Follow us on to be up
to date with the latest changes.

v1.42.2

Dashboard

// July 15, 2026

Typed date ranges apply everywhere in the time range picker

Typing a natural-language date range like "last week" now works even on pages that hide the quick presets. The picker converts the parsed preset into its concrete date range and applies it, instead of silently doing nothing.

Bug fixes

  • Natural-language dates work without presets #4173 - When a typed range like "last week" parsed to a preset that a page doesn't offer (such as the billing page, which hides all presets), the picker applied nothing. It now applies the preset's concrete date range. (Author: @simplesagar)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.88.0

Platform

// July 15, 2026

Shadow MCP server detail pages and RBAC for remote MCP servers

Shadow MCP inventory grows from a list into a place to investigate: each discovered server now has its own detail page, and organization admins can rename inventory entries without losing their canonical URL identity. Access control widens too — the Roles & Permissions "Specific Servers" picker now lists remote and tunneled MCP servers alongside toolset-backed ones, so connection policies can cover every kind of server you run.

Features

  • Shadow MCP server detail pages #4065 - Each server in the Shadow MCP inventory now has a dedicated detail page backed by a project-scoped API, so a discovered server can be investigated in one place. (Author: @alx-xo)
  • Rename Shadow MCP servers #4214 - Organization admins can give Shadow MCP inventory entries a friendly name without changing the canonical URL identity used to track them. (Author: @alx-xo)
  • Permission remote and tunneled MCP servers with RBAC #4167 - The Roles & Permissions "Specific Servers" picker for
    mcp:connect
    now lists remote and tunneled MCP servers alongside toolset-backed ones, backed by a new org-wide server listing, so connection policies can scope to any server in the organization. (Author: @qstearns)
  • Filter risk events by assistant #3933 - The "Risk Events" page gains an "Assistant" filter listing the project's assistants plus a "No assistant" option, so findings from chats not linked to an assistant can be surfaced on their own or scoped to a single assistant. (Author: @linear-code)
  • Pause model provider keys without deleting them #4182 - Custom model provider keys can be disabled and re-enabled in place, so temporarily falling back to the platform key no longer means deleting and re-entering a key. (Author: @danielkov)
  • Prompt-injection detection upgraded for everyone #4184 - Prompt-injection detection now uses the LLM judge for all organizations, replacing the previous heuristics layer with higher-quality analysis across the board. (Author: @vishalg0wda)

Bug fixes

  • Remote MCP servers behind strict origin checks work again #4171 - Browser-only headers (
    Origin
    ,
    Referer
    ,
    Cookie
    ) are no longer forwarded to remote MCP upstreams. Servers enforcing DNS-rebinding protection (e.g. Langfuse) previously rejected dashboard-driven requests with "Something went wrong loading tools", and the dashboard session cookie no longer leaks upstream. (Author: @svadrutk)
  • MCP inventory captured at session start #4170 - The hooks relay again sends a redacted MCP inventory snapshot on session start and configuration changes, so external MCP URLs appear in Shadow MCP inventory before a tool is ever called. (Author: @alx-xo)
  • Linked accounts attach to the right employee #4196 - The employees list now attaches linked accounts by directory ownership instead of raw telemetry user ids, so stray telemetry rows can no longer hand an account — and its role bucket — to the wrong person. (Author: @daviddanialy)
  • Deleted usage rows excluded from billing #4174 - Tokens-under-management totals and breakdowns now filter out soft-deleted usage rows, matching how the costs page already reads the same data. (Author: @daviddanialy)
  • Consistent Speakeasy branding in the dashboard #4179 - Remaining user-visible "Gram" mentions in dashboard copy now read "Speakeasy", and the brand logo gains an accessible label for screen readers. (Author: @simplesagar)
  • Created and updated dates on risk policies #4199 - The risk policies table shows "Created" and "Updated" columns with compact relative dates; hovering reveals the exact timestamp. (Author: @simplesagar)
  • Model provider key table polish #4188 - Key editing and row actions are improved, table actions are aligned, and disabled keys are easier to identify #4183. (Author: @danielkov)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.87.0

Platform

// July 14, 2026

Bring your own model provider keys and a truer tokens-under-management view

Projects can now run AI surfaces on their own model provider keys: set a project default key in settings, override individual surfaces like assistants, the risk-policy judge, or the prompt-injection classifier, and see at a glance which surfaces run on your key versus the platform key. Billing also gets more honest — tokens under management now counts only the agent traffic the platform observes from your users' sessions, never inference the platform spends itself, with richer breakdowns by model, agent, provider, project, user, and role.

Features

  • Bring your own model provider keys #4115 - Manage model provider keys from project settings: set a project default OpenRouter key, override individual surfaces, and see which surfaces run on your key versus the platform key. Keys are validated with the provider on save, stored encrypted, and never returned by the API. (Author: @danielkov)
  • Assistants run on your key #4114 - Assistant completions route through a project's own model provider key when one covers the assistants slot, with the platform-covered behavior unchanged for projects without a key. (Author: @danielkov)
  • Your key for risk scanning too #4116 - The risk-policy judge and the prompt-injection classifier each get an independent key slot, falling back to the project default key and then the platform key when unset, and both slots are listed in project settings #4117. (Author: @danielkov)
  • Tokens under management, redefined as observed agent traffic #4146 - The billing page now counts the tokens the platform observes coming from users' agent sessions (input, output, and cache writes), never inference the platform spends itself. Breakdowns now cover model, agent, provider, account type, project, user, division, department, and role. (Author: @daviddanialy)
  • Average token throughput at a glance #4168 - The billing cycle panel gains an average tokens-under-management stat with a per hour, day, or week toggle, computed over the elapsed window of the active cycle. (Author: @daviddanialy)
  • Manage headers on remote MCP servers #4076 - A new API manages the headers a remote MCP server sends upstream, so servers that need custom header configuration can be wired up without workarounds. (Author: @svadrutk)
  • See who uses a Shadow MCP server #3947 - A project-scoped API lists the users and usage of a Shadow MCP server, with generated dashboard SDK support, so unsanctioned MCP usage can be traced back to the people using it. (Author: @alx-xo)

