[ca] Update CLI versions: Codex 0.133.0, Copilot CLI 1.0.52, GitHub MCP Server v1.0.5

[github-actions]

Summary

Three CLI/MCP tools have new stable releases. Constants in pkg/constants/version_constants.go updated and make recompile ran twice — 235 lock files regenerated.

Tool	Previous	New	Risk
Copilot CLI	1.0.51	1.0.52	Low
OpenAI Codex	0.130.0	0.133.0 (3 intermediate)	Low–Medium
GitHub MCP Server	v1.0.4	v1.0.5	Low

No changes needed for: Claude Code (2.1.150), MCP Gateway (v0.3.18), Playwright MCP (0.0.75), Playwright CLI (0.1.13), Playwright Browser (v1.60.0).

---

Update Copilot CLI

• Previous: 1.0.51 → New: 1.0.52
• Release date: 2026-05-23
• Release notes: https://github.com/github/copilot-cli/releases/tag/v1.0.52
• NPM Package: https://www.npmjs.com/package/`@github/copilot`
• Repository: https://github.com/github/copilot-cli

Key Features

• Scrollbar with mouse drag support in the main conversation view.
• /compact accepts optional focus instructions to shape the compaction summary.
• /usage shows quota progress bars for session and weekly limits.
• New deferred-tool-loading agent frontmatter for tool-search discovery on large toolsets.
• Status line command accepts plain shell commands alongside executable script paths.
• Old process log files in ~/.copilot/logs/ are auto-pruned at startup.
• General-purpose subagents use GPT-5.4 or GPT-5.5 when available.
• Reasoning tokens shown alongside output token count in usage summary.

View Full Changelog (Copilot CLI 1.0.52)

Bug Fixes

• Non-interactive subcommands (plugin list, mcp list, help, version) no longer read from stdin.
• Switching to Autopilot mode no longer raises unexpected permission prompts for tools, paths, or URLs.
• copilot --continue from a saved session refreshes the saved branch and git context.
• Kill command safety filter no longer rejects valid commands with shell redirection (e.g., kill -0 <PID> 2>/dev/null).
• Sessions resume in their saved working directory; pass -C to override. Relative-path flag values resolve from saved cwd.
• Context window tier selection (~200K vs 1M tokens) enforced across compaction, truncation, and token display.
• AI Credits usage now correctly displays after Responses API sessions.
• Rendering stutter fixed on tmux + Cygwin/mintty.
• Slash command picker keeps (experimental) and (staff) labels orange when row is selected.
• Sessions with non-URL strings in URL/URI fields resume without 'Session file is corrupted' error.
• HTTP/2 upload stall timeouts auto-retry over HTTP/1.1.
• Windows: sessions no longer fail to load when a process exits with a high-bit exit code.
• Timeline entry connector color matches surrounding elements when expanded.
• Gray background bar removed from user messages on non-truecolor terminals.
• Exit summary AI Credits label has correct spacing.
• /restart and /update preserve current session ID.
• PowerShell's division operator no longer falsely triggers 'Allow directory access' prompt on Windows.

MCP / OAuth

• Legacy nested oauth.clientId and oauth.callbackPort keys in MCP server configs are migrated to oauthClientId and auth.redirectPort (previously dropped silently).
• MCP OAuth re-authentication honors configured redirectPort.

Polish & UI

• /statusline picker has cleaner item descriptions and improved spacing.
• Picker checkboxes use a single-cell ▣/▢ glyph.
• AI credits error messages reworded for clarity; include Manage budget link.

Impact Assessment

• Risk: Low — patch release, mostly bug fixes and UI polish.
• Affects: Copilot engine workflows. The MCP OAuth key migration is helpful for any nested-config users. No breaking changes detected.
• Verify after update: MCPs load (tools.mcp configuration), /models works with PAT auth (per existing checklist in version_constants.go comment).

