Follow us on to be up to date with the latest changes.
v1.34.0
Elements
// June 4, 2026
Replace AI Insights with Project Assistant
This release backs Elements chat with a server-side assistant, the foundation for replacing AI Insights with the Project Assistant. Unlike the old AI Insights sidebar, the Project Assistant is a complete, full-featured assistant like any other you host on the platform — with the backend now owning conversation ids and history while the UI stays in sync.
Guided enterprise onboarding, runtime tool filtering, and a configurable marketplace name
This release adds a five-step enterprise onboarding wizard that takes a new org from SSO to live traffic, lets MCP clients filter exposed tools at request time, and makes your plugin marketplace name configurable per project.
Features
Enterprise onboarding wizard#3079 - A new wizard at
walks a new org through SSO via WorkOS, directory sync, publishing a private plugin marketplace to GitHub, instrumenting each agent platform (Claude Code, Claude Cowork, OpenAI Codex, Cursor) with auto-generated keys, and confirming traffic is flowing. It resumes on the deepest incomplete step, includes a typeahead GitHub-user picker for marketplace collaborators, and ships an enterprise-admin invite email that deep-links recipients straight into the wizard. (Author: @adaam2 )
Filter exposed MCP tools at request time#3164 - The public
handler now accepts a
query parameter (comma-separated, union) to expose only the tool variations matching those tags, resolved from the server's or toolset's variation group with a project default fallback. (Author: @bflad )
See tool filtering on the MCP details page#3213 - The Tools tab now shows a read-only scopes panel when filtering is enabled, listing the available filter tags with their member tools and the tools excluded from every filter, with a tag chip to filter the list below. (Author: @bflad )
Configurable marketplace name per project#2964 - A new Marketplace settings dialog lets you rename a project's generated plugin marketplace; the default is now
so marketplaces stay unique across customers. Saving an override on a project with a published marketplace auto-republishes the manifest to GitHub. (Author: @chase-crumbaugh )
Project Assistant turns run as the sender#3216 - Assistant turns sent from the dashboard now run under the sending user's identity, so MCP tool calls, audit attribution, and per-user RBAC reflect who actually sent the message rather than whoever first enabled the assistant. (Author: @danielkov )
Project Assistant reads from the chat service#3204 - The dashboard Project Assistant now reads its conversation directly from the chat service:
takes an optional
to continue a thread or omits it to start one, and replies surface as plain assistant messages from
Project Assistant available out of the box#3202 - A new
endpoint provisions a project's built-in Project Assistant on first access, so the dashboard sidebar resolves it without manual setup. (Author: @simplesagar )
Bug fixes
Imported remote MCP sources serve traffic immediately#3179 - Importing a remote MCP server as a source now auto-creates a default endpoint, so the server is ready to serve once enabled instead of requiring you to add an endpoint by hand. (Author: @walker-tx )
Preserve Authorization header for passthrough tools#3177 - A configured Authorization header on external MCP passthrough tools is no longer overwritten by the gating OAuth token. (Author: @walker-tx )
Consistent Insights and Logs filter dropdowns#3183 - The filter dropdowns on the Insights and Logs pages no longer race two filters against each other, so valid matches stop falling into "No results found" and the list recovers when characters are deleted. (Author: @simplesagar )
Insights counts only workspace members#3184 - The Employees and Role views in Insights now exclude impersonating superadmins that previously appeared as a raw UUID. (Author: @danielkov )
Clearer Shadow MCP rule delete dialog#3191 - Improves the confirmation dialog for deleting Shadow MCP access rules. (Author: @alx-xo )
Consistent release-stage badges#3180 - Preview and beta badges now render consistently in the side nav and tab navigation. (Author: @alx-xo )
no longer returns a 500 in production, now that WorkOS connection and directory lookups use the official WorkOS Go SDK and the correct endpoints. (Author: @adaam2 )
Reliable organization invite emails#3190 - Organization invite emails now fall back to a non-empty inviter name when the inviter's display name is blank, preventing rejected invites. (Author: @bradcypert )
MCP server tool filtering, a self-service device agent page, and sharper risk targeting
This release lets you filter the tools an MCP server exposes using variation groups, adds an org-level page for rolling out the Speakeasy device agent, and gives risk policies finer control over which messages they scan.
Features
Filter MCP server tools with variation groups#3162 - Enable and configure tool filtering on an MCP server through new management APIs and dashboard UI, so each server exposes only the tools you want from a shared toolset. (Author: @bflad )
Self-service device agent rollout page#3070 - A new org-level Device Agent page gives per-OS install instructions, an MDM
configuration reference, and self-service
generation, so admins can deploy the Speakeasy device agent and copy a ready-to-paste config without leaving the dashboard. (Author: @bradcypert )
Target risk policies by message type#3133 - Risk policies can now scope enforcement and batch scanning to user messages, tool requests, tool responses, or assistant text, so you only screen the traffic that matters for a given rule. (Author: @vishalg0wda )
Filter risk events by user#3165 - The Risk Events page adds a "User contains..." search box that filters findings by the chat's external user id, alongside the existing policy and rule filters. (Author: @simplesagar )
Send a message to a project assistant#3138 - A new endpoint lets a dashboard user message an assistant and poll for its asynchronous reply, with a correlation key to pick the conversation thread and an idempotency key so a retried send is never enqueued twice. (Author: @simplesagar )
Bug fixes
OAuth handlers resolved for /mcp/<slug>#3136 - The
OAuth flow now resolves its handlers via
with a toolset fallback, so OAuth-gated servers complete the handshake reliably. (Author: @bflad )
Tools load on issuer-gated private servers under RBAC#3174 - RBAC grants are now prepared for issuer-gated private remote MCP servers, so
and
no longer fail and return zero tools for RBAC-enforced callers. (Author: @bflad )
Audit logs page scopes AI Insights setup to a project#3163 - The audit logs page no longer calls
without a project slug from org-level routes, fixing AI Insights setup there. (Author: @bradcypert )
component now renders external links inline with the surrounding text instead of stretching them to full width and pushing trailing punctuation to a new line. (Author: @bradcypert )
Workforce observability graph, project-aware AI Insights, and plugin distribution by email
This release adds an employee data-flow graph for seeing how your workforce uses agents, points the AI Insights sidebar at every toolset in your project, and lets admins hand out Claude Code plugins to people by email address.
