Last updated: 2026-07-09

Changelog — July 9, 2026

A feature-heavy few days across four platforms. Claude Code shipped three releases (v2.1.203v2.1.205) — a login-expiry warning and MCP roots/list additions on top of a big reliability sweep. Kilo Code v7.4.4 adds experimental AI image generation, project memory in the VS Code extension, and first-class sandbox settings. Hermes cut two infrastructure patch tags (v0.18.2). And NemoClaw's main landed first-class OpenRouter onboarding plus a batch of network-policy hardening. No new IronClaw release.

2026-07-09 Claude Code v2.1.203 · v2.1.204 · v2.1.205

Three releases in two days — a few genuinely useful additions, then a deep reliability sweep. The new features worth knowing:

  • Login-expiry warning (v2.1.203): Claude Code now warns you before your login expires, so you can re-authenticate before a long-running background session is interrupted mid-task.
  • Manual-mode badge (v2.1.203): a grey badge appears in the footer whenever you're in Manual (approve-each-action) permission mode, so the active mode is always visible at a glance.
  • MCP roots/list (v2.1.203): the session's additional working directories are now exposed to MCP servers via roots/list, with a notifications/roots/list_changed sent when the set changes — MCP servers can finally see every directory you've added, not just the launch dir.
  • Transcript-tampering guard (v2.1.205): auto mode now blocks tampering with session transcript files — a small but meaningful hardening for auto-approved runs.

The rest is bug fixes, and there are a lot of them:

  • Background agents: agents resumed with SendMessage no longer stay stuck showing "failed"/"completed" in the list; jobs no longer flip from "needs input" back to "working" when a turn has no readable text; claude attach now waits for an agent that's mid-upgrade restart instead of erroring; and on macOS, opening/switching background sessions no longer stalls 15–20s from a false low-memory detection (a 2.1.196 regression). A session whose daemon token went stale now recovers automatically instead of becoming permanently unresponsive, and returning to claude agents no longer silently stops running subagents and re-runs the prompt from scratch.
  • Windows: worktree removal no longer deletes files outside the worktree when an NTFS junction or directory symlink exists inside it; a crash when the launch directory is deleted, locked, or unmounted mid-command is fixed; and background agents no longer inherit a stale PATH from the daemon (which caused missing tools).
  • Schema & turns: --json-schema no longer silently produces unstructured output when the schema is invalid, and schemas using the format keyword are no longer rejected; a message sent while Claude was working is no longer lost when the turn ends at the --max-turns limit.
  • Config & environment: background and agent-view sessions no longer drop a shell-exported ANTHROPIC_BASE_URL (which had sent API keys to the default endpoint and failed with 401); claude mcp add-from-claude-desktop no longer gets stuck on a server name with unsupported characters; and Bash no longer fails with "argument list too long" in repos with many git worktrees.
  • Worktree isolation: worktree-isolated subagents no longer sometimes run shell commands in the parent checkout; worktree creation no longer rejects nested repositories in multi-repo workspaces; and background agents no longer crash-loop when their working directory is deleted or replaced — they now fail once with a clear error.
  • Misc: SessionStart hooks now stream in headless sessions (v2.1.204 — previously remote workers could be idle-reaped mid-hook); project verify skills are only rewritten when a documented command changes, not every session; and session-to-PR linking now catches a PR created in a Bash call whose output exceeded the 30K inline limit.

Who should care: anyone running Claude Code as a background/remote agent (most of the fixes land there), Windows users (the NTFS-junction worktree fix is a real data-safety bug), and anyone scripting with --json-schema or custom ANTHROPIC_BASE_URL gateways. Nothing here is breaking — it's an incremental reliability run on the 2.1 line.

Release notes → Affects: /openclaw/, /openclaw/setup/, /openclaw/configuration/, /openclaw/security/, /claude-cowork/

2026-07-09 Kilo Code v7.4.4 · v7.4.3

A genuinely feature-packed pair of releases (v7.4.3 rolls up the v7.4.2 pre-release; v7.4.4 adds sandboxing on top):

  • Experimental AI image generation (#11826): a new text-to-image and image-editing tool, enabled via experimental.image_generation in config. It works through the Kilo Gateway or a BYO OpenRouter API key.
  • Inline image rendering (#12010): when the agent reads an image file, it now renders inline in the chat view below the read-tool card, clickable to open a full-size preview.
  • Project memory in the VS Code extension (#11954): memory status and controls in the Context settings tab, task-header and assistant-message affordances, a /memory prompt command, and Show/Toggle Project Memory command-palette entries.
  • First-class sandbox settings (#12049, v7.4.4): sandboxing is now configured through dedicated settings with its controls on a new Sandboxing page for all supported macOS and Linux users — disabled by default. Ships with an @kilocode/[email protected] bump.

Who should care: Kilo Code users on VS Code who want persistent project memory, anyone experimenting with in-editor image generation, and macOS/Linux users who want to sandbox agent file/command execution. Image generation and sandboxing are both opt-in.

