🌟 Release Highlights

This release focuses on reliability and correctness — fixing several impactful bugs reported by the community, improving agent workflow efficiency, and hardening security boundaries for the Claude engine.

🐛 Bug Fixes & Improvements

• protected-files object form compilation fixed — Workflows using the documented {policy, exclude} object form for protected-files were incorrectly rejected at compile time with expected string or null, got object. The schema now correctly allows the object form alongside the string shorthand. (#28341)

• APM-restored skills no longer clobbered in pull_request runs — Skills installed by pre-agent-steps (e.g. from .github/skills/) were silently overwritten because the "Restore agent config folders" step executed after pre-agent-steps. The step ordering is now correct for pull_request triggers. (#28290)

• push_to_pull_request_branch patch size now uses incremental diff — On long-running branches, max_patch_size was measured against the full cumulative diff from the default branch rather than the net change since the last push. Each iteration now measures only the incremental git diff against the PR branch head, preventing spurious size-limit rejections. (#28198)

• design-decision-gate reliability — Raised max-turns from 15 → 20 and added git ls-remote:* to allowed tools. The workflow was exhausting all turns on copilot/* PRs before completing useful work. An explicit MCP fallback table ensures the agent switches to GitHub MCP tools when pre-fetched context files are unavailable. (#28353)

• jsweep workflow no longer runs to 60 turns — Added explicit exit criteria after PR creation. Previously the agent kept calling create_pull_request in a loop consuming 4.64M tokens/run. (#28322)

• audit/audit-diff MCP tools now return structured JSON consistently — These tools were setting IsError: true on failure and routing output to stderr, unlike logs and compile which always return structured JSON. Behaviour is now consistent. (#28291)

• Model update in github-remote-mcp-auth-test — Replaced the unavailable gpt-5.1-codex-mini model with gpt-5.4-mini, fixing 3+ days of consecutive workflow failures. (#28321)

• MCP Gateway v0.2.30 compatibility — The mempalace shared config now includes the required container field on stdio server entries, fixing daily-fact workflow failures after the gateway schema tightened. (#28288)

✨ What's New

• Hippo memory vector embeddings — New hippo-embed maintenance workflow generates vector embeddings for all Hippo memories (previously <1% were embedded, making semantic recall nearly non-functional). The daily-hippo-learn workflow now runs hippo embed on every cycle to keep the index current. (#28178)

• Claude bypassPermissions tool enforcement documented and hardened — When Claude Code runs in bypassPermissions mode (triggered by unrestricted bash access), --allowed-tools is silently ignored. The MCP gateway allowed: filter is now the documented sole effective tool boundary in this mode, with implementation notes added to prevent regressions. (#28174)

⚡ Performance

• docs-noob-tester token usage reduced ~70% — Server setup (npm install, Astro dev server startup, readiness polling, bridge IP detection) now runs in pre-agent-steps before the agent starts, saving ~700K–1M tokens/run. Timeout reduced from 45 → 30 minutes. (#28343)

📚 Documentation

• Docs table wrapping on tablet screens — Markdown tables on 641px–768px viewports were silently clipped without horizontal scroll. A new rehype plugin wraps tables in a scrollable container. (#28280)

🌍 Community Contributions

For complete details, see CHANGELOG.

