Release Notes Added

• (tools) production-grade coding tools, file history, and skills (#2025)
• add extensible deployment profiles (IRONCLAW_PROFILE) (#2203)
• (skills) commitments system — active intake for personal AI assistant (#1736)
• add native Composio tool for third-party app integrations (#920)
• (gateway) extract gateway frontend into ironclaw_gateway crate with widget system (#1725)
• (railway) build staging target with pre-bundled WASM extensions (#2219)
• (docker) pre-bundle WASM extensions in staging image (#2210)
• (tui) ship TUI in default binary (#2195)
• (admin) admin tool policy to disable tools for users (#2154)
• (web) add scroll-to-bottom arrow in gateway chat (#2202)
• unified tool dispatch + schema-validated workspace (#2049)
• (workspace) admin system prompt shared with all users (#2109)
• (engine) restage skill repair learning loop on staging (#1962)
• (tui) port full-featured Ratatui terminal UI onto staging (#1973)
• (slack) implement on_broadcast and fix message tool hints (#2113)
• (i18n) add Korean translation, fix zh-CN drift, and prevent future drift via pre-commit hook (#2065)
• NEAR AI MCP server (#2009)
• (test) dual-mode live/replay test harness with LLM judge (#2039)
• add AWS Bedrock embeddings provider (#1568)
• (ownership) centralized ownership model with typed identities, DB-backed pairing, and OwnershipCache (#1898)
• (tools) persistent per-user tool permission system (#1911)
• (engine) Unified Thread-Capability-CodeAct execution engine (v2 architecture) (#1557)
• (auth) direct OAuth/social login with Google, GitHub, Apple, and NEAR wallet (#1798)
• Add ACP (Agent Client Protocol) job mode for delegating to any compatible coding agent (#1600)
• (workspace) metadata-driven indexing/hygiene, document versioning, and patch (#1723)
• (jobs) per-job MCP server filtering and max_iterations cap (#1243)
• (config) unify all settings to DB > env > default priority (#1722)
• (telegram) add sendVoice support for audio/ogg attachments (#1314)
• (setup) build ironclaw-worker Docker image in setup wizard (#1757) Fixed
• (ci) bump 5 channel versions + fix lifetime desync in panics check (#2300)
• (test) case-insensitive hint matching in TraceLlm step_matches (#2292)
• (v2) tool naming, auth gates, schema flatten, WASM traps, workspace race (#2209)
• (ci) resolve 4 staging test failures (#2273)
• (docker) copy profiles/ into build stages (#2289)
• (engine) mission cron scheduling + timezone propagation (#1944) (#1957)
• (oauth) use localhost for redirect URI when bound to 0.0.0.0 (#2247)
• (bridge) sanitize auth_url on engine v2 path (#2206) (#2215)
• (docs) explain in more details activation block & installation steps for skills (#2216)
• (docker) consume CACHE_BUST arg so BuildKit invalidates cache
• (gateway) suppress duplicate text response during auth flow and unify extension config modal (#2172)
• (agent) stop intercepting bare yes/no/always as approval when nothing pending (#2178)
• (ci) resolve 3 staging test failures (#2207)
• (wasm) upgrade Wasmtime to 43.0.1 and restore CI (#2224)
• fix(auth) first-pass Gmail OAuth auth prompt in chat (#2038)
• (db) repair V6 migration checksum and guard against re-modification (#1328) (#2101)
• (ci) target wasm32-wasip2 in WASM build script (#2175)
• (test) use canonical extension name in setup submit test (#2158)
• fix (skills) installs for invalid catalog names (#2040)
• universal engine-version tool visibility filtering (#2132)
• (ownership) remove silent cross-tenant credential fallback (#2099)
• (e2e) canonicalize extension names + fix remaining test failures (#2129)
• (ownership) unify ownership checks via Owned trait and fix mission visibility bug (#2126)
• (web) intercept approval text input in chat (#2124)
