v1.71.0

This release improves GitHub Copilot integration with better API routing and error handling, along with enhanced conversation state management and expanded documentation.

Bug Fixes

• Fixes GitHub Copilot Responses API auto-selection and error preservation to properly route models to correct endpoints
• Prevents X-Conversation-Id from mutating cached session on retry by making continuations transactional
• Preserves item value fields and Ask permission in Session.Clone operations
• Implements deep-copy for Evals, EvalResult, and ToolDefinitions in session clones
• Updates github-copilot model from gpt-4o to gpt-4.1 to match available models

Technical Changes

• Freezes configuration schema v9 and starts v10 as latest version
• Adds comprehensive documentation for coding harnesses, caching, lifecycle, defer, and fetch filtering
• Adds end-to-end tests for conversation state handling across failed turns

---

What's Changed

• docs: update CHANGELOG.md for v1.70.2 by @docker-read-write[bot] in #2951
• docs: document coding harnesses and fill P0/P1/P2 documentation gaps by @aheritier in #2950
• fix: keep failed chat continuations out of conversation cache by @dgageot in #2947
• fix: github-copilot Responses API auto-selection and error preservation by @dgageot in #2942
• fix: update github-copilot model from gpt-4o to gpt-4.1 by @dgageot in #2961
• chore(config): freeze v9 and bump latest to v10 by @dgageot in #2960

Full Changelog: v1.70.2...v1.71.0

v1.70.2

This release adds support for inline skills in agent configuration and improves environment variable handling in path fields, along with several bug fixes.

What's New

• Adds support for inline skills in agent YAML config, allowing skills to be defined directly without separate files
• Adds support for ${env.VAR} syntax in path fields as an alias for ${VAR}

Improvements

• Streams tool outputs for better real-time feedback

Bug Fixes

• Fixes duplicate persistent toolset-failure notifications that were stacking in the TUI
• Fixes MCP OAuth dialog re-appearing after user declines authentication
• Surfaces inline-skill decode errors and rejects file reads for inline skills

Technical Changes

• Removes obsolete expansion-mismatch warnings for path fields
• Extracts failureStreak helper in StartableToolSet
• Removes notification-layer deduplication
• Removes MCP server on OAuth decline and stops providing incorrect information to the model

---

What's Changed

• docs: update CHANGELOG.md for v1.70.1 by @docker-read-write[bot] in #2940
• Stream tool outputs by @rumpl in #2945
• feat: support inline skills in agent YAML config by @dgageot in #2946
• chore: bump direct Go dependencies by @dgageot in #2941
• feat(config): accept ${env.X} in path fields (steps 2-4 of #2615) by @dgageot in #2944
• fix: dedupe persistent toolset-failure notifications by @dgageot in #2943
• fix(mcp): stop the OAuth Authentication Request loop after the user clicks Cancel by @trungutt in #2949

Full Changelog: v1.70.1...v1.70.2

v1.70.1

This release introduces agent selection UI, git worktree isolation, theme preselection, and notification improvements for enhanced workflow management.

What's New

• Adds --agent-picker flag for full-screen agent selection dialog with YAML syntax highlighting and scrollable interface
• Adds --worktree flag to run agents in isolated git worktrees on dedicated branches
• Adds --worktree-pr flag to run agents on GitHub pull requests in separate worktrees
• Adds --theme flag to preselect TUI theme at launch, overriding user config settings

Improvements

• Improves TUI notifications with hover protection, click-to-copy content, and visual enhancements
• Adds worktree cleanup when interactive runs end to maintain clean workspace
• Adds worktree_create hook to prepare fresh git worktrees for agent execution

Bug Fixes

• Fixes agent config display sanitization and enables YAML soft-wrap in picker dialog

Technical Changes

• Forwards MCP embedded resources (images, PDFs, text) to model providers as native content blocks
• Adds theme flag validation and completion tests for better user experience

---

What's Changed

• docs: update CHANGELOG.md for v1.70.0 by @docker-read-write[bot] in #2930
• TUI - Improve notifications by @krissetto in #2931
• feat: add --theme flag to preselect TUI theme by @dgageot in #2933
• docs: document --auth-token flag, OAuth callback security note, and TUI notification UX by @aheritier in #2932
• docs: document --theme flag for docker agent run by @aheritier in #2936
• docs: add --theme launch example to TUI quickstart by @aheritier in #2939
• feat: add --agent-picker flag for agent selection UI by @dgageot in #2937
• feat: run agents in isolated git worktrees by @dgageot in #2938
• feat(mcp): forward embedded resources to model providers by @rumpl in #2935

Full Changelog: v1.70.0...v1.70.1

v1.70.0

This release focuses on text handling improvements, OAuth flow enhancements for MCP catalog servers, and server filtering capabilities.

