chore: release v0.19.0

[github-actions]

🤖 New release

• ironclaw: 0.18.0 -> 0.19.0 (⚠ API breaking changes)

⚠ ironclaw breaking changes

--- failure constructible_struct_adds_field: externally-constructible struct adds field ---

Description:
A pub struct constructible with a struct literal has a new pub field. Existing struct literals must be updated to include the new field.
        ref: https://doc.rust-lang.org/reference/expressions/struct-expr.html
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/constructible_struct_adds_field.ron

Failed in:
  field RegistryProviderConfig.is_codex_chatgpt in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:92
  field RegistryProviderConfig.refresh_token in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:94
  field RegistryProviderConfig.auth_path in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:96
  field RegistryProviderConfig.is_codex_chatgpt in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:92
  field RegistryProviderConfig.refresh_token in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:94
  field RegistryProviderConfig.auth_path in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:96
  field RegistryProviderConfig.is_codex_chatgpt in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:92
  field RegistryProviderConfig.refresh_token in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:94
  field RegistryProviderConfig.auth_path in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:96
  field ExtensionManifest.url in /tmp/.tmpKReqfZ/ironclaw/src/registry/manifest.rs:51
  field ExtensionManifest.auth in /tmp/.tmpKReqfZ/ironclaw/src/registry/manifest.rs:56
  field ExtensionManifest.url in /tmp/.tmpKReqfZ/ironclaw/src/registry/manifest.rs:51
  field ExtensionManifest.auth in /tmp/.tmpKReqfZ/ironclaw/src/registry/manifest.rs:56
  field HeartbeatConfig.fire_at in /tmp/.tmpKReqfZ/ironclaw/src/config/heartbeat.rs:17
  field TranscriptionConfig.api_key in /tmp/.tmpKReqfZ/ironclaw/src/config/transcription.rs:17
  field TranscriptionConfig.llm_api_key in /tmp/.tmpKReqfZ/ironclaw/src/config/transcription.rs:19
  field AppComponents.agent_session_manager in /tmp/.tmpKReqfZ/ironclaw/src/app.rs:51
  field IncomingMessage.owner_id in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:77
  field IncomingMessage.sender_id in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:79
  field IncomingMessage.conversation_scope_id in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:87
  field IncomingMessage.owner_id in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:77
  field IncomingMessage.sender_id in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:79
  field IncomingMessage.conversation_scope_id in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:87
  field SandboxModeConfig.allow_full_access in /tmp/.tmpKReqfZ/ironclaw/src/config/sandbox.rs:17
  field ChannelSettings.gateway_enabled in /tmp/.tmpKReqfZ/ironclaw/src/settings.rs:247
  field ChannelSettings.gateway_host in /tmp/.tmpKReqfZ/ironclaw/src/settings.rs:251
  field ChannelSettings.gateway_port in /tmp/.tmpKReqfZ/ironclaw/src/settings.rs:255
  field ChannelSettings.gateway_auth_token in /tmp/.tmpKReqfZ/ironclaw/src/settings.rs:259
  field ChannelSettings.gateway_user_id in /tmp/.tmpKReqfZ/ironclaw/src/settings.rs:263
  field ChannelSettings.cli_enabled in /tmp/.tmpKReqfZ/ironclaw/src/settings.rs:267
  field PendingAuth.created_at in /tmp/.tmpKReqfZ/ironclaw/src/agent/session.rs:154
