Back to all releases

v0.81.0

Platform

// July 7, 2026

Test prompt guardrails against real chats, flag personal AI accounts, and attach remote MCP servers to assistants

Policy authors can now prove a prompt guardrail works before rolling it out: a new evaluation workbench replays real chat transcripts through a policy and shows per-message judge verdicts, with verdicts saved as regression sets for future changes. A new Non-Corporate Accounts risk policy flags sessions authenticated with personal AI accounts or unapproved email domains, and assistants can now connect directly to remote MCP servers alongside their toolsets.

Features

  • Policy evaluation workbench for prompt guardrails #3924 - Replay real chat transcripts through a prompt guardrail and see per-message judge verdicts with cost and latency details before enforcing the policy. Reviewer verdicts can be saved, listed, and deleted as regression sets, so a policy edit can be checked against past decisions instead of guesswork. CEL scopes are supported in replay. (Author: @vishalg0wda)
  • Flag sessions from personal AI accounts #3861 - A new Non-Corporate Accounts risk-policy category flags sessions authenticated with a personal AI account or with an AI-account email domain outside an approved list you configure. Findings appear once per session on the Risk Events page, and the approved-domains list is editable in the Policy Center's Customize sheet. (Author: @daviddanialy)
  • Attach remote MCP servers to assistants #3831 - Assistants can now connect directly to MCP servers, including remote (external SaaS) and tunneled servers that aren't backed by a Gram toolset. The assistant setup chat can list the project's MCP servers and attach one by name, and the assistant's runtime connects to it alongside its toolsets. (Author: @danielkov)
  • Self-serve sign-in for hook plugins #3824 - Connecting the hooks plugin no longer requires Python or manual API key setup. On session start the plugin opens the Gram dashboard in a browser, receives a hooks-scoped API key on a localhost callback, and caches it per device. Machines that have never signed in aren't blocked — sessions proceed with a warning, and enforcement only becomes strict after the first successful sign-in. (Author: @danielkov)
  • Track skill activations in Codex sessions #3896 - Opening a skill's SKILL.md or mentioning a skill by name in a Codex session now surfaces as
    events in observability, matching the visibility already available for Claude Code sessions. (Author: @danielkov)
  • Email org admins when an access request is submitted #3221 - Org admins now get an email when a new access request comes in, so requests are noticed and approved without anyone having to watch the dashboard. (Author: @alx-xo)
  • See which account an employee used last #3909 - The Employees page's Last Activity column now shows the most recently used AI account as a dropdown, with icons distinguishing team accounts from personal ones (#3858 by @chase-crumbaugh). (Author: @daviddanialy)
  • Refresh list pages in place #3860 - Catalog, MCP, Agent Sessions, Employee Insights, User Sessions, Risk Events, and the Observe Tools and Agents log pages now have a manual refresh button in the toolbar, so the latest data is one click away without reloading the page. (Author: @simplesagar)
  • Assistant setup chat history is preserved #3811 - Prior onboarding threads with the assistant setup chat are now listed and URL-addressable, so a setup conversation can be picked up where it left off or shared with a teammate. (Author: @claude)
  • Groundwork for shared remote session providers #3812 - An internal admin API now manages a platform-wide catalog of remote session providers, laying the foundation for projects to inherit shared providers in a future release. (Author: @walker-tx)

Bug fixes

  • Restore MCP tools in chat #3831 - Chat MCP tool connections no longer fail with an "Illegal invocation" fetch error that left chats without their configured MCP tools, including the assistant setup chat. Opening a chat via a shared
    URL also reliably restores the linked conversation instead of sometimes landing on a new empty thread. (Author: @danielkov)
  • View teammates' assistant chats read-only #3931 - Admins opening another member's project assistant chat now see a read-only transcript instead of hitting a "chat not found" error on send. The composer is hidden for threads the signed-in caller didn't create, matching what the backend has always enforced. (Author: @adaam2)
  • Let environment editors edit environments #3916 - Creating, updating, and deleting environments now checks the
    permission instead of
    , so principals holding only
    are no longer rejected. Dashboard gates were realigned to match. (Author: @qstearns)
  • Recover from stale hooks credentials #3901 - Cached hook credentials that are rejected on auth are now cleared automatically, so Claude prompt submission continues and the user is prompted to reconnect instead of getting stuck. (Author: @danielkov)
Sagar Batchu
Sagar Batchu
View on GitHub