Release notes → Affects: /kilocode/, /kilocode/setup/, /kilocode/models/, /kilocode/orchestrator/, /kilocode/security/

2026-07-08 Hermes v0.18.1 · v0.18.2

Two infrastructure patch tags — not a curated feature release. v0.18.1 (2026.7.7) rolls up roughly 667 commits across ~990 files merged since v0.18.0 (July 1) into a stable tag for downstream consumers — Docker images, hosted deployments, and PyPI installs. It includes installer/updater self-healing on Windows, dashboard and gateway fixes, WhatsApp dashboard pairing, and MCP/provider fixes. v0.18.2 (2026.7.7.2) is a same-day follow-up that unpins the WhatsApp Baileys dependency from a git commit to the published 7.0.0-rc13, so tagged-release Docker image builds install reliably (#60643).

Who should care: anyone pulling Hermes from a tagged Docker image or PyPI rather than tracking main — these tags give you a stable checkpoint. The curated, contributor-credited notes for everything since v0.18.0 will ship with v0.19.0; nothing in this window is skipped, just documented later. Update with hermes update or pip install -U hermes-agent.

Hermes releases → Affects: /hermes/, /hermes/setup/, /hermes/vps-install/, /hermes/mcp-tools/

2026-07-09 NemoClaw main · OpenRouter onboarding & policy hardening

A feature-and-security day on main. The headline additions:

  • First-class OpenRouter onboarding (#6461): OpenRouter is now a selectable provider for OpenClaw, Hermes, and LangChain Deep Agents Code, configured through the OpenAI-compatible runtime path with the OpenRouter base URL and OPENROUTER_API_KEY. (Attribution headers are applied to onboarding/catalog/validation probes; runtime sandbox traffic uses OpenShell's openai profile pointed at openrouter.ai/api/v1.)
  • Shell completion (#6271): new nemoclaw completion [bash|zsh|fish] command, generated from the CLI's own command metadata so it stays in sync — including registered sandbox names.
  • Structured logging (#6272): leveled CLI logging (error/warn/info/debug) to stderr, configurable via NEMOCLAW_LOG_LEVEL, NEMOCLAW_DEBUG, or hidden --debug/--quiet flags, with credential redaction built in.

And a batch of network-policy and reliability hardening:

  • Least-privilege git egress (#6541): enabling the brew preset no longer implicitly grants Git access to GitHub — GitHub Git egress now requires the explicit github preset, restoring the intended boundary.
  • Gmail policy preset (#5415): a new least-privilege gmail preset allowing only /usr/bin/python3 to reach imap.gmail.com:993 and smtp.gmail.com:465, with a documented App Password workflow.
  • POSIX-compatible proxy env (#6560): fixes a regression where the generated proxy-env file used Bash-only builtins, causing POSIX login shells to reject the gateway trust anchor and fail lifecycle operations.
  • Honest orphaned-sandbox reporting (#6539): uninstall --yes followed by reinstall no longer reports false "Installation complete" while stranding a sandbox — it now reports "completed with warnings" with concrete remediation.
  • Bounded inference compaction (#6484): each managed remote-inference compaction attempt on inference.local routes is now capped at 120s (was an unbounded ~7-minute wait), with lifecycle notifications enabled.
  • Also: gateway-route drift warning in status (#6465); TOML parsing for dcode config get (#6552); plain OTLP endpoint URLs allowed past the dcode secret guard (#6538); WhatsApp post-pair gateway restart without granting operator.admin (#6496); and quieter local Docker BuildKit progress (#6536).

Who should care: anyone routing NemoClaw sandboxes through OpenRouter (now a supported provider), operators relying on network-policy presets (the brew→git egress change is a real least-privilege tightening — audit any policy that assumed brew granted GitHub access), and POSIX-shell users hit by the proxy-env regression. These are commit-level changes on main, not a tagged release — NemoClaw versions from the changelog, not version tags.

NemoClaw commits → Affects: /nemoclaw/, /nemoclaw/setup/, /nemoclaw/policy/, /nemoclaw/switching-providers/, /nemoclaw/skills/

Guides that may be outdated

Some pages touched by these releases haven't been refreshed in over 30 days and are queued for review: /openclaw/setup/ and /openclaw/security/ (Apr 6), /openclaw/ (Apr 19), /openclaw/configuration/ (May 16), and the Kilo Code and NemoClaw guides — /kilocode/setup/, /kilocode/security/, /nemoclaw/switching-providers/, /nemoclaw/policy/ (May 30). Content is still broadly accurate; version numbers and a few command/flag details may lag — Kilo's image-generation and sandboxing settings and NemoClaw's OpenRouter onboarding are new since those pages were last touched.

See all releases

Browse the full changelog index for the complete history across all platforms, or the daily one-liner for the most recent state of each agent.