  field PendingAuth.created_at in /tmp/.tmpKReqfZ/ironclaw/src/agent/session.rs:154
  field AgentDeps.owner_id in /tmp/.tmpKReqfZ/ironclaw/src/agent/agent_loop.rs:125
  field Capabilities.webhook in /tmp/.tmpKReqfZ/ironclaw/src/tools/wasm/capabilities.rs:36
  field Config.owner_id in /tmp/.tmpKReqfZ/ironclaw/src/config/mod.rs:82
  field Config.search in /tmp/.tmpKReqfZ/ironclaw/src/config/mod.rs:100
  field Config.owner_id in /tmp/.tmpKReqfZ/ironclaw/src/config/mod.rs:82
  field Config.search in /tmp/.tmpKReqfZ/ironclaw/src/config/mod.rs:100
  field Config.owner_id in /tmp/.tmpKReqfZ/ironclaw/src/config/mod.rs:82
  field Config.search in /tmp/.tmpKReqfZ/ironclaw/src/config/mod.rs:100
  field SearchConfig.fusion_strategy in /tmp/.tmpKReqfZ/ironclaw/src/workspace/search.rs:44
  field SearchConfig.fts_weight in /tmp/.tmpKReqfZ/ironclaw/src/workspace/search.rs:48
  field SearchConfig.vector_weight in /tmp/.tmpKReqfZ/ironclaw/src/workspace/search.rs:52
  field SandboxConfig.allow_full_access in /tmp/.tmpKReqfZ/ironclaw/src/sandbox/config.rs:18
  field SandboxConfig.allow_full_access in /tmp/.tmpKReqfZ/ironclaw/src/sandbox/config.rs:18
  field ToolCompletionRequest.stop_sequences in /tmp/.tmpKReqfZ/ironclaw/src/llm/provider.rs:254
  field EmbeddingsConfig.openai_base_url in /tmp/.tmpKReqfZ/ironclaw/src/config/embeddings.rs:28
  field LlmConfig.cheap_model in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:144
  field LlmConfig.smart_routing_cascade in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:147
  field LlmConfig.cheap_model in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:144
  field LlmConfig.smart_routing_cascade in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:147
  field LlmConfig.cheap_model in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:144
  field LlmConfig.smart_routing_cascade in /tmp/.tmpKReqfZ/ironclaw/src/llm/config.rs:147
  field RoutineDetailResponse.trigger_type in /tmp/.tmpKReqfZ/ironclaw/src/channels/web/types.rs:871
  field RoutineDetailResponse.trigger_raw in /tmp/.tmpKReqfZ/ironclaw/src/channels/web/types.rs:872
  field RoutineDetailResponse.trigger_summary in /tmp/.tmpKReqfZ/ironclaw/src/channels/web/types.rs:873
  field PendingOAuthFlow.resource in /tmp/.tmpKReqfZ/ironclaw/src/cli/oauth_defaults.rs:428
  field PendingOAuthFlow.client_id_secret_name in /tmp/.tmpKReqfZ/ironclaw/src/cli/oauth_defaults.rs:431
  field CapabilitiesFile.description in /tmp/.tmpKReqfZ/ironclaw/src/tools/wasm/capabilities_schema.rs:48
  field CapabilitiesFile.parameters in /tmp/.tmpKReqfZ/ironclaw/src/tools/wasm/capabilities_schema.rs:54
  field CapabilitiesFile.webhook in /tmp/.tmpKReqfZ/ironclaw/src/tools/wasm/capabilities_schema.rs:82
  field JobContext.requester_id in /tmp/.tmpKReqfZ/ironclaw/src/context/state.rs:135
  field JobContext.requester_id in /tmp/.tmpKReqfZ/ironclaw/src/context/state.rs:135
  field ActionResponse.verification in /tmp/.tmpKReqfZ/ironclaw/src/channels/web/types.rs:542
  field HeartbeatConfig.fire_at in /tmp/.tmpKReqfZ/ironclaw/src/agent/heartbeat.rs:53
  field Settings.owner_id in /tmp/.tmpKReqfZ/ironclaw/src/settings.rs:25
  field ProxyToolCompletionRequest.stop_sequences in /tmp/.tmpKReqfZ/ironclaw/src/worker/api.rs:68
  field RoutineInfo.trigger_raw in /tmp/.tmpKReqfZ/ironclaw/src/channels/web/types.rs:777
  field HeartbeatSettings.fire_at in /tmp/.tmpKReqfZ/ironclaw/src/settings.rs:373

--- failure constructible_struct_adds_private_field: struct no longer constructible due to new private field ---

