# airut > Airut is a system for running Claude Code tasks from email and Slack. It handles workspace provisioning, container isolation, network sandboxing, session persistence, and cleanup — a secure foundation - **URL**: https://www.freshcrate.ai/projects/airut - **Author**: airutorg - **Category**: Security - **Latest version**: `v0.25.2` (2026-06-03) - **License**: MIT - **Source**: https://github.com/airutorg/airut - **Homepage**: https://airut.org - **Language**: Python - **GitHub**: 73 stars, 3 forks - **Registry**: github - **Tags**: `python` ## Description Airut is a system for running Claude Code tasks from email and Slack. It handles workspace provisioning, container isolation, network sandboxing, session persistence, and cleanup — a secure foundation for autonomous agentic development. ## Recent releases | Version | Date | Urgency | Changes | | --- | --- | --- | --- | | `v0.25.2` | 2026-06-03 | High | ### Highlights **Slack attachment handling repaired** — Four bugs caused Slack file uploads to be silently dropped: files posted to an already-engaged thread, files posted *before* the agent was invited (mid-thread history), files attached to follow-ups that coalesced into a busy conversation, and same-named files that overwrote each other. The agent now reliably receives every attachment, and duplicate names are automatically uniquified (`data.csv` → `data-1.csv`). (#610) **Email attachme | | `v0.25.1` | 2026-05-30 | High | ### Highlights **Web search restored** — A regression in 0.25.0 broke `web_search`: every web search the agent ran failed the whole turn with a 400 error. Web search now works again. (#608) ### Other Changes - Dependency bumps across the main and proxy lockfiles — runtime: idna 3.16, pyjwt 2.13.0 (main), tornado 6.5.6, click 8.4.1 (proxy container); plus dev-tool updates (ty, ruff, coverage, pytest-asyncio, and others). All three vulnerability scans pass. (#607) ### Upgrade `airut | | `v0.25.0` | 2026-05-27 | High | ### Highlights **Slack channel mode** — Airut now engages in Slack public and private channels via `@`-mention, not just DMs. Mention the bot in a thread and it joins the conversation; a sticky-thread rule lets follow-ups land without re-mentioning, and a mid-thread mention replays prior thread context (≤200 messages) into Claude's first prompt. Channel work is acknowledged with a `:eyes:` reaction on arrival that swaps to `:white_check_mark:` (success) or `:x:` (failure) on completion. Inbou | | `v0.24.2` | 2026-05-07 | High | ### Highlights **GraphQL repository scoping — `Query.repository(owner, name)` form** — Third installment in the v0.24 GraphQL scope-checker hardening series. The proxy's repo-scope checker previously only validated `repositoryId`/`*Id`/`repositoryNameWithOwner` fields and missed GitHub's `Query.repository(owner, name)` form (and its `organization(login).repository(name)`, `repositoryOwner.repository(name)`, `user(login).repository(name)` accessors). With `queries: ["*"]`, an in-scope GitHub A | | `v0.24.1` | 2026-04-18 | High | ### Highlights **Preserve substantive replies** — Fixed a bug where the email/Slack reply dropped the substantive part of the agent's response when the model emitted a short closing remark after tool calls (e.g. "Memory saved…" following the real reply). The reply builder now anchors on the latest substantive text and concatenates everything after it. (#574) **GraphQL repository scoping hardening** — Follow-up to the v0.24.0 scope checker: `createCommitOnBranch` bypassed repo-scope checks | | `v0.24.0` | 2026-04-15 | High | ### Highlights **GraphQL repository scoping** — GitHub App installation tokens can perform GraphQL mutations on any public repository, creating an exfiltration channel where a sandboxed agent could post secrets to attacker-controlled issues. The proxy now resolves configured repository node IDs at token refresh time and rejects any GraphQL mutation targeting an out-of-scope repository. A second defense layer decodes GitHub node IDs in all `*Id` input fields to verify repository ownership, cat | | `v0.23.0` | 2026-04-14 | High | ### Highlights **Markdown rendering rewrite** — The hand-rolled ~690-line markdown-to-HTML converter has been replaced with [mistune](https://github.com/lepture/mistune) v3, a proper CommonMark parser with a custom email renderer. This eliminates formatting issues with paragraphs, blockquotes, list continuations, and table spacing in email output. The earlier incremental fixes to the old parser (paragraph handling, blockquote support, list continuation lines) were superseded by the full migra | | `v0.22.1` | 2026-04-11 | High | ### Highlights - **Claude Code CDN downloads** — Binary downloads now use `downloads.claude.ai` as the primary source with automatic fallback to GCS, improving reliability and aligning with Anthropic's official distribution channel. (#511, #512) - **GitHub Actions security hardening** — All third-party actions are pinned to commit SHAs with minimal permissions per job, plus a new `check_actions.py` tool to verify and auto-update pins. (#504, #505) ### Other Changes - Added Markdown c | | `v0.22.0` | 2026-04-09 | Medium | ### Highlights - **Leaner runtime dependencies** — Replaced three external packages (`httpx`, `python-dotenv`, `platformdirs`) with minimal built-in modules, removing 7 transitive dependencies from the install. Fewer packages to audit and faster installs. (#499, #501, #502) - **GitHub App credential editor** — Creating a new GitHub App credential in the config editor now pre-populates host scopes (`github.com`, `api.github.com`, `*.githubusercontent.com`) and common permissions, reducing s | | `v0.21.1` | 2026-04-08 | High | ### Bug Fixes - **Conversation cleanup with container-created files** — Fixed `PermissionError` when deleting conversation directories containing files created inside rootless Podman containers (subordinate UID ownership). Cleanup now falls back to `podman unshare rm -rf` when `shutil.rmtree()` fails. (#486) - **Dashboard 404 during config reload** — Dashboard API endpoints for active conversations returned 404 when the repo was in `RELOAD_PENDING` or `RELOADING` state. Fixed the work-dire | ## Dependency audit - **Score**: 83/100 - **Total deps**: 9 - **Resolved**: 5 - **Unresolved**: 4 - **License conflicts**: 0 - **Warnings**: 4 - **Scanned**: 2026-05-18 ## Citation - HTML: https://www.freshcrate.ai/projects/airut - Markdown: https://www.freshcrate.ai/projects/airut.md - Dependencies JSON: https://www.freshcrate.ai/api/projects/airut/deps _Generated by freshcrate.ai. Indexes github releases for AI-agent ecosystem packages._