Changelog

Rich tool UI restored and

exported

Features

• Restore rich tool UI in tool calls #2221  - The MCP Apps integration had replaced the default tool UI for every tool call. Tool calls now delegate to the default
  , and the MCP App iframe is only appended when a tool has a UI resource binding. Elements now exports
  from its public API. (Author: @simplesagar )

Organisational collections, plugin distribution, and a data-driven project dashboard

Features

• Organisational collections and MCP publishing #2199  - Added an MCP collections service, publishing flow, and catalog UI so MCP servers can be shared across an organisation. (Author: @subomi )
• Plugins for MCP server bundle distribution #2194  - Introduced a plugins feature for distributing MCP server bundles to teams, including custom plugin support for Claude via zip. (Author: @bradcypert )
• Plugins database migration #2214  - Added the
  ,
  , and
  tables to support the plugins feature. (Author: @bradcypert )
• Project dashboard #2217  - Replaced the home placeholder with a data-driven project dashboard surfacing key metrics. (Author: @alx-xo )
• Project metrics summary endpoint #2216  - Added a new project metrics summary endpoint that powers the new project dashboard. (Author: @chase-crumbaugh )
• Hooks dashboard with metrics #2175  - Shipped an expanded hooks dashboard with charts for server activity, source volume, user activity, error rates, and usage over time, plus a KPI metrics row and a toggle to show or hide the raw trace log list. (Author: @alx-xo )
• Pre-aggregated summary endpoint for hooks analytics #2241  - Switched hooks analytics charts and KPIs to a pre-aggregated summary endpoint for faster dashboard loads. (Author: @alx-xo )
• Super-admin RBAC interface #2212  - Added RBAC management endpoints and a super-admin interface for enabling RBAC on organisations. (Author: @tgmendes )
• OAuth config wizard #2200  - Extracted OAuth setup for external MCP servers into a dedicated step-by-step wizard with a state machine, supporting both proxy and external OAuth paradigms and adding success and failure result steps. (Author: @walker-tx )
• MCP status dropdown #2205  - Replaced the MCP enable button with a three-state status dropdown for Disabled, Private, and Public. (Author: @alx-xo )
• Global AI Insights action #2239  - Surfaced AI Insights as a static button in the top breadcrumb bar across every project page. Pages that need a custom prompt or tool set declare it with
  ; everywhere else the global default applies. (Author: @simplesagar )
• Redesigned MCP logs #2206  - Redesigned the MCP logs view with color-coded severity badges, left-edge status dots, tighter row density, sample-query popovers on the filter and date-range inputs, and React performance fixes including memoized trace rows and stable callbacks. (Author: @simplesagar )
• Click-to-filter log attributes #2258  - Added click-to-filter on attribute rows in the MCP logs detail sheet. Clicking an attribute filters by equals, exclude, or contains, or copies its value. Also fixed attribute filters returning too few results due to a hardcoded
  filter that did not account for attributes being spread across multiple log entries per trace. (Author: @simplesagar )
• Restore rich tool UI in the playground #2221  - Restored the rich tool-call rendering in the playground. The MCP Apps integration had replaced the default tool UI for every tool call; the playground now delegates to the default
  and only appends the MCP App iframe when the tool has a UI resource binding. Elements now exports
  from its public API so consumers can compose around it. (Author: @simplesagar )

Bug fixes

• Hard limits on Fly runners #2253  - Set a hard limit on concurrent HTTP requests to Gram Function runners deployed on Fly, preventing OOM errors and crashes when a large number of tool calls arrive in a short period. (Author: @disintegrator )
• Idempotent default registry collection bootstrap #2249  - Fixed a race condition where concurrent
  calls could fail with
  while bootstrapping the default registry collection. The ensure routine now treats unique-constraint violations as success and refetches the existing rows. (Author: @danielkov )
• Corrupt session role resolution #2245  - Added a better error handler for failed role resolution when a user ends up with a corrupt session. (Author: @qstearns )
• Remove legacy
  column #2246  - Replaced
  with
  in queries and app code, then removed the legacy column. (Author: @qstearns )