---

Update OpenAI Codex

• Previous: 0.130.0 → New: 0.133.0
• Intermediate versions: 0.131.0, 0.132.0
• Release notes:
  • https://github.com/openai/codex/releases/tag/rust-v0.131.0
  • https://github.com/openai/codex/releases/tag/rust-v0.132.0
  • https://github.com/openai/codex/releases/tag/rust-v0.133.0
• NPM Package: https://www.npmjs.com/package/`@openai/codex`
• Repository: https://github.com/openai/codex

Key Features (across 0.131–0.133)

• Goals are now enabled by default with dedicated storage and progress tracking across turns (0.133).
• codex remote-control runs like a foreground command with readiness waits, machine status, and explicit start/stop daemon commands (0.133).
• Permission profiles expanded: list APIs, inheritance, managed requirements.toml support, runtime refresh, stronger Windows sandbox integration (0.133).
• Plugin discovery improved: marketplace-aware list output, installed versions, visible marketplace roots, remote collection support (0.133).
• Extension lifecycle events for subagent start/stop, tool execution, turn metadata, async approval/turn processing (0.133).
• Python SDK auth: API key login, ChatGPT browser/device-code flows, account inspection, logout APIs (0.132).
• Python turn APIs: pass plain string as input; handle-based runs return richer TurnResult with collected items, timing, and usage (0.132).
• codex exec resume accepts --output-schema (0.132).
• Faster TUI startup via batched terminal capability probes (0.132).
• TUI session controls: data-driven service-tier commands, blended token usage, permissions/approval mode, effective workspace roots, responsive Markdown tables (0.131).
• Unified @ picker for files, directories, plugins, skills via app-server plugin metadata (0.131).
• Plugin marketplace CLI commands, version-aware sharing, shared-workspace buckets (0.131).
• Remote workflows with daemon-managed codex remote-control, runtime enable/disable APIs (0.131).
• Python SDK moved to openai-codex / openai_codex package name (0.131).
• codex doctor for support-ready diagnostics across runtime, auth, terminal, network, config, local state (0.131).

View Full Changelog (Codex 0.131 – 0.133)

Codex 0.133.0 — Bug Fixes

• TUI startup choosing wrong working directory when reusing a local app-server socket (Fix: TUI starting in wrong CWD openai/codex#23538).
• Plan-mode free-form answers so modified Enter keys (e.g. Shift+Enter) no longer submit unexpectedly (fix(tui): preserve modified enter in plan questions openai/codex#23536).
• Stale background terminal poll events removed after process exits (Fix stale background terminal poll events openai/codex#23231).
• Preserved raw code-mode exec output unless an explicit output token limit is requested ([codex] Preserve raw code-mode exec output by default openai/codex#23564).
• AGENTS instruction loading more reliable, local global reads, warnings for invalid UTF-8 (codex: route global AGENTS reads through LOCAL_FS openai/codex#23343, Warn on invalid UTF-8 in AGENTS.md files openai/codex#23232).
• Fixed app-server startup/shutdown races, empty resume/fork paths, plugin upgrade failures, realtime v1 websocket compatibility (fix: serialize unix app-server startup openai/codex#23516, fix(app-server): speed up shutdown openai/codex#23578, Fix empty rollout path app-server handling openai/codex#23400, fix(plugins): keep version upgrades additive openai/codex#23356, [codex] Fix realtime v1 websocket compatibility openai/codex#23771).

Codex 0.133.0 — Documentation

• Plugin-creator guidance for updating and reinstalling local personal plugins ([skills] Create a personal update flow for plugin creator openai/codex#23542).
• Expanded app-server/API docs and schema coverage around managed permission profile requirements (feat: support managed permission profiles in requirements.toml openai/codex#23433, Add CUA requirements subsection for locked computer use openai/codex#23555).

Codex 0.133.0 — Chores

• Canonical Codex package archive pipeline; installers, npm packages, DotSlash, SDK runtimes moved toward shared layout (build: add Codex package builder openai/codex#23513, ci: build Codex package archives in release workflow openai/codex#23582, build: package prebuilt Codex entrypoints openai/codex#23586, runtime: detect Codex package layout openai/codex#23596, release: publish Codex package archive checksums openai/codex#23635, install: consume Codex package archives openai/codex#23636, npm: ship platform packages in Codex package layout openai/codex#23637, dotslash: publish Codex entrypoints from package archives openai/codex#23638, sdk: launch packaged Codex runtimes openai/codex#23786).
• Linux Python runtime wheel tags fixed so glibc-based systems can install runtime artifacts (Publish Linux runtime wheels with glibc-compatible tags openai/codex#21812).
• Release/CI reliability: package-builder tests, prebuilt resource packaging, DotSlash zstd handling, platform-sharded Rust tests, Codex Linux release runners (ci: run Codex package builder tests openai/codex#23760, release: package prebuilt resource binaries openai/codex#23759, release: use DotSlash zstd for package archives openai/codex#23752, Fan out rust-ci-full nextest by platform openai/codex#23358, chore: use Codex Linux runners for Rust releases openai/codex#23761).