What's New

• Adds --app-name flag to override the default "docker agent" label in the TUI status bar and window title
• Adds allow-list and block-list filtering for MCP catalog servers via allowed_servers and blocked_servers configuration options

Improvements

• Tells the model to proceed automatically after enabling an OAuth server in MCP catalog instead of requiring user to repeat their request
• Restores dynamic progress bar width in evaluation mode (was previously fixed at width 10)

Bug Fixes

• Fixes rune-safe truncation across multiple UI components: file names in file picker, session titles in session browser, directory names in working-dir picker, tab titles, search query preview, and tool output preview
• Fixes rune-safe truncation of operation descriptions in OpenAPI handling
• Fixes rune-safe search-result preview in filesystem operations
• Prevents sending split UTF-8 runes to embedding models in RAG operations
• Populates ModelID field correctly in after_llm_call hook payload

Technical Changes

• Removes dead code in WASM agent loop selection
• Adds validation for allowed_servers and blocked_servers in MCP catalog configuration
• Adds warning for unknown server IDs in MCP catalog allow/block lists
• Updates documentation for CLI flags, hook payloads, and OAuth endpoints

---

What's Changed

• docs: update CHANGELOG.md for v1.69.0 by @docker-read-write[bot] in #2919
• chore: bump direct Go dependencies by @dgageot in #2918
• fix(runtime): populate ModelID in after_llm_call hook payload by @kimizuka in #2911
• fix: rune-safe truncation and dead-code cleanup by @dgageot in #2920
• Address review feedback on #2896 by @trungutt in #2921
• docs: sync CLI flags and hook payload docs with recent changes by @aheritier in #2927
• chore: bump direct Go dependencies by @dgageot in #2926
• feat: add allow/block-list of servers to the mcp_catalog tool by @dgageot in #2928
• docs: sync /docs with changes merged 2026-05-28 – 2026-05-29 by @aheritier in #2929
• fix(mcpcatalog): tell the model to proceed after enabling an OAuth server by @trungutt in #2925

New Contributors

• @kimizuka made their first contribution in #2911

Full Changelog: v1.69.0...v1.70.0

v1.69.0

This release adds new TUI customization options and improves OAuth authentication handling.

What's New

• Adds --app-name flag to override TUI title display
• Adds --disable-commands flag to hide and disable slash commands in TUI
• Adds --sidebar flag to control sidebar visibility
• Adds out-of-band callback route for unmanaged OAuth drive-flow

Improvements

• Extends unmanaged OAuth flow to drive code exchange in-process
• Propagates user-initiated cancellation across the WithoutCancel boundary

Technical Changes

• Renames OAuth elicitation meta keys from cagent/ to docker-agent/
• Trims aijson re-tests while keeping docker-agent integration tests
• Fixes lint issues in OAuth tests and helpers
• Canonicalizes bootstrapRepo temp dir for macOS in snapshot tests
• Simplifies AllBindings by removing redundant leanMode guard

---

What's Changed

• docs: update CHANGELOG.md for v1.68.0 by @docker-read-write[bot] in #2909
• docs: update CHANGELOG.md for v1.68.0 and document cancelled v1.66/v1.67 by @aheritier in #2910
• test(tools): trim aijson re-tests, keep docker-agent integration by @trungutt in #2905
• Rename OAuth elicitation meta keys from cagent/ to docker-agent/ by @trungutt in #2915
• feat: add --app-name flag and fix macOS test symlink issue by @dgageot in #2914
• feat: add --disable-commands flag to hide and disable slash commands in TUI by @dgageot in #2913
• feat: add --sidebar flag to control sidebar visibility by @dgageot in #2917
• Extend unmanaged OAuth flow to drive code exchange in-process by @trungutt in #2896