Features
Employee data-flow graph#3111 - A new workforce observability view visualizes how employees and agents move data across your tools, so you can see usage patterns at a glance instead of reading raw logs. (Author: @subomi )
AI Insights sidebar connects to all project toolsets#3123 - The AI Insights sidebar now talks to every toolset configured in your current project instead of a single hardcoded server, so it answers questions using your real tools out of the box. (Author: @simplesagar )
Distribute Claude Code plugins by email#3088 - Assign published plugins to people by email address and let the Speakeasy device agent pull them into Claude Code automatically. Mint the required
-scoped API key from the same API Keys page you use for every other scope. (Author: @bradcypert )
Organization-level remote session issuers#3108 - Manage remote session issuers at the organization level through a new
service, so identity configuration can be shared across projects in an org. (Author: @bflad )
Per-project managed assistant#3125 - Toggle a platform-managed assistant for a project that comes preloaded with the Insights prompt and every MCP-reachable toolset attached, with safe enable and disable that you can flip on and off without leaving anything behind. (Author: @simplesagar )
Bug fixes
No Speakeasy key prompt on OAuth-gated private servers#3156 - MCP install pages for private servers that delegate identity to a user session issuer no longer ask for a Speakeasy API key, since OAuth already handles authentication. (Author: @walker-tx )
External proxy MCPs appear in the role picker#3132 - External MCP proxy servers now show up in the "Specific MCP Servers" picker when creating an access role and no longer display a misleading "No Tools" badge before their tools can be enumerated. (Author: @mfbx9da4 )
Per-assistant Slack onboarding, risk-only trace filtering, and resilience fixes
This release adds a per-assistant Slack setup card with capability and event selection, brings a risk-only toggle to trace panels, and ships a batch of resilience fixes around model completions, OAuth metadata, and remote session scoping.
Features
Per-assistant Slack setup with tuned warm runtimes#3063 - A new Slack setup card lets operators pick capabilities (send, read, react, and more) and which events wake the assistant up, then provisions a dedicated per-assistant Slack toolset instead of reusing a shared one. The card warns about always-on event firehoses, and the onboarding agent offers plain-English filter narrowing after Slack install. New assistants now default to five concurrent warm runtimes and a 60-second warm TTL so they handle bursts without queueing while reclaiming idle resources faster. (Author: @danielkov )
Risk-only trace filter#3121 - Adds a risk-only toggle to trace panels and deep-linked Risk Events that open with risk filtering enabled. (Author: @alx-xo )
Bug fixes
Retry empty model completions#3129 - Retries chat completions when the upstream model returns an empty response and reports the upstream details when it still fails, reducing transient playground and chat errors. (Author: @danielkov )
Project-scoped Remote OAuth client lookups#3090 - Remote OAuth client lookups no longer surface clients whose bound user session issuer lives in a different project or has been soft-deleted. The legacy fallback path now scopes both the client and its user session issuer to the request's project and excludes soft-deleted records, matching the join-table read path. (Author: @walker-tx )
OAuth metadata resolved via mcp_endpoints#3118 - Resolves
Custom detection rules with a rule playground, Shadow MCP access controls, and /mcp endpoints
This release adds AI-assisted custom detection rules with a built-in rule playground, ships management APIs, runtime enforcement, and a dashboard for Shadow MCP access rules, and serves MCP endpoints from
with a fallback to the legacy toolsets lookup. (Author: @bflad )
AI-suggested custom detection rules with a rule playground#2992 - Adds a
endpoint that turns a one-line description into a prefilled custom detection rule, landing the operator in an editable review form with a suggested rule ID, title, description, regex, and severity. A new rule playground lets operators paste a sample into the Detection Rules detail sheet and run it through the same scanner code (gitleaks, Presidio, prompt-injection, regex) the worker uses via the
Shadow MCP approval requests and access rules#2763 - Adds management APIs for Shadow MCP approval requests and access rules, backed by a Redis-backed access store. (Author: @alx-xo )
Runtime enforcement of Shadow MCP access rules#2771 - Enforces Shadow MCP access rules at runtime, allowing approved access rule exceptions while preserving existing block policy behavior. (Author: @alx-xo )
Shadow MCP access rules dashboard#2831 - Adds a dashboard UI for reviewing Shadow MCP requests and managing project-scoped access rules. (Author: @alx-xo )
Tool variations menu on the source Tools tab#3083 - Adds a tool variations menu to the source detail Tools tab. (Author: @bflad )
Bug fixes
Full Svix portal capabilities for admins#3074 - The Svix app portal now correctly grants full capabilities to org admins and read-only access to non-admin members, fixing an inverted capability check and an earlier empty-capabilities slice that resulted in read-only sessions. (Author: @disintegrator )
Login journey for allowed orgs#2949 - Fixes the login journey for allowed orgs. (Author: @dennnis-ez )
Clearable logs filter search bars#3096 - Logs filter search bars can now be cleared with the Escape key or by emptying the box, not just the × button, across the MCP Server Logs filter bar and the shared search bar. Escape only clears when there is text to clear, so an empty box lets the key bubble up to close a surrounding popover. (Author: @simplesagar )
Sidebar nav hover highlight#3092 - Fixes the sidebar nav hover highlight snapping back to the active route when moving between items. (Author: @alx-xo )
Function tool tags, SSO and SCIM feature flags, and Remote MCP authentication UI
This release ingests tags declared on Gram Function tools and exposes them through the management API, adds SSO and SCIM feature flags backed by WorkOS event sync, and ships an authentication UI for Remote MCP-backed servers.
