[ca] CLI Version Updates: Claude Code, Copilot, Codex, GitHub MCP Server, MCP Gateway (2026-05-21)

[github-actions]

Summary

Five CLI tools have new stable releases since the last check. All updates have been applied to pkg/constants/version_constants.go and make recompile was run twice to regenerate workflow lock files.

Tool	Previous	New	Risk
Claude Code	2.1.142	2.1.146	Low
Copilot CLI	1.0.48	1.0.51	Low
Codex	0.130.0	0.132.0	Low
GitHub MCP Server	v1.0.4	v1.0.5	Low
MCP Gateway	v0.3.9	v0.3.16	Low

No updates for Playwright MCP (0.0.75), Playwright CLI (0.1.13), or Playwright Browser (v1.60.0).

Critical Issues

No breaking changes detected. All updates are additive (features, fixes, refactors).

---

Update Claude Code

• Previous: 2.1.142 → New: 2.1.146 (4 patch versions)
• Risk: Low — patch-level updates

Claude Code has no public GitHub repository, so detailed changelog is not available. Updates are typically bug fixes and minor improvements based on the patch-level cadence.

Package Links:

• NPM Package: https://www.npmjs.com/package/`@anthropic-ai/claude-code`

---

Update Copilot CLI

• Previous: 1.0.48 → New: 1.0.51 (3 patch versions)
• Risk: Low — patch-level updates

Copilot CLI repository (https://github.com/github/copilot-cli) is private and changelogs are not publicly accessible. Patch-level updates typically contain bug fixes and incremental improvements.

Package Links:

• NPM Package: https://www.npmjs.com/package/`@github/copilot`
• Repository: https://github.com/github/copilot-cli (private)

---

Update Codex

• Previous: 0.130.0 → New: 0.132.0 (2 minor versions)
• Timeline: 0.131.0 (2026-05-18), 0.132.0 (2026-05-20)
• Risk: Low — new features are opt-in; no breaking changes

Key Features

0.131.0:

• TUI session controls: data-driven service-tier commands, blended token usage, permissions/approval mode display, responsive Markdown tables
• @ mentions search files, directories, plugins, and skills in one picker
• Plugin workflows: marketplace CLI commands, version-aware sharing, share checkout
• Remote workflows: daemon-managed codex remote-control, runtime enable/disable APIs
• Python SDK moved to openai-codex / openai_codex namespace
• New codex doctor for support-ready diagnostics

0.132.0:

• Python SDK first-class auth: API key login, ChatGPT browser/device-code flows, account inspection, logout APIs
• codex exec resume now accepts --output-schema for structured JSON output
• Faster TUI startup (batched terminal capability probes)
• Remote executor uses standard Codex auth
• App-server preserves image fidelity across user inputs and tools

View Bug Fixes

0.131.0:

• Fixed TUI: URL wrapping, light-mode selection contrast, Shift+Enter in tmux, /review MCP startup status, /side Esc handling
• Hardened Windows sandbox (deny-read rules, scoped write roots, firewall policy)
• Preserved managed read restrictions during permission escalation
• Safer app-server/local state startup (SQLite preservation, fail-closed on state open)
• Improved Git and auth (root worktree hooks, repo hook isolation, local MCP OAuth callbacks, superseded login token revocation)

0.132.0:

• Goal continuations stop on usage limits or repeated blockers (no more token-burning loops)
• Session picker shows renamed threads as name (thread-id); paste works in search
• MCP calls stay active during replay; elicitation responses routed correctly
• Remote sessions: websocket keepalive, repo-relative diff paths
• Windows: codex doctor detects npm-managed installs; MSVC release binaries link static CRT
• TUI: shutdown feedback on exit, hide ChatGPT usage link for non-OpenAI providers

View Notable PRs

• feat(cli): add codex doctor diagnostics openai/codex#22336 — codex doctor diagnostics command
• sdk/python: add first-class login support openai/codex#23093 — Python SDK first-class auth
• Support --output-schema for exec resume openai/codex#23123 — --output-schema for exec resume
• Densify and version memory summaries openai/codex#23148 — Versioned memory summaries
• exec-server: support auth-backed remote executor registration openai/codex#22769 — Auth-backed remote executor registration
• goal: pause continuation loops on usage limits and blockers openai/codex#23094 — Goal continuations pause on usage limits
• Improve goal completion usage reporting openai/codex#22907 — Improved goal completion usage reporting
• windows: link MSVC release binaries with static CRT openai/codex#22905 — Windows MSVC static CRT linking

Package Links:

• NPM Package: https://www.npmjs.com/package/`@openai/codex`
• Repository: https://github.com/openai/codex
• Release 0.131.0: https://github.com/openai/codex/releases/tag/rust-v0.131.0
• Release 0.132.0: https://github.com/openai/codex/releases/tag/rust-v0.132.0

---

Update GitHub MCP Server

• Previous: v1.0.4 → New: v1.0.5 (1 patch version)
• Released: 2026-05-18
• Risk: Low — additive tool additions and pagination fixes

Key Features (v1.0.5)

• Add tool to list repo collaborators (Add tool to list repo collaborators github-mcp-server#2477)
• Add tool for discussion comment write operations (feat: Add tool for discussion comment write operations github-mcp-server#2427)
• Optional rationale parameter on update_issue_type (Add optional rationale parameter to update_issue_type tool github-mcp-server#2458)
• Minimal code search results with text match snippets (feat: return minimal code search results with text match snippets github-mcp-server#2476)
• Document Copilot Spaces PAT requirements (Document Copilot Spaces PAT requirements github-mcp-server#2479)

