docker-agent

v1.64.0 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 13d AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

agents ai

Affected surfaces

auth deps

ReleasePort's take

Light signal

editorial:auto 13d

v1.64.0 adds input_id passthrough for eval results and enables MCP servers on private IP addresses in OAuth flows. Includes sandbox and MCP OAuth reliability fixes.

Why it matters: Eval input tracking improves with ID passthrough. MCP OAuth gains private IP support and fixes race conditions and token issues. Sandbox reliability improves for non-default configs. Test in dev; routine upgrade.

Summary

AI summary

Eval input files can pass through an input_id field unchanged to results, and MCP servers on private IPs may participate in OAuth flows.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Medium	Enables remote MCP servers on private IP addresses in OAuth flow Enables remote MCP servers on private IP addresses in OAuth flow Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Adds input_id passthrough in eval results when present in input file Adds input_id passthrough in eval results when present in input file Source: llm_adapter@2026-05-21 Confidence: low	—
Feature	Medium	Passthrough `input_id` from eval input to results output (JSON/SQLite) Passthrough `input_id` from eval input to results output (JSON/SQLite) Source: granite4.1:30b@2026-05-21-audit Confidence: low	—
Performance
Performance	Medium	Improves accuracy of network allowlisting for per-toolset auto-install Improves accuracy of network allowlisting for per-toolset auto-install Source: llm_adapter@2026-05-21 Confidence: low	—
Performance	Low	Add `go.dev` and `dl.google.com` to sandbox proxy allowlist for Go toolchain bootstrap Add `go.dev` and `dl.google.com` to sandbox proxy allowlist for Go toolchain bootstrap Source: granite4.1:30b@2026-05-21-audit Confidence: low	—
Performance	Low	Resolve package-host allowlisting per toolset from aqua registry for auto‑install Resolve package-host allowlisting per toolset from aqua registry for auto‑install Source: granite4.1:30b@2026-05-21-audit Confidence: low	—
Bugfix
Bugfix	Medium	Fixes resource parameter missing from OAuth token exchange requests Fixes resource parameter missing from OAuth token exchange requests Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Fixes token file permissions for non-root sandbox user access Fixes token file permissions for non-root sandbox user access Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Fixes race condition deduplicating concurrent OAuth flows per server Fixes race condition deduplicating concurrent OAuth flows per server Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Fixes kit resolution failures for non-default sandbox cache directories Fixes kit resolution failures for non-default sandbox cache directories Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Enables Go toolchain download in sandbox via network policy allowlist Enables Go toolchain download in sandbox via network policy allowlist Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Deduplicate concurrent MCP OAuth authorization flows per server Deduplicate concurrent MCP OAuth authorization flows per server Source: granite4.1:30b@2026-05-21-audit Confidence: low	—
Bugfix	Medium	Mount docker-agent kit from correct host path in sandbox Mount docker-agent kit from correct host path in sandbox Source: granite4.1:30b@2026-05-21-audit Confidence: low	—
Refactor	Medium	Removes obsolete token-forwarding step from sandbox startup Removes obsolete token-forwarding step from sandbox startup Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

v1.64.0

Note: v1.63.0 was a failed release and was skipped. This release includes all changes that accumulated since v1.62.0.

New Features

Eval: input_id passthrough — When an eval input file contains a top-level "input_id" field, that value is now carried through untouched to the session entry in the results output (JSON and SQLite). The session's own "id" (a fresh UUID) is unchanged. When the input file has no "input_id", the field is absent from the output — no change to existing behaviour. This lets callers correlate eval results back to their own records without custom post-processing. (#2857)
MCP: allow private IPs for remote OAuth — Remote MCP servers hosted on private-network IP addresses can now participate in the OAuth authorization flow. (#2828)

Bug Fixes

MCP OAuth: send resource on token exchange — The OAuth resource parameter is now correctly included when exchanging an authorization code for a token, fixing token exchange failures for resource-aware authorization servers. (#2828)
MCP OAuth: coalesce concurrent authorization requests — Concurrent OAuth authorization flows for the same server are now deduplicated so only one browser redirect is triggered per server, preventing race conditions when multiple tool calls fire simultaneously. (#2828)
Sandbox: use correct host path for kit — The docker-agent kit (skills + prompt files staged into the sandbox) is now mounted from the correct host-side directory rather than a constant container mount path, fixing kit resolution failures when the host cache directory is not at the default location. (#2859)

Improvements

Sandbox: remove stale token forwarding on startup — Removed an obsolete token-forwarding step from sandbox startup that was redundant after the token-forwarding refactor in v1.62.0. (#2859)
Sandbox: Go toolchain bootstrap allowed through network policy — go.dev and dl.google.com are now added to the sandbox proxy allowlist, so the Go toolchain can be downloaded inside the sandbox without hitting a blocked-network-policy error. (#2859)
Sandbox: resolve tool-install hosts per-toolset from aqua registry — Package-host allowlisting for tool auto-install is now resolved per toolset from the aqua registry, giving more accurate (and minimal) network opens for each toolset's install requirements. (#2859)
Sandbox: make tokens file readable by sandbox user — The tokens file written inside the sandbox is now created with permissions that allow the sandbox user to read it, fixing authentication failures in sandboxes running as a non-root user. (#2859)

Contributors

@hamza-jeddad · @rumpl · @dgageot

Full Changelog: https://github.com/docker/docker-agent/compare/v1.62.0...v1.64.0

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track docker-agent

Get notified when new releases ship.

About docker-agent

AI Agent Builder and Runtime by Docker Engineering

All releases →

Related context

Related tools

Earlier breaking changes

v1.71.0 Freezes configuration schema v9 and starts v10 as latest version