Support search contexts in the List Repos tool. The tool now uses a search-based implementation, following the same design as other Deep Search tools such as Keyword Search and NLS Search.

Search context lookup now matches by visible name, namespace, and full spec format, making it easier to find contexts using partial queries.

Diff search can now filter by multiple authors.

Added keyboard shortcut (Cmd/Ctrl+Shift+,) to open the scope picker directly from the Deep Search composer.

Added a code execution 'evaluator' tool to Deep Search that allows sandboxed Lua scripts to call keyword, regex, commit or diff searches and process results programmatically.

Deep Search now uses Sonnet 4.6 as the main agent model.

Deep Search can now more efficiently answer questions about which versions and releases contain a specific commit or fix.

Upgraded zoekt dependency to include a 21% performance improvement in git indexing time

Tree-sitter syntax highlighting support for Gherkin/Cucumber .feature files.

SRC_CODE_INTEL_COMMIT_GRAPH_MAX_ANCESTORS can now be set to alter the default of 100.

Added commit signing toggle to OAuth credential configuration flow for batch changes. Users can now enable SSH commit signing when configuring credentials via OAuth (GitHub, GitLab), matching the functionality previously available only in the PAT flow.

As an alternative to SITE_CONFIG_FILE and EXTSVC_CONFIG_FILE, the entire contents of advanced configuration and external service configuration can now be provided using SITE_CONFIG and EXTSVC_CONFIG respectively.

Automatically retry OAuth2 refresh tokens after transient errors, improving authentication reliability and reducing the need for manual reconnection.

Notify users when their account credentials have expired, prompting them to reconnect.

A Reconnect button now appears on the user settings security page when an authentication token has expired, allowing users to easily re-establish their connection.

Admins can now customize the sign-in page message when built-in sign-up and access requests are disabled using the new auth.accessRequest.disabledMessage site config field (supports Markdown).

Reorganized file tree panel to show reviewed status inline and moved file stats to bottom of page. Updated file tree styling to match VS Code: removed folder icons and aligned file icons with folder toggle buttons.

Long lines in unified diff mode now wrap instead of extending horizontally

Added visual badges to indicate added, removed, and renamed files in the compare view. Deleted files are now automatically collapsed by default.

Added visual level lines to the file tree view to improve readability of deeply nested directory structures. The tree view is now more condensed with slightly smaller item sizes.

Kubernetes jobs launched by the executor service can now be configured with a runtime class via the EXECUTOR_KUBERNETES_RUNTIME_CLASS environment variable.

When creating a GitHub App from Sourcegraph, the corresponding webhook handler is now linked to the App, and deleting the App in Sourcegraph deletes the webhook handler as well.

Added support for Opus 4.7 model in Cody with adaptive thinking.

Exposed the evaluator tool on MCP endpoints.

Added new OBSERVABILITY#{READ,WRITE} RBAC permissions that gate access to observability and debugging admin endpoints (outbound requests, slow requests, gitserver info, background jobs, search stats, observability test alerts).

Add a dedicated EXTERNAL_SERVICES RBAC namespace gating code host configuration (replacing prior site-admin and REPO_MANAGEMENT checks), grant admin UI access to its holders, and surface a high-trust warning for EXTERNAL_SERVICES#WRITE.

Added EXECUTOR_SECRETS#READ and EXECUTOR_SECRETS#WRITE RBAC permissions to allow delegated executor secret administration without requiring full site-admin privileges.

Added new OOB_MIGRATIONS#{READ,WRITE} RBAC permissions that gate access to the out-of-band migrations admin endpoints.

Added new NOTIFICATIONS#READ and NOTIFICATIONS#WRITE RBAC permissions for controlling access to admin notifications and test email sending

Access request management now uses the USER_MANAGEMENT#{READ,WRITE} RBAC permissions instead of the static site-admin check.

Access token management and auth provider validation endpoints now use ACCESS_TOKENS#READ and ACCESS_TOKENS#WRITE RBAC permissions instead of requiring site-admin status, allowing delegated access token administration without full site-admin privileges.

Non-site-admin users can now manage users, organizations, roles, and permissions when explicitly granted USER_MANAGEMENT#{READ,WRITE} RBAC permissions.

Added INTEGRATION_MANAGEMENT#{READ,WRITE} RBAC permission to allow non-site-admin users to manage Slack, incoming webhook, and outbound webhook integrations

Non-site-admin users can now manage entitlements when explicitly granted ENTITLEMENT#{READ,WRITE} RBAC permissions.

Implemented the BATCH_CHANGES#READ permission. This enables administrators to create a role where users can view, but not edit or create Batch Changes.

Added a Compare action to repository branch listings to open the compare view for a branch.

Smart hover summaries now support entitlements.

Upgrade Monaco editor to 0.55.

In Sourcegraph Cloud, some site config fields are no longer configurable by customers, such as auth.allowedIpAddress, as they are managed by our infrastructure.

Admin notifications now alert when credit balance is low, with thresholds at 50%, 25%, 10%, 5%, and 0% remaining.

SCIM-managed users can now add additional non-primary emails

Admins can now set entitlement limits to zero to fully block user access to a feature.

Add entitlements for smart hover summary, enabling site admins to configure usage limits for the feature.

Added monthly (30-day) window option for entitlements

Users are notified when repository permissions are being synced for the first time and when the sync completes.

Fixed visual bug where the read_file tool in Deep Search showed "undefined" if the line range wasn't explicitly set. Now falls back to "1" for a missing start line and "end" for a missing end line, matching how the backend handles missing bounds.

Fixed pluralization of "more ranges" label in file citations to correctly show singular form when only one range is present

Deep Search now displays an error message when reasoning consumes the entire output budget, preventing users from seeing a blank response.

Deep Search keyword and NLS search results now include repository revisions in file and repo results.

Fixed Deep Search title generation failing with "context length exceeded" on deeply forked conversations.

Scoped listRepos to the active search context when a repo-defined search context is selected.

Fixes a bug where some deep search conversations were not indexed for conversation search. This change triggers a full rebuild of the search index for conversation search, which happens in the background.

Conversation search now correctly finds conversations after their titles have been changed.

Fixed a bug where "/"-delimited regex patterns were incorrectly detected in the Fuzzy Finder, which especially for path queries could lead to zero search results.

Slash-delimited inline regex queries now preserve regex escapes and behave like patterntype:regexp.

• Fixed symbol tree panel failing to expand after switching to Deep Search
• Fixed symbol tree and search preview panels jumping unexpectedly on window resize
• Fixed layout distribution to prevent unnecessary collapse of fixed-size panels

Canceled searches are now classified separately from application errors, preventing false-positive SLO burn alerts from normal product behavior.

Fixed an issue where multiple suggestion rows could appear selected simultaneously during Query assist refreshes

Fixed incorrect commit date filter suggestions for "Last week" and "Last month" options, which were using before: instead of after:.

Batch Changes now rejects pushed-only changesets for unsupported code hosts (Bitbucket Cloud) instead of accepting them and failing during reconciliation.

Fixed a batch changes UI error when Bitbucket Cloud pull request metadata is missing its HTML link.

Fixed foreign key constraint violation when re-running batch specs with previously-applied changesets

The Select all button now appears consistently and is more responsive while selecting all changesets on the preview page.

Select All on the batch changes changeset details page will now lazy select all changesets.

Fixed the code host connections page displaying confusing text like "Next sync 4 minutes ago" when a sync was overdue or running. It now shows "Next sync pending." instead.

Fixed incorrect paths used for GitHub OAuth token refreshes

Built-in auth now accepts passwords longer than 72 UTF-8 bytes. Existing hashes continue to work and are migrated on next successful login.

Preserve user permissions when a 401 error occurs immediately after a successful OAuth token refresh, treating it as a transient error rather than a credential revocation. This prevents unnecessary permission wipes caused by GitLab's token rotation eventual consistency and concurrent refresh race conditions.

MCP clients using random ports in redirect URIs no longer require reauthentication when the port changes.

