Follow us on to be up to date with the latest changes.
v1.36.0
Elements
// June 12, 2026
Replies that type onto the screen, even over polling transports
Chat now feels alive on poll-based transports: replies stream onto the screen token by token while a set of whimsical "thinking" verbs cycles during the wait, and tool call cards stay put instead of flashing as the assistant works.
Features
Streaming-feel replies over polling#3381 - Assistant replies now type onto the screen token by token, emulating an SSE stream over the poll-based transport, and a rotating set of whimsical "thinking" verbs shows progress while the assistant works. (Author: @simplesagar )
Bug fixes
Tool call cards no longer flash mid-turn#3391 - Cards no longer reset — collapsing and re-highlighting their code — when a streaming turn grows a single tool call into a group, and they no longer re-render on every text chunk. (Author: @danielkov )
Tokens under management billing, risk exclusions for false positives, and assistants that respond instantly
Enterprise organizations can now track token consumption against their contracted allowance with a 12-cycle usage history, false-positive risk findings can be suppressed with scoped exclusions, and assistants boot their runtime at creation time and upgrade while idle — so the first message and every message after a deploy stop paying a cold-start wait.
Features
Tokens under management billing for enterprise orgs#3352 - The billing page now shows enterprise organizations their token consumption for the active billing cycle against the contracted monthly allowance, with a usage-history bar chart covering the trailing 12 billing cycles at day or cycle granularity. Usage is computed from a durable per-chat daily aggregate retained for 2 years, so historical cycles stay accurate, and platform admins can set the contracted limit and billing cycle anchor. (Author: @chase-crumbaugh )
Suppress false-positive risk findings with exclusions#3253 - Exclude findings by exact value, regex, rule ID, source, or entity type, scoped per-policy or globally. Exclusions apply to new scans immediately and retroactively flag existing findings, and removing an exclusion restores them — all manageable via the new
Assistants respond from the first message#3364 - Assistants now boot their runtime as soon as they're created, so the first message no longer pays the cold-start wait. (Author: @danielkov )
No upgrade tax after deploys#3375 - Assistant runtime VMs roll onto new runtime images right after a deploy, while they sit idle, so your next conversation turn doesn't pay the image upgrade cost. (Author: @danielkov )
Long-running assistants stay fast#3229 - Scheduled assistants summarize their conversation history after every run, and interactive threads compact earlier, so long-lived schedules and conversations no longer slow down or risk hitting model limits. (Author: @danielkov )
Unified Tools insights#3369 - Tools insights now cover hosted MCP servers, shadow MCP servers, local tools, and skills in one place. (Author: @alx-xo )
Project Assistant replies stream in live#3381 - Replies now type onto the screen token by token while the assistant cycles a set of whimsical "thinking" verbs, so you see progress instead of a silent wait. (Author: @simplesagar )
Watch the Project Assistant work#3389 - Tool calls and their results now render in the side panel as they happen, so you can see which tool the assistant is calling instead of the conversation sitting silent until the final reply. (Author: @danielkov )
Distribute MCP servers during onboarding#3327 - A new onboarding step lets teams search the MCP catalog and distribute selected servers to their organization during setup, with OAuth servers auto-configured along the way. (Author: @adaam2 )
Auto-configured identity for custom remote MCP servers#3339 - When OAuth metadata can be discovered for a custom remote MCP server, Gram now configures the remote identity provider automatically, reusing existing issuers and deriving a display name from the issuer URL. (Author: @walker-tx )
Prompt-based risk policies cover every message type#3382 - LLM-judge policies are no longer locked to tool requests: the judge runs on whatever message types a policy declares — user messages, tool requests, tool responses, and assistant messages — and the policy form lets you choose them. (Author: @vishalg0wda )
Smarter, hardened LLM-judge evaluations#3384 - The judge now receives the message type and, for tool calls, the destructured MCP server and function, so policies can target specific actors and tools. The risk view renders the judge's rationale, and the judge is hardened against adversarial input: hostile message bodies can't spoof prompt structure or pad their way to a fail-open allow. (Author: @vishalg0wda )
Filter tool traces by agent#3353 - A new Source filter on the Tools logs and insights pages narrows tool traces by originating agent — Claude Code, Cursor, Codex, and more. (Author: @simplesagar )
Easier-to-find navigation for key pages#3367 - Agent Sessions is promoted to top-level Observe navigation, Employees and Costs move to top-level navigation (#3368 ), and Risk Events moves into the Secure section (#3366 ). (Author: @alx-xo )
Check platform status from the profile menu#3392 - A new "Platform Status" link in the profile menu points to the Speakeasy status page. (Author: @simplesagar )
Every project gets its own device-agent marketplace#3337 - Marketplace names are now project-scoped, so devices in multi-project organizations receive every published marketplace, each pointing at its own project, instead of one project's marketplace silently winning. Single-project orgs keep their existing name. (Author: @bradcypert )
All org members see published plugins#3393 - Every plugin in an org's published projects is now returned to every org member, so plugins assigned via role or user principals reach devices while assignment management UI is pending. (Author: @bradcypert )
Bug fixes
Unique titles for Project Assistant threads#3350 - Thread titles no longer all render as the assistant's name; new threads get a title generated from the conversation's first turn. (Author: @simplesagar )
Prompt-based policies work for group-targeted rollouts#3356 - Organizations that enabled the
flag via a PostHog group no longer see it treated as disabled server-side, unblocking policy creation and enforcement. (Author: @vishalg0wda )
Shadow MCP access requests work across identities#3217 - Requesting access no longer fails with a 403 when the request link was minted for an agent-reported identity that differs from the authenticated dashboard user (multi-domain orgs, duplicate accounts, or shared block links). Approval stays org-admin gated. (Author: @bradcypert )
Honest Slack status updates#3390 - The Slack thread indicator no longer cycles through a fake pipeline of stages; it reports what the assistant is actually doing, one phrase at a time, updated as the work progresses. (Author: @danielkov )
Reliable trace export from assistant runtimes#3354 - Assistant runtime machines retain access to private-network DNS, so agent traces export reliably to the OpenTelemetry collector. (Author: @danielkov )
Search the whole dashboard with Cmd+K, publish Remote MCP servers to collections, and instant Slack feedback
A new command palette puts every resource and page one keystroke away, collections can now publish Remote MCP-backed servers alongside toolset-backed ones, and Slack-triggered assistants show a native "is thinking…" indicator the moment a message arrives.
