chore(deps): update ⬆️ aqua-packages

[renovate]

This PR contains the following updates:

Package	Update	Change
aquaproj/aqua-registry	patch	v4.466.0 → v4.466.1
astral-sh/uv	patch	0.9.29 → 0.9.30
charmbracelet/crush	patch	v0.39.1 → v0.39.3
github/copilot-cli	patch	v0.0.402 → v0.0.403
jdx/mise	patch	v2026.2.3 → v2026.2.4
openai/codex	minor	v0.95.0 → v0.97.0

---

Release Notes

aquaproj/aqua-registry (aquaproj/aqua-registry)

v4.466.1

Compare Source

Issues | Pull Requests | aquaproj/aqua-registry@v4.466.0...v4.466.1

Fixes

#​48194 Re-scaffold gogs/gogs
#​48191 flux-iac/tofu-controller/tfctl: Fix cosign config
#​48190 yaml/yamlscript: Fix supported_envs at 0.2.9
#​48182 uutils/coreutils: support coreutils 0.6.0

astral-sh/uv (astral-sh/uv)

v0.9.30

Compare Source

Released on 2026-02-04.

Python

• Add CPython 3.14.3 and 3.13.12 (#​17849)

Enhancements

• Allow comma-separated values for --extra option (#​17525)
• Check all files during a dry-run publish instead of stopping at the first failure (#​17785)
• Clarify UV_HTTP_TIMEOUT error message (#​17493)

Preview features

• Use relocatable virtual environments by default (#​17770)

Bug fixes

• Fix deadlock on token refresh in uv publish when using pyx (#​17832)
• Ignore global Python pins when incompatible with project (#​15473)

charmbracelet/crush (charmbracelet/crush)

v0.39.3

Compare Source

Tiny UI Fix

Tiny fix for an apparently empty message being selected in the UI.

Screenshot

Changelog

Fixed

• f22a6f986a32e94bdd46672557bccf8544575859: fix(ui): list: ensure the offset line does not go negative when scrolling up (@​aymanbagabas)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.39.3/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.39.3/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

v0.39.2

Compare Source

Quick Windows fix

Pasting text on Windows 🪟 is working again.

Thank you for all the support.
The Charm Team ™️

Changelog

Fixed

• afed74c: fix(ui): api key dialog typo (#​2131) (@​nickgrim)
• b28f4ce: fix(ui): completions popup gets too narrow on single item (#​2125) (@​caarlos0)
• 2d0a0e2: fix(ui): fix bug preventing pasting text on windows (#​2126) (@​andreynering)
• 142c854: fix: change hyper url (#​2120) (@​caarlos0)
• 8adfe70: fix: hyper provider cancel (#​2133) (@​kujtimiihoxha)
• d29d0e2: fix: realtime session file changes (#​2134) (@​kujtimiihoxha)

Other stuff

• 874c1ca: chore: update ui/agents.md (#​2122) (@​caarlos0)
• 9013bb0: refactor: remove old tui (#​2008) (@​kujtimiihoxha)

---

Verifying the artifacts

First, download the checksums.txt file and the checksums.txt.sigstore.json file files, for example, with wget:

wget 'https://github.com/charmbracelet/crush/releases/download/v0.39.2/checksums.txt'
wget 'https://github.com/charmbracelet/crush/releases/download/v0.39.2/checksums.txt.sigstore.json'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle 'checksums.txt.sigstore.json' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on X, Discord, Slack, The Fediverse, Bluesky.

github/copilot-cli (github/copilot-cli)

v0.0.403: 0.0.403

Compare Source

2026-02-04

• Windows Task Manager displays correct application name
• Introduce security check preventing use of modules outside of application bundle
• ACP model info includes usage multiplier and enablement status
• Fix logic checking user organization membership
• Stop MCP servers before updating plugins
• Detached shell processes work on vanilla macOS installations
• Escape key consistently aborts permission dialogs regardless of selection
• Plugin skills work in prompt mode
• Config files preserve custom fields when CLI updates them
• Reasoning summaries enabled by default for supporting models
• Support comma-separated tools in custom agent frontmatter
• Skills with unknown frontmatter fields now load with warnings instead of being silently skipped

jdx/mise (jdx/mise)

v2026.2.4: : Taming the Environment

Compare Source

This release focuses on fixing several edge cases in environment handling and tool management. Users working with complex environment configurations, npm package managers, and locked tool versions will find this update particularly helpful.

