Releases: docker/docker-agent

v1.65.0

21 May 19:59
f5fc327

This release adds a skills dialog to the TUI and improves HTTP configuration options for API tools, along with proxy handling fixes.

What's New

  • Adds /skills slash command to TUI that displays all available skills with their names, sources, and descriptions

Improvements

  • Adds timeout and allow_private_ips configuration support to api and openapi tools for consistency with fetch tool

Bug Fixes

  • Fixes HTTP proxy support for private IPs in SSRF transport to allow configured proxies on private addresses

Technical Changes

  • Updates configuration documentation and applies minor cleanups

What's Changed

  • docs: update CHANGELOG.md for v1.64.0 by @docker-read-write[bot] in #2860
  • feat: add timeout and allow_private_ips support to api and openapi tools by @dgageot in #2865
  • fix: allow configured HTTP proxy on private IPs in SSRF transport by @dgageot in #2864
  • feat: add skills dialog to TUI by @dgageot in #2863

Full Changelog: v1.64.0...v1.65.0

v1.64.0

21 May 16:02
f4e06a2

Note: v1.63.0 was a failed release and was skipped. This release includes all changes that accumulated since v1.62.0.


New Features

  • Eval: input_id passthrough — When an eval input file contains a top-level "input_id" field, that value is now carried through untouched to the session entry in the results output (JSON and SQLite). The session's own "id" (a fresh UUID) is unchanged. When the input file has no "input_id", the field is absent from the output — no change to existing behaviour. This lets callers correlate eval results back to their own records without custom post-processing. (#2857)

  • MCP: allow private IPs for remote OAuth — Remote MCP servers hosted on private-network IP addresses can now participate in the OAuth authorization flow. (#2828)


Improvements

  • Sandbox: remove stale token forwarding on startup — Removed an obsolete token-forwarding step from sandbox startup that was redundant after the token-forwarding refactor in v1.62.0. (#2859)

  • Sandbox: Go toolchain bootstrap allowed through network policy — go.dev and dl.google.com are now added to the sandbox proxy allowlist, so the Go toolchain can be downloaded inside the sandbox without hitting a blocked-network-policy error. (#2859)

  • Sandbox: resolve tool-install hosts per-toolset from aqua registry — Package-host allowlisting for tool auto-install is now resolved per toolset from the aqua registry, giving more accurate (and minimal) network opens for each toolset's install requirements. (#2859)

  • Sandbox: make tokens file readable by sandbox user — The tokens file written inside the sandbox is now created with permissions that allow the sandbox user to read it, fixing authentication failures in sandboxes running as a non-root user. (#2859)


Bug Fixes

  • MCP OAuth: send resource on token exchange — The OAuth resource parameter is now correctly included when exchanging an authorization code for a token, fixing token exchange failures for resource-aware authorization servers. (#2828)

  • MCP OAuth: coalesce concurrent authorization requests — Concurrent OAuth authorization flows for the same server are now deduplicated so only one browser redirect is triggered per server, preventing race conditions when multiple tool calls fire simultaneously. (#2828)

  • Sandbox: use correct host path for kit — The docker-agent kit (skills + prompt files staged into the sandbox) is now mounted from the correct host-side directory rather than a constant container mount path, fixing kit resolution failures when the host cache directory is not at the default location. (#2859)


Contributors

@hamza-jeddad · @rumpl · @dgageot

Full Changelog: v1.62.0...v1.64.0

v1.62.0

21 May 12:23
8143005

This release improves error handling for model context overflow, adds external coding harness support, and includes numerous TUI fixes and performance optimizations.

What's New

  • Adds external coding harness agents that delegate coding tasks to external coding CLIs
  • Adds support for running context: fork slash commands as sub-sessions instead of inlining them
  • Adds docker-agent kit staging in sandbox with skills and prompt files

Improvements

  • Classifies overflow errors by kind to provide more specific error messages for different types of context window issues
  • Optimizes session browser rendering to only render visible window rows for better performance with large session histories
  • Improves shutdown safety by racing Wait() against deadline and calling ReleaseTerminal on timeout
  • Updates Gemini adapter to forward stream chunks that carry only UsageMetadata for accurate token counting

