Claw Patrol

v0.1.24 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 28d Network Security
✓ No known CVEs patched
This release patches 1 known CVE

Affected surfaces

auth

Summary

AI summary

Broad release touches hitl, site, fix, and dashboard.

Full changelog

What's Changed

  • sqlite: force clawpatrol.db + WAL/SHM to mode 0600 by @ry in https://github.com/denoland/clawpatrol/pull/405
  • clickhouse: per-database endpoint routing by @arnauorriols in https://github.com/denoland/clawpatrol/pull/404
  • sql_rule: add database match facet by @arnauorriols in https://github.com/denoland/clawpatrol/pull/403
  • ops: drop auto-deploy workflow by @ry in https://github.com/denoland/clawpatrol/pull/409
  • wg: drop default tunnel MTU 1420 → 1220 (over-Tailscale fix) by @ry in https://github.com/denoland/clawpatrol/pull/411
  • Database-aware credential dispatch + sql.database facet by @piscisaureus in https://github.com/denoland/clawpatrol/pull/410
  • agents table: drop integrations column, fold needs-setup into status dot by @ry in https://github.com/denoland/clawpatrol/pull/418
  • hitl: add async grant config schema by @magurotuna in https://github.com/denoland/clawpatrol/pull/414
  • hitl: add async operation store by @magurotuna in https://github.com/denoland/clawpatrol/pull/419
  • hitl: add request fingerprint binding by @magurotuna in https://github.com/denoland/clawpatrol/pull/417
  • action download: include verb / tables / functions / database for SQL actions by @arnauorriols in https://github.com/denoland/clawpatrol/pull/416
  • fix(test): drop invalid database arg from postgres endpoint HCL by @ry in https://github.com/denoland/clawpatrol/pull/422
  • test: reject SQL fixture facets that disagree with the parser by @ry in https://github.com/denoland/clawpatrol/pull/423
  • Add MIT LICENSE.md by @ry in https://github.com/denoland/clawpatrol/pull/424
  • site: drop stripe from flow diagram, add k8s + notion by @ry in https://github.com/denoland/clawpatrol/pull/425
  • site: drop 'foundation' section, rewrite competitor comparison as boundary cards by @ry in https://github.com/denoland/clawpatrol/pull/427
  • hitl: add async operation status API by @magurotuna in https://github.com/denoland/clawpatrol/pull/420
  • hitl: show async approval state in dashboard by @magurotuna in https://github.com/denoland/clawpatrol/pull/421
  • feat: add async HITL runtime fallback by @magurotuna in https://github.com/denoland/clawpatrol/pull/429
  • hitl: add retry grant relay by @magurotuna in https://github.com/denoland/clawpatrol/pull/426
  • hitl: maintain async operation lifecycle by @magurotuna in https://github.com/denoland/clawpatrol/pull/431
  • fix: use remapped HITL retry principal by @magurotuna in https://github.com/denoland/clawpatrol/pull/432
  • site: comparison section follow-up polish by @ry in https://github.com/denoland/clawpatrol/pull/428
  • site: landing-page reshape — hero, deploy, run-it, validated HCL examples by @ry in https://github.com/denoland/clawpatrol/pull/438
  • hitl: add async grant e2e docs by @magurotuna in https://github.com/denoland/clawpatrol/pull/434
  • feat: Tailscale exit-node MITM via SO_ORIGINAL_DST + clawpatrol run in tsnet mode by @littledivy in https://github.com/denoland/clawpatrol/pull/413
  • fix(tsnet): WG-mode parity, gateway port, CA fetch over tailnet by @littledivy in https://github.com/denoland/clawpatrol/pull/440
  • site: copy + structure pass on landing by @ry in https://github.com/denoland/clawpatrol/pull/442
  • macOS clawpatrol run on tsnet by @littledivy in https://github.com/denoland/clawpatrol/pull/441
  • docs: drop glossary's Configuration vocabulary section by @arnauorriols in https://github.com/denoland/clawpatrol/pull/437
  • docs(glossary): merge Facet/Family entries; add Facet field by @arnauorriols in https://github.com/denoland/clawpatrol/pull/433
  • embedded tsnet in gateway. no iptables setup required by @littledivy in https://github.com/denoland/clawpatrol/pull/443
  • cleanup(tsnet): drop dead system-tailscale paths; dedup tsnet device rows by @littledivy in https://github.com/denoland/clawpatrol/pull/444
  • doc: explain inspection-buffer overflow in approval-rules by @arnauorriols in https://github.com/denoland/clawpatrol/pull/430
  • clickhouse_native: parse CTE-prefixed INSERTs by @arnauorriols in https://github.com/denoland/clawpatrol/pull/407
  • dashboard: credentials redesign — type cards + expanding details table by @arnauorriols in https://github.com/denoland/clawpatrol/pull/445