Triggers, soft-delete for chat sessions, and redesigned deployment logs

Features

• Triggers across Gram #2146  - End-to-end support for webhook and scheduled triggers, including server APIs, worker execution for dispatch and cron processing, SDK support, and dashboard UI for managing trigger definitions and instances. (Author: @danielkov )
• Soft-delete for chat sessions #2197  - Added the ability to soft-delete chat sessions from the dashboard with a confirmation dialog, available from both the chat list table and the detail panel. (Author: @simplesagar )
• Redesigned deployment logs #2167  - Deployment logs now use color-coded level badges, dot indicators, and inline keyboard hints, along with React performance fixes for smoother rendering. (Author: @simplesagar )
• OAuth config under authentication tab #2193  - Moved OAuth config to the Authentication tab of the MCP page and added indicators for the type of OAuth connection per MCP. (Author: @walker-tx )

Bug fixes

• Cross-org toolset leakage on install page #2184  - Fixed an issue where a fallback in the install page toolset lookup could return a different org's active toolset that shared the same MCP slug, instead of returning 404, when a custom-domain-scoped query returned no rows. (Author: @disintegrator )
• Telemetry logs dropped on context cancellation #2195  - Telemetry logs now continue to be inserted into ClickHouse even after the request context has been canceled. (Author: @disintegrator )
• Noisy retryablehttp logs #2196  - Disabled the logger for the retryablehttp client to avoid noisy output cluttering the logs. (Author: @disintegrator )
• Server resolution without a custom domain #2204  - Allow resolving a server without a custom domain attached when the user is authenticated and a custom domain is available. (Author: @qstearns )
• Tailwind CSS v4 globals.css migration #2179  - Migrated
  to Tailwind CSS v4 syntax. (Author: @alx-xo )

Team invite flow and expanded Cursor hook capture

Features

• Team invite flow with accept page #2004  - Added the team management page and invite UI, including an invite accept page, configurable invite expiry, and security hardening around the accept flow. (Author: @adaam2 )
• Expanded Cursor hook capture #2136  - Cursor hook capture now includes UserPromptSubmit, afterAgentThought, and afterAgentResponse events, giving a fuller picture of agent activity inside Cursor. (Author: @bradcypert )

Bug fixes

• Role creation audit log bloat #2168  - Stopped serializing the full role object into the
  column of the audit log when a role is created, avoiding unnecessary database bloat. A future dashboard update will link directly to the role instead. (Author: @disintegrator )
• Playground credential slug length #2176  - Fixed playground credential saving failing with a "length of slug must be lesser or equal than 40" error by shortening the environment slug format to stay within the server's 40-character limit. (Author: @simplesagar )

Editable OAuth proxy servers configs and static platform tools

Features

• Editable OAuth proxy server configuration #2122  - Admins can now edit an existing OAuth proxy server's audience, authorization endpoint, token endpoint, scopes, token endpoint auth methods, and environment slug without unlinking and recreating the configuration. The new
  endpoint accepts partial updates with PATCH semantics. The dashboard's OAuth proxy details modal exposes an Edit button that opens the OAuth modal pre-filled with the current values. Slug and provider type remain immutable after creation, and Gram-managed OAuth proxy servers stay view-only. (Author: @simplesagar )
• Static platform tools and built-in MCP logs server #2094  - Added static platform tools to tool discovery along with a built-in MCP logs server, so platform-native capabilities surface alongside user-defined tools. (Author: @danielkov )

Team management and skills tracking

Features

• Team management endpoints #2082  - Added team management endpoints for invites and members, enabling organization-level team administration. (Author: @adaam2 )
• Skills tracking in hooks dashboard #2121  - Added support for tracking skills in the hooks dashboard, with materialized skill names in the data layer. (Author: @chase-crumbaugh )
• Server-side playground credential storage #2100  - Playground credentials are now stored in encrypted server-side environments instead of
  . Credentials are scoped per-user per-toolset and resolved server-side when proxying to MCP servers. (Author: @simplesagar )

Bug fixes

• Custom domain MCP serving #2114  - Fixed an issue where the platform domain could not serve MCP servers with custom domains. (Author: @adaam2 )

Updated playground model list

Features

• Updated playground models #2101  - Updated the playground model list to add Claude Sonnet 4.6, GPT-5.4 Mini, o4-mini, o3, Gemini 3.1 Pro, DeepSeek R1/V3.2, Llama 4 Maverick, Grok 4, and Qwen3 Coder, and removed superseded models. (Author: @simplesagar )