Full Changelog: v1.68.0...v1.69.0

v1.68.0

What's Changed

• docs: update CHANGELOG.md for v1.65.0 by @docker-read-write[bot] in #2868
• Show the path from where the skill is loaded by @rumpl in #2869
• chore: bump github.com/pb33f/libopenapi to v0.36.5 by @dgageot in #2862
• docs: document --sandbox auto-kit and --no-kit flag by @dgageot in #2867
• docs: document reset_remote_mcp_server_auth meta-tool by @dgageot in #2874
• fix(anthropic): handle SSE in-band errors with correct HTTP status codes by @dgageot in #2880
• feat: add 'docker agent debug skills' command by @dgageot in #2881
• docs: document mcp_catalog toolset and reorganize RAG reference by @dgageot in #2876
• chore(deps): bump direct Go dependencies by @dgageot in #2883
• a2a: honour timeout and allow_private_ips config (with SSRF protection) by @dgageot in #2882
• docs: add dedicated MCP tool reference page by @dgageot in #2875
• feat(config): enable redact_secrets by default by @rumpl in #2889
• feat(sandbox): alias/runtime sandbox defaults and persistent network allowlist by @dgageot in #2888
• fix(#2861): release per-message render caches when streaming completes by @aheritier in #2866
• fix: don't close shared session store in runtime.Close by @dgageot in #2879
• Polish --sandbox auto-kit output and tool auto-install logging by @dgageot in #2878
• fix(mcp/oauth): discover RFC 8414 §3.1 path-aware metadata URLs by @dgageot in #2877
• fix: reduce retained tool output memory by @dgageot in #2854
• Revert "fix: spool large mcp media to disk" by @dgageot in #2893
• feat(mcp_catalog): add 7 remote streamable-http servers by @dgageot in #2894
• docs: document all toolset config options for api, fetch, openapi by @dgageot in #2895
• Bump go dependencies by @dgageot in #2898
• feat(pkg/history): redact secrets in command history by @dgageot in #2892
• ci: skip image push in forked repositories by @areebahmeddd in #2805
• refactor(tools): use github.com/docker/aijson for tool-arg shape repair by @trungutt in #2899
• persist cookies in remote MCP client for sticky sessions by @maxcleme in #2902
• Smarter search by @rumpl in #2901
• feat(tui): word-level highlighting in edit_file diff view by @rumpl in #2900
• Lazy headers in tools by @dgageot in #2907
• fix(snapshot): scope git operations from worktree root by @rumpl in #2904
• chore: bump direct go dependencies by @dgageot in #2908

Full Changelog: v1.65.0...v1.68.0

v1.65.0

This release adds a skills dialog to the TUI and improves HTTP configuration options for API tools, along with proxy handling fixes.

What's New

• Adds /skills slash command to TUI that displays all available skills with their names, sources, and descriptions

Improvements

• Adds timeout and allow_private_ips configuration support to api and openapi tools for consistency with fetch tool

Bug Fixes

• Fixes HTTP proxy support for private IPs in SSRF transport to allow configured proxies on private addresses

Technical Changes

• Updates configuration documentation and applies minor cleanups

---

What's Changed

• docs: update CHANGELOG.md for v1.64.0 by @docker-read-write[bot] in #2860
• feat: add timeout and allow_private_ips support to api and openapi tools by @dgageot in #2865
• fix: allow configured HTTP proxy on private IPs in SSRF transport by @dgageot in #2864
• feat: add skills dialog to TUI by @dgageot in #2863

Full Changelog: v1.64.0...v1.65.0

v1.64.0

Note: v1.63.0 was a failed release and was skipped. This release includes all changes that accumulated since v1.62.0.

---

New Features

• Eval: input_id passthrough — When an eval input file contains a top-level "input_id" field, that value is now carried through untouched to the session entry in the results output (JSON and SQLite). The session's own "id" (a fresh UUID) is unchanged. When the input file has no "input_id", the field is absent from the output — no change to existing behaviour. This lets callers correlate eval results back to their own records without custom post-processing. (#2857)

• MCP: allow private IPs for remote OAuth — Remote MCP servers hosted on private-network IP addresses can now participate in the OAuth authorization flow. (#2828)

---

Improvements

• Sandbox: remove stale token forwarding on startup — Removed an obsolete token-forwarding step from sandbox startup that was redundant after the token-forwarding refactor in v1.62.0. (#2859)

• Sandbox: Go toolchain bootstrap allowed through network policy — go.dev and dl.google.com are now added to the sandbox proxy allowlist, so the Go toolchain can be downloaded inside the sandbox without hitting a blocked-network-policy error. (#2859)

• Sandbox: resolve tool-install hosts per-toolset from aqua registry — Package-host allowlisting for tool auto-install is now resolved per toolset from the aqua registry, giving more accurate (and minimal) network opens for each toolset's install requirements. (#2859)

• Sandbox: make tokens file readable by sandbox user — The tokens file written inside the sandbox is now created with permissions that allow the sandbox user to read it, fixing authentication failures in sandboxes running as a non-root user. (#2859)

---

Bug Fixes

• MCP OAuth: send resource on token exchange — The OAuth resource parameter is now correctly included when exchanging an authorization code for a token, fixing token exchange failures for resource-aware authorization servers. (#2828)

• MCP OAuth: coalesce concurrent authorization requests — Concurrent OAuth authorization flows for the same server are now deduplicated so only one browser redirect is triggered per server, preventing race conditions when multiple tool calls fire simultaneously. (#2828)

• Sandbox: use correct host path for kit — The docker-agent kit (skills + prompt files staged into the sandbox) is now mounted from the correct host-side directory rather than a constant container mount path, fixing kit resolution failures when the host cache directory is not at the default location. (#2859)

---

Contributors

@hamza-jeddad · @rumpl · @dgageot

Full Changelog: v1.62.0...v1.64.0

v1.62.0

This release improves error handling for model context overflow, adds external coding harness support, and includes numerous TUI fixes and performance optimizations.

