[ca] Update CLI versions: Claude Code 2.1.7, Copilot 0.0.382, Codex 0.81.0, MCP Gateway v0.0.59

[github-actions]

CLI Version Updates - January 14, 2026

This issue tracks updates for 4 agentic CLI tools that have new versions available.

Summary

• Claude Code: 2.1.6 → 2.1.7
• Copilot CLI: 0.0.381 → 0.0.382
• Codex: 0.80.0 → 0.81.0
• MCP Gateway: v0.0.56 → v0.0.59

Files Modified: pkg/constants/constants.go has been updated with the new versions.

Action Required: Run make recompile to regenerate workflow files from constants.

---

1. Update Claude Code (2.1.6 → 2.1.7)

Version: 2.1.6 → 2.1.7
Release Date: January 14, 2026 (published at 00:00:19 UTC)
Timeline: Same-day update

Changes

• Breaking Changes: None
• New Features: No public changelog available for this version
• Bug Fixes: No public changelog available
• Security: None reported
• CLI Discovery: Cannot verify without installing (read-only filesystem)

Impact Assessment

• Risk: Low
• Affected Features: None identified
• Migration Required: No

Package Links

• NPM Package: https://www.npmjs.com/package/@anthropic-ai/claude-code
• Release Notes: No public GitHub repository available

---

2. Update Copilot CLI (0.0.381 → 0.0.382)

Version: 0.0.381 → 0.0.382
Release Date: January 14, 2026 (published at 18:55:01 UTC)
Timeline: Same-day update

Changes

• Breaking Changes: None identified
• New Features: Unknown (no public release notes)
• Bug Fixes: Unknown (no public release notes)
• Security: None reported
• CLI Discovery: Cannot verify without installing

Impact Assessment

• Risk: Low to Medium (requires integration testing per WARNING in constants.go)
• Affected Features: All Copilot-based workflows
• Migration Required: No, but full integration test recommended

Package Links

• NPM Package: https://www.npmjs.com/package/@github/copilot
• Repository: https://github.com/github/copilot-cli (may be private)

Notes

• WARNING: Per constants.go line 246, "UPGRADING COPILOT CLI REQUIRES A FULL INTEGRATION TEST RUN TO ENSURE COMPATIBILITY"
• Unable to access detailed changelog as repository may be private

---

3. Update Codex (0.80.0 → 0.81.0)

Version: 0.80.0 → 0.81.0
Release Date: January 14, 2026 (published at 18:12:36 UTC)
Timeline: Same-day update

Changes

Breaking Changes

• Default API Model Changed: Moved from previous model to gpt-5.2-codex (change api default model openai/codex#9188)

New Features

• Headless Device-Code Login: Automatically switches to device-code login when headless environment is detected, enabling sign-in without a browser ([device-auth] When headless environment is detected, show device login flow instead. openai/codex#8756)
• Read-Only Mounts: Linux sandbox can mount paths read-only to better protect files from writes (feat: add support for read-only bind mounts in the linux sandbox openai/codex#9112)
• Partial Tool Call Rendering: Support for partial tool calls rendering in TUI

Bug Fixes

• Alternate-Screen Handling: Fixed to avoid breaking Zellij scrollback; added config/flag to control behavior (fix: add tui.alternate_screen config and --no-alt-screen CLI flag for Zellij scrollback openai/codex#8555)
• Windows Sandbox Prompts: Correctly prompts before unsafe commands when running with read-only sandbox policy (fix: prompt for unsafe commands on Windows openai/codex#9117)
• Config Error Reporting: Config.toml and rules parsing errors now reported to app-server clients/TUI instead of failing silently (Improve handling of config and rules errors for app server clients openai/codex#9182, fix: report an appropriate error in the TUI for malformed rules openai/codex#9011)
• macOS Proxy Discovery: Worked around crash in system-configuration library during proxy discovery (Work around crash in system-configuration library openai/codex#8954)
• Invalid Image Uploads: Now surface errors instead of silently replacing invalid user image uploads (feat: return an error if the image sent by the user is a bad image openai/codex#9146)

Documentation

• JSON Schema: Published generated JSON Schema for config.toml validation in docs/ (add generated jsonschema for config.toml openai/codex#8956)
• TUI Documentation: Documented the TUI paste-burst state machine for terminals without reliable bracketed paste (fix(tui): document paste-burst state machine openai/codex#9020)

Chores

• Bazel Support: Added Bazel build support plus just bazel-codex helper for contributors (feat: add support for building with Bazel openai/codex#8875, feat: add bazel-codex entry to justfile openai/codex#9177)

Impact Assessment

• Risk: Medium (default model change could affect API behavior)
• Affected Features:
  • All Codex API calls (new default model)
  • Headless environments (improved login flow)
  • Linux sandbox configurations (new read-only mount capability)
  • Windows sandbox workflows (improved safety prompts)
• Migration Required: No code changes required, but test with new default model

