Changelog - Moltis

[gateway]Embedded web chat UI at root endpoint
[gateway]Add services, pairing, expanded methods and auth
[agents]Add LLM chat with streaming, multi-provider support and feature flags
[gateway]Add Tailwind-based chat UI with dark/light theme
[config]Add multi-format config file with provider enable/disable support
[gateway]Add model selector and WebSocket auto-reconnect
[oauth]Add OpenAI Codex OAuth provider and reusable OAuth infrastructure
[tools]Add LLM code execution with agent loop, tool calling, and security layers
[agents]Add debug logging and end-to-end exec tool test
[agents]Text-based tool calling fallback for non-native providers
[gateway]Log user message on chat.send
[memory]Implement memory management system with hybrid search
[tools]Wire approval gating into exec tool with UI
[brew]Add Homebrew formula for tap-based installation
[website]Add static site and roadmap for moltis features
[website]Rewrite with Tailwind CSS, Inter/JetBrains fonts, and polish
[packaging]Add Debian package builds for amd64 and arm64
[packaging]Add Arch Linux package builds for x86_64 and aarch64
[packaging]Add RPM, Flatpak, Snap, AppImage, Nix, and Homebrew packaging
[agents]Register all Codex models in provider registry
[gateway]Structured error handling, exec cards, and approval UI
[gateway]Add provider management UI with multi-model support
[gateway]Persist API keys and add session management
[gateway]Add session sidebar UI and fix session management
[gateway]Route chat events by session key, add unread dots and thinking restore
[agents]Add missing LLM providers and GitHub Copilot OAuth
[gateway]Add session search with autocomplete, scroll-to and highlight
[gateway]Include model and provider name in chat final events
[claude]Save plans and sessions to prompts/ via hooks
[gateway]Multi-page SPA with nav panel, crons page and methods page
[cron]Wire cron callbacks and register CronTool for LLM use
[cron]Implement production-grade cron scheduling system
[projects]Add project management with context loading and session binding
[gateway]Searchable model selector, per-session model, chat history
[gateway]Persist model/provider in chat history and style model footer
[gateway]Add token usage display per-message and per-session
[gateway]Move model selector to chat page, add providers to nav panel
[projects,sessions]Migrate project and session metadata storage to SQLite
[gateway]Reorganize navigation, move providers to dedicated page
[sandbox]Per-session sandbox toggle with sandbox-on-by-default
[gateway]Show LLM thinking text, persist token usage, fix chat scroll
[gateway]Add slash commands (/clear, /compact, /context) with autocomplete
[context]Display sandbox details in /context command
[providers]Add Kimi Code OAuth (device flow) provider
[gateway]Add Channels navigation page
[gateway]Move enabled toggle to last column in cron job table
[telegram]Add username allowlist matching and message log store
[compact]Auto-compact on context limit, use session provider, show summary card
[worktree]Implement workspace worktree lifecycle features
[ui]Project selector combo in chat header with session filtering
[telegram]Per-channel sessions, slash commands, and default model config
[gateway]Add logs/forensic page with real-time streaming and persistence
[telegram]Command autocomplete, /new session, /sessions with inline keyboard
[gateway]Live session updates, channel icons, and active session indicator
[gateway]Add amber ping dot indicator for active sessions
[gateway]UI improvements and provider/context enhancements
[skills]Add agent skills system crate with discovery, registry, and CLI
[gateway]Add Skills navigation page to web UI
[skills]Repository-based skills with per-skill enable/disable
[skills]Accept GitHub URLs in skill source input
[gateway]Add native HTTPS/TLS support behind tls cargo feature
[gateway]Hybrid asset serving with filesystem dev and embedded release
[sandbox]Configurable images, on-demand caching, Apple Container auto-detection
[onboarding]Replace wizard with inline identity editing in Settings
[plugins]Add plugins crate with format adapters, install, and chat integration
[gateway]Add Images page for managing sandbox container images
[telegram]Add /model, /sandbox commands and improve /context display
[gateway]Add setup code at startup and configurable config/data dirs
[gateway]Clean auth state separation, gon pattern, and identity improvements
[env]Add write-only environment variables with sandbox injection
[security]Wrap secrets in secrecy::Secret<String> to prevent leaks
[hooks]Add hook dispatch system with native and shell handlers
[hooks]Add hook discovery, eligibility, metadata, CLI commands, and bundled hooks
[memory]Wire memory system into gateway with tools, compaction, and session hooks
[memory]Add embedding cache, local GGUF, fallback chain, batch API, file watcher, and pre-compaction flush
[tools]Add web_search and web_fetch agent tools
[sandbox]Add tracing to Apple Container and exec tool lifecycle
[ui]Show container name in /context sandbox section
[web]Forward client Accept-Language to web_fetch and web_search
[sandbox]Auto-provision curl, python3, nodejs, npm in containers
[sandbox]Expand default packages inspired by GitHub runner images
[sandbox]Apple Container pre-built images, CLI commands, default config
[sandbox]Expand packages from GitHub runner images, use Secret for web search keys
[hooks]Wire all 15 hook events and add examples
[chat]Add per-session run serialization to prevent history corruption
[chat]Add configurable agent-level timeout enforcement
[agents]Retry agent loop after compaction on context window overflow
[tools]Add SpawnAgentTool for sub-agent / nested agent support
[chat]Add message queue modes for concurrent send handling
[agents]Sanitize tool results before appending to LLM message history
[agents]Execute tool calls concurrently with join_all
[mcp]Add MCP client support with discovery UI
[gateway]Add nav sidebar count badges and MCP UI improvements
[mcp]MCP context in chat, duplicate name handling, and misc improvements
[mcp]Add McpTransport and McpClientTrait trait abstractions
[mcp]Wire MCP tool bridges into agent ToolRegistry
[mcp]SSE transport, health polling, auto-restart, and edit config
[gateway]Add tailscale serve/funnel management, UI consistency overhaul, and HTTP/2 support
[memory]Log status with DB size after initial sync
[tailscale]Add Start Tailscale button when daemon is not running
[channels]Assign default model to new telegram sessions
[agents]Add model failover with per-provider circuit breakers
[gateway]Add report an issue link to nav sidebar
[config]Support MOLTIS_* env var overrides for all config fields
[cron]Add heartbeat feature with persistent run history
[cli]Add cargo-binstall support for binary installation
Add Homebrew tap and auto-update workflow
Generate random port on first run and make gateway the default command
[ci]Add multi-arch Docker build workflow
[agents]Enable streaming responses with tool support
[metrics]Add Prometheus metrics with feature-gated support
[metrics]Expand metrics to all crates with tracing feature
[metrics]Add provider alias support for metrics differentiation
[metrics]Add SQLite persistence and per-provider charts
[db]Add sqlx migrations with per-crate ownership
[local-llm]Add local LLM provider with GGUF/MLX backend selection
[local-llm]Add MLX models and filter by backend
[local-llm]Add HuggingFace search and custom model support
[agents]Add unified local-llm provider with pluggable backends
[ui]Add auto-search with debounce for HuggingFace search
[ui]Show chat-only mode notice when selecting model without tools
[ui]Show all configured models in providers page
[providers]Add per-model removal and disable support
[local-llm]Add tracing and metrics to GGUF provider
[cli]Add database management commands (db reset, clear, migrate)
[telegram]Auto-disable channel when another bot instance is running
Add install script and update URLs to moltis.org
Add Pi-inspired features — skill state, self-extension, branching, hot-reload
[auth]Add scope support to API keys
Typed ToolSource, per-session MCP toggle, debug panel convergence, docs & changelog
[gateway]Add Fork button to chat header
[gateway]Show warning banner when running on non-main git branch
[gateway]Add mobile PWA support with push notifications (#40)
[tls]Default HTTP redirect port to gateway port + 1 (#49)
[memory]Add QMD backend support, citations, session export, and LLM reranking (#27)
[deploy]Add --no-tls flag and one-click cloud deploy configs
[gateway]Display process and system memory usage in header
[ui]Red favicon and branch-prefixed title for non-main branches
[ui]Add security warnings to MCP and Plugins pages
[ui]Add click-to-view-source detail panel to enabled plugins table
[deploy]Add MOLTIS_DEPLOY_PLATFORM env var to hide local-only providers on cloud
[ui]Add allowlist field to onboarding channel step
[ui]Prefill agent name and emoji in onboarding identity step
[hooks]Add hooks web UI page
[hooks]Seed example hook on first run
[hooks]Add Preview/Source tabs for HOOK.md content
[hooks]Click-to-copy hook source path
[hooks]Show built-in hooks in the web UI
[hooks]Wire up built-in hooks (boot-md, command-logger, session-memory)
[channels]Replace allowlist textarea with tag-style input
[workspace]Move persona and startup context to markdown files
[browser]Add full browser automation support via CDP
[browser]Enable browser tool by default
[settings]Add Load Template button and docs link
[browser]Display screenshot thumbnails in chat UI
Add restart API and improve browser tool integration
[browser]Add fullscreen lightbox for screenshot thumbnails
[local-llm]Auto-detect backend based on model type
[local-llm]Support Homebrew-installed mlx-lm
[local-llm]Download and cache MLX models locally
[local-llm]Notify user when downloading missing models
[ui]Show download progress in chat when model is missing
[browser]Add sandboxed browser support using Docker containers
[browser]Add sandbox mode visibility in logs and response
[browser]Pre-pull container image at startup with UI feedback
[browser]Include page content in snapshot response
[cli]Add browser command for managing browser configuration
[browser]Add detailed logging for browser execution mode
[ui]Show browser action and execution mode in chat
[browser]Add screenshot download functionality
[browser]Increase default viewport to 1920x1080
[browser]Increase viewport to 2560x1440 with 2x Retina scaling
[telegram]Add screenshot support for browser tool
[browser,telegram]Improve screenshot handling and display
[browser]Memory-based pool limits instead of fixed count
[telegram]Send tool execution status during chat
[logs]Show crate/module target in log output
[ci]Add local validation gate with CI fallback
[security]Add emergency disable for third-party skills
[security]Surface commit provenance in skills UI
[skills]Add websocket install progress and loading states
[skills]Use websocket install status with honest UI messaging
[scripts]Support local-only validation without a PR
[workspace]Align context files with OpenClaw semantics
[heartbeat]Skip LLM turns when HEARTBEAT.md is empty
[heartbeat]Surface empty-file skip status in UI
[gateway]Surface GitHub release update banner
[voice]Add voice crate with TTS and STT providers
[gateway]Integrate voice services with TTS and STT support
[voice]Add voice UI with feature flag support
[voice]Add multiple STT providers
[voice]Add voice provider management UI with auto-detection
[voice]Add ElevenLabs Scribe STT provider
[voice]Integrate ElevenLabs Scribe STT and upgrade to v2
[voice]Improve STT/TTS testing UX and fix ElevenLabs API
[voice]Send voice messages directly to chat
[telegram]Transcribe voice messages before dispatching to chat
[telegram]Add info logging for unhandled media types
[telegram]Add image support for multimodal LLM messages
[channels]Improve voice handling and typed STT config
[voice]Add typed provider metadata and voice preference flows
[chat]Prefer same reply medium with text fallback
[voice]Add provider list allowlists and narrow template defaults
[chat]Add runtime host+sandbox prompt context
[chat]Add Prompt button to inspect full system prompt
[sandbox]Add tmux to default packages
[tools]Add process tool and tmux skill for interactive terminal sessions
Ship provider onboarding and model discovery improvements
[ui]Redesign Voice onboarding step with settings-like experience
[ui]Personalize TTS test phrases with user and bot names
[gateway]Voice pending UI, TTS phrase generation, and empty message filtering
[gateway]Persist TTS audio, per-session media, and silent replies
[gateway]Add Context button showing full LLM messages array
[gateway]Add queued message UI with cancel support
[gateway]Add Copy button to full context panel
[gateway]Add client-side message sequence number for ordering diagnostics
[gateway]Add run_id and seq to persisted messages for parent/child linking
[channels]Add reply threading support for Telegram messages
[gateway]Auto-detect browser timezone via Intl.DateTimeFormat
[metrics]Populate cache token counters from provider responses
[tools]Add get_user_location tool with browser geolocation
[sandbox]Add image, audio, media, and data processing packages
[sandbox]Add document, office, and search packages
[sandbox]Add GIS and OpenStreetMap packages
[tools]Add sandbox_packages tool for on-demand package discovery
[sandbox]Add communication packages, hybrid sandbox query, and mise
[telegram]Add location sharing with live location tracking
[onboarding]Redesign provider step as multi-provider list
[gateway]Show no-providers card when no LLM models available
[gateway]Validate-first provider setup in onboarding and settings
[oauth]Import auto-detected tokens into central store at startup
[providers]Add model selection for auto-detected providers
[onboarding]Add summary step and improve channel UX
[gateway]Add Telegram-style waveform audio player
[gateway]Add generic session upload endpoint replacing base64-over-WS
[gateway]Add drag-and-drop image upload to chat and auth tests
[voice]Add TTS text sanitization and voice-friendly LLM prompting
[tools]Reverse geocode user location to human-readable place names
[agents]Retry once on transient LLM provider errors
[tools]Add show_map tool and location precision modes
[telegram]Consolidate bot responses into single message with logbook
[auth]Passkey UX improvements and mDNS origin support
[benchmarks]Add boot-path performance benchmarks for CodSpeed
[cli]Add moltis memory subcommand with search and status
[telegram]Send native location pin for show_map tool
[telegram]Send voice replies with text transcript
[gateway]Add search to project filter and fix button alignment
[gateway]Attach project to new sessions from filtered view
[sessions]Add server-side unread tracking via last_seen_message_count
[gateway]Auto-detect models after saving provider API key (#83)
[sessions]Add entity versioning to prevent stale updates
[gateway]Improve logs filter UX and branch favicon contrast
[gateway]Add logout button to header bar (#86)
[gateway]Add comprehensive e2e test suite for web UI (#87)
[gateway]Add auth-aware endpoint throttling and login retry UX
[gateway]Auto-detect WebAuthn RP ID from PaaS environment variables
[cli]Add --version flag
[gateway]Centralize SPA routes and preserve config TOML comments
[models]Tighten allowlist matching and support probe output (#91)
[config]Add moonshot to default offered providers
[onboarding]Preselect passkey auth method when available
[config]Auto-create SOUL.md with default content on first run
[gateway]Disconnect all WS clients on credential changes
[providers]Prefer configured models and merge live model discovery
[providers]Multi-select preferred models, keyOptional, createdAt sorting
[providers]Filter non-chat models and fix per-model tool support
[providers]Show model dates, probe on select, spacebar pause
[onboarding]Multi-select model picker with probe badges
[memory]Inject MEMORY.md into system prompt and fix file watcher
Auto-select and install browser tool backends (#130)
[agents]Strip <think> tags from OpenAI-compatible providers and add MiniMax
[chat]Preserve reasoning text in tool cards across page reloads
[agents]Add Z.AI (Zhipu) as OpenAI-compatible provider
Env injection, sandbox recovery, UI fixes, provider improvements (#108)
[gateway]Show server start time at bottom of onboarding
[browser]Auto-inject low-memory Chromium flags on constrained systems
[gateway]Add generic OpenAI-compatible provider support
[tools]SSRF allowlist for Docker inter-container networking (#146)
[config]Enable openrouter in default offered providers
[mcp]Add OAuth 2.1 support for remote MCP servers (#148)
[telegram]Add channel streaming with stream_mode fallback (#165)
[tools]Add calc tool for safe arithmetic evaluation
[cron]Add per-job model and execution target controls (#170)
[gateway]Cache session histories and show switch loader
[map]Add provider-aware show_map links
[gateway]Render markdown and ansi tables in chat
[browser]Persist Chrome profile across sessions (#162)
[memory]Reduce baseline memory footprint for lightweight devices
[telegram]Save voice audio to session media for web UI playback
[cron]Add event-driven heartbeat wake with system events queue
[telegram]Render markdown tables as formatted pre blocks
[gateway]Static file caching for public share pages
[cron]Deliver agent turn output to Telegram channels
[gateway]Seed dcg-guard hook and polish onboarding badges
[graphql]Add GraphQL API exposing all RPC methods (#200)
[tools]Add send_image tool for channel image delivery (#224)
[gateway]Expand identity emoji picker options (#206)
[web]Browsable skills list in repo cards
[providers]Add configurable OpenAI websocket stream transport (#227)
[sandbox]Install latest gogcli in default sandbox images (#232)
[agents]Add multi-agent personas with CRUD UI (#97)
[caldav]Add CalDAV integration for calendar CRUD (#84)
[channels]Add Microsoft Teams channel integration (#231)
[import]Add OpenClaw import crate, CLI, gateway RPC, and UI (#217)
[web]Add vault algorithm description to encryption settings page
[web]Internationalization (i18n) with English and French locales (#237)
[whatsapp]Add WhatsApp channel support (#73)
[web]Add sandbox shared-home settings UI and config
[protocol]Upgrade WebSocket protocol from v3 to v4 (#247)
[agents,providers,chat]Universal tool support for all models
[openclaw-import]Import workspace files and add safety messaging
[providers]Promote Gemini to first-class OpenAI-compatible provider
[i18n]Add full zh-CN (Simplified Chinese) localization (#260)
Add channel-aware heartbeat delivery and send_message agent tool (#270)
[memory]Add tree-sitter code splitter and RRF search merge
[web]Add Shiki syntax highlighting to code blocks
[sandbox]Add GitHub runner parity packages and enable corepack (#284)
[providers]Add first-class LM Studio provider (#286)
[agents]Enrich spawn_agent presets with identity, policies, memory (#271)
[web]Show running version at bottom of identity settings
[channels]Channel architecture phase 5, contract suites, and observability baseline (#289)
[ci]Add release dry-run mode
[browser]Add container_host for Docker-in-Docker connectivity (#300)
[ios]Auto-discover server identity and show emojis (#297)
[website]Migrate cloudflare website into monorepo (#302)
[local-llm]Allow arbitrary HuggingFace model IDs for MLX models
[web,tools]AOT WASM pre-compilation and Shiki CDN loading
[cli]Remove wasm from default features to reduce memory
[gateway]Make provider discovery startup non-blocking
[monitoring]Track memory history and improve local-llm memory reporting (#325)
[ios]Add local llama cpp memory field to GraphQL schema
[providers]Include reasoning fields for kimi models (#323)
[chat]Tabs to filter chats between sessions and cron (#338)
[oauth]Support pasted callback URL fallback (#365)
[providers]Add reasoning effort support for models with extended thinking (#363)
[providers]Add Responses API support to GitHub Copilot provider (#393)
[release]Migrate to date-based versioning (YYYYMMDD.NN) (#394)
Support secret remote MCP URLs and headers (#416)
[docker]Support generic provider env bootstrap (#401)
[skills]Support safe agent-written sidecar files (#413)
[mcp]Add custom display names for MCP servers
[mcp]Add displayName to iOS GraphQL schema
[skills]Gate installer behind install feature
[gateway]Embedded web chat UI at root endpoint
[gateway]Add services, pairing, expanded methods and auth
[agents]Add LLM chat with streaming, multi-provider support and feature flags
[gateway]Add Tailwind-based chat UI with dark/light theme
[config]Add multi-format config file with provider enable/disable support
[gateway]Add model selector and WebSocket auto-reconnect
[oauth]Add OpenAI Codex OAuth provider and reusable OAuth infrastructure
[tools]Add LLM code execution with agent loop, tool calling, and security layers
[agents]Add debug logging and end-to-end exec tool test
[agents]Text-based tool calling fallback for non-native providers
[gateway]Log user message on chat.send
[memory]Implement memory management system with hybrid search
[tools]Wire approval gating into exec tool with UI
[brew]Add Homebrew formula for tap-based installation
[website]Add static site and roadmap for moltis features
[website]Rewrite with Tailwind CSS, Inter/JetBrains fonts, and polish
[packaging]Add Debian package builds for amd64 and arm64
[packaging]Add Arch Linux package builds for x86_64 and aarch64
[packaging]Add RPM, Flatpak, Snap, AppImage, Nix, and Homebrew packaging
[agents]Register all Codex models in provider registry
[gateway]Structured error handling, exec cards, and approval UI
[gateway]Add provider management UI with multi-model support
[gateway]Persist API keys and add session management
[gateway]Add session sidebar UI and fix session management
[gateway]Route chat events by session key, add unread dots and thinking restore
[agents]Add missing LLM providers and GitHub Copilot OAuth
[gateway]Add session search with autocomplete, scroll-to and highlight
[gateway]Include model and provider name in chat final events
[claude]Save plans and sessions to prompts/ via hooks
[gateway]Multi-page SPA with nav panel, crons page and methods page
[cron]Wire cron callbacks and register CronTool for LLM use
[cron]Implement production-grade cron scheduling system
[projects]Add project management with context loading and session binding
[gateway]Searchable model selector, per-session model, chat history
[gateway]Persist model/provider in chat history and style model footer
[gateway]Add token usage display per-message and per-session
[gateway]Move model selector to chat page, add providers to nav panel
[projects,sessions]Migrate project and session metadata storage to SQLite
[gateway]Reorganize navigation, move providers to dedicated page
[sandbox]Per-session sandbox toggle with sandbox-on-by-default
[gateway]Show LLM thinking text, persist token usage, fix chat scroll
[gateway]Add slash commands (/clear, /compact, /context) with autocomplete
[context]Display sandbox details in /context command
[providers]Add Kimi Code OAuth (device flow) provider
[gateway]Add Channels navigation page
[gateway]Move enabled toggle to last column in cron job table
[telegram]Add username allowlist matching and message log store
[compact]Auto-compact on context limit, use session provider, show summary card
[worktree]Implement workspace worktree lifecycle features
[ui]Project selector combo in chat header with session filtering
[telegram]Per-channel sessions, slash commands, and default model config
[gateway]Add logs/forensic page with real-time streaming and persistence
[telegram]Command autocomplete, /new session, /sessions with inline keyboard
[gateway]Live session updates, channel icons, and active session indicator
[gateway]Add amber ping dot indicator for active sessions
[gateway]UI improvements and provider/context enhancements
[skills]Add agent skills system crate with discovery, registry, and CLI
[gateway]Add Skills navigation page to web UI
[skills]Repository-based skills with per-skill enable/disable
[skills]Accept GitHub URLs in skill source input
[gateway]Add native HTTPS/TLS support behind tls cargo feature
[gateway]Hybrid asset serving with filesystem dev and embedded release
[sandbox]Configurable images, on-demand caching, Apple Container auto-detection
[onboarding]Replace wizard with inline identity editing in Settings
[plugins]Add plugins crate with format adapters, install, and chat integration
[gateway]Add Images page for managing sandbox container images
[telegram]Add /model, /sandbox commands and improve /context display
[gateway]Add setup code at startup and configurable config/data dirs
[gateway]Clean auth state separation, gon pattern, and identity improvements
[env]Add write-only environment variables with sandbox injection
[security]Wrap secrets in secrecy::Secret<String> to prevent leaks
[hooks]Add hook dispatch system with native and shell handlers
[hooks]Add hook discovery, eligibility, metadata, CLI commands, and bundled hooks
[memory]Wire memory system into gateway with tools, compaction, and session hooks
[memory]Add embedding cache, local GGUF, fallback chain, batch API, file watcher, and pre-compaction flush
[tools]Add web_search and web_fetch agent tools
[sandbox]Add tracing to Apple Container and exec tool lifecycle
[ui]Show container name in /context sandbox section
[web]Forward client Accept-Language to web_fetch and web_search
[sandbox]Auto-provision curl, python3, nodejs, npm in containers
[sandbox]Expand default packages inspired by GitHub runner images
[sandbox]Apple Container pre-built images, CLI commands, default config
[sandbox]Expand packages from GitHub runner images, use Secret for web search keys
[hooks]Wire all 15 hook events and add examples
[chat]Add per-session run serialization to prevent history corruption
[chat]Add configurable agent-level timeout enforcement
[agents]Retry agent loop after compaction on context window overflow
[tools]Add SpawnAgentTool for sub-agent / nested agent support
[chat]Add message queue modes for concurrent send handling
[agents]Sanitize tool results before appending to LLM message history
[agents]Execute tool calls concurrently with join_all
[mcp]Add MCP client support with discovery UI
[gateway]Add nav sidebar count badges and MCP UI improvements
[mcp]MCP context in chat, duplicate name handling, and misc improvements
[mcp]Add McpTransport and McpClientTrait trait abstractions
[mcp]Wire MCP tool bridges into agent ToolRegistry
[mcp]SSE transport, health polling, auto-restart, and edit config
[gateway]Add tailscale serve/funnel management, UI consistency overhaul, and HTTP/2 support
[memory]Log status with DB size after initial sync
[tailscale]Add Start Tailscale button when daemon is not running
[channels]Assign default model to new telegram sessions
[agents]Add model failover with per-provider circuit breakers
[gateway]Add report an issue link to nav sidebar
[config]Support MOLTIS_* env var overrides for all config fields
[cron]Add heartbeat feature with persistent run history
[cli]Add cargo-binstall support for binary installation
Add Homebrew tap and auto-update workflow
Generate random port on first run and make gateway the default command
[ci]Add multi-arch Docker build workflow
[agents]Enable streaming responses with tool support
[metrics]Add Prometheus metrics with feature-gated support
[metrics]Expand metrics to all crates with tracing feature
[metrics]Add provider alias support for metrics differentiation
[metrics]Add SQLite persistence and per-provider charts
[db]Add sqlx migrations with per-crate ownership
[local-llm]Add local LLM provider with GGUF/MLX backend selection
[local-llm]Add MLX models and filter by backend
[local-llm]Add HuggingFace search and custom model support
[agents]Add unified local-llm provider with pluggable backends
[ui]Add auto-search with debounce for HuggingFace search
[ui]Show chat-only mode notice when selecting model without tools
[ui]Show all configured models in providers page
[providers]Add per-model removal and disable support
[local-llm]Add tracing and metrics to GGUF provider
[cli]Add database management commands (db reset, clear, migrate)
[telegram]Auto-disable channel when another bot instance is running
Add install script and update URLs to moltis.org
Add Pi-inspired features — skill state, self-extension, branching, hot-reload
[auth]Add scope support to API keys
Typed ToolSource, per-session MCP toggle, debug panel convergence, docs & changelog
[gateway]Add Fork button to chat header
[gateway]Show warning banner when running on non-main git branch
[gateway]Add mobile PWA support with push notifications (#40)
[tls]Default HTTP redirect port to gateway port + 1 (#49)
[memory]Add QMD backend support, citations, session export, and LLM reranking (#27)
[skills]Show confirmation hint after skill creation/update
[skills]Add skill editing and forking from the web UI
[skills]Show confirmation hint after skill creation/update
[skills]Add skill editing and forking from the web UI
[mcp]Make request timeout configurable
[agents]Lazy tool registry with tool_search meta-tool
[local-llm]Add opt-in vulkan gguf support
[providers]Add MiniMax M2.7 and missing M2.1 highspeed models
[prompt]Stabilize system prompt for local LLM KV cache
[scripts]Skip local-validate.sh when commit already passed
[docker]Add Node.js/npm to Docker image for MCP servers
[ci]Add pre_release option to release workflow