Features
Tags on Gram Function tools#3031 - Ingests tags declared on Gram Function tools, both the top-level
field on the manifest and
on the TypeScript framework
, and exposes them through the management API. The playground tool editor now opens for function tools the same way it does for HTTP tools. (Author: @bflad )
SSO and SCIM feature flags with WorkOS event sync#3061 - Adds product feature toggles for SSO and SCIM to admin settings. The Identity page shows connection status and gates configure buttons on these flags, and the Team page invite button is disabled when SSO is active. WorkOS event processing now handles all SSO connection and SCIM directory sync lifecycle events. (Author: @adaam2 )
Authentication UI for Remote MCP-backed servers#3008 - Adds a remote-based MCP server authentication UI for configuring credentials against Remote MCP-backed servers. (Author: @bflad )
Abbreviated metric card numbers#3045 - Metric cards now display abbreviated numbers such as 1.5K and 2.3M instead of raw comma-separated values. (Author: @alx-xo )
Bug fixes
Stable assistant runtime image tags#3056 - Tags the assistant runtime image with a content hash so deploys that do not change the runtime image sources reuse the existing Fly machines instead of recycling them on every commit. (Author: @danielkov )
Triggers page handles fired and cancelled wake triggers#3016 - Fixes the triggers page failing to load whenever a wake trigger has fired or been cancelled. The status enum now includes
,
,
, and
, and the triggers page renders distinct badges for fired and cancelled triggers instead of mislabelling them as Paused or surfacing a generic response validation error. (Author: @danielkov )
AI Insights for risk findings, Cursor cost and token tracking, and multi-role RBAC
This release brings risk-aware suggestions into the dashboard's AI Insights sidebar on the Security Overview and Policy Center pages, adds Cursor support to the Insights Employees and Costs tabs, and ships multi-role assignments for RBAC.
Features
AI Insights for risk findings#2922 - The dashboard's AI Insights sidebar now surfaces risk-aware suggestions on the Security Overview and Policy Center pages, letting the assistant reason over recent policy findings without seeing raw secrets. Findings are read through a redacted endpoint that replaces the
field with an opaque fingerprint of the form
, so identical secrets are still dedupable across findings while their content stays hidden, and a system-prompt rule bars the assistant from echoing redacted values verbatim. (Author: @simplesagar )
Cursor cost and token tracking in Insights#2923 - Organization admins can now connect a Cursor Admin API key, and Cursor token and cost usage flows into the Insights Employees and Costs tabs alongside Claude Code data. An hourly job pulls usage events from Cursor so per-employee cost and token totals stay current. (Author: @subomi )
Multi-role RBAC#2982 - Users can now be assigned multiple roles simultaneously, replacing the previous single-role assignment model. (Author: @adaam2 )
so remote MCP traffic can be observed and shaped through the same interceptor pipeline as tool calls. (Author: @bflad )
Expanded onboarding personality picker#2980 - Expands the assistant onboarding personality picker with Brad and Walker, rebalances Quinn against Nolan and Daniel, and groups team voices into a compact chip row above the generic preset cards. (Author: @danielkov )
Bug fixes
Source Activity panel for Remote MCP sources#2819 -
now accepts an optional
filter so callers can scope summary, time-series, and per-tool breakdown metrics to a single Remote MCP source.
tools/call traffic also writes a structured row to ClickHouse
per invocation, and the Source Activity panel on the Remote MCP source overview shows real telemetry for the last 7 days. (Author: @bflad )
Explicit user-identity opt-in for public MCP authorize#2971 - Public-MCP
now accepts a
query parameter that forces the caller through the IDP so the resulting session is bound to a user subject rather than an anonymous one. Without the parameter, public-toolset
continues to mint an anonymous subject. The assistant runtime sets the parameter when initiating MCP authorization flows against Gram-served endpoints so subsequent tool calls can be attributed to the user. (Author: @danielkov )
Owner-only OAuth in the assistant system prompt#2984 - Assistants are now instructed to treat OAuth/MCP authentication as owner-only and to avoid pre-emptively prompting for auth on toolsets they have not yet needed. (Author: @danielkov )
Always emit
in JSON-RPC success responses#3007 - Always emits the
field in JSON-RPC success responses from the MCP server. Empty-result handlers (notably
) previously sent
, which violated JSON-RPC 2.0 and the MCP spec — Cursor's MCP SDK rejected those frames with
zod errors and dropped the transport to a failed state after each keep-alive ping. (Author: @walker-tx )
Resilient assistant-runtime reaper for Fly Machines#3019 - Bounds each Destroy/List call against the Fly Machines API by its own timeout, and uses a Temporal heartbeat for liveness on the janitor activity rather than relying on a short overall timeout that turned tombstone-machine hangs into elevated workflow-failure alerts. (Author: @danielkov )
Server-side OAuth metadata discovery for Remote MCP and a redesigned org home
This release adds an RFC 9728 OAuth Protected Resource Metadata discovery endpoint for Remote MCP servers, brings tag editing into the playground tool editor, migrates dashboard tables to Moonshine, and ships a redesigned org home with favorites and a contributor facepile.
