| v0.25.2 | ### Highlights **Slack attachment handling repaired** — Four bugs caused Slack file uploads to be silently dropped: files posted to an already-engaged thread, files posted *before* the agent was invited (mid-thread history), files attached to follow-ups that coalesced into a busy conversation, and same-named files that overwrote each other. The agent now reliably receives every attachment, and duplicate names are automatically uniquified (`data.csv` → `data-1.csv`). (#610) **Email attachme | High | 6/3/2026 |
| v0.25.1 | ### Highlights **Web search restored** — A regression in 0.25.0 broke `web_search`: every web search the agent ran failed the whole turn with a 400 error. Web search now works again. (#608) ### Other Changes - Dependency bumps across the main and proxy lockfiles — runtime: idna 3.16, pyjwt 2.13.0 (main), tornado 6.5.6, click 8.4.1 (proxy container); plus dev-tool updates (ty, ruff, coverage, pytest-asyncio, and others). All three vulnerability scans pass. (#607) ### Upgrade `airut | High | 5/30/2026 |
| v0.25.0 | ### Highlights **Slack channel mode** — Airut now engages in Slack public and private channels via `@`-mention, not just DMs. Mention the bot in a thread and it joins the conversation; a sticky-thread rule lets follow-ups land without re-mentioning, and a mid-thread mention replays prior thread context (≤200 messages) into Claude's first prompt. Channel work is acknowledged with a `:eyes:` reaction on arrival that swaps to `:white_check_mark:` (success) or `:x:` (failure) on completion. Inbou | High | 5/27/2026 |
| v0.24.2 | ### Highlights **GraphQL repository scoping — `Query.repository(owner, name)` form** — Third installment in the v0.24 GraphQL scope-checker hardening series. The proxy's repo-scope checker previously only validated `repositoryId`/`*Id`/`repositoryNameWithOwner` fields and missed GitHub's `Query.repository(owner, name)` form (and its `organization(login).repository(name)`, `repositoryOwner.repository(name)`, `user(login).repository(name)` accessors). With `queries: ["*"]`, an in-scope GitHub A | High | 5/7/2026 |
| v0.24.1 | ### Highlights **Preserve substantive replies** — Fixed a bug where the email/Slack reply dropped the substantive part of the agent's response when the model emitted a short closing remark after tool calls (e.g. "Memory saved…" following the real reply). The reply builder now anchors on the latest substantive text and concatenates everything after it. (#574) **GraphQL repository scoping hardening** — Follow-up to the v0.24.0 scope checker: `createCommitOnBranch` bypassed repo-scope checks | High | 4/18/2026 |
| v0.24.0 | ### Highlights **GraphQL repository scoping** — GitHub App installation tokens can perform GraphQL mutations on any public repository, creating an exfiltration channel where a sandboxed agent could post secrets to attacker-controlled issues. The proxy now resolves configured repository node IDs at token refresh time and rejects any GraphQL mutation targeting an out-of-scope repository. A second defense layer decodes GitHub node IDs in all `*Id` input fields to verify repository ownership, cat | High | 4/15/2026 |
| v0.23.0 | ### Highlights **Markdown rendering rewrite** — The hand-rolled ~690-line markdown-to-HTML converter has been replaced with [mistune](https://github.com/lepture/mistune) v3, a proper CommonMark parser with a custom email renderer. This eliminates formatting issues with paragraphs, blockquotes, list continuations, and table spacing in email output. The earlier incremental fixes to the old parser (paragraph handling, blockquote support, list continuation lines) were superseded by the full migra | High | 4/14/2026 |
| v0.22.1 | ### Highlights - **Claude Code CDN downloads** — Binary downloads now use `downloads.claude.ai` as the primary source with automatic fallback to GCS, improving reliability and aligning with Anthropic's official distribution channel. (#511, #512) - **GitHub Actions security hardening** — All third-party actions are pinned to commit SHAs with minimal permissions per job, plus a new `check_actions.py` tool to verify and auto-update pins. (#504, #505) ### Other Changes - Added Markdown c | High | 4/11/2026 |