Changed

[website]Extract inline CSS to separate styles.css file
[gateway]Split monolithic app.js into 24 ES modules
[gateway]Extract inline JS styles to CSS and add message dedup
[gateway]Preact skills page, REST APIs, biome linting, perf fixes
[gateway]Reduce cognitive complexity in JS modules and add biome CI
[gateway]Faster log loading with memory-first reads and batch rendering
Simplify auth, onboarding, and settings code
Simplify hooks and memory code
[env]Wrap env var values in secrecy::Secret
Remove all unsafe code and add workspace-wide deny(unsafe_code)
Keep API keys wrapped in Secret<String> through provider construction
[agents]Simplify tool result sanitization
[mcp]Remove dead code and deduplicate config parsing
[memory]Skip redundant work on sync restart
[gateway]Use inline script for identity instead of server-side HTML replace
[api]Split /api/skills and /api/plugins into separate endpoints
[ui]Use CSS classes for tailscale status bar, single line layout
[ui]Rename ts-status-bar to generic info-bar classes and fix image page font size
[tailscale]Remove Start Tailscale button and up endpoint
[ui]Move session rename/delete to chat header and clean up
Remove unsafe set_var in detect.rs tests, resolve merge conflicts
[gateway]Reorder nav items alphabetically with Chat first
[ci]Extract signing logic into composite action
[ui]Move install hint markup to HTML template
[ui]Move model notice card HTML to template
Rename crate moltis-cli to moltis
[deps]Centralize all dependency versions in workspace root
[ci]Run lightweight lint jobs on GitHub-hosted runners
[ci]Restore Docker jobs to release workflow, remove docker.yml
[plugins]Replace hand-rolled date arithmetic with time crate
[gateway]Use time::Duration::days in tls expiry check
Use moltis_config::data_dir() for all path resolution
[browser]Add browser detection and simplify session handling
[settings]Rename Tools to Configuration and edit full config
[browser]Use typed structs for OpenAI tool schemas
[local-llm]Add modular ResponseParser trait for output parsing
[browser]Use unified sandbox infrastructure for browser containers
[gateway]Add defense-in-depth auth checks and DRY server.rs
[browser]Send execution mode from server in tool_call_start
[channels]Use ChannelType enum instead of string matching
[browser]Sandbox mode follows session, fix tall screenshot lightbox
[ci]Move local status check logic into script
[ci]Avoid blocking lint and test on local zizmor
[security]Use gitoxide metadata and improve trust UX
[scripts]Rename local-validate-pr.sh to local-validate.sh
[chat]Simplify runtime host+sandbox prompt context
[sandbox]Remove redundant mkdir exec from ensure_ready
Simplify branch review fixes across UI, gateway, and config
[gateway]Use typed structs for chat broadcast payloads
[ui]Rename /images and /api/images routes to /sandboxes
[gateway]Consolidate GatewayState per-field RwLocks into single RwLock<GatewayInner>
[mcp]Consolidate McpManager per-field RwLocks into single RwLock<McpManagerInner>
[gateway]Replace project select with custom combo dropdown
[gateway]Unify auth into single check_auth() gate
[browser]Make stale cleanup path expression-based
[ci]Move E2E job into CI workflow
[build]Enable thin LTO and binary stripping in release profile
[gateway]Extract shared voice, identity, and channel utils
[tools]Resolve browser sandbox mode from SandboxRouter directly
[gateway]Reorder onboarding screens
[session]Typed params for patch and voice_generate (#131)
[gateway]Remove standalone /crons route, use /settings/crons
[agents]Simplify prompt builder and runtime context
[prompt]Compact prompt sections and add server runtime time
[web]Extract web UI into dedicated moltis-web crate
[identity]Consolidate creature+vibe into single theme field
[gateway]Extract moltis-service-traits crate (Phase 0)
[gateway]Extract moltis-tls and moltis-tailscale crates (Phase 1)
[gateway]Extract moltis-auth crate (Phase 2)
[gateway]Extract moltis-provider-setup crate (Phase 3)
[gateway]Extract moltis-chat crate (Phase 4)
[web]Move share_render.rs from gateway to moltis-web (Phase 1c)
[providers]Extract provider implementations into new crate
[errors]Move crates to typed thiserror enums (#226)
[tools]Replace anyhow bridge with crate::Result for internal APIs (#257)
[ffi]Tighten unsafe_code allowances
[channels]Registry-driven dispatch for cheap new channels (#277)
[gateway]Fetch updates from releases manifest instead of GitHub API
[web]Move settings nav icons from JS to CSS
Externalize web/wasm assets and reduce memory footprint (#321)
[web]Move chat history hydration to paged HTTP
[web]Paginate sessions and auto-load older history
[tools]Split sandbox.rs into sandbox/ module directory
[website]Extract inline CSS to separate styles.css file
[gateway]Split monolithic app.js into 24 ES modules
[gateway]Extract inline JS styles to CSS and add message dedup
[gateway]Preact skills page, REST APIs, biome linting, perf fixes
[gateway]Reduce cognitive complexity in JS modules and add biome CI
[gateway]Faster log loading with memory-first reads and batch rendering
Simplify auth, onboarding, and settings code
Simplify hooks and memory code
[env]Wrap env var values in secrecy::Secret
Remove all unsafe code and add workspace-wide deny(unsafe_code)
Keep API keys wrapped in Secret<String> through provider construction
[agents]Simplify tool result sanitization
[mcp]Remove dead code and deduplicate config parsing
[memory]Skip redundant work on sync restart
[gateway]Use inline script for identity instead of server-side HTML replace
[api]Split /api/skills and /api/plugins into separate endpoints
[ui]Use CSS classes for tailscale status bar, single line layout
[ui]Rename ts-status-bar to generic info-bar classes and fix image page font size
[tailscale]Remove Start Tailscale button and up endpoint
[ui]Move session rename/delete to chat header and clean up
Remove unsafe set_var in detect.rs tests, resolve merge conflicts
[gateway]Reorder nav items alphabetically with Chat first
[ci]Extract signing logic into composite action
[ui]Move install hint markup to HTML template
[ui]Move model notice card HTML to template
Rename crate moltis-cli to moltis
[media]Replace manual MIME lookup with mime_guess crate
[auth]Extract GatewayState::is_secure() to centralise cookie Secure logic
[browser]Use match instead of nested if/else for dir creation
[httpd]Extract moltis-httpd crate as HTTP transport facade
[ci]Restore release.yml clippy runner to self-hosted
[tools]Unify rescue helper, add tracing, exclude action-level keys
[docker]Split runtime installs into separate layers
[dev]Deduplicate release-preflight by delegating to lint

Removed

Merge branch 'main' into claude/remove-unsafe-code-ehZlQ
[ui]Remove decimal digits from memory display
[ci]Add latest Docker tag on tag pushes, remove unused branch tag
[ci]Remove template-expanded gate debug output
[gateway]Use danger button for session delete
[gateway]Size-match delete button with fork and add danger style
[gateway]Match delete button size to fork button
[browser]Remove linux-only unused mut in stale cleanup
[codspeed]Remove noisy n=1 session_store_list case
Remove cargo-binstall install path
[browser]Remove needless return in match arm
[gateway]Remove unnecessary path qualification flagged by clippy
[cron]Remove oneOf from tool schema for OpenAI responses
[readme]Drop logo icon to save vertical space
[readme]Restore 64px favicon, remove link from title
Remove trailing whitespace in validate.rs
[cli]Remove binstall metadata and fix feature indentation
[sandbox]Remove redundant error conversions
[web]Remove nested onboarding scroll and restore settings nav icons
[web]Declutter chat controls and fix dropdown positioning
Merge branch 'main' into claude/remove-unsafe-code-ehZlQ
[local-llm]Remove unused gguf runtime helper