Features
Global command palette on Cmd+K#3285 - Press Cmd+K (or click the new magnifying glass beside the logo) to search MCP servers, sources, deployments, environments, assistants, plugins, and admin-only risk resources, jump to any app page, or hand a free-form question off to the Project Assistant with "Ask AI". (Author: @simplesagar )
Publish Remote MCP servers to collections#3212 - Collections can now include Remote MCP-backed servers alongside toolset-backed ones: the Publishing section, create-collection form, and edit-servers picker all offer them, and the Remote MCP server settings page gains its own Publishing section. (Author: @bflad )
Slack assistants show they're thinking#3298 - Slack-triggered assistants now show a native loading indicator on the thread as soon as a message comes in, update it as they work, and clear it when the reply lands — no more wondering whether the message was received. (Author: @simplesagar )
Agent sessions sorted by latest activity#3284 - The sessions list now orders and filters by each session's most recent chat message instead of when the session was created, and shows that activity time, so active conversations stay at the top. (Author: @alx-xo )
Project Assistant on Cmd+/#3305 - The Project Assistant shortcut moves from Option+Shift+W to the much easier Cmd+/ (Ctrl+/ on PC), and the sidebar collapse button now shows its Cmd+B shortcut on hover. (Author: @simplesagar )
Inactive access rules are visually dimmed#3288 - Access rules that aren't backed by a blocking Shadow MCP policy now render dimmed so you can tell at a glance which rules are actually in effect, while their actions stay available. (Author: @alx-xo )
Standalone Slack app retired#3309 - The deprecated dedicated Slack app pages and endpoints are removed. Slack keeps working through assistants and triggers, which is the supported path. (Author: @danielkov )
Cleaner environment value tracking#3286 - The misleading
field is gone from environment entries — it was computed from already-redacted values and collided on any shared 3-character prefix, so it never reliably identified matching values. (Author: @chase-crumbaugh )
Accurate error reporting for canceled requests#3299 - When a client disconnects mid-request, the platform now records it as a client cancellation instead of a 500 server fault, so error dashboards reflect real server problems. (Author: @bflad )
Reliable platform metrics at scale#3304 - OTel counters now export delta temporality, fixing corrupted counter values in horizontally scaled deployments. (Author: @bflad )
Bug fixes
Catalog detail pages load for every server#3290 - Servers deep in the aggregated catalog list (like
) no longer return "Server not found"; the lookup now narrows the registry query so the target lands in the first page of results. (Author: @adaam2 )
Feature-flagged UI appears as soon as flags load#3283 - Flag-gated UI no longer stays hidden when a flag is enabled; the dashboard now re-renders when feature flags resolve or change. (Author: @bradcypert )
No double-clicks during pending auth#3296 - The "Give Access" button is disabled while a challenge resolution is pending, preventing duplicate auth attempts. (Author: @qstearns )
Write risk policies in plain language, export agent traces to your observability stack, and faster assistant startup
Risk policies can now be expressed as a prompt evaluated by an LLM judge instead of a fixed rule, assistant runtimes can export their traces over OTLP to Sentry, Datadog, or Honeycomb, and assistants connect to all their MCP servers in parallel so thread startup no longer grows with server count.
Features
Prompt-based risk policies with an LLM judge#3294 - Write a risk policy as a plain-language prompt and let an LLM judge evaluate tool-call messages against it, in both the realtime enforcement scanner and the batch analyzer, with findings flowing into risk results. Gated behind the
Export agent traces to Sentry, Datadog, or Honeycomb#3325 - Assistant runtimes can now export agent traces — turns and tool calls — over OTLP to any OpenTelemetry-compatible backend, with gRPC and HTTP transports supported and traces tagged with their assistant and project. (Author: @danielkov )
Assistants start threads faster#3338 - Assistants now connect to all of their MCP servers in parallel when a thread starts, so startup time no longer grows with the number of servers and one slow or unreachable server can't stall the rest. Hung servers fail fast against connect and handshake timeouts. (Author: @danielkov )
Configure guardrails during onboarding#3265 - A new Configure policies onboarding step lets teams enable the Shadow MCP guardrail and per-category detection policies (secrets, PII, prompt injection) directly during setup. (Author: @adaam2 )
Display names and logos for remote session issuers#3336 - Remote session issuers can now carry an optional display name and logo, rendered as the primary label with the issuer URL as the secondary line. On the attach sheet, the display name auto-derives from the issuer URL hostname until you edit it. (Author: @bflad )
Risk policy bypass requests are enforced at runtime#3236 - The bypass request workflow introduced in v0.66.0 is now wired into runtime access checks, so an approved bypass actually grants access. (Author: @tgmendes )
Clearer audit log event names for access workflows#3287 - Shadow MCP approval requests and access rules now emit generic
and
webhook events; the old Shadow MCP-specific names remain available for compatibility. (Author: @alx-xo )
Bug fixes
MCP auth prompts go to the assistant's owner#3324 - OAuth links for an assistant's MCP servers are now delivered to the assistant's owner instead of whoever happened to trigger it, and anyone else is told the owner has to complete the connection — so an unexpected auth message is no longer mistaken for a failed setup. (Author: @danielkov )
Observability hook events arrive with your identity#3335 - The generated observability plugin now probes for
, the binary the device agent actually ships as, so identity enrichment works on a standard install instead of events arriving anonymously. Applies to the Claude Code, Cursor, and Codex plugin templates. (Author: @bradcypert )
No more request storm from the command palette#3318 - The Recently Visited feature no longer fires unauthenticated
requests from every page, including the login page; the lookup is gated on the palette being open and reuses the session the auth provider already fetched. (Author: @simplesagar )
Onboarding is legible in dark mode#3326 - The onboarding stepper and instrument-agents step now use theme-aware colors so text and controls remain readable in dark mode. (Author: @adaam2 )
Rewrite or hide loaded messages, brand the welcome screen, and discover tools from the composer
This release gives you control over how loaded chat history renders, lets you put your logo on the empty-thread welcome screen, and adds a tool-mention picker button so users can discover available tools without knowing to type @.
