v0.2.7

@github-actions github-actions released this 27 Mar 00:12
· 64 commits to main since this release
45c06fc

🌟 Release Highlights

This release focuses on GitHub Enterprise Cloud (GHEC) tenant support, improved session reliability, and better HTTP backend compatibility, alongside several security guard enhancements and internal quality improvements.

✨ What's New

  • GHEC Tenant Support (#2481, #2484): MCP Gateway now correctly handles GitHub Enterprise Cloud tenants in both proxy routing and guard URL parsing, including port-safe GHEC detection in API URL derivation. Configure via GITHUB_SERVER_URL or GITHUB_API_URL for seamless GHEC integration. See Proxy Mode docs for details.

  • Trusted Users in AllowOnly Guard (#2584): The allow-only guard policy now supports a trusted-users list, allowing specific users to receive elevated integrity levels, enabling fine-grained control over who can perform sensitive operations. See Guard Response Labeling.

πŸ› Bug Fixes & Improvements

  • Transparent Session Reconnection (#2597): Expired MCP backend sessions are now reconnected automatically and transparently, with an extended session timeout. No more unexpected disconnections from long-running workflows.

  • HTTP Backend Compatibility (#2608): Fixed HTTP 400 errors on tools/list for HTTP backends that use custom authentication headers (e.g., Atlassian MCP). The gateway now correctly forwards auth headers on capability discovery requests.

  • Guard Write Classification (#2613): Pre-emptive write classification added for set_variable, upload_release_asset, and sync_fork tools, ensuring these operations are correctly guarded before execution rather than after.

  • Schema Fetch Reliability (#2582): Added retry logic with exponential backoff for schema fetches, making the gateway resilient to transient HTTP errors on startup.

  • Accurate DIFC Filter Notices (#2518): Filter notices now correctly distinguish between secrecy and integrity violations, giving users clearer information about why a tool response was filtered.

  • Trusted Bot Elevation Fix (#2574): Corrected configured trusted-bot elevation in apply_tool_labels so explicitly trusted bots receive the correct integrity levels.

📚 Documentation

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.7
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64


For complete details, see the full release notes.

Generated by Release


What's Changed

  • fix: port-safe GHEC detection in deriveAPIFromServerURL by @Copilot in #2484
  • feat: GHEC tenant support for proxy and guard URL parsing by @lpcox in #2481
  • 🔄 chore: update schema URL to v0.63.1 by @github-actions[bot] in #2503
  • refactor: eliminate truncateForLog duplicate, simplify ValidateDIFCMode, split unified.go by @Copilot in #2497
  • [rust-guard] Consolidate identical repo-scoped match arms and extract approval-label promotion helper by @Copilot in #2508
  • Add DIFC integrity audit tests: detection failure rate, audit trail, safe_outputs blocking by @Copilot in #2514
  • fix: distinguish secrecy vs integrity in filtered notice by @Copilot in #2518
  • Remove duplicate log calls where global structured logger already covers the event by @Copilot in #2522
  • refactor: Extract shared LogConnectionError to eliminate duplicate connection error diagnostics by @Copilot in #2524
  • Extract syncutil.GetOrCreate to eliminate double-check locking duplication by @Copilot in #2531
  • docs: add proxy mode env vars to ENVIRONMENT_VARIABLES.md and link gateway compatibility reference from README by @Copilot in #2541
  • [test-improver] Improve tests for mcp package (ExpandEnvArgs) by @github-actions[bot] in #2499
  • [test] Add tests for server.callBackendTool DIFC phases by @github-actions[bot] in #2513
  • [log] Add debug logger to internal/server/guard_init.go by @github-actions[bot] in #2528
  • fix: update DIFC test assertions to match new notice format by @lpcox in #2552
  • refactor: relocate SysServer to server package, IsRunningInContainer to sys package by @Copilot in #2549
  • 🔄 chore: update schema URL to v0.64.0 by @github-actions[bot] in #2572
  • rust-guard: fix configured trusted bot elevation in apply_tool_labels + deduplicate item collection by @Copilot in #2574
  • [Repo Assist] refactor(cmd): add getDefault helpers for all DIFC flag env vars by @github-actions[bot] in #2569
  • fix: add retry with exponential backoff to schema fetch for transient HTTP errors by @Copilot in #2582
  • feat: add trusted-users list to AllowOnly guard policy for user integrity elevation by @Copilot in #2584
  • refactor(difc): reduce boilerplate duplication in agent.go and labels.go by @Copilot in #2591
  • fix: reconnect expired MCP backend sessions transparently, extend server session timeout by @Copilot in #2597
  • feat: add gateway issue dispatcher workflow by @lpcox in #2603
  • Fix HTTP 400 on tools/list for HTTP backends with custom auth headers (Atlassian MCP) by @Copilot in #2608
  • fix(guard): pre-emptive write classification for set_variable, upload_release_asset, sync_fork by @Copilot in #2613
  • [log] Add debug logging to container detection in sys/container.go by @github-actions[bot] in #2598
  • fix: update HTTP backend mock tests for SDK streamable transport by @lpcox in #2619

Full Changelog: v0.2.6...v0.2.7