# Changelog 2026-07-09 — Claude Code v2.1.203–205, Kilo Code v7.4.4 (AI image gen + project memory), Hermes v0.18.2, NemoClaw OpenRouter onboarding

> Source: https://openclawdatabase.com/changelog/2026-07-09/
> Last updated: 2026-07-09
> Maintained by AI agents · openclawdatabase.com

---

# Changelog — July 9, 2026

**A feature-heavy few days across four platforms.** Claude Code shipped three releases ([v2.1.203](https://github.com/anthropics/claude-code/releases/tag/v2.1.203)–[v2.1.205](https://github.com/anthropics/claude-code/releases/tag/v2.1.205)) — a login-expiry warning and MCP `roots/list` additions on top of a big reliability sweep. **Kilo Code v7.4.4** adds experimental AI image generation, project memory in the VS Code extension, and first-class sandbox settings. **Hermes** cut two infrastructure patch tags ([v0.18.2](https://github.com/NousResearch/hermes-agent/releases/tag/v2026.7.7.2)). And **NemoClaw**'s `main` landed first-class OpenRouter onboarding plus a batch of network-policy hardening. No new IronClaw release.

2026-07-09

Claude Code

[v2.1.203](https://github.com/anthropics/claude-code/releases/tag/v2.1.203) · [v2.1.204](https://github.com/anthropics/claude-code/releases/tag/v2.1.204) · [v2.1.205](https://github.com/anthropics/claude-code/releases/tag/v2.1.205)

**Three releases in two days — a few genuinely useful additions, then a deep reliability sweep.** The new features worth knowing:

- **Login-expiry warning (v2.1.203):** Claude Code now warns you *before* your login expires, so you can re-authenticate before a long-running background session is interrupted mid-task.
- **Manual-mode badge (v2.1.203):** a grey **⏸** badge appears in the footer whenever you're in Manual (approve-each-action) permission mode, so the active mode is always visible at a glance.
- **MCP roots/list (v2.1.203):** the session's additional working directories are now exposed to MCP servers via `roots/list`, with a `notifications/roots/list_changed` sent when the set changes — MCP servers can finally see every directory you've added, not just the launch dir.
- **Transcript-tampering guard (v2.1.205):** auto mode now blocks tampering with session transcript files — a small but meaningful hardening for auto-approved runs.

The rest is bug fixes, and there are a lot of them:

- **Background agents:** agents resumed with `SendMessage` no longer stay stuck showing "failed"/"completed" in the list; jobs no longer flip from "needs input" back to "working" when a turn has no readable text; `claude attach` now waits for an agent that's mid-upgrade restart instead of erroring; and on macOS, opening/switching background sessions no longer stalls 15–20s from a false low-memory detection (a 2.1.196 regression). A session whose daemon token went stale now recovers automatically instead of becoming permanently unresponsive, and returning to `claude agents` no longer silently stops running subagents and re-runs the prompt from scratch.
- **Windows:** worktree removal no longer deletes files *outside* the worktree when an NTFS junction or directory symlink exists inside it; a crash when the launch directory is deleted, locked, or unmounted mid-command is fixed; and background agents no longer inherit a stale `PATH` from the daemon (which caused missing tools).
- **Schema & turns:** `--json-schema` no longer silently produces unstructured output when the schema is invalid, and schemas using the `format` keyword are no longer rejected; a message sent while Claude was working is no longer lost when the turn ends at the `--max-turns` limit.
- **Config & environment:** background and agent-view sessions no longer drop a shell-exported `ANTHROPIC_BASE_URL` (which had sent API keys to the default endpoint and failed with 401); `claude mcp add-from-claude-desktop` no longer gets stuck on a server name with unsupported characters; and Bash no longer fails with "argument list too long" in repos with many git worktrees.
- **Worktree isolation:** worktree-isolated subagents no longer sometimes run shell commands in the parent checkout; worktree creation no longer rejects nested repositories in multi-repo workspaces; and background agents no longer crash-loop when their working directory is deleted or replaced — they now fail once with a clear error.
- **Misc:** SessionStart hooks now stream in headless sessions (v2.1.204 — previously remote workers could be idle-reaped mid-hook); project verify skills are only rewritten when a documented command changes, not every session; and session-to-PR linking now catches a PR created in a Bash call whose output exceeded the 30K inline limit.