• Fixed GraphQL API requests by adding required Content-Type header
• Fixed code intelligence hover popovers by updating permalink selector for modern GitLab versions
• Added dark mode support for code intelligence hover overlays
• Updated Sourcegraph logo in hover overlay

Restored the GraphQL field Repository.createdAt to return the persisted repository timestamp instead of synthetic time.Now() data.

Fixed license key changes taking up to an hour to take effect.

Improved RBAC permission error message formatting for better readability (e.g. "missing READ permission for REPO_MANAGEMENT" instead of "user is missing permission REPO_MANAGEMENT#READ").

Fixed z-index stacking order issues in repository area pages that caused UI elements to overlap with the header search input suggestions panel.

Upgraded github.com/go-jose/go-jose to address CVE-2026-34986, a potential denial of service vulnerability in JSON Web Encryption decryption.

The "Set your preferred editor" popover now shows the current repository name in the path example instead of a hardcoded placeholder.

Fixed collapsible panel resizing that was broken with Svelte 5.55.0.

Fixed syntax validation for Bitbucket Server code host connection configuration

• Adjusted core navigation popover positioning
• Fixed button shadows in icon variant
• Fixed code insights creation UI layout
• Removed pressed translation CSS rule to prevent layout shifts
• Fixed resizable panel bug when conditionally rendering panels
• Simplified search result UI by removing unnecessary headings

Repository sync failure notifications are automatically cleared after a successful sync

Fixed OTLP receiver in bundled jaeger.yaml to accept cluster traffic by binding to 0.0.0.0:4317 (gRPC) and 0.0.0.0:4318 (HTTP). Previously, after otelcol v0.104.0, the receiver defaulted to 127.0.0.1 and silently dropped traces from other pods.

In non-indexed regex search, when both path and content matching are enabled, searcher now evaluates content even when paths match, ensuring content matches contribute to result counts and aligning counting semantics with indexed search.

Hover tooltips, highlights, and basic code navigation in search-based mode are now powered by Syntactic code navigation.

Clarified Deep Search sharing notice to explicitly indicate that code will be visible to anyone with the link.

Converted Deep Search history sidebar from fixed overlay to inline layout that persists state across reloads

Improved visual feedback when forking conversations

Forked conversations display a fork indicator in the sidebar and thread header, with a "View parent conversation" option in the menu

Added a copy button next to file paths in the Deep Search citations panel for easier copying to clipboard.

Conversation titles can now be renamed by clicking the title or using the rename button in the options menu.

• Deep Search displays a proactive warning at 75% context capacity
• When context limit is reached and summarization fails, Deep Search now shows a call-to-action to fork the conversation

Use TypeWriter effect for smoother Deep Search conversation streaming

Add in-place conversation forking and parent navigation to the Deep Search sidebar. Users can fork a conversation from any question and navigate back to the parent conversation, all without leaving the sidebar. This mirrors the forking behavior already available on the main Deep Search page.

Load mermaid diagram renderer lazily to reduce initial JavaScript bundle size when opening Deep Search.

Tool calls and redis broker operations now have a 2-minute timeout to prevent runaway operations and improve system stability.

Added PDF export option to Deep Search conversations.

Deep Search now uses a faster and more reliable model (GPT-5.4 Nano) to generate conversation titles.

Deep Search users can now fork from any question in an existing conversation. Forking creates a new conversation that includes all questions and answers up to and including the selected question, making it easy to branch into a new line of inquiry while preserving valuable context

When you delete a Deep Search conversation from history, you’ll now see the same small confirmation pop-up used in "Recent conversations".

Deep Search homepage now displays global notices configured with location "home", matching the behavior of the code search homepage.

Improve styling of inline errors in deep search conversations.

Deep Search now receives the user and date info at the start of every conversation.

Code Navigation tooltips can now be used in the Deep Search citations panel without needing to expand a citation.

Commit searches with date filters (after: / before:) are now significantly faster on large repositories.

Indexed search is now faster during both searching and indexing.

Added onboarding prompts to help new users discover Query Assist.

Query assist is now enabled by default for customers with code search licenses who have signed AI terms.

Adds a focus=search URL parameter for the search results page. When present, the search input is focused instead of the first search result, and suggestions are suppressed until the user interacts with the input. This enables external tools (e.g. golinks) to deep-link into Sourcegraph search with the cursor ready for query refinement.

Added Alt+B keyboard shortcut to toggle git blame view in file viewer

Code intelligence hovers are now faster thanks to a simplified architecture that initiates requests earlier during file load and falls back to search-based results more quickly when precise data is unavailable.

Batch change admins can now select changesets and trigger a high-priority status sync from the code host using the "Sync changesets" bulk action on the batch change detail page.

GitHub OAuth tokens can now be used as Batch Changes credentials, providing an alternative to personal access tokens and GitHub Apps.

Added agentic workflows client prototype with three main pages: home page listing predefined workflows and running instances, template page with canvas UI for workflow configuration, and running instance page with logs and outputs panels for monitoring workflow progress.

Usage export now includes user metadata, eliminating the need for additional lookups based on user_id.

Include whether a user is a service account in opt-in user metadata exports.

Add filter support to ListConversationSummaries. Two filter types are supported: content_query for substring search (min 3 characters) and starred for filtering by starred status. Duplicate filters of the same type are rejected with InvalidArgument.

Add a basic repositories service to the Sourcegraph API that can fetch repositories by their ID.

A default ReferenceExample authentication provider is now available in /api-reference. Users can click "Authorize" in the "Authentication" modal to use their own credentials when making test requests in the reference.

The GetUser RPC now supports looking up users by their verified email address using the name parameter, for example: GetUser({ name: 'users/[email protected]' }

The users.v1.Service API now returns verified emails associated with the user.

Add repos field to Azure DevOps external service for explicit repository selection

Updated the required src CLI version to 7.0.2, with OAuth support and more.

Retry git operations on executors to improve reliability during gitserver pod shutdowns.

Admins now receive notifications to clean up GitHub Apps on Sourcegraph if they have been deleted on GitHub.

Normalized LLM provider stop reasons into a consistent enum, enabling provider-agnostic error handling for refusal and content filter cases in deep search and subagents.

Added support for specifying reasoning effort overrides per request, allowing different applications to use different thinking levels with the same model.

Add support for GPT-5.4 models (base, mini and nano).

Added a thinking variant of Claude Sonnet 4.6 to the model selector for comparison and testing purposes.

Add support for Gemini 3.1 Flash Lite

The Code Intelligence Platform and Cody Enterprise plans no longer require a separate license key to use AI features beyond Cody. Deep Search, AI query assist, and future AI features are now automatically enabled on these plans.

MCP tools now validate arguments earlier and provide clearer error messages that mention the specific argument incorrectly used.

• MCP read_file: Large files (>128KB) now return the first 200 lines (further capped by bytes to avoid huge responses from files with very long lines) as accurately line-numbered content. The truncation notice is returned in ToolExecutionResponse.Note instead of being appended to the file content, preserving the guarantee that each numbered line corresponds to an actual file line. Binary files are detected and return a clear message with MIME type instead of a misleading line count.
• MCP nls_search: Tool description rewritten to accurately describe OR-logic keyword matching with stemming. No longer claims to be "semantic search". Includes explicit examples of correct vs incorrect query formatting.
• MCP list_repos: Now accepts an empty query to list all available repositories. A default pagination limit is always applied at the database layer to prevent unbounded table scans.
• MCP tool descriptions: Removed redundant preamble from all non-dotcom tool descriptions.

Added a new RBAC permission MCP#ACCESS for accessing MCP endpoints under /.api/mcp.

Added a new "/all" MCP endpoint that users can opt into before it becomes the default in the next release.

Added site configuration mcp.enabled to allow admins to disable MCP API endpoints instance-wide

Added MCP tool behavior annotations so Sourcegraph tool definitions now expose safety hints like read-only, destructive, idempotent, and open-world to clients

For self-hosted customers:

• Grafana panels now display informative tooltips on hover to help interpret each panel
• Gitserver and Zoekt Grafana dashboards now include improved explanatory text for resource usage interpretation

Added granular SITE_CONFIG#{READ,WRITE} RBAC permissions for site administration endpoints, allowing non-admin users with the appropriate role to view or modify site configuration options.

