This release introduces self-update functionality, session read-only mode, and 1Password CLI integration, along with model selection improvements and various bug fixes.

What's New

• Adds opt-in self-update functionality via DOCKER_AGENT_AUTO_UPDATE environment variable with interactive confirmation
• Adds --session-read-only flag to view sessions without sending messages in TUI mode
• Adds 1Password CLI integration for secret resolution using op:// references
• Adds first_available model selection for automatic fallback across multiple model candidates
• Adds user_steering_messages_submit and user_followup_submit hooks for queued user messages

Improvements

• Updates default agent to use first_available model selection with multi-provider fallbacks
• Updates default model versions: OpenAI from gpt-5-mini to gpt-5, Google from gemini-2.5-flash to gemini-3.5-flash
• Updates coder agent to use first_available model selection instead of hardcoded Anthropic models

Bug Fixes

• Fixes tool call being dropped when finish_reason shares the same chunk in streaming responses
• Fixes orphaned tool results on session resume that caused validation errors on AWS Bedrock
• Fixes agent field not being preserved during command expansion, causing incorrect routing to root agent
• Fixes binary files being processed in content search operations
• Fixes self-update validation to prevent arbitrary file deletion and detect help flags properly
• Fixes IPv6 6to4, NAT64, site-local and CGNAT ranges not being blocked in SSRF protection

Technical Changes

• Hardens self-update download and re-exec process against tampering with digest and checksum verification
• Uses SSRF-safe HTTP client for MCP OAuth metadata fetches
• Hardens 1Password provider against silent pass-through and PATH hijacking
• Fixes custom-base-image evaluation template to include docker-agent binary and entrypoint
• Removes broken MCP servers from configuration

What's Changed

• docs: update CHANGELOG.md for v1.73.0 by @docker-read-write[bot] in #2990
• feat: add first_available model selection by @dgageot in #2991
• fix: don't drop tool call when finish_reason shares the chunk by @Sayt-0 in #2992
• chore: bump go dependencies (acp-go-sdk, goja) by @dgageot in #2995
• feat: add opt-in self-update by @dgageot in #2993
• docs: update agent config reference, custom provider api_type, and slash command behavior by @aheritier in #2999
• feat: update default agent to use first_available model selection by @dgageot in #2997
• refactor(coder): use first_available model selection with multi-provider fallbacks by @dgageot in #2996
• feat: add user_steering_messages_submit and user_followup_submit hooks by @simonferquel-clanker in #3000
• docs: add thinking/reasoning guide and expand provider thinking docs by @rumpl in #3004
• docs: update default model examples to gpt-5 and gemini-3.5-flash by @aheritier in #3003
• fix: drop orphaned tool results on session resume by @Sayt-0 in #3001
• docs: sync config examples with updated default models (gpt-5, gemini-3.5-flash) by @aheritier in #3012
• fix: preserve agent field during command expansion by @dgageot in #3007
• docs: update remaining gpt-5-mini → gpt-5 examples across docs by @aheritier in #3025
• feat: add --session-read-only flag to view sessions without sending messages by @gtardif in #3026
• fix: skip binary files in content search by @dgageot in #3006
• docs: document --session-read-only flag for TUI read-only mode by @aheritier in #3028
• fix(evals): copy docker-agent binary + entrypoint in custom-base-image template by @hamza-jeddad in #3029
• chore: bump go dependencies by @dgageot in #3005
• fix: block IPv6 6to4, NAT64, site-local and CGNAT ranges in IsPublicIP by @ronan-thibaut-glitch in #3031
• Remove broken MCP servers by @dgageot in #3032
• chore: bump go dependencies by @dgageot in #3033
• fix: use SSRF-safe HTTP client for MCP OAuth authorization server metadata fetch by @ronan-thibaut-glitch in #3035
• feat: add 1Password CLI integration for secret resolution by @dgageot in #3036

New Contributors

• @ronan-thibaut-glitch made their first contribution in #3031

Full Changelog: v1.73.0...v1.74.0

This release improves MCP catalog server management, fixes streaming issues with AI providers, and adds memory protection for file search operations.

