v0.20.0a2

• Merge pull request #194 from bbrowning/paude-connect-openshift
• Fix paude connect failing to attach to headless OpenShift sessions

v0.20.0a1

• Merge pull request #193 from bbrowning/unauth-git-pulls-fix
• Update paude-proxy to e990bd7 to fix unauthenticated git pulls
• Merge pull request #192 from bbrowning/git_ssl_cainfo
• Add GIT_SSL_CAINFO to proxy environment variables
• Merge pull request #187 from bbrowning/remove-agent-config-sync
• Remove stale _syncer_instance mock from upgrade test
• Fix K8s ConfigMap session crash loop in headless mode
• Fix K8s upgrade test timeout by skipping agent installation
• Fix K8s pod startup failure when host has no git config
• Remove orphaned seed copy tests and fix Podman integration test
• Replace post-apply config sync with pre-mounted ConfigMap
• Remove agent config directory syncing from both backends
• Merge pull request #186 from bbrowning/gitops-migration-plan
• Add ARCH-001 GitOps migration tracking and remove resolved known issues
• Merge pull request #185 from bbrowning/paude-proxy-podman-secrets
• Use podman native secrets for proxy container credentials
• Merge pull request #184 from bbrowning/golang-paude-proxy
• Fix K8s integration test broken by PAUDE_PROXY_ALLOWED_CLIENTS env var ordering
• Add DNS-based PAUDE_PROXY_ALLOWED_CLIENTS and update paude-proxy version
• Fix TLS failure on non-CentOS agent images (Debian, Alpine)
• Add ingress NetworkPolicy to restrict proxy access to session's agent pod
• Fix Podman integration tests by making proxy creation conditional on proxy_image
• Update paude-proxy to latest version
• Fix type contract violations after credential injection removal
• Remove all credential injection from agent containers
• Fix proxy 401 after idle by returning 502 on token failure and enabling Node.js proxy
• Fix GCP token refresh by updating paude-proxy to fix canceled context bug
• Pin paude-proxy to specific commit SHA
• Pass GCP ADC as env var to fix proxy credential timing race
• Fix proxy CA cert unreadable by agent due to chmod 600
• Fix agent IP mismatch and replace update-ca-trust with custom CA bundle
• Fix ECDSA key format for proxy CA and clean up CA volume on upgrade
• Fix N+1 API calls, leaky abstractions, and missing timeout in certs module
• Pre-generate CA cert and use K8s Secrets for proxy coordination
• Optimize CA cert injection and deduplicate path constants
• Clean up squid remnants, deduplicate CA cert constants, and remove dead code
• Deduplicate proxy credential gathering and session startup sequence
• Add test coverage for source IP filtering (allowed_clients)
• Remove squid references and rename to generic proxy terminology (Phase 7 of paude-proxy migration)
• Add CA cert verification after proxy recreate (Phase 6 of paude-proxy migration)
• Add source IP filtering and remove credential watchdog (Phase 5 of paude-proxy migration)
• Relocate credentials to proxy container (Phase 4 of paude-proxy migration)
• Add CA certificate distribution for paude-proxy MITM (Phase 3 of paude-proxy migration)
• Replace squid with paude-proxy (Phase 2 of paude-proxy migration)
• Remove squid ACL formatting logic (Phase 1 of paude-proxy migration)
• Merge pull request #183 from bbrowning/remove-starting-agent-log
• Remove noisy "Starting agent" log line from create output

v0.15.0

Paude v0.15.0 Release Notes

Highlights

OpenClaw Agent Support

Paude now supports OpenClaw as a fully integrated agent alongside Claude Code, Cursor, and Gemini CLI. OpenClaw sessions include automatic auth token URL display on connect, hardened default configuration, and --yolo flag support for tool approval control.

OpenTelemetry Observability

New --otel-endpoint flag enables exporting telemetry data from agent sessions. OTEL support works across both Podman and OpenShift backends, with automatic proxy-aware SDK patching for Gemini CLI and OpenClaw agents, cumulative temporality, and 30-second export intervals.

In-Place Session Upgrades

The new paude upgrade command lets you upgrade running sessions without recreating them. Upgrades handle proxy image updates, session reconfiguration, and bind mount refreshes — on both Podman and OpenShift backends.

Inference Provider Abstraction

A new --provider flag abstracts inference provider configuration, making it easy to switch between different model providers without changing agent-specific settings.

Headless Mode Improvements

Sessions created with headless mode now auto-start agents on paude create, and --git sessions correctly start the agent after the git push completes, eliminating previous timeout issues.

Port Forwarding

Port-forward support has been added for the Podman backend (previously OpenShift-only), with improved logging, automatic restart on transient connection failures, and proper cleanup of zombie processes.