Administrators can now grant non-site-admin users the ability to manage repositories and code host connections through the new REPO_MANAGEMENT permission. Users with this permission can access the Repositories section of the admin interface without requiring full site administrator privileges.

Gitserver can now be scaled up or down without downtime using secondary fallbacks and a graceful drain mechanism via the SRC_GITSERVER_DRAIN_SHARDS environment variable.

Added sort by last committed (asc/desc) to /admin/repositories, making it easier for admins to identify stale repositories.

Repository pages now show repository icons sync'd from code hosts.

Inline markdown (such as backtick-wrapped code) in changelog post titles and taglines now renders correctly in the in-product changelog modal.

External services with expired credentials are now automatically suspended and will not retry syncing until credentials are updated. The UI displays the suspended state and prompts admins to take action.

Support GitHub's theme-specific image syntax in markdown rendering, allowing images to adapt based on light/dark theme context.

Added adminOnly attribute to notices configuration, allowing site administrators to create banners visible only to other admins.

Self-hosted Sourcegraph no longer requires separate buckets for LSIF uploads and search jobs: a single SOURCEGRAPH_UPLOADS_ bucket can now be used for all features. Existing configurations for AWS S3 and GCS object storage will be respected for LSIF uploads and search jobs. To learn more, refer to https://sourcegraph.com/docs/self-hosted/external-services/object-storage

Added warning to administrators when the new sourcegraph bucket requirement is not fulfilled. Self-hosted customers using GCS or AWS S3 will soon need to manually prepare this bucket - see https://sourcegraph.com/docs/self-hosted/external-services/object-storage for more details.

Deep search now displays tool call errors instead of silently showing no results.

Fixed an issue where clicking "Cancel" while a Deep Search conversation or follow-up question was being created would be silently ignored. The cancel now executes once the server responds with the conversation/question ID.

Fixed token limit error incorrectly suggesting to fork on the first question when there's no prior context.

Adjusted copy button positioning in deep search code blocks for more balanced spacing.

Fixed summarization failures in Deep Search when token limits are exceeded.

The prompt editor now automatically receives focus when the /deepsearch page loads.

Fixed explore panel not populating when using "find references" from citation hover cards by including the end position of the symbol range.

Cancelled Deep Search questions now remain visible in conversation history when asking follow-up questions.

Add copy button to code blocks without a language specifier in deep search answers

Aligned error boxes with question cards in deep search interface

Fixed visual jitter of question-answer pairs in forked conversations during streaming.

Hide the fork button on DeepSearch answers that are part of the fork origin context.

MCP and Deep Search tools now surface search alerts when a query matches no repositories, times out, or hits another issue.

Reduced visual jitter in conversations by only animating the most recent answer card instead of all cards during conversation reloads.

Fixed an issue where deleted Deep Search conversations could reappear in the history sidebar or recent conversations menu. Deleted conversations are now consistently removed across both views.

Fixed source reference pills in the deep search prompt editor and question cards from triggering unnecessary page reloads when clicked. Pills in the prompt editor are now non-clickable, while question card pills only navigate when showing different content than currently displayed.

Fixed symbol search and conversation search not returning results in the command palette.

count and timeout fields now apply consistently across OR expressions in search queries.

All citations and sources are now always visible for Deep Search conversations, with consistent counts between the conversation header and the right sidebar.

Disabled a recent optimization in search indexers which sometimes led to git processes with large memory usage while indexing a repository.

Query assist promo now remains visible in search suggestions after onboarding, positioned above the "Narrow your search" section instead of being removed entirely.

Hid the Query Assist promo suggestion after a user starts typing a query.

Unindexed search now uses the same maximum file limits as indexed search (1 MB instead of 2 MB).

Fixed non-deterministic count of "skipped files" in index options. For large repos, the count could fluctuate with every page refresh.

When switching from Precise to Search in the Explore panel, fetch search-based results from the API instead of showing an empty tab. Previously, the Search tab reused the same precise query and showed no results.

Fixed explore panel not showing local references in certain situations when clicking "Find references" on a local symbol.

Removed deprecated PRECISE_CODE_INTEL_UPLOAD_TTL environment variable. Configure CODEINTEL_UPLOADSTORE_EXPIRER_MAX_AGE on the worker container instead.

Fixed an issue where enqueuing already existing Precise auto-indexing jobs resulted in a warning.

Fixed bulk delete to only affect uploads from the active tab (auto-indexing or user uploads), preventing unintended deletion of uploads from the other source.

Fixed database constraint for pushed-only changesets to align with application code

Fixed setup error display for GitHub Apps and OAuth apps in code host connections

OAuth authentication options are now hidden when adding site credentials for batch changes, as OAuth is not supported for site-level credentials. Only Personal Access Token authentication is shown for GitLab and Bitbucket site credentials.

Deleting a batch changes user credential now also removes its associated BATCH_CHANGES external account, preventing orphaned accounts while preserving AUTH accounts to maintain user access.

Fixed error when updating changeset events with GitLab pipeline metadata

Fixed incorrect GitHub review statuses showing as pending after a PR is merged

All GitHub Apps, including ones used for Batch Changes, can now be deleted from the /admin/github-apps page.

Fixed OAuth client scope selection for admin-created clients

Fixed an issue where GitHub App code host connection pages without an installationID would crash.

Admin notifications for deleted code hosts are now automatically cleared.

MCP clients using random ports in redirect URIs no longer require reauthentication when the port changes.

Fixed OAuth device authorization endpoint advertisement to match the actual registered endpoint path, preventing 404 errors for clients using metadata-based discovery.

Enabled OAuth tokens to make API requests on sourcegraph.com

• Kubernetes executor jobs now include a run ID in their name to ensure uniqueness for each execution
• Labels (job-id, queue, run-id, commit) and repository annotation added to jobs for easier querying and debugging

Reduced the number of stale executors tracked in the executors list.

Deprecated statusFilters in modelConfiguration to simplify model availability. Sourcegraph now automatically determines which models should be available, eliminating cases where important models may be accidentally excluded through configuration. Individual and provider-specific models may still be excluded through modelFilters.

Fixed auto-edit failures on instances using modelConfiguration.systemPreInstruction.

Fixed tool call events for Gemini models to prevent client-side errors when mapping responses to tool calls.

Preserve raw JSON bytes in Anthropic tool-call handling to prevent cache invalidation caused by JSON reformatting.

MCP endpoints now accept Personal Access Tokens using the standard Authorization: Bearer <token> format for compliance with the MCP authorization specification (RFC 6750).

Fixed certain notifications not appearing in the sidebar admin alerts

Grandfathered in the MCP#ACCESS RBAC role to all existing service account roles to avoid restricting access if your system role previously used MCP.

Acronyms in RBAC namespaces are now correctly displayed in uppercase (e.g., "IdP" instead of "Idp").

Fixed unwanted shadow and border styling on role collapsible headers in the RBAC roles page

Fixed edge-case in gitserver where zero repos on the primary shard caused database errors when syncing repo status

Fixed cross-site scripting vulnerability where repository file paths containing HTML metacharacters could execute arbitrary scripts when viewing file diffs.

Fixed Slack bot not responding in Enterprise Grid environments with shared channels or org-level installs

Fixed GitHub icon display in dark mode on the code host connections configuration page

Removed duplicate close button from export modal

Improved performance when retrieving git notes for commits

Fixed cache disk filling up due to temporary files never being cleaned up after process restarts.

Removed Mixtral 8x22B Instruct model from available model configurations

Gemini 3 Pro and 2.0-flash-exp are not accessible anymore.

Support unlimited results when the query specifies a count: parameter, removing hardcoded limits.

Fixed the Product license page in the admin section crashing when the Sourcegraph license is invalid or revoked.

• Use site config defined batcheshelper image unless explicitly overridden
• KUBERNETES_JOB_STEP_IMAGE should override pre / post images

Fixed the prompt detail page (/prompts/:id) returning "must specify owner or viewerIsAffiliated args: must be site admin" for non-admin users by adding the missing viewerIsAffiliated: true argument to the PromptsDetailPage query.

Deep Search now displays deepsearch_read tool calls with a dedicated UX.

Deep Search can now read other Deep Search threads when you include a URL in your conversation.