Fixed

[oauth]Use correct OpenAI client_id, add config layer and tests
[agents]Prefer tool-capable provider when tools are registered
[agents]Register builtin providers before genai to enable tool calling
[gateway]Auto-focus chat input on page load
[sessions]Add missing sandbox_enabled column migration, stop swallowing errors
[gateway]Move sandbox button next to model select, fix default state
Resolve all clippy warnings (collapsible_if, map_flatten, or_default, unused imports)
[gateway]Open nav panel by default
[gateway]Add session icons and replace spinner in-place
[gateway]Add missing renderCompactCard export to page-chat.js
[gateway]Fix routing, styling, and layout issues in JS modules
[telegram]Remove channel prefix from user messages and log LLM responses
[ci]Fix biome version and worktree test default branch
[ci]Restore biome version pin and fix cargo fmt
Update CLAUDE.md pre-commit checks and fix clippy warnings
[ci]Update setup-biome to v2.7.0 and fix sort_by_key clippy lint
[tests]Configure git user in worktree test setup for CI
Replace sort_by with sort_by_key in project store
[assets]Fix biome formatting and empty catch block in sandbox.js
[ui]Match settings nav item height and style to main navigation
[security]Wrap API keys in Secret<String> for memory subsystem
Use RecommendedCache for cross-platform watcher, sort_by_key for clippy
[hooks]Ignore broken pipe on stdin write when child doesn't read it
[ui]Show URL and query in web tool call cards
[sandbox]Restart stopped Apple containers in ensure_ready
[sandbox]Pass sleep infinity to Apple Container run
[sandbox]Promote exec routing and container logs to info level
[sandbox]Handle Apple Container inspect returning empty for nonexistent containers
[sandbox]Default working_dir to "/" when running inside container
[security]Reject cross-origin WebSocket upgrades (CSWSH protection)
[sandbox]Inject env vars in Apple Container backend
[exec]Redact env var values from command output
[exec]Redact base64 and hex encoded env var values from output
[config]Use correct defaults for ToolsConfig when not deserialized
[gateway]Nav badge counts and cron page instant load
[memory]Write memory files to data dir instead of cwd
[gateway]Eliminate identity flash on page load
[ui]Use consistent button class for skills Remove button
[ui]Fix skills Disable button style and add error feedback
[skills]Route disable to correct RPC for plugin-sourced skills
[ui]Use inline style for tailscale status green dot
[ui]Use status-dot connected class for tailscale green dot
[ui]Replace Tailwind arbitrary classes with inline styles in tailscale templates
[ui]Make tailscale status bar fit-content width
[ui]Make info-bar full width to match warning/error divs
[ui]Constrain info-bar to max-width 600px matching alert divs
[ui]Add alert-info-text to shared alert base styles
[ui]Add btn-row and btn-row-mt CSS classes for button spacing
[ui]Space cancel/create buttons apart and normalize height
[ui]Improve tailscale loading message to set expectations
[tailscale]Open Tailscale.app on macOS instead of running tailscale up
[ui]Preserve funnel security warning when rebuilding tailscale DOM
[ui]Use alert-warning-text style for funnel auth warning
[ui]Replace auth text with green button linking to security settings
[ui]Move auth button below the funnel security warning panel
[ui]Remove @layer components wrapper to fix nav specificity
[ui]Update session list after /clear and select next on delete
[ui]Format environment variable timestamps with luxon
[gateway]Stop echoing web UI messages to Telegram channel
Collapse nested if statements in config loader
[ci]Fix package build failures
[ci]Correct cargo-deb assets order
[local-llm]Detect available package managers for MLX install
[local-llm]Detect mlx-lm installed via brew
[ui]Show install commands on separate lines
[local-llm]Rename provider from local-gguf to local-llm
[local-llm]Fix HuggingFace API response parsing
[ui]Show searching state on HuggingFace search button
[ui]Close modal and prevent multiple clicks on HF model selection
[chat]Remove per-message tools warning broadcast
[ui]Remove scroll from local model list
[ci]Install cmake for llama.cpp build and fix Biome errors
[ci]Fix local-llm build in CI
[migrations]Use set_ignore_missing to allow multi-crate migrations
[cli]Run gateway migrations from db migrate command
[telegram]Don't delete channel from database on conflict
[gateway]Load images nav count async to avoid blocking page serve
[gateway]Replace branch icon, fix fork UX issues
Streaming tool calls, skill directory, skills page UX
[skills]Handle disable for personal/project skills
[skills]Use app modal for delete confirmation instead of system confirm()
[skills]Danger button on delete modal, fix disable routing for SkillsService
[ui]Use decimal units (MB, GB) for memory display
[ui]Strengthen skills security warning
[ui]Prevent branch banner error from blanking the page
[ci]Deploy docs to gh-pages branch instead of using deploy-pages action
[ci]Use GitHub-hosted runners for PRs to protect self-hosted runners
[ci]Add persist-credentials: false to docs workflow checkout
[ci]Use macOS runners for apple-darwin builds
[ci]Use project-local cargo config for cross-compilation
[ci]Fix all build failures in release workflow
[ci]Migrate release builds to GitHub-hosted runners
[ci]Build Docker images natively per arch instead of QEMU emulation
[ci]Only build Docker images on release tags, not main pushes
[deploy]Persist config directory on cloud providers
[ci]Use ubuntu-24.04-arm for Linux ARM jobs
[ci]Correct cargo-sbom CycloneDX format flag
[ci]Derive release package versions from git tags
[ui]Compact memory info display in header bar
[docker]Add runtime libgomp and image smoke test
[gateway]Route setup through onboarding and stabilize hosted WS auth
[ui]Disable sandbox controls when no backend is available
[ci]Remove gh dependency from homebrew workflow
[ci]Run homebrew update after release assets
[ci]Avoid invalid secrets context in release workflow
[hooks]Show GitHub source link for built-in hooks instead of editor
[hooks]Use checked_div for avg latency calculation
[gateway]Keep telegram typing active until reply send
[sandbox]Skip prebuild when disabled and require daemon access
[gateway]Use instance callback URL for OAuth flows
[ci]Apply nightly rustfmt and clarify formatting checklist
[ci]Add CUDA static libs and linker paths
[ci]Map Debian CUDA libs into CUDA root for static link
[browser]Register BrowserTool in tool registry
[agents]Correctly pass tools through ProviderChain and detect tool result failures
[browser]Include install instructions when browser launch fails
[browser]Check macOS app bundles before PATH for browser detection
[browser]Improve tool description with explicit examples
[agents]Add strict mode to OpenAI-compatible tool schemas
[browser]Default to navigate action when only url is provided
[chat]Preserve message order when tool calls interleave with text
[chat]Hide schema validation error cards from UI
[chat]Show validation errors as muted informational cards
[browser]Recursively add additionalProperties to nested schemas
[browser]Ensure all properties in required for OpenAI strict mode
[browser]Use shared to_openai_tools in openai_codex provider
[browser]Add to_responses_api_tools for Codex API format
[browser]Handle objects without properties in strict mode
[browser]Use data URI format for screenshots
[browser]Handle both raw base64 and data URI in screenshot display
[local-llm]Reject MLX models in GGUF loader with helpful error
[local-llm]Route MLX models to MLX backend via local_llm provider
[local-llm]Allow HuggingFace repo IDs for MLX models
[local-llm]Parse mlx_lm CLI output correctly
[gateway]Use LocalLlmProvider for UI-added models
[local-llm]Check legacy registry for MLX models
[local-llm]Use local cache for MLX models instead of HF repo path
[local-llm]Multiple fixes for model download and registration
[browser]Improve container detection and settings error handling
[lint]Resolve biome errors for CI
[browser]Update deprecated rand API calls
[browser]Improve tool description to trigger on 'browse' keyword
[browser]Don't write screenshot files to disk
[sandbox]Resolve race condition where sandbox shows disabled at startup
[gateway]Add missing config and metrics routes to push-notifications build
[ui]Remove duplicate browser info from result area
[browser]Retry on dead WebSocket connections
[browser]Validate URLs to reject LLM garbage
[browser]Improve screenshot handling and suppress chromiumoxide logs
[browser]Ensure viewport is applied to pages and add debug logging
[browser]Wait for Chrome to be ready before connecting
[browser]Auto-track session_id to prevent pool exhaustion
[browser]Use navigation timeout for sandboxed browser connections
[telegram]Re-send typing indicator after tool status message
[ci]Pin sccache action to commit SHA
[ci]Publish local validation statuses to PR head repo
[ci]Fallback to gh auth token for local status publishing
[ci]Clean stale llama cmake dirs in local validator
[ci]Use non-CUDA local validation defaults on macOS
[ci]Wait for local statuses before failing PR checks
[ci]Correct parallel local check PID handling
[ci]Stabilize local validator output and show run URL
[security]Harden skill execution and web asset safety
[security]Require trust before enabling installed skills
[security]Harden tarball extraction and pin install provenance
[security]Require re-trust when skill source drifts
[security]Block suspicious dependency install commands
[security]Recover orphaned installs and protect seed skills
[skills]Seed template and quiet invalid skill warnings
[memory]Align indexing scope with openclaw defaults
[memory]Coalesce stale-index cleanup logs
[validation]Require clean tree for local PR status
[agents]Replace serde_json::Value with typed ChatMessage in LlmProvider
[scripts]Add lockfile check and enforce clean worktree in all modes
[clippy]Address nested-if and duplicate branch warnings
[ui]Remove redundant heartbeat token-saver panel
[chat]Keep skill management tools available at runtime
[gateway]Support configured GitHub repo for update checks
[update]Disable checks when repo URL is unset
[ci]Pin workflow actions to commit SHAs
[ci]Expose CUDA compat libs for test runtime
[concurrency]Remove Mutex<()> sentinels and harden exec working dir
[startup]Ensure data dir exists and isolate exec tests
[startup]Fail fast when workspace dirs cannot be created
[exec]Satisfy clippy lints in sandbox detection tests
Add voice schema to build_schema_map for validation
[voice]Auto-enable provider and share ElevenLabs key between TTS/STT
[voice]Align transcribing indicator right and fix recording delay
[voice-ui]Align mic state timing and preserve settings scroll
[chat-ui]Show reply medium badge in assistant footer
[sandbox]Create /home/sandbox directory in generated images
[sandbox]Create /home/sandbox at container startup via exec
[sandbox]Default working directory to /home/sandbox
[sandbox]Keep apt index in pre-built images
[gateway]Remove no-op or_else closure flagged by clippy
[ui]Bust Safari cache in dev mode and fix detected providers border
[tools]Handle empty session_name in process tool start action
[gateway]Validate config before restart to prevent crash loops
[gateway]Use YAML list for allowed-tools in seeded tmux skill
[gateway]Auto-enable ElevenLabs counterpart in onboarding voice test
[gateway]Persist empty assistant messages for LLM history coherence
[gateway]Remove separate voice-generating indicator during TTS
[gateway]Enable TTS counterpart when saving ElevenLabs/Google STT key
[gateway]Reconstruct tool messages in full context view
[gateway]Fix queued message detection and ordering
[gateway]Move queued messages to dedicated bottom tray
[gateway]Clear queued tray on session switch and add debug logs
[gateway]Never attach model footer or timestamp to user messages
[gateway]Prevent multi-move race in queued message tray
[gateway]Defer user message persist until after semaphore
[gateway]Move queued messages only after response is rendered
[tools]Fall back to DuckDuckGo when web_search API key is missing
[onboarding]Skip finish screen and redirect to chat directly
[ui]Rename Images nav item to Sandboxes
[ui]Revert API routes to /api/images, remove "live" status text
[cron]Skip heartbeat when no prompt configured, fix duplicate runs
[tools]Collapse nested if in location tool (clippy)
[gateway]Collapse nested if in ws timezone handling (clippy)
[agents]Make openai-codex token refresh async to prevent runtime panic
[gateway]Ensure session row exists before setting channel binding
Sync Cargo.lock with workspace version 0.3.1
[gateway]Use is_none_or instead of map_or for clippy
[sessions]Use blocking file lock to prevent concurrent write failures
Auto-sync Cargo.lock in local-validate.sh
[docker]Resolve deployment errors on DigitalOcean Docker containers
[install]Add missing -1 revision to .deb filename
[gateway]Show real IP in banner when bound to 0.0.0.0
[oauth]Downgrade missing token file log from warn to debug
[oauth]Downgrade routine token store logs to debug
[providers]Show model selector after OAuth in onboarding
[onboarding]Improve scroll padding in channel and summary steps
[gateway]Use route-specific body limit for upload endpoint
[gateway]Reduce global request body limit to 2 MB
[agents]Pass multimodal content to LLM providers instead of stripping images
[gateway]Unlock audio autoplay via AudioContext on user gesture
[tools]Instruct LLM to use lat/lon for searches, not place names
[tools]Use place names in map links and skip Brave when unconfigured
[tools]Block DuckDuckGo fallback for 1h after CAPTCHA
[voice]Add autoplay debug logging, stop audio on mic, Esc cancels
[ci]Move coverage job into CI workflow
[ci]Slim down coverage job to avoid disk space exhaustion
[ci]Exclude moltis-tools from coverage and drop sccache
Collapse nested if blocks per clippy
Collapse nested if blocks in provider_setup per clippy
[tools]Use if-let instead of is_some/unwrap in map test
Deny unwrap/expect in production code via clippy lints
[gateway]Mark boot_time test as ignored for CI coverage
[gateway]Fix session project filter and add clear all sessions
[gateway]Prevent layout shift from active session border
[gateway]Collapse nested if per clippy collapsible_if lint
[ci]Consolidate release uploads into single job
[gateway]Reactive session badge with optimistic updates
[gateway]Bump session badge for channel messages
[gateway]Stop auto-switching session on channel messages
[gateway]Broadcast session_cleared so /clear from channels syncs web UI
[voice]Add media-src to CSP for TTS playback and improve voice diagnostics
[auth]Clear setup_complete when last passkey is removed
[gateway]Bump session badge on every WS event
[gateway]Shrink passkey action buttons and hide danger zone when no auth configured
[ci]Align release clippy with nightly flags and fix test lints
[browser]Add lifecycle management for browser containers (#88)
[auth]Break onboarding redirect loop for non-local connections
[settings]Disable browser password autofill for env fields
[gateway]Reconnect WebSocket after remote onboarding auth
[docker]Bind 0.0.0.0 and expose CA cert port for TLS setup
[ci]Gate release builds on E2E tests and fix onboarding-auth flake
[ci]Gate release builds on E2E tests and fix onboarding-auth regex
[docker]Add chromium and demote codex token warning to debug
[scripts]Skip --all-features for clippy on macOS without CUDA
[scripts]Allow dirty working tree in local-only validation
[exec]Use host data dir when no container runtime is available
[onboarding]Update low memory warning message
[ui]Rename "provider" to "LLM" in navigation and headings
[gateway]Preserve chat stream event order
[auth]Enforce auth after passkey/password setup (#93)
[e2e]Make NoopChatService::clear() succeed and handle no-provider errors in tests
[config]Resolve lock reentrancy deadlock in update_config
[onboarding]Defer WS connection until auth completes
[config]Prevent SOUL.md re-seeding after explicit clear
[onboarding]Update test for save_soul empty-file behavior
[ci]Restore node cache hardening and gate on zizmor
[onboarding]Keep voice step visible in auth-gated flow
[gateway]Stabilize anthropic onboarding model selection
Pin deploy templates to explicit versions and auto-update on release (#98)
[ci]Sync workspace version in Docker build
[gateway]Update session preview immediately after clear
[onboarding]Persist selected llm models on continue
[agents]Cap tool-call IDs to OpenAI 40-char limit
[config]Isolate stale-key test from env overrides
[gateway]Include saveProviderKey extraction in provider-validation
[e2e]Handle pre-configured providers in onboarding tests
[gateway,tools]Fix sessions.patch camelCase, streaming artifacts, and host working dir
[tools]Gate macOS-only sandbox helpers with cfg to fix dead-code errors on Linux CI
[tools]Browser tool falls back to host when no container runtime
[agents]Add memory_save and memory-anchor hints to system prompt
[agents]Guide memory_save toward topic files to keep context lean
[gateway]Fix disabled button rendering and add validation progress hints
[gateway]Restore voicePending state on session reload
[tools]Is_sandboxed() returns false when no container runtime exists
[gateway]Constrain sandbox warnings to max-w-form width
[memory]Normalize embeddings base_url and add disable_rag mode (#147)
[gateway]Hide crons/heartbeat submenu when embedded in settings
[cron]Use data_dir for job storage instead of hardcoded ~/.clawdbot/cron
[plugins]Set working_dir on shell hooks so relative paths resolve correctly
[gateway]Improve onboarding and provider validation flows
[gateway]Allow openrouter model discovery without model id
[chat]Retry provider 429s across web and channel flows (#149)
[gateway]Queue channel replies per message with followup default (#150)
[onboarding]Restore saved model selection and stabilize Anthropic e2e
[tools]Harden apple container sandbox workdir bootstrap
[cron]Normalize shorthand cron tool inputs
[e2e]Avoid response listener race in sandboxes test
[chat]Compact based on next-request context pressure (#166)
[agents]Require explicit /sh for forced exec fallback (#161)
[map]Support show_map multipoints and grouped map links (#168)
[config]Make agent loop limit configurable and sync docs
[skills]Support marketplace skills[] repositories
[onboarding]Persist browser timezone and expose prompt today
[web-search]Make DuckDuckGo fallback opt-in
[gateway]Align show_map listing ratings to the right
[prompt]Clarify sandbox vs data_dir path semantics
[agents]Append runtime datetime at prompt tail
[web-search]Load runtime env keys and robustify brave parsing
[prompt]Preserve datetime tail ordering and add profile plan
[mcp]Strip internal metadata from MCP tool call arguments
[crons]Fix modal default validation and form reset on schedule change (#181)
[gateway]Deduplicate voice replies on Telegram channels (#173)
[browser]Centralize stale CDP connection detection (#172)
[browser]Enable profile persistence on Apple Container
[terminal]Force tmux window resize on client viewport change
[telegram]Default DM policy to allowlist for new channels
Update expired Discord invite link
[telegram]Dispatch voice messages with empty transcription to chat
[gateway]Broadcast voice audio filename over WebSocket for real-time playback
[voice]Improve voice reply prompt and audio player placement
[voice]Deliver TTS audio even when text was streamed
[tools]Don't register web_search tool when API key is missing
[agents]Don't emit regular text as ThinkingText when alongside tool calls
[gateway,telegram,voice]Correct web UI stuck on thinking dots, table rendering, and TTS
[telegram]Use vertical card layout for wide tables, deliver logbook for streamed voice
[telegram]Send activity logbook as raw HTML, not markdown
[e2e]Update share page nonce assertion after script externalization
[cli]Skip jemalloc on Windows
[gateway]Redirect plain HTTP to HTTPS on TLS port and optimize metrics SQLite
[agents]Register DeepSeek via OpenAI-compatible provider for tool support
[gateway]Sync cron modal signals when editing a job
[providers]Prefer subscription OAuth and expose Codex onboarding
[gateway]Surface insufficient_quota without retries
[voice]Reuse OpenAI LLM API key for TTS and STT providers (#198)
[ci]Only tag Docker image as latest for highest semver release (#211)
[e2e]Fix provider selector and onboarding voice step tests
[e2e]Use exact text match for onboarding provider row selection
[graphql]Fix session id type, missing ok fields, chat routing, and add session.active query (#218)
[cron]Document delivery fields in tool description and schema (#213)
Pass speaking_rate, pitch and speed from config to voice providers (#212)
[cli]Forward feature flags to moltis-web optional dependency
[gateway]Harden reverse-proxy tls and websocket handling (#230)
[cli]Skip jemalloc on linux/aarch64 (#229)
[gateway,web]Normalize service error mapping and nav expectations
[e2e]Rebuild gateway when startup binary is stale
[e2e]Harden session creation wait and anthro cargo env
[e2e]Handle no-provider chat state in agent specs
[e2e]Skip openclaw step in onboarding openai flow
[import]Resolve OpenClaw workspace from config and cross-machine paths
[openclaw-import]Collapse nested if chains for clippy
[docker]Use modern Docker CLI in published image (#238)
[web]Update qmd package references to @tobilu/qmd
[ci]Exclude swift-bridge from coverage and increase E2E poll timeout
[e2e]Match error code instead of localized message in full context tests
[gateway]Remove duplicate /certs/ca.pem route in start_gateway
[ci]Unblock clippy and macOS bridge wasm build
[oauth]Make OpenAI Codex callback port 1455 work in Docker (#258)
[tests]Accept restricted-host auto sandbox backend
[ios]Add missing .none case in NWTXTRecord switch
[web]Read DOM value in identity blur handlers to prevent stale closure skip
[ios]Add cancel button to connection banner for unreachable servers
[agents]Resolve clippy collapsible-if and expect-used lints
[ci]Add WASM component build step to all release jobs
[ci]Parallelize macOS app with release package builds
[release]Ship v0.10.2 packaging fixes
[sandbox]Make apple container keepalive portable (#269)
[local-llm]Combine compile-time and runtime Metal detection
[auth]Auto-detect new WebAuthn hosts and prompt passkey refresh (#268)
[web]Replace rg with grep in changelog guard and deduplicate passkey status refresh
[web]Lazy-load Shiki to prevent blocking page mount
[web]Fix Shiki highlighter init failures in E2E tests
[web]Make thinking stop button smaller with left spacing
[chat]Surface error when LLM returns empty response with zero tokens
[providers]Emit StreamEvent::Error on non-success finish_reason
[e2e]Make sandboxes container tests deterministic
[e2e]Replace remaining racy waitForResponse with route interceptors
[mcp]Make optional MCP tool params nullable to prevent empty string errors (#283)
[provider-setup]Reorder validation probes to prefer fast models (#280)
[sandbox]Resolve host gateway IP for Podman < 5.0 (#287)
[e2e]Fix flaky "deleting unmodified fork" test
[ci]Stale lockfile, missing Tailwind in macOS job, OAuth e2e setup
[ci]Use standalone Tailwind binary for macOS app job
[e2e]Fix OAuth token-exchange failure test and add error-context capture
[web]Auto-install node_modules in Tailwind build script
[web]Retry openclaw onboarding scan until ws is ready
[ci]Add Tailwind CSS build step to release workflow, Dockerfile, and snapcraft
[e2e]Wait for session history render before DOM injection in chat-abort
[ci]Harden tailwindcss cli downloads
[swift-bridge]Stabilize gateway migration and stream tests
[config]Support provider url alias for remote Ollama config (#299)
[ci]Make release dry-run job conditions valid
[providers]Use Ollama capabilities for tool support detection (#301)
[scripts]Roll back heavy local validation parallelism
[web]Skip npm install when TAILWINDCSS binary is provided
[ci]Update website/releases.json on release
[web]Add missing i18n button key for preferredModels
[local-llm]Use sampler API for mlx-lm >= 0.20
[gateway]Break redirect loop when onboarded but auth not configured (#310)
[gateway]Reduce idle CPU from metrics loop and log broadcast feedback
[gateway]Speed up startup by deferring tailscale and log scan
[gateway]Improve browser warmup integration
[scripts]Run local nextest with ci timeout profile
[ci]Build macOS app arm64 in fast path
[web]Move session history off websocket and cap payload size
[web]Use combo select for session header selectors
[web]Externalize SVG icons and restore empty-chat centering
[web]Align e2e with controls modal and daily model refresh
[ci]Stage wasm assets for cargo-deb packaging
[packaging]Use cli-relative web assets in cargo-deb
Install rustls CryptoProvider before channel startup (#336)
[ci,tools]Unblock dependabot and support wasmtime 36
[auth]Honor forwarded host for proxy session cookies
[config]Include tmux in default sandbox packages
[mdns]Use stable host label to avoid mDNSResponder conflict and double-.local suffix (#349)
[web]Prevent Enter key from triggering actions during IME composition (#341)
[biome]Update schema to 2.4.6 and move noUnusedExpressions to suspicious
[ci]Update biome version to 2.4.6 in CI workflows
[macos]Extract makeTextView to fix function body length lint violation
[providers]Report compatible client_version for Codex model discovery (#359)
[prompt]Omit sandbox/node info from runtime prompt when disabled (#362)
[web]Allow deleting cron sessions from chat sidebar (#357)
[chat]Skip duplicate text fallback when TTS disabled and voice streamed (#373)
[web]Break redirect loop when accessing via Tailscale Serve (#356)
Node WebSocket connection and UI connection string (#382)
[config]Write IDENTITY.md and SOUL.md to agents/main/ instead of root (#384)
[auth]Bypass auth for local API requests during onboarding (#386)
[whatsapp]Sled persistence, graceful shutdown, and review fixes (#387)
[cron]Add delay_ms to avoid LLM computing absolute timestamps (#377)
[gateway]Retain proxy shutdown sender to prevent immediate proxy exit (#368)
[agents]Include tool_result messages in LLM conversation history (#389)
[sandbox]Auto-detect host data dir for docker-in-docker (#396)
[chat]Compact the active channel session (#399)
[providers]Strip stop tokens from MLX streaming output (#397)
[config]Support legacy memory embedding keys (#400)
[web]Address installation feedback from user testing (#398)
[tools]Harden apple container bootstrap execs (#405)
[telegram]Strip HTML tags from plain fallback (#404)
[web]Clarify cron setup modal copy (#409)
[web]Keep onboarding accessible after auth reset (#415)
[web]Improve onboarding password autofill hints (#406)
[chat]Persist aborted partial history (#418)
[agents]Retry empty structured tool names (#410)
[tools]Make sandbox cfg gates consistent for cross-platform CI
[local-llm]Restore custom GGUF setup without restart (#417)
[browser]Scope cached browser sessions per chat (#412)
[browser]Align sandbox browserless timeout with pool lifecycle (#403)
[providers]Keep minimax system messages in history
[tools]Only expose exec node parameter when nodes are connected
[gateway]Address greptile review feedback
[gateway]Create heartbeat cron job on update when missing
[gateway]Address review feedback on heartbeat cron job creation
[agents]Sanitize model-mangled tool names from parallel calls
[agents]Pass sanitized tool name to hook dispatch
[agents]Add suffix-stripping invariant comment and functions_ edge case test
[mcp]Fix JS bugs in display name edit flow
[mcp]Add missing display_name field to doctor test structs
[mcp]Destructure props in renderServerName and send null for blank display_name
[tools]Replace hand-rolled html_to_text with html2text crate
[tools]Address PR review for html_to_text
[tools]Address second round of PR review
[tools]Collapse consecutive blank lines, fix doc comment
[sessions]Use write(true)+seek instead of append(true) for fd_lock on Windows
[release]Update conditions for jobs to handle dry-run scenarios correctly
[oauth]Use correct OpenAI client_id, add config layer and tests
[agents]Prefer tool-capable provider when tools are registered
[agents]Register builtin providers before genai to enable tool calling
[gateway]Auto-focus chat input on page load
[sessions]Add missing sandbox_enabled column migration, stop swallowing errors
[gateway]Move sandbox button next to model select, fix default state
Resolve all clippy warnings (collapsible_if, map_flatten, or_default, unused imports)
[gateway]Open nav panel by default
[gateway]Add session icons and replace spinner in-place
[gateway]Add missing renderCompactCard export to page-chat.js
[gateway]Fix routing, styling, and layout issues in JS modules
[telegram]Remove channel prefix from user messages and log LLM responses
[ci]Fix biome version and worktree test default branch
[ci]Restore biome version pin and fix cargo fmt
Update CLAUDE.md pre-commit checks and fix clippy warnings
[ci]Update setup-biome to v2.7.0 and fix sort_by_key clippy lint
[tests]Configure git user in worktree test setup for CI
Replace sort_by with sort_by_key in project store
[assets]Fix biome formatting and empty catch block in sandbox.js
[ui]Match settings nav item height and style to main navigation
[security]Wrap API keys in Secret<String> for memory subsystem
Use RecommendedCache for cross-platform watcher, sort_by_key for clippy
[hooks]Ignore broken pipe on stdin write when child doesn't read it
[ui]Show URL and query in web tool call cards
[sandbox]Restart stopped Apple containers in ensure_ready
[sandbox]Pass sleep infinity to Apple Container run
[sandbox]Promote exec routing and container logs to info level
[sandbox]Handle Apple Container inspect returning empty for nonexistent containers
[sandbox]Default working_dir to "/" when running inside container
[security]Reject cross-origin WebSocket upgrades (CSWSH protection)
[sandbox]Inject env vars in Apple Container backend
[exec]Redact env var values from command output
[exec]Redact base64 and hex encoded env var values from output
[config]Use correct defaults for ToolsConfig when not deserialized
[gateway]Nav badge counts and cron page instant load
[memory]Write memory files to data dir instead of cwd
[gateway]Eliminate identity flash on page load
[ui]Use consistent button class for skills Remove button
[ui]Fix skills Disable button style and add error feedback
[skills]Route disable to correct RPC for plugin-sourced skills
[ui]Use inline style for tailscale status green dot
[ui]Use status-dot connected class for tailscale green dot
[ui]Replace Tailwind arbitrary classes with inline styles in tailscale templates
[ui]Make tailscale status bar fit-content width
[ui]Make info-bar full width to match warning/error divs
[ui]Constrain info-bar to max-width 600px matching alert divs
[ui]Add alert-info-text to shared alert base styles
[ui]Add btn-row and btn-row-mt CSS classes for button spacing
[ui]Space cancel/create buttons apart and normalize height
[ui]Improve tailscale loading message to set expectations
[tailscale]Open Tailscale.app on macOS instead of running tailscale up
[ui]Preserve funnel security warning when rebuilding tailscale DOM
[ui]Use alert-warning-text style for funnel auth warning
[ui]Replace auth text with green button linking to security settings
[ui]Move auth button below the funnel security warning panel
[ui]Remove @layer components wrapper to fix nav specificity
[ui]Update session list after /clear and select next on delete
[ui]Format environment variable timestamps with luxon
[gateway]Stop echoing web UI messages to Telegram channel
Collapse nested if statements in config loader
[ci]Fix package build failures
[ci]Correct cargo-deb assets order
[local-llm]Detect available package managers for MLX install
[local-llm]Detect mlx-lm installed via brew
[ui]Show install commands on separate lines
[local-llm]Rename provider from local-gguf to local-llm
[local-llm]Fix HuggingFace API response parsing
[ui]Show searching state on HuggingFace search button
[ui]Close modal and prevent multiple clicks on HF model selection
[chat]Remove per-message tools warning broadcast
[ui]Remove scroll from local model list
[ci]Install cmake for llama.cpp build and fix Biome errors
[ci]Fix local-llm build in CI
[migrations]Use set_ignore_missing to allow multi-crate migrations
[cli]Run gateway migrations from db migrate command
[telegram]Don't delete channel from database on conflict
[gateway]Load images nav count async to avoid blocking page serve
[gateway]Replace branch icon, fix fork UX issues
Streaming tool calls, skill directory, skills page UX
[skills]Handle disable for personal/project skills
[skills]Use app modal for delete confirmation instead of system confirm()
[skills]Danger button on delete modal, fix disable routing for SkillsService
[graphql]Add skill_save to MockSkills trait impl
[gateway]Warm container_cli OnceLock at startup via spawn_blocking
[security]Prevent stored XSS via HTML inline and block script extensions
[e2e]Use correct event bus dispatch for send_document tests
[e2e]Use system-event RPC to dispatch tool events in send_document tests
[sandbox]Fix clippy CI failures on Linux
[sandbox]Gate apple-only tests with cfg(target_os = "macos")
[e2e]Mock slow sandbox APIs in container tests
[e2e]Make send_document icon test more robust on CI
[mcp]Address review feedback on is_alive and timeout field naming
[mcp]Reorder config update to write memory before disk
Add missing request_timeout_secs field and allow expect in test
[agents]Address PR review feedback for lazy tool registry
[e2e]Mock sandbox backend in container e2e tests
[e2e]Add afterEach unrouteAll to sandbox tests
[auth]Add Secure attribute to session cookie when TLS is active
[tools]Make sandbox off test explicit
[ci]Replace glslc with glslang-tools for Ubuntu 22.04
[providers]Address PR #408 review feedback
[ci]Install glslc from LunarG Vulkan SDK on Ubuntu 22.04
[whatsapp]Improve discoverability and debug logging (#460)
[whatsapp]Address PR review feedback
[channels]Redact secrets in channel config API responses
[channels]Address PR review feedback
[channels]Compute serialize_struct field counts dynamically
[providers]Update stale MiniMax context-window comment to include M2.7
[tools]Ignore exec node param when no nodes are connected (#427)
[tools]Error on configured default_node when disconnected, not silent fallthrough
[anthropic]Document system message merging for alternating-role constraint
[chat]Re-inject datetime in context-overflow retry path
[browser]Set world-writable permissions on container profile directory
[browser]Replace expect() with ? in test to satisfy clippy
[server]Support IPv6 bind addresses (#447)
[server]Address PR review feedback on IPv6 bind fix
[server]Include bind address in oauth error, assert address family in test
[import]Preserve config template comments during OpenClaw import
[import]Assert on import report in comment-preservation test
[httpd]Address greptile review findings on PR #465
Address second round of greptile review on PR #465
[node-host]Update systemd unit test for quoted ExecStart args
[web]Allow delete button on cron sessions
Address greptile review round 3 on PR #465
[httpd]Align metrics history window and cleanup interval with gateway
[providers]Address PR review — double-Done, missing ProviderRaw, URL normalization
[tools]Rescue stringified JSON and flat params in cron tool
[tools]Exclude "patch" and "job" from flat-param rescue keys
[ci]Replace non-existent glslc package with glslang-tools
[docker]Use Node 22 LTS via NodeSource, persist npm cache
[docker]Avoid silent curl failure, cache npx in container example
[docker]Use GPG key + apt source instead of NodeSource setup script
[docker]Ensure /etc/apt/keyrings exists before NodeSource GPG import
[web]Await event subscriptions before accepting broadcasts
[ci]Install vulkan-sdk from LunarG instead of Ubuntu's old libvulkan-dev
[dev]Make local checks OS-aware for LLM backends
[dev]Merge main and update OS-aware local-LLM checks
[dev]Address PR review feedback
[skills]Use slug as fallback when skill name fails validation
[skills]Address PR review feedback on slug fallback
[skills]Address second round of PR review feedback
[skills]Use tempdir in slug fallback error tests for isolation
[skills]Improve slug error messages and test isolation
[gateway]Suppress update banner for dev builds

