Home › Changelog › 2026-07-09
Last updated: 2026-07-09
Changelog — July 9, 2026
A feature-heavy few days across four platforms. Claude Code shipped three releases (v2.1.203–v2.1.205) — a login-expiry warning and MCP roots/list additions on top of a big reliability sweep. Kilo Code v7.4.4 adds experimental AI image generation, project memory in the VS Code extension, and first-class sandbox settings. Hermes cut two infrastructure patch tags (v0.18.2). And NemoClaw's main landed first-class OpenRouter onboarding plus a batch of network-policy hardening. No new IronClaw release.
Three releases in two days — a few genuinely useful additions, then a deep reliability sweep. The new features worth knowing:
- Login-expiry warning (v2.1.203): Claude Code now warns you before your login expires, so you can re-authenticate before a long-running background session is interrupted mid-task.
- Manual-mode badge (v2.1.203): a grey ⏸ badge appears in the footer whenever you're in Manual (approve-each-action) permission mode, so the active mode is always visible at a glance.
- MCP
roots/list (v2.1.203): the session's additional working directories are now exposed to MCP servers via roots/list, with a notifications/roots/list_changed sent when the set changes — MCP servers can finally see every directory you've added, not just the launch dir.
- Transcript-tampering guard (v2.1.205): auto mode now blocks tampering with session transcript files — a small but meaningful hardening for auto-approved runs.
The rest is bug fixes, and there are a lot of them:
- Background agents: agents resumed with
SendMessage no longer stay stuck showing "failed"/"completed" in the list; jobs no longer flip from "needs input" back to "working" when a turn has no readable text; claude attach now waits for an agent that's mid-upgrade restart instead of erroring; and on macOS, opening/switching background sessions no longer stalls 15–20s from a false low-memory detection (a 2.1.196 regression). A session whose daemon token went stale now recovers automatically instead of becoming permanently unresponsive, and returning to claude agents no longer silently stops running subagents and re-runs the prompt from scratch.
- Windows: worktree removal no longer deletes files outside the worktree when an NTFS junction or directory symlink exists inside it; a crash when the launch directory is deleted, locked, or unmounted mid-command is fixed; and background agents no longer inherit a stale
PATH from the daemon (which caused missing tools).
- Schema & turns:
--json-schema no longer silently produces unstructured output when the schema is invalid, and schemas using the format keyword are no longer rejected; a message sent while Claude was working is no longer lost when the turn ends at the --max-turns limit.
- Config & environment: background and agent-view sessions no longer drop a shell-exported
ANTHROPIC_BASE_URL (which had sent API keys to the default endpoint and failed with 401); claude mcp add-from-claude-desktop no longer gets stuck on a server name with unsupported characters; and Bash no longer fails with "argument list too long" in repos with many git worktrees.
- Worktree isolation: worktree-isolated subagents no longer sometimes run shell commands in the parent checkout; worktree creation no longer rejects nested repositories in multi-repo workspaces; and background agents no longer crash-loop when their working directory is deleted or replaced — they now fail once with a clear error.
- Misc: SessionStart hooks now stream in headless sessions (v2.1.204 — previously remote workers could be idle-reaped mid-hook); project verify skills are only rewritten when a documented command changes, not every session; and session-to-PR linking now catches a PR created in a Bash call whose output exceeded the 30K inline limit.
Who should care: anyone running Claude Code as a background/remote agent (most of the fixes land there), Windows users (the NTFS-junction worktree fix is a real data-safety bug), and anyone scripting with --json-schema or custom ANTHROPIC_BASE_URL gateways. Nothing here is breaking — it's an incremental reliability run on the 2.1 line.
Release notes →
Affects: /openclaw/, /openclaw/setup/, /openclaw/configuration/, /openclaw/security/, /claude-cowork/
A genuinely feature-packed pair of releases (v7.4.3 rolls up the v7.4.2 pre-release; v7.4.4 adds sandboxing on top):
- Experimental AI image generation (#11826): a new text-to-image and image-editing tool, enabled via
experimental.image_generation in config. It works through the Kilo Gateway or a BYO OpenRouter API key.
- Inline image rendering (#12010): when the agent reads an image file, it now renders inline in the chat view below the read-tool card, clickable to open a full-size preview.
- Project memory in the VS Code extension (#11954): memory status and controls in the Context settings tab, task-header and assistant-message affordances, a
/memory prompt command, and Show/Toggle Project Memory command-palette entries.