When Deep Search sidebar is opened from a repository's root page, the conversation now includes the repository name as context.

Improved ranking of file suggestions in @-mention of the Deep Search sidebar in the blob view. Results from the repository the user is currently browsing are prioritized.

Added shareable URL field to Deep Search API responses

Failed questions are now automatically hidden after a successful retry or follow-up question

Deep Search now uses Claude Sonnet 4.6 as the main agent model.

Persist unsubmitted Deep Search queries in sessionStorage, preventing loss of unsaved queries during accidental navigation.

Added a search bar to the history panel of Deep Search

Commit search results now display a count of git notes attached to each commit.

Deep Search and MCP tools now return outputs in a more compact format, reducing token usage.

Search now automatically redirects to the file view when only one result is returned, with an info toast notification. Back navigation returns to search results without re-triggering the redirect.

Added syntax highlighting support for JSONC files.

Code intelligence dashboards now allow filtering indexing errors by time range (last 7 days, 30 days, 90 days, last year, or all time).

Added admin-only network diagnostic endpoints (/netdiag) for testing proxy and load balancer compatibility, including upload, download, timeout, SSE streaming, and latency tests to verify ingress reverse proxy configuration.

Invalid keys that are not in the advanced configuration schema are now highlighted in the configuration editor.

The "Report a bug" page is now available to all authenticated users in user settings, instead of only to site admins in the site admin area.

Site admins on self-hosted instances now see a warning notification on the admin dashboard when telemetry export has failed persistently, including the target address and last error. The notification auto-clears once export recovers.

When the site configuration auth.idpDynamicClientRegistrationEnabled is set to false, existing DCR registered clients and tokens are disabled.

Optimised assigning pending permissions to newly created users

Integrations page now includes "Add to Cursor" and "Add to VS Code" buttons for Sourcegraph MCP.

Added a new RBAC permission SEARCH_CONTEXTS#WRITE_GLOBAL for managing global search contexts. Users with this permission can manage global search contexts independently of site-admin status.

Added background worker jobs that compile repository activity data.

Filesystem operations in gitserver and archive extraction use Go 1.24's os.OpenRoot API, replacing manual path-traversal checks.

Multiple Slack workspaces can now be connected to the same Sourcegraph instance. Visit the Administration > Slack integration page for setup.

Site admins can now set up the Slack integration for link unfurling independently of Deep Search, and control whether Deep Search is allowed in Slack via a new "Allow Deep Search" toggle on the Slack integration admin page.

Truncated deep search responses now show a rich preview card automatically via link unfurl, with a single "Send full response to thread" button replacing the previous prompt with two buttons.

Added a user setting to disable the Deep Search Slack integration CTA. This can be set globally for all users under Administration > Global Settings by adding "deepSearch.slackCta.disable": true,

Enable Slack agent mode, allowing users to interact with Sourcegraph via the split-view pane in Slack's top bar

Show a warning when entering a GitHub App base URL that contains a path

• Added support for fixed-size panels (px, rem, em)
• Added keyboard navigation support
• Added ARIA window splitter specification compliance
• Migrated implementation to Svelte 5

Error messages now appear on the repository settings page when reclone or fetch scheduling operations fail, improving visibility into repository synchronization issues.

Show error state when requesting a manual reclone or sync fails for a repository

Expanded fuzzy finder into a command palette. Click, click, click. "Wait? Where's that option gone...? Damn, they changed the UI again!" Say no more, we've got you. We've upgraded our fuzzy finder into a full-blown command palette.

Jump to parts of Sourcegraph you need quickly and easily. Search files, repositories and symbols in flash. Just CMD/Ctrl + K.

This is just a starting point to making all parts of Sourcegraph more accessible, and if we're lucky, maybe even reduce some RSI.

Access tokens now display their last 5 characters in the UI, making it easier to identify which token corresponds to credentials stored in configuration files or environment variables.

Expired access tokens are now visible in the UI and marked as expired, allowing users to identify and delete them for easier token management.

The changelog modal now includes deep links: the header 'Changelog ↗' link navigates to the specific changelog post, and a new footer link 'View all changes in this update' directs users to the release page's details section.

Git notes are now displayed on commit pages and in commit elements throughout the UI. On commit pages, full notes are shown, while other views display a count of notes.

Users can now view their own entitlement usage under the new "Entitlements" tab on the user settings page (/settings).

Deleting a feature flag now automatically removes its per-user and per-org overrides.

Add src CLI usage guidance to the integrations page

Entitlement warnings and errors now display correctly when entitlement limits are reached.

Quota warnings and errors now display correctly in the Deep Search UI when quota limits are reached.

Improve reliability of conversation title generation by reducing reasoning overhead for simple tasks.

Harden Deep Search image upload validation to verify content type matches declared MIME type.

Fixed citation UI header styling in Deep Search to match search result page appearance in dark mode.

• Fixed citation block overflow issues with file names and paths using right-to-left text layout
• Added tooltips to display full file paths when truncated
• Fixed line number background in code preview
• Added dynamic border in code preview when scrolling horizontally
• Fixed star and delete button styling on selected items

Fixed a bug in @-anchor detection that could cause the selected suggestion to be inserted at an incorrect position in the prompt, particularly when line breaks were involved.

Fixed recent conversations flashing when toggling the sidebar and ensured conversation deletes sync across components.

Prevented memory exhaustion from crafted images by limiting decompressed image size to 25MP.

Fixed Deep Search in the repository sidebar so follow-up responses now stay auto-scrolled as results stream in.

Fix pasted text formatting in the Deep Search input

Remove user info from Deep Search prompt to improve handling of codebase-wide questions.

Fixed "Markdown copied" and "JSON copied" notifications being cut off when the sidebar is collapsed.

Fix deep link detection in deep search conversation URLs.

Fixed copy buttons in Deep Search answers to show green check marks and updated tooltips.

Limited the maximum width of the Deep Search sidebar to 920px for better readability while maintaining full width on mobile devices. Prompt and answer sections now use the full available sidebar width.

Optimized context handling in Deep Search sidebar conversations to avoid resending identical source reference context from previous questions.

Fixed incorrect panel state when navigating between search results and file views

Search results toolbar is now more responsive, keeping result stats and action buttons stable and readable across screen sizes.

Improved selection visibility in CodeMirror for pre-selected and cursor-selected lines

On the commit page, the copy button next to the abbreviated commit SHA now copies the full SHA instead of the abbreviated SHA to the clipboard

Fixed "Find references", "Go to definition", and "Find implementations" buttons in the search results file preview panel, which previously had no effect when clicked.

Significantly improved Precise code navigation performance by optimizing symbol ranking and query ordering, reducing lookup times from timeouts to seconds.

Fixed a data race in the search method that could cause panics when concurrent goroutines modified the thread status map. The search method now safely retrieves a snapshot of thread statuses while holding the appropriate lock.

Moved the enqueue auto-indexing form to appear only when viewing the auto-indexing jobs tab.

Optimized upload discovery query by reversing join order and preventing full upload table scans, eliminating timeouts on large instances

Fixed pagination bug that caused missing results and infinite loops when one data source (uploads or indexes) was exhausted before the other

Error codes returned by codeintel upload API are now consistent: 401 is used for token problems and 403 for permission problems

Fixed broken documentation link in Batch Changes settings page that previously returned a 404 error

Fixed an issue where creating a GitHub App through the Batch Changes settings interface would fail.

Fixed a bug where password reset links generated immediately after updating the external URL in site config could use the previous (or default unconfigured.sourcegraph.com) URL due to a stale cache. The external URL cache is now invalidated whenever site config is saved.

Fixed panic when telemetry allowlist entries are configured via environment variable

Fixed M2M credential names and descriptions containing apostrophes or other special characters being displayed with raw HTML entities (e.g., ' instead of ').

Fixed account security page to correctly show SAML connection status when the SAML provider does not provide standard attribute statements.

Changed the OAuth consent screen messaging for third-party MCP clients from "has not been verified by Sourcegraph administrators" with an "Unverified" badge to "Third-party" badge with simpler trust guidance.

Service accounts are now excluded from the registered users count on the administration users page and license page, and shown separately with their own count.