Features
Transform chat history before it renders#3240 - A new optional
hook on
runs against every message loaded from
: return a rewritten message to render it, or
to omit it. Keep backend-specific transcript conventions — like stripping server-injected framing or hiding system events — out of your rendered chat without forking the library. (Author: @simplesagar )
option renders a logo image above the title on the empty-thread welcome screen, so a fresh chat opens with your branding. (Author: @simplesagar )
Tool-mention picker in the composer#3222 - A new button next to the attachment button opens a list of available tools and inserts an @mention for the chosen one — a discoverable counterpart to the existing type-@ autocomplete. It hides itself when tool mentions are disabled or there are no tools. (Author: @simplesagar )
A sidebar-first dashboard, a fully equipped Project Assistant, and Remote MCP servers in plugins
The dashboard gets a cleaner sidebar-only layout that puts the workspace switcher, account menu, and theme toggle in one place. The Project Assistant can now answer real observability questions — searching logs, tool calls, and chats, pulling metrics, and summarizing risk findings — and plugins can distribute Remote MCP servers alongside toolset-backed ones.
Features
Sidebar-first app layout#3247 - The full-width top nav is gone: the workspace switcher, account menu, theme toggle, and a new Roadmap link all live in the sidebar, light mode is the default, and switching projects shows a loading skeleton instead of flashing an empty nav. (Author: @simplesagar )
Project Assistant answers observability questions#3218 - The Project Assistant can now search logs, tool calls, chats, and users, pull project and user metrics, list and load chats, browse the org's user directory, summarize risk findings without exposing secret content, and fetch deployment logs — so you can ask it questions like "what errored since Monday" instead of digging through pages yourself. (Author: @simplesagar )
Distribute Remote MCP servers through plugins#3269 - Plugins can now include Remote MCP-backed servers alongside toolset-backed ones. The add-server picker offers both, display names default to the backing server's name, and generated bundles emit Remote MCP servers as OAuth HTTP servers with no static auth header. (Author: @bflad )
Request a bypass when a risk policy blocks you#3224 - When a risk policy blocks an action, the request URL flow now has backend support for filing a bypass request, backed by current-state request records and principal grants. (Author: @tgmendes )
Right-click any dashboard card#3251 - Right-clicking a Plugin, Source, Environment, Assistant, Custom Tool, Prompt, or Resource card opens the same action menu as its visible button, with the same RBAC gating, so common actions are one click closer. (Author: @simplesagar )
Far fewer false-positive IP address findings#3170 - Risk scanning now consults a unified catalog of reserved ranges, public DNS resolvers, placeholder IPs, and cloud/CDN address space, suppressing about 80% of IP findings on a production sample versus roughly 10% under the previous filter — so the findings that remain are worth your attention. (Author: @mfbx9da4 )
Observability hooks attribute events to the right person#3211 - Generated observability hooks now use device-agent identity when available, so hook events arrive attributed to the actual user while existing fallbacks keep working when the daemon isn't running. (Author: @bradcypert )
Project Assistant starts lean#3264 - A new Project Assistant no longer auto-attaches every MCP server in the project; it starts with its built-in and platform tools, and admins attach the servers they actually want it to use. (Author: @danielkov )
Project Assistant understands relative time#3246 - Each conversation turn is now stamped with its timestamp, so questions like "errors since Monday" resolve correctly even in long-lived threads. (Author: @simplesagar )
Status-driven MCP server overview#3245 - The experimental MCP server details page now shows Server Address, Authentication, and Source/Tools as cards with Ready or Needs Setup signals, including an explicit authentication posture that flags a public server with no remote identity as unsecured. (Author: @walker-tx )
Bug fixes
Faster, cleaner Project Assistant threads#3240 - Replies now surface within a few hundred milliseconds for short turns thanks to adaptive polling, reopened threads no longer show raw internal framing blocks, and thread titles are generated from the conversation instead of fixating on boilerplate. (Author: @simplesagar )
No more duplicate endpoints in the catalog Add Server dialog#3262 - Registry entries that expose the same streamable-http URL twice (like Datadog's OAuth and API-key variants) now collapse to a single checkbox, matching how deploys already resolved them. (Author: @adaam2 )
This release backs Elements chat with a server-side assistant, the foundation for replacing AI Insights with the Project Assistant. Unlike the old AI Insights sidebar, the Project Assistant is a complete, full-featured assistant like any other you host on the platform — with the backend now owning conversation ids and history while the UI stays in sync.
Guided enterprise onboarding, runtime tool filtering, and a configurable marketplace name
This release adds a five-step enterprise onboarding wizard that takes a new org from SSO to live traffic, lets MCP clients filter exposed tools at request time, and makes your plugin marketplace name configurable per project.