Package Links

• NPM Package: https://www.npmjs.com/package/@openai/codex
• Repository: https://github.com/openai/codex
• Release Notes: https://github.com/openai/codex/releases/tag/rust-v0.81.0
• Full Changelog: openai/codex@rust-v0.80.0...rust-v0.81.0

---

4. Update MCP Gateway (v0.0.56 → v0.0.59)

Versions: v0.0.56 → v0.0.57 → v0.0.58 → v0.0.59
Release Dates:

• v0.0.57: January 14, 2026 (00:23:03 UTC)
• v0.0.58: January 14, 2026 (00:28:32 UTC)
• v0.0.59: January 14, 2026 (14:06:19 UTC)
  Timeline: Three releases in 14 hours

Changes in v0.0.57-v0.0.58

New Features

• Authentication Package (Add internal/auth package and update documentation for MCP spec 7.1 authentication gh-aw-mcpg#245)
  • New internal/auth package centralizes authentication logic
  • Full compliance with MCP Specification 7.1 for Authorization headers (plain API key format, not Bearer scheme)
  • ParseAuthHeader() function extracts API key and agent ID
  • ValidateAPIKey() function provides secure API key validation
  • Maintains backward compatibility with Bearer token format

Improvements

• Enhanced Release Workflow (Add git pull and uncommitted changes check to make release gh-aw-mcpg#244)
  • make release now syncs latest commits and tags from remote
  • Pre-flight validation prevents version conflicts
  • Uncommitted changes detection with clear error messages

Changes in v0.0.59

⚠️ Breaking Changes

Mount Path Validation Now Enforces Absolute Paths

Per MCP specification v1.7.0 §4.1.5, all mount paths (both host and container) must be absolute. Configurations with relative paths like "data:/app:ro" or "./config:/app/config:ro" will be rejected.

Action Required: Review config.toml or config.json files and update any relative mount paths to absolute paths starting with /.

Example:

// ❌ Will now fail
"mounts": ["data:/app/data:ro", "./config:/app/config:ro"]

// ✅ Correct format
"mounts": ["/var/app/data:/app/data:ro", "/home/user/config:/app/config:ro"]

Why this matters: Absolute paths enforce security and portability guarantees required by the MCP specification, preventing ambiguous path resolution that could lead to security vulnerabilities.

Improvements

• Enhanced Debug Logging for Authentication ([log] Add debug logging to auth header parser gh-aw-mcpg#253)
  • Comprehensive debug logging tracks auth header format detection
  • API key validation results logged
  • Missing/malformed headers detected
  • Sensitive data automatically sanitized (only first 4 characters shown)
  • Enable with DEBUG=auth:* environment variable

Code Quality

• Reusable Sanitization Helper (Extract auth header sanitization into reusable helper function gh-aw-mcpg#254)

  • Extracted auth header sanitization into sanitizeForLogging() function
  • Consistent secure logging across codebase

• Improved Test Coverage ([test] Add tests for difc.FormatViolationError gh-aw-mcpg#246)

  • Added 9 comprehensive test cases for DIFC violation error formatting
  • ~90% coverage for critical security error messages

Impact Assessment

• Risk: Medium (breaking change in mount path validation)
• Affected Features:
  • MCP server configurations with mount paths
  • Authentication flows (improved with new package)
  • Debug logging capabilities (enhanced)
• Migration Required: Yes - update any relative mount paths to absolute paths

Docker Images

docker pull ghcr.io/githubnext/gh-aw-mcpg:v0.0.59
# or
docker pull ghcr.io/githubnext/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

Package Links

• Repository: https://github.com/githubnext/gh-aw-mcpg
• Release v0.0.57: https://github.com/githubnext/gh-aw-mcpg/releases/tag/v0.0.57
• Release v0.0.58: https://github.com/githubnext/gh-aw-mcpg/releases/tag/v0.0.58
• Release v0.0.59: https://github.com/githubnext/gh-aw-mcpg/releases/tag/v0.0.59
• Full Changelog v0.0.56→v0.0.59: github/gh-aw-mcpg@v0.0.56...v0.0.59

---

Files Changed

Modified

• pkg/constants/constants.go (4 version constants updated)

Requires Recompilation

After merging, run:

make recompile

This will regenerate all workflow YAML files with the new version constants.

---

Testing Recommendations

1. Copilot CLI 0.0.382: Run full integration test suite (per WARNING in constants.go)
2. Codex 0.81.0: Test with new gpt-5.2-codex default model to ensure API compatibility
3. MCP Gateway v0.0.59:
   • Verify all mount path configurations use absolute paths
   • Test authentication flows with new internal/auth package
   • Verify debug logging works with DEBUG=auth:*

---

Version Check Details

Check Date: 2026-01-14
Previous Check: 2026-01-06
Tools Checked: 8 (4 updates found, 4 up-to-date)

Up-to-Date Tools

• GitHub MCP Server: v0.28.1 ✅
• Playwright MCP: 0.0.55 ✅
• Sandbox Runtime: 0.0.26 ✅
• Playwright Browser: v1.57.0 ✅

AI generated by CLI Version Checker