Edit system role permissions, tune risk detection sensitivity, and tighten shadow MCP enforcement
Organizations get more control over access and risk detection this release: the built-in admin and member roles can now be tailored per organization, and risk policies gain a sensitivity slider for tuning how aggressively detections fire. Shadow MCP enforcement is also hardened: one fix closes a bypass gap and another removes false positives.
Features
Editable system-role permissions #3727 - Edit the permissions of the built-in admin and member roles per organization, while their name and description stay platform-managed. The Admin role is guarded against losing the permission to prevent an org lockout. The roles tab is reworked so the whole role row opens the edit sheet, scope groups show a description when collapsed, and the members column uses an interactive member facepile with hover focus and click-to-view-all. Directory Sync (SCIM) organizations see info alerts on the team, roles, and identity pages explaining that members and roles are managed by the identity provider while SCIM is enabled. (Author: @adaam2)
Configurable risk detection sensitivity #3723 - Each risk policy now has a minimum match-confidence threshold, adjustable with a Sensitivity slider in the policy wizard, so detections can be tuned to be more or less aggressive. The default sensitivity is lowered to 0.5. (Author: @dennnis-ez)
Bug fixes
Harden Codex shadow MCP enforcement #3719 - Codex shadow MCP calls are now checked against the session's actual MCP server inventory, closing a gap where enforcement could be bypassed. (Author: @danielkov)
Fix Cursor shadow MCP enforcement false positives #3720 - Cursor shadow MCP enforcement no longer wrongly blocks Speakeasy-hosted MCP servers when a shadow MCP risk policy is enabled. Access is now decided by the server URL rather than requiring the agent to echo an internal identifier. (Author: @danielkov)
Fix duplicate servers in the MCP catalog #3310 - The MCP catalog no longer lists duplicate servers (with an inflated count) when loading more results. (Author: @alx-xo)
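The two shadow MCP fixes above both come down to comparing a called server's URL with the session's known inventory. The sketch below is an added example, not the product's code: the function names, the normalization rules and the sample inventory are assumptions, showing why the comparison should run on a canonical form and fail closed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample inventory for one agent session (hypothetical values).
SESSION_INVENTORY = [
    "https://mcp.example.com/mcp",
    "http://localhost:3000/sse",
]


def canonical_mcp_url(raw):
    """Reduce a server URL to (scheme, host, port, path); None if unusable.

    Assumption: query string and fragment do not identify the server.
    """
    try:
        parts = urlsplit(raw.strip())
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # user:pass@host authorities invite host confusion, so reject them outright.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname.lower().rstrip(".")
    if port is None:
        port = DEFAULT_PORTS[scheme]
    path = parts.path.rstrip("/") or "/"
    return (scheme, host, port, path)


def is_shadow_mcp(call_url, session_inventory):
    """True when the called server is not part of the session's inventory."""
    target = canonical_mcp_url(call_url)
    if target is None:
        return True  # fail closed: an unparseable URL is never treated as known
    known = {canonical_mcp_url(u) for u in session_inventory}
    known.discard(None)
    return target not in known


if __name__ == "__main__":
    for url in ("HTTPS://MCP.Example.com:443/mcp/",
                "https://mcp.example.com@other.example/mcp"):
        print(url, "-> shadow" if is_shadow_mcp(url, SESSION_INVENTORY) else "-> known")
```

Exact-match on the canonical tuple avoids both failure modes named in the fixes: cosmetic URL differences no longer cause a false block, and a lookalike authority does not pass as an inventoried server.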