Description:
A struct constructible with a struct literal has a new non-public field. It can no longer be constructed using a struct literal outside of its crate.
        ref: https://doc.rust-lang.org/reference/expressions/struct-expr.html
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/constructible_struct_adds_private_field.ron

Failed in:
  field IncomingMessage.is_internal in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:99
  field IncomingMessage.is_internal in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:99

--- failure enum_missing: pub enum removed or renamed ---

Description:
A publicly-visible enum cannot be imported by its prior path. A `pub use` may have been removed, or the enum itself may have been renamed or removed entirely.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#item-remove
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/enum_missing.ron

Failed in:
  enum ironclaw::safety::LeakAction, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/leak_detector.rs:48
  enum ironclaw::safety::PolicyAction, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/policy.rs:81
  enum ironclaw::safety::LeakSeverity, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/leak_detector.rs:69
  enum ironclaw::safety::LeakDetectionError, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/leak_detector.rs:348
  enum ironclaw::tools::wasm::TrapCode, previously in file /tmp/.tmpFYLo4C/ironclaw/src/tools/wasm/error.rs:122
  enum ironclaw::safety::Severity, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/policy.rs:9

--- failure enum_no_repr_variant_discriminant_changed: enum variant had its discriminant change value ---

Description:
The enum's variant had its discriminant value change. This breaks downstream code that used its value via a numeric cast like `as isize`.
        ref: https://doc.rust-lang.org/reference/items/enumerations.html#assigning-discriminant-values
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/enum_no_repr_variant_discriminant_changed.ron

Failed in:
  variant SseEvent::ExtensionStatus 19 -> 20 in /tmp/.tmpKReqfZ/ironclaw/src/channels/web/types.rs:255

--- failure enum_struct_variant_field_added: pub enum struct variant field added ---

Description:
An enum's exhaustive struct variant has a new field, which has to be included when constructing or matching on this variant.
        ref: https://doc.rust-lang.org/reference/attributes/type_system.html#the-non_exhaustive-attribute
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/enum_struct_variant_field_added.ron

Failed in:
  field use_tools of variant RoutineAction::Lightweight in /tmp/.tmpKReqfZ/ironclaw/src/agent/routine.rs:224
  field max_tool_rounds of variant RoutineAction::Lightweight in /tmp/.tmpKReqfZ/ironclaw/src/agent/routine.rs:227
  field use_tools of variant RoutineAction::Lightweight in /tmp/.tmpKReqfZ/ironclaw/src/agent/routine.rs:224
  field max_tool_rounds of variant RoutineAction::Lightweight in /tmp/.tmpKReqfZ/ironclaw/src/agent/routine.rs:227

--- failure enum_variant_added: enum variant added on exhaustive enum ---

Description:
A publicly-visible enum without #[non_exhaustive] has a new variant.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#enum-variant-new
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/enum_variant_added.ron

Failed in:
  variant ChannelError:MissingRoutingTarget in /tmp/.tmpKReqfZ/ironclaw/src/error.rs:126
  variant McpFactoryError:InvalidConfig in /tmp/.tmpKReqfZ/ironclaw/src/tools/mcp/factory.rs:22
  variant McpFactoryError:InvalidConfig in /tmp/.tmpKReqfZ/ironclaw/src/tools/mcp/factory.rs:22
  variant Command:Channels in /tmp/.tmpKReqfZ/ironclaw/src/cli/mod.rs:154
  variant Command:Routines in /tmp/.tmpKReqfZ/ironclaw/src/cli/mod.rs:163
  variant Command:Skills in /tmp/.tmpKReqfZ/ironclaw/src/cli/mod.rs:203
  variant Command:Logs in /tmp/.tmpKReqfZ/ironclaw/src/cli/mod.rs:217
  variant Command:Import in /tmp/.tmpKReqfZ/ironclaw/src/cli/mod.rs:240
  variant SseEvent:Suggestions in /tmp/.tmpKReqfZ/ironclaw/src/channels/web/types.rs:247
  variant StatusUpdate:Suggestions in /tmp/.tmpKReqfZ/ironclaw/src/channels/channel.rs:330
  variant ManifestKind:McpServer in /tmp/.tmpKReqfZ/ironclaw/src/registry/manifest.rs:65
  variant ManifestKind:McpServer in /tmp/.tmpKReqfZ/ironclaw/src/registry/manifest.rs:65
  variant ExtensionError:AuthNotSupported in /tmp/.tmpKReqfZ/ironclaw/src/extensions/mod.rs:534
  variant ExtensionError:ValidationFailed in /tmp/.tmpKReqfZ/ironclaw/src/extensions/mod.rs:564