Codex 0.132.0 — Bug Fixes

• Goal continuations stop on usage limits or repeated blockers; completion responses phrase usage more naturally (goal: pause continuation loops on usage limits and blockers openai/codex#23094, Improve goal completion usage reporting openai/codex#22907).
• Session picker: renamed threads show name (thread-id) in resume hints; pasted text works in picker search box (Clarify resume hints for renamed threads openai/codex#23234, feat(tui): handle paste in session picker openai/codex#23338).
• Multi-session TUI: in-progress MCP calls stay marked as active during replay; elicitation replies sent back to requesting thread (TUI: replay in-progress MCP calls as started openai/codex#23236, TUI: route elicitation responses to request thread openai/codex#23241).
• Remote sessions keep websocket connections alive; repo-relative diff paths restored (Add exec-server websocket keepalive openai/codex#23226, Fix remote turn diff display roots openai/codex#23261).
• Windows: codex doctor detects npm-managed installs correctly; MSVC release binaries no longer depend on separately installed VC++ runtime DLLs (Fix Windows doctor npm root probe openai/codex#22967, windows: link MSVC release binaries with static CRT openai/codex#22905).
• TUI polish: immediate shutdown feedback on exit; hide ChatGPT usage link for non-OpenAI providers; cleared Fast tier stays cleared after side-thread resume (fix(tui): show shutdown feedback on exit openai/codex#23323, Hide ChatGPT usage link for non-OpenAI status openai/codex#23127, tui: keep cleared Fast tier from reappearing after side-thread resume openai/codex#23121).

Codex 0.132.0 — Chores

• Memory summaries versioned and rebuilt when stored format is stale (Densify and version memory summaries openai/codex#23148).

Codex 0.131.0 — Bug Fixes

• TUI rendering/interaction: URL wrapping, light-mode selection contrast, Shift+Enter in tmux, /review MCP startup status, /side Esc handling, network approval history text (fix(tui): preserve wrapped prose beside URLs openai/codex#21760, fix(tui): improve light-mode selection contrast openai/codex#21950, fix(tui): preserve Shift+Enter in tmux csi-u panes openai/codex#21943, Fix /review mode MCP startup render issue openai/codex#21624, Prevent Esc from dismissing or rewinding /side openai/codex#22710, fix(tui): render network approval history by target openai/codex#22229).
• Windows sandbox hardening: deny-read rules, scoped write roots, ineffective firewall policy, PowerShell edge cases (feat(sandbox): add Windows deny-read parity openai/codex#18202, [codex] Scope Windows sandbox write-root capability SIDs openai/codex#21479, windows-sandbox: fail elevated setup when firewall policy is ineffective openai/codex#22353, Avoid PowerShell profiles in elevated Windows sandbox openai/codex#21400, [codex] treat PowerShell stop-parsing forms as unsupported openai/codex#22643).
• Preserved managed read restrictions during permission escalation; cleaned up workspace-root permission profile resolution (fix(permissions): preserve managed deny-read during escalation openai/codex#15977, permissions: canonicalize workspace_roots and danger-full-access names openai/codex#22624, permissions: resolve profile identity with constraints openai/codex#22683).
• App-server/local state startup: preserve SQLite data, fail closed when state cannot open, add recovery paths, soften optional metadata sync failures (app-server: support daemon-safe restart handling openai/codex#21831, sqlite: no more destructive version bumps openai/codex#21847, fix: Block appserver startup if state db can't be opened openai/codex#22580, tui: recover local state db startup failures openai/codex#22734, [codex] Soften SQLite metadata sync failures openai/codex#22899).
• Git/auth: root worktree hooks used consistently; helper commands ignore repo hook/fsmonitor config; local MCP OAuth callbacks bind; superseded login tokens revoked (Use root repo hooks in linked worktrees openai/codex#21969, Ignore configured hooks in git helpers openai/codex#22843, [codex] Ignore fsmonitor config in Git metadata reads openai/codex#22652, Add callback ids to local MCP OAuth redirects openai/codex#20237, [login] revoke superseded auth tokens on relogin openai/codex#21747).
• Remote/Windows cleanup: longer exec-server transport timeouts; quieter taskkill cleanup; non-queued plugin reads (Increase exec-server environment transport timeouts openai/codex#21825, fix(tui): suppress taskkill output for MCP teardown on Windows openai/codex#21759, fix(exec-server): suppress Windows taskkill output openai/codex#22058, Unqueue plugin list and read requests openai/codex#22703).

