Release v0.2.20

Release v0.2.20

Changes since v0.2.19

github-actions[bot] (1)

• deps(runner): bump claude-agent-sdk 0.2.102, anthropic 0.109.2 (#1694) (edaaa9a)

Kyle Squizzato (1)

• fix(runner): make integrations behave more consistently in session (#1686) (1bd2057)

Full Changelog: v0.2.19...v0.2.20

---

CodeRabbit Triage Summary

CodeRabbit Triage: v0.2.20

Metric	Value	Δ vs Previous
PRs analyzed	1	-29 ↓
Critical issues	0	-23 ↓
Major issues	2	-118 ↓
Issues per PR	2.0	-2.8 ↓
Coverage gaps	2	-123 ↓

Trend

Release	Date	PRs	Critical	Major	Per PR	Gaps
v0.2.0	2026-04-10	30	23	120	4.8	125
v0.2.20	2026-06-15	1	0	2	2.0	2

Top Uncovered Patterns

1. Gemini prompt now has conflicting GitHub instructions in MCP mode. (1 occurrences, impact: 3) — runner
2. Jira sidecar mode is currently misdetected as “not configured”. (1 occurrences, impact: 3) — runner

Recommended Guardrails

CLAUDE.md Conventions

• Gemini prompt now has conflicting GitHub instructions in MCP mode.: Enforce via convention (needs specific rule)
• Jira sidecar mode is currently misdetected as “not configured”.: Enforce via convention (needs specific rule)

Hookify Rules

• PreToolUse hook for gemini prompt now has conflicting github instructions in mcp mode. enforcement in Python code
• PreToolUse hook for jira sidecar mode is currently misdetected as “not configured”. enforcement in Python code

Release v0.2.19

Release v0.2.19

Changes since v0.2.18

Mark Turansky (1)

• fix(runner): always emit MESSAGES_SNAPSHOT to prevent compaction failures (#1693) (b85feee)

Full Changelog: v0.2.18...v0.2.19

Release v0.2.18

Release v0.2.18

Changes since v0.2.17

🎉 First-Time Contributors

• Kyle Squizzato

dependabot[bot] (2)

• chore(deps): bump the uv group across 1 directory with 5 updates (#1691) (cbb6023)
• chore(deps): bump the npm_and_yarn group across 4 directories with 3 updates (#1688) (cfe520d)

Kyle Squizzato (1)

• fix(frontend): offset error toast to prevent overlaying stop button (#1689) (7e918dd)

Mark Turansky (1)

• fix(frontend): prevent session polling from stopping permanently after backend errors (#1692) (0b0a1d9)

Full Changelog: v0.2.17...v0.2.18

Release v0.2.17

Release v0.2.17

Changes since v0.2.16

github-actions[bot] (1)

• deps(runner): bump claude-agent-sdk 0.2.101 (#1681) (5c41471)

Full Changelog: v0.2.16...v0.2.17

Release v0.2.16

Release v0.2.16

Changes since v0.2.15

Mark Turansky (1)

• fix(backend): include thread_id in between-run listener events URL (#1687) (50a0594)

Full Changelog: v0.2.15...v0.2.16

Release v0.2.15

Release v0.2.15

Changes since v0.2.14

Mark Turansky (1)

• fix(frontend): restore chat history when returning to a session (#1684) (d3ee37a)

Full Changelog: v0.2.14...v0.2.15

Release v0.2.14

Release v0.2.14

Changes since v0.2.13

jsell-rh (22)

• chore(ambient-ui): rebrand user-facing text from Ambient to ACP (#1672) (16bf3e5)
• feat(security): credential binding enforcement (#1671) (5ea8bef)
• spec(security): credential binding enforcement (#1670) (c5de4fc)
• feat(manifests): enable RBAC authorization in SaaS template (#1667) (13a0805)
• feat(api-server): RBAC enforcement with scope-aware authorization (#1660) (b93485d)
• feat(tekton): add Konflux pipelines for ambient-ui, mcp, and credential sidecars (#1665) (fb8ce78)
• feat(manifests): rewrite SaaS templates to match hcmais deployment (#1659) (04d9b43)
• docs(deploy): credential encryption key setup and plaintext defaults (#1658) (cd9d5d9)
• fix(api-server): address coderabbit review on credential encryption (#1657) (d9a3e4e)
• feat(api-server): credential token encryption at rest (#1656) (a793466)
• spec(security): credential token encryption at rest (#1655) (498bd13)
• fix(credentials): align UI provider registry with API enum (#1654) (4da6f09)
• fix(api-server): seed credential:viewer role in migration (#1653) (6973963)
• feat(ambient-ui): Credentials view with binding matrix (#1650) (78e3086)
• feat(ambient-ui): Dashboard, agent detail, multi-session sidebar, responsive layout (#1647) (933eb0d)
• spec(security): RBAC runtime enforcement specification (#1640) (233a2cc)
• feat(ambient-ui): Agents view, Session creation, SDLC ops dashboard spec (#1641) (754ab13)
• fix(ambient-ui): address CodeRabbit review findings from #1638 (#1639) (7fa15f4)
• feat(ambient-ui): Resources/Config tabs, session table enhancements, navigation overhaul (#1638) (a5a95b1)
• feat(ambient-ui): chat tab, action bar, persistent chat sidebar (#1636) (cc61b11)
• feat(manifests): retarget hcmais overlay for ambient-ui deployment (#1634) (0fd9a46)
• feat(ambient-ui): session log details tab (#1633) (f9c8817)

github-actions[bot] (7)