Cursor hooks support and MCP app integration

Features

• Cursor hooks support #2073  - Added Cursor hooks support with an authenticated endpoint, plugin, and setup flow. (Author: @bradcypert )
• Claude Code full session capture #2049  - Added support for full session capture from Claude Code, recording complete transcripts of prompts, responses, and tool calls. (Author: @simplesagar )
• MCP app support #2061  - Added MCP app support across the playground, local functions runner, and functions SDK, with improved lifecycle handling for proxied tool and resource responses. (Author: @danielkov )
• Interactive Available Tools section on MCP install pages #2089  - Redesigned the Available Tools section on MCP install pages with a compact expandable table format. Each tool row shows its name and description, with an inline detail panel revealing annotation badges on click. Servers with more than ten tools display a "Show N more" button. (Author: @simplesagar )

Role-based access control enforcement and roles dashboard

Features

• RBAC enforcement for projects #2005  - Added role-based access control enforcement to projects, gated behind a feature flag. (Author: @tgmendes )
• Roles assignment dashboard #2078  - Added a feature-flagged dashboard for assigning roles to organization members. (Author: @qstearns )
• Dialog component for MCP server deletion #2076  - Replaced the browser
  dialog with a proper Dialog component for MCP server deletion, improving the user experience. (Author: @alx-xo )

Bug fixes

• Fix OAuth validation checks #2080  - Fixed an issue with OAuth validation checks when tools have no security annotations, ensuring toolset-level OAuth is checked correctly. (Author: @tgmendes )
• Fix custom domain verification on transient errors #2047  - Fixed custom domain verification to fail fast on transient database errors instead of incorrectly creating a new domain record. (Author: @bflad )

Dashboard performance improvements and log search enhancements

Features

• Faster initial page load #2058  - Improved initial page load performance by prefetching key queries in parallel with auth, adding preconnect hints, and switching
  to
  . (Author: @adaam2 )
• Attribute key discovery in log search #2050  - When searching MCP logs, available attribute keys are now displayed to assist with filtering. (Author: @alx-xo )

Bug fixes

• Idempotent project deletion #2069  - The
  endpoint now returns idempotent success for non-existent projects instead of a misleading error. (Author: @bflad )
• Fix toolset cache invalidation on template deletion #2046  - Fixed an issue where the toolset cache was not being invalidated when a template was deleted. (Author: @bflad )
• Remove legacy grants API endpoints #2043  - Removed the legacy grants API endpoints, now replaced by the roles management API. (Author: @tgmendes )

Role-based access control API and improved deployment logs

Features

• Role, membership, and grants management API #2031  - Added a new API for managing roles, memberships, and grants, providing the foundation for role-based access control across projects and organizations. (Author: @tgmendes )
• Improved deployment logs #2033  - Improved user-facing deployment logs with source processing details and an aggregate summary for better visibility into deployment progress. (Author: @bflad )

Bug fixes

• Revert multiple security schemes with public OAuth #2030  - Reverted the feature allowing other security schemes when public OAuth is configured due to unexpected behavior. (Author: @disintegrator )
• Validate default environment ID #2024  - Added validation to ensure
  belongs to the caller's project before storing it in MCP metadata. (Author: @simplesagar )
• Fix Pylon chat widget overlap #2025  - Fixed the Pylon chat widget overlapping the playground send button by hiding the default launcher and adding toggle support to the Get Support button. (Author: @simplesagar )
• Clean up defunct observability seed logic #2019  - Removed defunct observability seed tool logic as part of onboarding cleanup. (Author: @danielkov )

Multiple security schemes alongside OAuth and health check improvements

Features

• Multiple security schemes with public OAuth #2023  - Added support for multiple security schemes even when OAuth servers are configured on public servers. (Author: @qstearns )
• Improved server health checks #2018  - Moved control server initialization after all routes and middleware are attached, and added a
  endpoint to the main API mux so the control server can verify the API is actually serving traffic before reporting healthy. (Author: @disintegrator )

Bug fixes

• Align built-in MCP detail page header #2013  - Aligned the built-in MCP detail page header and install section with the standard MCP detail page styling. (Author: @adaam2 )

