All users can now filter batch changes by user, not just site administrators. The current user appears at the top of the user filter list for easy access to their own batch changes.

Fixed "View on code host" button to properly escape % characters in file paths when generating external links.

Code Insight preview results now exclude archived and forked repositories by default, matching the backend behavior present since 3.40.

Repository permissions are no longer dropped when encountering HTTP/2 stream cancellation or "internal error" from the upstream GitLab code host. Instead, existing permissions are preserved and the permissions sync is retried later.

Fixed an issue where URLs containing the external URL would be incorrectly mangled, resulting in duplicate domain paths

Fixed invalid links in deepsearch markdown content that contained the host twice

Fixed TLS configuration not being applied to HTTP client, causing OAuth authentication failures.

Fixed TLS certificate validation via regular expressions in site config

Fixed an edge case where Deep Search questions did not respect cancellation state from the database, preventing them from continuing indefinitely after being cancelled.

Fixed infinite loop in DeepSearch when LLM tool argument parsing fails during streaming by properly propagating errors to internal callers

MCP deepsearch queries on the old .api/mcp/v1 and new .api/mcp endpoints will now time out after 50 seconds to avoid Cloudflare connection timeouts. Queries exceeding this timeout return a link so agents can track completion and inform users where to follow progress.

• Fixes a log spam issue where EnsureRevision calls would logspam "failed to perform background repo update" when a scheduled repo update is already running.
• Fixes an issue where EnsureRevision would incorrectly increase the update failure counter on a repository if a scheduled fetch is already running.
• Fixes an issue where log output from Fetch could cause a Fetch to stall forever because the reader silently errored.

Deep Search now streams results as they become available.

The Deep Search input now dynamically grows as users type or paste content.

Deep Search history sidebar can now be navigated using arrow keys.

Site admins can now set per-user Deep Search usage limits through entitlements: classes of usage limits that can be assigned as a global default, or to specific users.

Deep Search backend sources are now rendered after citations in collapsible sections within a unified sources container.

Deep Search sidebar is now available in the blob view for enhanced code exploration.

Added Slack bot integration for Deep Search. To get set up, go to Site Admin → Slack integration.

The site admin page is now simply titled "Administration".

Site admin organizations page now uses the standard page container design.

Navigation sidebars in site admin pages now support collapsible sections with localStorage persistence

GitHub Apps can now be configured via the declarative config file with secure handling and storage of private keys

Introduces a new notification widget that replaces the site-wide banners on Sourcegraph, as well as a new site-admin dashboard that shows notifications, as well as some suggestions on what admins can do to manage their instance.

Fixed context retrieval bug when using remote file mentions and chat UI flickering

Added option to skip TLS verification for executors talking to Sourcegraph via EXECUTOR_FRONTEND_TLS_SKIP_VERIFY

Alert when repository cleanups fail consistently

The repository permissions page now displays the total count of users who have access to the repository.

Fix history panel displaying the last question's title instead of the conversation title by generating conversation title only on the first question.

Links now point to answers instead of questions. This resolves confusion where the link pointed to the question but the copy button was part of the answer card. Old links continue to work because the question anchor is preserved in the code.

The tab title is now correctly updated when switching between DeepSearch conversations and then navigating away and back to DeepSearch.

Permalinks now use full commit hashes instead of abbreviated ones.

The star button is no longer rendered for non-owners, eliminating the confusing behavior where changes appeared to work but were reverted on refresh.

Fixed submit button icon visibility in Deep Search

Conversation creation failures now display error messages instead of hanging indefinitely in a loading state

• Fixed Deep Search suggestions to display with correct font styles
• Fixed Feedback modal to have proper spacing and close button styling

Increased the deep search input size from one line to multiple lines for improved usability.

Fixed loading skeleton and sources to reflect the currently viewed question's state instead of a global "is anything searching" state

Fixed file search result content not updating when filtering results in certain situations where truncated content caused stale data to be displayed

Fixed branded logos not appearing on the search homepage and in the global navigation when configured.

Repository name matches are excluded from search results when a repo: filter is present without an explicit type: filter. Users can still search repository names by adding type:repo.

Switch from plain ctags to tree-sitter for analyzing symbols in CSS and SCSS files. The result is more predictable parsing, no comment blocks leaking into the symbols sidebar, and css variables showing up as symbols.

Reduced the complexity of GitHub GraphQL queries for syncing changesets to reduce token consumption

READONLY changesets are now counted as CLOSED in batch change statistics, fixing a discrepancy between the burndown chart and summary stats.

Improve error message clarity when user creation fails in site admin

Fixed incorrect navigation highlighting in site admin where 'Settings' was highlighted instead of 'Batch specs'.

Error messages are now clearer when attempting to connect an external account that is already in use by another Sourcegraph account

Addresses an issue where the OAuth consent pages did not allow to scroll down to the action buttons.

