Releases: docker/docker-agent
Release list
v1.69.0
This release adds new TUI customization options and improves OAuth authentication handling.
What's New
- Adds
--app-nameflag to override TUI title display - Adds
--disable-commandsflag to hide and disable slash commands in TUI - Adds
--sidebarflag to control sidebar visibility - Adds out-of-band callback route for unmanaged OAuth drive-flow
Improvements
- Extends unmanaged OAuth flow to drive code exchange in-process
- Propagates user-initiated cancellation across the WithoutCancel boundary
Technical Changes
- Renames OAuth elicitation meta keys from cagent/ to docker-agent/
- Trims aijson re-tests while keeping docker-agent integration tests
- Fixes lint issues in OAuth tests and helpers
- Canonicalizes bootstrapRepo temp dir for macOS in snapshot tests
- Simplifies AllBindings by removing redundant leanMode guard
What's Changed
- docs: update CHANGELOG.md for v1.68.0 by @docker-read-write[bot] in #2909
- docs: update CHANGELOG.md for v1.68.0 and document cancelled v1.66/v1.67 by @aheritier in #2910
- test(tools): trim aijson re-tests, keep docker-agent integration by @trungutt in #2905
- Rename OAuth elicitation meta keys from cagent/ to docker-agent/ by @trungutt in #2915
- feat: add --app-name flag and fix macOS test symlink issue by @dgageot in #2914
- feat: add --disable-commands flag to hide and disable slash commands in TUI by @dgageot in #2913
- feat: add --sidebar flag to control sidebar visibility by @dgageot in #2917
- Extend unmanaged OAuth flow to drive code exchange in-process by @trungutt in #2896
Full Changelog: v1.68.0...v1.69.0
v1.68.0
What's Changed
- docs: update CHANGELOG.md for v1.65.0 by @docker-read-write[bot] in #2868
- Show the path from where the skill is loaded by @rumpl in #2869
- chore: bump github.com/pb33f/libopenapi to v0.36.5 by @dgageot in #2862
- docs: document --sandbox auto-kit and --no-kit flag by @dgageot in #2867
- docs: document reset_remote_mcp_server_auth meta-tool by @dgageot in #2874
- fix(anthropic): handle SSE in-band errors with correct HTTP status codes by @dgageot in #2880
- feat: add 'docker agent debug skills' command by @dgageot in #2881
- docs: document mcp_catalog toolset and reorganize RAG reference by @dgageot in #2876
- chore(deps): bump direct Go dependencies by @dgageot in #2883
- a2a: honour
timeoutandallow_private_ipsconfig (with SSRF protection) by @dgageot in #2882 - docs: add dedicated MCP tool reference page by @dgageot in #2875
- feat(config): enable redact_secrets by default by @rumpl in #2889
- feat(sandbox): alias/runtime sandbox defaults and persistent network allowlist by @dgageot in #2888
- fix(#2861): release per-message render caches when streaming completes by @aheritier in #2866
- fix: don't close shared session store in runtime.Close by @dgageot in #2879
- Polish --sandbox auto-kit output and tool auto-install logging by @dgageot in #2878
- fix(mcp/oauth): discover RFC 8414 §3.1 path-aware metadata URLs by @dgageot in #2877
- fix: reduce retained tool output memory by @dgageot in #2854
- Revert "fix: spool large mcp media to disk" by @dgageot in #2893
- feat(mcp_catalog): add 7 remote streamable-http servers by @dgageot in #2894
- docs: document all toolset config options for api, fetch, openapi by @dgageot in #2895
- Bump go dependencies by @dgageot in #2898
- feat(pkg/history): redact secrets in command history by @dgageot in #2892
- ci: skip image push in forked repositories by @areebahmeddd in #2805
- refactor(tools): use github.com/docker/aijson for tool-arg shape repair by @trungutt in #2899
- persist cookies in remote MCP client for sticky sessions by @maxcleme in #2902
- Smarter search by @rumpl in #2901
- feat(tui): word-level highlighting in edit_file diff view by @rumpl in #2900
- Lazy headers in tools by @dgageot in #2907
- fix(snapshot): scope git operations from worktree root by @rumpl in #2904
- chore: bump direct go dependencies by @dgageot in #2908
Full Changelog: v1.65.0...v1.68.0
v1.65.0
This release adds a skills dialog to the TUI and improves HTTP configuration options for API tools, along with proxy handling fixes.