  • site: add favicon links by @magurotuna in https://github.com/denoland/clawpatrol/pull/447
  • tsnet: ephemeral runs, Funnel allowlist, parent-IP attribution by @littledivy in https://github.com/denoland/clawpatrol/pull/446
  • Fix tsnet macOS NE register by @littledivy in https://github.com/denoland/clawpatrol/pull/450
  • docs: refresh for tsnet-as-default by @littledivy in https://github.com/denoland/clawpatrol/pull/451
  • Initial redesign pass by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/453
  • Prep repo for launch: README rewrite + cmd/clawpatrol move by @ry in https://github.com/denoland/clawpatrol/pull/452
  • dashboard auth: mandatory root password + optional tailnet allowlist by @piscisaureus in https://github.com/denoland/clawpatrol/pull/454
  • dashboard auth: make login-page assets reachable without a cookie by @piscisaureus in https://github.com/denoland/clawpatrol/pull/456
  • fix: update Slack HITL resolution guidance by @magurotuna in https://github.com/denoland/clawpatrol/pull/449
  • Move config/ to internal/config/ by @ry in https://github.com/denoland/clawpatrol/pull/455
  • dashboard auth: opaque session cookies + whoami + log out by @piscisaureus in https://github.com/denoland/clawpatrol/pull/458
  • Revert "wg: drop default tunnel MTU 1420 → 1220" by @ry in https://github.com/denoland/clawpatrol/pull/459
  • build: switch dashboard/ and site/ from npm/node to deno by @ry in https://github.com/denoland/clawpatrol/pull/460
  • hitl: update Slack prompts for async states by @magurotuna in https://github.com/denoland/clawpatrol/pull/462
  • join: fix double install + dnsvip self-relay loop by @littledivy in https://github.com/denoland/clawpatrol/pull/457
  • join: pin resolv.conf on non-resolved hosts + dedupe v6 agent rows by @littledivy in https://github.com/denoland/clawpatrol/pull/463
  • sparkline: lerp between polls by @littledivy in https://github.com/denoland/clawpatrol/pull/464
  • sparkline: scroll on update instead of reconstruct by @littledivy in https://github.com/denoland/clawpatrol/pull/466
  • persist ephemeral peer attribution across gateway restarts by @littledivy in https://github.com/denoland/clawpatrol/pull/467
  • sparkline: revert animation by @littledivy in https://github.com/denoland/clawpatrol/pull/468
  • fix: delimit async HITL raw 202 responses by @magurotuna in https://github.com/denoland/clawpatrol/pull/465
  • fix: write async HITL raw response atomically by @magurotuna in https://github.com/denoland/clawpatrol/pull/470
  • join: persist --hostname so clawpatrol run uses it instead of os.Hostname by @littledivy in https://github.com/denoland/clawpatrol/pull/473
  • feat: add async HITL status capability URLs by @magurotuna in https://github.com/denoland/clawpatrol/pull/472
  • hitl: sort pending approvals deterministically by @divybot in https://github.com/denoland/clawpatrol/pull/476
  • dashboard: copy buttons work over plain HTTP by @ry in https://github.com/denoland/clawpatrol/pull/477
  • cleanup: drop unused funcs + stale comments by @divybot in https://github.com/denoland/clawpatrol/pull/478
  • Final font stack by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/481
  • dashboard: fix analytics range buttons routing back to device list by @ry in https://github.com/denoland/clawpatrol/pull/483
  • dashboard: fix device-page crash + credential card legibility by @ry in https://github.com/denoland/clawpatrol/pull/484
  • drop stale npm package-lock.json files by @ry in https://github.com/denoland/clawpatrol/pull/486
  • Another style pass by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/488
  • endpoints: support *.suffix wildcards in hosts list by @piscisaureus in https://github.com/denoland/clawpatrol/pull/485
  • config: switch HCL refs from bare names to typed traversals by @ry in https://github.com/denoland/clawpatrol/pull/487
  • drop site/doc/skill.md in favor of auto-generated llms-full.txt by @ry in https://github.com/denoland/clawpatrol/pull/491
  • hitl: update Slack prompt on sync timeout by @magurotuna in https://github.com/denoland/clawpatrol/pull/495
  • docs: refine introduction.md by @arnauorriols in https://github.com/denoland/clawpatrol/pull/469
  • site: keep inline atomic on line wrap by @arnauorriols in https://github.com/denoland/clawpatrol/pull/496
  • Implement #348: invert credential→endpoint→profile by @arnauorriols in https://github.com/denoland/clawpatrol/pull/368
  • test engine + downloaded actions: typed endpoint references (cl-kls0) by @arnauorriols in https://github.com/denoland/clawpatrol/pull/497