Security

[ci]Add zizmor workflow security scan to deb-packages workflow (#8)
[skills]Add requirements system, spec compliance, and markdown rendering
[gateway]Add passkey/password auth, API key support, and protected API routes
Update README/CLAUDE.md, add From impl for SandboxConfig
[readme]Rewrite with introduction, quickstart, how-it-works, and security sections
[ui]Replace inline alert/width styles with CSS classes
[ui]Replace inline style with ml-2 class and add funnel security warning
[ui]Merge funnel security warning into auth warning banner
[ui]Split funnel warning into always-visible security text and conditional auth text
[ci]Add supply chain security and Docker documentation
[ci]Switch to Sigstore keyless signing for all artifacts
[ci]Require signed commits
[ci]Remove redundant signed commits workflow
Update repository URLs from penso/moltis to moltis-org/moltis
[security]Add cron rate limiting, job notifications, and fix method auth
[cli]Add moltis config check command
[ui]Add multi-step onboarding wizard at /onboarding
[ui]Hide auth banner during onboarding, show auth step for remote users
[telegram]OTP self-approval for non-allowlisted DM users
[tools]Add BrowserTool for LLM agents with documentation
[browser]Add security features and tools settings UI
Update CHANGELOG and browser-automation docs
Merge remote-tracking branch 'origin/main' into security-skills
[security]Add append-only skill security audit log
[security]Add third-party skills hardening guide
Merge remote-tracking branch 'origin/main' into security-skills
Unify plugins and skills into single system
Add voice services documentation
[gateway]Add logs download, compression, CORS security, and tower middleware stack
[onboarding]Add passkey as default auth option in security step
[cli]Add moltis doctor health check command
[hooks]Add BeforeLLMCall/AfterLLMCall hooks and nonce-based CSP
[gateway]Consolidate navigation into settings page
Gate workflows on zizmor security checks
[docs]Update Docker image references from penso/moltis to moltis-org/moltis
Keep security controls after auth reset on localhost
Unify localhost auth-disabled security warning
[tools]Add dangerous command blocklist as approval safety floor
[readme]Restructure with comparison matrix and crate architecture
[vault]Add encryption-at-rest vault for environment variables (#219)
[discord]Add Discord channel integration (#239)
[sandbox]Add Wasmtime WASM sandbox, Docker hardening, generic failover (#243)
[sandbox]Trusted network mode with domain-filtering proxy (#15)
[ios,courier]IOS companion app and APNS push relay (#248)
[macos]Wire settings UI to rust config backend (#267)
[channels]Shared channel webhook middleware pipeline (#290)
[nodes]Add multi-node support with device pairing, remote exec, and UI (#291)
[security]Add direct nginx websocket proxy example (#364)
[ci]Add zizmor workflow security scan to deb-packages workflow (#8)
[skills]Add requirements system, spec compliance, and markdown rendering
[gateway]Add passkey/password auth, API key support, and protected API routes
Update README/CLAUDE.md, add From impl for SandboxConfig
[readme]Rewrite with introduction, quickstart, how-it-works, and security sections
[ui]Replace inline alert/width styles with CSS classes
[ui]Replace inline style with ml-2 class and add funnel security warning
[ui]Merge funnel security warning into auth warning banner
[ui]Split funnel warning into always-visible security text and conditional auth text
[ci]Add supply chain security and Docker documentation
[ci]Switch to Sigstore keyless signing for all artifacts
[ci]Require signed commits
[ci]Remove redundant signed commits workflow
Update repository URLs from penso/moltis to moltis-org/moltis
[security]Add cron rate limiting, job notifications, and fix method auth
[tools]Add send_document tool for file sharing to channels

0.10.18 - 2026-03-09

Added

[gateway]Make provider discovery startup non-blocking
[monitoring]Track memory history and improve local-llm memory reporting (#325)
[ios]Add local llama cpp memory field to GraphQL schema
[providers]Include reasoning fields for kimi models (#323)
[chat]Tabs to filter chats between sessions and cron (#338)
[oauth]Support pasted callback URL fallback (#365)
[providers]Add reasoning effort support for models with extended thinking (#363)

Changed

Externalize web/wasm assets and reduce memory footprint (#321)
[web]Move chat history hydration to paged HTTP
[web]Paginate sessions and auto-load older history

Removed

[web]Remove nested onboarding scroll and restore settings nav icons
[web]Declutter chat controls and fix dropdown positioning

Fixed

[gateway]Speed up startup by deferring tailscale and log scan
[gateway]Improve browser warmup integration
[scripts]Run local nextest with ci timeout profile
[ci]Build macOS app arm64 in fast path
[web]Move session history off websocket and cap payload size
[web]Use combo select for session header selectors
[web]Externalize SVG icons and restore empty-chat centering
[web]Align e2e with controls modal and daily model refresh
[ci]Stage wasm assets for cargo-deb packaging
[packaging]Use cli-relative web assets in cargo-deb
Install rustls CryptoProvider before channel startup (#336)
[ci,tools]Unblock dependabot and support wasmtime 36
[auth]Honor forwarded host for proxy session cookies
[config]Include tmux in default sandbox packages
[mdns]Use stable host label to avoid mDNSResponder conflict and double-.local suffix (#349)
[web]Prevent Enter key from triggering actions during IME composition (#341)
[biome]Update schema to 2.4.6 and move noUnusedExpressions to suspicious
[ci]Update biome version to 2.4.6 in CI workflows
[macos]Extract makeTextView to fix function body length lint violation
[providers]Report compatible client_version for Codex model discovery (#359)
[prompt]Omit sandbox/node info from runtime prompt when disabled (#362)
[web]Allow deleting cron sessions from chat sidebar (#357)
[chat]Skip duplicate text fallback when TTS disabled and voice streamed (#373)
[web]Break redirect loop when accessing via Tailscale Serve (#356)

Security

[nodes]Add multi-node support with device pairing, remote exec, and UI (#291)
[security]Add direct nginx websocket proxy example (#364)

0.10.17 - 2026-03-05

Fixed

[config]Include tmux in default sandbox packages

0.10.16 - 2026-03-05

Fixed

[ci,tools]Unblock dependabot and support wasmtime 36
[auth]Honor forwarded host for proxy session cookies

0.10.15 - 2026-03-05

Fixed

Install rustls CryptoProvider before channel startup (#336)

0.10.14 - 2026-03-05

Fixed

[packaging]Use cli-relative web assets in cargo-deb

0.10.13 - 2026-03-04

Fixed

[ci]Stage wasm assets for cargo-deb packaging

0.10.12 - 2026-03-04

Added

[ci]Add release dry-run mode
[browser]Add container_host for Docker-in-Docker connectivity (#300)
[ios]Auto-discover server identity and show emojis (#297)
[website]Migrate cloudflare website into monorepo (#302)
[local-llm]Allow arbitrary HuggingFace model IDs for MLX models
[web,tools]AOT WASM pre-compilation and Shiki CDN loading
[cli]Remove wasm from default features to reduce memory
[gateway]Make provider discovery startup non-blocking
[monitoring]Track memory history and improve local-llm memory reporting (#325)
[ios]Add local llama cpp memory field to GraphQL schema

Changed

[web]Move settings nav icons from JS to CSS
Externalize web/wasm assets and reduce memory footprint (#321)
[web]Move chat history hydration to paged HTTP
[web]Paginate sessions and auto-load older history

Removed

[web]Remove nested onboarding scroll and restore settings nav icons
[web]Declutter chat controls and fix dropdown positioning

Fixed

[config]Support provider url alias for remote Ollama config (#299)
[ci]Make release dry-run job conditions valid
[providers]Use Ollama capabilities for tool support detection (#301)
[scripts]Roll back heavy local validation parallelism
[web]Skip npm install when TAILWINDCSS binary is provided
[ci]Update website/releases.json on release
[web]Add missing i18n button key for preferredModels
[local-llm]Use sampler API for mlx-lm >= 0.20
[gateway]Break redirect loop when onboarded but auth not configured (#310)
[gateway]Reduce idle CPU from metrics loop and log broadcast feedback
[gateway]Speed up startup by deferring tailscale and log scan
[gateway]Improve browser warmup integration
[scripts]Run local nextest with ci timeout profile
[ci]Build macOS app arm64 in fast path
[web]Move session history off websocket and cap payload size
[web]Use combo select for session header selectors
[web]Externalize SVG icons and restore empty-chat centering
[web]Align e2e with controls modal and daily model refresh

Security

[nodes]Add multi-node support with device pairing, remote exec, and UI (#291)

0.10.10 - 2026-03-02

Fixed

[swift-bridge]Stabilize gateway migration and stream tests

0.10.9 - 2026-03-02

Fixed

[ci]Harden tailwindcss cli downloads

0.10.8 - 2026-03-02

Changed

[gateway]Fetch updates from releases manifest instead of GitHub API

Fixed

[ci]Add Tailwind CSS build step to release workflow, Dockerfile, and snapcraft
[e2e]Wait for session history render before DOM injection in chat-abort

0.10.7 - 2026-03-02

Added

[sandbox]Add GitHub runner parity packages and enable corepack (#284)
[providers]Add first-class LM Studio provider (#286)
[agents]Enrich spawn_agent presets with identity, policies, memory (#271)
[web]Show running version at bottom of identity settings
[channels]Channel architecture phase 5, contract suites, and observability baseline (#289)

Changed

[channels]Registry-driven dispatch for cheap new channels (#277)

Fixed

[e2e]Make sandboxes container tests deterministic
[e2e]Replace remaining racy waitForResponse with route interceptors
[mcp]Make optional MCP tool params nullable to prevent empty string errors (#283)
[provider-setup]Reorder validation probes to prefer fast models (#280)
[sandbox]Resolve host gateway IP for Podman < 5.0 (#287)
[e2e]Fix flaky "deleting unmodified fork" test
[ci]Stale lockfile, missing Tailwind in macOS job, OAuth e2e setup
[ci]Use standalone Tailwind binary for macOS app job
[e2e]Fix OAuth token-exchange failure test and add error-context capture
[web]Auto-install node_modules in Tailwind build script
[web]Retry openclaw onboarding scan until ws is ready

Security

[macos]Wire settings UI to rust config backend (#267)
[channels]Shared channel webhook middleware pipeline (#290)

0.10.6 - 2026-03-01

Fixed

[web]Fix Shiki highlighter init failures in E2E tests
[web]Make thinking stop button smaller with left spacing
[chat]Surface error when LLM returns empty response with zero tokens
[providers]Emit StreamEvent::Error on non-success finish_reason

0.10.5 - 2026-03-01

Fixed

[web]Lazy-load Shiki to prevent blocking page mount

0.10.4 - 2026-03-01

Added

[web]Add Shiki syntax highlighting to code blocks

0.10.3 - 2026-03-01

Added

Add channel-aware heartbeat delivery and send_message agent tool (#270)
[memory]Add tree-sitter code splitter and RRF search merge

Changed

[ffi]Tighten unsafe_code allowances

Fixed

[sandbox]Make apple container keepalive portable (#269)
[local-llm]Combine compile-time and runtime Metal detection
[auth]Auto-detect new WebAuthn hosts and prompt passkey refresh (#268)
[web]Replace rg with grep in changelog guard and deduplicate passkey status refresh

0.10.2 - 2026-02-28

Added Changed Deprecated Removed Fixed

Release packaging now installs cross-compilation targets on the active nightly toolchain in the Homebrew binary job, fixing error[E0463]: can't find crate for core during macOS binary builds.
Docker release builds now copy apps/courier into the image build context so Cargo workspace metadata resolves correctly during WASM component builds.