Bug Fixes

  • Fixes URL clicks in TUI by properly handling mouse events
  • Prevents a crash by not notifying on click if the agent didn't change
  • Fixes deadlock in TUI exit safety net and race conditions in shutdown handling
  • Fixes auto-scroll blocking user scroll in long elicitation dialogs
  • Fixes MCP tool name prefix stripping in callTool functionality
  • Fixes OpenAI strict mode support for Notion and Jira MCP tools with gpt-5
  • Fixes user_prompt dialog to open scrolled to top and respect user scrolling
  • Fixes keychain prompts in tests by using in-memory token store
  • Fixes MCP OAuth handler to drop stray callbacks and respond with proper HTTP status codes

Technical Changes

  • Bounds three previously-unbounded caches to prevent memory growth on long sessions
  • Uses SSRF-safe HTTP client for remote skills registry
  • Honors Cache-Control headers properly in skills caching
  • Extracts lrucache package and bounds unbounded caches
  • Refactors model override into runAgent request body for atomic model selection
  • Updates Grok example to use grok-4.3 model
  • Treats wezterm as a terminal that handles shift+enter properly
  • Adds clean task to remove generated binary
  • Updates various dependencies including Anthropic SDK, AWS Bedrock runtime, and Docker CLI

What's Changed

  • docs: update CHANGELOG.md for v1.61.0 by @docker-read-write[bot] in #2822
  • modelerrors: make overflow errors more specific by @trungutt in #2818
  • Add .cache to .gitignore by @rumpl in #2827
  • Treat wezterm as a terminal that knows how to handle shift+enter by @rumpl in #2825
  • Don't notify on click if the agent didn't change by @rumpl in #2824
  • tui: Fix URL clicks by @vvoland in #2823
  • feat: add external coding harness agents by @rumpl in #2826
  • perf(tui): only render visible session rows in /sessions dialog by @dgageot in #2830
  • docs: document allow_private_ips option and SSRF protection in fetch tool by @dgageot in #2833
  • fix(tui): bound previously-unbounded caches to prevent OOM on long sessions by @dgageot in #2831
  • Misc Security fixes by @dgageot in #2820
  • fix: use in-memory token store in tests to avoid OS keychain prompt by @dgageot in #2836
  • fix MCP tool name prefix stripping in callTool by @dgageot in #2837
  • chore(examples): remove shebang lines and executable bits by @dgageot in #2838
  • docs(memory): fix incorrect default database path placeholder by @kenijkawada in #2835
  • fix(tui): user_prompt dialog opens scrolled to top and respects user scrolling by @dgageot in #2843
  • feat(mcpcatalog): hide disable / reset_auth tools when no server is enabled by @dgageot in #2840
  • fix(tui): restore terminal on Ctrl-C when bubbletea shutdown stalls by @dgageot in #2842
  • fix(examples): update grok example to use grok-4.3 by @dgageot in #2846
  • chore: add clean task to remove generated binary by @dgageot in #2847
  • test(server): make TestAttachedServer_DeleteSessionStopsEventStream more robust by @dgageot in #2845
  • chore: bump direct Go dependencies by @dgageot in #2849
  • fix(openai): support Notion and Jira MCP tools with gpt-5 strict mode by @dgageot in #2839
  • fix(gemini): forward stream chunks that carry only UsageMetadata by @kenijkawada in #2848
  • docs+config: surface the two env-variable expansion syntaxes (#2615) by @dgageot in #2851
  • feat(skills): run context: fork slash commands as sub-sessions by @dgageot in #2850
  • refactor(api): fold model override into runAgent request body by @dgageot in #2852
  • feat(sandbox): docker-agent kit, gateway allowlist, and assorted --sandbox fixes by @dgageot in #2844

Full Changelog: v1.61.0...v1.62.0

v1.61.0

19 May 14:33
1893db0

This is a maintenance release that updates documentation for the previous version.

Technical Changes

  • Updates CHANGELOG.md with release notes for v1.60.0

What's Changed

  • docs: update CHANGELOG.md for v1.60.0 by @docker-read-write[bot] in #2817

Full Changelog: v1.60.0...v1.61.0

v1.60.0

18 May 16:54
815e131

This release adds agent switching commands, MCP server discovery capabilities, and runtime model switching, along with UI improvements and stability fixes.