• deps(runner): bump claude-agent-sdk 0.2.99 (#1679) (1a4eaf7)
• deps(runner): bump claude-agent-sdk 0.2.97, anthropic 0.109.1 (#1673) (b5bc02d)
• deps(runner): bump claude-agent-sdk 0.2.94 (#1666) (1162d5d)
• deps(runner): bump claude-agent-sdk 0.2.93, anthropic 0.107.1 (#1663) (e968afb)
• deps(runner): bump claude-agent-sdk 0.2.91 (#1652) (a61d106)
• deps(runner): bump claude-agent-sdk 0.2.89 (#1649) (a44f39f)
• deps(runner): bump claude-agent-sdk 0.2.88 (#1637) (8dd99cd)

Mark Turansky (5)

• fix(backend): preserve snapshot events in loadEvents head+tail read for large JSONL files (#1662) (8e3bac3)
• feat(api-server,sdk,cli): implement Application API with full-stack support (#1676) (f4e07df)
• feat(spec): add AgenticApplication to data model spec (#1648) (bd7ae53)
• feat(spec): session SA requires system:image-builder for registry push (#1635) (7276402)
• feat: MPP-aware pod-status-syncer and kubernetes MCP sidecar (#1632) (9ad67f7)

dependabot[bot] (4)

• chore(deps): bump uuid from 8.3.2 to removed in /e2e in the npm_and_yarn group across 1 directory (#1680) (18d3639)
• chore(deps): bump starlette from 0.50.0 to 1.0.1 in /components/runners/ambient-runner in the uv group across 1 directory (#1651) (094cb96)
• chore(deps): bump aiohttp from 3.13.5 to 3.14.0 in /components/runners/ambient-runner in the uv group across 1 directory (#1646) (859caa7)
• chore(deps): bump github.com/quic-go/quic-go from 0.59.0 to 0.59.1 in /components/public-api in the go_modules group across 1 directory (#1645) (5888593)

Matt Knop (3)

• removing unused components (#1678) (338c379)
• Adding tekton files for building each component of Ambient Code (#1644) (994ec0a)
• feat: add OpenShift deployment templates (#1642) (1b01260)

Jeremy Eder (1)

• fix: harden token redaction in GitLab logger and session error handling (#1669) (1c23b65)

Full Changelog: v0.2.13...v0.2.14

---

CodeRabbit Triage Summary

CodeRabbit Triage: v0.2.14

Metric	Value	Δ vs Previous
PRs analyzed	20	-10 ↓
Critical issues	7	-16 ↓
Major issues	100	-20 ↓
Issues per PR	5.3	+0.5 ↑
Coverage gaps	91	-34 ↓

Trend

Release	Date	PRs	Critical	Major	Per PR	Gaps
v0.2.0	2026-04-10	30	23	120	4.8	125
v0.2.14	2026-06-11	20	7	100	5.3	91

Top Uncovered Patterns

1. Propagate revoke failures so orphaned grants get retried. (4 occurrences, impact: 12) — api-server, other, runner
2. Run History drops sessions once the project has more than 100 runs. (3 occurrences, impact: 9) — other
3. Do not inject credentials after partial grant failures. (2 occurrences, impact: 6) — api-server, other
4. Avoid exposing raw mutation error messages to end users. (2 occurrences, impact: 6) — other
5. Fail closed when the encrypted-token probe cannot run. (2 occurrences, impact: 6) — api-server, other
6. Replace hardcoded project_id: 'hi' with a real fixture project id. (2 occurrences, impact: 6) — other
7. Scope the sidebar Escape handler before clearing all tabs. (2 occurrences, impact: 6) — manifests, other
8. Align the repo annotation with the actual source repository. (2 occurrences, impact: 6) — other
9. Tabs won't sync with browser back/forward. (2 occurrences, impact: 6) — other
10. Scope terminated-container failure detection to the runner container. (2 occurrences, impact: 6) — other

Recommended Guardrails

CLAUDE.md Conventions

• Propagate revoke failures so orphaned grants get retried.: Enforce via convention (needs specific rule)
• Run History drops sessions once the project has more than 100 runs.: Enforce via convention (needs specific rule)
• Do not inject credentials after partial grant failures.: Enforce via convention (needs specific rule)
• Avoid exposing raw mutation error messages to end users.: Enforce via convention (needs specific rule)
• Fail closed when the encrypted-token probe cannot run.: Enforce via convention (needs specific rule)
• Replace hardcoded project_id: 'hi' with a real fixture project id.: Enforce via convention (needs specific rule)
• Scope the sidebar Escape handler before clearing all tabs.: Enforce via convention (needs specific rule)
• Align the repo annotation with the actual source repository.: Enforce via convention (needs specific rule)
• Tabs won't sync with browser back/forward.: Enforce via convention (needs specific rule)
• Scope terminated-container failure detection to the runner container.: Enforce via convention (needs specific rule)

