Skip to content

Claw Patrol

v0.1.21 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1mo Network Security
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Affected surfaces

auth rbac crypto_tls

Summary

AI summary

Broad release touches fix, site, feat, and analytics.

Full changelog

What's Changed

  • env pushdown: silence anthropic_manual_key + add DENO_CERT/PIP_CERT + opt-out by @littledivy in https://github.com/denoland/clawpatrol/pull/77
  • linux run: split v4+v6 Address; drop fd77 ghost rows on boot by @littledivy in https://github.com/denoland/clawpatrol/pull/78
  • codex: WS upgrade detection + device-code OAuth + chatgpt-account-id + uTLS for chatgpt.com by @littledivy in https://github.com/denoland/clawpatrol/pull/79
  • gofmt by @littledivy in https://github.com/denoland/clawpatrol/pull/80
  • sessions: persist across restarts; auto-sweep idle; tighter title heuristic by @littledivy in https://github.com/denoland/clawpatrol/pull/81
  • oauth: match Anthropic token endpoint by URL, not hardcoded ID by @ry in https://github.com/denoland/clawpatrol/pull/82
  • codex: env pushdown via synthesized Agent Identity JWT + JWKS MITM by @piscisaureus in https://github.com/denoland/clawpatrol/pull/83
  • feat: add --profile flag to join command by @crowlKats in https://github.com/denoland/clawpatrol/pull/85
  • feat: add --hostname flag to join by @crowlKats in https://github.com/denoland/clawpatrol/pull/88
  • env-pushdown: source vars from gateway, not local plugin set by @piscisaureus in https://github.com/denoland/clawpatrol/pull/87
  • Analytics: per-device latency chart, expandable request detail by @ry in https://github.com/denoland/clawpatrol/pull/52
  • rename action_samples migration to 0006 by @ry in https://github.com/denoland/clawpatrol/pull/89
  • Add SSH endpoint plugin with DNS-MitM virtual IPs by @piscisaureus in https://github.com/denoland/clawpatrol/pull/90
  • Apple-aligned NE hardening and dashboard perf by @littledivy in https://github.com/denoland/clawpatrol/pull/84
  • analytics: count-by charts, top routes, filtering by @ry in https://github.com/denoland/clawpatrol/pull/91
  • analytics: count-by charts, top routes, filtering by @ry in https://github.com/denoland/clawpatrol/pull/92
  • fix: drop port-specific UDP rules in NE provider by @littledivy in https://github.com/denoland/clawpatrol/pull/93
  • mac ext: bypass non-tunnel UDP via host socket by @littledivy in https://github.com/denoland/clawpatrol/pull/94
  • Add layered glossary doc by @arnauorriols in https://github.com/denoland/clawpatrol/pull/75
  • Analytics polish + cross-page consistency by @littledivy in https://github.com/denoland/clawpatrol/pull/95
  • Fix broken cross-links between glossary and architecture docs by @arnauorriols in https://github.com/denoland/clawpatrol/pull/96
  • ui: bump breadcrumb to 13px; fix per-device stat grid by @littledivy in https://github.com/denoland/clawpatrol/pull/97
  • fix: SSE backlog ships as one event, no per-row flood by @littledivy in https://github.com/denoland/clawpatrol/pull/98
  • Add ClickHouse native protocol gateway by @arnauorriols in https://github.com/denoland/clawpatrol/pull/71
  • dnsvip: synthesise A/AAAA from gateway resolver for non-VIP names by @arnauorriols in https://github.com/denoland/clawpatrol/pull/101
  • bump request page breadcrumb to 13px by @littledivy in https://github.com/denoland/clawpatrol/pull/99
  • relay: emit dashboard events + bigger pipe buffer by @littledivy in https://github.com/denoland/clawpatrol/pull/103
  • relay: feed agent activity sparkline from wgRelay by @littledivy in https://github.com/denoland/clawpatrol/pull/104
  • relay/splice: stream activity track per-second, not at end by @littledivy in https://github.com/denoland/clawpatrol/pull/105
  • ssh: accept the none userauth method so no-credential clients connect cleanly by @piscisaureus in https://github.com/denoland/clawpatrol/pull/106
  • ssh: drop OpenSSH UpdateHostKeys global requests at the gateway by @piscisaureus in https://github.com/denoland/clawpatrol/pull/107
  • join: preserve SSH on linux --whole-machine via PostUp source-route by @littledivy in https://github.com/denoland/clawpatrol/pull/108
  • clickhouse_native: sslmode for self-signed upstreams by @arnauorriols in https://github.com/denoland/clawpatrol/pull/102
  • join: lower SSH-exempt PostUp pref 10 → 5 so it beats wg-quick by @littledivy in https://github.com/denoland/clawpatrol/pull/109