| v0.22.0 | ### Highlights - **Leaner runtime dependencies** — Replaced three external packages (`httpx`, `python-dotenv`, `platformdirs`) with minimal built-in modules, removing 7 transitive dependencies from the install. Fewer packages to audit and faster installs. (#499, #501, #502) - **GitHub App credential editor** — Creating a new GitHub App credential in the config editor now pre-populates host scopes (`github.com`, `api.github.com`, `*.githubusercontent.com`) and common permissions, reducing s | Medium | 4/9/2026 |
| v0.21.1 | ### Bug Fixes - **Conversation cleanup with container-created files** — Fixed `PermissionError` when deleting conversation directories containing files created inside rootless Podman containers (subordinate UID ownership). Cleanup now falls back to `podman unshare rm -rf` when `shutil.rmtree()` fails. (#486) - **Dashboard 404 during config reload** — Dashboard API endpoints for active conversations returned 404 when the repo was in `RELOAD_PENDING` or `RELOADING` state. Fixed the work-dire | High | 4/8/2026 |
| v0.21.0 | ### Highlights **Scheduled tasks** — Airut can now run tasks on a cron schedule without any external trigger. Define a schedule in your server config with a cron expression, a prompt or trigger script, and an email recipient — Airut handles the rest. Two modes are supported: *prompt mode* runs Claude with a fixed prompt on each fire, and *script mode* runs a command first and only invokes Claude when there's output to analyze or a failure to investigate. Results are delivered via email with f | Medium | 4/5/2026 |
| v0.20.2 | ### Highlights **Email channel reliability overhaul** — Fixed a family of bugs across IMAP and SMTP that could cause message corruption, silent reconnection failures, and broken email threads. - *IMAP sequence number invalidation* — All IMAP operations now use UID commands instead of sequence numbers. When multiple emails queued during a poll cycle, deleting a message shifted subsequent sequence numbers, causing wrong messages to be deleted, duplicates to be re-processed, and `BAD Invalid | Medium | 3/29/2026 |
| v0.20.1 | ### Bug Fixes **Container package-manager compatibility** — Fixed `apt-get` failures (privilege-drop to `_apt` user) and `npm gyp` `EPERM: operation not permitted, fchown` errors inside sandbox containers. The container now selectively re-adds five POSIX ownership/permission capabilities (`CHOWN`, `DAC_OVERRIDE`, `FOWNER`, `SETGID`, `SETUID`) after the blanket `--cap-drop=ALL`. In rootless Podman these remain scoped to the user namespace; capabilities that package managers don't need stay dro | Medium | 3/27/2026 |
| v0.20.0 | ### Highlights **Airut-managed Claude Code installation** — The gateway now downloads, verifies, and caches Claude Code binaries on the host, bind-mounting them read-only into containers. This eliminates the need to install Claude Code in Dockerfiles, producing smaller and faster-to-build container images — especially beneficial for `airut-sandbox` and `sandbox-action` CI sandboxing where Claude Code isn't needed at all. Per-repo version pinning is available via the `claude_version` config fi | Medium | 3/27/2026 |
| v0.19.0 | ### Highlights **Web config editor** — The dashboard now includes a full schema-driven configuration editor, replacing manual YAML editing as the primary way to configure Airut. The editor supports all settings — global options, per-repo configuration, channel setup (email/Slack), credentials with source selectors (`!env`/`!var`/literal), and config variables with cross-reference tracking and atomic rename. An edit buffer pattern provides diff preview before saving, and validation catches err | Medium | 3/26/2026 |
| v0.18.0 | ### Highlights **GitHub App credential support** — The proxy can now authenticate as a GitHub App instead of using classic PATs. It holds the App's RSA private key, generates JWTs, exchanges them for short-lived installation tokens (1-hour expiry), and caches/rotates them transparently. This closes an exfiltration vector where a sandboxed session could leak small amounts of data by creating repositories via the GraphQL API — encoding secrets in the repo name or other fields. App installation | Low | 3/21/2026 |
| v0.17.2 | ### Bug Fixes - **Proxy image not rebuilt after GC prunes it** — When the housekeeping thread pruned the proxy container image, subsequent `start_proxy()` calls failed with a Podman "short-name did not resolve" error. The proxy image is now rebuilt on demand when missing or stale. (#321) - **Test warning noise under xdist** — Filtered `PytestUnraisableExceptionWarning` from third-party plugin leaks (pytest-socket, pytest-asyncio) under xdist, which were false positives triggered by the stric | Low | 3/19/2026 |
