[ca] chore: Update agentic CLI tools (Claude Code 2.1.160, Copilot CLI 1.0.57, Codex 0.136.0, GitHub MCP Server v1.1.2)

[github-actions]

Summary

Four monitored agentic CLI tools have new stable releases. pkg/constants/version_constants.go was updated and make recompile succeeded (237/237 workflows, 0 errors).

Note: the previous tracking issue #35883 was closed as expired/not_planned on 2026-06-01 before its constant changes were committed, and newer versions have since shipped (Claude 2.1.160, Copilot 1.0.57, plus a new Codex 0.136.0). This issue supersedes it.

Tool	Previous	New	Risk
Claude Code	2.1.156	2.1.160	Low
Copilot CLI	1.0.55	1.0.57	Low
Codex	0.135.0	0.136.0	Low
GitHub MCP Server	v1.1.0	v1.1.2	Low

No changes needed (already current): MCP Gateway v0.3.22, Playwright MCP 0.0.75, Playwright CLI 0.1.13, Playwright Browser v1.60.0.

Critical Information

• All updates are point/patch releases with no breaking changes.
• make recompile regenerated 237 lock files (0 errors, 47 pre-existing warnings). Per project guidelines only pkg/constants/version_constants.go is committed — *.lock.yml files are not committed.
• Observation: @github/copilot-sdk (not in the monitored set of 8) has 1.0.0-beta.12 available vs the pinned 1.0.0-beta.9 — left unchanged here.

---

Update Claude Code

• Previous: 2.1.156 → New: 2.1.160 (intermediates: 2.1.157, 2.1.158, 2.1.159)

Breaking Changes: None

View CLI Discovery & Details

CLI Discovery

No new flags or commands. --help output for 2.1.160 is identical to 2.1.158 (the version analyzed in the prior cycle).

Notes

Claude Code has no public GitHub repository; analysis is based on NPM metadata and --help output comparison.

Impact Assessment

• Risk: Low
• Affects: Claude engine default version pin (DefaultClaudeCodeVersion)

Package Links

• NPM Package: https://www.npmjs.com/package/`@anthropic-ai/claude-code`
• Repository: None (no public repo)

---

Update Copilot CLI

• Previous: 1.0.55 → New: 1.0.57 (intermediate: 1.0.56)

Breaking Changes: None

Key Features (cumulative since 1.0.55, from --help/subcommand diff)

• New flag --context — set the context window tier, overriding the persisted setting (choices: default, long_context). (1.0.56)
• New flag --extension-sdk-path — override the bundled @github/copilot-sdk injected into extension subprocesses with a local copilot-sdk/ folder. (1.0.56)

View Subcommand Changes

config subcommand

• (1.0.56) Added contextTier (context window tier for tiered-pricing models) and builtInAgents.rubberDuck (adversarial-feedback subagent, defaults true).
• (1.0.57) Added showTipsOnStartup — whether to show a random command tip when the CLI starts; defaults to true.
• (1.0.57) Removed gpt-4.1 from a documented model list in the config help.

environment subcommand

No changes vs 1.0.55.

Impact Assessment

• Risk: Low
• Affects: Copilot engine default version pin (DefaultCopilotVersion). New flags/settings are additive and opt-in.
• Note: Copilot CLI repository is private; analysis based on NPM metadata + installed --help/subcommand output comparison. Per the standing note in version_constants.go, verify MCPs still load and /models works with PAT auth.

Package Links

• NPM Package: https://www.npmjs.com/package/`@github/copilot`
• Repository: https://github.com/github/copilot-cli (private)

---

Update Codex

• Previous: 0.135.0 → New: 0.136.0

Breaking Changes: None

Key Features (from GitHub release notes)

• Sessions can be archived from the TUI with /archive or from the CLI with codex archive / codex unarchive; archived sessions are protected from resume/fork until restored — Add /archive slash command openai/codex#25027 · Add thread archive CLI commands openai/codex#25021
• TUI markdown keeps web links clickable (OSC 8); cramped tables render as key/value records — feat(tui): add OSC 8 web links to rich content openai/codex#24472 · feat(tui): render cramped markdown tables as key-value records [2 of 2] openai/codex#24636
• App-server integrations: resume a thread with its initial turns page, richer MCP status, codex app-server --stdio — feat(app-server): include turns page on thread resume openai/codex#23534 · Add codex app-server --stdio alias openai/codex#24940
• Remote exec setup supports CODEX_API_KEY registration; remote-control websockets use short-lived server tokens — Allow API-key auth for remote exec-server registration openai/codex#24666 · feat(app-server): migrate remote control to server tokens openai/codex#24141

CLI Discovery

• New top-level subcommands: archive and unarchive (confirmed via codex --help diff).

