Follow us on to be up to date with the latest changes.
v1.42.1
Elements
// July 13, 2026
Claude Fable 5 and GPT-5.6 arrive in the model picker
Chat surfaces built with Elements now offer the newest models. The picker adds Claude Fable 5 and the GPT-5.6 series, retires deprecated models, and defaults to Claude Sonnet 5 — with safer fallbacks so a de-listed model never silently resolves to a premium one.
Features
Refreshed model list#4128 - The model picker adds Claude Fable 5 and the GPT-5.6 series (Sol, Terra, and Luna), marks premium models with an Expensive badge, and removes deprecated models like Claude Sonnet 4, GPT-4.1, o3, and Gemini 2.5. (Author: @simplesagar)
Bug fixes
Predictable defaults and fallbacks#4130 - Elements now uses an explicit Claude Sonnet 5 default model, and unknown or de-listed models resolve to pinned per-provider fallbacks instead of silently landing on the most expensive model. (Author: @simplesagar)
One hooks binary for Claude Code, Cursor, and Codex — plus the latest models and a faster dashboard
Hook-based observability now runs on a single purpose-built binary:
receives coding-agent hook events from Claude Code, Cursor, and Codex, relays them to Gram, and enforces policy decisions like shadow MCP blocking — replacing the previous bash senders. Organizations also get control over interactive sign-in (published plugins no longer open a browser unless an admin opts in), the model picker gains Claude Fable 5 and the GPT-5.6 series, and the dashboard is noticeably faster for projects with many toolsets.
Features
The speakeasy-hooks binary#3889 - A single Go binary now handles coding-agent hook events end to end: it receives events from Claude Code, Cursor, and Codex, relays them to the platform, enforces server policy decisions such as shadow MCP blocking, and can recover authentication mid-session with its own browser sign-in. (Author: @danielkov)
Browser sign-in is opt-in per organization#4009 - Published hook plugins no longer open a browser by default: they authenticate with explicitly configured credentials, a previously cached key, or the organization-wide key, and the login helper prints manual setup instructions instead. Org admins can re-enable interactive browser sign-in from the org settings page. (Author: @danielkov)
Claude Fable 5 and GPT-5.6 in the model picker#4128 - The model list adds Claude Fable 5 and the GPT-5.6 series (Sol, Terra, and Luna), marks premium models with an Expensive badge instead of a label suffix, and removes deprecated models like Claude Sonnet 4, GPT-4.1, and Gemini 2.5. (Author: @simplesagar)
Guaranteed user identity on remote and tunneled MCP servers#4069 - Every remote and tunneled MCP server now gets a user session issuer minted at creation that lasts for the server's lifetime and can't be supplied, stripped, or swapped through the API — enforced at the database level — so user session identity on these servers is always trustworthy. (Author: @ThomasRooney)
Local assistant runtime for development#4118 - Assistant runtimes can now run locally: a new
runtime provider starts one Docker container per assistant on demand, reuses it across turns, and swaps in rebuilt images automatically — no Fly.io credentials or registry pushes needed to develop runtime images. (Author: @danielkov)
Codex in example agent lists#4107 - Risk policies, logging, insights, and the connect-server dialog now include Codex alongside Claude Code and Cursor in their example agent copy. (Author: @danielkov)
Judge timeout observability#3912 - Internal: prompt-injection and LLM judge timeouts now surface as a dedicated outcome metric with retuned duration histograms, improving operational visibility into risk scanning. (Author: @linear-code)
Token usage forwarded to PostHog#4106 - Internal: each organization's tokens-under-management usage is forwarded to PostHog hourly for product analytics. (Author: @daviddanialy)
Bug fixes
Faster dashboard for projects with many toolsets#4007 - Listing toolsets used to issue 11+ database round trips per toolset, taking seconds for busy projects and slowing the dashboard home page. Queries are now batched into a fixed ~10 round trips regardless of toolset count. (Author: @alx-xo)
Faster project overview#4104 - The project overview loads faster by running its independent aggregations concurrently and computing chat resolutions in a single pass. (Author: @walker-tx)
Predictable model fallbacks#4130 - De-listed or unknown models now resolve to pinned per-provider fallbacks instead of silently landing on a premium model, and Elements gets an explicit Claude Sonnet 5 default. (Author: @simplesagar)
Default plugin identified reliably#4125 - The dashboard now identifies an org's fallback plugin by the API's
flag instead of matching on the "Default" name, so renamed plugins no longer confuse onboarding and plugin pages. (Author: @adaam2)
No more spurious access denials in diagnostics#4109 - The chat session list's visibility check no longer records an authorization challenge for members without the chat read grant, which previously polluted access diagnostics with denials on every page load. (Author: @linear-code)
Project Assistant replies link straight to the dashboard
When the Project Assistant mentions a toolset, server, or other project entity, the reply now links directly to that entity's dashboard page — no more hunting for the thing the assistant just described. This release also moves the package to ESM only.