Bug Fixes

• Environment variable resolution for tool templates: When using env._.source to source environment files, tool templates now correctly resolve the sourced environment variables. Previously, tool version templates that depended on sourced env vars might not have worked as expected. Thanks to @​corymhall for this fix! #​7895

• npm package manager dependencies: When using mise to manage Node.js package managers (npm, yarn, pnpm, bun), mise now only declares the specifically configured package manager as a dependency rather than all of them. This prevents unnecessary dependency resolution issues. #​7995

• Respect use_locked_version during upgrades: The mise upgrade command now properly respects the use_locked_version setting when checking tracked configs. If you have this setting enabled, upgrades will now correctly use the locked versions from your config files. #​7997

• Ignore MISE_TOOL_VERSION in env parsing: Fixed an issue where the internal MISE_TOOL_VERSION environment variable could interfere with environment variable parsing, preventing potential conflicts in certain workflows. #​8004

New Contributors

Welcome to @​corymhall who made their first contribution to mise! 🎉

openai/codex (openai/codex)

v0.97.0: 0.97.0

Compare Source

New Features

• Added a session-scoped “Allow and remember” option for MCP/App tool approvals, so repeated calls to the same tool can be auto-approved during the session. (#​10584)
• Added live skill update detection, so skill file changes are picked up without restarting. (#​10478)
• Added support for mixed text and image content in dynamic tool outputs for app-server integrations. (#​10567)
• Added a new /debug-config slash command in the TUI to inspect effective configuration. (#​10642)
• Introduced initial memory plumbing (API client + local persistence) to support thread memory summaries. (#​10629, #​10634)
• Added configurable log_dir so logs can be redirected (including via -c overrides) more easily. (#​10678)

Bug Fixes

• Fixed jitter in the TUI apps/connectors picker by stabilizing description-column rendering. (#​10593)
• Restored and stabilized the TUI “working” status indicator/shimmer during preamble and early exec flows. (#​10700, #​10701)
• Improved cloud requirements reliability with higher timeouts, retries, and corrected precedence over MDM settings. (#​10631, #​10633, #​10659)
• Persisted pending-input user events more consistently for mid-turn injected input handling. (#​10656)

Documentation

• Documented how to opt in to the experimental app-server API. (#​10667)
• Updated docs/schema coverage for new log_dir configuration behavior. (#​10678)

Chores

• Added a gated Bubblewrap (bwrap) Linux sandbox path to improve filesystem isolation options. (#​9938)
• Refactored model client lifecycle to be session-scoped and reduced implicit client state. (#​10595, #​10664)
• Added caching for MCP actions from apps to reduce repeated load latency for users with many installed apps. (#​10662)
• Added a none personality option in protocol/config surfaces. (#​10688)

