Default to Claude Sonnet 5 and share remote session clients across an organization
New assistants and in-app model usage now default to Claude Sonnet 5. Remote session clients can also be created at the organization level, so every project can share one instead of configuring its own, and admins get finer control over who can unmask redacted secrets in Risk Events.
Features
Default to Claude Sonnet 5#3758 - Claude Sonnet 5 (
) is now the default model for in-app usage and newly created assistants, added to the allowlist and every model picker across the playground, Elements, and onboarding. Specialized models used for risk and PromptIntel judging, chat segmentation, embeddings, and follow-on suggestions are unchanged. (Author: @simplesagar)
Organization-level remote session clients#3749 - Create a
with no project so every project in the organization can attach and use it, mirroring the existing convention for organization-level remote session issuers. A project admin can attach, detach, and use an organization-level client from their own session issuer, but editing or deleting it stays with org admins. (Author: @bflad)
Restrict who can unmask redacted secrets#3766 - Server-side controls now govern who can reveal redacted secrets flagged in chat, giving admins a way to restrict access to sensitive matched values. (Author: @qstearns)
Human-readable plugin marketplace names in Claude Code#3763 - Plugin marketplaces now send a human-readable display name to Claude Code, so plugins show with their admin-entered name and capitalization (e.g., "MoonPay MCP Servers") instead of a de-slugified lowercase name ("Moonpay mcp servers"). (Author: @bradcypert)
Unified endpoint for third-party hook ingestion#3661 - A single
endpoint now accepts hook events from any third-party provider. Hook plugins authenticate each developer locally through a browser callback flow and store a hooks-scoped key on the device, while existing provider-specific hook endpoints keep working. (Author: @danielkov)
Redirect URI callout for remote identity provider clients#3762 - The Remote Session Client form now surfaces the callback URL needed when manually configuring a remote identity provider client, making the setup step easier to complete correctly. (Author: @qstearns)
Caching for public OAuth and MCP metadata endpoints#3761 - Public well-known OAuth/MCP metadata responses now send
and a strong ETag with 304 revalidation, so clients and proxies can cache them. The OAuth Client ID Metadata Document keeps its one-hour max-age and also gains an ETag. (Author: @bflad)
Bug fixes
Gate secret reveal behind the chat:read scope#3764 - Users without the
scope now see flagged secret values in Risk Events as a non-interactive "Hidden" placeholder instead of a reveal control, and the page-level "Reveal all" toggle is hidden for them. (Author: @simplesagar)
Add session_capture_exclusions table#3528 - Internal schema migration adding a