Releases: getraksha/agp
Release list
AGP Community Edition v0.0.13
AGP Community Edition v0.0.13 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
This release introduces the connectors plane — OAuth-backed MCP connectors
with managed credential lifecycle — and threads an end-to-end request id
through every service so a single action can be traced from the console (or
CLI) all the way to the backend MCP server.
Added
- Connectors: OAuth consent + managed credential lifecycle. A new service,
agp-connectors, ships in the release for the first time. It handles the
OAuth consent flow for MCP servers (e.g. Slack, Calendly, or your own) and
owns the resulting credentials. Tools registered with the new CONNECTOR
auth type carry no static secret: at tool-call time the proxy asks
agp-connectorsto mint a short-lived runtime credential scoped to the
agent and decision context, so agents never hold provider tokens. Connectors
follow a clear lifecycle — connect, disconnect (purges token material),
reconnect-in-place, and remove. agp connectorscommand group. Manage the whole lifecycle from the CLI:
add(register a connector and start OAuth consent),list/get,
list-connections,disconnect/revoke,remove,reconnect, and
discovery-token(mint a short-lived token to discover a connector's tools).
Shell completions cover the new commands automatically.- Dynamic Client Registration (RFC 7591). Connectors can register an OAuth
client dynamically with the provider instead of requiring a pre-provisioned
client_id/client_secret.agp connectors add --dcr(or
--registration-mode dynamic) drives it, with optional DCR client metadata
(--client-name,--logo-uri,--contacts, …); preregistered clients
continue to work unchanged. - Connectors in the console. The admin console gains a Connectors page
(card layout) to register connectors, walk the consent flow, and view
connection status and granted scopes. - End-to-end request tracing (
X-AGP-Request-ID). Every request is tagged
with a single id that propagates across all hops — the console and CLI
originate one, and it flows through the BFF, every service (HTTP and gRPC),
the proxy, and on to the backend MCP server. The id is echoed on responses,
recorded on audit events, and queryable, so one console click can be traced
through the whole flow.agp --verbose <cmd>prints the id it used. - Access-log header dump (off by default). Each service supports
ACCESS_LOG_INCLUDE_HEADERS=trueto include redacted request and response
headers in its access log, for debugging. Sensitive headers (Authorization,
Cookie,Set-Cookie,X-Admin-Token, …) are masked. Default is off.
Changed
- Registry: CONNECTOR-backed tools. Tools can now declare
auth_type: CONNECTORwith aconnector_nameandconnector_scopesinstead of a static
auth_header/auth_value; the registry stores the binding and the proxy
resolves the credential at call time (see Connectors above). Adds a SQL
migration framework with connector-auth migrations for both SQLite and
Postgres. - Canonical request-id header. Services that previously emitted
X-Request-Id(e.g. identity, registry) now use the canonical
X-AGP-Request-IDend to end. - Proxy: quieter logs — routine
tools/listpolls are no longer logged.
MCP clients and bridge agents calltools/listconstantly; a successful one
now emits neither aninvocationnor anaccess_logline, so proxy logs stay
focused on real activity (tools/calland everything else is still fully
logged, and a denied/erroredtools/liststill logs). This applies to every
caller, including a manualagp ... tools list.
Changed components vs v0.0.12: all of them. A new shared module
(agp-shared, carrying the request-id and access-log middleware) underpins the
tracing work, and every service plus agp-cli, agp-admin-ui, and the new
agp-connectors carry commits in this release.
Upgrading from v0.0.12
v0.0.13 adds a new service (connectors). Existing installs:
agp fetch all # installs the new agp-connectors binary alongside the rest
agp init # idempotent — seeds the new connectors env file without
# touching your config.yaml or existing service envs
agp restart allTo update the CLI binary itself:
agp updateYour current ports, console URL, and credentials are preserved — agp init
never rewrites config.yaml and only adds the missing connectors env.
Install
- macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh - Windows (PowerShell):
irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex
Then agp init · agp fetch all · agp start all · agp setup --agent-id my-agent --client claude-desktop.
Platforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install scripts verify checksums automatically.
AGP Community Edition v0.0.12
AGP Community Edition v0.0.12 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
Added
agp update— self-update the CLI.agp fetchinstalls the service
binaries but never the CLI itself, so until now upgradingagpmeant re-running
the installer.agp updatedownloads the latest CLI release, verifies its
SHA-256, smoke-tests that it runs, then atomically swaps it in — keeping the
previous binary until the new one is validated and in place. It refuses to
downgrade (--version vX.Y.Zfor an explicit/rollback install;--checkto
only report availability). Not yet available on Windows — re-runinstall.ps1
there. (Note:agp updateworks from v0.0.12 onward; users on v0.0.11 or
earlier update the CLI once via the installer to pick it up.)
