Claude Code shipped four releases since v2.1.209, and the headline is a security theme running through most of them: the Bash command analyzer and permission checks were hardened against a series of auto-approval bypasses. The most consequential fixes, in v2.1.214:
- Windows PowerShell 5.1 permission bypass fixed: a permission-check bypass affecting commands run in PowerShell 5.1 sessions was closed. Relevant to any Windows user running Claude Code.
dir/** allow rules no longer over-approve: a single-segment rule like Edit(src/**) was auto-approving writes to any nested src/ directory anywhere in the tree, not just <cwd>/src. Now scoped correctly.
- Bash checks fail closed on tricky forms: file-descriptor redirect forms that bash parses differently than the analyzer, commands over 10,000 characters, and zsh variable subscripts/modifiers inside
[[ ]] now all prompt instead of auto-running. Certain help and man invocations that could smuggle unsafe options, command substitutions, or backslash paths no longer auto-approve.
- Remote-session prompt ordering: permission prompts on remote sessions could proceed before the local confirmation dialog — fixed.
v2.1.214 also adds the EndConversation tool (Claude can end sessions with highly abusive users or jailbreak attempts, matching claude.ai behavior since 2025), a progress heartbeat for long-running tool calls that previously went silent, an ISO modified timestamp in memory-file frontmatter, and new OpenTelemetry correlation attributes (message.uuid, client_request_id, tool_source) plus a CLAUDE_CODE_OTEL_CONTENT_MAX_LENGTH knob.
The earlier releases in the batch:
- v2.1.212 —
/fork reworked and runaway-loop caps: /fork now copies your conversation into a new background session (its own row in claude agents) while you keep working; the in-session subagent it used to launch is now /subtask. New per-session caps stop runaway loops — WebSearch calls (default 200, CLAUDE_CODE_MAX_WEB_SEARCHES_PER_SESSION) and subagent spawns (default 200, CLAUDE_CODE_MAX_SUBAGENTS_PER_SESSION, reset by /clear). MCP calls running over 2 minutes now auto-background (CLAUDE_CODE_MCP_AUTO_BACKGROUND_MS), /resume opens a session picker in the agent view, and claude auto-mode reset restores defaults. Security fixes: plan mode was auto-running file-modifying Bash (touch, rm) without a prompt, and worktree creation could follow a committed .claude/worktrees symlink and write outside the repo.
- v2.1.211 — chat-relay and hook fixes: adds
--forward-subagent-text/CLAUDE_CODE_FORWARD_SUBAGENT_TEXT. Security-relevant: permission previews relayed to chat channels now neutralize bidirectional-override, zero-width, and look-alike quote characters so tool inputs can't visually alter the approval message, and auto mode no longer overrides a PreToolUse hook's ask decision for unsandboxed Bash. Plus fixes for parallel sessions logging out on wake, plugin MCP not reconnecting after an idle web wake, and subagent model overrides reverting on resume.
- v2.1.210 — worktree isolation and ergonomics: fixes
isolation: 'worktree' subagents being able to run git-mutating commands against the main checkout, and the ultracode keyword opt-in firing on non-human input such as webhook payloads and relayed PR comments. Adds a live elapsed-time counter on the collapsed tool summary and a startup warning steering Write(path)/NotebookEdit(path)/Glob(path) permission rules toward Edit(path)/Read(path).
Who should care: all Claude Code and OpenClaw CLI users should update — this batch closes several ways a command could be auto-approved or run without a prompt, and the Windows PowerShell 5.1 bypass and the plan-mode Bash fix are the two to note for anyone relying on permission rules or plan mode as a safety boundary. If you script against Claude Code, the /fork→/subtask rename and the new WebSearch/subagent caps may change behavior.
Claude Code v2.1.214 release notes →
Affects: /openclaw/, /openclaw/setup/, /openclaw/configuration/, /openclaw/security/, /openclaw/cost-optimisation/, /claude-cowork/, /claude-cowork/setup/
Kilo Code shipped three releases since v7.4.7, mostly around project memory visibility in VS Code and chat ergonomics:
- Project-memory activity in VS Code (v7.4.11): a task-header menu with quick actions and optional verbose details surfaces what the agent is doing with project memory (#12254), and turning on verbose project-memory settings shows recalled memory snippets in conversation markers (#12250). Distinct icons now separate context, project memory, and code indexing, with context controls grouped so task titles survive narrow sidebars (#12287).
