This release adds 5 notable features for engineering teams evaluating rollout.
Published 10h
Network Security
✓ No known CVEs patched
✓ No known CVEs patched in this version
Affected surfaces
auth
rbac
Summary
AI summaryUpdates extplugin, HostControl, and relay across a mixed release.
Full changelog
What's Changed
- Sandbox external plugins with a permission lockfile and brokered dial by @piscisaureus in https://github.com/denoland/clawpatrol/pull/681
- Add GitHub-based plugin distribution with semver and provenance by @piscisaureus in https://github.com/denoland/clawpatrol/pull/687
- Add a persistent state service for external plugins (v2 M1) by @piscisaureus in https://github.com/denoland/clawpatrol/pull/690
- Let external credentials rewrite the request URL and body (v2 M2) by @piscisaureus in https://github.com/denoland/clawpatrol/pull/691
- Make external HTTPS plugin endpoints work end to end by @piscisaureus in https://github.com/denoland/clawpatrol/pull/695
- Record a plugin's deferred egress on first load by @piscisaureus in https://github.com/denoland/clawpatrol/pull/696
- Derive async grant TTL from approver and sync-wait timeouts by @arnauorriols in https://github.com/denoland/clawpatrol/pull/697
- Add OTel GenAI telemetry export with optional message content by @arnauorriols in https://github.com/denoland/clawpatrol/pull/684
- extplugin: deliver all bound credentials to conn endpoints by @piscisaureus in https://github.com/denoland/clawpatrol/pull/698
- tailscale tunnel: wait for the node to join in Dial by @piscisaureus in https://github.com/denoland/clawpatrol/pull/699
- extplugin: map the sql built-in family for external endpoints (v2 M3) by @piscisaureus in https://github.com/denoland/clawpatrol/pull/700
- extplugin: host-served control plane (HostControl) for plugin Evaluate by @piscisaureus in https://github.com/denoland/clawpatrol/pull/701
- extplugin: plugin-declared "privileged" capability (run unsandboxed, explicit approval) by @piscisaureus in https://github.com/denoland/clawpatrol/pull/704
- relay: fail open when the auto-expose relay dies (#688) by @piscisaureus in https://github.com/denoland/clawpatrol/pull/708
- Extend OTel GenAI telemetry to OpenAI providers by @arnauorriols in https://github.com/denoland/clawpatrol/pull/711
- run: sanitize nsswitch hosts line in the sandbox by @piscisaureus in https://github.com/denoland/clawpatrol/pull/716
- extplugin: brokered transport dial for tunnel plugins (via + UDP) by @piscisaureus in https://github.com/denoland/clawpatrol/pull/714
- example: SOCKS5 tunnel + brokered passthrough (example is network=none) by @piscisaureus in https://github.com/denoland/clawpatrol/pull/719
- extplugin: honor via/share/keepalive/credential on plugin tunnel blocks by @piscisaureus in https://github.com/denoland/clawpatrol/pull/722
- docs: plugin tunnel transport dial + plugin-docs audit corrections by @piscisaureus in https://github.com/denoland/clawpatrol/pull/721
- gateway: clear error when state_dir isn't writable by @piscisaureus in https://github.com/denoland/clawpatrol/pull/723
Full Changelog: https://github.com/denoland/clawpatrol/compare/v0.2.12...v0.3.0
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About Claw Patrol
All releases →Beta — feedback welcome: [email protected]