  • doc: collect repo-internal architecture notes under /doc by @ry in https://github.com/denoland/clawpatrol/pull/110
  • slack body token replacement and codex http sessions by @littledivy in https://github.com/denoland/clawpatrol/pull/115
  • fix: strip legacy body token for Slack so Authorization header takes precedence by @littledivy in https://github.com/denoland/clawpatrol/pull/116
  • fix: add SecretSlots to notion_oauth so dashboard shows token input by @littledivy in https://github.com/denoland/clawpatrol/pull/117
  • fix: stable session ID for codex HTTP sessions by @littledivy in https://github.com/denoland/clawpatrol/pull/119
  • ci: bump deploy health-check sleep 2→5s by @littledivy in https://github.com/denoland/clawpatrol/pull/121
  • fix: kubectl exec/portforward through k8s mTLS endpoints by @littledivy in https://github.com/denoland/clawpatrol/pull/123
  • clickhouse_native: SQL parsing + per-query matching/events by @arnauorriols in https://github.com/denoland/clawpatrol/pull/100
  • feat: HITL Slack thread context + OAuth credential reuse for LLM approver by @littledivy in https://github.com/denoland/clawpatrol/pull/132
  • remove OAuthInjectAny. LLM approver must use per-profile credentials only by @littledivy in https://github.com/denoland/clawpatrol/pull/133
  • Rewrite architecture doc to match current Go implementation by @arnauorriols in https://github.com/denoland/clawpatrol/pull/72
  • feat: add additional scope selection for github plugin by @crowlKats in https://github.com/denoland/clawpatrol/pull/131
  • clickhouse_native: track agent compression on every Query, allow or deny by @arnauorriols in https://github.com/denoland/clawpatrol/pull/134
  • Initial design explorations by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/135
  • More design exploration by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/136
  • site: fix ProtocolDepth section to show real HCL rules by @ry in https://github.com/denoland/clawpatrol/pull/137
  • fix: request body truncation >1MiB + stale idle connections by @littledivy in https://github.com/denoland/clawpatrol/pull/138
  • site: reframe landing page around production access by @ry in https://github.com/denoland/clawpatrol/pull/139
  • fix: WireGuard/gVisor TCP throughput (backpressure + TCP tuning) by @littledivy in https://github.com/denoland/clawpatrol/pull/140
  • fix: assign action ids to persisted live events by @magurotuna in https://github.com/denoland/clawpatrol/pull/120
  • site: glossary entries for Action and Facet by @arnauorriols in https://github.com/denoland/clawpatrol/pull/146
  • fix: gVisor netTun throughput — blockingChanEP + minRTO + diagnostics by @littledivy in https://github.com/denoland/clawpatrol/pull/147
  • docs: WireGuard/gVisor diagnostics guide by @littledivy in https://github.com/denoland/clawpatrol/pull/148
  • fix: bring down clawpatrol tunnel before poll in whole-machine rejoin by @littledivy in https://github.com/denoland/clawpatrol/pull/149
  • fix: revert blockingChanEP to fix memory leak by @littledivy in https://github.com/denoland/clawpatrol/pull/150
  • analytics: real top-stat counts, legend hover, color fixes by @ry in https://github.com/denoland/clawpatrol/pull/151
  • analytics: stable scatter sample, exact bar counts, gated polling by @ry in https://github.com/denoland/clawpatrol/pull/152
  • Fonts and docs overhaul by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/153
  • request body: pretty-print SSE streams by @ry in https://github.com/denoland/clawpatrol/pull/154
  • Tunnel primitive + plugin system by @piscisaureus in https://github.com/denoland/clawpatrol/pull/111
  • telemetry: worker, design doc, gateway-side ping by @ry in https://github.com/denoland/clawpatrol/pull/155
  • postgres: emit allow event when no rule matches by @piscisaureus in https://github.com/denoland/clawpatrol/pull/158
  • Docs overhaul and some design/logo testing by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/159
  • slack: add missing space between host and path in HITL title by @piscisaureus in https://github.com/denoland/clawpatrol/pull/160
  • join: take gateway URL as positional arg by @ry in https://github.com/denoland/clawpatrol/pull/161
  • hitl: compact Slack message + matching dashboard labels by @ry in https://github.com/denoland/clawpatrol/pull/162
  • ci: add golangci-lint by @magurotuna in https://github.com/denoland/clawpatrol/pull/122