| v0.17.1 | ### Highlights **Automatic container image pruning** — The housekeeping thread now prunes dangling and stale airut-prefixed container images each GC cycle, preventing disk usage from growing unbounded on long-running servers. The initial GC delay was also reduced from 24 hours to 60 seconds so servers that restart frequently no longer skip garbage collection entirely. Controlled by the `execution.image_prune` config option (default `true`). (#315) ### Bug Fixes - **Stale network blockin | Low | 3/18/2026 |
| v0.17.0 | ### Performance **Async IO execution layer** — Rewrote the sandbox execution layer from blocking `subprocess.Popen` to `asyncio`, eliminating deadlock risk from sequential stdout/stderr reads. Stream reading uses chunk-based `read()` with manual line splitting, removing any line-length limit. (#275, #277, #280) **Reduced execution memory footprint** — `ExecutionResult` no longer stores raw stdout, stderr, or event lists. A new streaming `ExecutionAccumulator` extracts fields in a single pa | Low | 3/17/2026 |
| v0.16.1 | ### Highlights **Fix sandbox CLI ignoring `allow_foreign_credentials` for masked secrets** — The sandbox CLI's masked secret parser did not read the `allow_foreign_credentials` field from config, so `MaskedSecret` always defaulted to `false`. This caused the proxy to strip legitimate credentials (e.g., server-issued JWTs during Cloudflare Pages deploys) even when `allow_foreign_credentials: true` was explicitly set. The CLI parser now reads the field, matching the gateway config parser. (#274 | Low | 3/16/2026 |
| v0.16.0 | ### Highlights **Foreign credential blocking** — When masked secrets are scoped to a host, the proxy now strips credential headers that don't contain the expected surrogate token. This prevents sandboxed code from bypassing credential isolation by supplying its own API key on an allowlisted endpoint (e.g., uploading data to an attacker-controlled account). This is a **behavior change**: previously, foreign credential headers were passed through unmodified. To restore pass-through behavior for | Low | 3/16/2026 |
| v0.15.0 | ### Highlights **CI sandboxing with `airut-sandbox` CLI** — A new standalone CLI (`airut-sandbox run`) executes arbitrary commands inside the same sandboxed containers used by the gateway, with network restrictions, credential isolation, and exit code passthrough. The sandbox library was refactored into a generic foundation (`CommandTask`) that both the CLI and gateway share. The CLI defaults to quiet output (only the sandboxed command's stdout/stderr), with `--verbose`, `--debug`, and `--log | Low | 3/15/2026 |
| v0.14.0 | ### Highlights **Configurable container resource limits** — Containers can now be constrained with memory, CPU, and PID limits via a `resource_limits` block in both server and repo configuration. Server-side ceilings clamp per-repo values, ensuring operators maintain control. The `timeout` field moves into this block (legacy top-level `timeout` still works). A new `airut check` step verifies cgroup v2 delegation is configured correctly. (#219, #221) **Dashboard security hardening** — The d | Low | 3/7/2026 |
| v0.13.3 | ## Highlights **Proxy subnet allocator isolation fix** — The proxy subnet allocator used a modular counter that could wrap around after 254 allocations and reuse a subnet still held by a running task, allowing two containers to share a network. The allocator now tracks active subnets in a set, skips in-use octets, and raises `ProxyError` when all 254 subnets are exhausted instead of silently reusing. (#216) **Email attachment path traversal fix** — A crafted email with a filename like `../ | Low | 3/7/2026 |
| v0.13.2 | ## Highlights **Slack listener health recovery after reconnect** — The Slack WebSocket health status could get stuck as `DEGRADED` after a transient connection drop, even though the Bolt SDK successfully auto-reconnected. The listener now detects the first incoming message after a degraded state and restores the status to `CONNECTED`. (#209) **Cost display with API key and OAuth** — When both `ANTHROPIC_API_KEY` and `CLAUDE_CODE_OAUTH_TOKEN` are configured, Claude Code uses the API key (an | Low | 3/4/2026 |