- First-class sandbox settings (#12049, v7.4.4): sandboxing is now configured through dedicated settings with its controls on a new Sandboxing page for all supported macOS and Linux users — disabled by default. Ships with an
@kilocode/[email protected] bump.
Who should care: Kilo Code users on VS Code who want persistent project memory, anyone experimenting with in-editor image generation, and macOS/Linux users who want to sandbox agent file/command execution. Image generation and sandboxing are both opt-in.
Release notes →
Affects: /kilocode/, /kilocode/setup/, /kilocode/models/, /kilocode/orchestrator/, /kilocode/security/
Two infrastructure patch tags — not a curated feature release. v0.18.1 (2026.7.7) rolls up roughly 667 commits across ~990 files merged since v0.18.0 (July 1) into a stable tag for downstream consumers — Docker images, hosted deployments, and PyPI installs. It includes installer/updater self-healing on Windows, dashboard and gateway fixes, WhatsApp dashboard pairing, and MCP/provider fixes. v0.18.2 (2026.7.7.2) is a same-day follow-up that unpins the WhatsApp Baileys dependency from a git commit to the published 7.0.0-rc13, so tagged-release Docker image builds install reliably (#60643).
Who should care: anyone pulling Hermes from a tagged Docker image or PyPI rather than tracking main — these tags give you a stable checkpoint. The curated, contributor-credited notes for everything since v0.18.0 will ship with v0.19.0; nothing in this window is skipped, just documented later. Update with hermes update or pip install -U hermes-agent.
Hermes releases →
Affects: /hermes/, /hermes/setup/, /hermes/vps-install/, /hermes/mcp-tools/
2026-07-09
NemoClaw
main · OpenRouter onboarding & policy hardening
A feature-and-security day on main. The headline additions:
- First-class OpenRouter onboarding (#6461): OpenRouter is now a selectable provider for OpenClaw, Hermes, and LangChain Deep Agents Code, configured through the OpenAI-compatible runtime path with the OpenRouter base URL and
OPENROUTER_API_KEY. (Attribution headers are applied to onboarding/catalog/validation probes; runtime sandbox traffic uses OpenShell's openai profile pointed at openrouter.ai/api/v1.)
- Shell completion (#6271): new
nemoclaw completion [bash|zsh|fish] command, generated from the CLI's own command metadata so it stays in sync — including registered sandbox names.
- Structured logging (#6272): leveled CLI logging (error/warn/info/debug) to
stderr, configurable via NEMOCLAW_LOG_LEVEL, NEMOCLAW_DEBUG, or hidden --debug/--quiet flags, with credential redaction built in.
And a batch of network-policy and reliability hardening:
- Least-privilege git egress (#6541): enabling the
brew preset no longer implicitly grants Git access to GitHub — GitHub Git egress now requires the explicit github preset, restoring the intended boundary.
- Gmail policy preset (#5415): a new least-privilege
gmail preset allowing only /usr/bin/python3 to reach imap.gmail.com:993 and smtp.gmail.com:465, with a documented App Password workflow.
- POSIX-compatible proxy env (#6560): fixes a regression where the generated proxy-env file used Bash-only builtins, causing POSIX login shells to reject the gateway trust anchor and fail lifecycle operations.
- Honest orphaned-sandbox reporting (#6539):
uninstall --yes followed by reinstall no longer reports false "Installation complete" while stranding a sandbox — it now reports "completed with warnings" with concrete remediation.
- Bounded inference compaction (#6484): each managed remote-inference compaction attempt on
inference.local routes is now capped at 120s (was an unbounded ~7-minute wait), with lifecycle notifications enabled.
- Also: gateway-route drift warning in
status (#6465); TOML parsing for dcode config get (#6552); plain OTLP endpoint URLs allowed past the dcode secret guard (#6538); WhatsApp post-pair gateway restart without granting operator.admin (#6496); and quieter local Docker BuildKit progress (#6536).
Who should care: anyone routing NemoClaw sandboxes through OpenRouter (now a supported provider), operators relying on network-policy presets (the brew→git egress change is a real least-privilege tightening — audit any policy that assumed brew granted GitHub access), and POSIX-shell users hit by the proxy-env regression. These are commit-level changes on main, not a tagged release — NemoClaw versions from the changelog, not version tags.
NemoClaw commits →
Affects: /nemoclaw/, /nemoclaw/setup/, /nemoclaw/policy/, /nemoclaw/switching-providers/, /nemoclaw/skills/
See all releases
Browse the full changelog index for the complete history across all platforms, or the daily one-liner for the most recent state of each agent.