  • chore: add oxc for frontend format and lint by @magurotuna in https://github.com/denoland/clawpatrol/pull/130
  • test: cover HTTP body forwarding after match buffering by @magurotuna in https://github.com/denoland/clawpatrol/pull/163
  • Add safe gateway.hcl save review flow by @magurotuna in https://github.com/denoland/clawpatrol/pull/125
  • test: cover k8s parser edge cases by @magurotuna in https://github.com/denoland/clawpatrol/pull/126
  • test: cover header redaction by @magurotuna in https://github.com/denoland/clawpatrol/pull/127
  • test: cover protocol parser edge cases by @magurotuna in https://github.com/denoland/clawpatrol/pull/128
  • chore: update dashboard build dependencies by @magurotuna in https://github.com/denoland/clawpatrol/pull/164
  • telemetry: reject oversized payloads with 413 by @magurotuna in https://github.com/denoland/clawpatrol/pull/165
  • site: update deps to clear npm audit by @magurotuna in https://github.com/denoland/clawpatrol/pull/166
  • Fix Postgres pump context cancellation by @ry in https://github.com/denoland/clawpatrol/pull/169
  • Log HTTP server startup failures by @ry in https://github.com/denoland/clawpatrol/pull/174
  • Stop accepting dashboard secret in query string by @ry in https://github.com/denoland/clawpatrol/pull/172
  • Require dashboard auth for onboarding approvals in non-tailscale modes by @magurotuna in https://github.com/denoland/clawpatrol/pull/176
  • Centralize dashboard auth policy by @magurotuna in https://github.com/denoland/clawpatrol/pull/178
  • site: fix landing page mobile layout by @ry in https://github.com/denoland/clawpatrol/pull/181
  • Fix settings editor render after dependency update by @magurotuna in https://github.com/denoland/clawpatrol/pull/184
  • Use context diffs for realistic gateway configs by @magurotuna in https://github.com/denoland/clawpatrol/pull/186
  • Don't block internet on wake/captive portal by @littledivy in https://github.com/denoland/clawpatrol/pull/187
  • doc: add tailscale mode guide by @littledivy in https://github.com/denoland/clawpatrol/pull/188
  • fix(ne): rename sleepWithCompletionHandler for Xcode 16.4 by @littledivy in https://github.com/denoland/clawpatrol/pull/189
  • fix(macos): bypassUDP silently drops all IPv4 UDP — AF_UNSPEC/AF_INET6 sockaddr mismatch by @littledivy in https://github.com/denoland/clawpatrol/pull/190
  • debug(macos): log errno for session socket failures by @littledivy in https://github.com/denoland/clawpatrol/pull/192
  • Test Postgres client frame forwarding by @ry in https://github.com/denoland/clawpatrol/pull/175
  • fix(darwin): resolve golangci-lint warnings in run_darwin.go by @ry in https://github.com/denoland/clawpatrol/pull/196
  • doc: document wg-go PreallocatedBuffersPerPool and upstream PR #69 by @divybot in https://github.com/denoland/clawpatrol/pull/170
  • fix: gateway init defaults to ~/.clawpatrol when not root by @littledivy in https://github.com/denoland/clawpatrol/pull/168
  • Match default-port TLS hosts by bare SNI by @magurotuna in https://github.com/denoland/clawpatrol/pull/183
  • Add facet plugin system for per-protocol-family behaviour by @piscisaureus in https://github.com/denoland/clawpatrol/pull/198
  • site: add Download button to header + rewrite getting-started by @ry in https://github.com/denoland/clawpatrol/pull/197
  • Route browser TLS through endpoint tunnels by @magurotuna in https://github.com/denoland/clawpatrol/pull/180
  • Add --read-only-config flag to gateway by @ry in https://github.com/denoland/clawpatrol/pull/203
  • mitm: strip credential-bearing response headers by @piscisaureus in https://github.com/denoland/clawpatrol/pull/199
  • dashboard: render facets like the headers list by @piscisaureus in https://github.com/denoland/clawpatrol/pull/206
  • Design & doc rendering iterations by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/210
  • Add clawpatrol validate <config.hcl> by @ry in https://github.com/denoland/clawpatrol/pull/211
  • Linux per-run ephemeral WG identity by @littledivy in https://github.com/denoland/clawpatrol/pull/215
  • chore(ci): remove golangci-lint by @littledivy in https://github.com/denoland/clawpatrol/pull/217
  • deploy: --read-only-config, rename gateway.hcl -> deno.hcl by @ry in https://github.com/denoland/clawpatrol/pull/207
  • deploy.yml: rename clawall -> clawpatrol, poll for active by @ry in https://github.com/denoland/clawpatrol/pull/218