Security

0.10.1 - 2026-02-28

Added Changed Deprecated Removed Fixed Security

0.10.0 - 2026-02-28

Added

Gemini first-class provider: Google Gemini is now registered via the OpenAI-compatible endpoint with native tool calling, vision/multimodal support, streaming, and model discovery. Replaces the previous genai-backed fallback that lacked tool support. Supports both GEMINI_API_KEY and GOOGLE_API_KEY environment variables
Podman sandbox backend — Podman as a first-class sandbox backend. Set backend = "podman" or let auto-detection prefer it over Docker (Apple Container → Podman → Docker → restricted-host). Uses the podman CLI directly (no socket compatibility needed)
Trusted network mode: sandbox containers now default to sandbox.network = "trusted", routing outbound traffic through an HTTP CONNECT proxy with full audit logging. When trusted_domains is empty (the default), all domains are allowed (audit-only mode); when configured, only listed domains pass without approval. Includes real-time network audit log with domain, protocol, and action filtering via Settings > Network Audit. Configurable via sandbox.trusted_domains in moltis.toml. Proxy env vars (HTTP_PROXY, HTTPS_PROXY, NO_PROXY) are now automatically injected into both Docker and Apple Container sandboxes, and the proxy binds to 0.0.0.0 so it is reachable from container VMs. The proxy rejects connections from non-private IPs (only loopback, RFC 1918, link-local, and CGNAT ranges are accepted)
New moltis-network-filter crate: domain filtering, proxy, and audit buffer logic extracted from moltis-tools and moltis-gateway into a standalone crate with feature flags (proxy, service, metrics). The macOS app can now depend on it directly for network audit log display via moltis-swift-bridge
macOS Network Audit pane: new Settings > Network Audit section with real-time log display, action filtering (allowed/denied), search, pause/resume, clipboard export, and JSONL download — matching the web UI pattern. New FFI callback moltis_set_network_audit_callback bridges Rust audit entries to Swift
Proxy-compliant HTTP tools: all HTTP tools (web_fetch, web_search, location, map) now route through the trusted-network proxy when active, so their traffic appears in the Network Audit log and respects domain filtering. The shared reqwest client is initialized with proxy config at gateway startup; web_fetch uses a per-tool proxy setting for its custom redirect-following client
Network policy rename: sandbox.network = "open" has been renamed to "bypass" to make explicit that traffic bypasses the proxy entirely (no audit logging)
Real WASM sandbox (wasm feature, default on) — Wasmtime + WASI sandbox with filesystem isolation, fuel metering, epoch-based timeouts, and ~20 built-in coreutils (echo, cat, ls, mkdir, rm, cp, mv, etc.). Two execution tiers: built-in commands operate on a sandboxed directory tree; .wasm modules run via Wasmtime with preopened dirs and captured I/O. Backend: "wasm" in config
Restricted-host sandbox — new "restricted-host" backend (extracted from the old WasmtimeSandbox) providing honest naming for what it does: env clearing, restricted PATH, and ulimit resource wrappers without containers or WASM. Always compiled (no feature gate)
Docker security hardening — containers now launch with --cap-drop ALL, --security-opt no-new-privileges, tmpfs mounts for /tmp and /run, and --read-only root filesystem for prebuilt images
Generic sandbox failover chain — auto-detection now tries Apple Container → Docker → Restricted Host. Failover uses restricted-host as the final fallback instead of NoSandbox
Discord channel integration via new moltis-discord crate using serenity Gateway API (persistent WebSocket, no public URL required). Supports DM and group messaging with allowlist/OTP gating, mention mode, guild allowlist, and 2000-char message chunking. Web UI: connect/edit/remove Discord bots in Settings > Channels and onboarding flow
Discord reply-to-message support: set reply_to_message = true to have the bot send responses as Discord threaded replies to the user's message
Discord ack reactions: set ack_reaction = "👀" to add an emoji reaction while processing (removed on completion)
Discord bot token import from OpenClaw installations during onboarding (both flat and multi-account configs)
Discord bot presence/activity: configure activity, activity_type (playing/listening/watching/competing/custom), and status (online/idle/dnd/invisible) in bot config
Discord OTP self-approval for DMs: non-allowlisted users receive a 6-digit challenge code (visible in web UI) to self-approve access, matching Telegram's existing OTP flow
Discord native slash commands: /new, /clear, /compact, /context, /model, /sessions, /agent, /help registered as Discord application commands with ephemeral responses
OTP module moved from moltis-telegram to shared moltis-channels crate for cross-platform reuse
Real-time session sync between macOS app and web UI via SessionEventBus (tokio::sync::broadcast). Sessions created, deleted, or patched in one UI instantly appear in the other. New FFI callback moltis_set_session_event_callback and WebSocket "session" events for create/delete/fork operations.
Swift bridge: persistent session storage via FFI — moltis_list_sessions, moltis_switch_session, moltis_create_session, moltis_session_chat_stream functions backed by JSONL files and shared SQLite metadata (moltis.db) across all UIs (macOS app, web, TUI)
Internationalization (i18n): web UI now supports runtime language switching via i18next with English and French locales. Error codes use structured constants with locale-aware error messages across API handlers, terminal, chat, and environment routes. Onboarding step labels, navigation buttons, and page strings use translation keys (t() calls)
Vault UI: recovery key display during onboarding password setup, vault status/unlock controls in Settings > Security, encrypted/plaintext badges on environment variables
Encryption-at-rest vault (vault feature, default on) — environment variables are encrypted with XChaCha20-Poly1305 AEAD using Argon2id-derived keys. Vault is initialized on first password setup and auto-unsealed on login. Recovery key provided at initialization for emergency access. API: /api/auth/vault/status, /api/auth/vault/unlock, /api/auth/vault/recovery
send_image tool for sending local image files (PNG, JPEG, GIF, WebP) to channel targets like Telegram, with optional caption support
GraphQL API at /graphql (GET serves GraphiQL playground and WebSocket subscriptions, POST handles queries/mutations) exposing all RPC methods as typed operations
New moltis-graphql crate with queries, mutations, subscriptions, custom Json scalar, and ServiceCaller trait abstraction
New moltis-providers crate that owns provider integrations and model registry/catalog logic (OpenAI, Anthropic, OpenAI-compatible, OpenAI Codex, GitHub Copilot, Kimi Code, local GGUF, local LLM)
graphql feature flag (default on) in gateway and CLI crates for compile-time opt-out
Settings > GraphQL page embedding GraphiQL playground at /settings/graphql
Gateway startup now seeds a built-in dcg-guard hook in ~/.moltis/hooks/dcg-guard/ (manifest + handler), so destructive command guarding is available out of the box once dcg is installed
Swift embedding POC scaffold with a new moltis-swift-bridge static library crate, XcodeGen YAML project (apps/macos/project.yml), and SwiftLint wiring for SwiftUI frontend code quality
New moltis-openclaw-import crate for detecting OpenClaw installations and selectively importing identity, providers, skills, memory files, Telegram channels, sessions, and MCP servers
New onboarding RPC methods: openclaw.detect, openclaw.scan, and openclaw.import
New moltis import CLI commands (detect, all, select) with --dry-run and --json output options
Onboarding now includes a conditional OpenClaw Import step with category selection, import execution, and detailed per-category results/TODO reporting
Settings now includes an OpenClaw Import section (shown only when OpenClaw is detected) for scan-and-import workflows after onboarding
Microsoft Teams channel integration via new moltis-msteams plugin crate with webhook ingress and OAuth client-credentials outbound messaging
Teams channel management in the web UI (add/edit/remove accounts, sender review, session/channel badges)
Guided Teams bootstrap tooling via moltis channels teams bootstrap plus an in-UI endpoint generator in Settings → Channels
Multi-agent personas with per-agent workspaces (data_dir()/agents/<id>/), agents.* RPC methods, and session-level agent_id binding/switching across web + Telegram flows
chat.peek RPC method returning real-time session state (active flag, thinking text, active tool calls) for any session key
Active tool call tracking per-session in LiveChatService with camelCase-serialized ActiveToolCall structs
Web UI: inline red "Stop" button inside thinking indicator, aborted broadcast handler that cleans up streaming state
Channel commands: /peek (shows thinking text and active tool calls) and /stop (aborts active generation)

Changed

Crate restructure: gateway crate reduced from ~42K to ~29K lines by extracting moltis-chat (chat engine, agent orchestration), moltis-auth (password + passkey auth), moltis-tls (TLS/HTTPS termination), moltis-service-traits (shared service interfaces), and moving share rendering into moltis-web
Provider wiring now routes through moltis-providers instead of moltis-agents::providers, and local LLM feature flags (local-llm, local-llm-cuda, local-llm-metal) now resolve via moltis-providers
Voice now auto-selects the first configured TTS/STT provider when no explicit

provider is set.

Default voice template/settings now favor OpenAI TTS and Whisper STT in

onboarding-ready configs.

Updated the dcg-guard example hook docs and handler behavior to gracefully no-op when dcg is missing, instead of hard-failing
Automatic model/provider selection now prefers subscription-backed providers (OpenAI Codex, GitHub Copilot) ahead of API-key providers, while still honoring explicit model priorities
GraphQL gateway now builds its schema once at startup and reuses it for HTTP and WebSocket requests
GraphQL resolvers now share common RPC helper macros and use typed response objects for node.describe, voice.config, voice.voxtral_requirements, skills.security_status, skills.security_scan, and memory.config
GraphQL logs.ack mutation now matches backend behavior and no longer takes an ids argument
Gateway startup diagnostics now report OpenClaw detection status and pass detection state to web gon data for conditional UI rendering
Gateway and CLI now enable the openclaw-import feature in default builds
Providers now support stream_transport = "sse" | "websocket" | "auto" in config. OpenAI can stream via Responses API WebSocket mode, and auto falls back to SSE when WebSocket setup is unavailable.
Agent Identity emoji picker now includes 🐰 🐹 🦀 🦞 🦝 🦭 🧠 🧭 options
Added architecture docs for a native Swift UI app embedding Moltis Rust core through a C FFI bridge (docs/src/native-swift-embedding.md)
Channel persistence and message-log queries are now channel-type scoped (channel_type + account_id) so Telegram and Teams accounts can share the same account IDs safely
Chat/system prompt resolution is now agent-aware, loading IDENTITY.md, SOUL.md, MEMORY.md, AGENTS.md, and TOOLS.md from the active session agent workspace with backward-compatible fallbacks
Memory tool operations and compaction memory writes are now agent-scoped, preventing cross-agent memory leakage during search/read/write flows
Default sandbox package set now includes golang-go, and pre-built sandbox images install the latest gog (steipete/gogcli) as gog and gogcli
Sandbox config now supports /home/sandbox persistence strategies (off, session, shared), with shared as the default and a shared host folder mounted from data_dir()/sandbox/home/shared
Settings → Sandboxes now includes shared-home controls (enabled + folder path), and sandbox config supports tools.exec.sandbox.shared_home_dir for custom shared persistence location

Deprecated Removed Fixed

OpenAI Codex OAuth in Docker: the web UI no longer overrides the provider's pre-registered redirect_uri, which caused OpenAI to reject the authorization request with unknown_error. The OAuth callback server now also respects the gateway bind address (0.0.0.0 in Docker) so the callback port (1455) is reachable from the host. Docker image now exposes port 1455 for OAuth callbacks (#207)
Slow SQLite writes: moltis.db and memory.db now use journal_mode=WAL and synchronous=NORMAL (matching metrics.db), eliminating multi-second write contention that caused 3–10 s INSERT times under concurrent access
Channel image delivery now parses the actual MIME type from data URIs instead of hardcoding image/png
Docker image now installs Docker CLI from Docker’s official Debian repository (docker-ce-cli), avoiding API mismatches with newer host daemons during sandbox builds/exec
Chat UI now shows a first-run sandbox preparation status message before container/image setup begins, so startup delays are visible while sandbox resources are created
OpenAI TTS and Whisper STT now correctly reuse OpenAI credentials from

voice config, OPENAI_API_KEY, or the LLM OpenAI provider config.

Voice provider parsing now accepts openai-tts and google-tts aliases

sent by the web UI.

Chat welcome card is now hidden as soon as the thinking indicator appears.
Onboarding summary loading state now keeps modal sizing stable with a

centered spinner.

Onboarding voice provider rows now use a dedicated needs-key badge class and styling, with E2E coverage to verify the badge pill rendering
OpenAI Codex OAuth token handling now preserves account context across refreshes and resolves ChatGPT-Account-Id from additional JWT/auth.json shapes to avoid auth failures with Max-style OAuth flows
Onboarding/provider setup now surfaces subscription OAuth providers (OpenAI Codex, GitHub Copilot) as configured when local OAuth tokens are present, even if they are omitted from providers.offered
GraphQL WebSocket upgrade detection now accepts clients that provide Upgrade/Sec-WebSocket-Key without Connection: upgrade
GraphQL channel and memory status bridges now return schema-compatible shapes for channels.status, channels.list, and memory.status
Provider errors with insufficient_quota now surface as explicit quota/billing failures (with the upstream message) instead of generic retrying/rate-limit behavior
Linux aarch64 builds now skip jemalloc to prevent startup aborts on 16 KiB page-size kernels (for example Raspberry Pi 5 Debian images)
Gateway startup now blocks the common reverse-proxy TLS mismatch (MOLTIS_BEHIND_PROXY=true with Moltis TLS enabled) and explains using --no-tls; HTTPS-upstream proxy setups can explicitly opt in with MOLTIS_ALLOW_TLS_BEHIND_PROXY=true
WebSocket same-origin checks now accept proxy deployments that rewrite Host by using X-Forwarded-Host in proxy mode, and treat implicit :443/:80 as equivalent to default ports

Security

0.9.10 - 2026-02-21

Added Changed Deprecated Removed Fixed Security

0.9.9 - 2026-02-21

Added Changed Deprecated Removed Fixed Security

0.9.8 - 2026-02-21

Added Changed Deprecated Removed Fixed Security

0.9.7 - 2026-02-20

Added Changed Deprecated Removed Fixed Security

0.9.6 - 2026-02-20

Added

Cron jobs can now deliver agent turn output to Telegram channels via the deliver, channel, and to payload fields

Changed Deprecated Removed Fixed

Accessing http:// on the HTTPS port now returns a 301 redirect to https:// instead of a garbled TLS handshake page
SQLite metrics store now uses WAL journal mode and synchronous=NORMAL to fix slow INSERT times (1-3s) on Docker/WSL2

Security

0.9.5 - 2026-02-20

Added Changed Deprecated Removed Fixed

Skip jemalloc on Windows (platform-specific dependency gate)

Security

0.9.4 - 2026-02-20

Added Changed Deprecated Removed Fixed Security

0.9.3 - 2026-02-20

Added Changed Deprecated Removed Fixed Security

0.9.2 - 2026-02-20

Added

Event-driven heartbeat wake system: cron jobs can now trigger immediate

heartbeat runs via a wakeMode field ("now" or "nextHeartbeat").

System events queue: in-memory bounded buffer that collects events (exec

completions, cron triggers) and drains them into the heartbeat prompt so the agent sees what happened while it was idle.

Exec completion callback: command executions automatically enqueue a summary

event and wake the heartbeat, giving the agent real-time awareness of background task results.

Changed Deprecated Removed Fixed Security

0.9.1 - 2026-02-19

Added

lightweight feature profile for memory-constrained devices (Raspberry Pi, etc.)

with only essential features: jemalloc, tls, web-ui.

jemalloc allocator behind jemalloc feature flag for lower memory fragmentation.
Configurable history_points (metrics) and log_buffer_size (server) settings

to tune in-memory buffer sizes.

Persistent browser profiles: cookies, auth state, and local storage now persist

across sessions by default. Disable with persist_profile = false in [tools.browser], or set a custom path with profile_dir. (#162)

Added examples/docker-compose.coolify.yml plus Docker/cloud deploy docs for

self-hosted Coolify (e.g. Hetzner), including reverse-proxy defaults and Docker socket mount guidance for sandboxed exec support.

Markdown and ANSI table rendering in chat messages.
Provider-aware show_map links for multi-provider map display.
Session history caching with visual switch loader for faster session

transitions.

Changed

MetricsHistory default reduced from 60,480 to 360 points (~170x less memory).
LogBuffer default reduced from 10,000 to 1,000 entries.
Shared reqwest::Client singleton in moltis-agents and moltis-tools replaces

per-call client creation, saving connection pools and TLS session caches.

WebSocket client channels changed from unbounded to bounded (512), adding

backpressure for slow consumers.

Release profile: panic = "abort" and codegen-units = 1 for smaller binaries.

Deprecated Removed Fixed

Onboarding identity save now captures browser timezone and persists it to

USER.md via user_timezone, so first-run profile setup records the user's timezone alongside their name.

Runtime prompt host metadata now prefers user/browser timezone over server

local fallback and includes an explicit today=YYYY-MM-DD field so models can reliably reason about the user's current date.

Skills installation now supports Claude marketplace repos that define skills

directly via .claude-plugin/marketplace.json plugins[].skills[] paths (for example anthropics/skills), including loading SKILL.md entries under skills/* and exposing them through the existing plugin-skill workflow.

Web search no longer falls back to DuckDuckGo by default when search API keys

are missing, avoiding repeated CAPTCHA failures; fallback is now opt-in via tools.web.search.duckduckgo_fallback = true.

Terminal: force tmux window resize on client viewport change to prevent

stale dimensions after reconnect.

Browser: profile persistence now works correctly on Apple Container

(macOS containerized sandbox).

Browser: centralized stale CDP connection detection prevents ghost browser

sessions from accumulating. (#172)

Gateway: deduplicate voice replies on Telegram channels to prevent echo

loops. (#173)

Cron job editor: fix modal default validation and form reset when switching

schedule type. (#181)

MCP: strip internal metadata from tool call arguments before forwarding to

MCP servers.

Web search: load runtime env keys and improve Brave search response

parsing robustness.

Prompt: clarify sandbox vs data_dir path semantics in system prompts.
Gateway: align show_map listing ratings to the right for consistent

layout.

Security

0.9.0 - 2026-02-17

Added

Settings > Cron job editor now supports per-job LLM model selection and

execution target selection (host or sandbox), including optional sandbox image override when sandbox execution is selected.

Changed

Configuration documentation examples now match the current schema

([server], [identity], [tools], [hooks.hooks], [mcp.servers.<name>], and [channels.telegram.<account>]), including updated provider and local-LLM snippets.

Deprecated Removed Fixed

Agent loop iteration limit is now configurable via

tools.agent_max_iterations in moltis.toml (default 25) instead of being hardcoded at runtime.

Security

0.8.38 - 2026-02-17

Added

show_map now supports multi-point maps via points[], rendering all

destinations in one screenshot with auto-fit zoom/centering, while keeping legacy single-point fields for backward compatibility.

Telegram channel reply streaming via edit-in-place updates, with per-account

stream_mode gating so off keeps the classic final-message delivery path.

Telegram per-account stream_notify_on_complete option to send a final

non-silent completion message after edit-in-place streaming finishes.

Telegram per-account stream_min_initial_chars option (default 30) to

delay the first streamed message until enough text has accumulated.

Changed Deprecated Removed Fixed Security

0.8.37 - 2026-02-17

Added

Settings > Terminal now includes tmux window tabs for the managed

moltis-host-terminal session, plus a + Tab action to create new tmux windows from the UI.

New terminal window APIs: GET /api/terminal/windows and

POST /api/terminal/windows to list and create host tmux windows.

Host terminal websocket now supports ?window=<id|index> targeting and

returns activeWindowId in the ready payload.

Changed

Web chat now supports /sh command mode: entering /sh toggles a dedicated

command input state, command sends are automatically prefixed with /sh, and the token bar shows effective execution route (sandboxed vs host) plus prompt symbol (# for root, $ for non-root).

Settings > Terminal now polls tmux windows and updates tabs automatically,

so windows created inside tmux (for example Ctrl-b c) appear in the web UI.

Host terminal tmux integration now uses a dedicated tmux socket and applies

a Moltis-friendly profile (status off, mouse off, stable window naming).

Settings > Terminal subtitle now omits the prompt symbol hint so it does not

show stale $/# information after privilege changes inside the shell.

Deprecated Removed Fixed

Apple Container sandbox startup now pins --workdir /tmp, bootstraps

/home/sandbox before sleep infinity, and uses explicit exec workdirs to avoid WORKDIR chdir failures when image metadata directories are missing.

Cron tool job creation/update now accepts common shorthand schedule/payload

shapes (including cron expression strings) and normalizes them before validation, reducing model-side schema mismatch failures.

Force-exec fallback now triggers only for explicit /sh ... input (including

/sh@bot ...), preventing casual chat messages like hey from being treated as shell commands while still allowing normal model-driven exec tool use.

Tool-mode system prompt guidance is now conversation-first and documents the

/sh explicit shell prefix.

Chat auto-compaction now uses estimated next-request prompt tokens (current

context pressure) instead of cumulative session token totals, and chat context UI now separates cumulative usage from current/estimated request context.