What's New
- Adds
/skillsslash command to TUI that displays all available skills with their names, sources, and descriptions
Improvements
- Adds timeout and allow_private_ips configuration support to api and openapi tools for consistency with fetch tool
Bug Fixes
- Fixes HTTP proxy support for private IPs in SSRF transport to allow configured proxies on private addresses
Technical Changes
- Updates configuration documentation and applies minor cleanups
What's Changed
- docs: update CHANGELOG.md for v1.64.0 by @docker-read-write[bot] in #2860
- feat: add timeout and allow_private_ips support to api and openapi tools by @dgageot in #2865
- fix: allow configured HTTP proxy on private IPs in SSRF transport by @dgageot in #2864
- feat: add skills dialog to TUI by @dgageot in #2863
Full Changelog: v1.64.0...v1.65.0
v1.64.0
Note: v1.63.0 was a failed release and was skipped. This release includes all changes that accumulated since v1.62.0.
New Features
-
Eval:
input_idpassthrough — When an eval input file contains a top-level"input_id"field, that value is now carried through untouched to the session entry in the results output (JSON and SQLite). The session's own"id"(a fresh UUID) is unchanged. When the input file has no"input_id", the field is absent from the output — no change to existing behaviour. This lets callers correlate eval results back to their own records without custom post-processing. (#2857) -
MCP: allow private IPs for remote OAuth — Remote MCP servers hosted on private-network IP addresses can now participate in the OAuth authorization flow. (#2828)
Improvements
-
Sandbox: remove stale token forwarding on startup — Removed an obsolete token-forwarding step from sandbox startup that was redundant after the token-forwarding refactor in v1.62.0. (#2859)
-
Sandbox: Go toolchain bootstrap allowed through network policy —
go.devanddl.google.comare now added to the sandbox proxy allowlist, so the Go toolchain can be downloaded inside the sandbox without hitting a blocked-network-policy error. (#2859) -
Sandbox: resolve tool-install hosts per-toolset from aqua registry — Package-host allowlisting for tool auto-install is now resolved per toolset from the aqua registry, giving more accurate (and minimal) network opens for each toolset's install requirements. (#2859)
-
Sandbox: make tokens file readable by sandbox user — The tokens file written inside the sandbox is now created with permissions that allow the sandbox user to read it, fixing authentication failures in sandboxes running as a non-root user. (#2859)
Bug Fixes
-
MCP OAuth: send resource on token exchange — The OAuth
resourceparameter is now correctly included when exchanging an authorization code for a token, fixing token exchange failures for resource-aware authorization servers. (#2828) -
MCP OAuth: coalesce concurrent authorization requests — Concurrent OAuth authorization flows for the same server are now deduplicated so only one browser redirect is triggered per server, preventing race conditions when multiple tool calls fire simultaneously. (#2828)
-
Sandbox: use correct host path for kit — The docker-agent kit (skills + prompt files staged into the sandbox) is now mounted from the correct host-side directory rather than a constant container mount path, fixing kit resolution failures when the host cache directory is not at the default location. (#2859)
Contributors
@hamza-jeddad · @rumpl · @dgageot
Full Changelog: v1.62.0...v1.64.0
v1.62.0
This release improves error handling for model context overflow, adds external coding harness support, and includes numerous TUI fixes and performance optimizations.