What's New

• Adds external coding harness agents that delegate coding tasks to external coding CLIs
• Adds support for running context: fork slash commands as sub-sessions instead of inlining them
• Adds docker-agent kit staging in sandbox with skills and prompt files

Improvements

• Classifies overflow errors by kind to provide more specific error messages for different types of context window issues
• Optimizes session browser rendering to only render visible window rows for better performance with large session histories
• Improves shutdown safety by racing Wait() against deadline and calling ReleaseTerminal on timeout
• Updates Gemini adapter to forward stream chunks that carry only UsageMetadata for accurate token counting

Bug Fixes

• Fixes URL clicks in TUI by properly handling mouse events
• Fixes crash prevention by not notifying on click if the agent didn't change
• Fixes deadlock in TUI exit safety net and race conditions in shutdown handling
• Fixes auto-scroll blocking user scroll in long elicitation dialogs
• Fixes MCP tool name prefix stripping in callTool functionality
• Fixes OpenAI strict mode support for Notion and Jira MCP tools with gpt-5
• Fixes user_prompt dialog to open scrolled to top and respect user scrolling
• Fixes keychain prompts in tests by using in-memory token store
• Fixes MCP OAuth handler to drop stray callbacks and respond with proper HTTP status codes

Technical Changes

• Bounds three previously-unbounded caches to prevent memory growth on long sessions
• Uses SSRF-safe HTTP client for remote skills registry
• Honors Cache-Control headers properly in skills caching
• Extracts lrucache package and bounds unbounded caches
• Refactors model override into runAgent request body for atomic model selection
• Updates Grok example to use grok-4.3 model
• Treats wezterm as a terminal that handles shift+enter properly
• Adds clean task to remove generated binary
• Updates various dependencies including Anthropic SDK, AWS Bedrock runtime, and Docker CLI

---

What's Changed

• docs: update CHANGELOG.md for v1.61.0 by @docker-read-write[bot] in #2822
• modelerrors: make overflow errors more specific by @trungutt in #2818
• Add .cache to .gitignore by @rumpl in #2827
• Treat wezterm as a terminal that knows how to handle shift+enter by @rumpl in #2825
• Don't notify on click if the agent didn't change by @rumpl in #2824
• tui: Fix URL clicks by @vvoland in #2823
• feat: add external coding harness agents by @rumpl in #2826
• perf(tui): only render visible session rows in /sessions dialog by @dgageot in #2830
• docs: document allow_private_ips option and SSRF protection in fetch tool by @dgageot in #2833
• fix(tui): bound previously-unbounded caches to prevent OOM on long sessions by @dgageot in #2831
• Misc Security fixes by @dgageot in #2820
• fix: use in-memory token store in tests to avoid OS keychain prompt by @dgageot in #2836
• fix MCP tool name prefix stripping in callTool by @dgageot in #2837
• chore(examples): remove shebang lines and executable bits by @dgageot in #2838
• docs(memory): fix incorrect default database path placeholder by @kenijkawada in #2835
• fix(tui): user_prompt dialog opens scrolled to top and respects user scrolling by @dgageot in #2843
• feat(mcpcatalog): hide disable / reset_auth tools when no server is enabled by @dgageot in #2840
• fix(tui): restore terminal on Ctrl-C when bubbletea shutdown stalls by @dgageot in #2842
• fix(examples): update grok example to use grok-4.3 by @dgageot in #2846
• chore: add clean task to remove generated binary by @dgageot in #2847
• test(server): make TestAttachedServer_DeleteSessionStopsEventStream more robust by @dgageot in #2845
• chore: bump direct Go dependencies by @dgageot in #2849
• fix(openai): support Notion and Jira MCP tools with gpt-5 strict mode by @dgageot in #2839
• fix(gemini): forward stream chunks that carry only UsageMetadata by @kenijkawada in #2848
• docs+config: surface the two env-variable expansion syntaxes (#2615) by @dgageot in #2851
• feat(skills): run context: fork slash commands as sub-sessions by @dgageot in #2850
• refactor(api): fold model override into runAgent request body by @dgageot in #2852
• feat(sandbox): docker-agent kit, gateway allowlist, and assorted --sandbox fixes by @dgageot in #2844

New Contributors

• @kenijkawada made their first contribution in #2835

Full Changelog: v1.61.0...v1.62.0

v1.61.0

This is a maintenance release that updates documentation for the previous version.

Technical Changes

• Updates CHANGELOG.md with release notes for v1.60.0

---

What's Changed

• docs: update CHANGELOG.md for v1.60.0 by @docker-read-write[bot] in #2817

Full Changelog: v1.60.0...v1.61.0