From a4e13ff25513b30c59c5a17c710aaf95c823f4f2 Mon Sep 17 00:00:00 2001 From: "gram-bot[bot]" Date: Wed, 20 May 2026 16:09:12 +0000 Subject: [PATCH] RELEASING: Releasing 2 package(s) Releases: server@0.56.0 dashboard@0.57.0 --- .changeset/age-2395-xmcp-user-session-issuer.md | 5 ----- .../age-2443-assistant-disable-reasoning.md | 5 ----- .changeset/anthropic-prompt-cache-passthrough.md | 5 ----- .changeset/assistant-trigger-self-update-fix.md | 5 ----- .changeset/assistants-mcp-oauth.md | 5 ----- .changeset/dashboard-mcp-server-management.md | 5 ----- .changeset/fix-token-graph-filter.md | 5 ----- .changeset/mighty-lions-write.md | 5 ----- .changeset/negated-grants-ui.md | 5 ----- .changeset/openrouter-attribution.md | 5 ----- .changeset/slack-platform-tools-expansion.md | 5 ----- .changeset/smooth-doodles-shop.md | 5 ----- client/dashboard/CHANGELOG.md | 12 ++++++++++++ client/dashboard/package.json | 2 +- server/CHANGELOG.md | 16 ++++++++++++++++ server/package.json | 2 +- 16 files changed, 30 insertions(+), 62 deletions(-) delete mode 100644 .changeset/age-2395-xmcp-user-session-issuer.md delete mode 100644 .changeset/age-2443-assistant-disable-reasoning.md delete mode 100644 .changeset/anthropic-prompt-cache-passthrough.md delete mode 100644 .changeset/assistant-trigger-self-update-fix.md delete mode 100644 .changeset/assistants-mcp-oauth.md delete mode 100644 .changeset/dashboard-mcp-server-management.md delete mode 100644 .changeset/fix-token-graph-filter.md delete mode 100644 .changeset/mighty-lions-write.md delete mode 100644 .changeset/negated-grants-ui.md delete mode 100644 .changeset/openrouter-attribution.md delete mode 100644 .changeset/slack-platform-tools-expansion.md delete mode 100644 .changeset/smooth-doodles-shop.md diff --git a/.changeset/age-2395-xmcp-user-session-issuer.md b/.changeset/age-2395-xmcp-user-session-issuer.md deleted file mode 100644 index cd56a2845b..0000000000 --- a/.changeset/age-2395-xmcp-user-session-issuer.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"server": minor ---- - -Integrate `/x/mcp` with `mcp_servers.user_session_issuer_id`. The `mcpServers.create` and `mcpServers.update` management endpoints now accept an optional `user_session_issuer_id`, and `McpServer` carries it on read. When set on an `mcp_server`, `/x/mcp` requests are issuer-gated: callers without a valid Authorization receive 401 + `WWW-Authenticate` pointing at `/.well-known/oauth-protected-resource/x/mcp/{slug}`, and the full OAuth surface — dynamic client registration, authorize, IDP callback, consent, token, revoke — is mounted under `/x/mcp/{slug}/...` against the same JWT machinery `/mcp` uses, with audience bound to `urn.NewUserSessionIssuer(...)` so tokens stay portable across toolset-backed and remote-backed servers under the same issuer. Both well-known metadata routes under `/x/mcp` now return the issuer-gated metadata shape for any addressed `mcp_server` with an issuer set, including remote-backed servers (previously 404). The `/oauth/proxy-register` DCR helper now also registers `/x/mcp/remote_login_callback` so remote-OAuth `mcp_servers` reached via `/x/mcp/{slug}/connect` can complete the upstream callback against the same upstream client registration. diff --git a/.changeset/age-2443-assistant-disable-reasoning.md b/.changeset/age-2443-assistant-disable-reasoning.md deleted file mode 100644 index b0f7ee3fb1..0000000000 --- a/.changeset/age-2443-assistant-disable-reasoning.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"server": patch ---- - -Chat completions no longer generate hidden reasoning tokens. Previously, OpenRouter could route requests through models that produced reasoning output Gram discarded before storage — yet still billed. The proxy and every internal completion caller (chat title generation, Slack agent loop, risk policy naming, structured object completion) now explicitly disable reasoning, eliminating that silent cost without changing observed behavior. diff --git a/.changeset/anthropic-prompt-cache-passthrough.md b/.changeset/anthropic-prompt-cache-passthrough.md deleted file mode 100644 index 4cf96240d4..0000000000 --- a/.changeset/anthropic-prompt-cache-passthrough.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"server": patch ---- - -Anthropic prompt caching now actually takes effect for assistant chats. The `/chat/completions` proxy used to strip `cache_control` markers off the request body before forwarding to OpenRouter, so every Anthropic call billed at the full input rate. The proxy now preserves the markers at the top level, on tool definitions, and on message content blocks, so Claude requests with stable prefixes can serve from cache. diff --git a/.changeset/assistant-trigger-self-update-fix.md b/.changeset/assistant-trigger-self-update-fix.md deleted file mode 100644 index 6968bd4ca5..0000000000 --- a/.changeset/assistant-trigger-self-update-fix.