Features
Server-side OAuth Protected Resource Metadata discovery for Remote MCP#3032 - Adds the
endpoint that probes a remote MCP server for an RFC 9728 OAuth Protected Resource Metadata document server-side under
. External resource servers are unlikely to allowlist the Gram dashboard origin via CORS, so discovery moves to the backend, following RFC 9728 §3.1 path-style and origin-style discovery and returning typed unavailability codes with backend-composed user messages. (Author: @bflad )
Tag editing on tool variations#2962 - Exposes tags on tool variations and adds a tags row to the playground tool editor for HTTP tools, with chip input, base-source quick-add, an override indicator, and a reset-to-source affordance. (Author: @bflad )
Dashboard tables migrated to Moonshine Table#3004 - Migrates dashboard tables to Moonshine Table with sortable insights columns and removes the legacy table wrapper. (Author: @alx-xo )
Redesigned org home with favorites and contributor facepile#3014 - Redesigns the org home page with a two-column layout. The left rail shows compressed Recent challenges and Recent activity, while the right column shows projects as a thin rectangular stack or a 1/2/3-column card grid (toggle persisted in localStorage). Each project row or card shows the most recent audit-log action with a hover tooltip for full UTC and local timestamps, a facepile of up to 10 active contributors, a star to favorite or unfavorite, and a kebab menu. A new Add New dropdown next to the search bar offers Project, Team member, and Role, gated by
Deterministic UUIDv5 org IDs from WorkOS#3023 - Derives org IDs as deterministic UUIDv5 from the WorkOS org ID during Register and auto-provisioning, replacing the previous
format which was not a valid UUID. (Author: @adaam2 )
Preserve theme and project favorites across logout#3034 - Preserves theme and saved project favorites when logging out, so visual preferences and starred projects survive the next sign-in. (Author: @alx-xo )
This patch pulls in the shared Risk overview analytics pieces so the Elements bundle stays aligned with the platform.
Bug fixes
Risk overview summary metrics, charts, and trend data#2912 - Picks up the shared summary metrics, charts, and trend data for recent policy findings on the Risk overview. (Author: @alx-xo )
Configurable upstream OAuth audience and scope on remote session clients#2941 - Adds nullable
and
columns on
and surfaces them on the management API. When
is set, the upstream OAuth dance attaches the
parameter to the authorize redirect, authorization-code-to-token exchange, and every refresh-token request. When
is set, the dance requests those scopes instead of echoing the issuer's full
, which avoids over-granting access on providers that advertise broad scope sets. (Author: @qstearns )
Notes on cron triggers#2955 - Cron triggers now accept an optional
field, matching wake triggers. The note is included in every scheduled tick the assistant sees, so one assistant can carry multiple cron triggers with distinct per-schedule steering — for example, "run daily digest" versus "check deploy status". (Author: @danielkov )
Risk overview analytics#2912 - Adds summary metrics, charts, and trend data for recent policy findings on the Risk overview. (Author: @alx-xo )
Assistant spec panel links MCP server rows#2972 - The Assistants spec panel now links each attached MCP server to its MCP details page, so the draft view jumps straight to inspect or configure the server. (Author: @danielkov )
Toggle assistant active state from the list#2974 - The active/paused indicator on each assistant card is now an interactive switch — pause or resume an assistant directly from the assistants list without opening it. (Author: @danielkov )
Bug fixes
Hook source on Claude Code usage metrics#2968 - Fixes the token graph blanking when filtering by agent type on /insights/costs by including the
attribute on Claude Code usage metrics. (Author: @simplesagar )
Better server names and inspection in hooks logs#2990 - Extracts server names from MCP configs in hooks logs and improves the UI for inspecting individual logs. (Author: @chase-crumbaugh )
One assistant thread per Slack top-level message#2951 - Slack-triggered assistant chats now open a fresh assistant thread for each top-level message instead of folding distinct conversations onto a single per-channel thread. Top-level Slack messages and DMs used to share one Gram thread — and one Fly runtime — per channel, so unrelated users' messages bled into the same context window. (Author: @danielkov )
Ephemeral Slack button for MCP re-auth#2959 - Assistants on Slack now surface MCP OAuth re-auth via an ephemeral Block Kit button instead of dumping the raw URL into the thread, so only the user that needs to authenticate sees the prompt. (Author: @danielkov )
Quick jump from an assistant to its agent sessions
This release adds a "Sessions" quick link on the Assistants spec panel, so inspection of an assistant's recent agent runs is one click away.