What's New
- Adds external coding harness agents that delegate coding tasks to external coding CLIs
- Adds support for running
context: forkslash commands as sub-sessions instead of inlining them - Adds docker-agent kit staging in sandbox with skills and prompt files
Improvements
- Classifies overflow errors by kind to provide more specific error messages for different types of context window issues
- Optimizes session browser rendering to only render visible window rows for better performance with large session histories
- Improves shutdown safety by racing Wait() against deadline and calling ReleaseTerminal on timeout
- Updates Gemini adapter to forward stream chunks that carry only UsageMetadata for accurate token counting
Bug Fixes
- Fixes URL clicks in TUI by properly handling mouse events
- Fixes crash prevention by not notifying on click if the agent didn't change
- Fixes deadlock in TUI exit safety net and race conditions in shutdown handling
- Fixes auto-scroll blocking user scroll in long elicitation dialogs
- Fixes MCP tool name prefix stripping in callTool functionality
- Fixes OpenAI strict mode support for Notion and Jira MCP tools with gpt-5
- Fixes user_prompt dialog to open scrolled to top and respect user scrolling
- Fixes keychain prompts in tests by using in-memory token store
- Fixes MCP OAuth handler to drop stray callbacks and respond with proper HTTP status codes
Technical Changes
- Bounds three previously-unbounded caches to prevent memory growth on long sessions
- Uses SSRF-safe HTTP client for remote skills registry
- Honors Cache-Control headers properly in skills caching
- Extracts lrucache package and bounds unbounded caches
- Refactors model override into runAgent request body for atomic model selection
- Updates Grok example to use grok-4.3 model
- Treats wezterm as a terminal that handles shift+enter properly
- Adds clean task to remove generated binary
- Updates various dependencies including Anthropic SDK, AWS Bedrock runtime, and Docker CLI
What's Changed
- docs: update CHANGELOG.md for v1.61.0 by @docker-read-write[bot] in #2822
- modelerrors: make overflow errors more specific by @trungutt in #2818
- Add .cache to .gitignore by @rumpl in #2827
- Treat wezterm as a terminal that knows how to handle shift+enter by @rumpl in #2825
- Don't notify on click if the agent didn't change by @rumpl in #2824
- tui: Fix URL clicks by @vvoland in #2823
- feat: add external coding harness agents by @rumpl in #2826
- perf(tui): only render visible session rows in /sessions dialog by @dgageot in #2830
- docs: document allow_private_ips option and SSRF protection in fetch tool by @dgageot in #2833
- fix(tui): bound previously-unbounded caches to prevent OOM on long sessions by @dgageot in #2831
- Misc Security fixes by @dgageot in #2820
- fix: use in-memory token store in tests to avoid OS keychain prompt by @dgageot in #2836
- fix MCP tool name prefix stripping in callTool by @dgageot in #2837
- chore(examples): remove shebang lines and executable bits by @dgageot in #2838
- docs(memory): fix incorrect default database path placeholder by @kenijkawada in #2835
- fix(tui): user_prompt dialog opens scrolled to top and respects user scrolling by @dgageot in #2843
- feat(mcpcatalog): hide disable / reset_auth tools when no server is enabled by @dgageot in #2840
- fix(tui): restore terminal on Ctrl-C when bubbletea shutdown stalls by @dgageot in #2842
- fix(examples): update grok example to use grok-4.3 by @dgageot in #2846
- chore: add clean task to remove generated binary by @dgageot in #2847
- test(server): make TestAttachedServer_DeleteSessionStopsEventStream more robust by @dgageot in #2845
- chore: bump direct Go dependencies by @dgageot in #2849
- fix(openai): support Notion and Jira MCP tools with gpt-5 strict mode by @dgageot in #2839
- fix(gemini): forward stream chunks that carry only UsageMetadata by @kenijkawada in #2848
- docs+config: surface the two env-variable expansion syntaxes (#2615) by @dgageot in #2851
- feat(skills): run
context: forkslash commands as sub-sessions by @dgageot in #2850 - refactor(api): fold model override into runAgent request body by @dgageot in #2852
- feat(sandbox): docker-agent kit, gateway allowlist, and assorted --sandbox fixes by @dgageot in #2844
New Contributors
- @kenijkawada made their first contribution in #2835
Full Changelog: v1.61.0...v1.62.0
v1.61.0
This is a maintenance release that updates documentation for the previous version.
Technical Changes
- Updates CHANGELOG.md with release notes for v1.60.0
What's Changed
- docs: update CHANGELOG.md for v1.60.0 by @docker-read-write[bot] in #2817
Full Changelog: v1.60.0...v1.61.0
v1.60.0
This release adds agent switching commands, MCP server discovery capabilities, and runtime model switching, along with UI improvements and stability fixes.