Code insights job UI now displays correctly on mobile devices.

In 6.11 our experimental AWS RDS IAM Auth would panic if we failed to refresh the token. We now correctly treat this as an error to log and retry.

Fix broken links to alerts reference in alert notifications for customers on the latest release.

Fixed an edge case where the permission sync scheduler would excessively enqueue jobs when old completed jobs existed in the database

Temporary files are now cleaned up from repository directories, reducing disk space usage.

Fixed an issue where a service account's access tokens would be deleted when the site admin that created the access tokens for the service account got deleted.

Custom indexing policies are now disabled by default. The codeIntelAutoIndexing.policyManagementEnabled configuration can be used to re-enable support.

Removed the repository setup wizard as it is no longer up to date with code hosts. Site admins are encouraged to add repositories via the "Code Host Connections" section of the site admin page.

Anthropic deprecated Sonnet 3.5 and Haiku 3.5. These models are no longer available in Cody. Make sure to upgrade to a recent Cody client release to ensure all features are still functional.

Removed autoupgrade toggle selector and readiness banner as part of autoupgrade deprecation

Fixed a potential issue where a buffer overflow can cause repository update processes to deadlock.

Fixed git object expiration logic that was setting future dates instead of past dates, preventing potential repository corruption in concurrent operations.

Sourcegraph now supports OAuth 2.0 Dynamic Client Registration (RFC 7591). This makes it easier to authenticate against Sourcegraph from an MCP client. As an administrator you must set auth.idpDynamicClientRegistrationEnabled to true in your site settings.

Sourcegraph can now communicate to code hosts using mTLS by providing a list of {"host", "clientCertificate", "clientKey"} configurations in the site config under mtlsConfigurations in tls.external.

Ensure that citations are enabled by default and rendered correctly even when the feature flag value is not set on the backend.

Fixed an issue where applying a new license key would not clear messages from the old, expired license key.

Immediately navigate to the conversation view showing the submitted question with a loading indicator when creating a new Deep Search conversation, before the server responds.

Users can now use the Tab key to select repository suggestions in the Deep Search @ mention menu, providing a more efficient keyboard-only workflow

Improved @-mention filtering with smarter caching for faster, more responsive filtering and reduced backend requests.

Deep Search conversations can now be exported as Markdown by appending ".md" to the URL.

Add ability to collapse results in reference panel.

Embedded organization batch-changes routes into the Svelte app, improving the integration between React and Svelte components for batch changes functionality.

Added batch changes pages in the personal user area for the creation flow.

Added batch-changes-gitlab-oauth feature flag to gate GitLab OAuth integration for Batch Changes.

Added a site-admin page for viewing batch changes specs.

Embedded site-admin batch changes pages into the Svelte app, improving consistency and maintainability of the admin interface.

When site-config or global settings files are loaded from the file system, the config editors in-app now reflect the read-only state.

Redact access tokens in model configuration displayed in the site-config UI.

Added external accounts page for site administrators.

Added auth providers page to site-admin interface

Added a new updates page in the site admin interface.

Frontend service restarts are no longer required when changing certain settings.

Embedded the site-admin init page into the Svelte app

Embedded the site-admin background jobs page into the Svelte app.

The out-of-band migrations page in site admin is now embedded in the Svelte app.

Site admins can now manage OAuth clients through dedicated pages in the admin interface.

Added a roles management page in the site admin interface

Embed OpenAPI documentation pages into the Svelte application at /api/openapi/public and /api/openapi/internal endpoints.

OAuth now supports multiple redirect URIs (space or comma separated)

Embedded the auth consent page into the Svelte app and added test coverage for invalid user codes on the auth device page.

Support for Opus 4.5 with extended thinking is now available. Opus 4.1 models have been deprecated in favor of the new version.

Claude Opus 4.5 is now available for selection

GitHub permissions syncing now uses gzip compression for caching organization and team membership data in Redis, significantly reducing memory usage for large organizations.

Added GraphQL API console support to the Svelte app using graphiql v4 with CodeMirror. Introduced a mechanism to undo CSS reset styles for embedded components using the data-css-unstyled attribute.

incident.io is now supported as an alert notifier in observability.alerts configuration

Added a site-admin page for viewing permissions sync jobs.

Organization pages now use React Router loaders for data fetching and improved navigation performance.

Fixed an issue where clicking the Deep Search link in the top nav from the conversation view did nothing - it now navigates to the Deep Search home page as expected.

Fixed a runtime error on the All Sources tab that was caused by duplicate render keys.

Expanded file preview now has consistent horizontal padding with citations.

Markdown styles are now applied to Deep Search responses when citations are enabled.

The hovered separator is now always displayed on top of resizable panels.

Removed support for deprecated Atom and AppCode editors from the "Editor" action.

