Merge branch 'main' into fix/sbom

Author: crivetimihai

.bumpversion.cfg

@@ -1,27 +1,25 @@
 [bumpversion]
-current_version = 0.1.0
-commit          = False
-tag             = False
-sign-tags       = True
-tag_name        = v{new_version} # tag format (only used if you flip tag=True later)
-
-# SemVer parsing/serialising
-parse      = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
+current_version = 0.1.1
+commit = False
+tag = False
+sign-tags = True
+tag_name = v{new_version} # tag format (only used if you flip tag=True later)
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
 serialize =
     {major}.{minor}.{patch}
 
 [bumpversion:file:mcpgateway/__init__.py]
-search  = __version__ = "{current_version}"
+search = __version__ = "{current_version}"
 replace = __version__ = "{new_version}"
 
 [bumpversion:file:Containerfile]
-search  = version="{current_version}"
+search = version="{current_version}"
 replace = version="{new_version}"
 
 [bumpversion:file:Containerfile.lite]
-search  = version="{current_version}"
+search = version="{current_version}"
 replace = version="{new_version}"
 
 [bumpversion:file:pyproject.toml]
-search  = version = "{current_version}"
+search = version = "{current_version}"
 replace = version = "{new_version}"

.devcontainer/devcontainer.json

@@ -25,6 +25,6 @@
   },
   "remoteEnv": {
     "MCPGATEWAY_DEV_MODE": "true",
-    "VENV_DIR": "/Users/mg/.venv/mcpgateway"
+    "VENV_DIR": "$HOME/.venv/mcpgateway"
   }
 }

.devcontainer/postCreateCommand.sh

@@ -11,7 +11,7 @@ fi
 make install-dev
 
 # Run tests to verify setup
-make test
+# make test
 
 echo "Devcontainer setup complete."
 

.dockerignore

@@ -1,3 +1,7 @@
+Dockerfile
+Dockerfile.*
+Containerfile.*
+.devcontainer
 .github
 docker-compose.yml
 podman-compose-sonarqube.yaml

.env.example

@@ -140,6 +140,18 @@ WEBSOCKET_PING_INTERVAL=30
 # SSE client retry timeout (milliseconds)
 SSE_RETRY_TIMEOUT=5000
 
+
+#####################################
+# Streamabe HTTP Transport Configuration
+#####################################
+
+# Set False to use stateless sessions without event store and True for stateful sessions
+USE_STATEFUL_SESSIONS=false
+
+# Set true for JSON responses, false for SSE streams
+JSON_RESPONSE_ENABLED=true
+
+
 #####################################
 # Federation
 #####################################

.github/CODEOWNERS

@@ -1,8 +1,5 @@
 # All files in the repo
 * @crivetimihai
 
-# Ownership for the mcpgateway-wrapper
-/mcpgateway-wrapper/ @crivetimihai @kevalmahajan @madhav165
-
 # Ownership for all tests
 /tests/ @crivetimihai @kevalmahajan @madhav165

.github/ISSUE_TEMPLATE/bug-report-code.md

@@ -17,7 +17,7 @@ Select the area of the project impacted:
 
 - [ ] `mcpgateway` - API
 - [ ] `mcpgateway` - UI (admin panel)
-- [ ] `mcpgateway-wrapper` - stdio wrapper
+- [ ] `mcpgateway.wrapper` - stdio wrapper
 - [ ] Federation or Transports
 - [ ] CLI, Makefiles, or shell scripts
 - [ ] Container setup (Docker/Podman/Compose)