What's New

  • Adds slash commands for agent switching (e.g., /plan to hand off to planner agent)
  • Adds MCP catalog toolset for on-demand discovery and activation of remote MCP servers
  • Adds runtime model switching with GET/PATCH/POST endpoints for changing models during sessions
  • Adds sampling/createMessage support for MCP servers to use the host's LLM
  • Adds identity headers (X-Docker-Agent-Version, X-Docker-Desktop-Version) to built-in tool requests

Improvements

  • Renders user pasted content in TUI and collapses large pasted file contents (over 30 lines) into toggleable view
  • Routes mouse-wheel events to background dialogs instead of falling through to chat area
  • Uses Claude Sonnet 4.6 as default model in Anthropic provider
  • Switches to non-preview Gemini model
  • Adds configurable thinking expansion in user config

Bug Fixes

  • Fixes evaluation builds with legacy Docker builder by using printf instead of heredoc for /run.sh
  • Prevents a crash by explicitly sending tool_choice=auto in OpenAI requests that include tools
  • Fixes Desktop version lookup to be TTL-based and context-independent
  • Fixes command resolution before agent switching to prevent lookup failures
  • Fixes concurrent access issues by using thread-safe methods and improving snapshot isolation

Technical Changes

  • Refactors toolset creation into individual packages with standardized naming
  • Improves concurrent package with thread-safe methods and uses it across multiple components
  • Centralizes context-limit resolution in runtime
  • Moves concurrency deduplication from trigger to review workflow in CI
  • Updates example configuration to use xai/grok-2-latest model

What's Changed

  • fix(evals): build /run.sh with printf so legacy builder works by @hamza-jeddad in #2779
  • bump github.com/coder/acp-go-sdk from v0.12.2 to v0.13.0 by @dgageot in #2782
  • docs: update CHANGELOG.md for v1.59.0 by @docker-read-write[bot] in #2783
  • route mouse-wheel events to background dialogs by @dgageot in #2787
  • Use a non preview gemini model by @dgageot in #2785
  • Use sonnet 4.6 as default in anthropic by @rumpl in #2786
  • feat(tui): show user pasted content by @joshbarrington in #2784
  • ci: move concurrency dedup from trigger to review workflow by @dgageot in #2789
  • docs(site): make the docs site feel like part of Docker, and explain what Docker Agent is by @dgageot in #2793
  • Expand thinking configuration by @rumpl in #2802
  • fix(examples): use xai/grok-2-latest in grok.yaml by @dgageot in #2806
  • bump direct go dependencies by @dgageot in #2803
  • feat: add X-Docker-Agent-Version and X-Docker-Desktop-Version headers to built-in tools by @dgageot in #2795
  • Improve concurrent package by @dgageot in #2810
  • bump direct go dependencies by @dgageot in #2811
  • feat(mcp): add sampling/createMessage support by @dgageot in #2815
  • fix(runtime): use provider_opts.context_size for compaction by @dgageot in #2814
  • fix(openai): explicitly send tool_choice=auto when tools are provided by @dgageot in #2813
  • Better tool registry by @dgageot in #2807
  • feat(api): accept model overrides on session creation and add runtime model switching endpoints by @dgageot in #2791
  • feat: add mcp_catalog toolset for on-demand MCP server discovery by @dgageot in #2794
  • feat: add slash commands for agent switching by @dgageot in #2790

Full Changelog: v1.59.0...v1.60.0

v1.59.0

13 May 11:57
9513dbd

This release adds XML tool call parsing for better model compatibility, performance improvements for TUI rendering, and enhanced remote runtime capabilities.

What's New

  • Adds XML tool call fallback parsing for models that return <tool_call>...</tool_call> text instead of using OpenAI function-calling API
  • Adds fd:// scheme support to server.Listen for parent process socket passing
  • Adds per-code-block copy affordance with clickable copy glyphs in TUI
  • Adds session persistence and resumption for A2A (agent-to-agent) interactions using SQLite
  • Adds comprehensive remote runtime API with SSE event streaming, session management, and graceful degradation

Improvements

  • Improves TUI rendering performance with cached output, targeted invalidation, and incremental markdown rendering
  • Improves ACP support with session management, event handling, and structured error codes
  • Preserves user input across tab switches in TUI dialogs

Bug Fixes

  • Fixes crash during tool auto-install by adding panic recovery
  • Fixes SSE stream cancellation and IPv6 address binding issues
  • Fixes Vertex AI Model Garden provider capability lookups by rewriting provider to publisher mapping

Technical Changes

  • Replaces internal secretsscan with github.com/docker/portcullis library
  • Centralizes modelsdev.Store creation via RuntimeConfig with lazy initialization
  • Merges modelcaps into modelinfo and introduces strongly-typed modelsdev.ID
  • Refactors event handling to use EventSink interface instead of channel threading
  • Removes experimental send, watch, and proto subcommands