Bug fixes

  • Environment variables no longer save their masked placeholder #4152 - The MCP server "Authentication" tab could persist the server-redacted placeholder (e.g.
    sup*****
    ) as the real value. Saving now only writes values you actually typed, removes them on an intentional clear, and otherwise leaves the stored secret untouched. (Author: @walker-tx)
  • Clear guidance when tools fail to load without authentication #4016 - When MCP tools fail to load on a server with no authentication configured, the dashboard now shows actionable guidance with a "Configure authentication" deep link instead of a generic error. (Author: @linear-code)
  • Assistant onboarding finds your existing integrations #4164 - Assistant onboarding now checks your existing toolsets first and includes tools proxied from external MCP servers in its search, instead of telling you integrations you already set up aren't available. (Author: @danielkov)
  • Stable environment variable ordering #4150 - The environment variables table on the MCP server page no longer reorders its rows on every page refresh or tab focus change. (Author: @walker-tx)
  • Cowork tool calls labeled in tool logs #4020 - Tool calls made by Cowork are now labeled
    cowork
    in tool logs, so filtering by Cowork source works. (Author: @linear-code)
  • MCP attribution works with org-wide hooks keys #4155 - When the Claude hooks plugin authenticated with an organization-wide key, recovered MCP attribution never matched its telemetry rows and sessions stayed labeled "custom". Attribution is now matched by organization, so true server and tool names come through regardless of how the plugin authenticates. (Author: @subomi)
  • Internal: dormant telemetry endpoint removed #4158 - The unused
    telemetry.queryRiskTokens
    endpoint, which computed a superseded billing population, is removed. (Author: @daviddanialy)
Sagar Batchu
Sagar Batchu
View on GitHub

v1.42.1

Dashboard

// July 13, 2026

Claude Fable 5 and GPT-5.6 arrive in the model picker

Chat surfaces built with Elements now offer the newest models. The picker adds Claude Fable 5 and the GPT-5.6 series, retires deprecated models, and defaults to Claude Sonnet 5 — with safer fallbacks so a de-listed model never silently resolves to a premium one.

Features

  • Refreshed model list #4128 - The model picker adds Claude Fable 5 and the GPT-5.6 series (Sol, Terra, and Luna), marks premium models with an Expensive badge, and removes deprecated models like Claude Sonnet 4, GPT-4.1, o3, and Gemini 2.5. (Author: @simplesagar)

Bug fixes

  • Predictable defaults and fallbacks #4130 - Elements now uses an explicit Claude Sonnet 5 default model, and unknown or de-listed models resolve to pinned per-provider fallbacks instead of silently landing on the most expensive model. (Author: @simplesagar)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.85.0

Platform

// July 13, 2026

One hooks binary for Claude Code, Cursor, and Codex — plus the latest models and a faster dashboard

Hook-based observability now runs on a single purpose-built binary:
speakeasy-hooks
receives coding-agent hook events from Claude Code, Cursor, and Codex, relays them to Gram, and enforces policy decisions like shadow MCP blocking — replacing the previous bash senders. Organizations also get control over interactive sign-in (published plugins no longer open a browser unless an admin opts in), the model picker gains Claude Fable 5 and the GPT-5.6 series, and the dashboard is noticeably faster for projects with many toolsets.

Features

  • The speakeasy-hooks binary #3889 - A single Go binary now handles coding-agent hook events end to end: it receives events from Claude Code, Cursor, and Codex, relays them to the platform, enforces server policy decisions such as shadow MCP blocking, and can recover authentication mid-session with its own browser sign-in. (Author: @danielkov)
  • Browser sign-in is opt-in per organization #4009 - Published hook plugins no longer open a browser by default: they authenticate with explicitly configured credentials, a previously cached key, or the organization-wide key, and the login helper prints manual setup instructions instead. Org admins can re-enable interactive browser sign-in from the org settings page. (Author: @danielkov)
  • Claude Fable 5 and GPT-5.6 in the model picker #4128 - The model list adds Claude Fable 5 and the GPT-5.6 series (Sol, Terra, and Luna), marks premium models with an Expensive badge instead of a label suffix, and removes deprecated models like Claude Sonnet 4, GPT-4.1, and Gemini 2.5. (Author: @simplesagar)
  • Guaranteed user identity on remote and tunneled MCP servers #4069 - Every remote and tunneled MCP server now gets a user session issuer minted at creation that lasts for the server's lifetime and can't be supplied, stripped, or swapped through the API — enforced at the database level — so user session identity on these servers is always trustworthy. (Author: @ThomasRooney)
  • Local assistant runtime for development #4118 - Assistant runtimes can now run locally: a new
    local
    runtime provider starts one Docker container per assistant on demand, reuses it across turns, and swaps in rebuilt images automatically — no Fly.io credentials or registry pushes needed to develop runtime images. (Author: @danielkov)
  • Codex in example agent lists #4107 - Risk policies, logging, insights, and the connect-server dialog now include Codex alongside Claude Code and Cursor in their example agent copy. (Author: @danielkov)
  • Judge timeout observability #3912 - Internal: prompt-injection and LLM judge timeouts now surface as a dedicated outcome metric with retuned duration histograms, improving operational visibility into risk scanning. (Author: @linear-code)
  • Token usage forwarded to PostHog #4106 - Internal: each organization's tokens-under-management usage is forwarded to PostHog hourly for product analytics. (Author: @daviddanialy)