What's New
- Adds slash commands for agent switching (e.g.,
/planto hand off to planner agent) - Adds MCP catalog toolset for on-demand discovery and activation of remote MCP servers
- Adds runtime model switching with GET/PATCH/POST endpoints for changing models during sessions
- Adds sampling/createMessage support for MCP servers to use the host's LLM
- Adds identity headers (X-Docker-Agent-Version, X-Docker-Desktop-Version) to built-in tool requests
Improvements
- Renders user pasted content in TUI and collapses large pasted file contents (over 30 lines) into toggleable view
- Routes mouse-wheel events to background dialogs instead of falling through to chat area
- Uses Claude Sonnet 4.6 as default model in Anthropic provider
- Switches to non-preview Gemini model
- Adds configurable thinking expansion in user config
Bug Fixes
- Fixes evaluation builds with legacy Docker builder by using printf instead of heredoc for /run.sh
- Fixes crash prevention by explicitly sending tool_choice=auto in OpenAI requests with tools
- Fixes Desktop version lookup to be TTL-based and context-independent
- Fixes command resolution before agent switching to prevent lookup failures
- Fixes concurrent access issues by using thread-safe methods and improving snapshot isolation
Technical Changes
- Refactors toolset creation into individual packages with standardized naming
- Improves concurrent package with thread-safe methods and uses it across multiple components
- Centralizes context-limit resolution in runtime
- Moves concurrency deduplication from trigger to review workflow in CI
- Updates example configuration to use xai/grok-2-latest model
What's Changed
- fix(evals): build /run.sh with printf so legacy builder works by @hamza-jeddad in #2779
- bump github.com/coder/acp-go-sdk from v0.12.2 to v0.13.0 by @dgageot in #2782
- docs: update CHANGELOG.md for v1.59.0 by @docker-read-write[bot] in #2783
- route mouse-wheel events to background dialogs by @dgageot in #2787
- Use a non preview gemini model by @dgageot in #2785
- Use sonnet 4.6 as default in anthropic by @rumpl in #2786
- feat(tui): show user pasted content by @joshbarrington in #2784
- ci: move concurrency dedup from trigger to review workflow by @dgageot in #2789
- docs(site): make the docs site feel like part of Docker, and explain what Docker Agent is by @dgageot in #2793
- Expand thinking configuration by @rumpl in #2802
- fix(examples): use xai/grok-2-latest in grok.yaml by @dgageot in #2806
- bump direct go dependencies by @dgageot in #2803
- feat: add X-Docker-Agent-Version and X-Docker-Desktop-Version headers to built-in tools by @dgageot in #2795
- Improve concurrent package by @dgageot in #2810
- bump direct go dependencies by @dgageot in #2811
- feat(mcp): add sampling/createMessage support by @dgageot in #2815
- fix(runtime): use provider_opts.context_size for compaction by @dgageot in #2814
- fix(openai): explicitly send tool_choice=auto when tools are provided by @dgageot in #2813
- Better tool registry by @dgageot in #2807
- feat(api): accept model overrides on session creation and add runtime model switching endpoints by @dgageot in #2791
- feat: add mcp_catalog toolset for on-demand MCP server discovery by @dgageot in #2794
- feat: add slash commands for agent switching by @dgageot in #2790
Full Changelog: v1.59.0...v1.60.0
v1.59.0
This release adds XML tool call parsing for better model compatibility, performance improvements for TUI rendering, and enhanced remote runtime capabilities.