Features
Enterprise onboarding wizard#3079 - A new wizard at
walks a new org through SSO via WorkOS, directory sync, publishing a private plugin marketplace to GitHub, instrumenting each agent platform (Claude Code, Claude Cowork, OpenAI Codex, Cursor) with auto-generated keys, and confirming traffic is flowing. It resumes on the deepest incomplete step, includes a typeahead GitHub-user picker for marketplace collaborators, and ships an enterprise-admin invite email that deep-links recipients straight into the wizard. (Author: @adaam2 )
Filter exposed MCP tools at request time#3164 - The public
handler now accepts a
query parameter (comma-separated, union) to expose only the tool variations matching those tags, resolved from the server's or toolset's variation group with a project default fallback. (Author: @bflad )
See tool filtering on the MCP details page#3213 - The Tools tab now shows a read-only scopes panel when filtering is enabled, listing the available filter tags with their member tools and the tools excluded from every filter, with a tag chip to filter the list below. (Author: @bflad )
Configurable marketplace name per project#2964 - A new Marketplace settings dialog lets you rename a project's generated plugin marketplace; the default is now
so marketplaces stay unique across customers. Saving an override on a project with a published marketplace auto-republishes the manifest to GitHub. (Author: @chase-crumbaugh )
Project Assistant turns run as the sender#3216 - Assistant turns sent from the dashboard now run under the sending user's identity, so MCP tool calls, audit attribution, and per-user RBAC reflect who actually sent the message rather than whoever first enabled the assistant. (Author: @danielkov )
Project Assistant reads from the chat service#3204 - The dashboard Project Assistant now reads its conversation directly from the chat service:
takes an optional
to continue a thread or omits it to start one, and replies surface as plain assistant messages from
Project Assistant available out of the box#3202 - A new
endpoint provisions a project's built-in Project Assistant on first access, so the dashboard sidebar resolves it without manual setup. (Author: @simplesagar )
Bug fixes
Imported remote MCP sources serve traffic immediately#3179 - Importing a remote MCP server as a source now auto-creates a default endpoint, so the server is ready to serve once enabled instead of requiring you to add an endpoint by hand. (Author: @walker-tx )
Preserve Authorization header for passthrough tools#3177 - A configured Authorization header on external MCP passthrough tools is no longer overwritten by the gating OAuth token. (Author: @walker-tx )
Consistent Insights and Logs filter dropdowns#3183 - The filter dropdowns on the Insights and Logs pages no longer race two filters against each other, so valid matches stop falling into "No results found" and the list recovers when characters are deleted. (Author: @simplesagar )
Insights counts only workspace members#3184 - The Employees and Role views in Insights now exclude impersonating superadmins that previously appeared as a raw UUID. (Author: @danielkov )
Clearer Shadow MCP rule delete dialog#3191 - Improves the confirmation dialog for deleting Shadow MCP access rules. (Author: @alx-xo )
Consistent release-stage badges#3180 - Preview and beta badges now render consistently in the side nav and tab navigation. (Author: @alx-xo )
no longer returns a 500 in production, now that WorkOS connection and directory lookups use the official WorkOS Go SDK and the correct endpoints. (Author: @adaam2 )
Reliable organization invite emails#3190 - Organization invite emails now fall back to a non-empty inviter name when the inviter's display name is blank, preventing rejected invites. (Author: @bradcypert )
MCP server tool filtering, a self-service device agent page, and sharper risk targeting
This release lets you filter the tools an MCP server exposes using variation groups, adds an org-level page for rolling out the Speakeasy device agent, and gives risk policies finer control over which messages they scan.
Features
Filter MCP server tools with variation groups#3162 - Enable and configure tool filtering on an MCP server through new management APIs and dashboard UI, so each server exposes only the tools you want from a shared toolset. (Author: @bflad )
Self-service device agent rollout page#3070 - A new org-level Device Agent page gives per-OS install instructions, an MDM
configuration reference, and self-service
generation, so admins can deploy the Speakeasy device agent and copy a ready-to-paste config without leaving the dashboard. (Author: @bradcypert )
Target risk policies by message type#3133 - Risk policies can now scope enforcement and batch scanning to user messages, tool requests, tool responses, or assistant text, so you only screen the traffic that matters for a given rule. (Author: @vishalg0wda )
Filter risk events by user#3165 - The Risk Events page adds a "User contains..." search box that filters findings by the chat's external user id, alongside the existing policy and rule filters. (Author: @simplesagar )
Send a message to a project assistant#3138 - A new endpoint lets a dashboard user message an assistant and poll for its asynchronous reply, with a correlation key to pick the conversation thread and an idempotency key so a retried send is never enqueued twice. (Author: @simplesagar )
Bug fixes
OAuth handlers resolved for /mcp/<slug>#3136 - The
OAuth flow now resolves its handlers via
with a toolset fallback, so OAuth-gated servers complete the handshake reliably. (Author: @bflad )
Tools load on issuer-gated private servers under RBAC#3174 - RBAC grants are now prepared for issuer-gated private remote MCP servers, so
and
no longer fail and return zero tools for RBAC-enforced callers. (Author: @bflad )
Audit logs page scopes AI Insights setup to a project#3163 - The audit logs page no longer calls
without a project slug from org-level routes, fixing AI Insights setup there. (Author: @bradcypert )
component now renders external links inline with the surrounding text instead of stretching them to full width and pushing trailing punctuation to a new line. (Author: @bradcypert )
Workforce observability graph, project-aware AI Insights, and plugin distribution by email
This release adds an employee data-flow graph for seeing how your workforce uses agents, points the AI Insights sidebar at every toolset in your project, and lets admins hand out Claude Code plugins to people by email address.
Features
Employee data-flow graph#3111 - A new workforce observability view visualizes how employees and agents move data across your tools, so you can see usage patterns at a glance instead of reading raw logs. (Author: @subomi )
AI Insights sidebar connects to all project toolsets#3123 - The AI Insights sidebar now talks to every toolset configured in your current project instead of a single hardcoded server, so it answers questions using your real tools out of the box. (Author: @simplesagar )
Distribute Claude Code plugins by email#3088 - Assign published plugins to people by email address and let the Speakeasy device agent pull them into Claude Code automatically. Mint the required
-scoped API key from the same API Keys page you use for every other scope. (Author: @bradcypert )
Organization-level remote session issuers#3108 - Manage remote session issuers at the organization level through a new
service, so identity configuration can be shared across projects in an org. (Author: @bflad )
Per-project managed assistant#3125 - Toggle a platform-managed assistant for a project that comes preloaded with the Insights prompt and every MCP-reachable toolset attached, with safe enable and disable that you can flip on and off without leaving anything behind. (Author: @simplesagar )
Bug fixes
No Speakeasy key prompt on OAuth-gated private servers#3156 - MCP install pages for private servers that delegate identity to a user session issuer no longer ask for a Speakeasy API key, since OAuth already handles authentication. (Author: @walker-tx )
External proxy MCPs appear in the role picker#3132 - External MCP proxy servers now show up in the "Specific MCP Servers" picker when creating an access role and no longer display a misleading "No Tools" badge before their tools can be enumerated. (Author: @mfbx9da4 )
Per-assistant Slack onboarding, risk-only trace filtering, and resilience fixes
This release adds a per-assistant Slack setup card with capability and event selection, brings a risk-only toggle to trace panels, and ships a batch of resilience fixes around model completions, OAuth metadata, and remote session scoping.