What's New

• Adds --json flag to alias list command for structured output
• Adds ContextLimit helper to modelinfo for centralized context window handling
• Blocks enable_remote_mcp_server until the server is actually connected, eliminating the need to re-ask questions

Improvements

• Removes command queueing - commands are now sent immediately
• Removes empty query truncation from MCP server search, showing all matching servers
• Restricts MCP catalog to OAuth and anonymous-access servers only, removing API key complexity

Bug Fixes

• Fixes Gemini parallel tool responses by coalescing them into a single Content
• Fixes custom OpenAI provider routing for Responses-only models (gpt-4.1, o-series, gpt-5, Codex)
• Fixes memory explosion in search_files_content by capping output at 1 MiB and skipping large files
• Fixes MCP catalog retry logic for existing unstarted entries
• Fixes rollback behavior when MCP server Start is cancelled during OAuth or Tools operations
• Fixes conversation caching to exclude failed chat continuations

Technical Changes

• Refactors registry operations to reuse single session across digest and pull operations
• Updates OpenAI handler to support newer Responses stream event shapes
• Uses cmd.Context() instead of context.Background() for proper cancellation support
• Uses strings.Builder for message merging to reduce memory allocations
• Improves search_files_content memory handling for symlinks and device files

What's Changed

• docs: update CHANGELOG.md for v1.72.0 by @docker-read-write[bot] in #2974
• docs: document alias list --json flag and failure-safe conversation caching by @aheritier in #2977
• refactor: reuse registry session for OCI pulls by @dgageot in #2975
• openai: handle newer Responses stream event shapes by @rumpl in #2976
• fix(gemini): coalesce parallel tool responses into a single Content by @t-mizumoto1203 in #2959
• Don't queue commands by @rumpl in #2979
• chore: bump direct Go dependencies by @dgageot in #2980
• fix: use cmd.Context() instead of context.Background() by @dgageot in #2981
• feat(mcp_catalog): block enable_remote_mcp_server until the server is connected by @trungutt in #2973
• fix: prevent memory explosion in search_files_content by @dgageot in #2983
• refactor: remove empty query truncation from MCP server search by @dgageot in #2984
• fix(providers): route Responses-only models on custom OpenAI providers by @Sayt-0 in #2985
• feat: add ContextLimit helper to modelinfo by @dgageot in #2982
• test(mcp): fix staticcheck SA5011 nil-pointer errors in oauth_test by @dgageot in #2989
• refactor: use strings.Builder for message merging in oaistream by @dgageot in #2986
• refactor: restrict mcp_catalog to oauth and none auth only by @dgageot in #2988

New Contributors

• @t-mizumoto1203 made their first contribution in #2959

Full Changelog: v1.72.0...v1.73.0

This release adds support for JSON output in alias commands, top-level shared configuration, and includes documentation updates and bug fixes.

What's New

• Adds Atlassian expert agent example for specialized assistance
• Adds JSON output support for alias list command with --json flag
• Adds support for top-level shared skills and commands in configuration files

Bug Fixes

• Fixes HTTP client panic when default transport is wrapped by other libraries

Technical Changes

• Documents --agent-picker flag for interactive agent selection
• Documents MCP embedded resource forwarding to model providers
• Documents OAuth authorization cancel behavior for remote MCP servers
• Refactors configuration handling to support shared skills and commands in latest package

What's Changed

• docs: update CHANGELOG.md for v1.71.0 by @docker-read-write[bot] in #2962
• feat(examples): add Atlassian expert agent example by @maxcleme in #2963
• feat(cli): support alias list --json output by @Sayt-0 in #2966
• chore: bump Go dependencies by @dgageot in #2968
• docs: update documentation for agent-picker, MCP embedded resources, and remote MCP OAuth cancel by @aheritier in #2957
• fix(httpclient): fall back when http.DefaultTransport is not *http.Transport by @Daniel-Kolev in #2970
• feat(config): support top-level shared skills and commands by @Sayt-0 in #2971

New Contributors

• @Sayt-0 made their first contribution in #2966
• @Daniel-Kolev made their first contribution in #2970

Full Changelog: v1.71.0...v1.72.0

This release improves GitHub Copilot integration with better API routing and error handling, along with enhanced conversation state management and expanded documentation.