Settings > Terminal tab switching now uses in-band tmux window switching over

the active websocket, reducing redraw/cursor corruption when switching between tmux windows (including fullscreen apps like vim).

Host terminal tmux attach now resets window sizing to auto (resize-window -A)

to prevent stale oversized window dimensions across reconnects.

Settings > Terminal tmux window polling now continues after tab switches, so

windows closed with Ctrl-D are removed from the tab strip automatically.

Settings > Terminal now recovers from stale ?window= reconnect targets

after a tmux window is closed, attaching to the current window instead of getting stuck in a reconnect loop.

Settings > Terminal host PTY output is now transported as raw bytes

(base64-encoded over websocket) instead of UTF-8-decoded text, fixing rendering/control-sequence corruption in full-screen terminal apps like vim.

Settings > Terminal now force-syncs terminal size on connect/window switch so

newly created tmux windows attach at full viewport size instead of a smaller default geometry.

Settings > Terminal now ignores OSC color/palette mutation sequences from

full-screen apps to avoid invisible-text redraw glitches when switching tmux tabs (notably seen with vim).

Settings > Terminal now re-sends forced resize updates during a short

post-connect settle window, fixing initial page-reload cases where tmux windows stayed at stale dimensions until a manual tab switch.

Security

0.8.36 - 2026-02-16

Added

OAuth 2.1 support for remote MCP servers — automatic discovery (RFC 9728/8414), dynamic client registration (RFC 7591), PKCE authorization code flow, and Bearer token injection with 401 retry
McpOAuthOverride config option for servers that don't implement standard OAuth discovery
mcp.reauth RPC method to manually trigger re-authentication for a server
Persistent storage of dynamic client registrations at ~/.config/moltis/mcp_oauth_registrations.json
SSRF allowlist: tools.web.fetch.ssrf_allowlist config field to exempt trusted

CIDR ranges from SSRF blocking, enabling Docker inter-container networking.

Memory config: add memory.disable_rag to force keyword-only memory search while keeping markdown indexing and memory tools enabled
Generic OpenAI-compatible provider support: connect any OpenAI-compatible endpoint via the provider setup UI, with domain-derived naming (custom- prefix), model auto-discovery, and full model selection

Changed Deprecated Removed Fixed

Telegram queued replies: route channel reply targets per queued message so

chat.message_queue_mode = "followup" delivers replies one-by-one instead of collapsing queued channel replies into a single batch delivery.

Queue mode default: make one-by-one replay (followup) explicit as the

ChatConfig default, with config-level tests to prevent regressions.

MCP OAuth dynamic registration now uses the exact loopback callback URI selected for the current auth flow, improving compatibility with providers that require strict redirect URI matching (for example Linear).
MCP manager now applies [mcp.servers.<name>.oauth] override settings when building the OAuth provider for SSE servers.
Streamable HTTP MCP transport now persists and reuses Mcp-Session-Id, parses text/event-stream responses, and sends best-effort DELETE on shutdown to close server sessions.
MCP docs/config examples now use the current table-based config shape and /mcp endpoint examples for remote servers.
Memory embeddings endpoint composition now avoids duplicated path segments like /v1/v1/embeddings and accepts base URLs ending in host-only, /v1, versioned paths (for example /v4), or /embeddings

Security

0.8.35 - 2026-02-15

Added

Add memory target routing guidance to memory_save prompt hint — core facts go to MEMORY.md, everything else to memory/<topic>.md to keep context lean

Changed Deprecated Removed Fixed Security

0.8.34 - 2026-02-15

Added

Add explicit memory_save hint in system prompt so weaker models (MiniMax, etc.) call the tool when asked to remember something
Add anchor text after memory content so models don't ignore known facts when memory_search returns empty
Add zai to default offered providers in config template

Changed Deprecated Removed Fixed Security

0.8.33 - 2026-02-15

Added Changed Deprecated Removed Fixed

CI: remove unnecessary std::path:: qualification in gateway server flagged

by nightly clippy.

Security

0.8.32 - 2026-02-15

Added Changed Deprecated Removed Fixed

CI: gate macOS-only sandbox helper functions with #[cfg] to fix dead-code

errors on Linux CI.

Security

0.8.31 - 2026-02-15

Added

Sandbox toggle notification: when the sandbox is enabled or disabled

mid-session, a system message is injected into the conversation history so the LLM knows the execution environment changed. A chat notice also appears in the UI immediately.

Config [env] section: environment variables defined in [env] in

moltis.toml are injected into the Moltis process at startup. This makes API keys (Brave, OpenRouter, etc.) available to features that read from std::env::var(). Process env vars (docker -e, host env) take precedence. Closes #107.

Browser auto-detection and install: automatically detect all installed

Chromium-family browsers (Chrome, Chromium, Edge, Brave, Opera, Vivaldi, Arc) and auto-install via the system package manager when none is found. Requests can specify a preferred browser ("browser": "brave") or let the system pick the first available one.

Z.AI provider: add Z.AI (Zhipu) as an OpenAI-compatible provider with

static model catalog (GLM-5, GLM-4.7, GLM-4.6, GLM-4.5 series) and dynamic model discovery via /models endpoint. Supports tool calling, streaming, vision (GLM-4.6V/4.5V), and reasoning content.

Running Containers panel: the Settings > Sandboxes page now shows a

"Running Containers" section listing all moltis-managed containers with live state (running/stopped/exited), backend type (Apple Container/Docker), resource info, and Stop/Delete actions. Includes disk usage display (container/image counts, sizes, reclaimable space) and a "Clean All" button to stop and remove all stale containers at once.

Startup container GC: the gateway now automatically removes orphaned

session containers on startup, preventing disk space accumulation from crashed or interrupted sessions.

Download full context as JSONL: the full context panel now has a

"Download" button that exports the conversation (including raw LLM responses) as a timestamped .jsonl file.

Sandbox images in cached images list: the Settings > Images page

now merges sandbox-built images into the cached images list so all container images are visible in one place.

Changed

Sandbox image identity: image tags now use SHA-256 instead of

DefaultHasher for deterministic, cross-run hashing of base image + packages.

Deprecated Removed Fixed

Thinking indicator lost on reload: reloading the page while the model

was generating no longer loses the "thinking" dots. The backend now includes replying state in sessions.list and sessions.switch RPC responses so the frontend can restore the indicator after a full page reload.

Thinking text restored after reload: reloading the page during extended

thinking (reasoning) now restores the accumulated thinking text instead of showing only bouncing dots. The backend tracks thinking text per session and returns it in the sessions.switch response.

Apple Container recovery: simplify container recovery to a single flat

retry loop (3 attempts max, down from up to 24). Name rotation now only triggers on AlreadyExists errors, preventing orphan containers. Added notFound error matching so exec readiness probes retry correctly. Diagnostic info (running container count, service health, container logs) is now included in failure messages. Detect stale Virtualization.framework state (NSPOSIXErrorDomain EINVAL) and automatically restart the daemon (container system stop && container system start) before retrying; bail with a clear remediation message only if automatic restart fails. Exec-level recovery retries reduced from 3 to 1.

Ghost Apple Containers: failed container deletions are now tracked

in a zombie set and filtered from list output, preventing stale entries from reappearing in the Running Containers panel.

Container action errors preserved: failed delete/clean/restart

operations now surface the original error message to the UI instead of silently swallowing it.

Usage parsing across OpenAI-compatible providers: token counts now

handle Anthropic-style (input_tokens/output_tokens), camelCase variants, cache token fields, and multiple response nesting structures across diverse providers.

Think tag whitespace: leading whitespace after </think> close

tags is now stripped, preventing extra blank lines in streamed output.

Token bar visible at zero: the token usage bar no longer disappears

when all counts are zero; it stays visible as a baseline indicator.

Security

0.8.30 - 2026-02-15

Added Changed

Assistant reasoning persistence: conversation reasoning is now persisted

in assistant messages and shared snapshots so resumed sessions retain reasoning context instead of dropping it after refresh/share operations.

Deprecated Removed Fixed Security

0.8.29 - 2026-02-14

Added

Memory bootstrap: inject MEMORY.md content directly into the system

prompt (truncated at 20,000 chars) so the agent always has core memory available without needing to call memory_search first. Matches OpenClaw's bootstrap behavior

Memory save tool: new memory_save tool lets the LLM write to long-term

memory files (MEMORY.md or memory/<name>.md) with append/overwrite modes and immediate re-indexing for search

Changed

Memory writing: MemoryManager now implements the MemoryWriter trait

directly, unifying read and write paths behind a single manager. The silent memory turn and MemorySaveTool both delegate to the manager, which handles path validation, size limits, and automatic re-indexing after writes

Deprecated Removed Fixed

Memory file watcher: the file watcher now covers MEMORY.md at the data

directory root, which was previously excluded because the filter only matched directories

Security

0.8.28 - 2026-02-14

Added Changed

Browser sandbox resolution: BrowserTool now resolves sandbox mode

directly from SandboxRouter instead of relying on a _sandbox flag injected via tool call params.

Deprecated Removed Fixed

E2E onboarding failures: Fixed missing saveProviderKey export in

provider-validation.js that was accidentally left unstaged in the DRY refactoring commit.

Security

0.8.27 - 2026-02-14

Added Changed

DRY voice/identity/channel utils: Extracted shared RPC wrappers and

validation helpers from onboarding-view.js and page-settings.js / page-channels.js into dedicated voice-utils.js, identity-utils.js, and channel-utils.js modules.

Deprecated Removed Fixed

Config test env isolation: Fixed spurious

save_config_to_path_removes_stale_keys_when_values_are_cleared test failure caused by MOLTIS_IDENTITY__NAME environment variable leaking into the test via apply_env_overrides.

Security

0.8.26 - 2026-02-14

Added

Rustls/OpenSSL migration roadmap: Added

plans/2026-02-14-rustls-migration-and-openssl-reduction.md with a staged plan to reduce OpenSSL coupling, isolate feature gates, and move default TLS networking paths toward rustls.

Changed Deprecated Removed Fixed

Windows release build reliability: The .exe release workflow now forces

Strawberry Perl (OPENSSL_SRC_PERL/PERL) so vendored OpenSSL builds do not fail due to missing Git Bash Perl modules.

OpenAI tool-call ID length: Remap tool-call IDs that exceed OpenAI's

40-character limit during message serialization, and generate shorter synthetic IDs in the agent runner to prevent API errors.

Onboarding credential persistence: Provider credentials are now saved

before opening model selection during onboarding, aligning behavior with the Settings > LLM flow.

Security

0.8.25 - 2026-02-14

Added Changed Deprecated Removed Fixed Security

0.8.24 - 2026-02-13

Added Changed Deprecated Removed Fixed Security

0.8.23 - 2026-02-13

Added

Multi-select preferred models per provider: The LLMs page now has a

"Preferred Models" button per provider that opens a multi-select modal. Selected models are pinned at the top of the session model dropdown. New providers.save_models RPC accepts multiple model IDs at once.

Multi-select model picker in onboarding: The onboarding provider step now

uses a multi-select model picker matching the Settings LLMs page. Toggle models on/off, see per-model probe status badges, and batch-save with a single Save button. Previously-saved preferred models are pre-selected when re-opening the model selector.

Changed

Model discovery uses DiscoveredModel struct: Replaced (String, String)

tuples with a typed DiscoveredModel struct across all providers (OpenAI, GitHub Copilot, OpenAI Codex). The struct carries an optional created_at timestamp from the /v1/models API, enabling discovered models to be sorted newest-first. Preferred/configured models remain pinned at the top.

Removed OpenAI-specific model name filtering from discovery: The

/v1/models response is no longer filtered by OpenAI naming conventions (gpt-*, o1, etc.). All valid model IDs from any provider are now accepted. This fixes model discovery for third-party providers like Moonshot whose model IDs don't follow OpenAI naming.

Disabled automatic model probe at startup: The background chat

completion probe that checked which models are supported is now triggered on-demand by the web UI instead of running automatically 2 seconds after startup. With dynamic model discovery, the startup probe was expensive and noisy (non-chat models like image, audio, and video would log spurious warnings).

Model test uses streaming for faster feedback: The "Testing..."

probe when selecting a model now uses streaming and returns on the first token instead of waiting for a full non-streaming response. Timeout reduced from 20s to 10s.

Chosen models merge with config-defined priority: Models selected

via the UI are prepended to the saved models list and merged with config-defined preferred models, so both sources contribute to ordering.

Dynamic cross-provider priority list: The model dropdown priority

is now a shared Arc<RwLock<Vec<String>>> updated at runtime when models are saved, instead of a static HashMap built once at startup.

Replaced hardcoded Ollama checks with keyOptional metadata: JS

files no longer check provider.name === "ollama" for behavior. Instead, the backend exposes a keyOptional field on provider metadata, making the UI provider-agnostic.

Fixed

Settings UI env vars now available process-wide: environment variables

set via Settings > Environment were previously only injected into sandbox commands. They are now also injected into the Moltis process at startup, making them available to web search, embeddings, and provider API calls.

0.8.14 - 2026-02-11

Security

Disconnect all WS clients on credential change: WebSocket connections

opened before auth setup are now disconnected when credentials change (password set/changed, passkey registered during setup, auth reset, last credential removed). An auth.credentials_changed event notifies browsers to redirect to /login. Existing sessions are also invalidated on password change for defense-in-depth.

Fixed

Onboarding test for SOUL.md clear behavior: Fixed identity_update_partial

test to match the new empty-file behavior from v0.8.13.

0.8.13 - 2026-02-11

Added

Auto-create SOUL.md on first run: SOUL.md is now seeded with the

default soul text when the file doesn't exist, mirroring how moltis.toml is auto-created. If deleted, it re-seeds on next load.

Fixed

SOUL.md clear via settings: Clearing the soul textarea in settings no

longer re-creates the default on the next load. An explicit clear now writes an empty file to distinguish "user cleared soul" from "file never existed".

Onboarding WS connection timing: Deferred WebSocket connection until

authentication completes, preventing connection failures during onboarding.

Changed

Passkey auth preselection: Onboarding now preselects the passkey

authentication method when a passkey is already registered.

Moonshot provider: Added Moonshot to the default offered providers list.

0.8.12 - 2026-02-11

Fixed

E2E test CI stability: NoopChatService::clear() now returns Ok instead

of an error when no LLM providers are configured, fixing 5 e2e test failures in CI environments. Hardened websocket, chat-input, and onboarding-auth e2e tests against startup race conditions and flaky selectors.

0.8.8 - 2026-02-11

Changed

Sessions sidebar layout: Removed the top Sessions title row and moved

the new-session + action next to the session search field for a more compact list header.

Identity autosave UX: Name fields in Settings > Identity now autosave on

input blur, matching the quick-save behavior used for emoji selection.

Favicon behavior by browser: Identity emoji changes now update favicon

live; Safari-specific reload guidance is shown only when Safari is detected.

Page title format: Browser title now uses the configured assistant name

only, without appending AI assistant suffix text.

0.8.7 - 2026-02-11

Added

Model allowlist probe output support: Model allowlist matching now handles

provider probe output more robustly and applies stricter matching semantics.

Ship helper command: Added a just ship task and scripts/ship-pr.sh

helper to streamline commit, push, PR update, and local validation workflows.

Changed

Gateway titles and labels: Login/onboarding page titles now consistently

use configured values and identity emoji; UI copy now labels providers as LLM where appropriate.

Release binary profile: Enabled ThinLTO and binary stripping in the

release profile to reduce artifact size.

SPA route handling: Centralized SPA route definitions and preserved TOML

comments during config updates.

Fixed

Auth setup hardening: Enforced authentication immediately after password

or passkey setup to prevent unintended post-setup unauthenticated access.

Streaming event ordering: Preserved gateway chat stream event ordering to

avoid out-of-order UI updates during streaming responses.

Sandbox fallback pathing: Exec fallback now uses the host data directory

when no container runtime is available.

0.8.6 - 2026-02-11

Changed

Release workflow gates E2E tests: Build Packages workflow now runs E2E

tests and blocks all package builds (deb, rpm, arch, AppImage, snap, Homebrew, Docker) if they fail.

Added

XML tag stripping: Strip internal XML tags from LLM responses to prevent

tag leakage in chat (thinking, reasoning, scratchpad, etc.)

Runtime model metadata: Fetch model metadata from provider APIs for

accurate context window detection during auto-compaction

Run detail UI: Panel showing tool calls and message flow for agent runs,

accessible via expandable button on assistant messages

Fixed

Docker TLS setup: All Docker examples now expose port 13132 for CA

certificate download with instructions to trust the self-signed cert, fixing HTTPS access in Safari and other strict browsers.

E2E onboarding-auth test: The auth Playwright project's testMatch

regex /auth\.spec/ also matched onboarding-auth.spec.js, causing it to run against the default gateway (wrong server) instead of the onboarding-auth gateway. Tightened regex to /\/auth\.spec/.

0.8.5 - 2026-02-11

Added

CLI --version flag: moltis --version now prints the version.
Askama HTML rendering: SPA index and social metadata templates use

Askama instead of string replacement.

Fixed

WebSocket reconnect after remote onboarding auth: Connection now

reconnects immediately after auth setup instead of waiting for the backoff timer, fixing "WebSocket not connected" errors during identity save.

Passkeys on Fly.io: Auto-detect WebAuthn RP ID from FLY_APP_NAME

environment variable (constructs {app}.fly.dev).

PaaS proxy detection: Added explicit MOLTIS_BEHIND_PROXY=true to

render.yaml and fly.toml so auth middleware reliably detects remote connections behind the platform's reverse proxy.

WebAuthn origin scheme on PaaS: Non-localhost RP IDs now default to

https:// origin since PaaS platforms terminate TLS at the proxy.

Security

Compaction prompt injection hardening: Session compaction now passes

typed ChatMessage objects to the summarizer LLM instead of concatenated {role}: {content} text, preventing role-spoofing prompt injection where user content could mimic role prefixes (similar to GHSA-g8p2-7wf7-98mq).

0.8.4 - 2026-02-11

Changed

Session delete UX: Forked sessions with no new messages beyond the fork

point are deleted immediately without a confirmation dialog.

Fixed

Localhost passkey compatibility: Gateway startup URLs and TLS redirect

hints now use localhost for loopback hosts, while WebAuthn also allows moltis.localhost as an additional origin when RP ID is localhost.

0.8.3 - 2026-02-11

Fixed

Linux clippy unused_mut failure: Fixed a target-specific unused_mut

warning in browser stale-container cleanup that failed release clippy on Linux with -D warnings.

0.8.2 - 2026-02-11

Fixed

Release clippy environment parity: The release workflow clippy job now

runs in the same CUDA-capable environment as main CI, includes the llama source git bootstrap step, and installs rustfmt alongside clippy. This fixes release clippy failures caused by missing CUDA toolchain/runtime.

0.8.1 - 2026-02-11

Fixed

Clippy validation parity: Unified local validation, CI (main), and

release workflows to use the same clippy command and flags (--workspace --all-features --all-targets --timings -D warnings), which prevents release-only clippy failures from command drift.

0.8.0 - 2026-02-11

Added

Instance-scoped container naming: Browser and sandbox container/image

prefixes now derive from the configured instance name, so multiple Moltis instances do not collide.

Changed

Stale container cleanup targeting: Startup cleanup now removes only

containers that belong to the active instance prefix instead of sweeping unrelated containers.

Apple container runtime probing: Browser container backend checks now use

the modern Apple container CLI flow (container image pull --help) without legacy fallback behavior.

Fixed

Release workflow artifacts: Disabled docker build record artifact uploads

in release CI to avoid release workflow failures from missing artifact paths.

Release preflight consistency: Pinned nightly toolchain and aligned

release preflight checks with CI formatting/lint gates.

0.7.1 - 2026-02-11

Fixed

Release format gate: Included missing Rust formatting updates in release

history so the release workflow cargo fmt --all -- --check passes for tagged builds.

0.7.0 - 2026-02-11

Added

HTTP endpoint throttling: Added gateway-level per-IP rate limits for

login (/api/auth/login), auth API routes, general API routes, and WebSocket upgrades, with 429 responses, Retry-After headers, and JSON retry_after_seconds.

Login retry UX: The login page now disables the password Sign In button

while throttled and shows a live Retry in Xs countdown.

