
Upstream changes detected: Gemini CLI, Codex CLI (App Server Protocol), GitHub Copilot CLI, Qwen Code #1

@github-actions


This issue was opened automatically by upstream-watch.yml on 2026-05-04 because at least one upstream project this plugin depends on shipped a new release.

Detected changes

Gemini CLI — v0.39.1 → v0.40.1

  • Release: Release v0.40.1 (published 2026-04-30)
  • Why this matters for the plugin: Drives plugins/multi/scripts/lib/adapters/gemini.mjs. Watch for changes to ACP handshake, model alias resolution, MCP support, or new approval modes.
Release notes excerpt

What's Changed

Codex CLI (App Server Protocol) — rust-v0.125.0 → rust-v0.128.0

  • Release: 0.128.0 (published 2026-04-30)
  • Why this matters for the plugin: Drives plugins/multi/scripts/lib/adapters/codex.mjs and app-server.mjs. Watch for sandbox mode changes, new approval policies, or app-server protocol updates.
Release notes excerpt

New Features

  • Added persisted /goal workflows with app-server APIs, model tools, runtime continuation, and TUI controls for create, pause, resume, and clear. (#18073, #18074, #18075, #18076, #18077, #20082)
  • Added codex update, configurable TUI keymaps, plan-mode nudges, action-required terminal titles, and active-turn /statusline and /title edits. (#19933, #18593, #19901, #18372, #19917)
  • Expanded permission profiles with built-in defaults, sandbox CLI profile selection, cwd controls, and active-profile metadata for clients. (#19900, #20117, #20118, #20095)
  • Improved plugin workflows with marketplace installation, remote bundle caching, remote uninstall, plugin-bundled hooks, hook enablement state, and external-agent config import. (#18704, #19914, #19456, #19705, #19840, #19949)
  • Added external agent session import, including background imports and imported-session title handling. (#19895, #20284, #20261)
  • Made MultiAgentV2 configuration more explicit with thread caps, wait-time controls, root/subagent hints, and v2-specific depth handling. (#19360, #19792, #19805, #20052, #20180)

Bug Fixes

  • Fixed several resume and interruption issues, including stale interrupt hangs, persisted provider restoration, large remote resume responses, and slow filtered resume lists. (#18392, #19287, #19920, #19591)
  • Improved TUI reliability around terminal resize reflow, markdown list spacing, slash-command popup layout, keyboard cleanup, shell-mode escape, and working status updates. (#18575, #19706, #19511, #19625, #19986, #19939)
  • Hardened managed network behavior for deferred denials, proxy bypass defaults, resolved target checks, IPv6 host matching, and git -C approval handling. (#19184, #20002, #19999, #19995, #20085)
  • Fixed Windows sandbox and PTY edge cases, including pseudoconsole startup, elevated runner process handling, core shell environment inheritance, and named-pipe validation. (#20042, #19211, #20089, #19283)
  • Fixed Bedrock model support for apply_patch, GPT-5.4 reasoning levels, and updated Bedrock GPT-5.4 endpoint/model metadata. (#19416, #19461, #20109)
  • Fixed MCP/plugin edge cases around stdio server cleanup, plugin MCP approval persistence, and custom MCP metadata isolation. (#19753, #19537, #19836, #19875)

Documentation

  • Updated the bundled OpenAI Docs skill for GPT-5.5, gpt-image-2, and clearer upgrade guidance. (#19407, #19443, #19422)
  • Clarified contributor-facing docs, including the PR template, Rust async trait guidance, and README wording. (#19912, #20242, #19514)
  • Added a checked-in codex-core public API listing and a ThreadManager sample crate. (#20243, #20141)

Chores

  • Published codex-app-server release artifacts, stopped publishing GNU Linux binaries, and increased release workflow timeouts. (#19447, #19445, #20271, #20343)
  • Added Codex-pinned versioning for the Python app-server SDK package. (#18996)
  • Deprecated --full-auto while steering users toward explicit permission profiles and trust flows. (#20133)
  • Stabilized CI and release plumbing with Bazel setup migration, release smoke-test pinning, and updated workflow pins/timeouts. (#19851, #19854, #19472, #19609)

Changelog

Full Changelog: openai/codex@rust-v0.125.0...rust-v0.128.0

  • #19124 Make MultiAgentV2 interruption markers assistant-authored @jif-oai
  • #19354 chore: alias max_concurrent_threads_per_session @jif-oai
  • #19360 feat: surface multi-agent thread limit in spawn description @jif-oai
  • #19351 Add agents.interrupt_message for interruption markers @jif-oai
  • #18392 Fix hang on turn/interrupt @danwang-oai

…(release notes truncated; click the link above for the full text)

GitHub Copilot CLI — v1.0.36 → v1.0.40

  • Release: 1.0.40 (published 2026-05-01)
  • Why this matters for the plugin: Drives plugins/multi/scripts/lib/adapters/copilot.mjs. Watch for ACP changes, slash-command additions/removals, or auth flow changes.
Release notes excerpt