Bug Fixes

• Fixes GitHub Copilot Responses API auto-selection and error preservation to properly route models to correct endpoints
• Prevents X-Conversation-Id from mutating cached session on retry by making continuations transactional
• Preserves item value fields and Ask permission in Session.Clone operations
• Implements deep-copy for Evals, EvalResult, and ToolDefinitions in session clones
• Updates github-copilot model from gpt-4o to gpt-4.1 to match available models

Technical Changes

• Freezes configuration schema v9 and starts v10 as latest version
• Adds comprehensive documentation for coding harnesses, caching, lifecycle, defer, and fetch filtering
• Adds end-to-end tests for conversation state handling across failed turns

What's Changed

• docs: update CHANGELOG.md for v1.70.2 by @docker-read-write[bot] in #2951
• docs: document coding harnesses and fill P0/P1/P2 documentation gaps by @aheritier in #2950
• fix: keep failed chat continuations out of conversation cache by @dgageot in #2947
• fix: github-copilot Responses API auto-selection and error preservation by @dgageot in #2942
• fix: update github-copilot model from gpt-4o to gpt-4.1 by @dgageot in #2961
• chore(config): freeze v9 and bump latest to v10 by @dgageot in #2960

Full Changelog: v1.70.2...v1.71.0

This release adds support for inline skills in agent configuration and improves environment variable handling in path fields, along with several bug fixes.

What's New

• Adds support for inline skills in agent YAML config, allowing skills to be defined directly without separate files
• Adds support for ${env.VAR} syntax in path fields as an alias for ${VAR}

Improvements

• Streams tool outputs for better real-time feedback

Bug Fixes

• Fixes duplicate persistent toolset-failure notifications that were stacking in the TUI
• Fixes MCP OAuth dialog re-appearing after user declines authentication
• Surfaces inline-skill decode errors and rejects file reads for inline skills

Technical Changes

• Removes obsolete expansion-mismatch warnings for path fields
• Extracts failureStreak helper in StartableToolSet
• Removes notification-layer deduplication
• Removes MCP server on OAuth decline and stops providing incorrect information to the model

What's Changed

• docs: update CHANGELOG.md for v1.70.1 by @docker-read-write[bot] in #2940
• Stream tool outputs by @rumpl in #2945
• feat: support inline skills in agent YAML config by @dgageot in #2946
• chore: bump direct Go dependencies by @dgageot in #2941
• feat(config): accept ${env.X} in path fields (steps 2-4 of #2615) by @dgageot in #2944
• fix: dedupe persistent toolset-failure notifications by @dgageot in #2943
• fix(mcp): stop the OAuth Authentication Request loop after the user clicks Cancel by @trungutt in #2949

Full Changelog: v1.70.1...v1.70.2

This release introduces agent selection UI, git worktree isolation, theme preselection, and notification improvements for enhanced workflow management.

What's New

• Adds --agent-picker flag for full-screen agent selection dialog with YAML syntax highlighting and scrollable interface
• Adds --worktree flag to run agents in isolated git worktrees on dedicated branches
• Adds --worktree-pr flag to run agents on GitHub pull requests in separate worktrees
• Adds --theme flag to preselect TUI theme at launch, overriding user config settings

Improvements

• Improves TUI notifications with hover protection, click-to-copy content, and visual enhancements
• Adds worktree cleanup when interactive runs end to maintain clean workspace
• Adds worktree_create hook to prepare fresh git worktrees for agent execution

Bug Fixes

• Fixes agent config display sanitization and enables YAML soft-wrap in picker dialog

Technical Changes

• Forwards MCP embedded resources (images, PDFs, text) to model providers as native content blocks
• Adds theme flag validation and completion tests for better user experience