Features
Per-assistant Slack setup with tuned warm runtimes#3063 - A new Slack setup card lets operators pick capabilities (send, read, react, and more) and which events wake the assistant up, then provisions a dedicated per-assistant Slack toolset instead of reusing a shared one. The card warns about always-on event firehoses, and the onboarding agent offers plain-English filter narrowing after Slack install. New assistants now default to five concurrent warm runtimes and a 60-second warm TTL so they handle bursts without queueing while reclaiming idle resources faster. (Author: @danielkov )
Risk-only trace filter#3121 - Adds a risk-only toggle to trace panels and deep-linked Risk Events that open with risk filtering enabled. (Author: @alx-xo )
Bug fixes
Retry empty model completions#3129 - Retries chat completions when the upstream model returns an empty response and reports the upstream details when it still fails, reducing transient playground and chat errors. (Author: @danielkov )
Project-scoped Remote OAuth client lookups#3090 - Remote OAuth client lookups no longer surface clients whose bound user session issuer lives in a different project or has been soft-deleted. The legacy fallback path now scopes both the client and its user session issuer to the request's project and excludes soft-deleted records, matching the join-table read path. (Author: @walker-tx )
OAuth metadata resolved via mcp_endpoints#3118 - Resolves
Custom detection rules with a rule playground, Shadow MCP access controls, and /mcp endpoints
This release adds AI-assisted custom detection rules with a built-in rule playground, ships management APIs, runtime enforcement, and a dashboard for Shadow MCP access rules, and serves MCP endpoints from
with a fallback to the legacy toolsets lookup. (Author: @bflad )
AI-suggested custom detection rules with a rule playground#2992 - Adds a
endpoint that turns a one-line description into a prefilled custom detection rule, landing the operator in an editable review form with a suggested rule ID, title, description, regex, and severity. A new rule playground lets operators paste a sample into the Detection Rules detail sheet and run it through the same scanner code (gitleaks, Presidio, prompt-injection, regex) the worker uses via the
Shadow MCP approval requests and access rules#2763 - Adds management APIs for Shadow MCP approval requests and access rules, backed by a Redis-backed access store. (Author: @alx-xo )
Runtime enforcement of Shadow MCP access rules#2771 - Enforces Shadow MCP access rules at runtime, allowing approved access rule exceptions while preserving existing block policy behavior. (Author: @alx-xo )
Shadow MCP access rules dashboard#2831 - Adds a dashboard UI for reviewing Shadow MCP requests and managing project-scoped access rules. (Author: @alx-xo )
Tool variations menu on the source Tools tab#3083 - Adds a tool variations menu to the source detail Tools tab. (Author: @bflad )
Bug fixes
Full Svix portal capabilities for admins#3074 - The Svix app portal now correctly grants full capabilities to org admins and read-only access to non-admin members, fixing an inverted capability check and an earlier empty-capabilities slice that resulted in read-only sessions. (Author: @disintegrator )
Login journey for allowed orgs#2949 - Fixes the login journey for allowed orgs. (Author: @dennnis-ez )
Clearable logs filter search bars#3096 - Logs filter search bars can now be cleared with the Escape key or by emptying the box, not just the × button, across the MCP Server Logs filter bar and the shared search bar. Escape only clears when there is text to clear, so an empty box lets the key bubble up to close a surrounding popover. (Author: @simplesagar )
Sidebar nav hover highlight#3092 - Fixes the sidebar nav hover highlight snapping back to the active route when moving between items. (Author: @alx-xo )
Function tool tags, SSO and SCIM feature flags, and Remote MCP authentication UI
This release ingests tags declared on Gram Function tools and exposes them through the management API, adds SSO and SCIM feature flags backed by WorkOS event sync, and ships an authentication UI for Remote MCP-backed servers.
Features
Tags on Gram Function tools#3031 - Ingests tags declared on Gram Function tools, both the top-level
field on the manifest and
on the TypeScript framework
, and exposes them through the management API. The playground tool editor now opens for function tools the same way it does for HTTP tools. (Author: @bflad )
SSO and SCIM feature flags with WorkOS event sync#3061 - Adds product feature toggles for SSO and SCIM to admin settings. The Identity page shows connection status and gates configure buttons on these flags, and the Team page invite button is disabled when SSO is active. WorkOS event processing now handles all SSO connection and SCIM directory sync lifecycle events. (Author: @adaam2 )
Authentication UI for Remote MCP-backed servers#3008 - Adds a remote-based MCP server authentication UI for configuring credentials against Remote MCP-backed servers. (Author: @bflad )
Abbreviated metric card numbers#3045 - Metric cards now display abbreviated numbers such as 1.5K and 2.3M instead of raw comma-separated values. (Author: @alx-xo )
Bug fixes
Stable assistant runtime image tags#3056 - Tags the assistant runtime image with a content hash so deploys that do not change the runtime image sources reuse the existing Fly machines instead of recycling them on every commit. (Author: @danielkov )
Triggers page handles fired and cancelled wake triggers#3016 - Fixes the triggers page failing to load whenever a wake trigger has fired or been cancelled. The status enum now includes
,
,
, and
, and the triggers page renders distinct badges for fired and cancelled triggers instead of mislabelling them as Paused or surfacing a generic response validation error. (Author: @danielkov )
AI Insights for risk findings, Cursor cost and token tracking, and multi-role RBAC
This release brings risk-aware suggestions into the dashboard's AI Insights sidebar on the Security Overview and Policy Center pages, adds Cursor support to the Insights Employees and Costs tabs, and ships multi-role assignments for RBAC.