What's Changed

  • docs: update CHANGELOG.md for v1.58.0 by @docker-read-write[bot] in #2745
  • feat: add fd:// scheme support to server.Listen by @dgageot in #2744
  • refactor: replace internal secretsscan with github.com/docker/portcullis by @dgageot in #2747
  • refactor: centralize modelsdev.Store creation and inject via RuntimeConfig by @dgageot in #2746
  • docs: Docker-branded redesign with dark-mode-first theme and improved homepage by @dgageot in #2750
  • feat(modelsdev): add WithCache option to override cache file path by @rumpl in #2753
  • feat: wire TUI/CLI to emit Document parts and render attachments by @simonferquel-clanker in #2751
  • fix: avoid sub-agent terminology in skill instructions to prevent transfer_task confusion by @dgageot in #2748
  • refactor: merge modelcaps into modelinfo and simplify by @dgageot in #2755
  • refactor: simplify RuntimeConfig by removing dead field and caching env provider by @dgageot in #2754
  • refactor: extract loopState struct to bundle runTurn parameters by @dgageot in #2759
  • feat: add docs preview workflow for PRs by @dgageot in #2752
  • feat(runtime): remote runtime with full TUI parity and production readiness by @dgageot in #2749
  • feat(a2a): allow session to be resumed interactively by @maxcleme in #2762
  • feat: improve TUI control plane API for external consumers by @dgageot in #2757
  • perf: TUI rendering performance improvements by @dgageot in #2756
  • drop send, watch and proto subcommands by @dgageot in #2763
  • xml fallback for llama.cpp models by @areebahmeddd in #2732
  • refactor: replace chan Event threading with EventSink interface by @dgageot in #2760
  • Improve ACP support: session management, event handling, and code simplification by @dgageot in #2758
  • refactor: introduce modelsdev.ID for provider-qualified model identity by @dgageot in #2766
  • fix(toolinstall): recover from panics during auto-install by @dgageot in #2768
  • fix: rewrite Vertex AI Model Garden provider to publisher for capability lookups by @dgageot in #2767
  • bump direct go dependencies by @dgageot in #2771
  • Fix linter by @dgageot in #2772
  • fix(tui): preserve user_prompt input across tab switches by @dgageot in #2774
  • perf(tui): make streaming chunk rendering linear by @dgageot in #2773
  • fix: two TUI control-plane bugs (SSE cancel, IPv6 listen) by @dgageot in #2775
  • set working dir properly by @krissetto in #2777
  • feat(tui): add per-code-block copy affordance by @rumpl in #2778

Full Changelog: v1.58.0...v1.59.0

v1.58.0

11 May 13:14
edef1e5

This release adds external TUI control capabilities, HTTP POST hooks, and several security hardening improvements.

What's New

  • Adds http_post builtin hook for making HTTP POST requests from agent workflows
  • Adds --listen flag to run command to expose the running TUI for external control
  • Adds send subcommand to drive a live TUI session from external processes
  • Adds watch subcommand to stream events from a running TUI
  • Adds --on-event hooks to observe arbitrary events during runs
  • Adds --attach flag to serve mcp command to expose running TUI via MCP
  • Adds newline-delimited JSON protocol over stdio for external communication
  • Adds discovery files for live runs in run registry
  • Adds bump-config-version skill for configuration management

Bug Fixes

  • Fixes filesystem tool path expansion for ~ (home directory) in file paths
  • Fixes model ID handling to use fully-qualified provider/model identifiers for capability lookups
  • Fixes Nebius example to use available Kimi-K2.5 model instead of deprecated Kimi-K2-Instruct
  • Fixes dry-run mode to work properly before contacting remote servers
  • Fixes request context propagation in echo logging
  • Fixes run registry permissions and session lifecycle cleanup

Improvements

  • Makes max_iterations builtin stateless by using runtime's existing iteration counter
  • Hardens http_post hook with SSRF-safe client, scheme validation, and request logging
  • Consolidates home directory path expansion across the codebase
  • Shows current git branch when working in a repository
  • Unifies local and remote run dispatch through shared backend interface