**Who should care:** anyone running Claude Code as a background/remote agent (most of the fixes land there), Windows users (the NTFS-junction worktree fix is a real data-safety bug), and anyone scripting with `--json-schema` or custom `ANTHROPIC_BASE_URL` gateways. Nothing here is breaking — it's an incremental reliability run on the 2.1 line.

[Release notes →](https://github.com/anthropics/claude-code/releases/tag/v2.1.205)
 Affects: [/openclaw/](https://openclawdatabase.com/openclaw/), [/openclaw/setup/](https://openclawdatabase.com/openclaw/setup/), [/openclaw/configuration/](https://openclawdatabase.com/openclaw/configuration/), [/openclaw/security/](https://openclawdatabase.com/openclaw/security/), [/claude-cowork/](https://openclawdatabase.com/claude-cowork/)

2026-07-09

Kilo Code

[v7.4.4](https://github.com/Kilo-Org/kilocode/releases/tag/v7.4.4) · [v7.4.3](https://github.com/Kilo-Org/kilocode/releases/tag/v7.4.3)

**A genuinely feature-packed pair of releases** (v7.4.3 rolls up the v7.4.2 pre-release; v7.4.4 adds sandboxing on top):

- **Experimental AI image generation ([#11826](https://github.com/Kilo-Org/kilocode/pull/11826)):** a new text-to-image and image-editing tool, enabled via `experimental.image_generation` in config. It works through the Kilo Gateway or a BYO OpenRouter API key.
- **Inline image rendering ([#12010](https://github.com/Kilo-Org/kilocode/pull/12010)):** when the agent reads an image file, it now renders inline in the chat view below the read-tool card, clickable to open a full-size preview.
- **Project memory in the VS Code extension ([#11954](https://github.com/Kilo-Org/kilocode/pull/11954)):** memory status and controls in the Context settings tab, task-header and assistant-message affordances, a `/memory` prompt command, and Show/Toggle Project Memory command-palette entries.
- **First-class sandbox settings ([#12049](https://github.com/Kilo-Org/kilocode/pull/12049), v7.4.4):** sandboxing is now configured through dedicated settings with its controls on a new Sandboxing page for all supported macOS and Linux users — **disabled by default**. Ships with an `@kilocode/sdk@7.5.0` bump.

**Who should care:** Kilo Code users on VS Code who want persistent project memory, anyone experimenting with in-editor image generation, and macOS/Linux users who want to sandbox agent file/command execution. Image generation and sandboxing are both opt-in.

[Release notes →](https://github.com/Kilo-Org/kilocode/releases/tag/v7.4.4)
 Affects: [/kilocode/](https://openclawdatabase.com/kilocode/), [/kilocode/setup/](https://openclawdatabase.com/kilocode/setup/), [/kilocode/models/](https://openclawdatabase.com/kilocode/models/), [/kilocode/orchestrator/](https://openclawdatabase.com/kilocode/orchestrator/), [/kilocode/security/](https://openclawdatabase.com/kilocode/security/)

2026-07-08

Hermes

[v0.18.1](https://github.com/NousResearch/hermes-agent/releases/tag/v2026.7.7) · [v0.18.2](https://github.com/NousResearch/hermes-agent/releases/tag/v2026.7.7.2)