2026-05-01

  • PR branch decoration displays correctly in the footer regardless of model name length
  • /clear and /new reset the active custom agent selection
  • Assistant responses stream with smoother text output
  • copilot plugin list shows the correct version after running copilot plugin update
  • Add support for client_credentials OAuth grant type for MCP servers, enabling fully headless authentication without a browser
  • Subagents correctly evaluate tool search support for their own model instead of inheriting the parent session's settings
  • Switching sessions with /new or /resume no longer carries over pending messages to the new session
  • CLI no longer hangs at 100% CPU when sending a large file attachment
  • Resume session picker no longer shows duplicate entries for the same Mission Control-backed session
  • Session resume selector displays summaries on a single line, truncated to fit the column width
  • Print "Exiting…" to stderr immediately on Ctrl+C during prompt mode so shutdown progress is visible
  • /research uses an orchestrator/subagent model for more thorough and reliable deep research results
  • Autopilot mode now limits continuation messages to 5 by default (configurable with --max-autopilot-continues)
  • Automatically clean up old CLI package versions from disk during auto-update
  • Remote session statusline shows the remote working directory and branch instead of local context
  • /update no longer re-submits the original -i prompt after restarting
  • Detect Azure DevOps repositories and auto-disable the GitHub MCP server
  • Session history, file tracking, and the /chronicle command are now available to all users
  • Skills are available as slash commands in ACP clients, matching the CLI experience
  • Resuming a session no longer falsely reports it as in use after a previous CLI process exited unexpectedly
  • --config-dir now propagates correctly to plugin subcommands; --config-dir is deprecated in favor of COPILOT_HOME
  • Mouse selection works while the /ask response dialog is open, so its content can be highlighted and copied
  • Improve CLI startup speed by loading custom CA certificates asynchronously
  • Remote control link shows the full URL in the timeline instead of 'Open in browser'
  • ACP clients (e.g. Zed) now display the agent's live plan as it works through multi-step tasks
  • Add toggle for custom statusLine.command visibility in the statusline picker
  • ACP clients can now list and switch custom agents via the agent config option
  • MCP OAuth tokens cache correctly when multiple servers share the same URL but use different static OAuth client IDs
  • MCP tool names with dots or other invalid characters are now sanitized correctly

…(release notes truncated; click the link above for the full text)

Qwen Code — v0.15.3 → v0.15.6

  • Release: Release v0.15.6 (published 2026-04-30)
  • Why this matters for the plugin: Drives plugins/multi/scripts/lib/adapters/qwen.mjs. Watch for ACP support changes (the --acp flag graduated from --experimental-acp recently).
Release notes excerpt

What's Changed

New Contributors

Also worth checking (manual — Copilot, please research these too)

  • Cursor agent CLI — changelog: https://cursor.com/changelog · forum (bug reports): https://forum.cursor.com/c/bug-report/6
    • Drives plugins/multi/scripts/lib/adapters/cursor.mjs. The plugin currently works around the 2026.04.17-787b533 ACP regression (see maybeWarnAboutCursorVersion and ensureCursorAllowlist). When Cursor ships a fix, both workarounds can likely be simplified or removed.

Plugin files most likely to need updates

  • plugins/multi/scripts/lib/acp-client.mjs (shared ACP JSON-RPC client; buildAutoApproveRequestHandler)
  • plugins/multi/scripts/lib/acp-terminals.mjs (client-side terminal services)
  • plugins/multi/scripts/lib/mcp-servers.mjs (MCP wiring for ACP session/new)
  • plugins/multi/scripts/lib/adapters/{codex,gemini,cursor,copilot,qwen}.mjs (per-CLI adapters)
  • plugins/multi/scripts/multi-cli-companion.mjs (companion runtime + dispatch)

What I'd like you to do, @copilot

  1. Read the linked release notes for each detected change above, plus the manual-reference changelogs.
  2. Compare what changed against the relevant adapter / shared code in this repo. Look specifically for:
    • New ACP methods we should handle in acp-client.mjs's buildAutoApproveRequestHandler
    • Renamed / deprecated CLI flags or model IDs hardcoded in any adapter
    • New CLI capabilities that obsolete a workaround we currently ship (e.g., the Cursor 2026.04.17 regression workaround in cursor.mjs — check if a newer Cursor release fixes it, and if so, propose removing maybeWarnAboutCursorVersion and the allowlist-injection or scoping it tighter)
    • Breaking changes that would silently break the plugin
  3. For each change that warrants action, open a focused PR against master with the minimal fix. Reference the upstream release / commit / forum thread in the PR description.
  4. If a detected change does NOT need any plugin update, reply on this issue with a short note saying "no plugin updates needed for X — reason: …" and close it.
  5. If something is ambiguous (you can't tell from release notes whether the plugin is affected), ask in a comment rather than guessing.

You may use ACP_TRACE=1 and the rest of the diagnostic patterns documented in plugins/multi/skills/customize/SKILL.md if you want to verify behavior empirically.


State tracked in .github/upstream-state.json — bumped by this same workflow. If you want to suppress a noisy upstream from this watch, edit .github/scripts/upstream-watch.mjs.


Labels: upstream-watch (Auto-opened by upstream-watch.yml when an upstream releases)