Technical Changes

  • Refactors snapshot handling into dedicated SnapshotController separate from runtime
  • Refactors unload builtin to be pure and runtime-agnostic
  • Promotes model switching and tools change subscription onto Runtime interface
  • Adds security hardening for secrets provider, archive extraction, OAuth HTTP client, and shell tool
  • Enables gosec linter for file permission validation
  • Updates Go to version 1.26.3
  • Adds migration content pinning to enforce append-only database schema changes

What's Changed

  • docs: update CHANGELOG.md for v1.57.0 by @docker-read-write[bot] in #2703
  • fix: expand ~ in filesystem tool paths by @dgageot in #2704
  • feat(hooks): add http_post builtin by @dgageot in #2705
  • fix: use available Kimi-K2.5 model in nebius example by @dgageot in #2711
  • fix: make max_iterations builtin stateless (#2698) by @dgageot in #2708
  • update PR reviewer to 1.5.1 by @derekmisler in #2717
  • Show the current git branch when in a repo by @rumpl in #2721
  • Consolidate home directory path expansion by @rumpl in #2720
  • Change the default models for the golang dev by @rumpl in #2718
  • Change the app name in otel to docker-agent by @rumpl in #2719
  • bump direct go dependencies by @dgageot in #2709
  • bump go to 1.26.3 by @dgageot in #2712
  • feat: let external processes drive a running TUI by @dgageot in #2714
  • security: five defense-in-depth fixes (secrets, archives, oauth, shell tool, request logs) by @dgageot in #2713
  • refactor(run): unify local/remote dispatch via Backend (10 baby steps) by @dgageot in #2715
  • refactor: extract SnapshotController so the runtime no longer brokers /undo by @dgageot in #2707
  • add bump-config-version skill by @dgageot in #2729
  • ci: enable gosec linter by @dgageot in #2730
  • test(session): pin migration catalogue content (append-only enforcement) by @dgageot in #2727
  • fix(toolinstall): route the registry client through httpclient.NewSafeClient by @dgageot in #2726
  • Fix broken test on main by @dgageot in #2735
  • Add alias by @dgageot in #2736
  • ci: lint workflow invariants actionlint misses (concurrency, SHA pinning, payload deny-list) by @dgageot in #2725
  • refactor(run-control): unify target resolution and SSE handling by @dgageot in #2731
  • refactor(hooks): make the unload on_agent_switch builtin pure by @dgageot in #2706
  • chore: bump direct Go dependencies by @dgageot in #2742
  • remote-runtime: close silent gaps, consolidate Runtime, scaffold wire (10 baby steps) by @dgageot in #2723
  • fix: pass fully-qualified provider/model ID to modelcaps.Load by @simonferquel-clanker in #2738

Full Changelog: v1.57.0...v1.58.0

v1.57.0

07 May 15:03
c5ba831

This release improves markdown rendering performance, adds agent switching capabilities, and enhances secret redaction with better error handling.

What's New

  • Adds unload on_agent_switch builtin hook for releasing model resources when switching between agents

Improvements

  • Speeds up and simplifies markdown fast renderer for better performance
  • Trims builtin tool schemas to save tokens in LLM requests
  • Tightens Docker PAT redaction and adds organization access tokens support
  • Adds more vendor-prefixed secret patterns for improved security scanning

Bug Fixes

  • Fixes retry handling for Vertex AI 'function response parts' 400 errors that occur intermittently
  • Restores styles on continuation lines of broken words in markdown rendering
  • Fixes H1 prefix and ANSI style handling in wrapText functionality
  • Defensively lowercases transient patterns in model error handling
  • Caps quantifiers on new secret rules to prevent adjacent text being incorrectly redacted

Technical Changes

  • Adopts new rubocop-go DSL across all linting cops for better code organization
  • Uses slog.WarnContext where context is available for improved logging
  • Drains unload response body and documents single-tenant assumption

What's Changed

  • docs: update CHANGELOG.md for v1.56.0 by @docker-read-write[bot] in #2695
  • Make the FastMarkdown renderer simpler and faster by @dgageot in #2686
  • refactor(lint): adopt new rubocop-go DSL across all cops by @dgageot in #2687
  • fix: retry transient Vertex AI 'function response parts' 400 errors by @dgageot in #2691
  • shrink builtin tool schemas to save tokens by @dgageot in #2694
  • feat: add unload on_agent_switch builtin hook by @dgageot in #2684
  • secretsscan: tighten Docker PAT, add new vendor patterns, cap quantifiers by @dgageot in #2697

Full Changelog: v1.56.0...v1.57.0

v1.56.0

07 May 13:35
df5b259

This release adds snapshot management capabilities and expands secret detection with 20 new patterns.

