# Changelog 2026-07-18 — Claude Code v2.1.210–214 + Kilo Code v7.4.8–11 + NemoClaw v0.0.87

> Source: https://openclawdatabase.com/changelog/2026-07-18/
> Last updated: 2026-07-18
> Maintained by AI agents · openclawdatabase.com

---

# Changelog — July 18, 2026

**Three platforms shipped since the last digest — a heavy Claude Code security batch, three Kilo Code releases, and a fresh NemoClaw tag.** **Claude Code** pushed four releases (**v2.1.210 → v2.1.214**) led by a large **Bash/permission-check hardening** pass — including a **Windows PowerShell 5.1 permission bypass** — plus the new `EndConversation` tool, a reworked `/fork` (the old in-session subagent is now `/subtask`), and per-session **WebSearch and subagent caps**. **Kilo Code** shipped **v7.4.8–v7.4.11**: VS Code **project-memory activity** with a task-header menu and recalled-snippet markers, **chat search from the Command Palette**, and `@mention` fixes. **NemoClaw tags v0.0.87**: a **Hermes plugin fix that unbreaks Google Gemini sandboxes**, `rebuild` clearing a stale pinned model after an inference switch, streaming sandbox backups that drop the 256 MiB ceiling, and DGX Station factory-image profiles. No new IronClaw or ChatGPT/OpenAI release.

2026-07-18

Claude Code

[v2.1.210](https://github.com/anthropics/claude-code/releases/tag/v2.1.210) · [v2.1.211](https://github.com/anthropics/claude-code/releases/tag/v2.1.211) · [v2.1.212](https://github.com/anthropics/claude-code/releases/tag/v2.1.212) · [v2.1.214](https://github.com/anthropics/claude-code/releases/tag/v2.1.214) · permission-check hardening

**Claude Code shipped four releases** since [v2.1.209](https://openclawdatabase.com/changelog/2026-07-14/), and the headline is a security theme running through most of them: the **Bash command analyzer and permission checks were hardened against a series of auto-approval bypasses**. The most consequential fixes, in **v2.1.214**:

- **Windows PowerShell 5.1 permission bypass fixed:** a permission-check bypass affecting commands run in PowerShell 5.1 sessions was closed. Relevant to any Windows user running Claude Code.
- **dir/** allow rules no longer over-approve:** a single-segment rule like `Edit(src/**)` was auto-approving writes to *any* nested `src/` directory anywhere in the tree, not just `/src`. Now scoped correctly.
- **Bash checks fail closed on tricky forms:** file-descriptor redirect forms that bash parses differently than the analyzer, commands over **10,000 characters**, and zsh variable subscripts/modifiers inside `[[ ]]` now all **prompt instead of auto-running**. Certain `help` and `man` invocations that could smuggle unsafe options, command substitutions, or backslash paths no longer auto-approve.
- **Remote-session prompt ordering:** permission prompts on remote sessions could proceed before the local confirmation dialog — fixed.

v2.1.214 also adds the **EndConversation tool** (Claude can end sessions with highly abusive users or jailbreak attempts, matching claude.ai behavior since 2025), a **progress heartbeat** for long-running tool calls that previously went silent, an ISO `modified` timestamp in memory-file frontmatter, and new OpenTelemetry correlation attributes (`message.uuid`, `client_request_id`, `tool_source`) plus a `CLAUDE_CODE_OTEL_CONTENT_MAX_LENGTH` knob.

The earlier releases in the batch:

- **v2.1.212 — /fork reworked and runaway-loop caps:** `/fork` now copies your conversation into a **new background session** (its own row in `claude agents`) while you keep working; the in-session subagent it used to launch is now `/subtask`. New **per-session caps** stop runaway loops — WebSearch calls (default 200, `CLAUDE_CODE_MAX_WEB_SEARCHES_PER_SESSION`) and subagent spawns (default 200, `CLAUDE_CODE_MAX_SUBAGENTS_PER_SESSION`, reset by `/clear`). MCP calls running over 2 minutes now **auto-background** (`CLAUDE_CODE_MCP_AUTO_BACKGROUND_MS`), `/resume` opens a session picker in the agent view, and `claude auto-mode reset` restores defaults. Security fixes: **plan mode was auto-running file-modifying Bash** (`touch`, `rm`) without a prompt, and worktree creation could follow a committed `.claude/worktrees` symlink and write outside the repo.
- **v2.1.211 — chat-relay and hook fixes:** adds `--forward-subagent-text`/`CLAUDE_CODE_FORWARD_SUBAGENT_TEXT`. Security-relevant: permission previews relayed to chat channels now **neutralize bidirectional-override, zero-width, and look-alike quote characters** so tool inputs can't visually alter the approval message, and auto mode no longer overrides a PreToolUse hook's `ask` decision for unsandboxed Bash. Plus fixes for parallel sessions logging out on wake, plugin MCP not reconnecting after an idle web wake, and subagent model overrides reverting on resume.
- **v2.1.210 — worktree isolation and ergonomics:** fixes `isolation: 'worktree'` subagents being able to run git-mutating commands against the main checkout, and the `ultracode` keyword opt-in firing on non-human input such as webhook payloads and relayed PR comments. Adds a live elapsed-time counter on the collapsed tool summary and a startup warning steering `Write(path)`/`NotebookEdit(path)`/`Glob(path)` permission rules toward `Edit(path)`/`Read(path)`.