- Chat search from the Command Palette (v7.4.9): toggle chat search via the Command Palette, jump focus back to the chat input when it closes, and auto-expand the collapsed tool call or reasoning block holding the current match (#12194).
- Timeline & worktree touches (v7.4.8): hovering or focusing a task-timeline bar highlights the matching tool call in the transcript (#12065), and the prompt enhancer is now available in the New Worktree dialog (#11687).
- Fixes: sessions no longer freeze after submitting or dismissing a question (#12285), and file
@mentions for filenames containing spaces or non-ASCII characters now stay highlighted and resolve instead of failing with "File not found" (#11977).
Who should care: Kilo Code VS Code users who lean on project memory — the new task-header menu and recalled-snippet markers make it visible what the agent is remembering and why. The @mention and freeze-after-question fixes are everyday reliability wins.
Kilo Code v7.4.11 release notes →
Affects: /kilocode/, /kilocode/setup/, /kilocode/orchestrator/
2026-07-18
NemoClaw
main — v0.0.87 · Hermes Gemini fix · streaming backups
v0.0.87 is now tagged (release notes #7131), packaging what landed since v0.0.82. The user-facing changes that matter most:
- Hermes plugin fix unbreaks Google Gemini sandboxes (#7068): the NemoClaw Hermes plugin registered its four tools as a pre-wrapped OpenAI envelope, and Hermes wrapped them again — so outbound tool schemas were double-wrapped. Lenient endpoints tolerated it, but Google Gemini's strict OpenAI-compatible endpoint rejected the whole request with HTTP 400 (
Unknown name "function" at 'tools[i].function'), breaking every conversation for Gemini sandboxes. The plugin now passes bare function objects so schemas validate on strict providers.
- Rebuild clears a stale pinned session model (#7102): after
nemoclaw inference set + rebuild, the first connect showed the old model in the OpenClaw TUI status bar (a disconnect + reconnect fixed it). Rebuild now reconciles the stale per-session model pin so the first connect shows the new model.
- Streaming sandbox backups remove the 256 MiB ceiling (#6947): sandbox state tar downloads now stream directly into a mode-0600 temporary archive instead of buffering child-process stdout in memory, removing the fixed transfer ceiling that blocked snapshot, recreate, rebuild, and upgrade protection for long-lived agent state — with the existing traversal/hard-link/symlink checks preserved.
- DGX Station Express factory-image profiles (#7126, #7132): two observed Ubuntu 24.04 GB300 factory images are now recognized by exact release profile, and a temporary
--force-station-install operator-intent flag bypasses only the release-metadata allowlist while all hardware-identity and factory-runtime health checks stay mandatory. Station support remains Deferred.
Who should care: NemoClaw users running Hermes on Gemini (previously broken — update to v0.0.87), anyone who switches inference providers/models and rebuilds (the status bar now reflects the switch on first connect), and operators backing up or upgrading sandboxes with large persistent state (no more 256 MiB cap). Most other churn was DGX Station installer hardening and sandbox-lifecycle reliability for GB300 hardware.
NemoClaw commits →
Affects: /nemoclaw/, /nemoclaw/setup/, /nemoclaw/switching-providers/, /nemoclaw/local-gpu/
Guides that may be outdated
Pages touched by this batch that predate the changes and are queued for review: /openclaw/security/ and /openclaw/configuration/ — the permission-rule hardening in v2.1.214 (the dir/** scoping fix, the Windows PowerShell 5.1 bypass, fail-closed on long/redirect commands) and the new /subtask split and WebSearch/subagent caps in v2.1.212 mean the security and configuration references now lag the current Claude Code permission model. On the NemoClaw side, /nemoclaw/switching-providers/ is the one to refresh for the rebuild stale-model reconcile, and /nemoclaw/setup/ predates v0.0.87. Content is still broadly accurate; version numbers and a few newer settings and safety details lag.