Features
Linked entities in assistant replies#3739 - Entities mentioned in Project Assistant replies are rendered as links to their dashboard pages, styled in Moonshine blue with an external-link icon, so you can jump from an answer to the resource it references in one click. (Author: @adaam2)
ESM-only package#4013 - The package drops CommonJS support and ships as ESM only. Note this is a breaking change for consumers still importing via
Break down token usage by billing cycle and see who's running the device agent
The billing page now answers "where did the tokens go?" in detail: pick any billing cycle and slice org-wide usage by token type, risk involvement, or analytics dimensions, then drill into any date range on the chart. Admins also get visibility into device agent adoption — the Employee Enrollment table shows whether each member's agent is checking in — and agent sessions now display the personal AI account email behind each session, not just the attributed work email.
Features
Token usage breakdown on the billing page#3973 - A billing-cycle picker scopes a new Token usage panel to any contracted cycle. The stacked chart slices org-wide tokens by type (input, output, cache read, cache write), risk involvement, or analytics dimensions, with daily, weekly, and monthly granularity and a cumulative view. Click or drag across bars to drill into a range, type a custom period in natural language, and read per-metric cycle totals with sparklines in the details table below. Finalized cycles are served from durable billing snapshots, so historical numbers stay stable. (Author: @daviddanialy)
Device agent status on Employee Enrollment#4066 - An admin-only Device Agent column shows whether each member's Speakeasy device agent is Active, Stale, or Not Enrolled, refreshes every 30 seconds, and is sortable — so it's easy to spot who is (or isn't) running the agent right next to their telemetry enrollment. (Author: @bradcypert)
AI account email on agent sessions#3943 - Session list rows, transcript user messages, and the session details popover now show the email of the personal AI account behind a session (e.g. a Gmail on a Claude Max plan) alongside the attributed employee's work email. Attribution is also deterministic: the device-enrolled work email always takes precedence over the account's self-reported email. (Author: @daviddanialy)
External credentials management API#3911 - Manage the AWS and GCP IAM credentials Gram uses to authenticate into a customer cloud account through a new organization-scoped API, with per-provider create, update, get, and delete plus a filterable list. Access is gated on org roles and every change is audited. (Author: @bflad)
Safer hook sign-in#3957 - Browser login for hooks now delivers the minted API key to the local listener as a form POST instead of a callback URL parameter, keeping the key out of browser history and request logs, and the sign-in tab closes itself once authentication completes. (Author: @danielkov)
Observe pages restricted to org admins#3922 - The Observe section (Costs, MCP & Tools Insights, Employee Enrollment, Agent Sessions, and Tool Logs) is now gated on the org admin role, so basic members see an access-restricted notice instead of org-wide telemetry. (Author: @mfbx9da4)
Issuer documentation links#4055 - Issuer discovery now captures RFC 8414 service documentation, policy, and terms-of-service URLs and surfaces them on remote session issuers across the project, organization, and admin views. (Author: @bflad)
Reorganized remote sessions management API#3955 - The org-admin remote sessions service is split into per-resource services for issuers, clients, and sessions, mirroring the project-scoped layer. Note this is a breaking change for the management API and SDK: method names drop their redundant resource suffix (e.g.
Billing charts match billed totals#4061 - The billing page's headline chart and every breakdown (model, user, division, role, source, token type) now read the billed population directly, instead of org-wide analytics aggregates that could overstate usage by orders of magnitude. (Author: @daviddanialy)
Tool Logs status filtering#3975 - The response status filter now applies at the trace level, so status-less rows no longer leak successful traces into "Non-2xx responses", and the Tool Logs page gains a first-class Error, Success, Blocked, and Pending status filter. (Author: @simplesagar)
Employee session counts from telemetry#3946 - The Agent Sessions card on the employee detail page now counts distinct sessions from telemetry instead of an email substring match against mirrored chats, so the number is consistent with every other metric on the page. (Author: @linear-code)
Deleted MCP servers keep their tool-usage classification#4040 - A managed server's usage history no longer flips to shadow MCP classification once the server is deleted or recreated. (Author: @linear-code)
Confirm before deleting a risk policy#3863 - Deleting a risk policy now asks for confirmation instead of removing it immediately. (Author: @alx-xo)
Redesigned Plugins pages, MCP server readiness checks, and custom headers for remote servers
Distributing MCP servers to your team is now much clearer. The Plugins pages show the real state of your marketplace setup with direct calls to action, a single install dropdown covers both GitHub and zip installation, and a new readiness bar on each MCP server page tells you exactly what's left before the server is usable — URL, authentication, source, and plugin membership. Remote MCP servers also gain a header management API for passing custom headers upstream.