Audit log diff viewer and non-blocking deployments

Features

• Audit log diff viewer #1988  - Introduced a diff viewer that highlights changes in audit subjects for update events. Additionally, renamed
  audit events to
  since toolsets are no longer a visible primitive on the dashboard. (Author: @disintegrator )
• Non-blocking deployment interactions #2001  - Made deployment interactions non-blocking by passing
  to create/evolve API calls. The UI now polls for deployment completion instead of blocking the request, preventing timeouts on long-running deployments. (Author: @adaam2 )

Bug fixes

• Strip tools from toolset audit log snapshots #2000  - Removed the large
  field from toolset audit log snapshots to avoid serializing unnecessary data into audit log entries. (Author: @disintegrator )

Access and permissions management API and login page redesign

Features

• Access and permissions management API #1968  - Added new API endpoints for access and permissions management with an RBAC enforcement package. (Author: @tgmendes )
• Login page redesign #1962  - Revamped the login page with Speakeasy brand styling, a distributed platform diagram with Control Plane and Tools Platform sections, and updated copy. (Author: @simplesagar )

Bug fixes

• Fix authorization header clobbering #1973  - Fixed an issue where API key headers were overwritten when the client credentials exchange was unconfigured. (Author: @qstearns )
• Upgrade insights copilot model #1964  - Upgraded the insights copilot to
  and injected the current date into the system prompt for improved temporal context. (Author: @adaam2 )
• Fix skeleton flash on logout #1961  - Suppressed the loading shell skeleton flash on unauthenticated routes during logout. (Author: @adaam2 )

Audit log faceted search and dashboard audit logs page

Features

• Audit log faceted search #1982  - Added actor and action search facets to audit logs via a new
  endpoint, with the existing
  endpoint updated to support filtering by actor and action. (Author: @disintegrator )
• Audit logs page in the organization dashboard #1985  - Introduced a new Audit Logs page to the organization dashboard, allowing users to view a history of actions taken within the organization. (Author: @disintegrator )

Bug fixes

• Fix mixed-case HTTP authentication scheme handling #1986  - Standardized OpenAPI HTTP authentication scheme casing so extraction and stored metadata function correctly across variants like
  and
  . (Author: @disintegrator )
• Fix server filtering in logs page #1984  - Fixed server selection functionality in the dashboard logs page using exact server filtering. (Author: @tgmendes )

Audit logs API

Features

• Audit logs API service #1944  - Introduced the audit logs API service and supplementary code to start recording audit logs across services, including new URN types to represent various subjects in Gram. (Author: @disintegrator )

Bug fixes

• Fix hardcoded org slugs in MCP log URLs #1936  - Replaced hardcoded org slugs in MCP URLs for the built-in MCP logs server. (Author: @simplesagar )
• Fix CLI release signing #1945  - Fixed CLI release signing by switching to cosign v3 bundle format and migrating to Ubuntu runner. (Author: @adaam2 )

Environment detachment and authentication fixes

Features

• Detach environments from MCP servers #1934  - Added the ability to detach an environment from an MCP server, giving more flexibility in environment management. (Author: @simplesagar )

Bug fixes

• Fix org-scoped chat credit usage authentication #1935  - Fixed
  authentication so org-scoped credit usage works correctly for customers with multiple projects, requiring only session auth. (Author: @disintegrator )
• Show coming soon placeholder on CLIs page #1929  - Added a coming soon placeholder on the CLIs page. (Author: @simplesagar )
• Fix CLI update when using Homebrew #1931  - Fixed an issue where the CLI update command didn't work correctly when installed via Homebrew. (Author: @aditya-mitra )

Increased Gram Function runner memory and table view for list pages

Features

• Increased Gram Function runner memory to 1 GB #1922  - Gram Function runners now run with 1 GB of memory instead of 512 MB, providing more headroom for memory-intensive operations. (Author: @disintegrator )
• Table view toggle for list pages #1894  - Added a grid/table view toggle for MCP, Sources, and Catalog list pages with animated dot-pattern rows and localStorage persistence. (Author: @adaam2 )

Bug fixes

• Fix MCP environments default display #1898  - Fixed an issue where the MCP environments section displayed the wrong default when no environment was attached. (Author: @simplesagar )
• Prevent double-back-button on detail pages #1907  - Fixed a navigation issue where detail pages rendered two back buttons. (Author: @simplesagar )