What's Changed

• docs: update CHANGELOG.md for v1.70.0 by @docker-read-write[bot] in #2930
• TUI - Improve notifications by @krissetto in #2931
• feat: add --theme flag to preselect TUI theme by @dgageot in #2933
• docs: document --auth-token flag, OAuth callback security note, and TUI notification UX by @aheritier in #2932
• docs: document --theme flag for docker agent run by @aheritier in #2936
• docs: add --theme launch example to TUI quickstart by @aheritier in #2939
• feat: add --agent-picker flag for agent selection UI by @dgageot in #2937
• feat: run agents in isolated git worktrees by @dgageot in #2938
• feat(mcp): forward embedded resources to model providers by @rumpl in #2935

Full Changelog: v1.70.0...v1.70.1

This release focuses on text handling improvements, OAuth flow enhancements for MCP catalog servers, and server filtering capabilities.

What's New

• Adds --app-name flag to override the default "docker agent" label in the TUI status bar and window title
• Adds allow-list and block-list filtering for MCP catalog servers via allowed_servers and blocked_servers configuration options

Improvements

• Tells the model to proceed automatically after enabling an OAuth server in MCP catalog instead of requiring user to repeat their request
• Restores dynamic progress bar width in evaluation mode (was previously fixed at width 10)

Bug Fixes

• Fixes rune-safe truncation across multiple UI components: file names in file picker, session titles in session browser, directory names in working-dir picker, tab titles, search query preview, and tool output preview
• Fixes rune-safe truncation of operation descriptions in OpenAPI handling
• Fixes rune-safe search-result preview in filesystem operations
• Prevents sending split UTF-8 runes to embedding models in RAG operations
• Populates ModelID field correctly in after_llm_call hook payload

Technical Changes

• Removes dead code in WASM agent loop selection
• Adds validation for allowed_servers and blocked_servers in MCP catalog configuration
• Adds warning for unknown server IDs in MCP catalog allow/block lists
• Updates documentation for CLI flags, hook payloads, and OAuth endpoints

What's Changed

• docs: update CHANGELOG.md for v1.69.0 by @docker-read-write[bot] in #2919
• chore: bump direct Go dependencies by @dgageot in #2918
• fix(runtime): populate ModelID in after_llm_call hook payload by @kimizuka in #2911
• fix: rune-safe truncation and dead-code cleanup by @dgageot in #2920
• Address review feedback on #2896 by @trungutt in #2921
• docs: sync CLI flags and hook payload docs with recent changes by @aheritier in #2927
• chore: bump direct Go dependencies by @dgageot in #2926
• feat: add allow/block-list of servers to the mcp_catalog tool by @dgageot in #2928
• docs: sync /docs with changes merged 2026-05-28 – 2026-05-29 by @aheritier in #2929
• fix(mcpcatalog): tell the model to proceed after enabling an OAuth server by @trungutt in #2925

New Contributors

• @kimizuka made their first contribution in #2911

Full Changelog: v1.69.0...v1.70.0

This release adds new TUI customization options and improves OAuth authentication handling.

What's New

• Adds --app-name flag to override TUI title display
• Adds --disable-commands flag to hide and disable slash commands in TUI
• Adds --sidebar flag to control sidebar visibility
• Adds out-of-band callback route for unmanaged OAuth drive-flow

Improvements

• Extends unmanaged OAuth flow to drive code exchange in-process
• Propagates user-initiated cancellation across the WithoutCancel boundary

Technical Changes

• Renames OAuth elicitation meta keys from cagent/ to docker-agent/
• Trims aijson re-tests while keeping docker-agent integration tests
• Fixes lint issues in OAuth tests and helpers
• Canonicalizes bootstrapRepo temp dir for macOS in snapshot tests
• Simplifies AllBindings by removing redundant leanMode guard

