Description
Three agentic CLI tools have new versions available with significant improvements across security, features, and stability.
Summary
- GitHub Copilot CLI: 0.0.402 → 0.0.403 (published 2026-02-04)
- OpenAI Codex: 0.94.0 → 0.97.0 (published 2026-02-05, 3 intermediate versions)
- MCP Gateway: v0.0.98 → v0.0.99 (published 2026-02-04)
Update Priority: Medium - Security enhancements and stability improvements with no breaking changes
Status: `constants.go` updated in this workflow run, requires `make recompile` and testing
GitHub Copilot CLI v0.0.403
Release Date: February 4, 2026
Breaking Changes
None
Key Features
- Security enhancements: Module usage restricted to application bundle
- Plugin improvements: MCP servers stop before updates, skills work in prompt mode
- Configuration preservation: Config files now preserve custom fields during CLI updates
- Enhanced reasoning: Reasoning summaries enabled by default for supported models
- Cross-platform fixes: Detached shell processes work on vanilla macOS, Windows Task Manager shows correct app names
View Full Changelog
Security & Safety
- Implemented security checks to prevent module usage outside the application bundle
- Enhanced permission dialog behavior with consistent Escape key handling
Plugin & MCP Improvements
- MCP servers now stop before plugin updates
- Plugin skills function in prompt mode
- Skills with unrecognized frontmatter fields load with warnings rather than silencing
Configuration & Data Handling
- Config files preserve custom fields when CLI updates them
- ACP model info now includes usage multiplier and enablement status
User Experience
- Windows Task Manager displays correct application names
- Detached shell processes work on vanilla macOS installations
- Reasoning summaries enabled by default for supported models
- Custom agent frontmatter supports comma-separated tools
Bug Fixes
- Fixed logic checking user organization membership
- Improved custom agent field handling with warnings instead of silent failures
Impact Assessment
- Risk: Low
- Affects: Security posture, plugin system, config handling, cross-platform compatibility
- Migration: None required, backward compatible
Package Links
- NPM Package: https://www.npmjs.com/package/@github/copilot
- Repository: https://github.com/github/copilot-cli
- Changelog: https://github.com/github/copilot-cli/blob/main/changelog.md
OpenAI Codex v0.97.0
Release Date: February 5, 2026 (spans versions 0.95.0 through 0.97.0)
Breaking Changes
None
Key Features
- Session-scoped tool approvals: "Allow and remember" option enables auto-approval of repeated MCP/App tool calls within a session
- Live skill updates: Skill file changes detected and applied without restart
- Mixed media support: Dynamic tool outputs support combined text and image content
- Debug command: New `/debug-config` slash command for inspecting effective configuration
- Memory infrastructure: Initial API client and local persistence for thread memory summaries
- Configurable logging: New `log_dir` configuration option via CLI overrides
- macOS launcher: `codex app (path)` launches Codex Desktop from CLI with automatic DMG download
- Personal skill loading: Loads skills from `~/.agents/skills` and `~/.codex/skills` with app-server APIs
- Enhanced `/plan` command: Supports inline prompt arguments and image attachments
- Parallel shell execution: Multi-command throughput improvements
- Thread environment variable: Shell executions receive `CODEX_THREAD_ID` for thread/session detection
View Full Changelog
Version 0.97.0 (February 5, 2026)
New Features
- Session-scoped tool approvals with "Allow and remember" option (Add option to approve and remember MCP/Apps tool usage openai/codex#10584)
- Live skill updates without restart (Added support for live updates to skills openai/codex#10478)
- Mixed media support in dynamic tool outputs (feat(app-server, core): allow text + image content items for dynamic tool outputs openai/codex#10567)
- New `/debug-config` slash command (Add /debug-config slash command openai/codex#10642)
- Memory infrastructure: API client and local persistence (feat: add phase 1 mem client openai/codex#10629, feat: add phase 1 mem db openai/codex#10634)
- Configurable logging with `log_dir` option (feat(core): add configurable log_dir openai/codex#10678)
Bug Fixes
- Stabilized TUI apps/connectors picker rendering (Fix jitter in TUI apps/connectors picker openai/codex#10593)
- Restored "working" status indicator during preamble (fix: ensure status indicator present earlier in exec path openai/codex#10700, fix(tui): restore working shimmer after preamble output openai/codex#10701)
- Enhanced cloud requirements reliability with timeout increases and retry logic (Cloud Requirements: increase timeout and retries openai/codex#10631, Cloud Requirements: take precedence over MDM openai/codex#10633, Increase cloud req timeout openai/codex#10659)
- Improved pending-input user event persistence (Persist pending input user events openai/codex#10656)
Version 0.96.0 (February 4, 2026)
New Features
- Added `thread/compact` async trigger RPC to v2 app-server API
- Introduced websocket-side rate limit signaling through `codex.rate_limits` event
- Enabled `unified_exec` across all non-Windows platforms
- Constrained requirement values now track source provenance
Bug Fixes
- Corrected `Esc` key behavior in TUI's `request_user_input` overlay