  • site: rewrite approval-rules doc around HCL syntax by @arnauorriols in https://github.com/denoland/clawpatrol/pull/144
  • fix(ephemeral): no devices row, correct profile inheritance by @littledivy in https://github.com/denoland/clawpatrol/pull/220
  • docs: auto-generated HCL config reference by @arnauorriols in https://github.com/denoland/clawpatrol/pull/142
  • kubernetes_port_forward: shell out to kubectl, drop k8s.io/client-go by @ry in https://github.com/denoland/clawpatrol/pull/205
  • site/docs: serve raw .md and use toc.json for ordering by @ry in https://github.com/denoland/clawpatrol/pull/223
  • fix: separate map prevents SetExternalIPs leaking device rows by @littledivy in https://github.com/denoland/clawpatrol/pull/224
  • tunnel: refresh always-on pins on config change by @magurotuna in https://github.com/denoland/clawpatrol/pull/212
  • config: flatten gateway {} and defaults {} into top-level fields by @ry in https://github.com/denoland/clawpatrol/pull/225
  • Switch rule matching to CEL expressions by @piscisaureus in https://github.com/denoland/clawpatrol/pull/219
  • chore: drop AWS SDK via ts_omit_identityfederation build tag by @littledivy in https://github.com/denoland/clawpatrol/pull/228
  • config: reject unknown top-level blocks by @ry in https://github.com/denoland/clawpatrol/pull/226
  • dashboard: SQL request rows clickable + per-action SQL detail by @arnauorriols in https://github.com/denoland/clawpatrol/pull/145
  • ci: restore Go build cache explicitly by @magurotuna in https://github.com/denoland/clawpatrol/pull/227
  • k8s: parse non-resource URIs as verb=meta by @piscisaureus in https://github.com/denoland/clawpatrol/pull/230
  • www: format timestamps as yyyy-MM-dd HH:mm:ss.SSS by @ry in https://github.com/denoland/clawpatrol/pull/234
  • audit: gunzip response samples so the dashboard renders plaintext by @ry in https://github.com/denoland/clawpatrol/pull/233
  • fix(ephemeral): guard upsertLocked + fix migration number by @littledivy in https://github.com/denoland/clawpatrol/pull/237
  • doc: replace Node.js runtime references with Go binary by @divybot in https://github.com/denoland/clawpatrol/pull/238
  • Separate HITL operator identity from credential profile selection by @magurotuna in https://github.com/denoland/clawpatrol/pull/182
  • chore: bump Go and x/net for govulncheck by @magurotuna in https://github.com/denoland/clawpatrol/pull/247
  • fix: normalize matcher want-values to lowercase for case-insensitive paths by @littledivy in https://github.com/denoland/clawpatrol/pull/253
  • linux run: test splitWGAddresses for dual-stack peers by @divybot in https://github.com/denoland/clawpatrol/pull/246
  • mitm: trailer / obs-fold / synth-path auth-header strip by @divybot in https://github.com/denoland/clawpatrol/pull/236
  • feat: Discord bot token credential by @magurotuna in https://github.com/denoland/clawpatrol/pull/251
  • fix(ne): fail-fast pumpUDP on WG not ready; log BypassUDP socket errors by @littledivy in https://github.com/denoland/clawpatrol/pull/260
  • fix: accept join flags after gateway URL by @magurotuna in https://github.com/denoland/clawpatrol/pull/261
  • docs: refresh approval-rules for recent landed changes by @arnauorriols in https://github.com/denoland/clawpatrol/pull/229
  • tailscale_oauth credential: design proposal by @arnauorriols in https://github.com/denoland/clawpatrol/pull/221
  • fix(ephemeral): remap agentAddr in handleWSUpgrade by @littledivy in https://github.com/denoland/clawpatrol/pull/265
  • fix(ephemeral): purge ephemeral WG peers on gateway restart by @littledivy in https://github.com/denoland/clawpatrol/pull/262
  • Header revisions by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/270
  • fix: skip orphaned ephemeral sessions on startup (last phantom device source) by @littledivy in https://github.com/denoland/clawpatrol/pull/269
  • ux: detect EUID==0 in join and run, emit actionable errors by @divybot in https://github.com/denoland/clawpatrol/pull/240
  • dashboard: breadcrumb shows UUIDv7 tail, not the timestamp prefix by @ry in https://github.com/denoland/clawpatrol/pull/271
  • docs: clarify uninstall help text by @magurotuna in https://github.com/denoland/clawpatrol/pull/274
  • SEO, a11y, and crawler audits by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/276
  • Tracked logo by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/277