Features
Sessions quick link on the Assistants spec panel#2973 - The Assistants spec panel now has a "Sessions" quick link that opens Agent Sessions filtered to that assistant. (Author: @danielkov )
as an optional auth method in remote session negotiation, broadening compatibility with upstream OAuth providers. (Author: @qstearns )
Bug fixes
Restore OAuth proxy auto-configure#2928 - Keeps the OAuth wizard auto-configure path on OAuth Proxy setup with DCR credentials, even when user-session onboarding is enabled for the organization. (Author: @walker-tx )
Agent log drawer accessibility#2929 - Adds a drawer title to the chat detail panel, resolving agent log drawer accessibility warnings. (Author: @alx-xo )
Issuer-gated remote MCP, OAuth for assistant tools, and full Slack write access
This release wires
into per-server OAuth via
, lets assistants complete MCP OAuth mid-task, closes the Slack write-tools gap, and adds an early Remote MCP server management UI behind a feature flag.
Features
Issuer-gated
and full OAuth surface per server#2926 - Adds an optional
on
and
. When set,
requests without a valid Authorization receive 401 and a
pointing at
, and the full dynamic client registration, authorize, IDP callback, consent, token, and revoke surface is mounted under
. Both well-known metadata routes return the issuer-gated shape for any addressed server with an issuer set, including remote-backed servers. The
helper now also registers
so remote-OAuth servers reached via
can complete the upstream callback. (Author: @bflad )
Assistants relay MCP OAuth links mid-task#2935 - When a configured MCP server requires user authentication, the assistant relays the authorization link through an available output tool, then reconnects and continues its task once the user completes authentication. (Author: @danielkov )
Slack assistants gain full message and channel lifecycle tools#2887 - Slack assistants can now edit, delete, and send ephemeral messages; pull permalinks; open DMs; create, join, leave, invite, archive, and rename channels; and manage pins, bookmarks, usergroup membership, reminders, file uploads, canvases, and presence/DND. Closes the previous gap where assistants could read Slack but barely write to it. (Author: @danielkov )
Remote MCP-backed server management UI#2717 - Adds the initial dashboard UI for managing Remote MCP-backed MCP servers, gated behind the
Deny rules in the RBAC role editor#2946 - Admins can now grant broad access in a role and then carve out specific resources or tools that the role should not access. (Author: @adaam2 )
Bug fixes
Disable OpenRouter reasoning across completion paths#2950 - Chat completions no longer generate hidden reasoning tokens. OpenRouter could route requests through models that produced reasoning output Gram discarded before storage while still billing for it. The proxy and every internal completion caller — chat title generation, the Slack agent loop, risk policy naming, and structured object completion — now explicitly disable reasoning. (Author: @danielkov )
markers off the request body before forwarding to OpenRouter, so every Anthropic call billed at the full input rate. Markers are now preserved at the top level, on tool definitions, and on message content blocks, so Claude requests with stable prefixes can serve from cache. (Author: @danielkov )
Assistants can update their own triggers#2885 - Calling
on an existing trigger previously returned a generic internal error because the assistant's scoped tool was being swapped for a stricter variant. As a side effect, an assistant's trigger list no longer leaks sibling assistants' triggers in the same project. (Author: @danielkov )
Attribute outbound OpenRouter completions#2952 - Outbound OpenRouter chat completions now carry a session ID, user, source metadata, and distributed-trace identifiers so OpenRouter's dashboard can group requests per conversation and roll up cost per customer, and so Datadog traces correlate with OpenRouter's request records. (Author: @danielkov )
Version outbox event names#2944 - Deprecates obsolete outbox event types and adds explicit versioning in the name scheme. In particular,
Preserve token graph data while filtering by agent type#2936 - Fixes the token graph blanking when filtering by agent type on /insights/costs. Claude Code usage metrics were missing the
attribute, so the filter returned no data for non-Cursor agents. (Author: @simplesagar )
This release surfaces a clear message when an organization runs out of chat credits and exposes utilities so downstream consumers can react to the same condition.
Features
Credits-exhausted message and stream error exports#2921 - When an organization runs out of chat credits, the thread now renders a clear credit-limit message instead of silently stopping the stream on a 402 from the gateway. New
and
exports let downstream consumers detect and react to the same condition. (Author: @simplesagar )
Webhooks catalog, collections RBAC, and team invitations
This release introduces a typed webhooks catalog for audit log events, enforces RBAC on the collections API, normalizes risk finding identifiers across scanners, and ships a DB-backed team invitation flow with trusted domain guards.