Changed
- Out-of-the-box default ports. Fresh installs now bind the quiet
27860–27868(HTTP) /27880–27885(gRPC) range instead of common dev ports,
soagp init+agp startwork without conflicts on a typical machine. The
console moves tohttp://localhost:27868on new installs.agp initwrites
every service's listeners and its dependencies' addresses and the CLI
profile endpoints from one computed topology, so they stay consistent — edit a
port in one~/.agp/services/<service>.envandagp restartit, or
agp init --forceto re-render every.envfrom defaults (keeps a.bak;
secrets are never regenerated). - CLI config hardening. The CLI config (
config.yaml) is now parsed with a
standard YAML library and is created once byagp initand never overwritten
byagp— not even with--force— because it accrues your agents and
credentials over time. A config that exists but won't parse now produces a
clear warning instead of silent misbehavior. JSON output is pretty-printed by
default (--no-prettyfor compact). agp identity delete-agentpermanently deletes an agent rather than
decommissioning it.
Fixed
- Identity: agent list filters. SQLite
list-agentsbound its filter
arguments before pagination, so--statusand--team-idfilters now match
the generated placeholders and return the correct rows.
Changed components vs v0.0.11: agp-cli (agp update, default ports, config
hardening, delete-agent) and agp-identity (the list-filter fix). All other
components carry the same commits as v0.0.11.
Upgrading from v0.0.11
agp fetch all
agp restart allTo update the CLI binary itself, re-run the installer (the agp update command
ships in this release, so v0.0.11 users pick it up on the next upgrade):
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh # macOS/LinuxFrom v0.0.12 onward, agp update does this for you.
Existing installs are not disrupted: agp init is idempotent and never
rewrites your config.yaml, so your current ports and console URL stay as they
are. The new 27860+ defaults apply only to fresh installs.
Install
- macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh - Windows (PowerShell):
irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex
Then agp init · agp fetch all · agp start all · agp setup --agent-id my-agent --client claude-desktop.
Platforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install scripts verify checksums automatically.
AGP Community Edition v0.0.11
AGP Community Edition v0.0.11 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
Fixed
- Windows: policy no longer denies every tool call. On Windows the policy
engine loaded its bundle from an absolute temp directory, and OPA's directory
data-mounting silently failed for an absolute path — leaving the tool
classification data unmounted, so every governed tool was denied with
"No matching policy" even when registered and granted. The engine now reads
the bundle's.regomodules anddata.jsonfiles directly and serves the data
from an in-memory store, which behaves identically on macOS, Linux, and
Windows. The bundle also degrades gracefully (missing data = "no overrides"
rather than a blanket deny), and the engine now fails to start loudly if a
plain read tool does not classify — so this can never ship silently again.
Changed
- Uniform
/healthcontract and version stamping across identity, registry,
behavior-profile, audit, approval, proxy, the shared proto, and the CLI:
services report their build version on/health/live, surfaced by
agp status.
Changed components vs v0.0.10: agp-policy (the Windows fix) plus the health/version
work above. agp-admin-ui, agp-shared, and agp-mcp-servers carry the same
commits as v0.0.10.
Upgrading from v0.0.10
agp fetch all # macOS/Linux
agp restart allOn Windows: agp fetch all then agp restart all. Windows users on v0.0.10
should upgrade — this release is what makes governed tool calls work there.
Install
- macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh - Windows (PowerShell):
irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex
Then agp init · agp fetch all · agp start all · agp setup --agent-id my-agent --client claude-desktop.
Platforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install scripts verify checksums automatically.
AGP Community Edition v0.0.10
AGP Community Edition v0.0.10 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
New since v0.0.9
- Grant a whole server's tools to a profile in one step. From the Tools page, search by server alias, tick the tools (or the select-all header), and click Grant to profile — every selected tool is added to a behavior profile's operating envelope in a single action, with a reason recorded in the audit log. Same select-then-act flow as Rotate credentials / Deprecate / Yank. Granting is additive and idempotent (re-granting an already-allowed tool is a no-op).
- Searchable, pattern-aware grant modal. On Behavior Profiles → profile → Grant tools, a new filter box narrows the available tools by name or server alias — which also surfaces tools the old unfiltered picker could hide behind its result cap. The add box now accepts a regex: typing
^daily-assistant.*selects every matching tool at once, while a plain name still adds a single tool.
Changed
Changed: agp-admin-ui (console only). All other components carry the same commits as v0.0.9.
Upgrading from v0.0.9
agp fetch all # macOS/Linux
agp restart allOnly the admin console changed this release, so the agp CLI itself does not need re-installing. On Windows, agp fetch all then agp restart all.