Remove the option to configure completion quotas when Cody is disabled. Unless Cody is enabled, this configuration no longer has any effect.

Set the HOME environment variable in executor job pods to ensure processes running in the pod containers use the mounted volume instead of falling back to /.

Propagated KUBERNETES_FS_GROUP environment variable to the executor job pod's security context.

Improved handling of extremely large outputs when a worker executes commands

Loading GitHub App code host connections from a declarative config file no longer prevents frontend pods from starting when failures occur.

Fixed GitLab OAuth login failures caused by API rate limiting when allowGroups is configured and the user belongs to a large number of groups. Group membership is now verified with a single targeted API call per allowed group instead of paginating through all user groups.

Fixed a bug where the permissionsSyncJobs GraphQL resolver would only return a maximum of 100 results, despite it being documented as 500.

This increases the timeout on SMP from 2 to 10 minutes and also removes the capability to override the timeout by setting the header "X-Timeout-Ms".

Preserve Gemini thinking signature when thinking text is empty to prevent inference failures on tool calls

sampling.retain trace attribute is now only set when tracing is explicitly requested via ?trace=1 query parameter or X-Sourcegraph-Request-Trace header, rather than being set for all requests when observability.tracing: { sampling: all } is configured. Behaviour in other sampling modes (selective, none) is unchanged.

Removed redundant permission sync jobs to prevent queue growth

Fixed incorrect status reporting for long-running repository clones

Fixed queue position calculation for repository optimization to exclude soft-deleted repositories

Improved Slack integration error messages when an associated Sourcegraph account email could not be found, informing the user how to resolve the issue themselves.

Slack app manifest now always displayed on the Administration > Slack integration page for reference, irrespective of integration status.

Icon and link button variants no longer incorrectly display borders, shadows, or push-down effects when used in expandable sections and tree nodes.

Removed stale preload for sourcegraph-mark.svg that was causing browser warnings on SvelteKit pages where the asset is not used.

Improved contrast for raised and muted backgrounds in dark mode. Fixed code insight centered legend button styling.

Fixed curl request examples to include required content-type header for GraphQL queries.

Blame gutter now uses a muted background color for reduced visual contrast.

Added /integrations to the frontend Go router static page entries so requests are served by the Svelte-backed UI page instead of returning 404.

Schema migrations now terminate blocking transactions by default to prevent upgrades from stalling on long-running queries.

Remove expandable step previews in Deep Search.

Removed feature to replace manual uploads with auto-indexing.

The update.channel site-config setting no longer has any effect. Pings and update checks are now controlled by license features.

Removed Gemini 2.0 Flash and Flash Lite models, redirecting usage to Gemini 2.5 Flash

The deprecated native Jaeger export option has been removed. To set up a tracing backend, refer to our documentation.

The advanced settings experimentalFeatures.deepSearch.enabled and experimentalFeatures.deepSearch.sharing.enabled are now deprecated. Please use the new top-level fields deepSearch.enabled and deepSearch.sharing.enabled instead. To give customers time to migrate, we will support both the old and new fields for several releases. The precedence is: top-level > experimentalFeatures > default.

The site config batchChanges.nativeServerSideExecution replaces the feature flag native-ssbc-execution. Support for native-ssbc-execution will be removed in a future release.

Renamed sidebar entries from "Permissions" and "Roles" to "Repository permissions" and "Role-based access control" for clarity.

Enabled collection of user IDs in telemetry when admins delete users to improve user deduplication.

Renamed the "Account security" settings menu item and page heading to "Security".

Resolved security vulnerabilities CVE-2026-25121, CVE-2026-25122, and CVE-2026-26958 by updating apko and edwards25519 dependencies.

Added KUBERNETES_EXECUTOR_POD_SECURITY_CONTEXT and KUBERNETES_EXECUTOR_CONTAINER_SECURITY_CONTEXT to configure Kubernetes Executors pod and container security contexts.

Fixed an issue where Gemini 3 Flash was incorrectly marked as experimental, preventing query categorization, title suggestions, open-source research sub-agent, and the finder tool from working on customer instances with model status filters.

The Finder subagent has been reverted while we investigate some issues.

Improved prompt caching for system prompts and tool descriptions, resulting in lower latency and reduced token costs for deep search queries.

Added a debug GraphQL query to view telemetry events queued for export.

The API now supports users/- as an alias for the authenticated user, in addition to the existing users/~self alias.

The Enterprise Portal access error page now explains that site admin access on a Sourcegraph instance does not automatically grant access to the Enterprise Portal, and directs users to contact their support engineer. The instance admin dashboard analytics card also clarifies that a separate account linked to the customer's subscription is needed.

When no Deep Search quota is available, the error now renders correctly instead of showing NaN

Deep Search subagents now consistently produce summaries for the main agent to consume.

Fixed newly created batch changes incorrectly showing "Updated by a deleted user" in the header byline.

/api/users.v1.Service/ListUsers now returns a better error for invalid active period filters. The API reference also no longer shows an example with ACTIVE_PERIOD_UNSPECIFIED.

Made parent field optional on ListConversationSummaries RPC, defaulting to the authenticated user when omitted.

Fixed authentication for codex and older versions of Cursor and VSCode to correctly include the "mcp" scope when authenticating via OAuth for MCP endpoints.

Azure DevOps repositories marked as disabled are no longer cloned or surfaced as synced repositories in Sourcegraph.

• Premade prompts in the dropdown menu now work as expected
• Large files no longer encounter token limits

Fixed migrator drift check failing for codeintel/codeinsights schemas in IAM-authenticated environments by ensuring the frontend schema connection is always included when version checking is enabled.

Fixed executor src-cli download failing when the latest version API call errors.

Kubernetes-native executors can now run as a non-root user by setting KUBERNETES_RUN_AS_USER, KUBERNETES_RUN_AS_GROUP, and optionally KUBERNETES_FS_GROUP environment variables on the executor service. When using Helm, add these to your override.yaml:

executor:
...
  kubernetesJob:
    fsGroup: 100
    runAsGroup: 101
    runAsUser: 101

Note that "100" and "101" are the values Sourcegraph images use for the sourcegraph user. Adjust these values for your environment.

Fixed repository permissions being dropped when permission syncs failed due to configured internal rate limits.

Fixed URL parsing to handle legacy format URLs correctly, preventing unintentional truncation of repository names.

Improved Slack integration behavior when a Deep Search takes longer than a few minutes to complete, showing a helpful link preview instead of Deep Search timed out.

Fixed error message shown when a non-author attempts to ask a follow-up question in Slack.

Deep Search now displays a warning banner when answers are truncated due to output token limits.

Citations in Deep Search conversations are numbered continuously across all questions. When the same source is referenced in multiple questions, it reuses the original citation number, making it easier to track sources throughout a conversation. The citations panel auto-scrolls to show relevant sources as you navigate between answers.

Deep Search now provides better answers to "what have I worked on recently" questions by automatically including current user and date context.

Added Deep Search conversation search to the fuzzy finder, allowing users to search past conversations by title or content using Cmd+J (or Ctrl+J on Linux/Windows).

Moving to Code Navigation from Deep Search file previews opens a side panel where the conversation can be continued while exploring the codebase.

When Deep Search is enabled, it replaces Cody Web in the UI. The /cody/chat route and Cody sidebar are no longer shown.

Reintroduced the get_contributor_repos tool to enable queries about contributor activity.

Added quick conversation navigation by holding Opt (or platform equivalent) to bring up an answer navigator

Added button and keyboard shortcut to upload images to Deep Search

Added Cmd+. (Mac) / Ctrl+. (Windows/Linux) keyboard shortcut to start a new Deep Search conversation from anywhere within the interface.

@mention suggestions now remember recently used repositories and show them instantly

Deep Search now streams answers with a typing effect, improving perceived latency.

Added context window indicator to inform users of how much of the context window has been used.

Include images in Deep Search questions by pasting or dragging up to 2 images per question (5MB max each) to share screenshots, diagrams, or error messages.

File preview in Deep Search now supports code intelligence features including hover tooltips, go to definition, and find references.