--- failure function_missing: pub fn removed or renamed ---

Description:
A publicly-visible function cannot be imported by its prior path. A `pub use` may have been removed, or the function itself may have been renamed or removed entirely.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#item-remove
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/function_missing.ron

Failed in:
  function ironclaw::safety::params_contain_manual_credentials, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/credential_detect.rs:10
  function ironclaw::safety::wrap_external_content, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/mod.rs:193

--- failure function_parameter_count_changed: pub fn parameter count changed ---

Description:
A publicly-visible function now takes a different number of parameters.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#fn-change-arity
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/function_parameter_count_changed.ron

Failed in:
  ironclaw::agent::job_monitor::spawn_job_monitor now takes 4 parameters instead of 3, in /tmp/.tmpKReqfZ/ironclaw/src/agent/job_monitor.rs:42
  ironclaw::channels::wasm::setup::inject_channel_credentials now takes 4 parameters instead of 3, in /tmp/.tmpKReqfZ/ironclaw/src/channels/wasm/setup.rs:294
  ironclaw::channels::wasm::inject_channel_credentials now takes 4 parameters instead of 3, in /tmp/.tmpKReqfZ/ironclaw/src/channels/wasm/setup.rs:294

--- failure inherent_method_missing: pub method removed or renamed ---

Description:
A publicly-visible method or associated fn is no longer available under its prior name. It may have been renamed or removed entirely.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#item-remove
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/inherent_method_missing.ron

Failed in:
  ExtensionManager::save_setup_secrets, previously in file /tmp/.tmpFYLo4C/ironclaw/src/extensions/manager.rs:3530
  ExtensionManager::save_setup_secrets, previously in file /tmp/.tmpFYLo4C/ironclaw/src/extensions/manager.rs:3530
  WebhookServer::restart_with_addr, previously in file /tmp/.tmpFYLo4C/ironclaw/src/channels/webhook_server.rs:98

--- failure method_parameter_count_changed: pub method parameter count changed ---

Description:
A publicly-visible method now takes a different number of parameters, not counting the receiver (self) parameter.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#fn-change-arity
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/method_parameter_count_changed.ron

Failed in:
  ironclaw::tools::ToolRegistry::register_message_tools now takes 2 parameters instead of 1, in /tmp/.tmpKReqfZ/ironclaw/src/tools/registry.rs:501
  ironclaw::prelude::ToolRegistry::register_message_tools now takes 2 parameters instead of 1, in /tmp/.tmpKReqfZ/ironclaw/src/tools/registry.rs:501
  ironclaw::channels::wasm::WasmChannel::new now takes 7 parameters instead of 6, in /tmp/.tmpKReqfZ/ironclaw/src/channels/wasm/wrapper.rs:810
  ironclaw::extensions::manager::ExtensionManager::auth now takes 1 parameters instead of 2, in /tmp/.tmpKReqfZ/ironclaw/src/extensions/manager.rs:968
  ironclaw::extensions::ExtensionManager::auth now takes 1 parameters instead of 2, in /tmp/.tmpKReqfZ/ironclaw/src/extensions/manager.rs:968
  ironclaw::channels::wasm::WasmChannelLoader::new now takes 4 parameters instead of 3, in /tmp/.tmpKReqfZ/ironclaw/src/channels/wasm/loader.rs:35

--- failure struct_missing: pub struct removed or renamed ---

Description:
A publicly-visible struct cannot be imported by its prior path. A `pub use` may have been removed, or the struct itself may have been renamed or removed entirely.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#item-remove
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/struct_missing.ron