Features
Redesigned Plugins pages#4003 - The marketplace card now reflects real setup state: until the marketplace repo exists and a collaborator has accepted their GitHub invite, it shows a "Not published" state with Publish now and Add collaborators calls to action. A single Install dropdown (GitHub installation via marketplace, or direct zip download) replaces the old split button on both the Plugins index and detail pages, and zip downloads work even before the marketplace is set up. The Default plugin gets its own badge and description. (Author: @adaam2)
MCP server readiness bar#4003 - Each MCP server page gains a collapsible readiness summary covering Server URL, Authentication, Source, and Included in Plugin status, with links to fix each item — so it's obvious what stands between a server and its users. (Author: @adaam2)
Custom headers for remote MCP servers#4075 - A new header management API lets remote MCP servers carry custom headers, so upstream servers that expect extra headers can be connected without workarounds. (Author: @bflad)
Clearer billing model breakdown#4071 - The billing page's model breakdown now separates the Risk Policy Analysis Model — the platform's own risk-scanning inference, the metered unit of tokens-under-management contracts — from the Completion Model used by chat surfaces like the playground and Slack. Risk-analysis inference is attributed to the scanned user, so user, role, and division breakdowns report whose traffic was analyzed. (Author: @daviddanialy)
Hooks install from your org's marketplace#4017 - The hooks setup dialog's Claude Code instructions now install from your organization's published plugin marketplace, with copyable commands and managed-settings snippets, instead of a public repository that carried no credentials. (Author: @danielkov)
Bug fixes
Remote MCP servers join the Default plugin reliably#4003 - MCP servers now attach to the Default plugin when they're enabled, so remote servers (which start disabled) no longer fail with "mcp server is disabled or has no published endpoint" when added. Adding a second endpoint to an already-attached server works, endpointless servers are hidden from the plugin's add-server picker, and removing a server's last address asks for confirmation. (Author: @adaam2)
Accurate employee enrollment stats#4094 - The enrollment page no longer shows 0 tokens and stale activity for employees whose telemetry rows split across identity keys: usage rows carrying a user ID but no email now merge into the employee's summary, and role breakdowns resolve those users instead of bucketing them as Unassigned. (Author: @daviddanialy)
Faster toolset listing#4089 - Listing toolsets no longer rebuilds every platform tool descriptor per tool, significantly cutting latency for projects with large toolsets. (Author: @walker-tx)
See who created each chat and browse teammates' threads read-only
Shared chat histories are now easier to navigate as a team. Each thread and user turn can show who wrote it — name and avatar included — and opening a thread someone else created shows a read-only transcript instead of a composer that would fail on send.
to a displayable name and avatar, shown on thread-list rows and above each user turn in the transcript. The dashboard wires this up for the Project Assistant using its existing org member list, so no identity data is fetched from inside Elements itself. User message bubbles also get an iMessage-style blue treatment. (Author: @adaam2)
Read-only view of threads you don't own#3931 - An opt-in
callback reports whether the caller owns a thread, and the composer is hidden for threads they didn't create. Admins opening another member's chat now see a read-only transcript instead of a "chat not found" error on send. (Author: @adaam2)
Bug fixes
Chat MCP tools restored#3831 - Chat MCP tool connections no longer fail with an "Illegal invocation" fetch error that left chats without their configured MCP tools. Opening a chat via a shared
URL also reliably restores the linked conversation instead of sometimes landing on a new empty thread. (Author: @danielkov)
One-click dismissal for the time range picker#3862 - Clicking outside the
while its input is in edit mode now exits editing and closes the dropdown in a single click. Typed-but-uncommitted text no longer makes the dropdown undismissable and is discarded on outside click. (Author: @daviddanialy)
Test prompt guardrails against real chats, flag personal AI accounts, and attach remote MCP servers to assistants
Policy authors can now prove a prompt guardrail works before rolling it out: a new evaluation workbench replays real chat transcripts through a policy and shows per-message judge verdicts, with verdicts saved as regression sets for future changes. A new Non-Corporate Accounts risk policy flags sessions authenticated with personal AI accounts or unapproved email domains, and assistants can now connect directly to remote MCP servers alongside their toolsets.