Bug fixes

  • Faster dashboard for projects with many toolsets #4007 - Listing toolsets used to issue 11+ database round trips per toolset, taking seconds for busy projects and slowing the dashboard home page. Queries are now batched into a fixed ~10 round trips regardless of toolset count. (Author: @alx-xo)
  • Faster project overview #4104 - The project overview loads faster by running its independent aggregations concurrently and computing chat resolutions in a single pass. (Author: @walker-tx)
  • Predictable model fallbacks #4130 - De-listed or unknown models now resolve to pinned per-provider fallbacks instead of silently landing on a premium model, and Elements gets an explicit Claude Sonnet 5 default. (Author: @simplesagar)
  • Default plugin identified reliably #4125 - The dashboard now identifies an org's fallback plugin by the API's
    is_default
    flag instead of matching on the "Default" name, so renamed plugins no longer confuse onboarding and plugin pages. (Author: @adaam2)
  • No more spurious access denials in diagnostics #4109 - The chat session list's visibility check no longer records an authorization challenge for members without the chat read grant, which previously polluted access diagnostics with denials on every page load. (Author: @linear-code)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.86.0

Platform

// July 13, 2026

AI-suggested exclusion rules and true MCP server names in cost telemetry

Tuning risk policies gets easier: describe the traffic you want to exclude and let AI draft the exclusion rule for you, with structured match fields validated before they reach the form. Cost telemetry also gets more truthful — sessions from user-configured MCP servers in Claude now report their real server and tool names instead of a generic "custom" label, so usage breakdowns reflect what your agents actually called.

Features

  • Suggest exclusion rules with AI #4129 - The exclusion create/edit form gains a "Suggest with AI" option that returns structured match fields (match type, match value, and rule filters) ready to apply, with regex suggestions validated server-side before they reach the form. (Author: @claude)
  • Real MCP server names in cost telemetry #4122 - Claude redacts the names of user-configured MCP servers in its cost telemetry. The platform now recovers the true server and tool attribution from session transcripts, so cost and usage summaries show which MCP servers were actually used instead of a generic "custom" label. (Author: @subomi)
  • Shadow MCP inventory API #3852 - A new project-scoped API lists the Shadow MCP servers observed in your organization, with generated client SDK support, laying the groundwork for exploring unsanctioned MCP usage programmatically. (Author: @alx-xo)

Bug fixes

  • Remote session and tunnel fixes #3968 - Organization-level remote session clients can now be deleted, tunnel gateway URLs are derived from the active environment, and remote identity providers can be detached without deleting shared clients. (Author: @ThomasRooney)
Sagar Batchu
Sagar Batchu
View on GitHub

v1.42.0

Dashboard

// July 10, 2026

Project Assistant replies link straight to the dashboard

When the Project Assistant mentions a toolset, server, or other project entity, the reply now links directly to that entity's dashboard page — no more hunting for the thing the assistant just described. This release also moves the package to ESM only.

Features

  • Linked entities in assistant replies #3739 - Entities mentioned in Project Assistant replies are rendered as links to their dashboard pages, styled in Moonshine blue with an external-link icon, so you can jump from an answer to the resource it references in one click. (Author: @adaam2)
  • ESM-only package #4013 - The package drops CommonJS support and ships as ESM only. Note this is a breaking change for consumers still importing via
    require()
    — switch to
    import
    . (Author: @disintegrator)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.83.0

Platform

// July 10, 2026

Break down token usage by billing cycle and see who's running the device agent

The billing page now answers "where did the tokens go?" in detail: pick any billing cycle and slice org-wide usage by token type, risk involvement, or analytics dimensions, then drill into any date range on the chart. Admins also get visibility into device agent adoption — the Employee Enrollment table shows whether each member's agent is checking in — and agent sessions now display the personal AI account email behind each session, not just the attributed work email.

Features

  • Token usage breakdown on the billing page #3973 - A billing-cycle picker scopes a new Token usage panel to any contracted cycle. The stacked chart slices org-wide tokens by type (input, output, cache read, cache write), risk involvement, or analytics dimensions, with daily, weekly, and monthly granularity and a cumulative view. Click or drag across bars to drill into a range, type a custom period in natural language, and read per-metric cycle totals with sparklines in the details table below. Finalized cycles are served from durable billing snapshots, so historical numbers stay stable. (Author: @daviddanialy)
  • Device agent status on Employee Enrollment #4066 - An admin-only Device Agent column shows whether each member's Speakeasy device agent is Active, Stale, or Not Enrolled, refreshes every 30 seconds, and is sortable — so it's easy to spot who is (or isn't) running the agent right next to their telemetry enrollment. (Author: @bradcypert)
  • AI account email on agent sessions #3943 - Session list rows, transcript user messages, and the session details popover now show the email of the personal AI account behind a session (e.g. a Gmail on a Claude Max plan) alongside the attributed employee's work email. Attribution is also deterministic: the device-enrolled work email always takes precedence over the account's self-reported email. (Author: @daviddanialy)
  • External credentials management API #3911 - Manage the AWS and GCP IAM credentials Gram uses to authenticate into a customer cloud account through a new organization-scoped API, with per-provider create, update, get, and delete plus a filterable list. Access is gated on org roles and every change is audited. (Author: @bflad)
  • Safer hook sign-in #3957 - Browser login for hooks now delivers the minted API key to the local listener as a form POST instead of a callback URL parameter, keeping the key out of browser history and request logs, and the sign-in tab closes itself once authentication completes. (Author: @danielkov)
  • Observe pages restricted to org admins #3922 - The Observe section (Costs, MCP & Tools Insights, Employee Enrollment, Agent Sessions, and Tool Logs) is now gated on the org admin role, so basic members see an access-restricted notice instead of org-wide telemetry. (Author: @mfbx9da4)
  • Issuer documentation links #4055 - Issuer discovery now captures RFC 8414 service documentation, policy, and terms-of-service URLs and surfaces them on remote session issuers across the project, organization, and admin views. (Author: @bflad)
  • Reorganized remote sessions management API #3955 - The org-admin remote sessions service is split into per-resource services for issuers, clients, and sessions, mirroring the project-scoped layer. Note this is a breaking change for the management API and SDK: method names drop their redundant resource suffix (e.g.
    organizationRemoteSessionIssuers.createClient
    becomes
    organizationRemoteSessionClients.create
    ). (Author: @bflad)