Install
- macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh - Windows (PowerShell):
irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex
Then agp init · agp fetch all · agp start all · agp setup --agent-id my-agent --client claude-desktop.
Platforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install scripts verify checksums automatically.
AGP Community Edition v0.0.9
AGP Community Edition v0.0.9 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
New since v0.0.8
- Every service now reports its version.
agp statusshows the running version of each service, and a newagp versioncommand prints the CLI version alongside a service→version table — read live from each service's/health/live. Each service's health endpoints (/health/liveand/health/ready) now carryserviceandversionon a uniform contract, so version skew across a running stack is obvious at a glance. A service built from source or running an older build reportsdev/-rather than failing the command.
Fixed since v0.0.8
- Denied requests are now attributable to the agent. When a bridge presented an expired, stale, or revoked token, the Proxy logged the denial with an empty
agent_id— so you couldn't tell which agent's bridge was failing withoutlsof. The Identity service now returns the identity the rejected token claimed, and the Proxy records it on the denial (both the access log and the audit event). These values are clearly scoped to the denied request and are never used for authorization — attribution only. - Orphaned bridges no longer linger. When an MCP client (Codex, Claude Desktop) exits without cleanly closing the bridge's stdio, the bridge could keep running for hours and quietly retry against the Proxy. Bridges now detect that their launching parent has gone away and exit on their own, in addition to the existing clean-disconnect (stdin EOF) path.
- Bridges recover from token invalidation. A bridge whose token went stale or expired (for example after an agent was suspended and reactivated) could keep retrying the dead token until its next scheduled refresh (~15 min). The bridge's
tools/listwatcher now refreshes on a401and recovers on the next poll, matching the request-forwarding path — so a recoverable token heals in seconds, not minutes. - Quieter logs. The bridge's
tools/listchange-detection poll dropped from every 15s to every 60s, cutting routine Proxy log volume from idle bridges.
Changed: all components (every service stamps its version). The denial-attribution and bridge fixes additionally touch agp-identity, agp-proxy, and the agp CLI.
Upgrading from v0.0.8
agp fetch all # macOS/Linux
agp restart allThe bridge fixes (orphan exit, token recovery, quieter polling) and agp version ship in the agp CLI itself, so re-install the CLI to pick them up:
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh # macOS/LinuxOn Windows, agp fetch all then agp restart all (re-install the CLI for the latest agp binary: irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex).
Install
- macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh - Windows (PowerShell):
irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex
Then agp init · agp fetch all · agp start all · agp setup --agent-id my-agent --client claude-desktop.
Platforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install scripts verify checksums automatically.
AGP Community Edition v0.0.8
AGP Community Edition v0.0.8 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
New since v0.0.7
- Rotate backend credentials from the console — no re-registration. When a tool's backend token expires or is rotated (e.g. a GitHub PAT), you can now refresh it in place: Tools → filter by server alias → select the tools → Rotate credentials, paste the new secret. The credential is replaced on each tool's current version (schema, backend URL, and version are unchanged), and the Proxy picks it up on the next call — no restart. Same select-then-act flow as bulk yank/deprecate. The new secret is write-only in the UI and is never echoed or logged; each rotation emits a
tool.credential_rotatedaudit event (auth type only).
Fixed since v0.0.7
- More real-world MCP tools now register. Schema validation was too strict and rejected valid tools whose input schemas use nullable type arrays (
["string","null"]), typelessenum/oneOf/$refproperties, or an emptyinputSchema(parameterless tools). These now register correctly. AGP is a governance layer, not the schema authority — a false rejection is fail-closed (the tool is never reachable), so over-strict checks only kept legitimate tools (e.g. GitHub'srun_secret_scanning) from being governed. Bare-scalar properties and non-objectinputSchema.typeare still rejected. agp stop registryreported "killed" instead of "stopped". The Registry's long-lived watch streams to the Proxy blocked graceful shutdown past the supervisor's grace window, so it was force-killed. The Registry now shuts those streams promptly and exits cleanly.agp stop/agp restartreport "stopped".
Changed: agp-registry and agp-admin-ui; all other components carry the same commits as v0.0.7.
Upgrading from v0.0.7
agp fetch all # macOS/Linux
agp restart allOn Windows, agp fetch all then agp restart all (re-install the CLI only if you want the latest agp binary: irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex).
Install
- macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh - Windows (PowerShell):
irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex
Then agp init · agp fetch all · agp start all · agp setup --agent-id my-agent --client claude-desktop.
Platforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install scripts verify checksums automatically.