Deep Search conversations now display a Slack icon in the thread header when initiated from Slack, providing a direct link back to the original Slack thread.

Reduced Deep Search conversation persistence from 24 hours to 1 hour, and sidebar open/closed state now resets on page refresh instead of persisting indefinitely. Conversations can always be restored from the history panel.

Deep Search now uses a dedicated subagent for finding relevant files, reducing token usage and allowing more thorough searches before reaching context window limits.

When the search input is empty, a "Recent searches" suggestion group now appears showing up to 5 of your most recent queries with syntax highlighting and clock icons. Selecting an entry populates the search input with that query.

Added a new site config option batchChanges.restrictMergeToAdmins to restrict merge and auto-merge actions to site admins only.

Site admin authentication settings now offer password policy presets (Standard, Strong, Fortress) instead of requiring manual configuration of each complexity rule. Session idle timeout uses an explicit checkbox instead of empty-field conventions. Access request toggle is disabled with an explanation when built-in signup is already enabled.

Added a form-based UI for managing authentication settings including session management, signup controls, password policies, and access restrictions, replacing the need to edit raw JSON configuration.

Added a dedicated UI in the site administration area for configuring TLS/mTLS settings.

• Renamed site admin "Site configuration" page to "Advanced configuration" and moved it to the bottom of the Configuration section in the sidebar
• Added vertical resize capability to the JSON settings editor container

Added a dedicated page in the site administration area for configuring email SMTP settings.

Admins can now update the license key directly from the License page

Consolidated Background jobs and Code Insights jobs pages as tabs within the Diagnostics page.

Added query parameters to the Diagnostics page to make tab selection shareable and bookmarkable. Old diagnostic routes now redirect to the new page with the appropriate tab selected.

Consolidated Pings, Migrations, Outbound requests, and Slow requests pages under a single "Diagnostics" page in the site admin sidebar.

Administrators can now mark an email as verified when creating a user.

Reorganized site admin sidebar navigation: Repositories section now lists repos before code hosts, Users & auth section moved higher, new Integrations section groups Slack/webhooks, and redundant API Console and Documentation links removed.

A warning is now displayed on the repositories administration page when authz.enforceForSiteAdmins is enabled.

Users now see a modal informing them their session has expired, with an option to redirect to the sign-in page.

GitHub privacy emails (format: <ID>+<username>@users.noreply.github.com) are now resolved to Sourcegraph users when the GitHub account is linked, improving user attribution on commit pages and other views.

auth.idpDynamicClientRegistrationEnabled is now enabled by default for easy MCP access.

OAuth Clients registered via Dynamic Client Registration are now limited to the "mcp" scope only, improving security by preventing overly permissive applications.

Added a new mcp scope for issuing access tokens or OAuth tokens with access limited to MCP tools only. This provides a more restricted alternative to the previously required user:all scope.

Added a search bar to the Code Insights "All Insights" tab, enabling users to quickly filter insights by title instead of scrolling through paginated results.

Group Results (Compute) Code Insights feature is now generally available and no longer requires an experimental feature flag.

• Fixed CSS token cascade issues causing broken UI in Cody Web
• Fixed prompts editor layout shifts and focus state
• Fixed modal rendering issues
• Fixed z-index overlaps for tooltips and popovers

Added a worker that runs ANALYZE on database tables on weekends to optimize query performance.

Added KUBERNETES_JOB_HOST_NETWORK environment variable for the Executor service to enable host networking for Kubernetes job pods. This is useful when pods need to access routes accessible by the host but not from the pod, such as when running a kind cluster on podman.

On sourcegraph.com, MCP tool descriptions now explicitly indicate they search open source code, making it easier for AI agents to distinguish between public and private Sourcegraph instances.

Repository recloning operations now display real-time progress updates on the repository mirroring page. The reclone and fetch buttons are hidden while a reclone is in progress.

Gitserver now coordinates optimization tasks per repository, ensuring only one optimization runs at a time with priority-based preemption.

Repository optimization now writes incremental progress reports, making it easier to monitor long-running optimization operations.

This enables us to render the Slack identity of a user instead of just the Sourcegraph username.

Added instructions for uploading a profile picture to the Slack app.

Add "View in Sourcegraph" button alongside "Show Full Response" for long answers

Users can now send direct messages to the Slack app for Deep Search. To use this feature, uninstall the app, update the manifest, and reinstall the app.

Slack integration now supports rich link previews for code file links.

Slack integration now supports asking Deep Search questions with images in the thread, with a maximum of 2 images per message.

Slack integration now uses the ContentBlocks API to pass thread context as structured data instead of prepending it to the question text.

Added a dismissible banner to the Deep Search homepage featuring the new Deep Search Slack integration.

Slack configuration errors are now displayed in the Administration -> Notifications area.

Sourcegraph now supports rich link preview for search links in Slack.

Verbose responses in Slack now include an AI-generated summary, providing immediate insight before expanding the full response.

Removed the 30-minute expiration for deferred Slack messages, so unfurled responses are now always available.

Added an interactive button to handle lengthy Slackbot responses (over 3,000 characters). Users can choose to view the full response inline or in the Deep Search thread. Full responses are temporarily stored for 30 minutes, after which users must view them in the Sourcegraph instance.

Removed the feature flag UI from the site admin interface for all non-Cody self-hosted Sourcegraph instances. Site admins that still need to manage feature flags can do so using the src CLI tool with GraphQL API commands.

Removed the feature flag UI from the site admin interface for all non-Cody self-hosted Sourcegraph instances. Site admins that still need to manage feature flags can do so using the src CLI tool with GraphQL API commands. See this docs page for instructions on how to do so.

Repository URLs now use the /r/ prefix (e.g., /r/github.com/owner/repo). Old top-level repository routes automatically redirect to the new format for backward compatibility. This prevents conflicts between product routes and repository names.

• Easier discovery of everything Sourcegraph can do. As the platform has grown, some capabilities have been harder to find in the old horizontal navigation. The new expandable vertical menu makes it easier to access, explore, and understand the full range of features available.
• Optimized for the way developers actually work. Most developers use Sourcegraph on laptops and larger displays. The vertical nav makes better use of that screen space, while still working well on smaller devices.
• A dedicated space for important updates. The new layout gives a clear, unobtrusive place to highlight major features and announcements so important updates aren't missed.
• A refreshed, modern interface. This update is part of a broader effort to improve the platform's visual clarity, reduce clutter, and move away from the older tab-based top navigation.

Access requests are now displayed as a status notification.

Added a 'What's new' popover in the navigation that displays recent changelog posts, allowing users to discover new features directly within the product.

Hides several admin UI elements on Cloud that are not relevant and actionable to customers on Cloud, including gitserver disk details, email delivery configuration, Updates/Gitserver/Observability pages, OOB migrations, license key form, and gitserver storage warnings.

Diff pages now load faster by initially rendering plaintext hunks and lazily loading syntax highlighting as hunks are scrolled into view.

Entitlements now support an hourly option.

Administrators can now reset user entitlement usage via the "Entitlement usage" page.

To support moving off of notebooks, we're providing an exports API. The GraphQL query field notebookExports provides markdown exports of all notebooks with filtering options.

Added toast notification system with helper functions and custom Sourcegraph styling for light and dark themes.

Improved error handling when token limits are exceeded by estimating prompt size before LLM calls and ensuring errors are displayed in the UI.

Fixed tool renderers to display "0 results" instead of raw JSON when no results are found.

Deep Search now resumes automatically after server restarts instead of getting stuck in a pending state.

Added support for Proto/Protobuf, SCSS, Groovy, PowerShell, CMake, and Makefile highlighting in Deep Search markdown code blocks.

Fixed URLs in deep search results being incorrectly double-prepended with the domain when they already contained the external URL.

Fix errors when deleting Deep Search conversations while they are still processing.

Fixed horizontal scrolling in the Deep Search sidebar when a long filename context chip was displayed.

Fixed a visual bug where a draggable divider line appeared on the right edge of Deep Search on narrow screens.

Fixed overflow issue in search input history mode

Search-based symbols in the symbol tree now preserve the current file view (e.g., blame view) instead of resetting to code/raw view.

