You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This commit was created on GitHub.com and signed with GitHub’s verified signature.
Minor Changes
57bf9af: Public well-known OAuth/MCP metadata responses now send Cache-Control: public, max-age=60 and a strong ETag with If-None-Match 304 revalidation, so clients and proxies can cache them. The OAuth Client ID Metadata Document keeps max-age=3600 and gains an ETag. This is a prerequisite for fronting these responses with an ingress cache or CDN.
2186673: Support organization-level remote session clients. A remote_session_client can now be created with no project (organization-level) so every project in the organization can attach and use it, mirroring organization-level remote session issuers. On organizationRemoteSessionIssuers.createClient and createCimdClient an omitted project_id under an organization-level issuer creates an organization-level client (the same project_id-omission convention createIssuer already uses), while a supplied project_id scopes the client to that project. The consent/token runtime resolver, the project-scoped client reads, and the attach-time single-client invariant now resolve both a project's own clients and organization-level clients in its organization, so a project admin can attach, detach, and use an organization-level client from their own user session issuer but cannot edit or delete it (those stay on the org-admin surface). The RemoteSessionClient API shape adds organization_id and allows an empty project_id for organization-level clients, mirroring the issuer change.
5c825a9: Default to Claude Sonnet 5 (anthropic/claude-sonnet-5) for in-app model usage and newly created assistants. The model is added to the allowlist and all model pickers (playground, elements, onboarding). The backend DefaultChatModel, the platform-managed assistant, the onboarding assistant default, and the playground/MCP chat surfaces now select Sonnet 5. Specialized models (risk/PromptIntel judges, chat segmentation, embeddings, follow-on suggestions) are unchanged.
fcfd78e: Add server-side controls for unmasking redacted secrets
400f471: Plugin marketplaces now send a human-readable displayName to Claude Code, so plugins show with their admin-entered name and capitalization (e.g. "MoonPay MCP Servers") instead of the de-slugified lowercase name ("Moonpay mcp servers"). The synthesized observability plugin displays as " Observability". The plugin name remains the kebab-case slug used for namespacing and claude.ai marketplace sync. Older Claude Code clients ignore the field and fall back to prior behavior.
c8597b1: Add the unified /rpc/hooks.ingest endpoint for third-party hook ingestion while preserving existing provider-specific hook endpoints. Hook plugins now authenticate each developer locally through the browser callback flow and store a hooks-scoped key on the device.
Patch Changes
d7b8ec9: Gate the "click to reveal" secret action in Risk Events behind the chat:read scope. Users without chat:read now see flagged secret values as a non-interactive "Hidden" placeholder (with an explanatory tooltip) instead of a reveal control, and the page-level "Reveal all" toggle is hidden for them. The chat:read scope description in the role editor is updated to note that the grant also controls unmasking flagged secrets in Risk Events.