• (staging) repair 4 categories of CI test failures (#2091)
• (web) emit Done after response — SSE ordering fix (#2079) (#2104)
• (tools) gate claude_code and acp modes behind enabled flags (#2003)
• (acp) propagate follow-up prompt failures as job errors (#1981)
• color for tools use (#2096)
• (registry) use canonical underscore names in manifests to fix WASM install (#2029)
• (safety) add credential patterns and sensitive path blocklist (#1675)
• (channels) allow telegram wasm channel name (#2051)
• (staging) repair broken test build and macOS-incompatible SSRF tests (#2064)
• honor auto-approve tools in engine v2 (#2013)
• (bridge) sanitize orphaned tool results in v2 adapter (#1975)
• (docker) ensure ironclaw runtime home exists (#1918)
• (agent) prevent self-repair notification spam for stuck jobs (#1867)
• (self-repair) skip built-in tools in broken tool detection and repair (#1991)
• unblock bootstrap ownership on dynamic_tools (#2005)
• (llm) invert reasoning default — unknown models skip think/final tags (#1952)
• (llm) add sanitize_tool_messages to OpenAiCodexProvider (#1971)
• update CLI help snapshots for --auto-approve and acp command (#1966)
• (docker) switch to glibc to fix libSQL segfault on DB reopen (#1930)
• (db) swap V16/V17 to match production PG (document_versions before user_identities) (#1931)
• (db) keep V15=conversation_source_channel to match production PG (#1928)
• (db) resolve V15 migration numbering conflict (#1923)
• (routines) add bounded retry for transient lightweight failures (#1471)
• (relay) thread responses under original message in Slack channels (#1848)
• (worker) Improve command execution parameter validation (#1692)
• (telegram) auto-generate webhook secret during setup (#1536)
• (builder) accept inline-table and object-map dependency formats from LLM (#1748)
• (gemini) preserve and echo thoughtSignature for Gemini 3.x function calls (#1752)
• (relay) route async Slack messages to correct channel instead of DMs (#1845)
• (security) block cross-channel approval thread hijacking (#1590)
• (builder) add approval context propagation for sub-tool execution (#1125) Other
• trigger ironclaw-dind image build (#2190)
• add amazon tutorial (#2261)
• Create QA Bug Report issue template (#2228)
• [codex] Stabilize auth readiness and gate flows (#2050)
• Add mintlify docs (#2189)
• [codex] allow private local llm endpoints (#1955)
• (ci) add Dependabot and pin GitHub Actions by SHA (#2043)
• Fix routine Telegram notification summaries (#2033)
• (channels) add Slack E2E tests, integration tests, and smoke runner (#2042)
• (engine) rename ENGINE_V2_TRACE to IRONCLAW_RECORD_TRACE (#2114)
• fix multi-tenant inference latency (per-conversation locking + workspace indexing) (#2127)
• Improve channel onboarding and Telegram pairing flow (#2103)
• (e2e) expand SSE resilience coverage (#1897)
• add Telegram E2E tests and Rust integration tests (#2037)
• (fix) WASM channel HTTP SSRF protections (#1976)
• Ignore default model override and empty WASM polls (#1914)
• (workspace) add direct regression tests for scoped_to_user rebinding (#1652) (#1875)
• Fix turn cost footer and per-turn usage accounting (#1951)
• Publish ironclaw-worker image from Dockerfile.worker (#1979)
• [codex] Move safety benches into ironclaw_safety crate (#1954)
• Fix bootstrap paths and webhook defaults
• Only tag :latest/:version on release, allow 😒taging via manual dispatch [skip-regression-check] (#1925)
• Add Docker Hub workflow and optimize Dockerfile for size (#1886)
• (e2e) add agent loop recovery coverage (#1854)
• disable cooldown in gateway webhook workflow test (#1889)
• Expand GitHub WASM tool surface (#1884)
• (e2e) cover chat approval parity across channels (#1858)
• add routine coverage for issue 1781 (#1856)