Releases: EnterpriseDB/pg-airman-mcp
Release v1.0.0
Pg Airman MCP v1.0.0
Release Date: March 5, 2026
Highlights
- OAuth 2.0 Authentication: RFC 7662 token introspection with SSRF prevention and resource validation
- DNS Rebinding Protection: Configurable transport security for Kubernetes and proxy deployments
- Server Settings refactoring: Pydantic BaseSettings with AIRMAN_MCP_ env prefix convention
- Docker hardening: Fixed runtime dependencies and added Kubernetes sidecar detection
- Security-focused dependency updates: Resolved 11 Dependabot CVEs in transitive dependencies
What's New
OAuth 2.0 Authentication
Added IntrospectionTokenVerifier implementing RFC 7662 Token Introspection for validating access tokens against any compliant authorization server. Includes SSRF prevention (HTTPS required with localhost exception for dev), hierarchical resource matching (RFC 8707), configurable scope/resource validation, and comprehensive error handling.
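The checks described above, sketched as an added example; this is not pg-airman-mcp's own code. The function names, the loopback host list, the segment-wise matching direction (token audience as prefix of the server's resource), and the sample hosts and scopes are assumptions.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumed dev-only exception

def is_safe_introspection_url(url: str) -> bool:
    """Allow HTTPS anywhere; allow plain HTTP only to a loopback host."""
    parts = urlsplit(url)
    if not parts.hostname:
        return False
    if parts.scheme == "https":
        return True
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS

def _origin_and_segments(url: str):
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port), [s for s in p.path.split("/") if s]

def resource_covers(audience: str, server_resource: str) -> bool:
    """True if `audience` has the server's origin and its path is a
    whole-segment prefix of the server's path (assumed matching direction)."""
    aud_origin, aud_path = _origin_and_segments(audience)
    srv_origin, srv_path = _origin_and_segments(server_resource)
    return aud_origin == srv_origin and srv_path[:len(aud_path)] == aud_path

def check_introspection(resp: dict, server_resource: str, required_scopes: set) -> tuple:
    """Decide on an RFC 7662 introspection response; returns (accepted, reason)."""
    if resp.get("active") is not True:  # only a literal JSON true is accepted
        return False, "inactive"
    granted = set((resp.get("scope") or "").split())  # space-delimited per RFC 7662
    if not required_scopes <= granted:
        return False, "missing_scope"
    aud = resp.get("aud") or []
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if not any(resource_covers(a, server_resource) for a in audiences):
        return False, "wrong_resource"
    return True, "ok"

# Constructed sample response; host and scope names are hypothetical.
SAMPLE = {"active": True, "scope": "mcp:read mcp:write", "aud": "https://mcp.example.com/mcp"}
if __name__ == "__main__":
    print(check_introspection(SAMPLE, "https://mcp.example.com/mcp/tools", {"mcp:read"}))
```

Comparing whole path segments rather than raw string prefixes is what keeps a token issued for /mcp from being accepted at /mcp-admin.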
DNS Rebinding Protection
Added configurable transport security settings to resolve HTTP 421 Misdirected Request errors when the server is accessed through Kubernetes services or reverse proxies. Three new settings: AIRMAN_MCP_DNS_REBINDING_PROTECTION, AIRMAN_MCP_ALLOWED_HOSTS, and AIRMAN_MCP_ALLOWED_ORIGINS.
Server Settings Refactoring
Extracted server configuration into ServerSettings (Pydantic BaseSettings with AIRMAN_MCP_ env prefix) and refactored MCP server creation into a create_mcp_server() factory function. Added auth_config module bridging settings to the token verifier. Standardized environment variable naming from DATABASE_URI to AIRMAN_MCP_DATABASE_URL.
Docker Improvements
- Fixed missing libpq5 runtime dependency causing PostgreSQL connection failures
- Preserved libldap-2.5-0 during package cleanup
- Added Kubernetes sidecar detection to skip Docker host remapping
- Added backward-compatibility bridge from deprecated DATABASE_URI env var
Security Updates
- Added OAuth 2.0 token introspection with SSRF prevention and SSL enforcement
- Pinned minimum versions for transitive dependencies to resolve 11 CVEs:
  - aiohttp>=3.13.3 (CVE-2025-69223 through CVE-2025-69230)
  - cryptography>=46.0.5 (CVE-2026-26007)
  - python-multipart>=0.0.22 (CVE-2026-24486)
  - urllib3>=2.6.3 (CVE-2026-21441)
Release v0.5.0
Pg Airman MCP v0.5.0
Release Date: December 23, 2025
Highlights
- Migration to psycopg[c]: Switched from psycopg[binary] to psycopg[c] for broader platform support and to eliminate reliance on precompiled binary packages.
- Security-focused dependency updates: Upgraded critical dependencies to address security vulnerabilities and ensure a safer deployment.
What's New
Migration to psycopg[c]
Transitioned database driver from psycopg[binary] to psycopg[c]. This change improves compatibility across platforms and simplifies installation by removing the need for precompiled binaries.
Security Updates
- Upgraded critical dependencies for improved security
- Further hardened Docker container isolation
Release v0.4.0
Pg Airman MCP v0.4.0
Release Date: November 26, 2025
Highlights
- Multi-transport support: Added Streamable HTTP transport alongside stdio and sse
- Database comments: New tool to add comments to database objects
- Enhanced security: Docker hardening and critical dependency updates
- Rebranded: Renamed from postgres-mcp to pg-airman-mcp (EnterpriseDB fork)
What's New
Multi-Transport Architecture
Added Streamable HTTP transport with threading support and graceful shutdown handling.
Database Comment Management
New add_comment_to_object tool for adding comments to tables, views, and columns.
Enhanced Introspection
Object details now include description/comment fields for better documentation.
Security Updates
- Docker container now runs as non-root user