Changed

Auth-aware throttling policy: IP throttling is now bypassed when auth is

not required for the current request (authenticated requests, auth-disabled mode, and local Tier-2 setup mode). This keeps brute-force protection for unauthenticated/auth-required traffic while avoiding localhost friction.

Login error copy: During throttled login retries, the error message stays

static while the retry countdown is shown only on the button.

Documentation

Added throttling/security notes to README.md, docs/src/index.md,

docs/src/authentication.md, and docs/src/security.md.

0.6.1 - 2026-02-10

Fixed

Release clippy: Aligned release workflow clippy command with nightly

flags (-Z unstable-options, --timings).

Test lint attributes: Fixed useless outer #[allow] on test module

use statement; replaced .unwrap() with .expect() in auth route tests.

0.6.0 - 2026-02-10

Added

CalDAV integration: New moltis-caldav crate providing calendar CRUD

operations (list calendars, list/create/update/delete events) via the CalDAV protocol. Supports Fastmail, iCloud, and generic CalDAV servers with multi-account configuration under [caldav.accounts.<name>]. Enabled by default via the caldav feature flag.

BeforeLLMCall / AfterLLMCall hooks: New modifying hook events that fire

before sending prompts to the LLM provider and after receiving responses (before tool execution). Enables prompt injection filtering, PII redaction, and response auditing via shell hooks.

Config template: The generated moltis.toml template now lists all 17

hook events with correct PascalCase names and one-line descriptions.

Hook event validation: moltis config check now warns on unknown hook

event names in the config file.

Authentication docs: Comprehensive docs/src/authentication.md with

decision matrix, credential types, API key scopes, session endpoints, and WebSocket auth documentation.

Fixed

Browser container lifecycle: Browser containers (browserless/chrome)

now have proper lifecycle management — periodic cleanup removes idle instances every 30 seconds, graceful shutdown stops all containers on Ctrl+C, and sessions.clear_all immediately closes all browser sessions. A Drop safety net ensures containers are stopped even on unexpected exits.

Changed

Unified auth gate: All auth decision logic is now in a single

check_auth() function called by one auth_gate middleware. This fixes the split-brain bug where passkey-only setups (no password) were treated differently by 4 out of 5 auth code paths — the middleware used is_setup_complete() (correct) while the others used has_password() (incorrect for passkey-only setups).

Hooks documentation: Rewritten docs/src/hooks.md with complete event

reference, corrected ToolResultPersist classification (modifying, not read-only), and new "Prompt Injection Filtering" section with examples.

Logs level filter UI: Settings -> Logs now shows DEBUG/TRACE level

options only when they are enabled by the active tracing filter (including target-specific directives). Default view remains INFO and above.

Logs level filter control: Settings -> Logs now uses the same combo

dropdown pattern as the chat model selector for consistent UX.

Branch favicon contrast: Non-main branches now use a high-contrast purple

favicon variant so branch sessions are visually distinct from main.

Security

Content-Security-Policy header: HTML pages now include a nonce-based CSP

header (script-src 'self' 'nonce-<UUID>'), preventing inline script injection (XSS defense-in-depth). The OAuth callback page also gets a restrictive CSP.

Passkey-only auth fix: Fixed authentication bypass where passkey-only

setups (without a password) would incorrectly allow unauthenticated access on local connections, because the has_password() check returned false even though is_setup_complete() was true.

0.5.0 - 2026-02-09

Added

moltis doctor command: Comprehensive health check that validates config,

audits security (file permissions, API keys in config), checks directory and database health, verifies provider readiness (API keys via config or env vars), inspects TLS certificates, and validates MCP server commands on PATH.

Security

npm install --ignore-scripts: Skill dependency installation now passes

--ignore-scripts to npm, preventing supply chain attacks via malicious postinstall scripts in npm packages.

API key scope enforcement: API keys with empty/no scopes are now denied

access instead of silently receiving full admin privileges. Keys must specify at least one scope explicitly (least-privilege by default).

0.4.1 - 2026-02-09

Fixed

Clippy lint in map test: Replace is_some()/unwrap() with if let Some to

fix clippy::unnecessary_unwrap that broke the v0.4.0 release build.

0.4.0 - 2026-02-09

Added

Auto-import external OAuth tokens: At startup, auto-detected provider

tokens (e.g. Codex CLI ~/.codex/auth.json) are imported into the central oauth_tokens.json store so users can manage all providers from the UI.

Passkey onboarding: The security setup step now offers passkey registration

(Touch ID, Face ID, security keys) as the recommended default, with password as a fallback option.

providers.validate_key RPC method: Test provider credentials without

saving them — builds a temporary registry, probes with a "ping" message, and returns validation status with available models.

providers.save_model RPC method: Save the preferred model for any

configured provider without changing credentials.

models.test RPC method: Test a single model from the live registry with

a real LLM request before committing to it.

Model selection for auto-detected providers: The Providers settings page

now shows a "Select Model" button for providers that have available models but no preferred model set. This lets users pick their favorite model for auto-detected providers (e.g. OpenAI Codex detected from ~/.codex/auth.json).

show_map tool: New LLM-callable tool that composes a static map image

from OSM tiles with red/blue marker pins (destination + user location), plus clickable links to Google Maps, Apple Maps, and OpenStreetMap. Supports user_latitude/user_longitude to show both positions with auto-zoom. Solves the "I can't share links" problem in voice mode.

Location precision modes: The get_user_location tool now accepts a

precision parameter — "precise" (GPS-level, default) for nearby places and directions, or "coarse" (city-level, faster) for flights, weather, and time zones. The LLM picks the appropriate mode based on the user's query.

Changed

Show "No LLM Providers Connected" card instead of welcome greeting when no

providers are configured.

Onboarding provider setup: Credentials are now validated before saving.

After successful validation, a model selector shows available models for the provider. The selected model is tested with a real request before completing setup. Clear error messages are shown for common failures (invalid API key, rate limits, connection issues).

Settings provider setup: The main Providers settings page now uses the

same validate-first flow as onboarding. Credentials are validated before saving (bad keys are never persisted), a model selector appears after validation, and OAuth flows show model selection after authentication.

Fixed

Docker RAM detection: Fall back to /proc/meminfo when sysinfo returns

0 bytes for memory inside Docker/cgroup environments.

MLX model suggested on Linux: Use backend-aware model suggestion so MLX

models are only suggested on Apple Silicon, not on Linux servers.

Host package provisioning noise: Skip apt-get when running as non-root

with no passwordless sudo, instead of failing with permission denied warnings.

Browser image pull without runtime: Guard browser container image pull to

skip when no usable container runtime is available (backend = "none").

OAuth token store logging: Replace silent .ok()? chains with explicit

warn!/info! logging in TokenStore load/save/delete for diagnosability.

Provider warning noise: Downgrade "tokens not found" log from warn! to

debug! for unconfigured providers (GitHub Copilot, OpenAI Codex).

models.detect_supported noise: Downgrade UNAVAILABLE RPC errors from

warn! to debug! since they indicate expected "not ready yet" states.

0.3.8 - 2026-02-09

Changed

Release CI parallelization: Split clippy and test into separate parallel

jobs in the release workflow for faster feedback on GitHub-hosted runners.

Fixed

CodSpeed workflow zizmor audit: Pinned CodSpeedHQ/action@v4 to commit

SHA to satisfy zizmor's unpinned-uses audit.

0.3.7 - 2026-02-09

Fixed

Clippy warnings: Fixed MutexGuard held across await in telegram

test, field assignment outside initializer in provider setup test, and items after test module in gateway services.

0.3.6 - 2026-02-09

Fixed

Release CI zizmor audit: Removed rust-cache from the release workflow's

clippy-test job entirely instead of using save-if: false, which zizmor does not recognize as a cache-poisoning mitigation.

0.3.5 - 2026-02-09

Fixed

Release CI cache-poisoning: Set save-if: false on rust-cache in the

release workflow to satisfy zizmor's cache-poisoning audit for tag-triggered workflows that publish artifacts.

0.3.4 - 2026-02-09

Fixed

Session file lock contention: Replaced non-blocking try_write() with

blocking write() in SessionStore::append() and replace_history() so concurrent tool-result persists wait for the file lock instead of failing with EAGAIN (OS error 35).

Changed

Release CI quality gates: The Build Packages workflow now runs biome,

format, clippy, and test checks before building any packages, ensuring code correctness before artifacts are produced.

0.3.3 - 2026-02-09

Fixed

OpenAI Codex token refresh panic: Made get_valid_token() async to fix

block_on inside async runtime panic when refreshing expired OAuth tokens.

Channel session binding: Ensure session row exists before setting channel

binding, fixing get_user_location failures on first Telegram message.

Cargo.lock sync: Lock file now matches workspace version.

0.3.0 - 2026-02-08

Added

Silent replies: The system prompt instructs the LLM to return an empty

response when tool output speaks for itself, suppressing empty chat bubbles, push notifications, and channel replies. Empty assistant messages are not persisted to session history.

Persist TTS audio to session media: When TTS is enabled and the reply

medium is voice, the server generates TTS audio, saves it to the session media directory, and includes the media path in the persisted assistant message. On session reload the frontend renders an <audio> player from the media API instead of re-generating audio via RPC.

Per-session media directory: Screenshots from the browser tool are now

persisted to sessions/media/<key>/ and served via GET /api/sessions/:key/media/:filename. Session history reload renders screenshots from the API instead of losing them. Media files are cleaned up when a session is deleted.

Process tool for interactive terminal sessions: New process tool lets

the LLM manage interactive/TUI programs (htop, vim, REPLs, etc.) via tmux sessions inside the sandbox. Supports start, poll, send_keys, paste, kill, and list actions. Includes a built-in tmux skill with usage instructions.

Runtime host+sandbox prompt context: Chat system prompts now include a

## Runtime section with host details (hostname, OS, arch, shell, provider, model, session, sudo non-interactive capability) and exec sandbox details (enabled state, mode, backend, scope, image, workspace mount, network policy, session override). Tool-mode prompts also add routing guidance so the agent asks before requesting host installs or changing sandbox mode.

Telegram location sharing: Telegram channels now support receiving shared

locations and live location updates. Live locations are tracked until they expire or the user stops sharing.

Telegram reply threading: Telegram channel replies now use

reply_to_message_id to thread responses under the original user message, keeping conversations visually grouped in the chat.

get_user_location tool: New browser-based geolocation tool lets the LLM

request the user's current coordinates via the Geolocation API, with a permission prompt in the UI.

sandbox_packages tool: New tool for on-demand package discovery inside

the sandbox, allowing the LLM to query available and installable packages at runtime.

Sandbox package expansions: Pre-built sandbox images now include expanded

package groups — GIS/OpenStreetMap, document/office/search, image/audio/media/data-processing, and communication packages. Mise is also available for runtime version management.

Queued message UI: When a message is submitted while the LLM is already

responding, it is shown in a dedicated bottom tray with cancel support. Queued messages are moved into the conversation only after the current response finishes rendering.

Full context view: New "Context" button in the chat header opens a panel

showing the full LLM messages array sent to the provider, with a Copy button for easy debugging.

Browser timezone auto-detection: The gateway now auto-detects the user's

timezone from the browser via Intl.DateTimeFormat and includes it in session context, removing the need for manual timezone configuration.

Logs download: New Download button on the logs page streams the JSONL log

file via GET /api/logs/download with gzip/zstd compression.

Gateway middleware hardening: Consolidated middleware into

apply_middleware_stack() with security and observability layers:

Replace allow_origin(Any) with dynamic host-based CORS validation

reusing the WebSocket CSWSH is_same_origin logic, safe for Docker/cloud deployments with unknown hostnames

CatchPanicLayer to convert handler panics to 500 responses
RequestBodyLimitLayer (16 MiB) to prevent memory exhaustion
SetSensitiveHeadersLayer to redact Authorization/Cookie in traces
Security response headers (X-Content-Type-Options, X-Frame-Options,

Referrer-Policy)

SetRequestIdLayer + PropagateRequestIdLayer for x-request-id

correlation across HTTP request logs

zstd compression alongside gzip for better ratios

Message run tracking: Persisted messages now carry run_id and seq

fields for parent/child linking across multi-turn tool runs, plus a client-side sequence number for ordering diagnostics.

Cache token metrics: Provider responses now populate cache-hit and

cache-miss token counters in the metrics subsystem.

Changed

Provider auto-detection observability: When no explicit provider settings are present in moltis.toml, startup now logs each auto-detected provider with its source (env, config file key, OAuth token file, provider key file, or Codex auth file). Added server.http_request_logs (Axum HTTP traces) and server.ws_request_logs (WebSocket RPC request/response traces) config options (both default false) for on-demand transport debugging without code changes.
Dynamic OpenAI Codex model catalog: OpenAI Codex providers now load model IDs from https://chatgpt.com/backend-api/codex/models at startup (with fallback defaults), and the gateway refreshes Codex models hourly so long-running sessions pick up newly available models (for example gpt-5.3) without restart.
Model availability probing UX: Model support probing now runs in parallel with bounded concurrency, starts automatically after provider connect/startup, and streams live progress (start/progress/complete) over WebSocket so the Providers page can render a progress bar.
Provider-scoped probing on connect: Connecting a provider from the Providers UI now probes only that provider's models (instead of all providers), reducing noise and startup load when adding accounts one by one.
Configurable model ordering: Added chat.priority_models in moltis.toml to pin preferred models at the top of model selectors without rebuilding. Runtime model selectors (models.list, chat model dropdown, Telegram /model) hide unsupported models, while Providers diagnostics continue to show full catalog entries (including unsupported flags).
Configurable provider offerings in UI: Added [providers] offered = [...] allowlist in moltis.toml to control which providers are shown in onboarding/provider-picker UI. New config templates default this to ["openai", "github-copilot"]; setting offered = [] shows all known providers. Configured providers remain visible for management.

Fixed

Web search DuckDuckGo fallback: When no search API key (Brave or

Perplexity) is configured, web_search now automatically falls back to DuckDuckGo HTML search instead of returning an error and forcing the LLM to ask the user about using the browser.

Web onboarding flash and redirect timing: The web server now performs onboarding redirects before rendering the main app shell. When onboarding is incomplete, non-onboarding routes redirect directly to /onboarding; once onboarding is complete, /onboarding redirects back to /. The onboarding route now serves a dedicated onboarding HTML/JS entry instead of the full app bundle, preventing duplicate bootstrap/navigation flashes in Safari.
Local model cache path visibility: Startup logs for local LLM providers now explicitly print the model cache directory and cached model IDs, making MOLTIS_DATA_DIR behavior easier to verify without noisy model-catalog output.
Kimi device-flow OAuth in web UI: Kimi OAuth now uses provider-specific headers and prefers verification_uri_complete (or synthesizes ?user_code= fallback) so mobile-device sign-in links no longer fail with missing user_code.
Kimi Code provider authentication compatibility: kimi-code is now API-key-first in the web UI (KIMI_API_KEY, default base URL https://api.moonshot.ai/v1), while still honoring previously stored OAuth tokens for backward compatibility. Provider errors now include a targeted hint to switch to API-key auth when Kimi returns access_terminated_error.
Provider setup success feedback: API-key provider setup now runs an immediate model probe after saving credentials. The onboarding and Providers modal only show success when at least one model validates, and otherwise display a validation failure message instead of a false-positive "configured" state.
Heartbeat/cron duplicate runs: Skip heartbeat LLM turn when no prompt is

configured, and fix duplicate cron job executions that could fire the same scheduled run twice.

Onboarding finish screen removed: Onboarding now skips the final

"congratulations" screen and redirects straight to the chat view.

User message footer leak: Model name footer and timestamp are no longer

incorrectly attached to user messages in the chat UI.

TTS counterpart auto-enable on STT save: Saving an ElevenLabs or Google

Cloud STT key now automatically enables the matching TTS provider, mirroring the onboarding voice-test behavior.

Voice-generating indicator removed: The separate "voice generating"

spinner during TTS playback has been removed in favor of the unified response indicator.

Config restart crash loop prevention: The gateway now validates the

configuration file before restarting, returning an error to the UI instead of entering a crash loop when the config is invalid.

Safari dev-mode cache busting: Development mode now busts the Safari

asset cache on reload, and fixes a missing border on detected-provider cards.

Refactored

McpManager lock consolidation: Replaced per-field RwLocks in

McpManager with a single RwLock<McpManagerInner> to reduce lock contention and simplify state management.

GatewayState lock consolidation: Replaced per-field RwLocks in

GatewayState with a single RwLock<GatewayInner> for the same reasons.

Typed chat broadcast payloads: Chat WebSocket broadcasts now use typed

Rust structs instead of ad-hoc serde_json::Value maps.

Documentation

Expanded default SOUL.md with the full OpenClaw reference text for agent

personality bootstrapping.

0.2.9 - 2026-02-08

Added

Voice provider policy controls: Added provider-list allowlists so config templates and runtime voice setup can explicitly limit shown/allowed TTS and STT providers.
Typed voice provider metadata: Expanded voice provider metadata and preference handling to use typed flows across gateway and UI paths.

Changed

Reply medium preference handling: Chat now prefers the same reply medium when possible and falls back to text when a medium cannot be preserved.

Fixed

Chat UI reply badge visibility: Assistant footer now reliably shows the selected reply medium badge.
Voice UX polish: Improved microphone timing behavior and preserved settings scroll state in voice configuration views.

0.2.8 - 2026-02-07

Changed

Unified plugins and skills into a single system: Plugins and skills were separate

systems with duplicate code, manifests, and UI pages. They are now merged into one unified "Skills" system. All installed repos (SKILL.md, Claude Code .claude-plugin/, Codex) are managed through a single skills-manifest.json and installed-skills/ directory. The /plugins page has been removed — everything is accessible from the /skills page. A one-time startup migration automatically moves data from the old plugins manifest and directory into the new unified location.

Default config template voice list narrowed: New generated configs now include a

[voice] section with provider-list allowlists limited to ElevenLabs for TTS and Mistral + ElevenLabs for STT.

Fixed

Update checker repository configuration: The update checker now reads

server.update_repository_url from moltis.toml, defaults new configs to https://github.com/moltis-org/moltis, and treats an omitted/commented value as explicitly disabled.

Mistral and other providers rejecting requests with HTTP 422: Session metadata fields

(created_at, model, provider, inputTokens, outputTokens) were leaking into provider API request bodies. Mistral's strict validation rejected the extra created_at field. Replaced Vec<serde_json::Value> with a typed ChatMessage enum in the LlmProvider trait — metadata can no longer leak because the type only contains LLM-relevant fields (role, content, tool_calls). Conversion from persisted JSON happens once at the gateway boundary via values_to_chat_messages().

Chat skill creation not persisting new skills: Runtime tool filtering incorrectly

applied the union of discovered skill allowed_tools to all chat turns, which could hide create_skill/update_skill and leave only a subset (for example web_fetch). Chat runs now use configured tool policy for runtime filtering without globally restricting tools based on discovered skill metadata.

Added

Voice Provider Management UI: Configure TTS and STT providers from Settings > Voice
Auto-detection of API keys from environment variables and LLM provider configs
Toggle switches to enable/disable providers without removing configuration
Local binary detection for whisper.cpp, piper, and sherpa-onnx
Server availability checks for Coqui TTS and Voxtral Local
Setup instructions modal for local provider installation
Shared Google Cloud API key between TTS and STT
Voice provider UI allowlists: Added voice.tts.providers and voice.stt.providers

config lists to control which TTS/STT providers are shown in the Settings UI. Empty lists keep current behavior and show all providers.