Features
AI Insights for risk findings#2922 - The dashboard's AI Insights sidebar now surfaces risk-aware suggestions on the Security Overview and Policy Center pages, letting the assistant reason over recent policy findings without seeing raw secrets. Findings are read through a redacted endpoint that replaces the
field with an opaque fingerprint of the form
, so identical secrets are still dedupable across findings while their content stays hidden, and a system-prompt rule bars the assistant from echoing redacted values verbatim. (Author: @simplesagar )
Cursor cost and token tracking in Insights#2923 - Organization admins can now connect a Cursor Admin API key, and Cursor token and cost usage flows into the Insights Employees and Costs tabs alongside Claude Code data. An hourly job pulls usage events from Cursor so per-employee cost and token totals stay current. (Author: @subomi )
Multi-role RBAC#2982 - Users can now be assigned multiple roles simultaneously, replacing the previous single-role assignment model. (Author: @adaam2 )
so remote MCP traffic can be observed and shaped through the same interceptor pipeline as tool calls. (Author: @bflad )
Expanded onboarding personality picker#2980 - Expands the assistant onboarding personality picker with Brad and Walker, rebalances Quinn against Nolan and Daniel, and groups team voices into a compact chip row above the generic preset cards. (Author: @danielkov )
Bug fixes
Source Activity panel for Remote MCP sources#2819 -
now accepts an optional
filter so callers can scope summary, time-series, and per-tool breakdown metrics to a single Remote MCP source.
tools/call traffic also writes a structured row to ClickHouse
per invocation, and the Source Activity panel on the Remote MCP source overview shows real telemetry for the last 7 days. (Author: @bflad )
Explicit user-identity opt-in for public MCP authorize#2971 - Public-MCP
now accepts a
query parameter that forces the caller through the IDP so the resulting session is bound to a user subject rather than an anonymous one. Without the parameter, public-toolset
continues to mint an anonymous subject. The assistant runtime sets the parameter when initiating MCP authorization flows against Gram-served endpoints so subsequent tool calls can be attributed to the user. (Author: @danielkov )
Owner-only OAuth in the assistant system prompt#2984 - Assistants are now instructed to treat OAuth/MCP authentication as owner-only and to avoid pre-emptively prompting for auth on toolsets they have not yet needed. (Author: @danielkov )
Always emit
in JSON-RPC success responses#3007 - Always emits the
field in JSON-RPC success responses from the MCP server. Empty-result handlers (notably
) previously sent
, which violated JSON-RPC 2.0 and the MCP spec — Cursor's MCP SDK rejected those frames with
zod errors and dropped the transport to a failed state after each keep-alive ping. (Author: @walker-tx )
Resilient assistant-runtime reaper for Fly Machines#3019 - Bounds each Destroy/List call against the Fly Machines API by its own timeout, and uses a Temporal heartbeat for liveness on the janitor activity rather than relying on a short overall timeout that turned tombstone-machine hangs into elevated workflow-failure alerts. (Author: @danielkov )
Server-side OAuth metadata discovery for Remote MCP and a redesigned org home
This release adds an RFC 9728 OAuth Protected Resource Metadata discovery endpoint for Remote MCP servers, brings tag editing into the playground tool editor, migrates dashboard tables to Moonshine, and ships a redesigned org home with favorites and a contributor facepile.
Features
Server-side OAuth Protected Resource Metadata discovery for Remote MCP#3032 - Adds the
endpoint that probes a remote MCP server for an RFC 9728 OAuth Protected Resource Metadata document server-side under
. External resource servers are unlikely to allowlist the Gram dashboard origin via CORS, so discovery moves to the backend, following RFC 9728 §3.1 path-style and origin-style discovery and returning typed unavailability codes with backend-composed user messages. (Author: @bflad )
Tag editing on tool variations#2962 - Exposes tags on tool variations and adds a tags row to the playground tool editor for HTTP tools, with chip input, base-source quick-add, an override indicator, and a reset-to-source affordance. (Author: @bflad )
Dashboard tables migrated to Moonshine Table#3004 - Migrates dashboard tables to Moonshine Table with sortable insights columns and removes the legacy table wrapper. (Author: @alx-xo )
Redesigned org home with favorites and contributor facepile#3014 - Redesigns the org home page with a two-column layout. The left rail shows compressed Recent challenges and Recent activity, while the right column shows projects as a thin rectangular stack or a 1/2/3-column card grid (toggle persisted in localStorage). Each project row or card shows the most recent audit-log action with a hover tooltip for full UTC and local timestamps, a facepile of up to 10 active contributors, a star to favorite or unfavorite, and a kebab menu. A new Add New dropdown next to the search bar offers Project, Team member, and Role, gated by
Deterministic UUIDv5 org IDs from WorkOS#3023 - Derives org IDs as deterministic UUIDv5 from the WorkOS org ID during Register and auto-provisioning, replacing the previous
format which was not a valid UUID. (Author: @adaam2 )
Preserve theme and project favorites across logout#3034 - Preserves theme and saved project favorites when logging out, so visual preferences and starred projects survive the next sign-in. (Author: @alx-xo )
This patch pulls in the shared Risk overview analytics pieces so the Elements bundle stays aligned with the platform.