Features
Policy evaluation workbench for prompt guardrails#3924 - Replay real chat transcripts through a prompt guardrail and see per-message judge verdicts with cost and latency details before enforcing the policy. Reviewer verdicts can be saved, listed, and deleted as regression sets, so a policy edit can be checked against past decisions instead of guesswork. CEL scopes are supported in replay. (Author: @vishalg0wda)
Flag sessions from personal AI accounts#3861 - A new Non-Corporate Accounts risk-policy category flags sessions authenticated with a personal AI account or with an AI-account email domain outside an approved list you configure. Findings appear once per session on the Risk Events page, and the approved-domains list is editable in the Policy Center's Customize sheet. (Author: @daviddanialy)
Attach remote MCP servers to assistants#3831 - Assistants can now connect directly to MCP servers, including remote (external SaaS) and tunneled servers that aren't backed by a Gram toolset. The assistant setup chat can list the project's MCP servers and attach one by name, and the assistant's runtime connects to it alongside its toolsets. (Author: @danielkov)
Self-serve sign-in for hook plugins#3824 - Connecting the hooks plugin no longer requires Python or manual API key setup. On session start the plugin opens the Gram dashboard in a browser, receives a hooks-scoped API key on a localhost callback, and caches it per device. Machines that have never signed in aren't blocked — sessions proceed with a warning, and enforcement only becomes strict after the first successful sign-in. (Author: @danielkov)
Track skill activations in Codex sessions#3896 - Opening a skill's SKILL.md or mentioning a skill by name in a Codex session now surfaces as
events in observability, matching the visibility already available for Claude Code sessions. (Author: @danielkov)
Email org admins when an access request is submitted#3221 - Org admins now get an email when a new access request comes in, so requests are noticed and approved without anyone having to watch the dashboard. (Author: @alx-xo)
See which account an employee used last#3909 - The Employees page's Last Activity column now shows the most recently used AI account as a dropdown, with icons distinguishing team accounts from personal ones (#3858 by @chase-crumbaugh). (Author: @daviddanialy)
Refresh list pages in place#3860 - Catalog, MCP, Agent Sessions, Employee Insights, User Sessions, Risk Events, and the Observe Tools and Agents log pages now have a manual refresh button in the toolbar, so the latest data is one click away without reloading the page. (Author: @simplesagar)
Assistant setup chat history is preserved#3811 - Prior onboarding threads with the assistant setup chat are now listed and URL-addressable, so a setup conversation can be picked up where it left off or shared with a teammate. (Author: @claude)
Groundwork for shared remote session providers#3812 - An internal admin API now manages a platform-wide catalog of remote session providers, laying the foundation for projects to inherit shared providers in a future release. (Author: @walker-tx)
Bug fixes
Restore MCP tools in chat#3831 - Chat MCP tool connections no longer fail with an "Illegal invocation" fetch error that left chats without their configured MCP tools, including the assistant setup chat. Opening a chat via a shared
URL also reliably restores the linked conversation instead of sometimes landing on a new empty thread. (Author: @danielkov)
View teammates' assistant chats read-only#3931 - Admins opening another member's project assistant chat now see a read-only transcript instead of hitting a "chat not found" error on send. The composer is hidden for threads the signed-in caller didn't create, matching what the backend has always enforced. (Author: @adaam2)
Let environment editors edit environments#3916 - Creating, updating, and deleting environments now checks the
permission instead of
, so principals holding only
are no longer rejected. Dashboard gates were realigned to match. (Author: @qstearns)
Recover from stale hooks credentials#3901 - Cached hook credentials that are rejected on auth are now cleared automatically, so Claude prompt submission continues and the user is prompted to reconnect instead of getting stuck. (Author: @danielkov)
Connect MCP servers on private networks and silence known risk false positives
MCP servers that live behind a firewall can now join a Gram project: run the new tunnel agent next to the server and Gram routes traffic to it, no inbound network access required. On the risk side, a built-in exclusions library now suppresses well-known false positives — test credit cards, example API keys, placeholder emails — so risk events stay focused on findings that matter.
Features
Tunneled MCP servers#3703 - MCP servers running in a private network can now be added as tunneled sources. The tunnel agent ships as a public Docker image (
, linux/amd64 and linux/arm64) that runs alongside the server and connects out to Gram, and the tunneled MCP server page includes Docker and Kubernetes setup instructions. (Author: @ThomasRooney)
Built-in exclusions library for risk detections#3895 - Known false positives — test credit card numbers, example API keys and tokens, module and content hashes, and placeholder emails — are now suppressed automatically across all detection sources. A read-only Built-in library section on the Exclusions tab lists the live catalog, backed by the new
Session status reflects refresh expiry#3936 - A session's active or expired status is now keyed off its refresh token expiry, so sessions that can still refresh no longer show as expired. (Author: @linear-code)
Non-Corporate Accounts policy card restored#3940 - The Non-Corporate Accounts detector — including its approved-email-domains configuration — is back on the risk-policy detail form after being dropped in a refactor, and the Off-Policy Content card no longer appears twice. (Author: @daviddanialy)
Assistant messages made up entirely of tool calls no longer show a stray copy button with nothing to copy.