Fixed symbol sidebar toggle reliability and made Deep Search, Cody, and Symbol sidebars mutually exclusive so only one can be open at a time

Hid expand/collapse button for path search results that have no expandable content

Fixed alignment of code intelligence preview popover when blame panel is visible

Fixed inconsistent alignment of the batch change state pill (OPEN/CLOSED badge) in the batch changes list.

Fixed author attribution when signing batch changes commits with GitHub Apps by appending a Co-authored-by trailer to preserve the original author.

GitLab OAuth tokens are now properly validated using the /oauth/token/info endpoint to check scopes, while personal access tokens continue to use the /user endpoint. This ensures correct token validation behavior for both authentication methods.

When connecting a code host identity to Batch Changes, errors are now correctly surfaced in the UI.

Fixed incorrect pattern syntax in the "GitHub Actions: Pin Versions" batch spec template to use proper regex instead of glob syntax

Fixed database constraint violations when recreating batch changes in the same repositories by properly cleaning up associated changesets during deletion

Fixed a bug where users (including service accounts) could not be created by a site admin when signup is disabled.

Site configuration history now loads significantly faster in many cases.

Fixed site config occasionally reverting to old config after saving

Fixed an issue where site config would occasionally revert to old config after saving

Sourcegraph will now avoid dropping a user's repository permissions if it encounters a 429, 500, 502, 503, or 504 when refreshing the OAuth access token (as encountered during the Feb 9 GitHub incident: https://www.githubstatus.com/incidents/lcw3tg2f6zsd). The permission syncer will simply re-use the users' old permissions until the next sync.

• Fixed race condition in OAuth token refresh that could cause invalid_grant errors when concurrent refresh attempts occurred
• Fixed stale external account linkage when users reconnect their OAuth accounts, ensuring token refresh uses the correct refresh token

User profile roles are now only visible to site admins and the user themselves, fixing a permissions issue where roles were visible to unauthorized users.

Removed distracting fly-in animation when loading Code Insights dashboards

Skip invalid repositories (deleted or not cloned) to prevent infinite processing loops

Code monitor webhooks now accept all HTTP 2xx status codes (200-299) as successful responses, preventing duplicate notifications when webhook endpoints return HTTP 202 Accepted or other 2xx codes.

Reduce concurrent load on gitserver by spreading out code monitor queries with jitter

Long gone because of webworker issues in Safari, Cody Web is now available again.

Report which container failed if an executor pod fails when executing on Kubernetes.

Fixed executors on Kubernetes joining commands incorrectly

Improve page that lists executor instances to better handle instances with extremely long names

When connecting a GitHub external account to Sourcegraph, the user's GitHub profile link is now properly displayed on the Account Security page. If the link is not visible, remove and re-add the GitHub connection.

Fixed missing sync reasons in the SOURCEGRAPH group for the permissionsSyncJobs API.

Fixed an issue where Anthropic models could produce malformed tool call arguments, causing Deep Search conversations to become stuck in an errored state.

Fixed stale license validation states being used after updating license keys, ensuring validation results always correspond to the currently configured key.

Added --scopes mcp argument to the MCP login command to ensure proper OAuth scope grants for MCP functionality.

Upgraded go-tuf dependency to v2.4.1 to fix three medium-severity security vulnerabilities (CVE-2026-23991, CVE-2026-23992, CVE-2026-24686).

Show the right error message in Slack search link preview when there is a query syntax error

Fixed confusing UI state in Administration -> Slack configuration where the UI showed a warning that Slack couldn't contact the Sourcegraph instance even when the integration was working correctly. The UI now displays a cache-busting ?retry URL parameter to force Slack to re-verify the connection.

Improved error message when non-author users attempt follow-up questions in Slack, directing them to use @Sourcegraph new question <message> instead.

Fixed video playback in Safari for Markdown-rendered content

• Fixed button group pressed effects and focus ring rendering
• Fixed Batch Changes row layout issue in Safari 18.x and lower
• Fixed blob UI bottom panel alignment to show border only when open

Pages with sidebar navigation are now usable on mobile and tablet devices. The sidebar can be toggled open and closed, and sidebar sections are collapsible on smaller screens.

Fixed z-index stacking issue where app shell floating elements incorrectly appeared above survey toasts and feedback modals

Fixed UI flash when loading temporary settings from cache

The "Account security" page now displays the login for each connected external account (e.g., GitHub, GitLab).

Fixed line number alignment when switching to blame view

Fixed sticky file header positioning on commit page

Fixed image alignment in the image viewer and now always display the dimensions of binary images.

Fixed navigation error when leaving organization profile page

Fixed cursor-based pagination to correctly apply filters when using multi-column cursors. Previously, filters (such as search queries or clone status) were silently ignored for a subset of results due to SQL operator precedence, causing paginated endpoints to return more results than expected and include items that didn't match the filter criteria.

User settings page headers now have a consistent appearance across all sections.

Deep Search no longer generates diagrams by default, making responses faster and more responsive. You can still request diagrams anytime by including "draw a diagram" or similar in your query.

Removed the "Find implementations" button from the code navigation hover tooltip. This button appeared inconsistently—showing for symbols where it wasn't applicable (like local variables or package names)—and relied on indexer support that varied by language. With less than 0.1% of code navigation actions using this feature, the hover experience has been streamlined.

Hid implementations and supers buttons in the explore panel when using search-based code navigation, as these features are only supported by precise code intelligence.

Removed automatic PostgreSQL 12 to PostgreSQL 16 upgrade support from builtin Sourcegraph database containers (pgsql, codeintel-db, and codeinsights-db).

Removed support for generation 1 Gemini models (no longer accessible) and Mistral models (no longer deployed on Fireworks serverless).

Deprecated observability.tracing.type: "jaeger"; use "opentelemetry" with an OTLP-compatible collector instead

Remove autoupgrade supporting functions and methods

Removed feature flag UI access for non-Sourcegraph operators in Cloud environments.

Removed the single-container (sourcegraph/server) deployment mode. The sourcegraph/server Docker image is no longer published. Customers must migrate to Docker Compose or Kubernetes before upgrading to 7.0.0.

Search Notebooks pick up on the idea that most searches are not just one search. In a common workflow, you run multiple searches, gather several pieces of information, and then you compile your final answer from all these sources. Back in 2022, Notebooks solved a real need to be able to document and share that research trail.

Sound familiar? Notebooks are reflecting the steps a Deep Search takes to compile it's answer. It collects citations and the answer in a central place. We believe that the future lies much more in this agent-driven code exploration and future iterations of it than the manual Notebooks idea that predates the AI era.

Removed explicit code ownership assignment and teams management from the web app. Codeowners files are still processed and this information is still available via search and the ownership panel.

Migrated the search-content-based-lang-detection feature flag to the searchContentBasedLanguageDetection site configuration setting. Customers who previously had the flag enabled and would like to continue using this feature should enable it in their site configuration settings.

• The /api/openapi/ pages, home to the Cody API, have been moved to /legacy/openapi/. Existing links are redirected.
• Integrations going forward should use the new official Sourcegraph API documented in /external-api.

• Moved the GraphQL API console from /api/console/ to /debug/console/ to reflect its role as an internal API. Existing links are redirected.
• Going forward, external integrations should use the new official Sourcegraph API documented in /external-api.

Upgrade opentelemetry-collector to v0.144.0.

Fixed negated terms in hybrid search to correctly exclude files when the term appears in either the file path or contents.

Fixed search history not saving new searches after the Svelte 5 signals migration.

Improved user deletion latency by optimizing database calls and removing redundant work

Fixed user-initiated actions (OAuth sign-in, auth token validation) that would hang when the internal Bitbucket rate limit was hit. These operations now bypass the internal rate limiter.

Fixed action buttons (such as delete) in code insight headers that were not functioning correctly

Migrator now gracefully handles cases where the pg_stat_statements extension cannot be installed due to database permission restrictions

Fixed an issue where access tokens created by hard-deleted users could not be listed.

Commits with changes to large files are now displayed with plaintext diff output when syntax highlighting is unavailable.

All users can now filter batch changes by user, not just site administrators. The current user appears at the top of the user filter list for easy access to their own batch changes.