Bug fixes
Risk overview summary metrics, charts, and trend data#2912 - Picks up the shared summary metrics, charts, and trend data for recent policy findings on the Risk overview. (Author: @alx-xo )
Configurable upstream OAuth audience and scope on remote session clients#2941 - Adds nullable
and
columns on
and surfaces them on the management API. When
is set, the upstream OAuth dance attaches the
parameter to the authorize redirect, authorization-code-to-token exchange, and every refresh-token request. When
is set, the dance requests those scopes instead of echoing the issuer's full
, which avoids over-granting access on providers that advertise broad scope sets. (Author: @qstearns )
Notes on cron triggers#2955 - Cron triggers now accept an optional
field, matching wake triggers. The note is included in every scheduled tick the assistant sees, so one assistant can carry multiple cron triggers with distinct per-schedule steering — for example, "run daily digest" versus "check deploy status". (Author: @danielkov )
Risk overview analytics#2912 - Adds summary metrics, charts, and trend data for recent policy findings on the Risk overview. (Author: @alx-xo )
Assistant spec panel links MCP server rows#2972 - The Assistants spec panel now links each attached MCP server to its MCP details page, so the draft view jumps straight to inspect or configure the server. (Author: @danielkov )
Toggle assistant active state from the list#2974 - The active/paused indicator on each assistant card is now an interactive switch — pause or resume an assistant directly from the assistants list without opening it. (Author: @danielkov )
Bug fixes
Hook source on Claude Code usage metrics#2968 - Fixes the token graph blanking when filtering by agent type on /insights/costs by including the
attribute on Claude Code usage metrics. (Author: @simplesagar )
Better server names and inspection in hooks logs#2990 - Extracts server names from MCP configs in hooks logs and improves the UI for inspecting individual logs. (Author: @chase-crumbaugh )
One assistant thread per Slack top-level message#2951 - Slack-triggered assistant chats now open a fresh assistant thread for each top-level message instead of folding distinct conversations onto a single per-channel thread. Top-level Slack messages and DMs used to share one Gram thread — and one Fly runtime — per channel, so unrelated users' messages bled into the same context window. (Author: @danielkov )
Ephemeral Slack button for MCP re-auth#2959 - Assistants on Slack now surface MCP OAuth re-auth via an ephemeral Block Kit button instead of dumping the raw URL into the thread, so only the user that needs to authenticate sees the prompt. (Author: @danielkov )
Quick jump from an assistant to its agent sessions
This release adds a "Sessions" quick link on the Assistants spec panel, so inspection of an assistant's recent agent runs is one click away.
Features
Sessions quick link on the Assistants spec panel#2973 - The Assistants spec panel now has a "Sessions" quick link that opens Agent Sessions filtered to that assistant. (Author: @danielkov )
as an optional auth method in remote session negotiation, broadening compatibility with upstream OAuth providers. (Author: @qstearns )
Bug fixes
Restore OAuth proxy auto-configure#2928 - Keeps the OAuth wizard auto-configure path on OAuth Proxy setup with DCR credentials, even when user-session onboarding is enabled for the organization. (Author: @walker-tx )
Agent log drawer accessibility#2929 - Adds a drawer title to the chat detail panel, resolving agent log drawer accessibility warnings. (Author: @alx-xo )
Issuer-gated remote MCP, OAuth for assistant tools, and full Slack write access
This release wires
into per-server OAuth via
, lets assistants complete MCP OAuth mid-task, closes the Slack write-tools gap, and adds an early Remote MCP server management UI behind a feature flag.
Features
Issuer-gated
and full OAuth surface per server#2926 - Adds an optional
on
and
. When set,
requests without a valid Authorization receive 401 and a
pointing at
, and the full dynamic client registration, authorize, IDP callback, consent, token, and revoke surface is mounted under
. Both well-known metadata routes return the issuer-gated shape for any addressed server with an issuer set, including remote-backed servers. The
helper now also registers
so remote-OAuth servers reached via
can complete the upstream callback. (Author: @bflad )
Assistants relay MCP OAuth links mid-task#2935 - When a configured MCP server requires user authentication, the assistant relays the authorization link through an available output tool, then reconnects and continues its task once the user completes authentication. (Author: @danielkov )
Slack assistants gain full message and channel lifecycle tools#2887 - Slack assistants can now edit, delete, and send ephemeral messages; pull permalinks; open DMs; create, join, leave, invite, archive, and rename channels; and manage pins, bookmarks, usergroup membership, reminders, file uploads, canvases, and presence/DND. Closes the previous gap where assistants could read Slack but barely write to it. (Author: @danielkov )
Remote MCP-backed server management UI#2717 - Adds the initial dashboard UI for managing Remote MCP-backed MCP servers, gated behind the
Deny rules in the RBAC role editor#2946 - Admins can now grant broad access in a role and then carve out specific resources or tools that the role should not access. (Author: @adaam2 )
Bug fixes
Disable OpenRouter reasoning across completion paths#2950 - Chat completions no longer generate hidden reasoning tokens. OpenRouter could route requests through models that produced reasoning output Gram discarded before storage while still billing for it. The proxy and every internal completion caller — chat title generation, the Slack agent loop, risk policy naming, and structured object completion — now explicitly disable reasoning. (Author: @danielkov )
markers off the request body before forwarding to OpenRouter, so every Anthropic call billed at the full input rate. Markers are now preserved at the top level, on tool definitions, and on message content blocks, so Claude requests with stable prefixes can serve from cache. (Author: @danielkov )
Assistants can update their own triggers#2885 - Calling
on an existing trigger previously returned a generic internal error because the assistant's scoped tool was being swapped for a stricter variant. As a side effect, an assistant's trigger list no longer leaks sibling assistants' triggers in the same project. (Author: @danielkov )
Attribute outbound OpenRouter completions#2952 - Outbound OpenRouter chat completions now carry a session ID, user, source metadata, and distributed-trace identifiers so OpenRouter's dashboard can group requests per conversation and roll up cost per customer, and so Datadog traces correlate with OpenRouter's request records. (Author: @danielkov )
Version outbox event names#2944 - Deprecates obsolete outbox event types and adds explicit versioning in the name scheme. In particular,
Preserve token graph data while filtering by agent type#2936 - Fixes the token graph blanking when filtering by agent type on /insights/costs. Claude Code usage metrics were missing the
attribute, so the filter returned no data for non-Cursor agents. (Author: @simplesagar )
This release surfaces a clear message when an organization runs out of chat credits and exposes utilities so downstream consumers can react to the same condition.