Failed in:
  struct ironclaw::safety::InjectionWarning, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/sanitizer.rs:23
  struct ironclaw::safety::SafetyLayer, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/mod.rs:28
  struct ironclaw::safety::LeakDetector, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/leak_detector.rs:132
  struct ironclaw::tools::wasm::TrapInfo, previously in file /tmp/.tmpFYLo4C/ironclaw/src/tools/wasm/error.rs:104
  struct ironclaw::safety::ValidationResult, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/validator.rs:7
  struct ironclaw::safety::LeakScanResult, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/leak_detector.rs:110
  struct ironclaw::safety::Sanitizer, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/sanitizer.rs:35
  struct ironclaw::prelude::Sanitizer, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/sanitizer.rs:35
  struct ironclaw::agent::WorkerDeps, previously in file /tmp/.tmpFYLo4C/ironclaw/src/worker/job.rs:40
  struct ironclaw::safety::LeakMatch, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/leak_detector.rs:98
  struct ironclaw::config::SafetyConfig, previously in file /tmp/.tmpFYLo4C/ironclaw/src/config/safety.rs:6
  struct ironclaw::agent::Worker, previously in file /tmp/.tmpFYLo4C/ironclaw/src/worker/job.rs:60
  struct ironclaw::safety::Validator, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/validator.rs:80
  struct ironclaw::extensions::manager::SetupResult, previously in file /tmp/.tmpFYLo4C/ironclaw/src/extensions/manager.rs:60
  struct ironclaw::safety::LeakPattern, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/leak_detector.rs:89
  struct ironclaw::safety::PolicyRule, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/policy.rs:42
  struct ironclaw::safety::Policy, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/policy.rs:93
  struct ironclaw::safety::SanitizedOutput, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/sanitizer.rs:12
  struct ironclaw::prelude::SanitizedOutput, previously in file /tmp/.tmpFYLo4C/ironclaw/src/safety/sanitizer.rs:12

--- failure trait_method_added: pub trait method added ---

Description:
A non-sealed public trait added a new method without a default implementation, which breaks downstream implementations of the trait
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#trait-new-item-no-default
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.46.0/src/lints/trait_method_added.ron

Failed in:
  trait method ironclaw::db::RoutineStore::count_running_routine_runs_batch in file /tmp/.tmpKReqfZ/ironclaw/src/db/mod.rs:519

Changelog

0.19.0 - 2026-03-17

Added

• verify telegram owner during hot activation (#1157)
• (config) unify config resolution with Settings fallback (Phase 2, feat: Unify configuration sources before hot-reload #1119) (#1203)
• (sandbox) add retry logic for transient container failures (#1232)
• (heartbeat) fire_at time-of-day scheduling with IANA timezone (#1029)
• Reuse Codex CLI OAuth tokens for ChatGPT backend LLM calls (#693)
• add pre-push git hook with delta lint mode (#833)
• (cli) add logs command for gateway log access (#1105)
• add Feishu/Lark WASM channel plugin (#1110)
• add Criterion benchmarks for safety layer hot paths (#836)
• (routines) human-readable cron schedule summaries in web UI (#1154)
• (web) add follow-up suggestion chips and ghost text (#1156)
• (ci) include commit history in staging promotion PRs (#952)
• (tools) add reusable sensitive JSON redaction helper (#457)
• configurable hybrid search fusion strategy (#234)
• (cli) add cron subcommand for managing scheduled routines (#1017)
• adds context-llm tool support (#616)
• (web-chat) add hover copy button for user/assistant messages (#948)
• add Slack approval buttons for tool execution in DMs (#796)
• enhance HTTP tool parameter parsing (#911)
• (routines) enable tool access in lightweight routine execution (#257) (#730)
• add MiniMax as a built-in LLM provider (#940)
• (cli) add ironclaw channels list subcommand (#933)
• (cli) add ironclaw skills list/search/info subcommands (#918)
• add cargo-deny for supply chain safety (#834)
• (setup) display ASCII art banner during onboarding (#851)
• (extensions) unify auth and configure into single entrypoint (#677)
• (i18n) Add internationalization support with Chinese and English translations (#929)
• Import OpenClaw memory, history and settings (#903)