Bug fixes
Hide the copy button on tool-only turns#3834 - A message consisting solely of tool calls or reasoning has no copyable text, so the lone copy button no longer hangs beneath it. (Author: @disintegrator)
See AI usage by account type and provider, with clearer cost estimates and a more secure CLI login
Costs, Insights, Agent Sessions, Tool Logs, and Employees now break down AI usage by account type (Team versus Personal) and provider (Claude, Codex, Cursor), with per-account cost estimates spelled out clearly. Logging in to the CLI as a device agent is also more secure, using a one-time PKCE code instead of passing a raw key in a URL.
Features
Break down AI usage by account type and provider#3755 - Costs, Insights, Agent Sessions, Tool Logs, and Employees now split AI usage by account type — Team (enterprise) versus Personal (individual, e.g., Claude Max) — and by provider (Claude, Codex, Cursor). Personal usage is flagged at a glance on sessions and logs, and each employee's linked AI accounts are listed with the option to scope their metrics to a single account. (Author: @daviddanialy)
Clearer cost estimates#3755 - Cost now reads as "Est. cost" (with an explanation on hover) everywhere it appears in Costs and Insights, since the figure is derived from token usage at standard API rates and only reflects real spend on metered accounts, not flat-fee plans like Claude Max, Pro, Team, or Enterprise. Admins can declare a provider integration's billing mode — Metered, Flat rate, or Unknown — under Settings → Logging & Telemetry, and once an account is declared metered, its cost reads as a confident "Cost". (Author: @daviddanialy)
service backs device-agent enrollment: the dashboard CLI callback authorizes a PKCE-bound one-time code against an active session, then redeems it for a per-user API key without the raw key ever traveling in a URL. Existing CLI producer-key login is unchanged. (Author: @bradcypert)
Surface Claude attribution dimensions in the cost explorer#3638 - Telemetry query results and the cost explorer now surface Claude attribution dimensions, giving a clearer view of where usage and cost originate. (Author: @subomi)
Bug fixes
Show historical findings for disabled policies in Risk Events#3847 - Filtering Risk Events by a disabled policy previously returned no results because the query required the policy to be enabled. An explicit policy filter now surfaces that policy's past matches, and the dashboard flags the inactive policy with a banner and an "(inactive)" label in the filter. The default unfiltered view is unchanged and still lists only active policies. (Author: @daviddanialy)
Drop false-positive US driver's license findings#3836 -
Presidio findings are now dropped at the finding level so they never surface, even when a policy pins no entities and Presidio scans its full default recognizer set. (Author: @disintegrator)
Fix dropped connections on function-runner calls#3846 - HTTP keep-alives are now disabled on function-runner calls, and that path gets its own timeout, so retries dial fresh connections instead of reusing pooled connections to Fly machines that were autostopped mid-flight (which surfaced as instant EOF errors). The timeout now sits above the runner's five-minute execution budget, so long tool calls are no longer cancelled by the caller. (Author: @disintegrator)
Fix a nil pointer panic in telemetry SearchUsers#3843 - Calling telemetry SearchUsers without a filter no longer panics. (Author: @disintegrator)
Adjust API endpoint paths to RPC conventions#3825 - Internal API endpoint paths were adjusted to follow existing RPC API conventions. (Author: @disintegrator)
Claude Sonnet 5 is now the default assistant model
New assistants and in-app model usage now default to Claude Sonnet 5, available across the playground, Elements, and onboarding model pickers.
Features
Default to Claude Sonnet 5#3758 - Claude Sonnet 5 (
) is now the default model for in-app usage and newly created assistants, added to the allowlist and every model picker across the playground, Elements, and onboarding. Specialized models used for risk and PromptIntel judging, chat segmentation, embeddings, and follow-on suggestions are unchanged. (Author: @simplesagar)
Default to Claude Sonnet 5 and share remote session clients across an organization
New assistants and in-app model usage now default to Claude Sonnet 5. Remote session clients can also be created at the organization level, so every project can share one instead of configuring its own, and admins get finer control over who can unmask redacted secrets in Risk Events.