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"server": patch ---- - -Assistants can now update their own triggers. Previously, calling `configure_trigger` on an existing trigger returned a generic internal error every time, even though the assistant could read its triggers fine — its scoped tool was being silently swapped for a stricter variant that demanded fields the assistant isn't allowed to send. As a side effect, an assistant's trigger list no longer leaks sibling assistants' triggers in the same project. diff --git a/.changeset/assistants-mcp-oauth.md b/.changeset/assistants-mcp-oauth.md deleted file mode 100644 index 72816bfb81..0000000000 --- a/.changeset/assistants-mcp-oauth.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"server": minor ---- - -Assistants can now authenticate with OAuth-protected MCP servers. When a configured MCP server requires user authentication, the assistant relays the authorization link through an available output tool; once the user completes authentication, the assistant reconnects and continues its task. diff --git a/.changeset/dashboard-mcp-server-management.md b/.changeset/dashboard-mcp-server-management.md deleted file mode 100644 index daebe01ee4..0000000000 --- a/.changeset/dashboard-mcp-server-management.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"dashboard": minor ---- - -Add the initial Remote MCP-backed MCP server management UI under the `gram-remote-mcp` feature flag. diff --git a/.changeset/fix-token-graph-filter.md b/.changeset/fix-token-graph-filter.md deleted file mode 100644 index 9ad7f3e61a..0000000000 --- a/.changeset/fix-token-graph-filter.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"dashboard": patch ---- - -Fix token graph blanking when filtering by agent type on /insights/costs diff --git a/.changeset/mighty-lions-write.md b/.changeset/mighty-lions-write.md deleted file mode 100644 index 3edbc87659..0000000000 --- a/.changeset/mighty-lions-write.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"dashboard": patch ---- - -update @speakeasy-api/moonshine dependency to 1.36.1 diff --git a/.changeset/negated-grants-ui.md b/.changeset/negated-grants-ui.md deleted file mode 100644 index 8f23a1436f..0000000000 --- a/.changeset/negated-grants-ui.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"dashboard": minor ---- - -Add deny rules (exceptions) to RBAC role editor, allowing admins to grant broad access then carve out specific resources or tools that a role should not access diff --git a/.changeset/openrouter-attribution.md b/.changeset/openrouter-attribution.md deleted file mode 100644 index 7e6f5167c6..0000000000 --- a/.changeset/openrouter-attribution.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"server": patch ---- - -Outbound OpenRouter chat completions now carry a session ID, user, source metadata, and distributed-trace identifiers so OpenRouter's dashboard can group requests per conversation and roll up cost per customer, and so Datadog traces correlate with OpenRouter's request records. diff --git a/.changeset/slack-platform-tools-expansion.md b/.changeset/slack-platform-tools-expansion.md deleted file mode 100644 index d38e9f331e..0000000000 --- a/.changeset/slack-platform-tools-expansion.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"server": minor ---- - -Slack assistants can now manage the full message and channel lifecycle: edit, delete, and ephemeral messages; pull permalinks; open DMs; create, join, leave, invite, archive, and rename channels; manage pins, bookmarks, usergroup membership, reminders, file uploads, canvases, and presence/DND. Closes the previous gap where assistants could read Slack but barely write to it. diff --git a/.changeset/smooth-doodles-shop.md b/.changeset/smooth-doodles-shop.md deleted file mode 100644 index d4affbd115..0000000000 --- a/.changeset/smooth-doodles-shop.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"server": patch ---- - -Deprecated obsolete outbox event types and explicitly adds versioning in the name scheme of events. In particular, `risk_finding.created` is replaced by `risk_finding.created_v1`. diff --git a/client/dashboard/CHANGELOG.md b/client/dashboard/CHANGELOG.md index ed8b0676e0..795f1ac45e 100644 --- a/client/dashboard/CHANGELOG.md +++ b/client/dashboard/CHANGELOG.md @@ -1,5 +1,17 @@ # dashboard +## 0.57.0 + +### Minor Changes + +- 5e00422: Add the initial Remote MCP-backed MCP server management UI under the `gram-remote-mcp` feature flag. +- f9b43d9: Add deny rules (exceptions) to RBAC role editor, allowing admins to grant broad access then carve out specific resources or tools that a role should not access + +### Patch