Bug fixes

  • Billing charts match billed totals #4061 - The billing page's headline chart and every breakdown (model, user, division, role, source, token type) now read the billed population directly, instead of org-wide analytics aggregates that could overstate usage by orders of magnitude. (Author: @daviddanialy)
  • Tool Logs status filtering #3975 - The response status filter now applies at the trace level, so status-less rows no longer leak successful traces into "Non-2xx responses", and the Tool Logs page gains a first-class Error, Success, Blocked, and Pending status filter. (Author: @simplesagar)
  • Employee session counts from telemetry #3946 - The Agent Sessions card on the employee detail page now counts distinct sessions from telemetry instead of an email substring match against mirrored chats, so the number is consistent with every other metric on the page. (Author: @linear-code)
  • Deleted MCP servers keep their tool-usage classification #4040 - A managed server's usage history no longer flips to shadow MCP classification once the server is deleted or recreated. (Author: @linear-code)
  • Confirm before deleting a risk policy #3863 - Deleting a risk policy now asks for confirmation instead of removing it immediately. (Author: @alx-xo)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.84.0

Platform

// July 10, 2026

Redesigned Plugins pages, MCP server readiness checks, and custom headers for remote servers

Distributing MCP servers to your team is now much clearer. The Plugins pages show the real state of your marketplace setup with direct calls to action, a single install dropdown covers both GitHub and zip installation, and a new readiness bar on each MCP server page tells you exactly what's left before the server is usable — URL, authentication, source, and plugin membership. Remote MCP servers also gain a header management API for passing custom headers upstream.

Features

  • Redesigned Plugins pages #4003 - The marketplace card now reflects real setup state: until the marketplace repo exists and a collaborator has accepted their GitHub invite, it shows a "Not published" state with Publish now and Add collaborators calls to action. A single Install dropdown (GitHub installation via marketplace, or direct zip download) replaces the old split button on both the Plugins index and detail pages, and zip downloads work even before the marketplace is set up. The Default plugin gets its own badge and description. (Author: @adaam2)
  • MCP server readiness bar #4003 - Each MCP server page gains a collapsible readiness summary covering Server URL, Authentication, Source, and Included in Plugin status, with links to fix each item — so it's obvious what stands between a server and its users. (Author: @adaam2)
  • Custom headers for remote MCP servers #4075 - A new header management API lets remote MCP servers carry custom headers, so upstream servers that expect extra headers can be connected without workarounds. (Author: @bflad)
  • Clearer billing model breakdown #4071 - The billing page's model breakdown now separates the Risk Policy Analysis Model — the platform's own risk-scanning inference, the metered unit of tokens-under-management contracts — from the Completion Model used by chat surfaces like the playground and Slack. Risk-analysis inference is attributed to the scanned user, so user, role, and division breakdowns report whose traffic was analyzed. (Author: @daviddanialy)
  • Hooks install from your org's marketplace #4017 - The hooks setup dialog's Claude Code instructions now install from your organization's published plugin marketplace, with copyable commands and managed-settings snippets, instead of a public repository that carried no credentials. (Author: @danielkov)

Bug fixes

  • Remote MCP servers join the Default plugin reliably #4003 - MCP servers now attach to the Default plugin when they're enabled, so remote servers (which start disabled) no longer fail with "mcp server is disabled or has no published endpoint" when added. Adding a second endpoint to an already-attached server works, endpointless servers are hidden from the plugin's add-server picker, and removing a server's last address asks for confirmation. (Author: @adaam2)
  • Accurate employee enrollment stats #4094 - The enrollment page no longer shows 0 tokens and stale activity for employees whose telemetry rows split across identity keys: usage rows carrying a user ID but no email now merge into the employee's summary, and role breakdowns resolve those users instead of bucketing them as Unassigned. (Author: @daviddanialy)
  • Faster toolset listing #4089 - Listing toolsets no longer rebuilds every platform tool descriptor per tool, significantly cutting latency for projects with large toolsets. (Author: @walker-tx)
Sagar Batchu
Sagar Batchu
View on GitHub

v1.41.0

Dashboard

// July 7, 2026

See who created each chat and browse teammates' threads read-only

Shared chat histories are now easier to navigate as a team. Each thread and user turn can show who wrote it — name and avatar included — and opening a thread someone else created shows a read-only transcript instead of a composer that would fail on send.