Features
Default to Claude Sonnet 5#3758 - Claude Sonnet 5 (
) is now the default model for in-app usage and newly created assistants, added to the allowlist and every model picker across the playground, Elements, and onboarding. Specialized models used for risk and PromptIntel judging, chat segmentation, embeddings, and follow-on suggestions are unchanged. (Author: @simplesagar)
Organization-level remote session clients#3749 - Create a
with no project so every project in the organization can attach and use it, mirroring the existing convention for organization-level remote session issuers. A project admin can attach, detach, and use an organization-level client from their own session issuer, but editing or deleting it stays with org admins. (Author: @bflad)
Restrict who can unmask redacted secrets#3766 - Server-side controls now govern who can reveal redacted secrets flagged in chat, giving admins a way to restrict access to sensitive matched values. (Author: @qstearns)
Human-readable plugin marketplace names in Claude Code#3763 - Plugin marketplaces now send a human-readable display name to Claude Code, so plugins show with their admin-entered name and capitalization (e.g., "MoonPay MCP Servers") instead of a de-slugified lowercase name ("Moonpay mcp servers"). (Author: @bradcypert)
Unified endpoint for third-party hook ingestion#3661 - A single
endpoint now accepts hook events from any third-party provider. Hook plugins authenticate each developer locally through a browser callback flow and store a hooks-scoped key on the device, while existing provider-specific hook endpoints keep working. (Author: @danielkov)
Redirect URI callout for remote identity provider clients#3762 - The Remote Session Client form now surfaces the callback URL needed when manually configuring a remote identity provider client, making the setup step easier to complete correctly. (Author: @qstearns)
Caching for public OAuth and MCP metadata endpoints#3761 - Public well-known OAuth/MCP metadata responses now send
and a strong ETag with 304 revalidation, so clients and proxies can cache them. The OAuth Client ID Metadata Document keeps its one-hour max-age and also gains an ETag. (Author: @bflad)
Bug fixes
Gate secret reveal behind the chat:read scope#3764 - Users without the
scope now see flagged secret values in Risk Events as a non-interactive "Hidden" placeholder instead of a reveal control, and the page-level "Reveal all" toggle is hidden for them. (Author: @simplesagar)
Add session_capture_exclusions table#3528 - Internal schema migration adding a
Connect to stricter OAuth providers with outbound CIMD support
Remote session OAuth now works with identity providers that require Client ID Metadata Documents (CIMD), so organizations with stricter upstream authorization servers can register outbound clients without a shared secret.
Features
Outbound CIMD support for remote session OAuth#3706 - Create a
in CIMD mode: Gram generates the client ID, hosts a public client metadata document, and sends that URL as the client ID on every outbound authorize, token, and refresh call, with no symmetric secret required. Issuer discovery now detects CIMD support automatically, which gates the new option, and the client and issuer views surface the metadata URL and support status. (Author: @bflad)
Cleaner assistant chats when apps inject extra context
Context an application injects into a user turn no longer clutters the conversation. It now folds into a collapsible disclosure that's there when needed and out of the way otherwise.
Features
Collapse injected context into an "Additional context" disclosure#3721 - App-injected context in a user turn now folds into a collapsed Additional context disclosure that expands to inspect, instead of rendering the raw tags inline. The expanded block wraps to the message width, so opening it no longer widens the chat bubble. (Author: @adaam2)
Gate access to other members' agent sessions with a new chat:read scope
A new RBAC scope lets you decide who can read other members' agent session transcripts. Everyone can always read their own sessions; reading everyone's now requires an explicit grant.
Features
chat:read scope for agent session transcripts#3688 - A new
scope gates access to other members' agent session transcripts: anyone can read sessions they own, while reading every member's session requires an unrestricted
. The scope is not a default of any system role — not even admin — so it must be granted via a custom role. Members without it see only their own sessions, and each dashboard session open is recorded in the audit log. (Author: @adaam2)
Project Assistant: rename chats, see who owns each assistant, and a tidier context block
A handful of Project Assistant improvements land together: rename conversations inline as you work, see at a glance who owns each assistant, and keep the chat clean with app-injected context folded into a collapsible disclosure.
Features
Rename assistant chats from the live chat view#3649 - The dock header shows the active conversation's title and lets you click to rename it inline. Names you set are kept — automatic title generation skips any chat you've renamed, and clearing the title re-enables auto-naming. (Author: @simplesagar)
See who owns each assistant#3709 - An assistant's creator is now shown as its owner — an avatar and name on both the assistant card and the setup page — resolving to the creating member, "No owner" when never attributed, or "Orphaned, no owner" when the creator has left the organization. (Author: @simplesagar)
Tidier injected context in assistant chats#3721 - App-injected context in a user turn now folds into a collapsed Additional context disclosure you can expand to inspect, instead of rendering the raw tags, and the expanded block wraps to the message width so opening it no longer widens the bubble. (Author: @adaam2)
Edit system role permissions, tune risk detection sensitivity, and tighter shadow MCP enforcement
Organizations get more control over access and risk detection this release: the built-in admin and member roles can now be tailored per organization, and risk policies gain a sensitivity slider for tuning how aggressively detections fire. Shadow MCP enforcement is also hardened against a couple of false results.