Changelog

Full Changelog: openai/codex@rust-v0.96.0...rust-v0.97.0

• #​10595 Stop client from being state carrier @​pakrym-oai
• #​10584 Add option to approve and remember MCP/Apps tool usage @​canvrno-oai
• #​10644 fix: flaky test @​jif-oai
• #​10629 feat: add phase 1 mem client @​jif-oai
• #​10633 Cloud Requirements: take precedence over MDM @​gt-oai
• #​10659 Increase cloud req timeout @​gt-oai
• #​9938 feat(linux-sandbox): add bwrap support @​viyatb-oai
• #​10656 Persist pending input user events @​aibrahim-oai
• #​10634 feat: add phase 1 mem db @​jif-oai
• #​10593 Fix jitter in TUI apps/connectors picker @​canvrno-oai
• #​10662 [apps] Cache MCP actions from apps. @​mzeng-openai
• #​10649 Fix test_shell_command_interruption flake @​gt-oai
• #​10642 Add /debug-config slash command @​gt-oai
• #​10478 Added support for live updates to skills @​etraut-openai
• #​10688 add none personality option @​aibrahim-oai
• #​10567 feat(app-server, core): allow text + image content items for dynamic tool outputs @​owenlin0
• #​10667 chore(app-server): document experimental API opt-in @​owenlin0
• #​10664 Session-level model client @​pakrym-oai
• #​10678 feat(core): add configurable log_dir @​joshka-oai
• #​10631 Cloud Requirements: increase timeout and retries @​gt-oai
• #​10650 chore(core) personality migration tests @​dylan-hurd-oai
• #​10701 fix(tui): restore working shimmer after preamble output @​joshka-oai
• #​10700 fix: ensure status indicator present earlier in exec path @​sayan-oai

v0.96.0: 0.96.0

Compare Source

New Features

• Added thread/compact to the v2 app-server API as an async trigger RPC, so clients can start compaction immediately and track completion separately. (#​10445)
• Added websocket-side rate limit signaling via a new codex.rate_limits event, with websocket parity for ETag/reasoning metadata handling. (#​10324)
• Enabled unified_exec on all non-Windows platforms. (#​10641)
• Constrained requirement values now include source provenance, enabling source-aware config debugging in UI flows like /debug-config. (#​10568)

Bug Fixes

• Fixed Esc handling in the TUI request_user_input overlay: when notes are open, Esc now exits notes mode instead of interrupting the session. (#​10569)
• Thread listing now queries the state DB first (including archived threads) and falls back to filesystem traversal only when needed, improving listing correctness and resilience. (#​10544)
• Fixed thread path lookup to require that the resolved file actually exists, preventing invalid thread-id resolutions. (#​10618)
• Dynamic tool injection now runs in a single transaction to avoid partial state updates. (#​10614)
• Refined request_rule guidance used in approval-policy prompting to correct rule behavior. (#​10379, #​10598)

Documentation

• Updated app-server docs for thread/compact to clarify its asynchronous behavior and thread-busy lifecycle. (#​10445)
• Updated TUI docs to match the mode-specific Esc behavior in request_user_input. (#​10569)

Chores

• Migrated state DB helpers to a versioned SQLite filename scheme and cleaned up legacy state files during runtime initialization. (#​10623)
• Expanded runtime telemetry with websocket timing metrics and simplified internal metadata flow in core client plumbing. (#​10577, #​10589)

Changelog

Full Changelog: openai/codex@rust-v0.95.0...rust-v0.96.0

• #​10569 tui: make Esc clear request_user_input notes while notes are shown @​charley-oai
• #​10577 feat: log webscocket timing into runtime metrics @​apanasenko-oai
• #​10445 Add thread/compact v2 @​aibrahim-oai
• #​10589 Move metadata calculation out of client @​pakrym-oai
• #​10379 fix(core) updated request_rule guidance @​dylan-hurd-oai
• #​10598 fix(core) Request Rule guidance tweak @​dylan-hurd-oai
• #​10544 Prefer state DB thread listings before filesystem @​jif-oai
• #​10614 fix: single transaction for dyn tools injection @​jif-oai
• #​10568 Requirements: add source to constrained requirement values @​gt-oai
• #​10611 chore: simplify user message detection @​jif-oai
• #​10618 fix: make sure file exist in find_thread_path_by_id_str_in_subdir @​jif-oai
• #​10619 nit: cleaning @​jif-oai
• #​10324 Add a codex.rate_limits event for websockets @​rasmusrygaard
• #​10623 Migrate state DB path helpers to versioned filename @​jif-oai
• #​10638 Update tests to stop using sse_completed fixture @​pakrym-oai
• #​10641 feat: land unified_exec @​jif-oai

---

Configuration

📅 Schedule: Branch creation - Between 05:00 AM and 07:59 AM ( * 5-7 * * * ) in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.