AGP Community Edition v0.0.7
AGP Community Edition v0.0.7 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
Fixed since v0.0.6
- Windows:
agp stopfailed with "TerminateProcess: Access is denied." Go'sos.FindProcesson Windows opens a process handle withoutPROCESS_TERMINATErights, soos.Process.Kill()was denied even for your own services. The supervisor now stops Windows services withtaskkill /F /T(terminates by PID using your own rights, and stops any child processes a service spawned).agp stop/agp restartwork on Windows.
Changed: agp-cli only; all other components carry the same commits as v0.0.6.
Upgrading from v0.0.6
agp fetch all # macOS/Linux
agp restart allOn Windows, re-install the CLI (irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex), then agp fetch all and agp restart all.
Install
- macOS / Linux:
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh - Windows (PowerShell):
irm https://raw.githubusercontent.com/getraksha/agp/main/install.ps1 | iex
Then agp init · agp fetch all · agp start all · agp setup --agent-id my-agent --client claude-desktop.
Platforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install scripts verify checksums automatically.
AGP Community Edition v0.0.6
AGP Community Edition v0.0.6 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
Fixed since v0.0.5
- Windows: services failed to start with a SQLite migration error. Identity and Registry built a
sqlite://+ path URL for the schema migrator. A Windows DB path (C:\Users\...\agp-identity.db) is not a valid URL authority, so the URL parser rejected it ("invalid port after host") and migrations failed — even though the database connection itself opened fine. Both services now run migrations against the already-open connection (no URL parsing), matching how the other services already worked. Windows installs reach a running stack.
Changed: agp-identity, agp-registry. The other DB services (audit, approval, behavior-profile) were already using the connection-based migrator and gained regression tests.
Upgrading from v0.0.5
agp fetch all
agp restart allInstall (testers, macOS/Linux)
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh
agp init
agp fetch all
agp start all
agp setup --agent-id my-agent --client claude-desktopPlatforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64 — experimental)
Windows is still experimental and not yet exercised end-to-end in CI, but this release clears the first blocker to a working stack on Windows.
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install script verify checksums automatically.
AGP Community Edition v0.0.5
AGP Community Edition v0.0.5 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
Changed since v0.0.4
- Slow tool calls no longer time out at the bridge. AGP Connect (the stdio bridge) forwarded tool calls with a 10-second client timeout — shorter than the proxy's own backend budget — so any tool that took longer than 10s failed with
NETWORK_ERROR: context deadline exceededeven though the proxy completed it. The bridge now uses a 120-second forward timeout (configurable viaAGP_BRIDGE_REQUEST_TIMEOUT_SECONDS), comfortably above the proxy's backend budget, so the proxy stays the authority on tool duration and slow tools (searches, LLM-backed tools, etc.) complete normally. Token issuance and tools/list polling keep their own short timeouts.
Only agp-cli changed; all other components carry the same commits as v0.0.4.
Upgrading from v0.0.4
agp fetch all
agp restart allRe-run agp connect <client> is not required — but restart the MCP client (Claude Desktop, Codex, etc.) so it respawns the updated bridge.
Install (testers, macOS/Linux)
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh
agp init
agp fetch all
agp start all
agp setup --agent-id my-agent --client claude-desktopPlatforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64 — experimental)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install script verify checksums automatically.
AGP Community Edition v0.0.4
AGP Community Edition v0.0.4 (private test release)
Pre-release build for private testing. The first public release will be v0.1.0.
Changed since v0.0.3
- Tool discovery now reaches public MCP servers by default.
DISCOVERY_BACKEND_HOST_ALLOWLISTdefaults to*(allow any host) so you can connect the MCP servers you already use — GitHub, gitmcp.io, and others — without configuration. Cloud-metadata and link-local addresses (e.g.169.254.169.254,metadata.google.internal) remain blocked as an SSRF safeguard; loopback and private/LAN hosts stay reachable for local and Docker MCP servers. Set an explicit comma-separated host list to harden a shared deployment; an empty value denies all discovery.
Upgrading from v0.0.3
agp fetch all
agp init --force # re-renders service config to the new defaults (keeps .bak)
agp restart allagp init --force is needed so the registry picks up the new DISCOVERY_BACKEND_HOST_ALLOWLIST=* default; an existing config file's explicit value overrides the binary default. (Or edit ~/.agp/services/registry.env and agp restart registry.)
Install (testers, macOS/Linux)
curl -fsSL https://raw.githubusercontent.com/getraksha/agp/main/install.sh | sh
agp init
agp fetch all
agp start all
agp setup --agent-id my-agent --client claude-desktopPlatforms
macOS (arm64, amd64) · Linux (amd64, arm64) · Windows (amd64, arm64 — experimental)
Verify
All assets are listed with SHA-256 checksums in SHA256SUMS and manifest.json; the CLI and install script verify checksums automatically.