Bug Fixes

• Missing pagination on get_reviews (fix: add missing pagination on get_reviews github-mcp-server#2367)

Chores

• IFC label additions for list_issues, get_file_contents, search_issues, issue_read, search_repositories tools
• Replace ingress IFC reader list with private marker (Replace ingress IFC reader list with private marker github-mcp-server#2478)
• Upgrade go-github to v0.87 (Upgrade go-github to v 0.87 github-mcp-server#2452)

Package Links:

• Repository: https://github.com/github/github-mcp-server
• Release Notes: https://github.com/github/github-mcp-server/releases/tag/v1.0.5
• Full Changelog: github/github-mcp-server@v1.0.4...v1.0.5

---

Update MCP Gateway

• Previous: v0.3.9 → New: v0.3.16 (7 patch versions)
• Timeline: v0.3.10 (2026-05-15) through v0.3.16 (2026-05-21)
• Risk: Low — mostly internal refactoring, tests, OTEL/tracing improvements

MCP Gateway is the default sandbox.agent container (see pkg/constants/constants.go:184). All 7 intermediate releases focus on observability, refactoring, and DIFC policy improvements.

Key Features

• v0.3.10: Compact network context rendering; rust-guard performance optimizations (zero-alloc rank matching)
• v0.3.11: OTEL_EXPORTER_OTLP_HEADERS env var fallback for OTLP export; list_repository_collaborators DIFC rules
• v0.3.12: Support gh CLI /meta probe in DIFC proxy (Support gh CLI /meta probe in DIFC proxy gh-aw-mcpg#5924)
• v0.3.13: Sentry OTLP export support in smoke-otel-tracing; cached compiled custom JSON schemas
• v0.3.14: Cobra traverse hooks enabled; OTEL tracer-holder refactor
• v0.3.15: OTLP endpoint /v1/traces path append fix (fix(tracing): append /v1/traces to OTLP endpoint per spec gh-aw-mcpg#6137)
• v0.3.16: gen_ai semantic conventions alignment for tracing span attributes (feat(tracing): align span attributes with gen_ai semantic conventions gh-aw-mcpg#6153)

View Bug Fixes

• v0.3.10: Fall back to stderr (not stdout) when log-dir is unwritable (fix: fall back to stderr (not stdout) when log-dir is unwritable gh-aw-mcpg#5773)
• v0.3.11: Classify discussion_comment_write correctly; align list_repository_collaborators DIFC to reader-level
• v0.3.13: Raise PR enrichment buffer to 64 KB in Rust guard (Raise PR enrichment buffer to 64 KB in Rust guard gh-aw-mcpg#5938)
• v0.3.13: Use x-sentry-token header for Sentry OTLP auth
• v0.3.14: Flush tracing spans on /close endpoint shutdown (fix: flush tracing spans on /close endpoint shutdown gh-aw-mcpg#6115)
• v0.3.15: Use URL parsing for /v1/traces path append (fix(tracing): use URL parsing for /v1/traces path append gh-aw-mcpg#6141)

View Refactoring & Performance

• v0.3.10: Rust-guard zero-alloc rank matching via Cow<str> (rust-guard: remove hot-path scope/integrity allocations via Cow<str> and zero-alloc rank matching gh-aw-mcpg#5754)
• v0.3.11: Replace http.Error with httputil.WriteErrorResponse for consistent JSON error shape
• v0.3.13: Cache compiled custom JSON schemas (Cache compiled custom JSON schemas for repeated custom server validation gh-aw-mcpg#5940)
• v0.3.13: Upgrade go-sdk to v1.6.0 (Upgrade go-sdk to v1.6.0 and consolidate session-missing detection gh-aw-mcpg#6017)
• v0.3.13: Pin actions/github-script to immutable SHA, upgrade to v9.0.0
• v0.3.14: Extract BaseResponseWriter to httputil; cobra traverse hooks

Package Links:

• Repository: https://github.com/github/gh-aw-mcpg
• Release Notes: https://github.com/github/gh-aw-mcpg/releases/tag/v0.3.16
• Docker Image: ghcr.io/github/gh-aw-mcpg:v0.3.16

---

Impact Assessment

• Risk: Low across all updates — patch and minor releases with no breaking changes detected
• Affects: Default CLI versions used by gh-aw workflows; default MCP Gateway container; default GitHub MCP Server container
• Migration notes: None required. Existing workflows continue to work; new Codex/MCP Gateway features are opt-in.

Recommendations

• Update priority: Standard rollout (no security fixes flagged)
• Testing strategy: Run smoke tests for Claude Code, Copilot CLI, Codex agents; verify MCP Gateway tracing in smoke-otel-tracing workflow
• Watch items: MCP Gateway v0.3.11 added OTEL_EXPORTER_OTLP_HEADERS env var fallback — verify Sentry tracing flow still works in v0.3.15+ after the /v1/traces path append change

Files Modified

• pkg/constants/version_constants.go — version constants updated
• 233 workflow lock files (.github/workflows/*.lock.yml) regenerated via make recompile (ran twice)

References:

• §26209838886

Generated by 🔢 CLI Version Checker · ● 10.3M · ◷

• expires on May 23, 2026, 6:45 AM UTC