Features

  • Attribute chats to their creator #3930 - An opt-in
    history.resolveCreator
    callback resolves a chat's
    userId
    or
    externalUserId
    to a displayable name and avatar, shown on thread-list rows and above each user turn in the transcript. The dashboard wires this up for the Project Assistant using its existing org member list, so no identity data is fetched from inside Elements itself. User message bubbles also get an iMessage-style blue treatment. (Author: @adaam2)
  • Read-only view of threads you don't own #3931 - An opt-in
    history.isOwnChat
    callback reports whether the caller owns a thread, and the composer is hidden for threads they didn't create. Admins opening another member's chat now see a read-only transcript instead of a "chat not found" error on send. (Author: @adaam2)

Bug fixes

  • Chat MCP tools restored #3831 - Chat MCP tool connections no longer fail with an "Illegal invocation" fetch error that left chats without their configured MCP tools. Opening a chat via a shared
    ?threadId=
    URL also reliably restores the linked conversation instead of sometimes landing on a new empty thread. (Author: @danielkov)
  • One-click dismissal for the time range picker #3862 - Clicking outside the
    TimeRangePicker
    while its input is in edit mode now exits editing and closes the dropdown in a single click. Typed-but-uncommitted text no longer makes the dropdown undismissable and is discarded on outside click. (Author: @daviddanialy)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.81.0

Platform

// July 7, 2026

Test prompt guardrails against real chats, flag personal AI accounts, and attach remote MCP servers to assistants

Policy authors can now prove a prompt guardrail works before rolling it out: a new evaluation workbench replays real chat transcripts through a policy and shows per-message judge verdicts, with verdicts saved as regression sets for future changes. A new Non-Corporate Accounts risk policy flags sessions authenticated with personal AI accounts or unapproved email domains, and assistants can now connect directly to remote MCP servers alongside their toolsets.

Features

  • Policy evaluation workbench for prompt guardrails #3924 - Replay real chat transcripts through a prompt guardrail and see per-message judge verdicts with cost and latency details before enforcing the policy. Reviewer verdicts can be saved, listed, and deleted as regression sets, so a policy edit can be checked against past decisions instead of guesswork. CEL scopes are supported in replay. (Author: @vishalg0wda)
  • Flag sessions from personal AI accounts #3861 - A new Non-Corporate Accounts risk-policy category flags sessions authenticated with a personal AI account or with an AI-account email domain outside an approved list you configure. Findings appear once per session on the Risk Events page, and the approved-domains list is editable in the Policy Center's Customize sheet. (Author: @daviddanialy)
  • Attach remote MCP servers to assistants #3831 - Assistants can now connect directly to MCP servers, including remote (external SaaS) and tunneled servers that aren't backed by a Gram toolset. The assistant setup chat can list the project's MCP servers and attach one by name, and the assistant's runtime connects to it alongside its toolsets. (Author: @danielkov)
  • Self-serve sign-in for hook plugins #3824 - Connecting the hooks plugin no longer requires Python or manual API key setup. On session start the plugin opens the Gram dashboard in a browser, receives a hooks-scoped API key on a localhost callback, and caches it per device. Machines that have never signed in aren't blocked — sessions proceed with a warning, and enforcement only becomes strict after the first successful sign-in. (Author: @danielkov)
  • Track skill activations in Codex sessions #3896 - Opening a skill's SKILL.md or mentioning a skill by name in a Codex session now surfaces as
    skill.activated
    events in observability, matching the visibility already available for Claude Code sessions. (Author: @danielkov)
  • Email org admins when an access request is submitted #3221 - Org admins now get an email when a new access request comes in, so requests are noticed and approved without anyone having to watch the dashboard. (Author: @alx-xo)
  • See which account an employee used last #3909 - The Employees page's Last Activity column now shows the most recently used AI account as a dropdown, with icons distinguishing team accounts from personal ones (#3858 by @chase-crumbaugh). (Author: @daviddanialy)
  • Refresh list pages in place #3860 - Catalog, MCP, Agent Sessions, Employee Insights, User Sessions, Risk Events, and the Observe Tools and Agents log pages now have a manual refresh button in the toolbar, so the latest data is one click away without reloading the page. (Author: @simplesagar)
  • Assistant setup chat history is preserved #3811 - Prior onboarding threads with the assistant setup chat are now listed and URL-addressable, so a setup conversation can be picked up where it left off or shared with a teammate. (Author: @claude)
  • Groundwork for shared remote session providers #3812 - An internal admin API now manages a platform-wide catalog of remote session providers, laying the foundation for projects to inherit shared providers in a future release. (Author: @walker-tx)

Bug fixes

  • Restore MCP tools in chat #3831 - Chat MCP tool connections no longer fail with an "Illegal invocation" fetch error that left chats without their configured MCP tools, including the assistant setup chat. Opening a chat via a shared
    ?threadId=
    URL also reliably restores the linked conversation instead of sometimes landing on a new empty thread. (Author: @danielkov)
  • View teammates' assistant chats read-only #3931 - Admins opening another member's project assistant chat now see a read-only transcript instead of hitting a "chat not found" error on send. The composer is hidden for threads the signed-in caller didn't create, matching what the backend has always enforced. (Author: @adaam2)
  • Let environment editors edit environments #3916 - Creating, updating, and deleting environments now checks the
    environment:write
    permission instead of
    project:write
    , so principals holding only
    environment:write
    are no longer rejected. Dashboard gates were realigned to match. (Author: @qstearns)
  • Recover from stale hooks credentials #3901 - Cached hook credentials that are rejected on auth are now cleared automatically, so Claude prompt submission continues and the user is prompted to reconnect instead of getting stuck. (Author: @danielkov)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.82.0

Platform

// July 7, 2026

Connect MCP servers on private networks and silence known risk false positives

MCP servers that live behind a firewall can now join a Gram project: run the new tunnel agent next to the server and Gram routes traffic to it, no inbound network access required. On the risk side, a built-in exclusions library now suppresses well-known false positives — test credit cards, example API keys, placeholder emails — so risk events stay focused on findings that matter.