Fixed a database constraint issue that could cause errors when scheduling code intelligence indexing jobs after a job reset.

S3proxy multipart uploads no longer fail due to CRC32 checksum validation errors

Repository HEAD auto-indexing jobs are now deduplicated to prevent queue growth.

Fixed scroll functionality on the batch change spec page when embedded in full-screen mode

OAuth authentication errors (like "could not get verified email for GitHub user") are now displayed in the UI instead of causing users to get stuck in an infinite login loop.

Site admins now see a banner when viewing another user's settings pages, indicating they are viewing settings for a different user.

Fixed an issue where deep copying model configuration incorrectly handled nil values, preventing default models from being applied correctly.

Fixed corrupt model configuration states that could cause Cody to use incorrect license keys when communicating with Cody Gateway, previously requiring a frontend container restart to resolve.

MCP tools are no longer rejected by antigravity and VS Code versions older than 1.32.

Gitserver now automatically reclones repositories when a "fatal: bad tree object XXX" error is observed during a fetch.

Fixed React reset styles overwriting component styles, resolving incorrect list styling

Fixed double scroll issue on prompt pages caused by conflicting height rules between React shell UI and PageLayout.

Fuzzy finder is now always enabled and no longer requires experimental settings.

Removed unused in-app analytics APIs including instanceOwnershipStats, User.usageStatistics, Site.usageStatistics, and Site.analytics.

Removed the experimental opencodegraph feature that was previously behind a feature flag.

Sourcegraph reranker is now disabled by default and can be enabled via a feature flag.

Added a predefined OAuth2 client for the Sourcegraph Raycast extension.

Errors in Deep Search are now displayed inline in the answer section with options to retry or start a new search, replacing the previous error banner.

Added the ability to star favorite threads with a new sidebar tab showing all starred threads in one place.

Upgraded Deep Search to use Claude Sonnet 4.5 as the main model and Claude Haiku 4.5 for summary generation, improving performance while maintaining quality.

Deep Search now displays only new steps for each follow-up question instead of showing all previous steps, reducing confusion in the UI.

GitHub account connections now use Proof Key for Code Exchange (PKCE)

Enterprise Portal now shows SLOs for Sourcegraph Cloud instances to track how the instance is performing.

Adds a warning on the GitHub App page in Sourcegraph to warn site admins that a GitHub App does not have the necessary permissions to enable groups caching.

Fixed pagination cursor to match id-descending ordering, preventing glitches during infinite scrolling.

Fixed incorrect base quota calculation for Deep Search metering when customers have complex license histories with expired licenses

Increased timeout from 1 minute to 4 minutes to reduce timeout errors.

Fixed rendering of the Search Jobs management page when search jobs exist for soft-deleted users.

Return WWW-Authenticate header on 401 responses to advertise OAuth schema to MCP clients.

Used constraints instead of exact match in database version validation

Fixed an issue where permissions sync jobs couldn't be paginated if they referenced a deleted user or repository.

Fix default GitHub and GitLab URLs being incorrectly applied when not explicitly configured in site config.

GitHub Apps now require the Repository administration: read permission for groups caching functionality.

Fixed groups caching validation for GitHub Apps by checking for members: read permission instead of OAuth scopes.

Fixed GitHub sign-in failing due to PKCE data retrieval issues

Decline sign-in attempts for NoSignIn auth providers while still allowing users to connect new auth providers when already logged in.

Removed the VSCode Code Search extension's ability to share authentication credentials with the Cody extension. Users must now authenticate directly with their own credentials or access token.

We have updated the structured response of all MCP tools to conform to the advertised output schema.

The kubernetes executor now idempotentally creates secrets (deleting and recreating it if it exists already) instead of failing the entire job.

Add retry button to resubmit questions when errors occur in Deep Search

Added RBAC to Deep Search. By default, all users have full read and write access for Deep Search, but this can be restricted by changing the default role permissions or by creating new custom roles.

Added a new Explain with Deep Search button in repository navigation that opens a pre-filled Deep Search conversation with context about the current repository or file.

Migrated the batch changes creation page to SvelteKit, including all three UI variations: new template creation, classic form creation, and execution-disabled instruction page.

Batch Changes home page is now rendered within the SvelteKit application framework.

Added a pings page to the site admin interface.

Added global-settings page to site admin interface

Added site admin support to the Svelte app, including Overview, Feedback surveys, and Site configuration pages

Sign-in, sign-up, and post-sign-up pages are now embedded in the Svelte application.

Added a 'request access' page to the Svelte app, allowing users to request access when needed.

Allow 'all' value for requiredSsoOrgs parameter to require authorization to all SSO organizations

Added support for validating GitHub SSO authentication via X-GitHub-SSO headers. Admins can now configure required SSO organizations in the sign-in provider settings to ensure users properly authenticate with SSO-enabled orgs. Error messages for authentication issues are now displayed on the Account Security page.

