[deps-release-notes] copilot-cli v1.0.56 action items

[github-actions]

Release Notes Action Items for copilot-cli 1.0.48 → 1.0.56

This issue summarizes upstream release notes for the copilot-cli dependency between the previously pinned version (1.0.48) and the new pinned version (1.0.56), highlighting items that may need follow-up in ado-aw.

The companion version-bump PR is titled chore(deps): update COPILOT_CLI_VERSION to 1.0.56.

Releases analyzed

• v1.0.49
• v1.0.50 — Does not exist (skipped version)
• v1.0.51
• v1.0.52
• v1.0.53
• v1.0.54
• v1.0.55
• v1.0.56

Security fixes

• Secret scanning now covers commit messages and PR descriptions — v1.0.51: Redacting secrets before they are published.
• Add permissions.disableBypassPermissionsMode setting — v1.0.55: To prevent enabling allow-all/yolo mode. Relevant for sandboxed pipelines.

Notable features for ado-aw to adopt

Session & Agent Management

• /chronicle search subcommand — v1.0.49: Search all session content by keyword or topic — could be useful for agent memory/history queries.
• /rubber-duck command — v1.0.49: For independent critique of agent's work — interesting pattern for multi-agent validation.
• /memory on|off|show slash command — v1.0.49: For persistent memory management.
• --session-id=<id> flag — v1.0.51: To resume or start sessions with specific UUID — useful for pipeline correlation.
• /security-review slash command — v1.0.51: For code change security review (experimental) — aligns with ado-aw's threat detection stage.
• /chronicle cost-tips subcommand — v1.0.51: For personalized token usage and cost reduction — could inform ado-aw's token budgeting.

MCP & Tool Infrastructure

• postToolUse hook additionalContext now injected as system message — v1.0.49: Instead of being discarded — useful for agent instrumentation.
• auth.redirectPort config for MCP OAuth callback pinning — v1.0.49.
• preMcpToolCall hook — v1.0.51: For controlling outgoing MCP request metadata.
• Custom agents support opt-in deferred tool loading — v1.0.52: Via deferred-tool-loading frontmatter — reduces initial token overhead.
• Hook progress streaming — v1.0.55: Shows real-time status messages from long-running hooks.
• Extension log files — v1.0.55: Captured per extension and surfaced in extensions_manage tool.
• MCP tools returning both content and structuredContent — v1.0.56: Now surface both to agent (deduplication when redundant) — better data fidelity.

Observability & Diagnostics

• Customizable status line — v1.0.51: Displaying session info (model, context window, git branch, etc.).
• terminalProgress setting — v1.0.51: For OSC 9;4 terminal progress indicators.
• Reasoning tokens displayed — v1.0.52: As parenthetical in token usage summary.
• Show per-MCP-server token usage — v1.0.55: In /mcp and break out MCP tool tokens in /context.
• Report Claude thinking (reasoning) tokens — v1.0.55: In session usage summaries.

Configuration & Environment

• COPILOT_PLUGIN_DIR_ONLY environment variable — v1.0.49: For deterministic plugin sets with --plugin-dir.
• Context window tier selection — v1.0.52: Default ~200K vs 1M tokens enforced end-to-end.
• Custom agents and skills discovered recursively — v1.0.55: In subdirectories.
• permissions.disableBypassPermissionsMode setting — v1.0.55: To prevent allow-all mode — relevant for sandboxed pipelines.

Model Support

• Claude Opus 4.8 support — v1.0.55.
• General-purpose subagents use GPT-5.4 or GPT-5.5 — v1.0.52: When available.

SDK & Extensibility

• pluginDirectories on session.create and session.resume RPC — v1.0.55: For per-session plugin mounting.
• Project extensions in .github/extensions discovered — v1.0.55: In non-git workspaces.

Deprecations

• Legacy nested oauth.clientId and oauth.callbackPort keys — v1.0.52: In MCP server configs migrated to oauthClientId and auth.redirectPort — old keys still supported but deprecated.

---

This issue was opened automatically by the dependency version updater workflow.

Generated by Dependency Version Updater · ● 5.1M · ◷