What's New
- Adds XML tool call fallback parsing for models that return
<tool_call>...</tool_call>text instead of using OpenAI function-calling API - Adds fd:// scheme support to server.Listen for parent process socket passing
- Adds per-code-block copy affordance with clickable copy glyphs in TUI
- Adds session persistence and resumption for A2A (agent-to-agent) interactions using SQLite
- Adds comprehensive remote runtime API with SSE event streaming, session management, and graceful degradation
Improvements
- Improves TUI rendering performance with cached output, targeted invalidation, and incremental markdown rendering
- Improves ACP support with session management, event handling, and structured error codes
- Preserves user input across tab switches in TUI dialogs
Bug Fixes
- Fixes crash during tool auto-install by adding panic recovery
- Fixes SSE stream cancellation and IPv6 address binding issues
- Fixes Vertex AI Model Garden provider capability lookups by rewriting provider to publisher mapping
Technical Changes
- Replaces internal secretsscan with github.com/docker/portcullis library
- Centralizes modelsdev.Store creation via RuntimeConfig with lazy initialization
- Merges modelcaps into modelinfo and introduces strongly-typed modelsdev.ID
- Refactors event handling to use EventSink interface instead of channel threading
- Removes experimental send, watch, and proto subcommands
What's Changed
- docs: update CHANGELOG.md for v1.58.0 by @docker-read-write[bot] in #2745
- feat: add fd:// scheme support to server.Listen by @dgageot in #2744
- refactor: replace internal secretsscan with github.com/docker/portcullis by @dgageot in #2747
- refactor: centralize modelsdev.Store creation and inject via RuntimeConfig by @dgageot in #2746
- docs: Docker-branded redesign with dark-mode-first theme and improved homepage by @dgageot in #2750
- feat(modelsdev): add WithCache option to override cache file path by @rumpl in #2753
- feat: wire TUI/CLI to emit Document parts and render attachments by @simonferquel-clanker in #2751
- fix: avoid sub-agent terminology in skill instructions to prevent transfer_task confusion by @dgageot in #2748
- refactor: merge modelcaps into modelinfo and simplify by @dgageot in #2755
- refactor: simplify RuntimeConfig by removing dead field and caching env provider by @dgageot in #2754
- refactor: extract loopState struct to bundle runTurn parameters by @dgageot in #2759
- feat: add docs preview workflow for PRs by @dgageot in #2752
- feat(runtime): remote runtime with full TUI parity and production readiness by @dgageot in #2749
- feat(a2a): allow session to be resumed interactively by @maxcleme in #2762
- feat: improve TUI control plane API for external consumers by @dgageot in #2757
- perf: TUI rendering performance improvements by @dgageot in #2756
- drop send, watch and proto subcommands by @dgageot in #2763
- xml fallback for llama.cpp models by @areebahmeddd in #2732
- refactor: replace chan Event threading with EventSink interface by @dgageot in #2760
- Improve ACP support: session management, event handling, and code simplification by @dgageot in #2758
- refactor: introduce modelsdev.ID for provider-qualified model identity by @dgageot in #2766
- fix(toolinstall): recover from panics during auto-install by @dgageot in #2768
- fix: rewrite Vertex AI Model Garden provider to publisher for capability lookups by @dgageot in #2767
- bump direct go dependencies by @dgageot in #2771
- Fix linter by @dgageot in #2772
- fix(tui): preserve user_prompt input across tab switches by @dgageot in #2774
- perf(tui): make streaming chunk rendering linear by @dgageot in #2773
- fix: two TUI control-plane bugs (SSE cancel, IPv6 listen) by @dgageot in #2775
- set working dir properly by @krissetto in #2777
- feat(tui): add per-code-block copy affordance by @rumpl in #2778
New Contributors
- @areebahmeddd made their first contribution in #2732
Full Changelog: v1.58.0...v1.59.0
v1.58.0
This release adds external TUI control capabilities, HTTP POST hooks, and several security hardening improvements.
What's New
- Adds
http_postbuiltin hook for making HTTP POST requests from agent workflows - Adds
--listenflag toruncommand to expose the running TUI for external control - Adds
sendsubcommand to drive a live TUI session from external processes - Adds
watchsubcommand to stream events from a running TUI - Adds
--on-eventhooks to observe arbitrary events during runs - Adds
--attachflag toserve mcpcommand to expose running TUI via MCP - Adds newline-delimited JSON protocol over stdio for external communication
- Adds discovery files for live runs in run registry
- Adds
bump-config-versionskill for configuration management
Bug Fixes
- Fixes filesystem tool path expansion for
~(home directory) in file paths - Fixes model ID handling to use fully-qualified provider/model identifiers for capability lookups
- Fixes Nebius example to use available Kimi-K2.5 model instead of deprecated Kimi-K2-Instruct