User profile and settings pages are now rendered in the Svelte app, with improved UI for the profile page and enhanced sidebar navigation supporting menu groups.

Added site admin page for managing outgoing webhooks

Converts schemeless URLs generated by the LLM to absolute URLs to prevent broken links containing /deepsearch/ in the path.

Fixed changeset duplication for Gerrit during network instability by adding pre-retry verification to check if changes already exist before retrying failed operations.

Fixed runtime errors in batch changes changeset diff UI when rendered within SvelteKit

Fixed password validation to properly compare password and confirm password fields across component re-renders

Fixed a race condition where deleting an external account in the middle of a permissions sync could cause permissions for that account to stick around indefinitely.

Gerrit icon now properly adapts to light and dark themes.

Updated redis to 7.4.6-272, which patches CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, and CVE-2025-46819

Fixed an issue where a Perforce user's permissions would not be removed when the user was deleted on Perforce and p4broker was being used as a proxy.

Allow connecting GitHub accounts with no verified emails when already authenticated

• Fixed Gerrit account connection modal not reopening after being closed in external accounts settings
• Fixed Gerrit icon visibility issues
• Improved spacing consistency between React and Svelte external account modals

Fixed password update form validation in user settings

Removed support for LSIF format.

The deprecated site-admin analytics pages have been removed. All Sourcegraph analytics are available at analytics.sourcegraph.com.

Removed support for the deprecated gemini-1.5-pro-002 model

• DeepSearch tool added to the MCP API, enabling codebase assistant integration to run deep search queries and return results with dashboard links

• Added Model Context Protocol (MCP) support to Deepsearch API
• Refactored tool response handling to use strongly typed responses
• Moved error messages and notes to dedicated fields instead of embedding in content
• Removed X-Requested-With middleware requirement for MCP endpoints

• File sources now support multiple line ranges within a single file, reducing visual clutter when different parts of the same file are referenced
• File previews display up to 3 ranges with separators between them
• Backend tools use a new lineRanges array format instead of single lineRange

• Added tracking for when DeepSearch conversations are shared and viewed by others

File filter suggestions now consider existing file filters in the query, providing more relevant autocomplete results when multiple file filters are used.

Added a predefined OAuth client for Visual Studio.

Enables OAuth authentication for Sourcegraph Cody across all IDEs using device flow with authorization_code, refresh_token, and device_code grant types.

Added Claude Opus 4.1 model support to Cody

• Added Workload Identity authentication support for Google Vertex as an alternative to access token authentication
• Fixed issues preventing Gemini models from being used with Cody
• Resolved critical regression that broke Google Vertex Anthropic support
• Introduced authentication cache to optimize Workload Identity authorization performance

Users can now be allowed through the RBAC system to upload SCIP indexes for repositories they do not have write access to on code forge. This also applies to service accounts.

Sourcegraph now supports Bitbucket Server's official way to archive a repository. The workaround of applying an "archived" label is no longer supported.

Support for .git-blame-ignore-revs files in the root of repositories.

experimentalFeatures->tls.external is not experimental anymore. The old setting is still respected, but customers should move to the new top-level tls.external setting. The certificate setting for Bitbucket server, GitHub, and GitLab has been marked as deprecated, the tls.external setting should be used instead and is the only correctly working setting. Both will be removed in a future release.

Prompt pages now embedded in the Svelte app with improved accessibility and testing

Follow-up suggestion analytics events are now correctly recorded as DeepSearchEventRawLLM instead of DeepSearchEventFollowUp.

Improved query performance for retrieving user's most recently updated deep searches by adding a composite database index.

Deep Search now works on smaller screens and mobile devices. The sidebar has been converted to an overlay for better mobile navigation.

Fixed styling issues in the repositories search alert UI.

Fixed OAuth provider matching to correctly handle cases where multiple client IDs are configured for the same URL.

Fixed a bug where the number of repositories a user has access to could be greatly exaggerated on their Repo Permissions page.

Pagination on a user's Repo Permissions page now works correctly.

Fixed theme state synchronization between SvelteKit and React applications

Add redirect from /search/notebook to /notebooks

Fixed incorrect error handling in Git blame that caused unnecessary error logging for missing files.

Error messages now properly distinguish between user and organization name conflicts and are correctly formatted.

Cody API endpoints (anything under /.api/llm) are no longer available.

Mark the EOL Claude Sonnet 3.5 model (anthropic::2024-10-22::claude-3-5-sonnet-latest) as deprecated.

closes: CODY-6235

Fixed model configuration to include reasoning parameter.

Swift code should be now properly highlighted using tree-sitter.
Backport 61c45dfc1e2371fb4e6802f5d877cdcfbb139bce from #7113