Features

  • Tunneled MCP servers #3703 - MCP servers running in a private network can now be added as tunneled sources. The tunnel agent ships as a public Docker image (
    ghcr.io/speakeasy-api/gram-tunnel-agent:latest
    , linux/amd64 and linux/arm64) that runs alongside the server and connects out to Gram, and the tunneled MCP server page includes Docker and Kubernetes setup instructions. (Author: @ThomasRooney)
  • Built-in exclusions library for risk detections #3895 - Known false positives — test credit card numbers, example API keys and tokens, module and content hashes, and placeholder emails — are now suppressed automatically across all detection sources. A read-only Built-in library section on the Exclusions tab lists the live catalog, backed by the new
    risk.listBuiltinPresets
    endpoint. (Author: @dennnis-ez)

Bug fixes

  • Session status reflects refresh expiry #3936 - A session's active or expired status is now keyed off its refresh token expiry, so sessions that can still refresh no longer show as expired. (Author: @linear-code)
  • Non-Corporate Accounts policy card restored #3940 - The Non-Corporate Accounts detector — including its approved-email-domains configuration — is back on the risk-policy detail form after being dropped in a refactor, and the Off-Policy Content card no longer appears twice. (Author: @daviddanialy)
Sagar Batchu
Sagar Batchu
View on GitHub

v1.40.1

Dashboard

// July 2, 2026

Cleaner tool-only assistant turns

Assistant messages made up entirely of tool calls no longer show a stray copy button with nothing to copy.

Bug fixes

  • Hide the copy button on tool-only turns #3834 - A message consisting solely of tool calls or reasoning has no copyable text, so the lone copy button no longer hangs beneath it. (Author: @disintegrator)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.80.0

Platform

// July 2, 2026

See AI usage by account type and provider, with clearer cost estimates and a more secure CLI login

Costs, Insights, Agent Sessions, Tool Logs, and Employees now break down AI usage by account type (Team versus Personal) and provider (Claude, Codex, Cursor), with per-account cost estimates spelled out clearly. Logging in to the CLI as a device agent is also more secure, using a one-time PKCE code instead of passing a raw key in a URL.

Features

  • Break down AI usage by account type and provider #3755 - Costs, Insights, Agent Sessions, Tool Logs, and Employees now split AI usage by account type — Team (enterprise) versus Personal (individual, e.g., Claude Max) — and by provider (Claude, Codex, Cursor). Personal usage is flagged at a glance on sessions and logs, and each employee's linked AI accounts are listed with the option to scope their metrics to a single account. (Author: @daviddanialy)
  • Clearer cost estimates #3755 - Cost now reads as "Est. cost" (with an explanation on hover) everywhere it appears in Costs and Insights, since the figure is derived from token usage at standard API rates and only reflects real spend on metered accounts, not flat-fee plans like Claude Max, Pro, Team, or Enterprise. Admins can declare a provider integration's billing mode — Metered, Flat rate, or Unknown — under SettingsLogging & Telemetry, and once an account is declared metered, its cost reads as a confident "Cost". (Author: @daviddanialy)
  • Secure CLI device-agent enrollment #3810 - A new
    cliAuth
    service backs device-agent enrollment: the dashboard CLI callback authorizes a PKCE-bound one-time code against an active session, then redeems it for a per-user API key without the raw key ever traveling in a URL. Existing CLI producer-key login is unchanged. (Author: @bradcypert)
  • Surface Claude attribution dimensions in the cost explorer #3638 - Telemetry query results and the cost explorer now surface Claude attribution dimensions, giving a clearer view of where usage and cost originate. (Author: @subomi)

Bug fixes

  • Show historical findings for disabled policies in Risk Events #3847 - Filtering Risk Events by a disabled policy previously returned no results because the query required the policy to be enabled. An explicit policy filter now surfaces that policy's past matches, and the dashboard flags the inactive policy with a banner and an "(inactive)" label in the filter. The default unfiltered view is unchanged and still lists only active policies. (Author: @daviddanialy)
  • Drop false-positive US driver's license findings #3836 -
    US_DRIVER_LICENSE
    Presidio findings are now dropped at the finding level so they never surface, even when a policy pins no entities and Presidio scans its full default recognizer set. (Author: @disintegrator)
  • Fix dropped connections on function-runner calls #3846 - HTTP keep-alives are now disabled on function-runner calls, and that path gets its own timeout, so retries dial fresh connections instead of reusing pooled connections to Fly machines that were autostopped mid-flight (which surfaced as instant EOF errors). The timeout now sits above the runner's five-minute execution budget, so long tool calls are no longer cancelled by the caller. (Author: @disintegrator)
  • Fix a nil pointer panic in telemetry SearchUsers #3843 - Calling telemetry SearchUsers without a filter no longer panics. (Author: @disintegrator)
  • Adjust API endpoint paths to RPC conventions #3825 - Internal API endpoint paths were adjusted to follow existing RPC API conventions. (Author: @disintegrator)
Sagar Batchu
Sagar Batchu
View on GitHub

v1.40.0

Dashboard

// July 1, 2026

Claude Sonnet 5 is now the default assistant model

New assistants and in-app model usage now default to Claude Sonnet 5, available across the playground, Elements, and onboarding model pickers.

Features

  • Default to Claude Sonnet 5 #3758 - Claude Sonnet 5 (
    anthropic/claude-sonnet-5
    ) is now the default model for in-app usage and newly created assistants, added to the allowlist and every model picker across the playground, Elements, and onboarding. Specialized models used for risk and PromptIntel judging, chat segmentation, embeddings, and follow-on suggestions are unchanged. (Author: @simplesagar)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.79.0

Platform

// July 1, 2026

Default to Claude Sonnet 5 and share remote session clients across an organization

New assistants and in-app model usage now default to Claude Sonnet 5. Remote session clients can also be created at the organization level, so every project can share one instead of configuring its own, and admins get finer control over who can unmask redacted secrets in Risk Events.

