Core

Improvements

• Added a built-in customize-opencode skill so opencode config edits are less likely to break startup.

Bugfixes

• Fixed numeric HTTP API query parameters in the generated OpenAPI spec and SDK for session and file endpoints.
• Fixed boolean HTTP API query handling so SDK types and runtime validation stay aligned.
• Tolerated legacy stored numeric values in sessions, diffs, and retry events instead of failing to load old data.
• Fixed old sessions with negative token counts causing message loads and Desktop startup to fail.
• Fixed MCP tool discovery when a server publishes broken outputSchema references.
• Fixed workspace HTTP API query drift so workspace-routed endpoints expose the right query parameters in OpenAPI and the SDK.
• Fixed a Plan Mode security bypass where subagents could ignore parent-agent deny rules.

Core

Bugfixes

• Provider configs and API responses now accept models marked as active.
• Read tool permission rules now match worktree-relative paths, so read allowlists and denylists apply correctly.
• Workspace-routed HTTP API endpoints no longer reject valid directory and workspace query params.

TUI

Bugfixes

• Startup errors now report every failed bootstrap request instead of only the first one.
• Opening a session no longer crashes when the messages request fails.

Desktop

Bugfixes

• Older migrated sessions with missing diff file details load again.
• Older migrated sessions with missing diff patches load again. (@OpeOginni)

SDK

Bugfixes

• throwOnError: true now throws a real Error with the server message and preserves the response body in cause.

Extensions

Improvements

• TUI plugins using the deprecated api.command API keep working while you migrate to api.keymap.

Bugfixes

• Provider plugins can no longer mutate shared provider model state for the rest of the app.

Thank you to 1 community contributor:

• @OpeOginni:
  • fix(sessions): allow optional patch field in diff for migrated sessions (#26574)

Core

Bugfixes

• Fixed upgrades failing for existing workspaces when adding the time_used field.

Core

Bugfixes

• Keep provider and config API responses working when auth loaders add non-JSON options to providers.
• Include tool image attachments in ACP updates and session replays. (@SteffenDE)

Thank you to 1 community contributor:

• @SteffenDE:
  • fix(acp): include tool image attachments in updates (#25128)

Core

Improvements

• Added HTTP API response compression for large non-streaming responses.
• Added the Scout agent for repo research, docs lookup, and dependency-source inspection.
• Added workspace sync so adapter-backed workspaces can be discovered and registered automatically.
• Added an interactive split-footer mode for opencode run.
• Simplified TUI keybinding config into a flat keybind format.
• Made duplicate worktree names fall back to the parent directory for clearer labels.

Bugfixes

• Fixed HTTP API auth responses to match the previous wire format for empty authorize results and share errors.
• Returned structured validation errors from the HTTP API.
• Rejected invalid permission and question IDs in the HTTP API.
• Included auth challenges on typed HTTP API 401 responses.
• Fixed the HTTP API OpenAPI document route.
• Fixed detached sessions so they are claimed by the source project again.
• Forwarded SIGINT, SIGTERM, and SIGHUP correctly when running through the npm shim. (@chubes4)
• Allowed skills without descriptions to load correctly.
• Required auth on effect HTTP API root routes. (@RajvardhanPatil07)
• Kept tool ordering stable so tool lists stop reshuffling between runs.
• Made retry dialogs more specific to the provider and failure reason.
• Fixed Gemini reasoning controls so supported effort levels and small-mode defaults match the model.
• Fixed Anthropic Opus 4.5 reasoning effort options.
• Limited OpenAI deep research models to the reasoning level they actually support.
• Fixed GPT-5 reasoning variants so the exposed effort options match each model family.

TUI

Improvements

• Show retrying sessions as active in the project sidebar. (@edemaine)

Bugfixes

• Fixed the sidebar message shown for language server state. (@Polo123456789)
• Sorted the session picker by full last-updated time instead of day buckets. (@Sleepful)
• Kept longer cleared prompts in draft history so they can be restored.

Desktop

Improvements

• Switched desktop updates to silent per-user install flow.