Features
Webhooks catalog#2905 - The webhooks feature now generates a catalog of event types and schemas. The catalog is emitted as an OpenAPI 3.1 document that is synced to Svix. (Author: @disintegrator )
Granular per-subject audit log webhook events#2927 - Each auditable subject (deployments, projects, MCP servers, API keys, toolsets, risk policies, sessions, and more) now emits its own typed webhook event (for example,
), enabling subscribers to filter by subject domain rather than receiving all audit activity under a single event type. (Author: @disintegrator )
. Update, AttachServer, and DetachServer now run in a transaction alongside the audit insert, and a new
identifier (prefix
) is used as the audit subject. (Author: @subomi )
Team invitations with trusted domain guards#2896 - Adds RBAC and assigned roles on pending organization invites, lets org admins change the role before acceptance, and emits audit log entries for invite creation and role changes. Invite acceptance now uses Gram invite tokens plus WorkOS User Management Magic Auth codes — the server validates the invite token, creates and consumes the Magic Auth code for the invited email, verifies the email match, and completes provisioning. (Author: @ThomasRooney )
Bulk install all servers in a collection#2899 - Adds an Install All button to the collection detail page for bulk server installation. (Author: @subomi )
Improved trace session detail UX#2864 - Adds filtering and a clearer presentation for trace entries. (Author: @alx-xo )
Bug fixes
Drop IPv6 short-form and IPv4 unspecified false positives#2915 - Drops Presidio
false positives produced from short-form IPv6 strings (
,
,
) and IPv4 unspecified
. Analysis of prod
showed these single-hex-group
matches dominated
noise alongside the existing
filter; they are now dropped before becoming findings. (Author: @mfbx9da4 )
Exclude plugin download key creation from audit log#2760 - Excludes per-request plugin download API key creation from the audit log to prevent flooding with
Skip WorkOS reads when org is linked locally#2844 - Skips WorkOS reads when the org is already linked locally, removing redundant lookups on the auth path. (Author: @bflad )
Filter already-added toolsets from plugin add-server dialog#2904 - Filters the plugin Add Server dialog to exclude toolsets already attached to the plugin, preventing duplicate entries. (Author: @bradcypert )
Credits-exhausted message in chat#2921 - Shows a graceful message in AI Insights and the Playground when an organization runs out of chat credits. Previously the chat would silently stop streaming on a 402 from the gateway because the AI SDK masks stream errors by default. The thread now renders a clear credit-limit message, and the new
and
exports are available on
for downstream consumers that want to react to the same condition. (Author: @simplesagar )
Issuer-gated OAuth from the playground, release-stage badges, and resilient assistant runtimes
This release wires the playground Connect button into the issuer-gated OAuth flow, surfaces Preview and Beta release-stage badges across the dashboard, and fixes assistant runtimes that hung after image upgrades.
Features
Preview and Beta release-stage badges#2882 - Adds Preview and Beta release-stage badges so pre-GA features are clearly labeled wherever their name appears. The same badge renders inline on the sidebar nav entry (with a hover tooltip explaining the stage), the page section title, sub-route tabs, and raw
headings. Tagged in this release: Assistants as preview; Risk Overview and Risk Policies as beta; Insights → Employees and Insights → Costs as preview. The Policy Center nav entry is renamed to Risk Policies to match its page heading and URL, the Risk Overview empty state now uses the same dashed-border box treatment as Risk Policies, and a handful of pages that were missing a top-level title (SDKs, Integrations, Roles & Permissions, Audit Logs) now have one. (Author: @simplesagar )
Issuer-gated OAuth from the playground Connect button#2883 - The playground's Connect button now drives the issuer-gated OAuth flow when a toolset is bound to a user-session issuer, so connecting to MCP servers like
lands an upstream session that the runtime can resolve. The connection-status badge and the 401 challenge on
both read from the issuer-gated session store for these toolsets, and the security-check fallback now always emits a non-empty
Assistant JWT on issuer-gated MCP servers#2879 - Issuer-gated MCP servers now accept an assistant-runtime JWT and use the assistant owner's linked upstream account, so the runtime can call
without re-prompting for login. Requests with no linked upstream still return a 401 plus WWW-Authenticate as before. (Author: @danielkov )
Bug fixes
Recover assistant runtimes after image recycle#2877 - Assistant runtimes no longer get stuck unresponsive after a Gram release. When the assistant runtime image was upgraded in place, the underlying VM was being left stopped, so the next chat turn timed out and the assistant stopped responding. Subsequent turns now bring the runtime back up cleanly. (Author: @danielkov )
Preserve inline JSON in audit log outbox entries#2880 - Fixes a bug where snapshot and metadata fields in audit log outbox entries were being base64-encoded instead of preserved as inline JSON objects. (Author: @disintegrator )
Dedupe chat asset writes#2839 - Dedupes chat asset writes and idempotently uploads to prevent GCS 429s. (Author: @bflad )
Structured hook telemetry attributes#2838 - Makes hook routes (Claude, Cursor, Codex, OTEL Logs, OTEL Metrics) filterable in Datadog by
,
,
, and
. Replaces nested
payloads with top-level slog attrs and logs on every early-return path so silent 401s and missing-session-id branches are visible when debugging hook setup. (Author: @bradcypert )
Codex Stop hook in Cowork#2842 - Gets the Stop hook working in Cowork again. (Author: @chase-crumbaugh )
OpenRouter credit monitoring, v2 assistant runtime foundation, and MCP server renaming
This release lays the groundwork for the v2 assistant runtime path, adds OpenRouter credit monitoring and auto-reconciliation for enterprise organizations, and lets users rename MCP servers without breaking existing URLs.