Playground OAuth discovery fix and error handling for MCP tool results

Features

• Display audience field in OAuth proxy server details #1862  - The OAuth proxy server details view now displays the audience field. (Author: @simplesagar )
• Set isError on MCP tool results based on HTTP status #1887  - MCP tool results now have
  set based on the HTTP response status code, improving error visibility for tool calls. (Author: @minuteman3 )

Bug fixes

• Fix playground OAuth discovery #1861  - Resolved an issue where the playground OAuth discovery relied on removed tool-definition fields. OAuth requirements are now detected from
  and
  at the toolset level. (Author: @simplesagar )

Admin cache purging and telemetry cleanup

Features

• Admin-only cache purging for MCP registries #1815  - Added a
  endpoint restricted to admin users for purging MCP registry caches. (Author: @ndimares )

Bug fixes

• Correct HTTP status attribute references in MCP logs #1814  - Fixed incorrect HTTP status attribute references in MCP logs search to surface the correct values. (Author: @simplesagar )
• Remove logs enabled flag from telemetry API #1811  - Removed the deprecated
  field from telemetry API responses. (Author: @tgmendes )
• Remove automatic browser opening on deployment #1807  - The CLI no longer automatically opens the browser when a deployment completes. The URL is printed to the console instead. (Author: @disintegrator )

Unified OAuth for external MCP servers and hooks dashboard

Features

• Unified OAuth for external MCP servers #1797  - External MCP servers now use the same OAuth configuration pathway as all other toolsets, removing special-cased token resolution. The "Configure OAuth" button is enabled for external MCP servers that require OAuth, and discovered OAuth metadata can auto-populate the configuration form with a single click. (Author: @qstearns )
• Hooks dashboard page #1767  - Added a dedicated dashboard page for viewing and managing hooks. (Author: @chase-crumbaugh )

Feedback UI fixes and settings improvements

Bug fixes

• Feedback UI improvements #1774  - Set
  default to
  to match documentation, improved dark mode styling for feedback buttons, and updated the system prompt to prevent multiple generative UI widgets per response. (Author: @adaam2 )
• Settings page with tabs routing #1747  - Improved the settings page with tabbed routing and logging API integration. (Author: @adaam2 )

Hooks, telemetry attribute filtering, and identity passthrough

Features

• Gram hooks for tool capture #1755  - Added Gram hooks that capture tool invocations, enabling observability into tool usage. (Author: @chase-crumbaugh )
• Telemetry attribute filtering #1751  - Added the ability to filter telemetry logs by dynamic attributes on the logs page. (Author: @tgmendes )
• Identity passthrough for functions #1771  - Function authors can now receive the authenticated Gram user's email by setting
  in the
  config, populating the
  environment variable. (Author: @qstearns )
• Settings page improvements #1747  - Improved the settings page with tabbed routing and logging API integration. (Author: @adaam2 )
• Server instructions section #1729  - Moved server instructions to a dedicated section with LLM-generated best practices for MCP server instructions. (Author: @simplesagar )
• External auth user ID tracking #1746  - Added the ability to track external auth user IDs in telemetry logs by extracting JWT subject from external MCP OAuth tokens. (Author: @tgmendes )
• Zod v4 upgrade #1717  - Upgraded Zod to v4 across the monorepo and bumped
  . (Author: @qstearns )

Bug fixes

• Telemetry timestamp format #1754  - Updated the telemetry search logs API response to send unix nanosecond timestamps as strings instead of integers, preventing precision loss. (Author: @tgmendes )

Slack app installation and redeployment command

Features

• Slack app installation through Gram UI #1711  - Added the ability to install Slack apps through the Gram UI with OAuth-based installation, per-app event handling, and legacy cleanup. (Author: @qstearns )
• Redeploy CLI command #1721  - Added
  command to clone and redeploy existing deployments, with a visible redeploy button on every deployment detail page and deployments navigation on the sources page. (Author: @simplesagar )

Bug fixes

• Tool call logs count shown but empty state #1708  - Fixed an issue where the tool call logs count was displayed but the content showed an empty state. (Author: @simplesagar )