Generated by Release · ● 1.4M

What's Changed

• fix: sync Hard Turn Budget in design-decision-gate prompt to match max-turns: 15 by @Copilot in #28173
• fix(otel): emit agent sub-span for cancelled workflow runs by @Copilot in #28172
• feat: add hippo-embed workflow + recurring embed step to daily-hippo-learn by @Copilot in #28178
• Normalize report formatting guidelines across 5 reporting workflows by @Copilot in #28186
• docs: document Claude bypassPermissions/--allowed-tools security boundary by @Copilot in #28174
• build(deps): Bump fast-xml-parser from 5.5.9 to 5.7.1 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #28189
• [docs] docs: remove duplicated code block and redundant paragraph in concurrency reference by @github-actions[bot] in #28194
• fix: disallow --name flag when adding multiple workflows at once by @Copilot in #28195
• chore: bump CLI tool versions (Claude Code, Copilot, Codex, MCP Server, MCP Gateway) + fix comment memory rendering + fix Claude install by @Copilot in #28200
• Update docs sidebar and streamline references by @dsyme in #28223
• [architecture] Update architecture diagram - 2026-04-24 by @github-actions[bot] in #28227
• chore(deps): update golang.org/x/vuln v1.2.0 → v1.3.0 by @Copilot in #28232
• [dead-code] chore: remove dead functions — 1 function removed by @github-actions[bot] in #28257
• rename: FormatReference → FormatPinnedActionReference, notifyResolutionFailure → recordPinResolutionFailure in pkg/actionpins by @Copilot in #28246
• [docs] dev.md v7.0 maintenance tone scan (2026-04-24) by @github-actions[bot] in #28244
• deps: bump github.com/charmbracelet/x/exp/golden to v0.0.0-20260422141420-a6cbdff8a7e2 by @Copilot in #28231
• Fix push_to_pull_request_branch patch size to use incremental net diff by @Copilot in #28198
• [jsweep] Clean create_labels.cjs and add comprehensive tests by @github-actions[bot] in #28210
• refactor: move outlier functions to their semantic homes by @Copilot in #28282
• docs: add build-time table scroll wrapper as no-JS fallback by @Copilot in #28280
• Add update_pull_request_branches maintenance operation with dedicated workflow job by @Copilot in #28108
• fix(codemod): preserve source pin when migrating tools.serena by @Copilot in #28286
• fix(spec-enforcer): add explicit noop branch when all tests are already up-to-date by @Copilot in #28289
• fix(mcp): audit/audit-diff return graceful JSON errors instead of IsError=true by @Copilot in #28291
• fix: migrate mempalace MCP server to HTTP transport for MCP Gateway v0.2.30 by @Copilot in #28288
• fix(skill-optimizer): pre-flight stash, higher limits, targeted eval tasks by @Copilot in #28292
• Suggest tools.github.mode: gh-proxy when api.github.com is firewall-blocked by @Copilot in #28293
• Add push trigger on repository default branch for .github/workflows/*.md to agentic maintenance workflow generator by @Copilot in #28295
• fix: move base-folder restore before pre-agent-steps so APM-restored skills survive PR context by @Copilot in #28290
• fix: resolve 4 CLI help text inconsistencies (secrets bootstrap, trial, logs, validate) by @Copilot in #28306
• build(deps): Bump postcss from 8.5.8 to 8.5.10 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #28312
• fix: add render_template.cjs and is_truthy.cjs to SAFE_OUTPUTS_FILES by @Copilot in #28331
• Fix copilot-pr-prompt-analysis: add github ecosystem to firewall allow-list by @Copilot in #28319
• test(workflow): improve agentic_engine_test.go quality with testify patterns by @Copilot in #28320
• jsweep: add Done Conditions to prevent runaway PR creation loop by @Copilot in #28322
• Apply progressive disclosure to firewall blocked domains alert by @Copilot in #28332
• fix: replace unsupported gpt-5.1-codex-mini model in github-remote-mcp-auth-test by @Copilot in #28321
• build(deps): Bump go.opentelemetry.io/otel from 1.39.0 to 1.41.0 in the go_modules group across 1 directory by @dependabot[bot] in #28337
• fix: replace unsupported model pins in 5 workflow frontmatters by @Copilot in #28323
• feat: use actions/cache and artifacts for APM bundle with lock file hash + engine ID key by @Copilot in #28333
• optimize: move docs-noob-tester setup to pre-agent-steps, slim prompt, reduce timeout by @Copilot in #28343
• fix: add regression tests for protected-files object form compilation by @Copilot in #28341
• fix(security): remove readiness check from MemPalace MCP server startup by @Copilot in #28340
• fix(design-decision-gate): add git ls-remote permission, raise turn limit to 20, add MCP fallback by @Copilot in #28353

Full Changelog: v0.71.0...v0.71.1