Features
Monitor OpenRouter credits for enterprise organizations#2860 - Adds monitoring of OpenRouter credit usage for enterprise organizations so spend is visible alongside other AI-cost telemetry. (Author: @bflad )
Auto-reconcile OpenRouter per-key credit limits#2871 - A metrics workflow now keeps OpenRouter per-key credit limits in sync, so enterprise orgs do not need to manually adjust them as usage shifts. (Author: @bflad )
v2 assistant runtime foundation#2843 - Lays the groundwork for the v2 assistant runtime path: optional
claim on assistant runtime tokens (assistant-scoped tokens omit it), a
column plus partial unique index on
, a new
endpoint that lets a runner pull a thread's bootstrap state on demand, and an assistant-scope check on
that rejects writes whose
resolves to a chat outside the caller's assistant. Existing v1 admit, configure, and run-turn flows are unchanged. (Author: @danielkov )
Rename MCP servers from the detail page#2873 - Adds the ability to rename MCP servers from the server detail page without changing the server URL slug, so existing integrations keep working after a rename. (Author: @walker-tx )
Bug fixes
Allow MCP-valid tool names in tool URNs#2868 - Tool URNs now accept MCP-valid tool names, including camelCase, PascalCase, dotted, and kebab-case names. (Author: @walker-tx )
Rename plugin publish CTA to "Publish Private Marketplace"#2865 - Renames the plugins publish CTA from "Publish to GitHub" to "Publish Private Marketplace" so the action better reflects what it does. (Author: @bradcypert )
Align risk page headers with shared layout#2866 - Updates the Risk Overview and Risk Policies page headers to match the shared page layout and Moonshine CTA patterns. (Author: @alx-xo )
Resilient tool merging across multiple MCP servers
This patch release prevents a single failing MCP server from wiping out tools from healthy ones in multi-MCP chat configurations.
Bug fixes
One failing MCP server no longer drops tools from healthy ones#2816 - When a chat is configured with multiple MCP servers, a rejection on any single
call (e.g. a 401 on one toolset) used to wipe out the merged tool map and trigger React Query retries against every server. Healthy servers are now merged in normally; only when every server fails does the query reject and retry. (Author: @danielkov )
Codex hooks, OTEL forwarding, Slack Block Kit, and WorkOS-native auth
A major release: Gram now ships hooks support for Codex (OpenAI), forwards OTEL telemetry to customer-configured destinations, supports rich Slack Block Kit messages with interactive button replies, and migrates the entire authentication layer to WorkOS-native auth. Assistants gain self-healing chat history and an always-on platform toolset.
endpoint accepting all six Codex hook events (SessionStart, PreToolUse, PermissionRequest, PostToolUse, UserPromptSubmit, Stop), enforces org-level risk policies on blocking events, and records telemetry to ClickHouse. The plugin generator now produces a downloadable Codex observability plugin (ZIP and install script) that registers the hooks via a Gram marketplace entry in
. The install instructions dialog gains a Codex tab alongside Claude Code and Cursor. (Author: @bradcypert )
OTEL forwarding to customer destinations#2756 - Customers can configure a URL and headers on the Org Logs page; a body-tee middleware mirrors every payload received on
to that endpoint. Forwarding is org-wide, async (bounded worker pool, fire-and-forget on failure), capped at 4 MiB per request, and gated behind
for writes and
for reads. Header values are encrypted at rest. (Author: @chase-crumbaugh )
Slack Block Kit messages with interactive replies#2798 - Outbound Slack messages can now render rich Block Kit content.
and
accept an optional typed
field (section, actions plus button, context, divider) alongside the text fallback. Button clicks come back as
interactions on the existing Slack trigger webhook and reach the assistant as a new turn carrying
WorkOS-native authentication#2669 - Removes the legacy Speakeasy IDP authentication layer and migrates to WorkOS-native auth. Authorization, token exchange, and session management now go directly through the WorkOS SDK instead of the intermediate Speakeasy IDP proxy. Deterministic UUIDv5 user and org IDs bridge cross-system identity without runtime lookups. Adds OAuth CSRF nonce validation and a browser-binding cookie to the login flow. (Author: @adaam2 )
Always-on platform toolset for assistants#2719 - Every assistant now exposes a platform toolset to its runtime alongside its user-attached toolsets, with no user-facing toolset row and no setup required. The
product feature flag is removed; assistant memory tools are always-on. (Author: @danielkov )
Self-healing corrupt chat history#2805 - Assistants now self-heal when the inference provider rejects a chat as malformed: the runtime trims history to the last 5 user messages, prepends a recovery notice that nudges the agent to recover lost context via its tools, and retries instead of leaving the thread stuck. (Author: @danielkov )
Multiple GitHub collaborators on plugin publish#2611 - The publish dialog accepts a list of usernames as chips, and the
Audit log webhooks#2815 - Adds support for configuring webhooks to deliver audit log events to external destinations. (Author: @disintegrator )
Employee token observability dashboard#2716 - Repurposes the Agents insights tab into an employee token observability dashboard. Shows per-employee token consumption, estimated cost, tool usage breakdown, and platform/model distribution. Clicking an employee row opens a detail dialog with model-level usage, time-series charts, and tool breakdown. Results can be scoped to specific coding tools like Cursor or Claude Code. (Author: @subomi )
Split assistant onboarding name and personality steps#2818 - Onboarding now asks for the assistant's name and personality as two separate steps instead of one combined card. When the user has already named the assistant in chat, the agent skips the name picker and goes straight to the personality step. (Author: @danielkov )
MCP servers listing search#2820 - Adds a search bar to the MCP servers listing page. (Author: @bflad )
