SQLite path injection, FTS5 query syntax, and reconnect deadlocks — all gone.
The SQLite store was trusting user input in ways that would make a freshman wince: question marks and hash characters in URI paths, empty table names sailing past validation, null bytes in path sanitization. @draix's #141, #142, and #140 close those doors. Meanwhile, reconnect logic could hold a lock indefinitely waiting on a socket that would never answer — #113 bounds that duration so the rest of the app keeps breathing.
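The three input classes named above (`?` and `#` in URI paths, empty table names, null bytes) can be closed with checks like the following. This is an added example, not code from the project or its PRs; the function names `sqliteUriFromPath` and `quoteTableName` and the sample inputs are hypothetical.

```javascript
// Added example with hypothetical helper names; not the project's own code.

// Build a SQLite URI filename from an untrusted path.
// In a "file:" URI, '?' starts the query string and '#' starts the fragment,
// so a raw path containing either can smuggle parameters such as mode= or vfs=.
function sqliteUriFromPath(path, params = {}) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new Error('empty database path');
  }
  if (path.includes('\0')) {
    // A NUL ends the name early once it reaches C string handling.
    throw new Error('NUL byte in database path');
  }
  const encoded = path
    .replace(/%/g, '%25') // first, so the escapes added below are not re-escaped
    .replace(/\?/g, '%3F')
    .replace(/#/g, '%23')
    .replace(/\/{2,}/g, '/');
  const query = new URLSearchParams(params).toString();
  return 'file:' + encoded + (query ? '?' + query : '');
}

// Table names cannot be bound as SQL parameters, so accept only a strict
// identifier pattern. It requires at least one character, so "" is rejected.
function quoteTableName(name) {
  if (typeof name !== 'string' || !/^[A-Za-z_][A-Za-z0-9_]{0,62}$/.test(name)) {
    throw new Error('invalid table name: ' + JSON.stringify(name));
  }
  return '"' + name + '"';
}

// Constructed inputs.
console.log(sqliteUriFromPath('/data/a?mode=memory#x.db', { mode: 'rw' }));
console.log(quoteTableName('messages'));
```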
One Keychain error code, interpreted as 'destroy everything', now handled gracefully.
When macOS returned errSecInteractionNotAllowed — the polite way of saying 'you're locked, try later' — CodexBar's KeychainCacheStore took it as a signal to wipe itself clean. @steipete's #594 catches that specific error and backs off instead of self-destructing. Separately, v0.21 lands Abacus AI provider support, Opus 4.7 pricing via #734, and a fix for menu bar icons vanishing on macOS 26 by avoiding RenderBox-triggering SwiftUI effects.
Schema says string, CLI said 'looks like a number to me', Slack said '404'.
Slack's thread_ts parameter is a decimal timestamp that must remain a string, but mcporter's key=value argument coercion was helpfully parsing it to a number. #141 now respects the schema's declared string type before reaching for parseFloat. v0.9.0 also adds per-server tool filtering via #142 — allowedTools and blockedTools at config time — and fixes Windows OAuth URLs losing their query parameters when cmd.exe swallows the unquoted string (#136).
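The coercion order described above, sketched as an added example that is not mcporter's code: the schema's declared type is consulted first, and numeric guessing is only the fallback for undeclared keys. The schema, function names and argument values are constructed for illustration.

```javascript
// Added example with hypothetical names; not mcporter's own code.

// Constructed JSON Schema for a tool's input; thread_ts is declared a string.
const replySchema = {
  properties: {
    channel: { type: 'string' },
    thread_ts: { type: 'string' },
    limit: { type: 'integer' },
    broadcast: { type: 'boolean' },
  },
};

// Coerce one raw CLI value, consulting the declared type before guessing.
function coerceValue(raw, declaredType) {
  const n = Number(raw);
  const numeric = raw.trim() !== '' && Number.isFinite(n);
  switch (declaredType) {
    case 'string':
      return raw; // never reinterpret: "1712345678.000200" stays as typed
    case 'integer':
    case 'number':
      if (!numeric || (declaredType === 'integer' && !Number.isInteger(n))) {
        throw new Error(`expected ${declaredType}, got ${JSON.stringify(raw)}`);
      }
      return n;
    case 'boolean':
      if (raw !== 'true' && raw !== 'false') {
        throw new Error(`expected boolean, got ${JSON.stringify(raw)}`);
      }
      return raw === 'true';
    default:
      return numeric ? n : raw; // undeclared: fall back to guessing
  }
}

// Parse key=value pairs; only the first '=' separates key from value.
function parseArgs(pairs, schema) {
  const out = {};
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    if (eq <= 0) throw new Error(`expected key=value, got ${JSON.stringify(pair)}`);
    const key = pair.slice(0, eq);
    out[key] = coerceValue(pair.slice(eq + 1), schema?.properties?.[key]?.type);
  }
  return out;
}

// Constructed arguments. Guessing would yield 1712345678.0002 for thread_ts.
console.log(parseArgs(['channel=C0123', 'thread_ts=1712345678.000200', 'limit=5'], replySchema));
```

Round-tripping the timestamp through a number drops its trailing zeros, so the value sent no longer matches the original string.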
Away mode, side-aware targeting, and OAuth that survives household switches.
Eight Sleep's API exposes two sides of the bed, but eightctl treated the mattress as a monolith. #35 adds --side targeting and trends telemetry; #26 introduces vacation (away) mode. The real headache was OAuth: switching household userIDs invalidated the cached token. #37 now caches per-user, and #36 fixes IANA timezone lookups that were quietly failing.
TLS delegate mismatch, stale extension tokens, and port ranking — three ways to fail before breakfast.
Antigravity changed its localhost endpoint layout, and CodexBar's probe kept knocking on the old door. #727 updates the TLS delegate, refreshes extension token extraction, and reorders port ranking so the probe actually finds a listener. Separately, #723 handles fnm-managed Gemini OAuth config discovery, and #712 updates Alibaba's China mainland RPC endpoint.
A pending PR wires CodexBar into the lobster-themed assistant's credential store.
Open PR #720 proposes letting OpenClaw handle LM provider credentials — a secure handoff so CodexBar doesn't store secrets itself. Also in flight: #741 adds a fallback when Claude's OAuth response omits the five_hour window, and #728 extracts OAuth credentials from bundled Gemini CLI layouts.
Hardened flows for the connector nobody asked for but everyone uses.
The Teams connector had security-sensitive code paths that weren't as defensive as they should be. #65841 hardens those flows — the PR title is intentionally vague, but the diff tightens input validation and token handling in the OAuth dance.
Remote authentication via --phone flag is waiting in the wings.
QR codes are fine until you're SSHed into a headless box. Open PR #184 adds a --phone flag for remote pairing, skipping the camera entirely. Also pending: #166 promises webhook robustness improvements, and #157 polishes message context output.
| openclaw/openclaw | ★★★★★★★★★★ | 363,022 |
| CodexBar | ★☆☆☆☆☆☆☆☆☆ | 11,115 |
| mcporter | ★☆☆☆☆☆☆☆☆☆ | 4,155 |
| wacli | ★☆☆☆☆☆☆☆☆☆ | 2,103 |
| oracle | ★☆☆☆☆☆☆☆☆☆ | 2,015 |
| imsg | ★☆☆☆☆☆☆☆☆☆ | 1,024 |
| homebrew-tap | ★☆☆☆☆☆☆☆☆☆ | 74 |
| eightctl | ★☆☆☆☆☆☆☆☆☆ | 64 |