---

All Changes

New Features

• Add OpenClaw as a supported agent (#147)
• Add OpenTelemetry export support via --otel-endpoint flag (#159)
• Add paude upgrade command to upgrade sessions in place (#130)
• Add --provider flag for inference provider abstraction (#151)
• Add port-forward support for Podman backend (#153)
• Add agent-provided base images and fix container config paths (#152)
• Add session reconfiguration support to upgrade command (#162)
• Auto-start agents in headless mode on session create (#165)
• Add Gemini CLI OTEL proxy support via SDK patching (#159)
• Add cumulative temporality and 30s export interval for OTEL metrics (#159)
• Add port-forward logging and death detection for OpenShift backend (#159)
• Show OpenClaw auth token URL on connect and wait for user acknowledgement (#148)
• Allow session and build resources to be configured in defaults.json (#139)
• Preserve agent session history across container restarts (#140)
• Execute devcontainer postCreateCommand after session creation (#166)
• Add /commit skill to delegate commit message writing to Sonnet (#146)
• Add /audit-docs skill and fix documentation inaccuracies (#144)

Improvements

• Harden OpenClaw default config and wire --yolo flag to tool approvals (#171)
• Improve OpenClaw out-of-the-box experience (#149)
• Enable OpenClaw OTEL diagnostics with proxy-aware SDK patching (#163)
• Auto-restart oc port-forward on transient connection failures (#164)
• Unify backend exception hierarchy and split cli/commands.py (#141)
• Extract shared BaseConfigSyncer for Podman and OpenShift config sync (#130)
• Eliminate shell/Python duplication in entrypoint and proxy scripts (#143)
• Move CLAUDE.md to repo root and restructure into AGENTS.md with progressive disclosure (#142)
• Preserve base image PATH when using custom base images (#134)
• Update commit skill to enforce 72-character line wrapping (#150)
• Change default OpenClaw Vertex model from Opus to Sonnet (#173)
• Disable service account token and service links in OpenShift pods (#177)
• Add useful default domains to paude's own paude.json (#160)
• Update README prerequisites and feature OpenClaw more prominently (#158)
• Remove noisy "Starting agent" log line from create output (#183)

Bug Fixes

• Fix sandbox config not delivered to OpenShift pods on start (#181)
• Fix proxy image not updated during OpenShift upgrade in non-dev mode (#179)
• Stop rewriting host project paths in .claude.json (#178)
• Fix OpenShift proxy image to use versioned tag and registry env var (#176)
• Fix OpenShift build failure for non-default base images (#175)
• Fix OTEL ports missing from squid.conf on OpenShift (#172)
• Fix --git session hanging when not in a git repository (#170)
• Remove OTEL_LOG_LEVEL=debug from OpenClaw agent config (#169)
• Fix PAUDE_GITHUB_TOKEN not passed to headless agent in Podman containers (#168)
• Fix --git session creation timeout by starting agent after git push (#167)
• Fix proxy and image updates during OpenShift upgrade (#163)
• Fix port-forward cleanup and zombie process detection (#161)
• Fix port-forward proxy shutdown and flaky test cleanup (#154)
• Fix misleading port-forward message during paude create (#154)
• Fix proxy DNS resolution for cluster-internal OTEL endpoints (#159)
• Fix DNS resolution for Podman containers on internal networks (#137)
• Fix new tmux panes opening in /pvc instead of /pvc/workspace (#135)
• Fix spurious plugin sync warnings for non-Claude agents (#156)
• Fix seed copy tests failing on macOS due to GNU-specific cp flags (#155)
• Fix Podman config sync: respect excludes and sync global gitignore (#130)
• Fix multiple issues with paude upgrade (#138)

CI & Testing

• Update GitHub Actions to Node.js 24-compatible versions (#174)
• Fix astral-sh/setup-uv version: v8 tag doesn't exist, use v7 (#174)
• Add integration tests for paude upgrade on Podman and OpenShift (#130)
• Fix flaky PVC assertion in Kubernetes integration test (#180)
• Isolate unit tests from workspace config files (#161)
• Document pre-release process in contributing guide (#157)