What's New

  • Adds /snapshots command to list and restore captured snapshots from the current session
  • Adds 20 new secret detection patterns including Discord bot tokens, Telegram bot tokens, Fly.io macaroons, Groq API keys, Perplexity API keys, and xAI/Grok API keys

Technical Changes

  • Freezes config v8 and starts v9 as the latest configuration schema version
  • Moves non-migration config tests to pkg/config for better organization
  • Updates logging to use slog.WarnContext when a context is in scope
  • Simplifies snapshot plumbing implementation

What's Changed

  • freeze config v8 and start v9 as latest by @dgageot in #2688
  • docs: update CHANGELOG.md for v1.55.0 by @docker-read-write[bot] in #2689
  • feat(tui): add /snapshots command to list and restore captured snapshots by @dgageot in #2690
  • feat(secretsscan): add 20 more secret patterns by @dgageot in #2692
  • move non-migration config tests to pkg/config by @dgageot in #2693

Full Changelog: v1.55.0...v1.56.0

v1.55.0

07 May 10:10
428af2e

This release introduces significant security hardening, attachment system foundations, and enhanced configuration capabilities.

What's New

  • Adds HCL configuration format support as an alternative to YAML for agent configurations
  • Adds /pause command to toggle the runtime loop at iteration boundaries
  • Adds turn_end hook that fires once per turn regardless of how the turn ended
  • Adds shadow snapshots and /undo command for restoring file changes without modifying session transcript
  • Adds Anthropic Workload Identity Federation support for OIDC-derived authentication
  • Adds attachment system foundations with chat.Document and per-provider document conversion
  • Adds JavaScript/WebAssembly browser build with OpenRouter PKCE support
  • Adds custom request headers support for the fetch toolset with environment variable expansion
  • Adds allow/deny lists for filesystem toolset to sandbox file access
  • Adds wildcard and CIDR pattern support in fetch toolset domain filtering
  • Adds input-shape repair layer for tool calls to handle common model mistakes
  • Adds MCP embedded resource content type support
  • Adds --hook-stop CLI flag for the existing stop event
  • Adds --tool-name flag to override MCP tool identifier
  • Adds --mcp-keepalive flag for MCP server connections

Improvements

  • Expands secret detection with additional patterns for OpenAI, Anthropic, Google, Stripe, Notion, GitLab, Vault, and Slack tokens
  • Speeds up secret redaction with aho-corasick keyword pre-filter
  • Improves markdown rendering performance with single-pass URL scanner optimizations
  • Enhances session ID and install UUID forwarding on gateway-bound requests for better tracing
  • Pauses animation ticks while terminal is blurred to reduce CPU usage
  • Propagates non-interactive mode to child sessions and declines elicitation automatically

Bug Fixes

  • Fixes crash on startup when configuration file is empty
  • Fixes environment variable race in script shell tool execution
  • Fixes data races on session token and message writes
  • Fixes lifecycle supervisor state race condition
  • Fixes infinite loop on hash-prefixed paragraphs in markdown renderer
  • Fixes tab switching and chat scroll functionality while prompts are open
  • Fixes compaction kept-tail mapping after prior summaries
  • Fixes IPv4-mapped IPv6 SSRF bypass in fetch domain matcher
  • Fixes finish_reason stop when tracking usage in OpenAI streams
  • Fixes comment-only SSE events that crash openai-go client

Technical Changes

  • Replaces mise with go-task as the project task runner
  • Splits builtin tools into individual sub-packages for better organization
  • Centralizes model-specific behavior in pkg/modelinfo package
  • Tightens file and directory permissions for per-user data to 0o700/0o600
  • Adds contextual logging throughout codebase for better trace correlation
  • Adds 7 new architectural-sync linting cops that caught 10 real bugs
  • Hardens OAuth with constant-time state comparison and SSRF protection
  • Blocks non-public IPs in API and OpenAPI tools by default
  • Updates jose2go to v1.7.0 to address security vulnerabilities
  • Bumps various Go dependencies including Anthropic SDK, Docker CLI, and OpenTelemetry packages