Thank you to 5 community contributors:

• @edemaine:
  • feat(desktop): working indicator on project sidebar (#26223)
• @RajvardhanPatil07:
  • fix(server): require auth for effect root routes (#26361)
• @chubes4:
  • fix(cli): forward signals from npm shim (#26259)
• @Sleepful:
  • fix(tui): sort session picker by full updated timestamp (#24725)
• @Polo123456789:
  • fix(sidebar): fix logic and missleading message #26469 (#26470)

Core

Bugfixes

• Restored formatter output handling so formatting still works when formatters write to stdout or stderr. (@ferdinandyb)

Improvements

• Warping a session to another workspace can now carry over your uncommitted file changes.

TUI

Bugfixes

• Restored custom provider setup in /connect.

Desktop

Bugfixes

• Added a macOS Settings menu entry. (@jessedi0n)

Improvements

• Moved the desktop app's local server into a separate utility process for more reliable startup and shutdown.

Extensions

Improvements

• ACP clients now restore the last model, mode, and effort when loading sessions, and can close sessions cleanly.

Thank you to 4 community contributors:

• @carmithersh:
  • docs: add opencode-jfrog-plugin to ecosystem list for JFrog integration (#26019)
• @jessedi0n:
  • fix(desktop): add macOS settings menu entry (#26081)
• @ferdinandyb:
  • fix(format): restore stdout/stderr ignore for formatter processes (#26037)
• @YGoetschel:
  • fix: guard undefined contents in diff renderer to fix share viewer SSR crash (#21763)

Core

Improvements

• Support .well-known/opencode configs that point to a separate remote config file.

Bugfixes

• Preserve assistant text when replaying signed reasoning blocks. (@edevil)
• Return consistent not-found errors for missing sessions.
• Apply CORS headers before auth so browser clients can reach legacy server endpoints.
• Fix serve, web, and ACP network options triggering runtime re-entry errors.
• Only show connected workspaces in warp flows, and carry the new directory into the session after warping.
• Restore web terminal CSP allowances.
• Sanitize invalid surrogate characters before provider transforms.
• Fix Cloudflare AI Gateway provider options for OpenAI-compatible models. (@NathanDrake2406)
• Use the current workspace with /new, including local-project warps.
• Keep editor selection context stable until it is sent.
• Retry server_is_overloaded API errors automatically.
• Restore Mistral Medium 3.5 variants so model selection works correctly.
• Show compaction summaries before retained tail messages.

TUI

Bugfixes

• Keep the selected model when model data refreshes.
• Fix /agent create to use the /agents path. (@OpeOginni)

Desktop

Improvements

• Allow trusted app windows to write to the clipboard without permission failures.

Bugfixes

• Ignore broken pipe (EPIPE) errors in desktop console logging.
• Stop auto-installing updates when quitting the app.
• Silence noisy browser API Sentry reports in production.
• Prevent sync bootstrap queries from failing during app startup.

Thank you to 6 community contributors:

• @OpeOginni:
  • fix(TUI): update agent create target path from "/agent" to "/agents" (#14427)
• @NathanDrake2406:
  • fix(cf-ai-gateway): route provider options through openaiCompatible key (#24432) (#25573)
• @imduchuyyy:
  • docs: update desktop app references from Tauri to Electron (#25965)
• @kill74:
  • docs: fix CLI attach section order (#25749)
• @zharinov:
  • fix(ui): preserve SVG tags in DOMPurify config for KaTeX math rendering (#25866)
• @edevil:
  • fix(provider): preserve assistant message content when reasoning blocks present (#21370)

Desktop

Bugfixes

• Respect HTTP_PROXY and related proxy environment variables in the desktop app.
• Return null instead of failing when the desktop app cannot read a stored value.

Core

Bugfixes

• Embedded UI requests now work with arbitrary connect-src origins under the default CSP.

Desktop

Bugfixes

• Desktop now trusts system CA certificates for HTTPS connections.

Core

Bugfixes

• Canceling a task now also cancels child subtask sessions.

Improvements

• Improved v2 session rendering with cleaner tool states, better compaction summaries, and more accurate timing.
• Warp a session into another workspace or back to the local project.

Desktop

Bugfixes

• Run the desktop migration on startup so existing installs transition correctly after the desktop packaging move.
• Stabilized the Windows titlebar when changing zoom levels.