Features

  • Default to Claude Sonnet 5 #3758 - Claude Sonnet 5 (
    anthropic/claude-sonnet-5
    ) is now the default model for in-app usage and newly created assistants, added to the allowlist and every model picker across the playground, Elements, and onboarding. Specialized models used for risk and PromptIntel judging, chat segmentation, embeddings, and follow-on suggestions are unchanged. (Author: @simplesagar)
  • Organization-level remote session clients #3749 - Create a
    remote_session_client
    with no project so every project in the organization can attach and use it, mirroring the existing convention for organization-level remote session issuers. A project admin can attach, detach, and use an organization-level client from their own session issuer, but editing or deleting it stays with org admins. (Author: @bflad)
  • Restrict who can unmask redacted secrets #3766 - Server-side controls now govern who can reveal redacted secrets flagged in chat, giving admins a way to restrict access to sensitive matched values. (Author: @qstearns)
  • Human-readable plugin marketplace names in Claude Code #3763 - Plugin marketplaces now send a human-readable display name to Claude Code, so plugins show with their admin-entered name and capitalization (e.g., "MoonPay MCP Servers") instead of a de-slugified lowercase name ("Moonpay mcp servers"). (Author: @bradcypert)
  • Unified endpoint for third-party hook ingestion #3661 - A single
    /rpc/hooks.ingest
    endpoint now accepts hook events from any third-party provider. Hook plugins authenticate each developer locally through a browser callback flow and store a hooks-scoped key on the device, while existing provider-specific hook endpoints keep working. (Author: @danielkov)
  • Redirect URI callout for remote identity provider clients #3762 - The Remote Session Client form now surfaces the callback URL needed when manually configuring a remote identity provider client, making the setup step easier to complete correctly. (Author: @qstearns)
  • Caching for public OAuth and MCP metadata endpoints #3761 - Public well-known OAuth/MCP metadata responses now send
    Cache-Control: public, max-age=60
    and a strong ETag with 304 revalidation, so clients and proxies can cache them. The OAuth Client ID Metadata Document keeps its one-hour max-age and also gains an ETag. (Author: @bflad)

Bug fixes

  • Gate secret reveal behind the chat:read scope #3764 - Users without the
    chat:read
    scope now see flagged secret values in Risk Events as a non-interactive "Hidden" placeholder instead of a reveal control, and the page-level "Reveal all" toggle is hidden for them. (Author: @simplesagar)
  • Add session_capture_exclusions table #3528 - Internal schema migration adding a
    session_capture_exclusions
    table. (Author: @simplesagar)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.78.0

Platform

// June 30, 2026

Connect to stricter OAuth providers with outbound CIMD support

Remote session OAuth now works with identity providers that require Client ID Metadata Documents (CIMD), so organizations with stricter upstream authorization servers can register outbound clients without a shared secret.

Features

  • Outbound CIMD support for remote session OAuth #3706 - Create a
    remote_session_client
    in CIMD mode: Gram generates the client ID, hosts a public client metadata document, and sends that URL as the client ID on every outbound authorize, token, and refresh call, with no symmetric secret required. Issuer discovery now detects CIMD support automatically, which gates the new option, and the client and issuer views surface the metadata URL and support status. (Author: @bflad)
Sagar Batchu
Sagar Batchu
View on GitHub

v1.39.0

Dashboard

// June 29, 2026

Cleaner assistant chats when apps inject extra context

Context an application injects into a user turn no longer clutters the conversation. It now folds into a collapsible disclosure that's there when needed and out of the way otherwise.

Features

  • Collapse injected context into an "Additional context" disclosure #3721 - App-injected context in a user turn now folds into a collapsed Additional context disclosure that expands to inspect, instead of rendering the raw tags inline. The expanded block wraps to the message width, so opening it no longer widens the chat bubble. (Author: @adaam2)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.76.0

Platform

// June 29, 2026

Gate access to other members' agent sessions with a new chat:read scope

A new RBAC scope lets you decide who can read other members' agent session transcripts. Everyone can always read their own sessions; reading everyone's now requires an explicit grant.

Features

  • chat:read scope for agent session transcripts #3688 - A new
    chat:read
    scope gates access to other members' agent session transcripts: anyone can read sessions they own, while reading every member's session requires an unrestricted
    chat:read
    . The scope is not a default of any system role — not even admin — so it must be granted via a custom role. Members without it see only their own sessions, and each dashboard session open is recorded in the audit log. (Author: @adaam2)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.76.0

Platform

// June 29, 2026

Project Assistant: rename chats, see who owns each assistant, and a tidier context block

A handful of Project Assistant improvements land together: rename conversations inline as you work, see at a glance who owns each assistant, and keep the chat clean with app-injected context folded into a collapsible disclosure.

Features

  • Rename assistant chats from the live chat view #3649 - The dock header shows the active conversation's title and lets you click to rename it inline. Names you set are kept — automatic title generation skips any chat you've renamed, and clearing the title re-enables auto-naming. (Author: @simplesagar)
  • See who owns each assistant #3709 - An assistant's creator is now shown as its owner — an avatar and name on both the assistant card and the setup page — resolving to the creating member, "No owner" when never attributed, or "Orphaned, no owner" when the creator has left the organization. (Author: @simplesagar)
  • Tidier injected context in assistant chats #3721 - App-injected context in a user turn now folds into a collapsed Additional context disclosure you can expand to inspect, instead of rendering the raw tags, and the expanded block wraps to the message width so opening it no longer widens the bubble. (Author: @adaam2)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.77.0

Platform

// June 29, 2026

Edit system role permissions, tune risk detection sensitivity, and tighter shadow MCP enforcement

Organizations get more control over access and risk detection this release: the built-in admin and member roles can now be tailored per organization, and risk policies gain a sensitivity slider for tuning how aggressively detections fire. Shadow MCP enforcement is also hardened against a couple of false results.