  • Rename HTTPS facet family identifier to "http" by @piscisaureus in https://github.com/denoland/clawpatrol/pull/275
  • feat: clawpatrol test subcommand + per-action JSON fixtures by @ry in https://github.com/denoland/clawpatrol/pull/278
  • Responsive header fix; add icon version by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/280
  • docs: publish clawpatrol test as a user-facing page by @ry in https://github.com/denoland/clawpatrol/pull/279
  • cli: positional gateway config + -v/--version aliases + docs link by @ry in https://github.com/denoland/clawpatrol/pull/283
  • design: ephemeral WG keypair per clawpatrol run session by @arnauorriols in https://github.com/denoland/clawpatrol/pull/216
  • gateway: keep all persistent state in sqlite by @piscisaureus in https://github.com/denoland/clawpatrol/pull/222
  • docs: simplify, correct, and reframe the user-facing docs by @ry in https://github.com/denoland/clawpatrol/pull/285
  • Renumber gateway-state migration 0008 → 0010 by @piscisaureus in https://github.com/denoland/clawpatrol/pull/288
  • gateway: fix --read-only-config position in help text by @piscisaureus in https://github.com/denoland/clawpatrol/pull/289
  • Remove legacy on-disk → sqlite state import by @piscisaureus in https://github.com/denoland/clawpatrol/pull/290
  • fix: support GitHub smart HTTP credentials by @magurotuna in https://github.com/denoland/clawpatrol/pull/291
  • audit: decode br/deflate/zstd response bodies for action samples by @piscisaureus in https://github.com/denoland/clawpatrol/pull/292
  • docs: add skill.md — single-page operator reference by @ry in https://github.com/denoland/clawpatrol/pull/287
  • docs(site): strip YAML frontmatter; render skill page properly by @ry in https://github.com/denoland/clawpatrol/pull/293
  • docs(intro): surface deep-protocol inspection (Postgres / k8s) by @ry in https://github.com/denoland/clawpatrol/pull/286
  • gateway: serve /ca.crt from in-memory CertCache, not disk by @piscisaureus in https://github.com/denoland/clawpatrol/pull/298
  • fix: WireGuard session dies after ~4h with handshakeInitiationCreated, no reconnect by @littledivy in https://github.com/denoland/clawpatrol/pull/299
  • testdata: redact internal database hostnames by @avocet-bot in https://github.com/denoland/clawpatrol/pull/281
  • plugins: fail-closed on inspection-buffer overflow by @arnauorriols in https://github.com/denoland/clawpatrol/pull/200
  • docs: fill generated tunnel config reference by @magurotuna in https://github.com/denoland/clawpatrol/pull/301
  • docs(site): skill page rendering polish + post-sqlite-state cleanup by @ry in https://github.com/denoland/clawpatrol/pull/303
  • Rename sql facet function -> functions by @arnauorriols in https://github.com/denoland/clawpatrol/pull/302
  • site: switch body sans to self-hosted Source Sans 3 by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/307
  • Add Terraform-style external plugin system by @piscisaureus in https://github.com/denoland/clawpatrol/pull/300
  • Cleanup stale scripts by @littledivy in https://github.com/denoland/clawpatrol/pull/324
  • switch releases from GH Pages to gh release by @littledivy in https://github.com/denoland/clawpatrol/pull/328

New Contributors

  • @crowlKats made their first contribution in https://github.com/denoland/clawpatrol/pull/85
  • @arnauorriols made their first contribution in https://github.com/denoland/clawpatrol/pull/75
  • @josh-collinsworth made their first contribution in https://github.com/denoland/clawpatrol/pull/135
  • @magurotuna made their first contribution in https://github.com/denoland/clawpatrol/pull/120
  • @divybot made their first contribution in https://github.com/denoland/clawpatrol/pull/170
  • @avocet-bot made their first contribution in https://github.com/denoland/clawpatrol/pull/281

Full Changelog: https://github.com/denoland/clawpatrol/compare/v0.1.10...v0.1.21

Breaking Changes

  • Removed OAuthInjectAny; LLM approver must use per-profile credentials only.
  • Config: flattened gateway {} and defaults {} blocks into top-level fields; unknown top‑level blocks are now rejected.

Security Fixes

  • Removed OAuthInjectAny – eliminates insecure any‑profile credential injection.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Claw Patrol

Get notified when new releases ship.

Sign up free

About Claw Patrol

All releases →

Related context

Beta — feedback welcome: [email protected]