Features
Credits-exhausted message and stream error exports#2921 - When an organization runs out of chat credits, the thread now renders a clear credit-limit message instead of silently stopping the stream on a 402 from the gateway. New
and
exports let downstream consumers detect and react to the same condition. (Author: @simplesagar )
Webhooks catalog, collections RBAC, and team invitations
This release introduces a typed webhooks catalog for audit log events, enforces RBAC on the collections API, normalizes risk finding identifiers across scanners, and ships a DB-backed team invitation flow with trusted domain guards.
Features
Webhooks catalog#2905 - The webhooks feature now generates a catalog of event types and schemas. The catalog is emitted as an OpenAPI 3.1 document that is synced to Svix. (Author: @disintegrator )
Granular per-subject audit log webhook events#2927 - Each auditable subject (deployments, projects, MCP servers, API keys, toolsets, risk policies, sessions, and more) now emits its own typed webhook event (for example,
), enabling subscribers to filter by subject domain rather than receiving all audit activity under a single event type. (Author: @disintegrator )
. Update, AttachServer, and DetachServer now run in a transaction alongside the audit insert, and a new
identifier (prefix
) is used as the audit subject. (Author: @subomi )
Team invitations with trusted domain guards#2896 - Adds RBAC and assigned roles on pending organization invites, lets org admins change the role before acceptance, and emits audit log entries for invite creation and role changes. Invite acceptance now uses Gram invite tokens plus WorkOS User Management Magic Auth codes — the server validates the invite token, creates and consumes the Magic Auth code for the invited email, verifies the email match, and completes provisioning. (Author: @ThomasRooney )
Bulk install all servers in a collection#2899 - Adds an Install All button to the collection detail page for bulk server installation. (Author: @subomi )
Improved trace session detail UX#2864 - Adds filtering and a clearer presentation for trace entries. (Author: @alx-xo )
Bug fixes
Drop IPv6 short-form and IPv4 unspecified false positives#2915 - Drops Presidio
false positives produced from short-form IPv6 strings (
,
,
) and IPv4 unspecified
. Analysis of prod
showed these single-hex-group
matches dominated
noise alongside the existing
filter; they are now dropped before becoming findings. (Author: @mfbx9da4 )
Exclude plugin download key creation from audit log#2760 - Excludes per-request plugin download API key creation from the audit log to prevent flooding with
Skip WorkOS reads when org is linked locally#2844 - Skips WorkOS reads when the org is already linked locally, removing redundant lookups on the auth path. (Author: @bflad )
Filter already-added toolsets from plugin add-server dialog#2904 - Filters the plugin Add Server dialog to exclude toolsets already attached to the plugin, preventing duplicate entries. (Author: @bradcypert )
Credits-exhausted message in chat#2921 - Shows a graceful message in AI Insights and the Playground when an organization runs out of chat credits. Previously the chat would silently stop streaming on a 402 from the gateway because the AI SDK masks stream errors by default. The thread now renders a clear credit-limit message, and the new
and
exports are available on
for downstream consumers that want to react to the same condition. (Author: @simplesagar )
Issuer-gated OAuth from the playground, release-stage badges, and resilient assistant runtimes
This release wires the playground Connect button into the issuer-gated OAuth flow, surfaces Preview and Beta release-stage badges across the dashboard, and fixes assistant runtimes that hung after image upgrades.
Features
Preview and Beta release-stage badges#2882 - Adds Preview and Beta release-stage badges so pre-GA features are clearly labeled wherever their name appears. The same badge renders inline on the sidebar nav entry (with a hover tooltip explaining the stage), the page section title, sub-route tabs, and raw
headings. Tagged in this release: Assistants as preview; Risk Overview and Risk Policies as beta; Insights → Employees and Insights → Costs as preview. The Policy Center nav entry is renamed to Risk Policies to match its page heading and URL, the Risk Overview empty state now uses the same dashed-border box treatment as Risk Policies, and a handful of pages that were missing a top-level title (SDKs, Integrations, Roles & Permissions, Audit Logs) now have one. (Author: @simplesagar )
Issuer-gated OAuth from the playground Connect button#2883 - The playground's Connect button now drives the issuer-gated OAuth flow when a toolset is bound to a user-session issuer, so connecting to MCP servers like
lands an upstream session that the runtime can resolve. The connection-status badge and the 401 challenge on
both read from the issuer-gated session store for these toolsets, and the security-check fallback now always emits a non-empty
Assistant JWT on issuer-gated MCP servers#2879 - Issuer-gated MCP servers now accept an assistant-runtime JWT and use the assistant owner's linked upstream account, so the runtime can call
without re-prompting for login. Requests with no linked upstream still return a 401 plus WWW-Authenticate as before. (Author: @danielkov )
Bug fixes
Recover assistant runtimes after image recycle#2877 - Assistant runtimes no longer get stuck unresponsive after a Gram release. When the assistant runtime image was upgraded in place, the underlying VM was being left stopped, so the next chat turn timed out and the assistant stopped responding. Subsequent turns now bring the runtime back up cleanly. (Author: @danielkov )
Preserve inline JSON in audit log outbox entries#2880 - Fixes a bug where snapshot and metadata fields in audit log outbox entries were being base64-encoded instead of preserved as inline JSON objects. (Author: @disintegrator )
Dedupe chat asset writes#2839 - Dedupes chat asset writes and idempotently uploads to prevent GCS 429s. (Author: @bflad )
Structured hook telemetry attributes#2838 - Makes hook routes (Claude, Cursor, Codex, OTEL Logs, OTEL Metrics) filterable in Datadog by
,
,
, and
. Replaces nested
payloads with top-level slog attrs and logs on every early-return path so silent 401s and missing-session-id branches are visible when debugging hook setup. (Author: @bradcypert )
Codex Stop hook in Cowork#2842 - Gets the Stop hook working in Cowork again. (Author: @chase-crumbaugh )