- Thread listing prioritizes state DB queries before filesystem traversal
- Fixed thread path lookup validation
- Dynamic tool injection executes within single transaction
- Refined `request_rule` guidance in approval-policy prompting
Version 0.95.0 (February 4, 2026)
New Features
- macOS launcher: `codex app (path)` to launch Codex Desktop from CLI
- Personal skill loading from `~/.agents/skills` and `~/.codex/skills`
- Enhanced `/plan` command with inline prompts and image attachments
- Parallel execution for shell-related tools
- Shell executions receive `CODEX_THREAD_ID` environment variable
- Linux sandbox groundwork with vendored Bubblewrap
Bug Fixes
- Hardened Git command safety to prevent destructive operations
- Fixed thread resume/browsing with correct saved thread names
- Corrected first-run trust-mode handling
- Resolved `codex exec` hanging on interrupt with websockets
- Fixed review-mode approval event alignment
- Enhanced 401 error diagnostics with server message details
Notable Changes
- Completed migration from deprecated `mcp-types` crate to `rmcp`-based protocol types
- Updated `bytes` dependency for security advisory resolution
Impact Assessment
- Risk: Low to Medium
- Affects: Tool approval workflow, skill management, debugging capabilities, shell execution, thread management, macOS desktop integration
- Migration: None required, all features are additive or improvements to existing functionality
Package Links
- NPM Package: https://www.npmjs.com/package/@openai/codex
- Repository: https://github.com/openai/codex
- Release Notes: https://github.com/openai/codex/releases
- v0.97.0 Release: https://github.com/openai/codex/releases/tag/rust-v0.97.0
- v0.96.0 Release: https://github.com/openai/codex/releases/tag/rust-v0.96.0
- v0.95.0 Release: https://github.com/openai/codex/releases/tag/rust-v0.95.0
MCP Gateway v0.0.99
Release Date: February 4, 2026
Breaking Changes
None
Key Features
- OAuth Discovery Endpoint: Root-level OAuth discovery at `/.well-known/oauth-authorization-server` eliminates request hangs
- Extended MCP Server Support: Authentication for 10+ new MCP servers:
  - Google services (Maps, Drive) with API key and credential configurations
  - Slack workspace connectivity with OAuth tokens
  - Sentry error monitoring with DSN authentication
  - Brave Search API integration
  - EverArt AI art generation tool
  - Filesystem, browser automation, and Kubernetes servers
- Automated Documentation Sync: Nightly workflow maintains documentation alignment
View Full Changelog
New Features
- OAuth Discovery Endpoint implemented at `/.well-known/oauth-authorization-server`
- Extended MCP Server Support with authentication for 10+ new servers:
  - Google Maps, Google Drive
  - Slack workspaces
  - Sentry error monitoring
  - Brave Search API
  - EverArt AI art generation
  - Filesystem, browser automation, Kubernetes
- Automated Documentation Synchronization via nightly workflow
Bug Fixes & Improvements
- Resolved nightly stress test stability by transitioning from Docker-in-Docker to external gateway infrastructure
- Corrected Copilot API errors in issue-monster workflow by minimizing prompt dimensions
- Enhanced AWS integration configurations
- Strengthened daily device and smoke test reliability
Testing Infrastructure Enhancements
- Nightly MCP Gateway stress testing validates multi-server deployment scenarios
- Firewall configuration encompasses containers ecosystem
- Go module access enabled in stress environments
- Iterative stress test refinements with comprehensive MCP server integration coverage
Merged Pull Requests
36 commits merged since v0.0.98
Primary contributors: Copilot (automated), lpcox (manual updates)
Impact Assessment
- Risk: Low
- Affects: MCP server compatibility, OAuth authentication flows, stress testing infrastructure
- Migration: None required, backward compatible
Package Links
- Docker Image: https://github.com/github/gh-aw-mcpg/pkgs/container/gh-aw-mcpg
- Repository: https://github.com/github/gh-aw-mcpg
- Release Notes: https://github.com/github/gh-aw-mcpg/releases
- v0.0.99 Release: https://github.com/github/gh-aw-mcpg/releases/tag/v0.0.99
Docker Command
```bash
docker pull ghcr.io/github/gh-aw-mcpg:v0.0.99
```
Supported architectures: linux/amd64, linux/arm64
Recommendations
Update Strategy
- Test Copilot 0.0.403: Run integration tests focusing on security checks, plugin system, and config preservation
- Test Codex 0.97.0: Verify tool approval workflows, skill loading, and shell execution enhancements
- Test MCP Gateway v0.0.99: Validate OAuth discovery endpoint and new MCP server integrations
- Rollout: Deploy sequentially (Copilot → Codex → MCP Gateway) to isolate any issues
Testing Focus Areas
- Copilot: Security module restrictions, plugin updates, config file handling
- Codex: Session-scoped tool approvals, live skill updates, `/debug-config` command, parallel shell execution
- MCP Gateway: OAuth discovery, new MCP server authentication flows
Risk Mitigation
- All three updates are non-breaking and backward compatible
- Focus testing on new features rather than regression testing
- Monitor for edge cases in security restrictions (Copilot) and tool approvals (Codex)
Timeline
- Immediate: Integration testing can begin
- 1-2 days: Complete testing and validation
- Rollout: Deploy to production after successful testing
References:
AI generated by CLI Version Checker - expires on Feb 7, 2026, 12:29 PM UTC