Hookify Rules

• PreToolUse hook for propagate revoke failures so orphaned grants get retried. enforcement in Python code
• PreToolUse hook for run history drops sessions once the project has more than 100 runs. enforcement in TypeScript code
• PreToolUse hook for do not inject credentials after partial grant failures. enforcement in TypeScript code
• PreToolUse hook for avoid exposing raw mutation error messages to end users. enforcement in TypeScript code
• PreToolUse hook for fail closed when the encrypted-token probe cannot run. enforcement in TypeScript code
• PreToolUse hook for replace hardcoded project_id: 'hi' with a real fixture project id. enforcement in TypeScript code
• PreToolUse hook for scope the sidebar escape handler before clearing all tabs. enforcement in TypeScript code
• PreToolUse hook for align the repo annotation with the actual source repository. enforcement in TypeScript code
• PreToolUse hook for tabs won't sync with browser back/forward. enforcement in TypeScript code
• PreToolUse hook for scope terminated-container failure detection to the runner container. enforcement in TypeScript code

Release v0.2.13

Release v0.2.13

Changes since v0.2.12

Mark Turansky (1)

• fix: resolve kustomize 5.4.3 panic on ambient-ui delete patch (#1631) (992f98f)

Full Changelog: v0.2.12...v0.2.13

Release v0.2.12

Release v0.2.12

Changes since v0.2.11

Full Changelog: v0.2.11...v0.2.12

Release v0.2.11

Release v0.2.11

Changes since v0.2.10

Mark Turansky (2)

• fix: update mcp-proxy invocation for CLI breaking change in credential sidecars (#1629) (4456c63)
• fix: correct COPY paths in credential sidecar Dockerfiles for CI build context (#1627) (2efb2db)

jsell-rh (1)

• feat(ambient-ui): status bar with connection context switching (#1626) (e86b1fe)

Full Changelog: v0.2.10...v0.2.11

---

CodeRabbit Triage Summary

CodeRabbit Triage: v0.2.11

Metric	Value	Δ vs Previous
PRs analyzed	2	-28 ↓
Critical issues	1	-22 ↓
Major issues	6	-114 ↓
Issues per PR	3.5	-1.3 ↓
Coverage gaps	7	-118 ↓

Trend

Release	Date	PRs	Critical	Major	Per PR	Gaps
v0.2.0	2026-04-10	30	23	120	4.8	125
v0.2.11	2026-06-01	2	1	6	3.5	7

Top Uncovered Patterns

1. Do not keep connection overrides in process-global module state. (1 occurrences, impact: 4) — other
2. Blank token cannot switch back to SSO once a custom token was set. (1 occurrences, impact: 3) — other
3. Interaction contract mismatch: spec says double-click, implementation intent says click. (1 occurrences, impact: 3) — other
4. Spec/implementation mismatch: popover vs inline expansion. (1 occurrences, impact: 3) — other
5. Do not document TLS verification disablement for production. (1 occurrences, impact: 3) — other
6. Fix NODE_EXTRA_CA_CERTS to trust the OpenShift service-ca signer (not the serviceaccount CA). (1 occurrences, impact: 3) — manifests
7. Distroless-incompatible verification command will fail. (1 occurrences, impact: 3) — other

Recommended Guardrails

CLAUDE.md Conventions

• Do not keep connection overrides in process-global module state.: Enforce via convention (needs specific rule)
• Blank token cannot switch back to SSO once a custom token was set.: Enforce via convention (needs specific rule)
• Interaction contract mismatch: spec says double-click, implementation intent says click.: Enforce via convention (needs specific rule)
• Spec/implementation mismatch: popover vs inline expansion.: Enforce via convention (needs specific rule)
• Do not document TLS verification disablement for production.: Enforce via convention (needs specific rule)
• Fix NODE_EXTRA_CA_CERTS to trust the OpenShift service-ca signer (not the serviceaccount CA).: Enforce via convention (needs specific rule)
• Distroless-incompatible verification command will fail.: Enforce via convention (needs specific rule)

Hookify Rules

• PreToolUse hook for do not keep connection overrides in process-global module state. enforcement in TypeScript code
• PreToolUse hook for blank token cannot switch back to sso once a custom token was set. enforcement in TypeScript code
• PreToolUse hook for interaction contract mismatch: spec says double-click, implementation intent says click. enforcement in TypeScript code
• PreToolUse hook for spec/implementation mismatch: popover vs inline expansion. enforcement in TypeScript code
• PreToolUse hook for do not document tls verification disablement for production. enforcement in TypeScript code
• PreToolUse hook for fix node_extra_ca_certs to trust the openshift service-ca signer (not the serviceaccount ca). enforcement in TypeScript code
• PreToolUse hook for distroless-incompatible verification command will fail. enforcement in TypeScript code