Codex 0.131.0 — Documentation

• Clarified general Codex product docs don't belong in this repo; app-server API docs remain in scope (Clarify docs folder guidance in AGENTS.md openai/codex#21772).
• Plugin-creator guidance updated for simplified local plugin handoff links (docs(skills): simplify plugin creator deeplink shape openai/codex#22240).
• Documented new app-server/API contracts for remote environments and the desktop-owned config namespace ([codex] support executor registry remote environments openai/codex#21323, [codex] Add opaque desktop config namespace openai/codex#22584).

Impact Assessment

• Risk: Low–Medium — three sequential releases with broad changes, but no breaking changes identified for gh-aw workflow usage (Codex is invoked non-interactively via CLI).
• Affects: Codex engine workflows. The auto-enabled Goals feature and richer permission profiles may shift behavior, but defaults remain compatible.
• Migration: None required. Codex CLI invocation surface used by gh-aw is unchanged.

---

Update GitHub MCP Server

• Previous: v1.0.4 → New: v1.0.5
• Release date: 2026-05-18
• Release notes: https://github.com/github/github-mcp-server/releases/tag/v1.0.5
• Repository: https://github.com/github/github-mcp-server
• Docker image: ghcr.io/github/github-mcp-server:v1.0.5
• Full Changelog: github/github-mcp-server@v1.0.4...v1.0.5

Key Features

• New tool: list repo collaborators (Add tool to list repo collaborators github-mcp-server#2477).
• New tool: discussion comment write operations (feat: Add tool for discussion comment write operations github-mcp-server#2427).
• Optional rationale parameter on update_issue_type (Add optional rationale parameter to update_issue_type tool github-mcp-server#2458).
• Code search returns minimal results with text match snippets (feat: return minimal code search results with text match snippets github-mcp-server#2476).
• Added missing pagination on get_reviews (fix: add missing pagination on get_reviews github-mcp-server#2367).

View Full Changelog (GitHub MCP Server v1.0.5)

IFC Labeling (Information Flow Control)

• Added ifc label for list_issues tool (Add ifc label for list_issues tool github-mcp-server#2453).
• Added ifc label for get_file_contents tool (Add ifc label for get_file_contents tool github-mcp-server#2454).
• Added ifc label for search_issues tool (Add ifc label for search_issues tool github-mcp-server#2456).
• Added ifc label for issue_read tool (Add ifc label for issue_read tool github-mcp-server#2457).
• Added ifc label for search_repositories tool (Add ifc label for search_repositories tool github-mcp-server#2459).
• Replaced ingress IFC reader list with private marker (Replace ingress IFC reader list with private marker github-mcp-server#2478).

Documentation

• Document Copilot Spaces PAT requirements (Document Copilot Spaces PAT requirements github-mcp-server#2479).

Chores

• Upgrade go-github to v0.87 (Upgrade go-github to v 0.87 github-mcp-server#2452).

Impact Assessment

• Risk: Low — additive changes (new tools, new optional params, new pagination). No breaking changes.
• Affects: Workflows using the GitHub MCP server. New tools become available; get_reviews pagination may require updates in scripts that assumed all reviews returned in one call (existing behavior preserved for default page size).
• Migration: None required.

---

Update Process

Applied:

• Edited pkg/constants/version_constants.go (3 lines changed)
• Ran make recompile twice — 235 lock files modified, 0 errors
• Saved version-check cache to /tmp/gh-aw/cache-memory/version-check-2026-05-24.txt

Recommendations

• Update priority: Routine. None of these are security releases.
• Testing: Existing workflow tests should cover all three CLIs. For Copilot, verify the existing checklist from version_constants.go (MCP loading, /models with PAT).
• Rollout: Standard PR review and merge.

References

• §26354138907

Generated by 🔢 CLI Version Checker · ● opu47 9.5M · ◷

• expires on May 26, 2026, 6:42 AM UTC

[github-actions]

🍪 Issue Monster selected this for Copilot

I've identified this issue as a good candidate for automated resolution and requested assignment to the Copilot coding agent.

If assignment succeeds, the Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster · ● hai45 23.4K · ◷