Fixed "View on code host" button to properly escape % characters in file paths when generating external links.

Code Insight preview results now exclude archived and forked repositories by default, matching the backend behavior present since 3.40.

Disable deepsearch and sg_deepsearch tools at .api/mcp and .api/mcp/v1 respectively. To use Deep Search, directly use /.api/mcp/deepsearch.

Repository permissions are no longer dropped when encountering HTTP/2 stream cancellation or "internal error" from the upstream GitLab code host. Instead, existing permissions are preserved and the permissions sync is retried later.

Fixed an issue where URLs containing the external URL would be incorrectly mangled, resulting in duplicate domain paths

Fixed invalid links in deepsearch markdown content that contained the host twice

Fixed TLS configuration not being applied to HTTP client, causing OAuth authentication failures.

Fixed TLS certificate validation via regular expressions in site config

Fixed an edge case where Deep Search questions did not respect cancellation state from the database, preventing them from continuing indefinitely after being cancelled.

Fixed infinite loop in DeepSearch when LLM tool argument parsing fails during streaming by properly propagating errors to internal callers

MCP deepsearch queries on the old .api/mcp/v1 and new .api/mcp endpoints will now time out after 50 seconds to avoid Cloudflare connection timeouts. Queries exceeding this timeout return a link so agents can track completion and inform users where to follow progress.

• Fixes a log spam issue where EnsureRevision calls would logspam "failed to perform background repo update" when a scheduled repo update is already running.
• Fixes an issue where EnsureRevision would incorrectly increase the update failure counter on a repository if a scheduled fetch is already running.
• Fixes an issue where log output from Fetch could cause a Fetch to stall forever because the reader silently errored.

Deep Search now streams results as they become available.

The Deep Search input now dynamically grows as users type or paste content.

Deep Search history sidebar can now be navigated using arrow keys.

Site admins can now set per-user Deep Search usage limits through entitlements: classes of usage limits that can be assigned as a global default, or to specific users.

Deep Search backend sources are now rendered after citations in collapsible sections within a unified sources container.

Deep Search sidebar is now available in the blob view for enhanced code exploration.

Added Slack bot integration for Deep Search. To get set up, go to Site Admin → Slack integration.

The site admin page is now simply titled "Administration".

Site admin organizations page now uses the standard page container design.

Navigation sidebars in site admin pages now support collapsible sections with localStorage persistence

GitHub Apps can now be configured via the declarative config file with secure handling and storage of private keys

Introduces a new notification widget that replaces the site-wide banners on Sourcegraph, as well as a new site-admin dashboard that shows notifications, as well as some suggestions on what admins can do to manage their instance.

Fixed context retrieval bug when using remote file mentions and chat UI flickering

Added option to skip TLS verification for executors talking to Sourcegraph via EXECUTOR_FRONTEND_TLS_SKIP_VERIFY

Alert when repository cleanups fail consistently

The repository permissions page now displays the total count of users who have access to the repository.

Fix history panel displaying the last question's title instead of the conversation title by generating conversation title only on the first question.

Links now point to answers instead of questions. This resolves confusion where the link pointed to the question but the copy button was part of the answer card. Old links continue to work because the question anchor is preserved in the code.

The tab title is now correctly updated when switching between DeepSearch conversations and then navigating away and back to DeepSearch.

Permalinks now use full commit hashes instead of abbreviated ones.

The star button is no longer rendered for non-owners, eliminating the confusing behavior where changes appeared to work but were reverted on refresh.

Fixed submit button icon visibility in Deep Search

Conversation creation failures now display error messages instead of hanging indefinitely in a loading state

• Fixed Deep Search suggestions to display with correct font styles
• Fixed Feedback modal to have proper spacing and close button styling

Increased the deep search input size from one line to multiple lines for improved usability.

Fixed loading skeleton and sources to reflect the currently viewed question's state instead of a global "is anything searching" state

Fixed file search result content not updating when filtering results in certain situations where truncated content caused stale data to be displayed

Fixed branded logos not appearing on the search homepage and in the global navigation when configured.

Repository name matches are excluded from search results when a repo: filter is present without an explicit type: filter. Users can still search repository names by adding type:repo.

Switch from plain ctags to tree-sitter for analyzing symbols in CSS and SCSS files. The result is more predictable parsing, no comment blocks leaking into the symbols sidebar, and css variables showing up as symbols.

Reduced the complexity of GitHub GraphQL queries for syncing changesets to reduce token consumption

READONLY changesets are now counted as CLOSED in batch change statistics, fixing a discrepancy between the burndown chart and summary stats.

Improve error message clarity when user creation fails in site admin

Fixed incorrect navigation highlighting in site admin where 'Settings' was highlighted instead of 'Batch specs'.

Error messages are now clearer when attempting to connect an external account that is already in use by another Sourcegraph account

Addresses an issue where the OAuth consent pages did not allow to scroll down to the action buttons.

Code insights job UI now displays correctly on mobile devices.

In 6.11 our experimental AWS RDS IAM Auth would panic if we failed to refresh the token. We now correctly treat this as an error to log and retry.

Fix broken links to alerts reference in alert notifications for customers on the latest release.

Fixed an edge case where the permission sync scheduler would excessively enqueue jobs when old completed jobs existed in the database

Temporary files are now cleaned up from repository directories, reducing disk space usage.

Fixed an issue where a service account's access tokens would be deleted when the site admin that created the access tokens for the service account got deleted.

Custom indexing policies are now disabled by default. The codeIntelAutoIndexing.policyManagementEnabled configuration can be used to re-enable support.

Removed the repository setup wizard as it is no longer up to date with code hosts. Site admins are encouraged to add repositories via the "Code Host Connections" section of the site admin page.

Anthropic deprecated Sonnet 3.5 and Haiku 3.5. These models are no longer available in Cody. Make sure to upgrade to a recent Cody client release to ensure all features are still functional.

Removed autoupgrade toggle selector and readiness banner as part of autoupgrade deprecation

Fixed a potential issue where a buffer overflow can cause repository update processes to deadlock.

Fixed git object expiration logic that was setting future dates instead of past dates, preventing potential repository corruption in concurrent operations.

Sourcegraph now supports OAuth 2.0 Dynamic Client Registration (RFC 7591). This makes it easier to authenticate against Sourcegraph from an MCP client. As an administrator you must set auth.idpDynamicClientRegistrationEnabled to true in your site settings.

Sourcegraph can now communicate to code hosts using mTLS by providing a list of {"host", "clientCertificate", "clientKey"} configurations in the site config under mtlsConfigurations in tls.external.

Ensure that citations are enabled by default and rendered correctly even when the feature flag value is not set on the backend.

Fixed an issue where applying a new license key would not clear messages from the old, expired license key.

Immediately navigate to the conversation view showing the submitted question with a loading indicator when creating a new Deep Search conversation, before the server responds.

Users can now use the Tab key to select repository suggestions in the Deep Search @ mention menu, providing a more efficient keyboard-only workflow

Improved @-mention filtering with smarter caching for faster, more responsive filtering and reduced backend requests.

Deep Search conversations can now be exported as Markdown by appending ".md" to the URL.

Add ability to collapse results in reference panel.

Embedded organization batch-changes routes into the Svelte app, improving the integration between React and Svelte components for batch changes functionality.

Added batch changes pages in the personal user area for the creation flow.

Added batch-changes-gitlab-oauth feature flag to gate GitLab OAuth integration for Batch Changes.

Added a site-admin page for viewing batch changes specs.

Embedded site-admin batch changes pages into the Svelte app, improving consistency and maintainability of the admin interface.

When site-config or global settings files are loaded from the file system, the config editors in-app now reflect the read-only state.

Redact access tokens in model configuration displayed in the site-config UI.

Added external accounts page for site administrators.

Added auth providers page to site-admin interface

Added a new updates page in the site admin interface.

Frontend service restarts are no longer required when changing certain settings.

Embedded the site-admin init page into the Svelte app

Embedded the site-admin background jobs page into the Svelte app.

The out-of-band migrations page in site admin is now embedded in the Svelte app.

Site admins can now manage OAuth clients through dedicated pages in the admin interface.