A release weighted toward permissions, telemetry, and background-agent reliability. Two changes are worth acting on before you upgrade — one telemetry default, one new permission control:
- New claude_code.assistant_response OpenTelemetry event — read this if you log telemetry: a new OTEL log event carries the model's response text. It's redacted unless OTEL_LOG_ASSISTANT_RESPONSES=1, but when that var is unset it inherits OTEL_LOG_USER_PROMPTS. So any deployment that already logs prompt content will start logging response content on upgrade. If you want to keep logging prompts but not responses, set OTEL_LOG_ASSISTANT_RESPONSES=0 explicitly.
- autoMode.classifyAllShell (new setting): routes all Bash/PowerShell commands through the auto-mode classifier, instead of only the arbitrary-code-execution patterns it checked before. A tighter net for teams running auto-accept with guardrails.
- Auto-mode denial reasons are now visible: when auto-mode blocks something, the reason shows up in the transcript, the denial toast, and the /permissions "recently denied" list — so you can see why a command was refused instead of guessing.
- Idle background shells get reaped under memory pressure: long-lived background shell commands are now cleaned up automatically when memory is tight. Disable with CLAUDE_CODE_DISABLE_BG_SHELL_PRESSURE_REAP=1 if you depend on them staying alive.
- MCP auth is easier to discover: a startup notice now appears when MCP servers need authentication, pointing you at /mcp; and the headersHelper auth helper re-runs and reconnects automatically when a tool call returns 401/403.
- Background-agent fixes: backgrounding (←←) no longer spuriously cancels with "N background tasks would be abandoned" when everything carries over; pinned background agents stop being re-prompted to "Continue from where you left off" after every auto-update; backgrounding the main turn no longer spawns a phantom "general-purpose (resumed)" subagent that re-ran the conversation; and the agent panel no longer hides sibling agents while you view a subagent.
- Smaller niceties: live file-path autocomplete in bash mode (!); /model and other client-data-gated UI no longer show stale/empty state right after /login; marketplace plugin renames maps are followed automatically; and a clearer /add-dir message when the directory is already a working directory.
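
The inheritance rule in the first item above can be checked per deployment before upgrading. This is an added example, not vendor code; the function names are hypothetical, and it assumes env files with plain KEY=VALUE lines and that only the literal value 1 enables either variable.

```shell
#!/bin/sh
# Added example, not vendor code.
# Assumptions: env files hold plain KEY=VALUE lines; only the literal "1" enables a variable.

# Prints explicit-on, explicit-off, inherited-on or inherited-off for the current
# values of the two variables, following the inheritance rule described above.
response_logging_state() {
    if [ -n "${OTEL_LOG_ASSISTANT_RESPONSES+set}" ]; then
        # Set (even to empty): the new variable decides on its own.
        if [ "$OTEL_LOG_ASSISTANT_RESPONSES" = "1" ]; then
            echo explicit-on
        else
            echo explicit-off
        fi
    elif [ "${OTEL_LOG_USER_PROMPTS:-}" = "1" ]; then
        echo inherited-on    # unset, so it follows the prompt-logging switch
    else
        echo inherited-off
    fi
}

# Evaluates one deployment's env file in a subshell so the caller's environment
# neither leaks in nor gets modified.
audit_env_file() {
    (
        unset OTEL_LOG_USER_PROMPTS OTEL_LOG_ASSISTANT_RESPONSES
        while IFS='=' read -r key value || [ -n "$key" ]; do
            case "$key" in
                OTEL_LOG_USER_PROMPTS) OTEL_LOG_USER_PROMPTS=$value ;;
                OTEL_LOG_ASSISTANT_RESPONSES) OTEL_LOG_ASSISTANT_RESPONSES=$value ;;
            esac
        done < "$1"
        response_logging_state
    )
}

# CI gate: non-zero when response text would start flowing only by inheritance.
upgrade_gate() {
    state=$(audit_env_file "$1")
    echo "$1: $state" >&2
    [ "$state" != "inherited-on" ]
}

# Constructed sample: a deployment that logs prompts and never set the new variable.
sample=$(mktemp)
printf 'OTEL_LOG_USER_PROMPTS=1\n' > "$sample"
upgrade_gate "$sample" || echo "set OTEL_LOG_ASSISTANT_RESPONSES explicitly before upgrading"
rm -f "$sample"
```
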
Release notes →
Affects: /openclaw/, /openclaw/configuration/, /openclaw/security/, /claude-cowork/, /claude-cowork/setup/
Two Team/Enterprise-plan additions to the Claude apps, both about how Claude shows up in shared work.
- Admin-mandated device verification for remote Claude Code sessions (June 25): admins on Team and Enterprise plans can now require members to pass device verification before they access or control a remote Claude Code session. A control for orgs that let people drive Claude Code from a phone or a second machine.
- Tag Claude in Slack (June 23): Team and Enterprise members can @-mention Claude directly inside a Slack conversation to hand it a task and keep working while it runs — a lighter-weight entry point than opening the app.
Claude apps release notes →
Affects: /claude-cowork/, /claude-cowork/setup/
A heavy day on main centered on making LangChain Deep Agents Code (dcode) a first-class terminal runtime. No new version tag landed (NemoClaw stays at v0.0.67), but these merged commits are what readers running or evaluating Deep Agents Code will feel:
- Opt-in Tavily web-search preset for Deep Agents Code (#5621/#5651): a new maintained tavily policy preset opens egress to api.tavily.com:443 only, scoped to the python3/node/curl binaries. Enable with nemoclaw <name> policy-add tavily and supply the Tavily key at runtime (it isn't baked into the image). LangSmith tracing is explicitly not supported — no preset opens its endpoint.
- dcode now dispatches correctly (#5815): nemoclaw <name> agent on a Deep Agents Code sandbox now routes bare dcode and dcode --help through the manifest command instead of being short-circuited by OpenClaw-only help handling.
- Secret-shaped env injection is rejected before dcode starts (#5767): a pre-flight guard refuses to launch if a credential-shaped value (e.g. sk-, nvapi-, ghp_) is injected at runtime or persisted to the DeepAgents .env, before any network IO. It names the offending variable without echoing its value and points you at nemoclaw credentials.
- Honest status for drifted terminal sandboxes (#5833, #5731): status now live-probes the agent version so stale Deep Agents Code sandboxes surface the Update:/rebuild hint instead of looking healthy, and dashboard-url says terminal runtimes have no dashboard by design instead of failing with a misleading "sandbox is down" error.
- macOS onboarding no longer hangs (#5768): on macOS VM-driver hosts, a Deep Agents Code sandbox that reached Ready without emitting gateway-style startup output used to stall for minutes; onboarding now detaches once OpenShell reports Ready.
- Messaging fail-closed + sturdier CLI: channel support is now derived from channel manifests so unsupported agent/channel pairs (e.g. DeepAgents messaging) are rejected before any mutation (#5777); list recovers live sandboxes when the local registry is empty (#5786); connect restores the terminal after an abrupt SSH disconnect (#5834); rebuild aborts before backup/delete when the gateway provider is missing (#5831); and onboard --agent help now lists the valid runtime names (#5781).
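
The shape of the secret-shaped env guard (#5767) described above, as an added sketch that is not NemoClaw's code: the function names are hypothetical, the prefix list is limited to the three examples quoted in that item, and the input is assumed to be KEY=VALUE lines such as the output of env or a .env file.

```shell
#!/bin/sh
# Added sketch, not NemoClaw's code. The three prefixes are the examples quoted
# above; the real guard's full pattern list is not given on this page.

# Reads KEY=VALUE lines on stdin and prints the NAMES of variables whose value
# starts with a credential-shaped prefix. Values are never printed.
find_secret_shaped() {
    while IFS='=' read -r key value || [ -n "$key" ]; do
        value=${value#\"}    # tolerate one leading double quote in .env files
        value=${value#\'}    # ... or one leading single quote
        case "$value" in
            sk-*|nvapi-*|ghp_*) printf '%s\n' "${key#export }" ;;
        esac
    done
}

# Pre-flight: reads the same input, reports each offending variable by name
# only, and returns non-zero so the caller can stop before launching anything.
preflight() {
    offenders=$(find_secret_shaped | sort -u)
    [ -z "$offenders" ] && return 0
    for name in $offenders; do
        echo "refusing to start: $name holds a credential-shaped value; see nemoclaw credentials" >&2
    done
    return 1
}

# Constructed sample input; none of these values is a real credential.
sample='NAME=demo
OPENAI_API_KEY="sk-constructed-example"
GH_TOKEN=ghp_constructed_example'
printf '%s\n' "$sample" | preflight || echo "launch blocked"
```

For the runtime environment, pipe the output of env into preflight; for a persisted file, redirect the .env file to its standard input.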
Commit log →
Affects: /nemoclaw/, /nemoclaw/setup/, /nemoclaw/policy/, /nemoclaw/skills/