| v0.13.1 | ## Highlights **Slack and email formatting improvements** — Several fixes improve how Airut renders messages across both channels. Bare URLs in Slack messages are now pre-linkified to prevent Slack's auto-linker from mangling URLs adjacent to bold formatting. Table columns in Slack code fences are aligned using Unicode-aware width calculation that correctly handles emoji, East Asian wide characters, and combining marks. For email, pipe characters inside backtick code spans no longer incorrect | Low | 2/21/2026 |
| v0.12.0 | ## Breaking Changes **Email configuration nesting** — All email-related fields in the server config (`~/.config/airut/airut.yaml`) must now be nested under an `email:` key within each repo. The following fields have moved from the repo level into `email:`: - `authorized_senders` - `trusted_authserv_id` - `microsoft_internal_auth_fallback` - `imap` (with `poll_interval`, `use_idle`, `idle_reconnect_interval`) Airut will refuse to start and print a clear error listing misplaced fields | Low | 2/17/2026 |
| v0.11.0 | ## Highlights **Protocol-Agnostic Gateway** — The gateway core has been fully decoupled from email-specific logic. A new `ChannelAdapter` protocol and `ParsedMessage` dataclass define the boundary between the generic orchestration layer and channel implementations (currently email). This lays the groundwork for future messaging channels (Slack, etc.) without modifying the core. (#137, #138) ## Other Changes - `airut update` now runs `airut check` after upgrading to verify configuration | Low | 2/16/2026 |
| v0.9.1 | ## Highlights **Dashboard Polling Fallback** — All dashboard pages now automatically fall back to ETag-based polling when SSE connections fail (e.g., when the 8-connection limit is reached with multiple browser tabs). Previously, only the main dashboard had this fallback; actions, network, task detail, and repo detail pages would show "Disconnected" with no recovery. New `/api/conversation/{id}/events/poll` and `/api/conversation/{id}/network/poll` endpoints support incremental HTML updates w | Low | 2/15/2026 |
| v0.9.0 | ## Highlights **CLI Overhaul** — The `airut` CLI is now a proper command-line tool with helpful defaults. Running `airut` with no arguments prints version and available commands instead of silently starting the gateway. Unknown commands produce clear errors with usage hints. Every subcommand supports `--help`. The `airut check` command has been expanded into a full installation health dashboard — it shows version info, config paths, dependency status, systemd service state, and checks PyPI or | Low | 2/15/2026 |
| v0.8.3 | ## Summary Fixes dashboard visibility issues and improves PyPI packaging. ## Changes - **Fix pending request visibility in dashboard** — The pending request prompt was hidden on the actions page because SSE catch-up replayed all events from offset zero, pushing the viewport past the structured timeline. The task detail page also omitted pending requests entirely. SSE streams now start from the correct byte offset at page load, and the task detail page renders pending request text when p | Low | 2/15/2026 |
| v0.8.2 | ## Summary Fixes version reporting for PyPI installations. ## Changes - **Fix version display on PyPI installs** — The `airut --version` command showed "unknown" when installed from PyPI via `uv tool install airut`. The version lookup now always checks embedded version info first, regardless of how the gateway was invoked. The unused `repo_path` parameter was removed from the version API to prevent future confusion. (#101) | Low | 2/15/2026 |
| v0.8.1 | ## Summary Fixes the PyPI package reporting version "unknown" when installed via `uv tool install airut`. ## Changes - **Fix version in PyPI wheels** — Wheels built from the sdist (the PyPI install path) were missing `lib/_version.py`, causing the installed package to show "unknown" as its version. The build hook now preserves the existing `_version.py` when git is unavailable. (#98) - **Switch to dynamic versioning from git tags** — The package version is now derived automatically fro | Low | 2/15/2026 |
| v0.8.0 | ## Highlights **`uv tool install` Deployment** — Airut is now distributed as a self-contained Python wheel installable via `uv tool install airut`. Static resources (proxy scripts, assets) are bundled into the package via `importlib.resources`, configuration uses XDG directories (`~/.config/airut/`, `~/.local/state/airut/`), and version info is embedded at build time. New CLI commands `airut init` and `airut check` help with initial setup and system validation. The auto-updater service has be | Low | 2/15/2026 |