Features
Editable system-role permissions#3727 - Edit the permissions of the built-in
and
roles per organization, while their name and description stay platform-managed. The Admin role is guarded against losing the
permission to prevent an org lockout. The roles tab is reworked so the whole role row opens the edit sheet, scope groups show a description when collapsed, and the members column uses an interactive member facepile with hover focus and click-to-view-all. Directory Sync (SCIM) organizations see info alerts on the team, roles, and identity pages explaining that members and roles are managed by the identity provider while SCIM is enabled. (Author: @adaam2)
Configurable risk detection sensitivity#3723 - Each risk policy now has a minimum match-confidence threshold, adjustable with a Sensitivity slider in the policy wizard, so detections can be tuned to be more or less aggressive. The default sensitivity is lowered to 0.5. (Author: @dennnis-ez)
Bug fixes
Harden Codex shadow MCP enforcement#3719 - Codex shadow MCP calls are now checked against the session's actual MCP server inventory, closing a gap where enforcement could be bypassed. (Author: @danielkov)
Fix Cursor shadow MCP enforcement false positives#3720 - Cursor shadow MCP enforcement no longer wrongly blocks Speakeasy-hosted MCP servers when a shadow MCP risk policy is enabled. Access is now decided by the server URL rather than requiring the agent to echo an internal identifier. (Author: @danielkov)
Fix duplicate servers in the MCP catalog#3310 - The MCP catalog no longer lists duplicate servers (with an inflated count) when loading more results. (Author: @alx-xo)
More reliable risky-message filtering and thread search
Two chat-detail fixes land together: the "Risky only" filter now finds flagged messages no matter where they sit in a long thread, and search steps through every match in order instead of highlighting them all the same color.
Bug fixes
Fix "Risky only" filter missing findings on other pages#3715 - The filter previously showed nothing when flagged messages sat on transcript pages that weren't loaded.
now returns the seqs of flagged messages so the panel can window the full thread and filter correctly, and the toggle is available to any authorized viewer rather than only org admins. (Author: @adaam2)
Step through search matches one at a time#3715 - Search-within-thread now steps through every occurrence in document order, across message text and tool call arguments and output, with the active occurrence highlighted distinctly, instead of jumping per message and highlighting every hit the same color. (Author: @adaam2)
Blocked tool calls get their own page the agent can reason about, plus filter sessions by agent type
When the risk engine blocks a tool call it's now a durable, linkable page with thumbs-up/down feedback — and the reason is handed back to the agent so it explains the denial instead of inventing one. Agent Sessions also gain an agent-type filter.
Features
Durable tool-call block pages#3672 - Blocked tool calls are now first-class entities with a stable
URL and 👍/👎 feedback. The block reason is injected into the agent-facing response (Claude, Cursor, and Codex) with a link to the block page, so the agent can reason about the denial instead of hallucinating one, and a More Info link reaches it from the Risk Events modal. (Author: @daviddanialy)
Filter agent sessions by agent type#3712 - The Agent Sessions page gains an agent-type filter, populated from the agent sources actually present in each project's chats. (Author: @simplesagar)
Read-only and destructive labels in Distribute MCP tools#3713 - The Distribute → MCP → Tools view now shows the same text permission labels (Read-only, Destructive, Idempotent) as the Connect catalog, instead of icon-only badges, for quicker at-a-glance behavior hints. (Author: @daviddanialy)
Up-to-date badge on plugin detail#3708 - The plugin detail page now shows an explicit Up to date badge and surfaces the last-published time even when there are unpublished changes, rounding out the publish-freshness view. (Author: @daviddanialy)
Shorter access-request links on blocked tool calls#3710 - The "Request access" link on a blocked tool call now embeds a short cache-backed token instead of a 1,000-plus character encrypted blob, with previously issued links still working until they expire. (Author: @daviddanialy)
Bug fixes
Risky-only filter and in-thread search reworked#3715 - The chat detail "Risky only" filter now windows the full thread and shows flagged messages even when they sit on other transcript pages, and search steps through every occurrence in document order — across message text and tool call arguments and output — with the active match highlighted distinctly. (Author: @adaam2)
Prompt correlation no longer stalls on busy sessions#3716 - Claude Code prompt correlation now bounds its work and drains a large backlog of unlinked prompts incrementally, so prompts stay reliably linked to their telemetry instead of failing entirely on high-volume sessions. (Author: @danielkov)
Detect step Continue enables for category-level detectors#3714 - Creating a risk policy now enables the Continue button when only category-level detectors (Prompt Injection, Shadow MCP, Destructive Tools, Destructive CLI Commands) are selected, instead of treating those categories as empty and keeping the step disabled. (Author: @daviddanialy)
Rename assistant chats without leaving the conversation
Project Assistant chats can now be renamed right from the live chat view instead of navigating elsewhere first.
Features
Rename assistant chats from the chat view#3649 - Click the conversation title in the chat header to edit it inline. Manually chosen names are preserved. Automatic title generation skips any chat that's been renamed, and clearing the title re-enables auto-naming. (Author: @simplesagar)
Jump straight from the audit log to any subject and register remote session clients without leaving the issuer page
Every subject in the org audit log now links to its own detail page so you can pivot from an event to the thing it happened to, and org admins can register a standalone remote session client directly from the Remote Identity Provider page.