Changes + +- 2cdae0e: Fix token graph blanking when filtering by agent type on /insights/costs +- 8dcf760: update @speakeasy-api/moonshine dependency to 1.36.1 + ## 0.56.0 ### Minor Changes diff --git a/client/dashboard/package.json b/client/dashboard/package.json index e544151913..a1a61d575a 100644 --- a/client/dashboard/package.json +++ b/client/dashboard/package.json @@ -1,7 +1,7 @@ { "name": "dashboard", "private": true, - "version": "0.56.0", + "version": "0.57.0", "type": "module", "scripts": { "dev": "vite --port ${GRAM_SITE_PORT:-5173}", diff --git a/server/CHANGELOG.md b/server/CHANGELOG.md index 33a4a058da..b39399ef1d 100644 --- a/server/CHANGELOG.md +++ b/server/CHANGELOG.md @@ -1,5 +1,21 @@ # server +## 0.56.0 + +### Minor Changes + +- 978d13f: Integrate `/x/mcp` with `mcp_servers.user_session_issuer_id`. The `mcpServers.create` and `mcpServers.update` management endpoints now accept an optional `user_session_issuer_id`, and `McpServer` carries it on read. When set on an `mcp_server`, `/x/mcp` requests are issuer-gated: callers without a valid Authorization receive 401 + `WWW-Authenticate` pointing at `/.well-known/oauth-protected-resource/x/mcp/{slug}`, and the full OAuth surface — dynamic client registration, authorize, IDP callback, consent, token, revoke — is mounted under `/x/mcp/{slug}/...` against the same JWT machinery `/mcp` uses, with audience bound to `urn.NewUserSessionIssuer(...)` so tokens stay portable across toolset-backed and remote-backed servers under the same issuer. Both well-known metadata routes under `/x/mcp` now return the issuer-gated metadata shape for any addressed `mcp_server` with an issuer set, including remote-backed servers (previously 404). The `/oauth/proxy-register` DCR helper now also registers `/x/mcp/remote_login_callback` so remote-OAuth `mcp_servers` reached via `/x/mcp/{slug}/connect` can complete the upstream callback against the same upstream client registration. +- 9aa2fed: Assistants can now authenticate with OAuth-protected MCP servers. When a configured MCP server requires user authentication, the assistant relays the authorization link through an available output tool; once the user completes authentication, the assistant reconnects and continues its task. +- 0ef489c: Slack assistants can now manage the full message and channel lifecycle: edit, delete, and ephemeral messages; pull permalinks; open DMs; create, join, leave, invite, archive, and rename channels; manage pins, bookmarks, usergroup membership, reminders, file uploads, canvases, and presence/DND. Closes the previous gap where assistants could read Slack but barely write to it. + +### Patch Changes + +- 4f16ea3: Chat completions no longer generate hidden reasoning tokens. Previously, OpenRouter could route requests through models that produced reasoning output Gram discarded before storage — yet still billed. The proxy and every internal completion caller (chat title generation, Slack agent loop, risk policy naming, structured object completion) now explicitly disable reasoning, eliminating that silent cost without changing observed behavior. +- 11d0b70: Anthropic prompt caching now actually takes effect for assistant chats. The `/chat/completions` proxy used to strip `cache_control` markers off the request body before forwarding to OpenRouter, so every Anthropic call billed at the full input rate. The proxy now preserves the markers at the top level, on tool definitions, and on message content blocks, so Claude requests with stable prefixes can serve from cache. +- 5746c4e: Assistants can now update their own triggers. Previously, calling `configure_trigger` on an existing trigger returned a generic internal error every time, even though the assistant could read its triggers fine — its scoped tool was being silently swapped for a stricter variant that demanded fields the assistant isn't allowed to send. As a side effect, an assistant's trigger list no longer leaks sibling assistants' triggers in the same project. +- 4e1be24: Outbound OpenRouter chat completions now carry a session ID, user, source metadata, and distributed-trace identifiers so OpenRouter's dashboard can group requests per conversation and roll up cost per customer, and so Datadog traces correlate with OpenRouter's request records. +- 31bafa1: Deprecated obsolete outbox event types and explicitly adds versioning in the name scheme of events. In particular, `risk_finding.created` is replaced by `risk_finding.created_v1`. + ## 0.55.1 ### Patch Changes diff --git a/server/package.json b/server/package.json index 4dbc70788d..c3eec91b51 100644 --- a/server/package.json +++ b/server/package.json @@ -1,6 +1,6 @@ { "name": "server", - "version": "0.55.1", + "version": "0.56.0", "description": "", "private": true, "main": "index.js",