What's Changed

• docs: update CHANGELOG.md for v1.68.0 by @docker-read-write[bot] in #2909
• docs: update CHANGELOG.md for v1.68.0 and document cancelled v1.66/v1.67 by @aheritier in #2910
• test(tools): trim aijson re-tests, keep docker-agent integration by @trungutt in #2905
• Rename OAuth elicitation meta keys from cagent/ to docker-agent/ by @trungutt in #2915
• feat: add --app-name flag and fix macOS test symlink issue by @dgageot in #2914
• feat: add --disable-commands flag to hide and disable slash commands in TUI by @dgageot in #2913
• feat: add --sidebar flag to control sidebar visibility by @dgageot in #2917
• Extend unmanaged OAuth flow to drive code exchange in-process by @trungutt in #2896

Full Changelog: v1.68.0...v1.69.0

What's Changed

• docs: update CHANGELOG.md for v1.65.0 by @docker-read-write[bot] in #2868
• Show the path from where the skill is loaded by @rumpl in #2869
• chore: bump github.com/pb33f/libopenapi to v0.36.5 by @dgageot in #2862
• docs: document --sandbox auto-kit and --no-kit flag by @dgageot in #2867
• docs: document reset_remote_mcp_server_auth meta-tool by @dgageot in #2874
• fix(anthropic): handle SSE in-band errors with correct HTTP status codes by @dgageot in #2880
• feat: add 'docker agent debug skills' command by @dgageot in #2881
• docs: document mcp_catalog toolset and reorganize RAG reference by @dgageot in #2876
• chore(deps): bump direct Go dependencies by @dgageot in #2883
• a2a: honour timeout and allow_private_ips config (with SSRF protection) by @dgageot in #2882
• docs: add dedicated MCP tool reference page by @dgageot in #2875
• feat(config): enable redact_secrets by default by @rumpl in #2889
• feat(sandbox): alias/runtime sandbox defaults and persistent network allowlist by @dgageot in #2888
• fix(#2861): release per-message render caches when streaming completes by @aheritier in #2866
• fix: don't close shared session store in runtime.Close by @dgageot in #2879
• Polish --sandbox auto-kit output and tool auto-install logging by @dgageot in #2878
• fix(mcp/oauth): discover RFC 8414 §3.1 path-aware metadata URLs by @dgageot in #2877
• fix: reduce retained tool output memory by @dgageot in #2854
• Revert "fix: spool large mcp media to disk" by @dgageot in #2893
• feat(mcp_catalog): add 7 remote streamable-http servers by @dgageot in #2894
• docs: document all toolset config options for api, fetch, openapi by @dgageot in #2895
• Bump go dependencies by @dgageot in #2898
• feat(pkg/history): redact secrets in command history by @dgageot in #2892
• ci: skip image push in forked repositories by @areebahmeddd in #2805
• refactor(tools): use github.com/docker/aijson for tool-arg shape repair by @trungutt in #2899
• persist cookies in remote MCP client for sticky sessions by @maxcleme in #2902
• Smarter search by @rumpl in #2901
• feat(tui): word-level highlighting in edit_file diff view by @rumpl in #2900
• Lazy headers in tools by @dgageot in #2907
• fix(snapshot): scope git operations from worktree root by @rumpl in #2904
• chore: bump direct go dependencies by @dgageot in #2908

Full Changelog: v1.65.0...v1.68.0

This release adds a skills dialog to the TUI and improves HTTP configuration options for API tools, along with proxy handling fixes.

What's New

• Adds /skills slash command to TUI that displays all available skills with their names, sources, and descriptions

Improvements

• Adds timeout and allow_private_ips configuration support to api and openapi tools for consistency with fetch tool

Bug Fixes

• Fixes HTTP proxy support for private IPs in SSRF transport to allow configured proxies on private addresses

Technical Changes

• Updates configuration documentation and applies minor cleanups

What's Changed

• docs: update CHANGELOG.md for v1.64.0 by @docker-read-write[bot] in #2860
• feat: add timeout and allow_private_ips support to api and openapi tools by @dgageot in #2865
• fix: allow configured HTTP proxy on private IPs in SSRF transport by @dgageot in #2864
• feat: add skills dialog to TUI by @dgageot in #2863

Full Changelog: v1.64.0...v1.65.0