Features
Jump from any audit log entry to its subject#3683 - MCP servers, risk policies, environments, assistants, roles, members, and collections now render as links in the org audit log, alongside the deployments, toolsets, projects, plugins, and API keys already linked. Project-scoped subjects route under their own project, and risk policies and roles deep-link to the specific item. (Author: @simplesagar)
Register a remote session client from the issuer page#3678 - Org admins can create a standalone client directly from a Remote Identity Provider's Clients tab via a new New Client sheet, supporting Dynamic Client Registration when the issuer advertises a registration endpoint or manual client ID and secret entry. The client inherits a project-scoped issuer's project, or the admin names a project when the issuer is organization-level. (Author: @bflad)
See chat titles in the cost dashboard#3677 - The cost dashboard's session table now shows each chat's title in place of its id, so spend is easier to attribute to the conversation that drove it. (Author: @adaam2)
Hook event processing metrics#3685 - Hook event processing duration is now measured for Claude, Codex, and Cursor hook traffic, giving clearer visibility into hook performance. (Author: @subomi)
Bug fixes
Shadow MCP enforcement survives a missing session snapshot#3614 - The Claude hook shadow-MCP guard no longer depends on the server having cached the SessionStart MCP inventory in time: the inventory is persisted per session and replayed in the blocking PreToolUse payload, so enforcement stays reliable and still fails closed when no inventory is available. (Author: @bradcypert)
Combined session filters no longer return empty#3673 - Session list dimension filters now match per-chat instead of per-row, so combining a user-directory filter such as department with a hook source no longer comes back empty when those attributes live on different rows of the same chat. (Author: @subomi)
Pin the chats you keep coming back to and publish plugins without leaving their detail page
Pin important conversations to a dedicated section above your recent chats, and republish a plugin in one click straight from its detail page — with an at-a-glance badge that tells you whether what's live matches what you've changed.
Features
Pin chats on the chat page#3670 - Pin and unpin conversations on the chat page; pinned chats surface in a dedicated Pinned section above Recent Chats so the ones you return to stay within reach. (Author: @simplesagar)
Publish plugins from the detail page#3690 - After adding or removing a server or editing a plugin's metadata, a Publish now prompt offers a one-click republish — or opens the first-publish dialog for projects not yet connected to GitHub — so there's no need to return to the plugins list. The page also shows publish freshness: an Unpublished changes badge when the live state differs from what was last published, or the last published time when up to date. (Author: @daviddanialy)
Bug fixes
Faster tool observability filters#3699 - The logs and insights pages now read hosted MCP server display names straight from telemetry filter options instead of hydrating full toolset resources for server filter labels, so those filters load faster. (Author: @danielkov)
Long chat searches no longer error#3700 - The find-in-conversation bar now gates queries at 200 characters and flags the over-limit state inline — the search icon turns into a red warning with a tooltip and the match counter shows a live count — instead of failing with a hard validation error. (Author: @adaam2)
Jump straight to any message with in-thread search
Long chat threads are easier to navigate now: a find-in-conversation bar jumps between matching messages instantly, backed by full server-side text search instead of only scanning what happens to be loaded on screen.
Features
Search within a chat thread#3634 - Jump between matches with prev/next controls, or Enter/Shift+Enter to step forward and back (wrapping at the ends), and Escape to clear. The active match highlights in bright yellow against paler surrounding matches across message text, tool names, and tool arguments and output, and the tool call holding the active match expands automatically. Powered by a new
parameter on
that returns matching messages plus surrounding context. (Author: @adaam2)
Trigger agents from Slack, Linear, and GitHub webhooks
Agents can now react to what happens in the tools your team already lives in. A shared webhook-trigger foundation lets Slack, Linear, and GitHub events drive your agents, with signature verification, delivery de-duplication, and event filtering handled for you — so wiring up a new source is a matter of pointing it at Gram.
Features
Linear webhook triggers#2729 - Drive agents from Linear events with verified HMAC-SHA256 signatures and
de-duplication. Comments fold onto their parent issue's conversation, so an agent sees the full context of an issue rather than scattered events. (Author: @danielkov)
GitHub webhook triggers#2729 - Drive agents from GitHub events with verified
signatures and
de-duplication. Pull request, review, and comment activity correlates onto the PR, and pushes onto their repo and branch, so related events arrive as one coherent conversation. (Author: @danielkov)
A shared foundation for webhook sources#2729 - A common webhook-trigger abstraction centralizes signature verification, replay protection, and a default-deny event-type allowlist with CEL filters, so every source — including the existing Slack trigger, now rebuilt on it — behaves consistently and new sources land quickly. (Author: @danielkov)