- Fixes dry-run mode to work properly before contacting remote servers
- Fixes request context propagation in echo logging
- Fixes run registry permissions and session lifecycle cleanup
Improvements
- Makes
max_iterationsbuiltin stateless by using runtime's existing iteration counter - Hardens
http_posthook with SSRF-safe client, scheme validation, and request logging - Consolidates home directory path expansion across the codebase
- Shows current git branch when working in a repository
- Unifies local and remote run dispatch through shared backend interface
Technical Changes
- Refactors snapshot handling into dedicated
SnapshotControllerseparate from runtime - Refactors unload builtin to be pure and runtime-agnostic
- Promotes model switching and tools change subscription onto Runtime interface
- Adds security hardening for secrets provider, archive extraction, OAuth HTTP client, and shell tool
- Enables gosec linter for file permission validation
- Updates Go to version 1.26.3
- Adds migration content pinning to enforce append-only database schema changes
What's Changed
- docs: update CHANGELOG.md for v1.57.0 by @docker-read-write[bot] in #2703
- fix: expand ~ in filesystem tool paths by @dgageot in #2704
- feat(hooks): add http_post builtin by @dgageot in #2705
- fix: use available Kimi-K2.5 model in nebius example by @dgageot in #2711
- fix: make max_iterations builtin stateless (#2698) by @dgageot in #2708
- update PR reviewer to 1.5.1 by @derekmisler in #2717
- Show the current git branch when in a repo by @rumpl in #2721
- Consolidate home directory path expansion by @rumpl in #2720
- Change the default models for the golang dev by @rumpl in #2718
- Change the app name in otel to docker-agent by @rumpl in #2719
- bump direct go dependencies by @dgageot in #2709
- bump go to 1.26.3 by @dgageot in #2712
- feat: let external processes drive a running TUI by @dgageot in #2714
- security: five defense-in-depth fixes (secrets, archives, oauth, shell tool, request logs) by @dgageot in #2713
- refactor(run): unify local/remote dispatch via Backend (10 baby steps) by @dgageot in #2715
- refactor: extract SnapshotController so the runtime no longer brokers /undo by @dgageot in #2707
- add bump-config-version skill by @dgageot in #2729
- ci: enable gosec linter by @dgageot in #2730
- test(session): pin migration catalogue content (append-only enforcement) by @dgageot in #2727
- fix(toolinstall): route the registry client through httpclient.NewSafeClient by @dgageot in #2726
- Fix broken test on main by @dgageot in #2735
- Add alias by @dgageot in #2736
- ci: lint workflow invariants actionlint misses (concurrency, SHA pinning, payload deny-list) by @dgageot in #2725
- refactor(run-control): unify target resolution and SSE handling by @dgageot in #2731
- refactor(hooks): make the unload on_agent_switch builtin pure by @dgageot in #2706
- chore: bump direct Go dependencies by @dgageot in #2742
- remote-runtime: close silent gaps, consolidate Runtime, scaffold wire (10 baby steps) by @dgageot in #2723
- fix: pass fully-qualified provider/model ID to modelcaps.Load by @simonferquel-clanker in #2738
Full Changelog: v1.57.0...v1.58.0
v1.57.0
This release improves markdown rendering performance, adds agent switching capabilities, and enhances secret redaction with better error handling.
What's New
- Adds unload on_agent_switch builtin hook for releasing model resources when switching between agents
Improvements
- Speeds up and simplifies markdown fast renderer for better performance
- Trims builtin tool schemas to save tokens in LLM requests
- Tightens Docker PAT redaction and adds organization access tokens support
- Adds more vendor-prefixed secret patterns for improved security scanning
Bug Fixes
- Fixes retry handling for Vertex AI 'function response parts' 400 errors that occur intermittently
- Restores styles on continuation lines of broken words in markdown rendering
- Fixes H1 prefix and ANSI style handling in wrapText functionality
- Defensively lowercases transient patterns in model error handling
- Caps quantifiers on new secret rules to prevent adjacent text being incorrectly redacted
Technical Changes
- Adopts new rubocop-go DSL across all linting cops for better code organization
- Uses slog.WarnContext where context is available for improved logging
- Drains unload response body and documents single-tenant assumption
What's Changed
- docs: update CHANGELOG.md for v1.56.0 by @docker-read-write[bot] in #2695
- Make the FastMarkdown renderer simpler and faster by @dgageot in #2686
- refactor(lint): adopt new rubocop-go DSL across all cops by @dgageot in #2687
- fix: retry transient Vertex AI 'function response parts' 400 errors by @dgageot in #2691
- shrink builtin tool schemas to save tokens by @dgageot in #2694
- feat: add unload on_agent_switch builtin hook by @dgageot in #2684
- secretsscan: tighten Docker PAT, add new vendor patterns, cap quantifiers by @dgageot in #2697
Full Changelog: v1.56.0...v1.57.0