E tests to live Vitest scenarios (full-e2e, cloud-onboard, gpu-double-onboard, onboard-resume) and cognitive-complexity refactors of onboard.ts/rebuild.ts — no user-visible behavior change. The user-facing changes:

v0.0.65 release notes published (#5519): The release notes now cover deadline-based gateway wait reliability, re-exec'd OpenClaw gateway health-check recovery, safer uninstall TTY confirmation, fail-closed config-restore merges, WeChat QR token redaction, and model-router teardown during uninstall, with the generated nemoclaw-user-* skills regenerated from source docs.

Insecure temp-file creation hardened (#5517): Predictable host SSH-config temp files now live inside private mkdtemp-backed directories, and the startup log, gateway/auto-pair log, health-marker, and PID writes in nemoclaw-start.sh now use same-directory temp files plus atomic rename. A focused least-privilege/security fix against predictable-temp-file races, with regression coverage added.

Contributor PRs now require DCO + verified commits (#5523): Contributor agents must include a PR-body DCO sign-off declaration and have every pushed commit show as GitHub-Verified before opening a PR; the contributor PR-creation skill now verifies signatures before running gh pr create and stops if either is missing. Relevant if you run a NemoClaw contributor agent against this repo.

Enterprise-readiness reference + sub-agent setup clarified (#5372, #5521): A new enterprise-readiness reference classifies what's supported today vs. manual/admin-only vs. partner-owned vs. roadmap. The task-specific sub-agent setup guide now states its prerequisites (an installed host and a running sandbox) up front and adds the missing runnable steps for patching openclaw.json, uploading sub-agent credentials, and verifying hot reload.

Commit log → Affects: /nemoclaw/, /nemoclaw/setup/, /nemoclaw/skills/

Anthropic release-notes pages updated. Both the Claude apps and Claude API release-notes pages changed again. The monitor detected the updates, but the pages render their entries client-side and expose no machine-readable content to the poller — check the apps and API pages directly for specifics.

Release notes → Affects: /claude-cowork/, /claude-cowork/pricing/, /claude-cowork/vs-api/