New TTS Providers:
Google Cloud Text-to-Speech (380+ voices, 50+ languages)
Piper (fast local neural TTS, runs offline)
Coqui TTS (high-quality neural TTS with voice cloning)

New STT Providers:
ElevenLabs Scribe (90+ languages, word timestamps, speaker diarization)
Mistral AI Voxtral (cloud-based, 13 languages)
Voxtral Local via vLLM (self-hosted with OpenAI-compatible API)

Browser Sandbox Mode: Run browser in isolated Docker containers for security
Automatic container lifecycle management
Uses browserless/chrome image by default (configurable via sandbox_image)
Container readiness detection via HTTP endpoint probing
Browser sandbox mode automatically follows the session's sandbox mode

(no separate browser.sandbox config - sandboxed sessions use sandboxed browser)

Memory-Based Browser Pool Limits: Browser instances now limited by system memory
max_instances = 0 (default) allows unlimited instances, limited only by memory
memory_limit_percent = 90 blocks new instances when system memory exceeds threshold
Idle browsers cleaned up automatically before blocking
Set max_instances > 0 for hard limit if preferred

Automatic Browser Session Tracking: Browser tool automatically reuses sessions
Session ID is tracked internally and injected when LLM doesn't provide one
Prevents pool exhaustion from LLMs forgetting to pass session_id
Session cleared on explicit "close" action

HiDPI Screenshot Support: Screenshots scale correctly on Retina displays
device_scale_factor config (default: 2.0) for high-DPI rendering
Screenshot display in UI scales according to device pixel ratio
Viewport increased to 2560×1440 for sharper captures

Enhanced Screenshot Lightbox:
Scrollable container for viewing long/tall screenshots
Download button at top of lightbox
Visible ✕ close button instead of text hint
Proper scaling for HiDPI displays

Telegram Screenshot Support: Browser screenshots sent to Telegram channels
Automatic retry as document when image dimensions exceed Telegram limits
Error messages sent to channel when screenshot delivery fails
Handles PHOTO_INVALID_DIMENSIONS and PHOTO_SAVE_FILE_INVALID errors

Telegram Tool Status Notifications: See what's happening during long operations
Tool execution messages sent to Telegram (e.g., "🌐 Navigating to...",

"💻 Running: git status", "📸 Taking screenshot...")

Messages sent silently (no notification sound) to avoid spam
Typing indicator automatically re-sent after status messages
Supports browser, exec, web_fetch, web_search, and memory tools

Log Target Display: Logs now include the crate/module path for easier debugging
Example: INFO moltis_gateway::chat: tool execution succeeded tool=browser

Contributor docs: local validation: Added documentation for the ./scripts/local-validate.sh workflow, including published local status contexts, platform behavior, and CI fallback expectations.
Hooks Web UI: New /hooks page to manage lifecycle hooks from the browser
View all discovered hooks with eligibility status, source, and events
Enable/disable hooks without removing files (persisted across restarts)
Edit HOOK.md content in a monospace textarea and save back to disk
Reload hooks at runtime to pick up changes without restarting
Live stats (call count, failures, avg latency) from the hook registry
WebSocket-driven auto-refresh via hooks.status event
RPC methods: hooks.list, hooks.enable, hooks.disable, hooks.save, hooks.reload
Deploy platform detection: New MOLTIS_DEPLOY_PLATFORM env var hides local-only providers (local-llm, Ollama) on cloud deployments. Pre-configured in Fly.io, DigitalOcean, and Render deploy templates.
Telegram OTP self-approval: Non-allowlisted DM users receive a 6-digit verification code instead of being silently ignored. Correct code entry auto-approves the user to the allowlist. Includes flood protection (non-code messages silently ignored), lockout after 3 failed attempts (configurable cooldown), and 5-minute code expiry. OTP codes visible in web UI Senders tab. Controlled by otp_self_approval (default: true) and otp_cooldown_secs (default: 300) config fields.
Update availability banner: The web UI now checks GitHub releases hourly and shows a top banner when a newer version of moltis is available, with a direct link to the release page.

Changed

Documentation safety notice: Added an upfront alpha-software warning on the docs landing page, emphasizing careful deployment, isolation, and strong auth/network controls for self-hosted AI assistants.
Release packaging: Derive release artifact versions from the Git tag (vX.Y.Z) in CI, and sync package metadata during release jobs to prevent filename/version drift.
Versioning: Bump workspace and snap baseline version to 0.2.0.
Onboarding auth flow: Route first-run setup directly into /onboarding and remove the separate /setup web UI page.
Startup observability: Log each loaded context markdown (CLAUDE.md / AGENTS.md / .claude/rules/.md), memory markdown (MEMORY.md and memory/.md), and discovered SKILL.md to make startup/context loading easier to audit.
Workspace root pathing: Standardize workspace-scoped file discovery/loading on moltis_config::data_dir() instead of process cwd (affects BOOT.md, hook discovery, skill discovery, and compaction memory output paths).
Soul storage: Move agent personality text out of moltis.toml into workspace SOUL.md; identity APIs/UI still edit soul, but now persist it as a markdown file.
Identity storage: Persist agent identity fields (name, emoji, creature, vibe) to workspace IDENTITY.md using YAML frontmatter; settings UI continues to edit these fields through the same RPC/API.
User profile storage: Persist user profile fields (name, timezone) to workspace USER.md using YAML frontmatter; onboarding/settings continue to use the same API/UI while reading/writing the markdown file.
Workspace markdown support: Add TOOLS.md prompt injection from workspace root (data_dir), and keep startup injection sourced from BOOT.md.
Heartbeat prompt precedence: Support workspace HEARTBEAT.md as heartbeat prompt source with precedence heartbeat.prompt (config override) → HEARTBEAT.md → built-in default; log when config prompt overrides HEARTBEAT.md.
Heartbeat UX: Expose effective heartbeat prompt source (config, HEARTBEAT.md, or default) via heartbeat.status and display it in the Heartbeat settings UI.
BOOT.md onboarding aid: Seed a default workspace BOOT.md with in-file guidance describing startup injection behavior and recommended usage.
Workspace context parity: Treat workspace TOOLS.md as general context (not only policy) and add workspace AGENTS.md injection support from data_dir.
Heartbeat token guard: Skip heartbeat LLM turns when HEARTBEAT.md exists but is empty/comment-only and there is no explicit heartbeat.prompt override, reducing unnecessary token consumption.
Exec approval policy wiring: Gateway now initializes exec approval mode/security level/allowlist from moltis.toml (tools.exec.*) instead of always using hardcoded defaults.
Runtime tool enforcement: Chat runs now apply configured tool policy (tools.policy) and skill allowed_tools constraints when selecting callable tools.
Skill trust lifecycle: Installed marketplace skills/plugins now track a trusted state and must be trusted before they can be enabled; the skills UI now surfaces untrusted status and supports trust-before-enable.
Git metadata via gitoxide: Gateway now resolves branch names, repo HEAD SHAs, and commit timestamps using gix (gitoxide) instead of shelling out to git for those read-only operations.

Fixed

OAuth callback on hosted deployments: OpenAI Codex OAuth now uses the web app origin callback (/auth/callback) in the UI flow instead of hardcoded localhost loopback, allowing DigitalOcean/Fly/Render deployments to complete OAuth successfully.
Sandbox startup on hosted Docker environments: Skip sandbox image pre-build when sandbox mode is off, and require Docker daemon accessibility (not just Docker CLI presence) before selecting the Docker sandbox backend.
Homebrew release automation: Run the tap update in the release workflow after all package/image jobs complete so formula publishing does not race missing tarball assets.
Docker runtime: Install libgomp1 in the runtime image to satisfy OpenMP-linked binaries and prevent startup failures with libgomp.so.1 missing.
Release CI validation: Add a Docker smoke test step (moltis --help) after image build/push so missing runtime libraries fail in CI before release.
Web onboarding clarity: Add setup-code guidance that points users to the process log (stdout).
WebSocket auth (remote deployments): Accept existing session/API-key auth from WebSocket upgrade headers so browser connections don't immediately close after connect on hosted setups.
Sandbox UX on unsupported hosts: Disable sandbox controls in chat/images when no runtime backend is detected, with a tooltip explaining cloud deploy limitations.
Telegram OTP code echoed to LLM: After OTP self-approval, the verification code message was re-processed as a regular chat message because sender_approve restarted the bot polling loop (resetting the Telegram update offset). Sender approve/deny now hot-update the in-memory config without restarting the bot.
Empty allowlist bypassed access control: When dm_policy = Allowlist and all entries were removed, the empty list was treated as "allow everyone" instead of "deny everyone". An explicit Allowlist policy with an empty list now correctly denies all access.
Browser sandbox timeout: Sandboxed browsers now use the configured

navigation_timeout_ms (default 30s) instead of a shorter internal timeout. Previously, sandboxed browser connections could time out prematurely.

Tall screenshot lightbox: Full-page screenshots now display at proper size

with vertical scrolling instead of being scaled down to fit the viewport.

Telegram typing indicator for long responses: Channel replies now wait for outbound delivery tasks to finish before chat completion returns, so periodic typing... updates continue until the Telegram message is actually sent.
Skills dependency install safety: skills.install_dep now requires explicit user confirmation and blocks host installs when sandbox mode is disabled (unless explicitly overridden in the RPC call).

Security

Asset response hardening: Static assets now set X-Content-Type-Options: nosniff, and SVG responses include a restrictive Content-Security-Policy (script-src 'none', object-src 'none') to reduce stored-XSS risk if user-controlled SVGs are ever introduced.
Archive extraction hardening: Skills/plugin tarball installs now reject unsafe archive paths (.., absolute/path-prefix escapes) and reject symlink/hardlink archive entries to prevent path traversal and link-based escapes.
Install provenance: Installed skill/plugin repo manifests now persist a pinned commit_sha (resolved from clone or API fallback) for future trust drift detection.
Re-trust on source drift: If an installed git-backed repo's HEAD commit changes from the pinned commit_sha, the gateway now marks its skills untrusted+disabled and requires trust again before re-enabling; the UI surfaces this as source changed.
Security audit trail: Skill/plugin install, remove, trust, enable/disable, dependency install, and source-drift events are now appended to ~/.moltis/logs/security-audit.jsonl for incident review.
Emergency kill switch: Added skills.emergency_disable to immediately disable all installed third-party skills and plugins; exposed in the Skills UI as a one-click emergency action.
Risky dependency install blocking: skills.install_dep now blocks suspicious install command patterns by default (e.g. piped shell payloads, base64 decode chains, quarantine bypass) unless explicitly overridden with allow_risky_install=true.
Provenance visibility: Skills UI now displays pinned install commit SHA in repo and detail views to make source provenance easier to verify.
Recent-commit risk warnings: Skill/plugin detail views now include commit links and commit-age indicators, with a prominent warning banner when the pinned commit is very recent.
Installer subprocess reduction: Skills/plugins install paths now avoid git subprocess clone attempts and use GitHub tarball installs with pinned commit metadata.
Install resilience for rapid multi-repo installs: Skills/plugins install now auto-clean stale on-disk directories that are missing from manifest state, and tar extraction skips link entries instead of failing the whole install.
Orphaned repo visibility: Skills/plugins repo listing now surfaces manifest-missing directories found on disk as orphaned entries and allows removing them from the UI.
Protected seed skills: Discovered template skills (template-skill / template) are now marked protected and cannot be deleted from the web UI.
License review links: Skill/plugin license badges now link directly to repository license files when detectable (e.g. LICENSE.txt, LICENSE.md, LICENSE).
Example skill seeding: Gateway now seeds ~/.moltis/skills/template-skill/SKILL.md on startup when missing, so users always have a starter personal skill template.
Memory indexing scope tightened: Memory sync now indexes only MEMORY.md / memory.md and memory/ content by default (instead of scanning the entire data root), reducing irrelevant indexing noise from installed skills/plugins.
Ollama embedding bootstrap: When using Ollama for memory embeddings, gateway now auto-attempts to pull missing embedding models (default nomic-embed-text) via Ollama HTTP API.

Documentation

Added docs/src/skills-security.md with third-party skills/plugin hardening guidance (trust lifecycle, provenance pinning, source-drift re-trust, risky install guards, emergency disable, and security audit logging).

0.1.10 - 2026-02-06

Changed

CI builds: Build Docker images natively per architecture instead of QEMU emulation, then merge into multi-arch manifest

0.1.9 - 2026-02-06

Changed

CI builds: Migrate all release build jobs from self-hosted to GitHub-hosted runners for full parallelism (ubuntu-latest, ubuntu-latest-arm, macos-latest), remove all cross-compilation toolchain steps

0.1.8 - 2026-02-06

Fixed

CI builds: Fix corrupted cargo config on all self-hosted runner jobs, fix macOS runner label, add llama-cpp build deps to Docker and Snap builds

0.1.7 - 2026-02-06

Fixed

CI builds: Use project-local .cargo/config.toml for cross-compilation instead of appending to global config (fixes duplicate key errors on self-hosted runners)

0.1.6 - 2026-02-06

Fixed

CI builds: Use macOS GitHub-hosted runners for apple-darwin binary builds instead of cross-compiling from Linux
CI performance: Run lightweight lint jobs (zizmor, biome, fmt) on GitHub-hosted runners to free up self-hosted runners

0.1.5 - 2026-02-06

Fixed

CI security: Use GitHub-hosted runners for PRs to prevent untrusted code from running on self-hosted infrastructure
CI security: Add persist-credentials: false to docs workflow checkout (fixes zizmor artipacked warning)

0.1.4 - 2026-02-06

Added

--no-tls CLI flag: --no-tls flag and MOLTIS_NO_TLS environment variable to disable

TLS for cloud deployments where the provider handles TLS termination

One-click cloud deploy: Deploy configs for Fly.io (fly.toml), DigitalOcean

(.do/deploy.template.yaml), Render (render.yaml), and Railway (railway.json) with deploy buttons in the README

Config Check Command: moltis config check validates the configuration file, detects unknown/misspelled fields with Levenshtein-based suggestions, warns about security misconfigurations, and checks file references

Memory Usage Indicator: Display process RSS and system free memory in the header bar, updated every 30 seconds via the tick WebSocket broadcast

QMD Backend Support: Optional QMD (Query Memory Daemon) backend for hybrid search with BM25 + vector + LLM reranking
Gated behind qmd feature flag (enabled by default)
Web UI shows installation instructions and QMD status
Comparison table between built-in SQLite and QMD backends
Citations: Configurable citation mode (on/off/auto) for memory search results
Auto mode includes citations when results span multiple files
Session Export: Option to export session transcripts to memory for future reference
LLM Reranking: Use LLM to rerank search results for improved relevance (requires QMD)
Memory Documentation: Added docs/src/memory.md with comprehensive memory system documentation

Mobile PWA Support: Install moltis as a Progressive Web App on iOS, Android, and desktop
Standalone mode with full-screen experience
Custom app icon (crab mascot)
Service worker for offline support and caching
Safe area support for notched devices

Push Notifications: Receive alerts when the LLM responds
VAPID key generation and storage for Web Push API
Subscribe/unsubscribe toggle in Settings > Notifications
Subscription management UI showing device name, IP address, and date
Remove any subscription from any device
Real-time subscription updates via WebSocket
Client IP detection from X-Forwarded-For, X-Real-IP, CF-Connecting-IP headers
Notifications sent for both streaming and agent (tool-using) chat modes

Safari/iOS PWA Detection: Show "Add to Dock" instructions when push notifications

require PWA installation (Safari doesn't support push in browser mode)

Browser Screenshot Thumbnails: Screenshots from the browser tool now display as

clickable thumbnails in the chat UI

Click to view fullscreen in a lightbox overlay
Press Escape or click anywhere to close
Thumbnails are 200×150px max with hover effects

Improved Browser Detection: Better cross-platform browser detection
Checks macOS app bundles before PATH (avoids broken Homebrew chromium wrapper)
Supports Chrome, Chromium, Edge, Brave, Opera, Vivaldi, Arc
Shows platform-specific installation instructions when no browser found
Custom path via chrome_path config or CHROME environment variable

Vision Support for Screenshots: Vision-capable models can now interpret

browser screenshots instead of having them stripped from context

Screenshots sent as multimodal image content blocks for GPT-4o, Claude, Gemini
Non-vision models continue to receive [base64 data removed] placeholder
supports_vision() trait method added to LlmProvider for capability detection

Session state store: per-session key-value persistence scoped by

namespace, backed by SQLite (session_state tool).

Session branching: branch_session tool forks a conversation at any

message index into an independent copy.

Session fork from UI: Fork button in the chat header and sidebar action

buttons let users fork sessions without asking the LLM. Forked sessions appear indented under their parent with a branch icon.

Skill self-extension: create_skill, update_skill, delete_skill

tools let the agent manage project-local skills at runtime.

Skill hot-reload: filesystem watcher on skill directories emits

skills.changed events via WebSocket when SKILL.md files change.

Typed tool sources: ToolSource enum (Builtin / Mcp { server })

replaces string-prefix identification of MCP tools in the tool registry.

Tool registry metadata: list_schemas() now includes source and

mcpServer fields so the UI can group tools by origin.

Per-session MCP toggle: sessions store an mcp_disabled flag; the chat

header exposes a toggle button to enable/disable MCP tools per session.

Debug panel convergence: the debug side-panel now renders the same seven

sections as the /context slash command, eliminating duplicated rendering logic.

Documentation pages for session state, session branching, skill

self-extension, and the tool registry architecture.

Changed

Memory settings UI enhanced with backend comparison and feature explanations
Added memory.qmd.status RPC method for checking QMD availability
Extended memory.config.get to include qmd_feature_enabled flag

Push notifications feature is now enabled by default in the CLI

TLS HTTP redirect port now defaults to gateway_port + 1 instead of

the hardcoded port 18790. This makes the Dockerfile simpler (both ports are adjacent) and avoids collisions when running multiple instances. Override via [tls] http_redirect_port in moltis.toml or the MOLTIS_TLS__HTTP_REDIRECT_PORT environment variable.

TLS certificates use moltis.localhost domain. Auto-generated server

certs now include moltis.localhost, *.moltis.localhost, localhost, 127.0.0.1, and ::1 as SANs. Banner and redirect URLs use https://moltis.localhost:<port> when bound to loopback, so the cert matches the displayed URL. Existing certs are automatically regenerated on next startup.

Certificate validity uses dynamic dates. Cert notBefore/notAfter

are now computed from the current system time instead of being hardcoded. CA certs are valid for 10 years, server certs for 1 year from generation.

McpToolBridge now stores and exposes server_name() for typed

registration.

mcp_service::sync_mcp_tools() uses unregister_mcp() /

register_mcp() instead of scanning tool names by prefix.

chat.rs uses clone_without_mcp() instead of

clone_without_prefix("mcp__") in all three call sites.

Fixed

Push notifications not sending when chat uses agent mode (run_with_tools)
Missing space in Safari install instructions ("usingFile" → "using File")
WebSocket origin validation now treats .localhost subdomains

(e.g. moltis.localhost) as loopback equivalents per RFC 6761.

Browser tool schema enforcement: Added strict: true and additionalProperties: false

to OpenAI-compatible tool schemas, improving model compliance with required fields

Browser tool defaults: When model sends URL without action, defaults to navigate

instead of erroring

Chat message ordering: Fixed interleaving of text and tool cards when streaming;

messages now appear in correct chronological order

Tool passthrough in ProviderChain: Fixed tools not being passed to fallback

providers when using provider chains

Fork/branch icon in session sidebar now renders cleanly at 16px (replaced

complex git-branch SVG with simple trunk+branch path).

Deleting a forked session now navigates to the parent session instead of

an unrelated sibling.

Streaming tool calls for non-Anthropic providers: OpenAiProvider,

GitHubCopilotProvider, KimiCodeProvider, OpenAiCodexProvider, and ProviderChain now implement stream_with_tools() so tool schemas are sent in the streaming API request and tool-call events are properly parsed. Previously only AnthropicProvider supported streaming tool calls; all other providers silently dropped the tools parameter, causing the LLM to emit tool invocations as plain text instead of structured function calls.

Streaming tool call arguments dropped when index ≠ 0: When a provider

(e.g. GitHub Copilot proxying Claude) emits a text content block at streaming index 0 and a tool_use block at index 1, the runner's argument finalization used the streaming index as the vector position directly. Since tool_calls has only 1 element at position 0, the condition 1 < 1 was false and arguments were silently dropped (empty {}). Fixed by mapping streaming indices to vector positions via a HashMap.

Skill tools wrote to wrong directory: create_skill, update_skill, and

delete_skill used std::env::current_dir() captured at gateway startup, writing skills to <cwd>/.moltis/skills/ instead of ~/.moltis/skills/. Skills now write to <data_dir>/skills/ (Personal source), which is always discovered regardless of where the gateway was started.

Skills page missing personal/project skills: The /api/skills endpoint

only returned manifest-based registry skills. Personal and project-local skills were never shown in the navigation or skills page. The endpoint now discovers and includes them alongside registry skills.

Documentation

Added voice.md with TTS/STT provider documentation and setup guides
Added mobile-pwa.md with PWA installation and push notification documentation
Updated CLAUDE.md with cargo feature policy (features enabled by default)
Updated browser-automation.md with browser detection, screenshot display, and

model error handling sections

Rewrote session-branching.md with accurate fork details, UI methods, RPC

API, inheritance table, and deletion behavior.