Identity tab refresh#2755 - Renames the org "Security" tab to "Identity" and refreshes the SSO and Directory Sync cards: drops the SAML-specific branding, replaces the hover popover with a tooltip on a fully clickable Configure button, and captures an
ML prompt-injection classifier (opt-in)#2667 - Adds an opt-in L1 ML prompt-injection classifier (deberta-v3) that runs alongside the heuristic baseline. Enable the new "ML classifier (deberta-v3)" rule under the Prompt Injection category. Detection runs in a sidecar service. (Author: @vishalg0wda )
filter and can return direct external MCP tools, unblocking the toolset editor's "Add Tools" picker for tools from already-attached external MCP servers. (Author: @walker-tx )
Onboarding chat connects to all MCP servers#2736 - The assistant onboarding chat now connects to every MCP server attached to the assistant, not just the first one, so the agent can call tools across all configured toolsets. (Author: @danielkov )
Bug fixes
Remove public MCP server cap on unpaid plans#2822 - Removed the 1-public-MCP-server cap on accounts without an active subscription. Users can now enable as many public MCP servers as they want on any plan. (Author: @danielkov )
Harden AnalyzeBatch against Presidio degradation#2770 - Hardens batch risk analysis against Presidio degradation. (Author: @bflad )
Spill oversized MCP tool results to disk#2797 - The assistant runtime now spills oversized MCP tool results to a file inside the assistant workdir instead of letting them 413 the provider. The in-band tool result is replaced with a pointer (
) so the model can read or grep the full output via the filesystem tools. (Author: @danielkov )
Drop trigger dispatches for deleted assistants#2802 - Drops trigger dispatches whose target assistant has been deleted instead of failing the activity. (Author: @danielkov )
Plugin re-publish refreshes installed clients#2804 - Every plugin manifest now ships with a per-publish version (
) instead of a hardcoded
, so Claude Code, Cursor, and Codex marketplace clients see a newer version on republish and pull updated content. (Author: @bradcypert )
Order Slack credential prompts to match Slack UI#2817 - Onboarding now asks for Slack credentials in the order users encounter them in Slack's UI: Signing Secret first, then Bot User OAuth Token, then User OAuth Token. (Author: @danielkov )
Prevent transient 404 after deleting MCP toolset#2826 - Prevents a transient "toolset not found" error from appearing immediately after deleting an MCP server's toolset. (Author: @bflad )
Disable Create Assistant when missing permissions#2752 - Disables Create Assistant buttons in the dashboard when the user lacks the permissions needed to create one, with a tooltip explaining why. (Author: @danielkov )
config option that connects a single chat to multiple MCP servers, merging and namespacing tools so identical names do not collide.
Features
Multi-MCP server support in chat config#2736 - Adds an
config option that connects a single chat to multiple MCP servers. Tools across servers are merged and namespaced as
so identical names do not collide; each entry can pin its own
slug. When set,
takes precedence over the existing single-server
option, which continues to work unchanged. (Author: @danielkov )
Bug fixes
Drop tool calls missing
#2736 - Drops persisted tool calls that arrive without a
instead of giving them an empty-string id. Previously two such parts in the same restored thread would alias under the same key and the runtime would throw "Tool call argsText can only be appended, not updated" while loading the chat. (Author: @danielkov )
This patch release unifies the Observe filter bar across Insights, Tools, and Logs views, rebuilds the assistant Slack install step into two clearer cards, and auto-enables MCP on toolsets attached to assistants.
Features
Unified Observe filter bar#2616 - Unifies the Observe filter bar for Insights Tools and Logs Tools views; server, email, and type filters are now multi-select dropdowns with OR semantics. (Author: @alx-xo )
Slack install step split into install + tokens cards#2735 - Rebuilds the assistant-onboarding Slack install step as two separate cards: an install card (workspace pick, install, Event Subscriptions Retry) followed by a tokens card. Copy rewritten for non-technical users, with the Event Subscriptions Retry step called out as the most common silent failure. (Author: @danielkov )
Bug fixes
Auto-enable MCP on assistant-attached toolsets#2722 - Auto-enables MCP on toolsets when they are attached to an assistant, so the runtime can build a startup config without manual toggling. (Author: @danielkov )
PostHog disposition person property#2728 - Tags users who sign up with
with a PostHog person property so the assistants feature flag can target them. (Author: @danielkov )
Long-running assistants with context compaction and self-wake triggers
This release brings token-aware context compaction so long-running assistants can keep going past the original window limit, introduces one-shot wake triggers that let an assistant schedule its own resumption, and fixes the assistant Slack onboarding flow end-to-end.
Features
Token-aware context compaction#2674 - The assistant runtime now compacts conversation history as it approaches the model's context window: older turns are summarized so long-running assistants can keep going past the original window limit. System prompt, context items, and the most recent turns are preserved. (Author: @danielkov )
One-shot wake triggers#2709 - Adds wake triggers: one-shot self-wakes that an assistant schedules from inside its own turn to resume work later. New
and
tools let an assistant set a future fire time (up to 30 days out) with an optional self-note; when the wake fires, dispatch lands on the same thread it was scheduled from. (Author: @danielkov )
WorkOS webhook ingestion#2690 - Adds an endpoint to consume WorkOS webhooks to sync data from WorkOS. (Author: @tgmendes )
Bug fixes
Slack onboarding install reliability#2711 - Assistant onboarding now installs a Slack app reliably end-to-end: the install card stays in view until the user clicks "I've installed it", a single approval grants both the bot and user OAuth tokens, and the generated manifest can no longer be rejected by Slack. Slack-touching assistants now get a Slack trigger by default. (Author: @danielkov )