What's Changed

  • docs: document toon and per-toolset model routing by @dgageot in #2587
  • Bump direct Go dependencies by @dgageot in #2586
  • docs: update CHANGELOG.md for v1.54.0 by @docker-read-write[bot] in #2588
  • Finish secret redaction by @dgageot in #2589
  • simplify pkg/hooks: drop unused EventSpec abstraction by @dgageot in #2591
  • lint: add 7 architectural-sync cops (catches 10 real bugs) by @dgageot in #2593
  • Add turn_end hook by @rumpl in #2592
  • Bump direct Go dependencies by @dgageot in #2597
  • update PR review workflow with fork-supporting trigger by @derekmisler in #2596
  • Use the latest rubocop-go by @dgageot in #2594
  • Bump direct Go dependencies by @dgageot in #2599
  • docs: fix outdated content and document missing commands by @dgageot in #2600
  • Handle case when session started with Docker Desktop proxy available, and the Desktop is stopped by @gtardif in #2606
  • Add /pause command to toggle the runtime loop by @dgageot in #2605
  • harden docker agent serve api: warn on non-loopback, fix runtime race, block SSRF by @dgageot in #2604
  • Support HCL as an alternative agent config format by @dgageot in #2598
  • fetch: support wildcard and CIDR patterns in domain allow/deny lists by @dgageot in #2602
  • Add detection rules for more secret formats by @dgageot in #2603
  • docs: refresh outdated examples, missing env vars, and CLI options by @dgageot in #2610
  • feat(hooks): expose stop hook via CLI by @tdabasinskas in #2627
  • fix(session): close data races on session token and message writes by @tdabasinskas in #2622
  • fix(lifecycle): order state transition before waking restart waiters by @tdabasinskas in #2621
  • fix(security): bump jose2go to v1.7.0 (GO-2025-4123, GO-2023-2409) by @tdabasinskas in #2619
  • fix(runtime): add OpenTelemetry tracer to runtime initialization by @tdabasinskas in #2505
  • fix(tools): prevent environment variable race in script shell tool by @tdabasinskas in #2616
  • feat(mcp): add support for embedded resource content type by @tdabasinskas in #2612
  • docs: fix outdated and incorrect references by @dgageot in #2618
  • deps: bump direct Go dependencies by @dgageot in #2609
  • feat(filesystem): add allow_list / deny_list to sandbox the toolset by @dgageot in #2601
  • feat(gateway): add X-Cagent-Session-Id header to models gateway requests by @tdabasinskas in #2631
  • feat(mcp-server): add --tool-name flag to override the MCP tool identifier by @tdabasinskas in #2625
  • feat(runtime): propagate non-interactive mode to child sessions and decline elicitation by @tdabasinskas in #2623
  • feat(otel): configure W3C trace propagation for distributed tracing by @tdabasinskas in #2506
  • docs: fill in missing CLI flags and fix outdated content by @dgageot in #2633
  • bump direct Go dependencies by @dgageot in #2637
  • feat(mcp-server): add keep-alive support by @tdabasinskas in #2624
  • Fix perf regression urls by @dgageot in #2638
  • docs: add HCL configuration documentation by @rumpl in #2643
  • docs: fix broken links and outdated/incorrect snippets by @dgageot in #2650
  • Update pr-review.yml by @derekmisler in #2648
  • avoid duplicate compaction system prompt by @rumpl in #2647
  • HCL: add a file() function by @rumpl in #2642
  • docs(agents): expand AGENTS.md with guidelines and standards by @aheritier in #2644
  • docs(github): update issue templates and triage workflow by @aheritier in #2645
  • Fix finish_reason stop when tracking usage by @rumpl in #2641
  • feat(tools): generic input-shape repair for tool calls (validate-then-repair) by @trungutt in #2635
  • bump direct go dependencies by @dgageot in #2655
  • fix: keep tab switching and chat scroll working while a prompt is open by @dgageot in #2654
  • Add JS placeholders support in instructions by @dgageot in #2652
  • fetch: support custom request headers by @dgageot in #2651
  • feat(httpclient): forward cagent install UUID on gateway-bound requests by @dgageot in #2653
  • split builtin tools into individual sub-packages by @dgageot in #2661
  • chore: replace mise with go-task by @dgageot in #2659
  • docs: refresh examples README by @dgageot in #2665
  • tui: pause animation ticks while the terminal is blurred by @dgageot in #2668
  • refactor(logging): pass context to all slog calls for correlation by @tdabasinskas in #2669
  • redact_secrets: catch more token shapes and bare unquoted values by @dgageot in https://github.com/docke...