NEXO 7.9.17 — security gate + restart fix
Published 2026-04-24. Patch release over v7.9.16.
v7.9.17 is the publication build for the restart-marker recovery work. It keeps the high-severity Bandit security gate green by marking the continuity snapshot SHA-1 digest as non-security usage while preserving stable idempotency keys.
Why this patch exists
Continuity snapshots use a deterministic digest to deduplicate repeated writes for the same conversation/session/event payload. That is not a security boundary, so Python's hashlib.sha1(..., usedforsecurity=False) is the correct contract and keeps CI strict without changing stored key semantics.
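The sketch below is an added example, not NEXO's own code: it derives a deduplication key with `usedforsecurity=False` and checks against the standard SHA-1 test vector for "abc" that the flag leaves the digest unchanged, which is why previously stored keys stay valid. The field names, the canonical JSON layout, and the `SnapshotStore` class are assumptions made for illustration.

```python
import hashlib
import json


def snapshot_key(conversation_id: str, session_id: str, event: dict) -> str:
    """Deterministic idempotency key for one snapshot (assumed field layout)."""
    # Canonical JSON: sorted keys and fixed separators, so equal payloads
    # always serialize to the same bytes regardless of dict ordering.
    canonical = json.dumps(
        {"conversation": conversation_id, "session": session_id, "event": event},
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")
    # usedforsecurity=False declares dedup-only use (Python 3.9+).
    # The digest bytes are ordinary SHA-1.
    return hashlib.sha1(canonical, usedforsecurity=False).hexdigest()


class SnapshotStore:
    """In-memory stand-in (hypothetical) for a store keyed by idempotency key."""

    def __init__(self) -> None:
        self.rows: dict[str, dict] = {}

    def write(self, conversation_id: str, session_id: str, event: dict) -> bool:
        key = snapshot_key(conversation_id, session_id, event)
        if key in self.rows:
            return False  # repeated write for the same payload: skipped
        self.rows[key] = event
        return True


def flag_preserves_digest() -> bool:
    """Compare against the standard SHA-1 test vector for b"abc"."""
    expected = "a9993e364706816aba3e25717850c26c9cd0d89d"
    return hashlib.sha1(b"abc", usedforsecurity=False).hexdigest() == expected


def demo() -> tuple[list[bool], int]:
    """Constructed sample writes: a duplicate with reordered keys, then a new session."""
    store = SnapshotStore()
    results = [
        store.write("conv-1", "sess-1", {"type": "message", "seq": 1}),
        store.write("conv-1", "sess-1", {"seq": 1, "type": "message"}),
        store.write("conv-1", "sess-2", {"type": "message", "seq": 1}),
    ]
    return results, len(store.rows)


if __name__ == "__main__":
    print(demo(), flag_preserves_digest())
```

The flag changes what linters such as Bandit and FIPS-restricted Python builds accept, not the hash value, so it fits only where the digest is a lookup key and never an integrity or authenticity check.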
Includes the v7.9.16 restart-marker fix
Restart-required markers now target only active interactive clients, nexo_startup stays reachable during recovery, and identified clients auto-ack after restart when installed and process versions match.
Verification
Release validation includes the full pytest suite, release-readiness, Bandit high/high, root npm pack, and OpenClaw build/test/pack before publication.