  • rules: support matching on all action's facets by @arnauorriols in https://github.com/denoland/clawpatrol/pull/435
  • Restore sync HITL Slack terminal updates by @magurotuna in https://github.com/denoland/clawpatrol/pull/501
  • [codex] improve config and rules docs by @ry in https://github.com/denoland/clawpatrol/pull/502
  • sec: hide tsnet auth key from agent process tree by @littledivy in https://github.com/denoland/clawpatrol/pull/503
  • docs: refine getting-started, split out configure-gateway by @arnauorriols in https://github.com/denoland/clawpatrol/pull/471
  • fix: move PR_SET_DUMPABLE=0 to after child.Start by @littledivy in https://github.com/denoland/clawpatrol/pull/505
  • cleanup: redact internal hostnames and repo references by @piscisaureus in https://github.com/denoland/clawpatrol/pull/506
  • fix: restore wildcard hosts + small regressions from #368 squash by @piscisaureus in https://github.com/denoland/clawpatrol/pull/507
  • Dashboard design pass by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/508
  • Homepage touch-ups by @josh-collinsworth in https://github.com/denoland/clawpatrol/pull/514
  • docs: surface control-mode coupling in dashboard bind section by @arnauorriols in https://github.com/denoland/clawpatrol/pull/512
  • fix: scope device credential cards to the profile's own declared list by @arnauorriols in https://github.com/denoland/clawpatrol/pull/513
  • config: inline llm_approver policy text, drop policy block by @ry in https://github.com/denoland/clawpatrol/pull/511
  • Linux self-forking daemon + exit-node routing, no more PROXY v1 by @piscisaureus in https://github.com/denoland/clawpatrol/pull/510
  • Linux daemon: unify WireGuard mode, drop ephemeral peers by @piscisaureus in https://github.com/denoland/clawpatrol/pull/517
  • Drop the clawpatrol login subcommand by @piscisaureus in https://github.com/denoland/clawpatrol/pull/518
  • Re-block gateway config under gateway {} / defaults {} by @piscisaureus in https://github.com/denoland/clawpatrol/pull/521
  • Mint Tailscale auth keys as single-use by @piscisaureus in https://github.com/denoland/clawpatrol/pull/519
  • home: show 10 devices instead of 5 by @littledivy in https://github.com/denoland/clawpatrol/pull/522
  • site: simplify RunSection to two commands by @ry in https://github.com/denoland/clawpatrol/pull/524
  • dashboard: prefix logo src with import.meta.env.BASE_URL by @littledivy in https://github.com/denoland/clawpatrol/pull/523
  • chore: consolidate HCL examples under examples/ by @littledivy in https://github.com/denoland/clawpatrol/pull/526
  • ci: PR preview deploys to demo.clawpatrol.dev by @littledivy in https://github.com/denoland/clawpatrol/pull/527
  • chore: drop committed data/gateway.hcl, gitignore data/ by @littledivy in https://github.com/denoland/clawpatrol/pull/529
  • home: sort devices by activity, bucketed to the hour by @littledivy in https://github.com/denoland/clawpatrol/pull/525
  • site: tighten ProblemSection copy, add Download action screenshot by @ry in https://github.com/denoland/clawpatrol/pull/528
  • site: replace AnalyticsSection with a DemoSection by @ry in https://github.com/denoland/clawpatrol/pull/530
  • dashboard: rename user 'profile' page to 'account' by @arnauorriols in https://github.com/denoland/clawpatrol/pull/533
  • ssh: fix BlobStore wiring + log per-channel intent by @littledivy in https://github.com/denoland/clawpatrol/pull/531
  • fix: route clawpatrol env through the daemon in tsnet mode by @littledivy in https://github.com/denoland/clawpatrol/pull/537
  • daemon: refresh env-pushdown cache on START / ENV by @littledivy in https://github.com/denoland/clawpatrol/pull/538
  • fix: route clawpatrol-run DNS through the gateway in tsnet mode by @littledivy in https://github.com/denoland/clawpatrol/pull/539
  • fix: update Slack copy for sync HITL disconnects by @magurotuna in https://github.com/denoland/clawpatrol/pull/536
  • site: drop pre-launch basic-auth gate by @ry in https://github.com/denoland/clawpatrol/pull/541
  • chore: switch releases from GH Pages to gh release by @littledivy in https://github.com/denoland/clawpatrol/pull/542

Full Changelog: https://github.com/denoland/clawpatrol/compare/v0.1.23...v0.1.24

Breaking Changes

  • Dropped `clawpatrol login` subcommand
  • Reverted wg default tunnel MTU change (1420 → 1220)
  • Removed auto-deploy workflow under ops

Security Fixes

  • sec: hide tsnet auth key from agent process tree