| v0.7.0 | ## Highlights **AWS Credential Masking** — The network proxy can now intercept and re-sign AWS API requests, allowing containers to use surrogate credentials while the proxy transparently substitutes real ones. This prevents containers from exfiltrating AWS keys while maintaining full access to AWS services. Supports SigV4, SigV4A (multi-region), chunked streaming, presigned URLs, and S3-compatible services (R2, MinIO, B2). (#53) **Message-ID Threading** — Outbound emails now include struc | Low | 2/11/2026 |
| v0.6.1 | ## Highlights **HTML-First Email Parsing** — The gateway now prefers the `text/html` part over `text/plain` in multipart emails, using client-specific HTML structural markers to reliably strip quoted replies. This replaces the fragile text-based quote stripping with a parser that recognizes quote containers from Outlook (web, mobile, desktop), Gmail, Yahoo, Thunderbird, and Apple Mail. Inline replies are preserved as markdown blockquotes so the LLM sees the context the user replied to, while | Low | 2/11/2026 |
| v0.6.0 | ## Highlights **Microsoft 365 Support** — Airut can now run on Microsoft 365 mailboxes. This required adding OAuth2 Client Credentials authentication (XOAUTH2) for IMAP and SMTP, which is the only auth method M365 supports for application access. It also required addressing several areas where M365 deviates from standard email behavior — see the entries below. Includes a deployment guide for Azure AD app registration and Exchange Online service principal setup. (#44) **First-Header DMARC V | Low | 2/10/2026 |
| v0.5.0 | ## Highlights **Corrupted Session Recovery** — When a Claude Code session becomes permanently invalid (e.g., mismatched tool state causing API 4xx errors), the gateway now detects the corruption and automatically retries with a fresh session. Previously, a corrupted session would cause every subsequent message in the conversation to fail with the same error indefinitely. This uses the same recovery path as the existing "prompt too long" handler. (#40) **Boot Progress Dashboard** — The web | Low | 2/9/2026 |
| v0.4.0 | ## Highlights **Update Channels** — The auto-updater now supports two channels, selected at install time via `--channel`. The `rel` channel (default) tracks the latest `v*` tag and polls every 6 hours. The `dev` channel tracks `origin/main` and polls every 30 minutes. The polling interval can be overridden with `--interval`. Install logic moved from `scripts/` to `lib/install_services.py` for testability. (#34) **Persistent `/storage` Mount** — Conversations now have a `/storage` directory | Low | 2/7/2026 |
| v0.3.0 | ## Highlights **Transparent DNS-Spoofing Proxy** — The network sandbox has been re-architected from the ground up. The old design relied on `HTTP_PROXY` environment variables, which many tools (Node.js, Go) silently ignore. The new design intercepts all traffic transparently via DNS, with no cooperation required from the container. A custom DNS responder replaces Podman's default aardvark-dns. For allowlisted domains, it returns the proxy's IP address; for everything else, it returns NXDOM | Low | 2/6/2026 |
| v0.2.0 | ## Highlights **Masked Secrets** — Containers no longer receive real credentials. Instead, they get surrogate tokens that are useless outside the system. The proxy swaps surrogates for real credentials only when requests match configured host scopes. This prevents credential exfiltration — even if the container is compromised via prompt injection, the attacker cannot steal credentials because they were never there. (#6) **Network Log Improvements** — Error responses (4xx/5xx) are now visua | Low | 2/5/2026 |
| v0.1.0 | ## Airut v0.1.0 Initial public release of Airut — an email gateway for headless Claude Code interaction. ### What's Included - **Email Gateway**: Send instructions via email, receive Claude Code responses - **Container Isolation**: Each conversation runs in an isolated container with resource limits - **Network Sandbox**: Allowlist-based network access via mitmproxy prevents data exfiltration - **DMARC Authentication**: Email sender verification with configurable allowlist - **Conve | Low | 2/4/2026 |