Fixed

• jobs limit (#1274)
• misleading UI message (#1265)
• bump channel registry versions for promotion (#1264)
• cover staging CI all-features and routine batch regressions (#1256)
• resolve merge conflict fallout and missing config fields
• web/CLI routine mutations do not refresh live event trigger cache (#1255)
• (jobs) make completed->completed transition idempotent to prevent race errors (#1068)
• (llm) persist refreshed Anthropic OAuth token after Keychain re-read (#1213)
• (worker) prevent orphaned tool_results and fix parallel merging (#1069)
• Telegram bot token validation fails intermittently (HTTP 404) (#1166)
• (security) prevent metadata spoofing of internal job monitor flag (#1195)
• (security) default webhook server to loopback when tunnel is configured (#1194)
• (auth) avoid false success and block chat during pending auth (#1111)
• (config) unify ChannelsConfig resolution to env > settings > default (#1124)
• (web-chat) normalize chat copy to plain text (#1114)
• (skill) treat empty url param as absent when installing skills (#1128)
• preserve AuthError type in oauth_http_client cache (#1152)
• (web) prevent Safari IME composition Enter from sending message (#1140)
• (mcp) handle 400 auth errors, clear auth mode after OAuth, trim tokens (#1158)
• eliminate panic paths in production code (#1184)
• N+1 query pattern in event trigger loop (routine_engine) (#1163)
• (llm) add stop_sequences parity for tool completions (#1170)
• (channels) use live owner binding during wasm hot activation (#1171)
• Non-transactional multi-step context updates between metadata/to… (#1161)
• (webhook) avoid lock-held awaits in server lifecycle paths (#1168)
• Google Sheets returns 403 PERMISSION_DENIED after completing OAuth (#1164)
• HTTP webhook secret transmitted in request body rather than via header, docs inconsistency and security concern (#1162)
• (ci) exclude ironclaw_safety from release automation (#1146)
• (registry) bump versions for github, web-search, and discord extensions (#1106)
• (mcp) address 14 audit findings across MCP module (#1094)
• (http) replace .expect() with match in webhook handler (#1133)
• (time) treat empty timezone string as absent (#1127)
• 5 critical/high-priority bugs (auth bypass, relay failures, unbounded recursion, context growth) (#1083)
• (ci) checkout promotion PR head for metadata refresh (#1097)
• (ci) add missing attachments field and crates/ dir to Dockerfiles (#1100)
• (registry) bump telegram channel version for capabilities change (#1064)
• (ci) repair staging promotion workflow behavior (#1091)
• (wasm) address fix: add tool_info schema discovery for WASM tools #1086 review followups -- description hint and coercion safety (#1092)
• (ci) repair staging-ci workflow parsing (#1090)
• (extensions) fix lifecycle bugs + comprehensive E2E tests (#1070)
• add tool_info schema discovery for WASM tools (#1086)
• resolve bug_bash UX/logging issues (Approval message shows raw tool name 'toolinstall' — missing space/formatting #1054 Naive timestamp WARN logs flood output on every query #1055 No notification in chat when Telegram channel connects successfully #1058) (#1072)
• (http) fail closed when webhook secret is missing at runtime (#1075)
• (service) set CLI_ENABLED=false in macOS launchd plist (#1079)
• relax approval requirements for low-risk tools (#922)
• (web) make approval requests appear without page reload (#996) (#1073)
• (routines) run cron checks immediately on ticker startup (#1066)
• (web) recompute cron next_fire_at when re-enabling routines (#1080)
• (memory) reject absolute filesystem paths with corrective routing (#934)
• remove all inline event handlers for CSP script-src compliance (#1063)
• (mcp) include OAuth state parameter in authorization URLs (#1049)
• (mcp) open MCP OAuth in same browser as gateway (#951)
• (deploy) harden production container and bootstrap security (#1014)
• release lock guards before awaiting channel send (#869) (#1003)
• (registry) use versioned artifact URLs and checksums for all WASM manifests (#1007)
• (setup) preserve model selection on provider re-run (#679) (#987)
• (mcp) attach session manager for non-OAuth HTTP clients (#793) (#986)
• (security) migrate webhook auth to HMAC-SHA256 signature header (#970)
• (security) make unsafe env::set_var calls safe with explicit invariants (#968)
• (security) require explicit SANDBOX_ALLOW_FULL_ACCESS to enable FullAccess policy (#967)
• (security) add Content-Security-Policy header to web gateway (#966)
• (test) stabilize openai compat oversized-body regression (#839)
• (ci) disambiguate WASM bundle filenames to prevent tool/channel collision (#964)
• (setup) validate channel credentials during setup (#684)
• drain tunnel pipes to prevent zombie process (#735)
• (mcp) header safety validation and Authorization conflict bug from feat(mcp): support custom HTTP headers for non-OAuth MCP servers (#639) #704 (#752)
• (agent) block thread_id-based context pollution across users (#760)
• (mcp) stdio/unix transports skip initialize handshake (#890) (#935)
• (setup) drain residual events and filter key kind in onboard prompts (#937) (#949)
• (security) load WASM tool description and schema from capabilities.json (#520)
• (security) resolve DNS once and reuse for SSRF validation to prevent rebinding (#518)
• (security) replace regex HTML sanitizer with DOMPurify to prevent XSS (#510)
• (ci) improve Claude Code review reliability (#955)
• (ci) run gated test jobs during staging CI (#956)
• (ci) prevent staging-ci tag failure and chained PR auto-close (#900)
• (ci) WASM WIT compat sqlite3 duplicate symbol conflict (#953)
• resolve deferred review items from PRs fix: staging CI review issues (batch 1) #883, fix(safety): allow empty string tool params #848, fix: job token budget, iteration cap → Failed, web cancel stops worker #788 (#915)
• (web) improve UX readability and accessibility in chat UI (#910)

