What broke
A routed EEG workspace exposed a bad habit in sciClaw. A Python analysis completed successfully, wrote the expected workbook, and then the agent appended a full dated run summary to memory/MEMORY.md: command inputs, output paths, byte counts, sheet names, row counts, validation status, and one unmatched event marker.
That felt useful for one run. It is poisonous as a system behavior. MEMORY.md is injected into context on future turns. If routine successes go there, every future request pays to reread stale execution receipts. The workbook, session history, job state, hook audit log, and output files already carry that record. Copying it into long-term memory makes the agent slower and less focused without making the science more reproducible.
The first fix was not enough
The early draft of this post said the answer was to tell the model about daily notes and route routine work there instead of MEMORY.md. That was still wrong. Daily notes are also injected for a few days. Moving execution spam from one injected file to another only delays the bloat.
The real issue was architectural: sciClaw had deterministic memory readers but no deterministic memory writer. The agent could mutate MEMORY.md with generic file tools, so memory became whatever the model guessed was worth preserving. That is too loose for scientific workspaces.
The real fix
sciClaw now has a narrow remember tool for long-term memory. It accepts only durable categories: user preferences, project conventions, canonical artifacts, method decisions, known recurring issues, open questions, and data provenance. It rejects execution-log categories and obvious routine-success text.
Generic mutation paths are blocked from touching memory/MEMORY.md. write_file, edit_file, and append_file refuse the write and tell the agent to use remember. The shell guard also blocks obvious bypasses like >> memory/MEMORY.md and tee -a MEMORY.md. Reading memory still works. Manual edits through the System tab still work. The agent just cannot quietly turn long-term memory into an activity log.
The prompts and workspace templates were tightened too. Hooks now mean audit logs, plans, reports, and artifacts, not memory. Daily notes are short-lived context, not a second execution ledger. The default MEMORY.md template no longer asks for runtime state or current objectives; it asks for stable decisions and provenance.
If your MEMORY.md is already bloated: delete routine dated run entries. Keep method choices, data provenance, project conventions, collaborator preferences, canonical artifact notes, open questions, and recurring problems that should change future work. The new system does not need old execution logs to function.
Commits
af5bc250 feat: enforce curated workspace memory
14a16a4c docs: add curated workspace memory RFC
bfa41cfd fix(agent): route execution logs to daily notes, not MEMORY.md
aff810c8 feat(agent): add Memory Policy to workspace template
Model update
Added gpt-5.5 to the OpenAI model list. Two lines in pkg/models/models.go. The model resolution already routes anything containing "gpt" to the OpenAI provider, so there is nothing else to change. Set it with sciclaw models set gpt-5.5.
Privacy scrub
A full scan of the repository found real Discord user and channel IDs in CLI usage examples in the README and docs. These were not credentials, but they did identify real people. Replaced all of them with obviously fake placeholder IDs. Also added *.key and *.pem to .gitignore so private key material cannot be accidentally committed.
No API keys, passwords, or email addresses were found in the git history. The scan checked for Resend keys, database passwords, Cloudflare tokens, and personal email addresses. All clean.
Mailing list
Set up a self-hosted Listmonk instance on hel2 for release announcements. It runs behind Caddy with security headers (X-Frame-Options, nosniff, referrer policy) and sends through AWS SES. The subscription form is embedded inline on the sciclaw.dev homepage so signing up does not require a page bounce.
Commits
a9059e68 feat(models): add gpt-5.5 + scrub real Discord IDs from docs
c0088fea feat(site): inline email signup in hero, no page bounce
1c94a632 copy: clean up hero text, kill redundancy, tighten signup
sciClaw sends outbound email through the Resend API. The from address was being wrapped in RFC 5322 display-name format: "sciClaw" <[email protected]>. Cloud Resend accepts this. Self-hosted Resend instances (like the one at resend.cincineuro.com) reject it as an invalid email.
The root cause was Go's mail.Address.String() producing angle brackets even when the display name was empty, plus the config loader silently defaulting the display name to "sciClaw" on every read. The fix sends the bare email address in all cases. The display name is cosmetic anyway: what the recipient sees is controlled by DKIM and SPF, not the API payload.
Verified on data3: test email to a real inbox delivered successfully from [email protected].
Commits
e289183d fix(email): send bare from address for self-hosted Resend compat
23Core Commits
3Repos
180+New Tests
0New Deps
What shipped
sciClaw can now host optional capabilities as installable addons. Each addon is a separate git repository with a manifest (addon.json), a sidecar binary that speaks HTTP over a Unix socket, and optional install scripts. The core binary stays lean. Scientists who do not need addons pay nothing for them.
Ten CLI commands handle the full lifecycle: install, enable, disable, uninstall, upgrade, verify, rollback, sbom, list, status. The gateway has a reconciler that spawns addon sidecar processes on startup and converges live state against the on-disk registry every ten seconds. The web UI injects tabs in the sidebar for each enabled addon.
Two reference addons
sciclaw-addon-webtop gives each scientist a full Ubuntu XFCE desktop in the browser via linuxserver/webtop and Docker. The workspace is bind-mounted into the container so the agent and the desktop see the same files. A React admin panel in the sciClaw web UI lets the operator add users, assign workspace mounts, and manage container state.
sciclaw-addon-jupyter gives each scientist a Jupyter Lab instance with token-based authentication. Tokens are stored as SHA-256 hashes. Plaintext is shown exactly once when a user is created and never persisted. Rotating the token invalidates the old URL immediately.
Both addons share the same workspace and user identity system. Adding a user in the webtop admin panel shows a dropdown sourced from /api/core/users, the same identity list that the chat routing and /theme profiles already use.
Security
The addon system went through two full security reviews that produced 14 findings. All but one (GPG tag signing, consciously deferred) were closed before the reference addons shipped. Mount sources are validated against an allowlist so a container cannot bind-mount the host root. Docker flag injection is blocked by a -- terminator before the image name. The web proxy only forwards safe paths (/ui/*, /control/*, /health, /version) to addon sidecars. Admin routes like /shutdown and /hook/* are reachable only over the Unix socket where sciClaw core owns the connection.
How it extends the base
The addon system sits on top of the existing routing and profile infrastructure without moving any of it. When a routing rule changes, core emits a routing_changed hook to every subscribed addon. The webtop addon catches that hook, recomputes mount sets per user, and restarts containers whose mounts changed. The agent and the desktop stay in sync because both watch the same workspace folder.
Notable commits
0ac4755e phase 1 data plane: manifest, registry, integrity, resolver
d2008e22 wave 2a runtime: lifecycle, sidecar, hooks
b165f97f wave 3a: CLI subcommand group
880c7000 wave 4d: gateway reconciliation control loop
9d013459 security hardening from wave 3 review
ec21f2ba security sweep round 2: proxy scope, payload leak, socket lockdown
29b8ec06 /api/core/users endpoint for addon identity dropdown