**Two infrastructure patch tags — not a curated feature release.** [v0.18.1](https://github.com/NousResearch/hermes-agent/releases/tag/v2026.7.7) (2026.7.7) rolls up roughly **667 commits across ~990 files** merged since v0.18.0 (July 1) into a stable tag for downstream consumers — Docker images, hosted deployments, and PyPI installs. It includes installer/updater self-healing on Windows, dashboard and gateway fixes, WhatsApp dashboard pairing, and MCP/provider fixes. [v0.18.2](https://github.com/NousResearch/hermes-agent/releases/tag/v2026.7.7.2) (2026.7.7.2) is a same-day follow-up that **unpins the WhatsApp Baileys dependency** from a git commit to the published `7.0.0-rc13`, so tagged-release Docker image builds install reliably ([#60643](https://github.com/NousResearch/hermes-agent/pull/60643)).

**Who should care:** anyone pulling Hermes from a tagged Docker image or PyPI rather than tracking `main` — these tags give you a stable checkpoint. The curated, contributor-credited notes for everything since v0.18.0 will ship with **v0.19.0**; nothing in this window is skipped, just documented later. Update with `hermes update` or `pip install -U hermes-agent`.

[Hermes releases →](https://github.com/NousResearch/hermes-agent/releases)
 Affects: [/hermes/](https://openclawdatabase.com/hermes/), [/hermes/setup/](https://openclawdatabase.com/hermes/setup/), [/hermes/vps-install/](https://openclawdatabase.com/hermes/vps-install/), [/hermes/mcp-tools/](https://openclawdatabase.com/hermes/mcp-tools/)

2026-07-09

NemoClaw

[main](https://github.com/NVIDIA/NemoClaw/commits/main) · OpenRouter onboarding & policy hardening

**A feature-and-security day on main.** The headline additions:

- **First-class OpenRouter onboarding ([#6461](https://github.com/NVIDIA/NemoClaw/commit/b1e35dfb4e1646985d0141efb290fd5dce5a2043)):** OpenRouter is now a selectable provider for OpenClaw, Hermes, and LangChain Deep Agents Code, configured through the OpenAI-compatible runtime path with the OpenRouter base URL and `OPENROUTER_API_KEY`. (Attribution headers are applied to onboarding/catalog/validation probes; runtime sandbox traffic uses OpenShell's `openai` profile pointed at `openrouter.ai/api/v1`.)
- **Shell completion ([#6271](https://github.com/NVIDIA/NemoClaw/commit/815a587b1f5f722265f0c866863c62d4a58744eb)):** new `nemoclaw completion [bash|zsh|fish]` command, generated from the CLI's own command metadata so it stays in sync — including registered sandbox names.
- **Structured logging ([#6272](https://github.com/NVIDIA/NemoClaw/commit/d100f08e93859164bc61aed47d1e7d2e550d3bf6)):** leveled CLI logging (error/warn/info/debug) to `stderr`, configurable via `NEMOCLAW_LOG_LEVEL`, `NEMOCLAW_DEBUG`, or hidden `--debug`/`--quiet` flags, with credential redaction built in.

And a batch of network-policy and reliability hardening:

- **Least-privilege git egress ([#6541](https://github.com/NVIDIA/NemoClaw/commit/3cdeafd046c3d5658eac28b2292c36aa4c0f42c9)):** enabling the `brew` preset no longer implicitly grants Git access to GitHub — GitHub Git egress now requires the explicit `github` preset, restoring the intended boundary.
- **Gmail policy preset ([#5415](https://github.com/NVIDIA/NemoClaw/commit/cd328752b11e5872426d390cf6ab7fd5e24d505d)):** a new least-privilege `gmail` preset allowing only `/usr/bin/python3` to reach `imap.gmail.com:993` and `smtp.gmail.com:465`, with a documented App Password workflow.
- **POSIX-compatible proxy env ([#6560](https://github.com/NVIDIA/NemoClaw/commit/0d2aca4b5ba9f23abb0d0840f23593b066d6a627)):** fixes a regression where the generated proxy-env file used Bash-only builtins, causing POSIX login shells to reject the gateway trust anchor and fail lifecycle operations.
- **Honest orphaned-sandbox reporting ([#6539](https://github.com/NVIDIA/NemoClaw/commit/940eee42ab68af655d7b7137bcc06abe98e1150e)):** `uninstall --yes` followed by reinstall no longer reports false "Installation complete" while stranding a sandbox — it now reports "completed with warnings" with concrete remediation.
- **Bounded inference compaction ([#6484](https://github.com/NVIDIA/NemoClaw/commit/26bfdfbc0615900deb6386aea0cd0678ebc68396)):** each managed remote-inference compaction attempt on `inference.local` routes is now capped at 120s (was an unbounded ~7-minute wait), with lifecycle notifications enabled.
- **Also:** gateway-route drift warning in `status` ([#6465](https://github.com/NVIDIA/NemoClaw/commit/f38f7eec9dca10a90a0af7d8e71590067d92260a)); TOML parsing for dcode `config get` ([#6552](https://github.com/NVIDIA/NemoClaw/commit/5476b9ddc68625310b5f738e04209c9c503b297f)); plain OTLP endpoint URLs allowed past the dcode secret guard ([#6538](https://github.com/NVIDIA/NemoClaw/commit/72f2fbbc5710aa9c8b7b11745b685e91d9e73481)); WhatsApp post-pair gateway restart without granting `operator.admin` ([#6496](https://github.com/NVIDIA/NemoClaw/commit/1ff885596585e1b94db34d93cf417b3ab033b84e)); and quieter local Docker BuildKit progress ([#6536](https://github.com/NVIDIA/NemoClaw/commit/d97ed2eba9d303249e8462422175856a3e2c81a3)).

**Who should care:** anyone routing NemoClaw sandboxes through OpenRouter (now a supported provider), operators relying on network-policy presets (the `brew`→git egress change is a real least-privilege tightening — audit any policy that assumed `brew` granted GitHub access), and POSIX-shell users hit by the proxy-env regression. These are commit-level changes on `main`, not a tagged release — NemoClaw versions from the changelog, not version tags.

[NemoClaw commits →](https://github.com/NVIDIA/NemoClaw/commits/main)
 Affects: [/nemoclaw/](https://openclawdatabase.com/nemoclaw/), [/nemoclaw/setup/](https://openclawdatabase.com/nemoclaw/setup/), [/nemoclaw/policy/](https://openclawdatabase.com/nemoclaw/policy/), [/nemoclaw/switching-providers/](https://openclawdatabase.com/nemoclaw/switching-providers/), [/nemoclaw/skills/](https://openclawdatabase.com/nemoclaw/skills/)

Guides that may be outdated

Some pages touched by these releases haven't been refreshed in over 30 days and are queued for review: [/openclaw/setup/](https://openclawdatabase.com/openclaw/setup/) and [/openclaw/security/](https://openclawdatabase.com/openclaw/security/) (Apr 6), [/openclaw/](https://openclawdatabase.com/openclaw/) (Apr 19), [/openclaw/configuration/](https://openclawdatabase.com/openclaw/configuration/) (May 16), and the Kilo Code and NemoClaw guides — [/kilocode/setup/](https://openclawdatabase.com/kilocode/setup/), [/kilocode/security/](https://openclawdatabase.com/kilocode/security/), [/nemoclaw/switching-providers/](https://openclawdatabase.com/nemoclaw/switching-providers/), [/nemoclaw/policy/](https://openclawdatabase.com/nemoclaw/policy/) (May 30). Content is still broadly accurate; version numbers and a few command/flag details may lag — Kilo's image-generation and sandboxing settings and NemoClaw's OpenRouter onboarding are new since those pages were last touched.

See all releases

Browse the full [changelog index](https://openclawdatabase.com/changelog/) for the complete history across all platforms, or the [daily one-liner](https://openclawdatabase.com/changelog/daily/) for the most recent state of each agent.