Other

• Fix Telegram auto-verify flow and routing (#1273)
• (e2e) fix approval waiting regression coverage (#1270)
• isolate heavy integration tests (#1266)
• Merge branch 'main' into fix/resolve-conflicts
• Refactor owner scope across channels and fix default routing fallback (#1151)
• (extensions) document relay manager init order (#928)
• (setup) extract init logic from wizard into owning modules (#1210)
• mention MiniMax as built-in provider in all READMEs (#1209)
• Fix schema-guided tool parameter coercion (#1143)
• Make no-panics CI check test-aware (#1160)
• (mcp) avoid reallocating SSE buffer on each chunk (#1153)
• (routines) avoid full message history clone each tool iteration (#1172)
• (registry) align manifest versions with published artifacts (#1169)
• remove pycache from repo and add to .gitignore (#1177)
• (registry) move MCP servers from code to JSON manifests (#1144)
• improve routine schema guidance (#1089)
• add event-trigger routine e2e coverage (#1088)
• enforce no .unwrap(), .expect(), or assert!() in production code (#1087)
• periodic sync main into staging (resolved conflicts) (#1098)
• fix formatting in cli/mod.rs and mcp/auth.rs (#1071)
• Expose the shared agent session manager via AppComponents (#532)
• (agent) remove unnecessary Worker re-export (#923)
• Fix UTF-8 unsafe truncation in WASM emit_message (#1015)
• extract safety module into ironclaw_safety crate (#1024)
• Add Z.AI provider support for GLM-5 (#938)
• (html_to_markdown) refresh golden files after renderer bump (#1016)
• Migrate GitHub webhook normalization into github tool (#758)
• Fix systemctl unit (#472)
• add Russian localization (README.ru.md) (#850)
• Add generic host-verified /webhook/tools/{tool} ingress (#757)

---

This PR was generated with release-plz.

Staging promotion batches since v0.18.0

No structured staging promotion merges found since v0.18.0.

Auto-updated from structured staging promotion merge bodies on main.