Skip to content

server@0.79.0

Choose a tag to compare

@gram-bot gram-bot released this 01 Jul 23:59
1a4ba22

Minor Changes

  • 57bf9af: Public well-known OAuth/MCP metadata responses now send Cache-Control: public, max-age=60 and a strong ETag with If-None-Match 304 revalidation, so clients and proxies can cache them. The OAuth Client ID Metadata Document keeps max-age=3600 and gains an ETag. This is a prerequisite for fronting these responses with an ingress cache or CDN.
  • 2186673: Support organization-level remote session clients. A remote_session_client can now be created with no project (organization-level) so every project in the organization can attach and use it, mirroring organization-level remote session issuers. On organizationRemoteSessionIssuers.createClient and createCimdClient an omitted project_id under an organization-level issuer creates an organization-level client (the same project_id-omission convention createIssuer already uses), while a supplied project_id scopes the client to that project. The consent/token runtime resolver, the project-scoped client reads, and the attach-time single-client invariant now resolve both a project's own clients and organization-level clients in its organization, so a project admin can attach, detach, and use an organization-level client from their own user session issuer but cannot edit or delete it (those stay on the org-admin surface). The RemoteSessionClient API shape adds organization_id and allows an empty project_id for organization-level clients, mirroring the issuer change.
  • 5c825a9: Default to Claude Sonnet 5 (anthropic/claude-sonnet-5) for in-app model usage and newly created assistants. The model is added to the allowlist and all model pickers (playground, elements, onboarding). The backend DefaultChatModel, the platform-managed assistant, the onboarding assistant default, and the playground/MCP chat surfaces now select Sonnet 5. Specialized models (risk/PromptIntel judges, chat segmentation, embeddings, follow-on suggestions) are unchanged.
  • fcfd78e: Add server-side controls for unmasking redacted secrets
  • 400f471: Plugin marketplaces now send a human-readable displayName to Claude Code, so plugins show with their admin-entered name and capitalization (e.g. "MoonPay MCP Servers") instead of the de-slugified lowercase name ("Moonpay mcp servers"). The synthesized observability plugin displays as " Observability". The plugin name remains the kebab-case slug used for namespacing and claude.ai marketplace sync. Older Claude Code clients ignore the field and fall back to prior behavior.
  • c8597b1: Add the unified /rpc/hooks.ingest endpoint for third-party hook ingestion while preserving existing provider-specific hook endpoints. Hook plugins now authenticate each developer locally through the browser callback flow and store a hooks-scoped key on the device.

Patch Changes

  • d7b8ec9: Gate the "click to reveal" secret action in Risk Events behind the chat:read scope. Users without chat:read now see flagged secret values as a non-interactive "Hidden" placeholder (with an explanatory tooltip) instead of a reveal control, and the page-level "Reveal all" toggle is hidden for them. The chat:read scope description in the role editor is updated to note that the grant also controls unmasking flagged secrets in Risk Events.
  • 98de65f: mig: add session_capture_exclusions table