Anvil v2.2.23: Talk to It, Reach Further, See What It’s Doing

Anvil v2.2.23: Talk to It, Reach Further, See What It’s Doing

Anvil v2.2.23 is the voice & reach release. You can now dictate to Anvil with live in-terminal transcription, connect it to remote tool servers over the network with a browser login, and — across everything — see a single, consistent indicator of what it’s working on. It also closes a wide compatibility gap with the upstream Claude Code feature set, tightens security around credentials and destructive commands, and makes signing in land you exactly where you want to be: inside Anvil.

Talk to Anvil

Press Ctrl+E (or run /voice) and start speaking. Anvil records in short chunks, transcribes each one as you go, and drops the text into your input box live — so you watch your words appear rather than waiting for a single block at the end.

  • Toggle, don’t hold. Press Ctrl+E to start, press it again to stop. Ctrl+C interrupts immediately. And you can keep typing while it records — the interface never freezes.
  • Your provider, your credentials. Transcription runs through an OpenAI-compatible endpoint with your own key by default, or a local whisper.cpp binary for fully offline, no-key dictation. Nothing heavy is bundled into Anvil itself.
  • Offline voice, set up for you. The setup wizard now offers an optional whisper.cpp step right next to QMD — it installs the local transcriber and downloads a model, then wires your config to use it. Prefer the cloud? It stays the default and needs no install.

Configuration lives in a voice block in your config file — backend, language, and chunk length. Voice capture is supported on macOS and Linux.

Reach remote tool servers

Anvil’s Model Context Protocol client used to speak only to local processes over standard input and output. v2.2.23 adds a full remote transport, so Anvil can connect to MCP servers running anywhere.

  • Streamable HTTP / SSE transport. Anvil POSTs each request to the server’s endpoint and reads the reply as JSON or a server-sent event, transparently. TLS is handled with a pure-Rust stack, so it builds cleanly on every supported platform.
  • Browser-based login. Run anvil mcp login <server> to authenticate a remote server through the standard OAuth authorization-code flow — opening your browser, catching the redirect locally, and exchanging the code. Add --no-browser for SSH or headless sessions. anvil mcp logout <server> clears it.
  • Per-server tokens. Each server keeps its own refreshable token, applied automatically whenever Anvil connects to it.

A shared “working” indicator

Anvil has always shown a spinner while the model thinks. Now that same animation appears for every long-running action, with a label describing exactly what’s happening:

  • Thinking — the model is generating.
  • Recording and Transcribing — voice entry, switching as it captures and then transcribes each chunk.
  • Running command, Loading, Searching, and Authenticating — for inline shell commands, runtime rebuilds, search, and sign-in.

One consistent signal that Anvil is busy — and what it’s busy with.

Closing the compatibility gap

v2.2.23 brings over a dozen features and settings to match the upstream coding-assistant baseline:

  • Inline shell. A leading ! runs a shell command through the same path Anvil’s own Bash tool uses — permissions and sandboxing apply — and an opt-in setting feeds the output back to the model.
  • Set settings from the prompt. /config thinking=false works inline, in interactive and non-interactive modes alike.
  • Why was that blocked? A recent-denials view shows the reason a tool call was refused — auto-mode rule, reviewer, stored decision, or credential guard.
  • Stricter auto-mode. An option to route every shell command through approval, not just the obviously dangerous ones.
  • Model allow/deny. Organizations can restrict which models may be selected, enforced at every model switch.
  • Plus skill-frontmatter flexibility, a memory-index compaction reminder, a mouse-click pass-through toggle, and a structured-output safeguard that stops a tool from looping on itself.

Security

  • Credential-read blocking. With sandbox.credentials enabled, sandboxed commands are blocked from reading credential files and from dumping secret environment variables. Because inline shell routes through the same gate, an attempt to read your cloud credentials is refused exactly as it would be if the model tried it.
  • Destructive-command guards. Auto-mode now flags history-rewriting and infrastructure-teardown commands — hard resets, working-tree discards, force-clean, dropped stashes, and infrastructure destroy operations — for review before they run.

Sign in, and you’re in

Signing in used to leave you back at a shell prompt. Now anvil login runs the standard browser-callback flow and then launches straight into Anvil when it completes. The callback listener binds both IPv4 and IPv6 loopback and quietly ignores stray connections — favicon fetches, port probes — instead of letting them abort the login. Pasting a code remains a silent fallback for SSH and containers.

Reliability

v2.2.23 also resolves a batch of platform and daemon issues: correct peer-credential checks on Linux, a fix for the background daemon being wrongly flagged as stale, guaranteed publication of release checksums, and full silencing of the voice-capture subprocess so its progress output can never disturb the interface.

Upgrade

Run anvil update, or brew upgrade anvil. Seven platforms, as always.

Scroll to Top