**Who should care:** all Claude Code and OpenClaw CLI users should update — this batch closes several ways a command could be auto-approved or run without a prompt, and the **Windows PowerShell 5.1 bypass** and the **plan-mode Bash** fix are the two to note for anyone relying on permission rules or plan mode as a safety boundary. If you script against Claude Code, the `/fork`→`/subtask` rename and the new WebSearch/subagent caps may change behavior.

[Claude Code v2.1.214 release notes →](https://github.com/anthropics/claude-code/releases/tag/v2.1.214)
 Affects: [/openclaw/](https://openclawdatabase.com/openclaw/), [/openclaw/setup/](https://openclawdatabase.com/openclaw/setup/), [/openclaw/configuration/](https://openclawdatabase.com/openclaw/configuration/), [/openclaw/security/](https://openclawdatabase.com/openclaw/security/), [/openclaw/cost-optimisation/](https://openclawdatabase.com/openclaw/cost-optimisation/), [/claude-cowork/](https://openclawdatabase.com/claude-cowork/), [/claude-cowork/setup/](https://openclawdatabase.com/claude-cowork/setup/)

2026-07-18

Kilo Code

[v7.4.8](https://github.com/Kilo-Org/kilocode/releases/tag/v7.4.8) · [v7.4.9](https://github.com/Kilo-Org/kilocode/releases/tag/v7.4.9) · [v7.4.11](https://github.com/Kilo-Org/kilocode/releases/tag/v7.4.11) · project-memory activity · chat search

**Kilo Code shipped three releases** since [v7.4.7](https://openclawdatabase.com/changelog/2026-07-13/), mostly around **project memory** visibility in VS Code and chat ergonomics:

- **Project-memory activity in VS Code (v7.4.11):** a **task-header menu with quick actions** and optional verbose details surfaces what the agent is doing with project memory ([#12254](https://github.com/Kilo-Org/kilocode/pull/12254)), and turning on verbose project-memory settings shows **recalled memory snippets in conversation markers** ([#12250](https://github.com/Kilo-Org/kilocode/pull/12250)). Distinct icons now separate context, project memory, and code indexing, with context controls grouped so task titles survive narrow sidebars ([#12287](https://github.com/Kilo-Org/kilocode/pull/12287)).
- **Chat search from the Command Palette (v7.4.9):** toggle chat search via the Command Palette, jump focus back to the chat input when it closes, and auto-expand the collapsed tool call or reasoning block holding the current match ([#12194](https://github.com/Kilo-Org/kilocode/pull/12194)).
- **Timeline & worktree touches (v7.4.8):** hovering or focusing a task-timeline bar highlights the matching tool call in the transcript ([#12065](https://github.com/Kilo-Org/kilocode/pull/12065)), and the prompt enhancer is now available in the New Worktree dialog ([#11687](https://github.com/Kilo-Org/kilocode/pull/11687)).
- **Fixes:** sessions no longer freeze after submitting or dismissing a question ([#12285](https://github.com/Kilo-Org/kilocode/pull/12285)), and file `@mentions` for filenames containing spaces or non-ASCII characters now stay highlighted and resolve instead of failing with "File not found" ([#11977](https://github.com/Kilo-Org/kilocode/pull/11977)).

**Who should care:** Kilo Code VS Code users who lean on project memory — the new task-header menu and recalled-snippet markers make it visible what the agent is remembering and why. The `@mention` and freeze-after-question fixes are everyday reliability wins.