View Bug Fixes & Security (from release notes)

• Command-safety hardening: /diff no longer runs repo-provided Git helpers/hooks; no PowerShell parser execution on non-Windows hosts; browser-origin exec-server websocket handshakes rejected — fix(tui): prevent repository-configured code execution in /diff openai/codex#24954 · [codex] Avoid PowerShell safety parsing off Windows openai/codex#24946 · fix(exec-server): reject websocket requests with Origin headers openai/codex#24947
• Sandboxed commands clean up more reliably after interruptions/denied Windows network attempts; deny read rules enforced on safe-command and approval-bypass paths — fix(linux-sandbox): preserve shell cleanup on interruption openai/codex#22729 · fix: cancel Windows sandbox on network denial openai/codex#19880 · fix: preserve deny-read sandboxing for safe commands openai/codex#23943
• ChatGPT auth refreshes tokens before the 5-minute expiry window; relogin path for reused refresh tokens — [codex-cli] Refresh near-expiry ChatGPT access tokens before requests openai/codex#23546 · Treat refresh_token_reused 400s as relogin-required openai/codex#24830
• Bedrock auth falls back to AWS_REGION / AWS_DEFAULT_REGION; unsupported Bedrock GPT tiers no longer advertised — fix: Bedrock API key region fallback openai/codex#25171 · fix: Limit Bedrock GPT models to default service tier openai/codex#25318

Impact Assessment

• Risk: Low
• Affects: Codex engine default version pin (DefaultCodexVersion). Several command-safety/sandbox hardening fixes are security-positive.

Package Links

• NPM Package: https://www.npmjs.com/package/`@openai/codex`
• Repository: https://github.com/openai/codex
• Release Notes: https://github.com/openai/codex/releases/tag/rust-v0.136.0
• Full Changelog: openai/codex@rust-v0.135.0...rust-v0.136.0

---

Update GitHub MCP Server

• Previous: v1.1.0 → New: v1.1.2 (intermediate: v1.1.1)

Breaking Changes: None

Key Changes

• v1.1.1 (bugfix release for MCP APP Resources):
  • Bump go-sdk to v1.6.1 and drop CrossOriginProtection workaround — deps: bump go-sdk to v1.6.1 and drop CrossOriginProtection workaround github-mcp-server#2564
  • Enable only ifc — I want to enable only ifc github-mcp-server#2565
  • OSS release prep — OSS release prep github-mcp-server#2568
  • Register MCP App UI resources in shared server constructor — Register MCP App UI resources in shared server constructor github-mcp-server#2570
• v1.1.2:
  • Lockdown mode: scope RepoAccessCache per request — Lockdown mode: scope RepoAccessCache per request github-mcp-server#2571

View Changelog Links

• v1.1.0...v1.1.1: github/github-mcp-server@v1.1.0...v1.1.1
• v1.1.1...v1.1.2: github/github-mcp-server@v1.1.1...v1.1.2

Impact Assessment

• Risk: Low
• Affects: GitHub MCP server Docker image pin (DefaultGitHubMCPServerVersion). The v1.1.2 lockdown-mode fix (per-request RepoAccessCache scoping) is relevant to gh-aw's lockdown feature (DefaultGitHubLockdown) — a security-positive correctness fix.

Package Links

• Repository: https://github.com/github/github-mcp-server
• Release Notes: https://github.com/github/github-mcp-server/releases
• Specific Releases: https://github.com/github/github-mcp-server/releases/tag/v1.1.1 · https://github.com/github/github-mcp-server/releases/tag/v1.1.2

---

Recommendations

• Merge priority: Normal. All low-risk patch/point updates; the GitHub MCP v1.1.2 lockdown fix and Codex command-safety hardening are the most valuable (security-positive).
• Testing: CI recompile already validates lock-file regeneration. When upgrading Copilot, verify MCPs still load and /models works with PAT auth.
• Commit: Only pkg/constants/version_constants.go. Do not commit *.lock.yml files.

References:

• §26803789160

Generated by 🔢 CLI Version Checker · opus48 1.2M · ◷

• expires on Jun 4, 2026, 7:07 AM UTC

[github-actions]

🍪 Issue Monster selected this for Copilot

I've identified this issue as a good candidate for automated resolution and requested assignment to the Copilot coding agent.

If assignment succeeds, the Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster · haiku45 30.8K · ◷