Contributors

• Ben Browning
• Gabriel Montero
• John Collier
• Michael Hess

v0.15.0rc6

• Merge pull request #181 from bbrowning/sandbox-config-openshift
• Fix sandbox config not delivered to OpenShift pods on start
• Merge pull request #180 from bbrowning/fix-flaky-pvc-assertion-kube-integ
• Fix flaky PVC assertion in Kubernetes integration test

v0.15.0rc5

• Merge pull request #179 from bbrowning/fix-proxy-image-releases-paude-upgrade
• Fix proxy image not updated during OpenShift upgrade in non-dev mode

v0.15.0rc4

• Merge pull request #178 from bbrowning/stop-rewriting-host-paths-claude-json
• Merge pull request #177 from bbrowning/disable-k8s-service-account-links
• Stop rewriting host project paths in .claude.json
• Disable service account token and service links in OpenShift pods

v0.15.0rc3

• Merge pull request #176 from bbrowning/proxy-image-version-fix
• Fix OpenShift proxy image to use versioned tag and registry env var

v0.15.0rc2

• Merge pull request #175 from bbrowning/openshift-build-scripts-missing
• Fix OpenShift build failure for non-default base images (e.g. openclaw)
• Merge pull request #174 from bbrowning/github-actions-node-24
• Fix astral-sh/setup-uv version: v8 tag doesn't exist, use v7
• Update GitHub Actions to Node.js 24-compatible versions

v0.15.0rc1

What's Changed

• consolidate openshift/podman file copy (address SELinux issues with fedora et. al.) by @gabemontero in #120
• Add paude upgrade command to upgrade sessions in place by @bbrowning in #130
• Preserve base image PATH when using custom base images by @GrimmiMeloni in #134
• Fix DNS resolution in podman containers on internal networks by @bbrowning in #136
• Fix new tmux panes opening in /pvc instead of /pvc/workspace by @bbrowning in #135
• Fix DNS resolution for Podman containers on internal networks by @bbrowning in #137
• Fix multiple issues with paude upgrade by @bbrowning in #138
• Allow session and build resources ato be configured in defaults.json by @johnmcollier in #139
• Exclude container-runtime directories from host config sync by @bbrowning in #140
• Unify backend exception hierarchy and split cli/commands.py by @bbrowning in #141
• Move CLAUDE.md to repo root and restructure into AGENTS.md with progressive disclosure by @bbrowning in #142
• Add /audit-docs skill and fix documentation inaccuracies by @bbrowning in #144
• Eliminate shell/Python duplication in entrypoint and proxy scripts by @bbrowning in #143
• Fix documentation inaccuracies found during audit by @bbrowning in #145
• Add commit skill to delegate commit message writing to Sonnet by @bbrowning in #146
• Add OpenClaw as a supported agent by @bbrowning in #147
• Show OpenClaw auth token URL on connect and wait for user acknowledgement by @bbrowning in #148
• Improve openclaw out-of-the-box experience by @bbrowning in #149
• Update commit skill to enforce 72-character line wrapping by @bbrowning in #150
• Add --provider flag for inference provider abstraction by @bbrowning in #151
• Add agent-provided base images and fix container config paths by @bbrowning in #152
• Add port-forward support for Podman backend by @bbrowning in #153
• Fix misleading port-forward message during paude create by @bbrowning in #154
• Fix seed copy tests failing on macOS due to GNU-specific cp flags by @bbrowning in #155
• Fix spurious plugin sync warnings for non-Claude agents by @bbrowning in #156
• Document pre-release process in contributing guide by @bbrowning in #157
• readme updates for openclaw by @bbrowning in #158
• Add OpenTelemetry metrics export support by @bbrowning in #159
• Add some useful default domains to paude's own paude.json by @bbrowning in #160
• Fix port-forward cleanup and zombie process detection by @bbrowning in #161
• Add session reconfiguration support to upgrade command by @bbrowning in #162
• Enable OpenClaw OTEL diagnostics with proxy-aware SDK and log transport patching by @bbrowning in #163
• Auto-restart oc port-forward on transient connection failures by @bbrowning in #164
• Auto-start agents in headless mode on session create by @bbrowning in #165
• Fix --git session creation timeout by starting agent after git push by @bbrowning in #167
• Execute devcontainer postCreateCommand after session creation by @GrimmiMeloni in #166
• Fix PAUDE_GITHUB_TOKEN not passed to headless agent in Podman containers by @bbrowning in #168
• Remove OTEL_LOG_LEVEL=debug from openclaw agent config by @bbrowning in #169
• Fix --git session hanging when not in a git repository by @bbrowning in #170
• Harden OpenClaw default config and wire --yolo flag to tool approvals by @bbrowning in #171
• Fix OTEL ports missing from squid.conf on OpenShift by @bbrowning in #172
• Change default openclaw vertex model from opus to sonnet by @bbrowning in #173

New Contributors

• @gabemontero made their first contribution in #120
• @GrimmiMeloni made their first contribution in #134
• @johnmcollier made their first contribution in #139

Full Changelog: v0.14.2...v0.15.0rc1

v0.14.2

What's Changed

• Bundle container entrypoints in wheel and install tini in custom Dockerfiles by @bbrowning in #131
• Improve tini installation in custom Dockerfiles by @bbrowning in #133

Full Changelog: v0.14.1...v0.14.2