Blocked tool calls get their own page the agent can reason about, plus filter sessions by agent type
When the risk engine blocks a tool call it's now a durable, linkable page with thumbs-up/down feedback — and the reason is handed back to the agent so it explains the denial instead of inventing one. Agent Sessions also gain an agent-type filter.
Features
Durable tool-call block pages#3672 - Blocked tool calls are now first-class entities with a stable
URL and 👍/👎 feedback. The block reason is injected into the agent-facing response (Claude, Cursor, and Codex) with a link to the block page, so the agent can reason about the denial instead of hallucinating one, and a More Info link reaches it from the Risk Events modal. (Author: @daviddanialy)
Filter agent sessions by agent type#3712 - The Agent Sessions page gains an agent-type filter, populated from the agent sources actually present in each project's chats. (Author: @simplesagar)
Read-only and destructive labels in Distribute MCP tools#3713 - The Distribute → MCP → Tools view now shows the same text permission labels (Read-only, Destructive, Idempotent) as the Connect catalog, instead of icon-only badges, for quicker at-a-glance behavior hints. (Author: @daviddanialy)
Up-to-date badge on plugin detail#3708 - The plugin detail page now shows an explicit Up to date badge and surfaces the last-published time even when there are unpublished changes, rounding out the publish-freshness view. (Author: @daviddanialy)
Shorter access-request links on blocked tool calls#3710 - The "Request access" link on a blocked tool call now embeds a short cache-backed token instead of a 1,000-plus character encrypted blob, with previously issued links still working until they expire. (Author: @daviddanialy)
Bug fixes
Risky-only filter and in-thread search reworked#3715 - The chat detail "Risky only" filter now windows the full thread and shows flagged messages even when they sit on other transcript pages, and search steps through every occurrence in document order — across message text and tool call arguments and output — with the active match highlighted distinctly. (Author: @adaam2)
Prompt correlation no longer stalls on busy sessions#3716 - Claude Code prompt correlation now bounds its work and drains a large backlog of unlinked prompts incrementally, so prompts stay reliably linked to their telemetry instead of failing entirely on high-volume sessions. (Author: @danielkov)
Detect step Continue enables for category-level detectors#3714 - Creating a risk policy now enables the Continue button when only category-level detectors (Prompt Injection, Shadow MCP, Destructive Tools, Destructive CLI Commands) are selected, instead of treating those categories as empty and keeping the step disabled. (Author: @daviddanialy)