Features

  • Editable system-role permissions #3727 - Edit the permissions of the built-in
    admin
    and
    member
    roles per organization, while their name and description stay platform-managed. The Admin role is guarded against losing the
    org:admin
    permission to prevent an org lockout. The roles tab is reworked so the whole role row opens the edit sheet, scope groups show a description when collapsed, and the members column uses an interactive member facepile with hover focus and click-to-view-all. Directory Sync (SCIM) organizations see info alerts on the team, roles, and identity pages explaining that members and roles are managed by the identity provider while SCIM is enabled. (Author: @adaam2)
  • Configurable risk detection sensitivity #3723 - Each risk policy now has a minimum match-confidence threshold, adjustable with a Sensitivity slider in the policy wizard, so detections can be tuned to be more or less aggressive. The default sensitivity is lowered to 0.5. (Author: @dennnis-ez)

Bug fixes

  • Harden Codex shadow MCP enforcement #3719 - Codex shadow MCP calls are now checked against the session's actual MCP server inventory, closing a gap where enforcement could be bypassed. (Author: @danielkov)
  • Fix Cursor shadow MCP enforcement false positives #3720 - Cursor shadow MCP enforcement no longer wrongly blocks Speakeasy-hosted MCP servers when a shadow MCP risk policy is enabled. Access is now decided by the server URL rather than requiring the agent to echo an internal identifier. (Author: @danielkov)
  • Fix duplicate servers in the MCP catalog #3310 - The MCP catalog no longer lists duplicate servers (with an inflated count) when loading more results. (Author: @alx-xo)
Sagar Batchu
Sagar Batchu
View on GitHub

v1.38.2

Dashboard

// June 28, 2026

More reliable risky-message filtering and thread search

Two chat-detail fixes land together: the "Risky only" filter now finds flagged messages no matter where they sit in a long thread, and search steps through every match in order instead of highlighting them all the same color.

Bug fixes

  • Fix "Risky only" filter missing findings on other pages #3715 - The filter previously showed nothing when flagged messages sat on transcript pages that weren't loaded.
    chat.load
    now returns the seqs of flagged messages so the panel can window the full thread and filter correctly, and the toggle is available to any authorized viewer rather than only org admins. (Author: @adaam2)
  • Step through search matches one at a time #3715 - Search-within-thread now steps through every occurrence in document order, across message text and tool call arguments and output, with the active occurrence highlighted distinctly, instead of jumping per message and highlighting every hit the same color. (Author: @adaam2)
Sagar Batchu
Sagar Batchu
View on GitHub

v0.75.0

Platform

// June 28, 2026

Blocked tool calls get their own page the agent can reason about, plus filter sessions by agent type

When the risk engine blocks a tool call it's now a durable, linkable page with thumbs-up/down feedback — and the reason is handed back to the agent so it explains the denial instead of inventing one. Agent Sessions also gain an agent-type filter.

Features

  • Durable tool-call block pages #3672 - Blocked tool calls are now first-class entities with a stable
    /blocks/<id>
    URL and 👍/👎 feedback. The block reason is injected into the agent-facing response (Claude, Cursor, and Codex) with a link to the block page, so the agent can reason about the denial instead of hallucinating one, and a More Info link reaches it from the Risk Events modal. (Author: @daviddanialy)
  • Filter agent sessions by agent type #3712 - The Agent Sessions page gains an agent-type filter, populated from the agent sources actually present in each project's chats. (Author: @simplesagar)
  • Read-only and destructive labels in Distribute MCP tools #3713 - The Distribute → MCP → Tools view now shows the same text permission labels (Read-only, Destructive, Idempotent) as the Connect catalog, instead of icon-only badges, for quicker at-a-glance behavior hints. (Author: @daviddanialy)
  • Up-to-date badge on plugin detail #3708 - The plugin detail page now shows an explicit Up to date badge and surfaces the last-published time even when there are unpublished changes, rounding out the publish-freshness view. (Author: @daviddanialy)
  • Shorter access-request links on blocked tool calls #3710 - The "Request access" link on a blocked tool call now embeds a short cache-backed token instead of a 1,000-plus character encrypted blob, with previously issued links still working until they expire. (Author: @daviddanialy)

Bug fixes

  • Risky-only filter and in-thread search reworked #3715 - The chat detail "Risky only" filter now windows the full thread and shows flagged messages even when they sit on other transcript pages, and search steps through every occurrence in document order — across message text and tool call arguments and output — with the active match highlighted distinctly. (Author: @adaam2)
  • Prompt correlation no longer stalls on busy sessions #3716 - Claude Code prompt correlation now bounds its work and drains a large backlog of unlinked prompts incrementally, so prompts stay reliably linked to their telemetry instead of failing entirely on high-volume sessions. (Author: @danielkov)
  • Detect step Continue enables for category-level detectors #3714 - Creating a risk policy now enables the Continue button when only category-level detectors (Prompt Injection, Shadow MCP, Destructive Tools, Destructive CLI Commands) are selected, instead of treating those categories as empty and keeping the step disabled. (Author: @daviddanialy)
Sagar Batchu
Sagar Batchu
View on GitHub

v1.38.1

Dashboard

// June 26, 2026

Rename assistant chats without leaving the conversation

Project Assistant chats can now be renamed right from the live chat view instead of navigating elsewhere first.

Features

  • Rename assistant chats from the chat view #3649 - Click the conversation title in the chat header to edit it inline. Manually chosen names are preserved. Automatic title generation skips any chat that's been renamed, and clearing the title re-enables auto-naming. (Author: @simplesagar)
Sagar Batchu
Sagar Batchu
View on GitHub