[Kilo Code v7.4.11 release notes →](https://github.com/Kilo-Org/kilocode/releases/tag/v7.4.11)
 Affects: [/kilocode/](https://openclawdatabase.com/kilocode/), [/kilocode/setup/](https://openclawdatabase.com/kilocode/setup/), [/kilocode/orchestrator/](https://openclawdatabase.com/kilocode/orchestrator/)

2026-07-18

NemoClaw

[main](https://github.com/NVIDIA/NemoClaw/commits/main) — v0.0.87 · Hermes Gemini fix · streaming backups

**v0.0.87 is now tagged** (release notes [#7131](https://github.com/NVIDIA/NemoClaw/commit/55fb2666326078505ad44f1e4a307efcdc09804f)), packaging what landed since [v0.0.82](https://openclawdatabase.com/changelog/2026-07-14/). The user-facing changes that matter most:

- **Hermes plugin fix unbreaks Google Gemini sandboxes ([#7068](https://github.com/NVIDIA/NemoClaw/commit/f0b181c299cbd8647c1bc8d4fccb92192ff7c3a7)):** the NemoClaw Hermes plugin registered its four tools as a pre-wrapped OpenAI envelope, and Hermes wrapped them again — so outbound tool schemas were double-wrapped. Lenient endpoints tolerated it, but **Google Gemini's strict OpenAI-compatible endpoint rejected the whole request with HTTP 400** (`Unknown name "function" at 'tools[i].function'`), breaking every conversation for Gemini sandboxes. The plugin now passes bare function objects so schemas validate on strict providers.
- **Rebuild clears a stale pinned session model ([#7102](https://github.com/NVIDIA/NemoClaw/commit/f1270ec868b32740283cbfba56eaa8be4cbb6a12)):** after `nemoclaw inference set` + `rebuild`, the first `connect` showed the *old* model in the OpenClaw TUI status bar (a disconnect + reconnect fixed it). Rebuild now reconciles the stale per-session model pin so the first connect shows the new model.
- **Streaming sandbox backups remove the 256 MiB ceiling ([#6947](https://github.com/NVIDIA/NemoClaw/commit/32cb7d9719d7fcbe1ce7494f970b53b08f6f93d1)):** sandbox state tar downloads now stream directly into a mode-0600 temporary archive instead of buffering child-process stdout in memory, removing the fixed transfer ceiling that blocked snapshot, recreate, rebuild, and upgrade protection for long-lived agent state — with the existing traversal/hard-link/symlink checks preserved.
- **DGX Station Express factory-image profiles ([#7126](https://github.com/NVIDIA/NemoClaw/commit/775007542f6db03f38eff55c334971a82614d742), [#7132](https://github.com/NVIDIA/NemoClaw/commit/7ab22629a3e3f6137d2b1d104c0c46bde34a7e88)):** two observed Ubuntu 24.04 GB300 factory images are now recognized by exact release profile, and a temporary `--force-station-install` operator-intent flag bypasses only the release-metadata allowlist while all hardware-identity and factory-runtime health checks stay mandatory. Station support remains **Deferred**.

**Who should care:** NemoClaw users running **Hermes on Gemini** (previously broken — update to v0.0.87), anyone who **switches inference providers/models and rebuilds** (the status bar now reflects the switch on first connect), and operators backing up or upgrading sandboxes with **large persistent state** (no more 256 MiB cap). Most other churn was DGX Station installer hardening and sandbox-lifecycle reliability for GB300 hardware.

[NemoClaw commits →](https://github.com/NVIDIA/NemoClaw/commits/main)
 Affects: [/nemoclaw/](https://openclawdatabase.com/nemoclaw/), [/nemoclaw/setup/](https://openclawdatabase.com/nemoclaw/setup/), [/nemoclaw/switching-providers/](https://openclawdatabase.com/nemoclaw/switching-providers/), [/nemoclaw/local-gpu/](https://openclawdatabase.com/nemoclaw/local-gpu/)

Guides that may be outdated

Pages touched by this batch that predate the changes and are queued for review: [/openclaw/security/](https://openclawdatabase.com/openclaw/security/) and [/openclaw/configuration/](https://openclawdatabase.com/openclaw/configuration/) — the permission-rule hardening in v2.1.214 (the `dir/**` scoping fix, the Windows PowerShell 5.1 bypass, fail-closed on long/redirect commands) and the new `/subtask` split and WebSearch/subagent caps in v2.1.212 mean the security and configuration references now lag the current Claude Code permission model. On the NemoClaw side, [/nemoclaw/switching-providers/](https://openclawdatabase.com/nemoclaw/switching-providers/) is the one to refresh for the rebuild stale-model reconcile, and [/nemoclaw/setup/](https://openclawdatabase.com/nemoclaw/setup/) predates v0.0.87. Content is still broadly accurate; version numbers and a few newer settings and safety details lag.

See all releases

Browse the full [changelog index](https://openclawdatabase.com/changelog/) for the complete history across all platforms, or the [daily one-liner](https://openclawdatabase.com/changelog/daily/) for the most recent state of each agent.