.github/tools/cleanup.sh

@@ -0,0 +1,162 @@
+#!/usr/bin/env bash
+#───────────────────────────────────────────────────────────────────────────────
+#  Script : cleanup.sh
+#  Author : Mihai Criveti
+#  Purpose: Prune old or unused GHCR container versions for IBM's MCP Context Forge
+#  Copyright 2025
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  Description:
+#    This script safely manages container versions in GitHub Container Registry
+#    (ghcr.io) under the IBM organization, specifically targeting the
+#    `mcp-context-forge` package. It supports interactive and non-interactive
+#    deletion modes to help you keep the container registry clean.
+#
+#    Features:
+#    • Dry-run by default to avoid accidental deletion
+#    • Tag whitelisting with regular expression matching
+#    • GitHub CLI integration with scope validation
+#    • CI/CD-compatible via environment overrides
+#
+#  Requirements:
+#    • GitHub CLI (gh) v2.x with appropriate scopes
+#    • jq (command-line JSON processor)
+#
+#  Required Token Scopes:
+#    delete:packages
+#
+#  Authentication Notes:
+#    Authenticate with:
+#      gh auth refresh -h github.com -s read:packages,delete:packages
+#    Or:
+#      gh auth logout
+#      gh auth login --scopes "read:packages,delete:packages,write:packages,repo,read:org,gist"
+#
+#    Verify authentication with:
+#      gh auth status -t
+#
+#  Environment Variables:
+#    GITHUB_TOKEN / GH_TOKEN : GitHub token with required scopes
+#    DRY_RUN                 : Set to "false" to enable actual deletions (default: true)
+#
+#  Usage:
+#    ./cleanup.sh                 # Dry-run with confirmation prompt
+#    DRY_RUN=false ./cleanup.sh --yes  # Actual deletion without prompt (for CI)
+#
+#───────────────────────────────────────────────────────────────────────────────
+
+set -euo pipefail
+
+##############################################################################
+# 1. PICK A TOKEN
+##############################################################################
+NEEDED_SCOPES="delete:packages"
+
+if [[ -n "${GITHUB_TOKEN:-}" ]]; then
+  TOKEN="$GITHUB_TOKEN"
+elif [[ -n "${GH_TOKEN:-}" ]]; then
+  TOKEN="$GH_TOKEN"
+else
+  # fall back to whatever gh already has
+  if ! TOKEN=$(gh auth token 2>/dev/null); then
+    echo "❌  No token exported and gh not logged in. Fix with:"
+    echo "    gh auth login  (or export GITHUB_TOKEN)"
+    exit 1
+  fi
+fi
+export GH_TOKEN="$TOKEN"   # gh api uses this
+
+# Fixed scope checking - check for both required scopes individually
+if scopes=$(gh auth status --show-token 2>/dev/null | grep -oP 'Token scopes: \K.*' || echo ""); then
+  missing_scopes=()
+
+  # if ! echo "$scopes" | grep -q "read:packages"; then
+  #   missing_scopes+=("read:packages")
+  # fi
+
+  if ! echo "$scopes" | grep -q "delete:packages"; then
+    missing_scopes+=("delete:packages")
+  fi
+
+  if [[ ${#missing_scopes[@]} -gt 0 ]]; then
+    echo "⚠️  Your token scopes are [$scopes] – but you're missing: [$(IFS=','; echo "${missing_scopes[*]}")]"
+    echo "    Run: gh auth refresh -h github.com -s $NEEDED_SCOPES"
+    exit 1
+  fi
+else
+  echo "⚠️  Could not verify token scopes. Proceeding anyway..."
+fi
+
+##############################################################################
+# 2. CONFIG
+##############################################################################
+ORG="ibm"
+PKG="mcp-context-forge"
+KEEP_TAGS=( "0.1.0" "v0.1.0" "0.1.1" "v0.1.1" "latest" )
+PER_PAGE=100
+
+DRY_RUN=${DRY_RUN:-true}          # default safe
+ASK_CONFIRM=true
+[[ ${1:-} == "--yes" ]] && ASK_CONFIRM=false
+KEEP_REGEX="^($(IFS='|'; echo "${KEEP_TAGS[*]}"))$"
+
+##############################################################################
+# 3. MAIN
+##############################################################################
+delete_ids=()
+
+echo "📦  Scanning ghcr.io/${ORG}/${PKG} …"
+
+# Process versions and collect IDs to delete
+while IFS= read -r row; do
+  id=$(jq -r '.id' <<<"$row")
+  digest=$(jq -r '.digest' <<<"$row")
+  tags_csv=$(jq -r '.tags | join(",")' <<<"$row")
+  keep=$(jq -e --arg re "$KEEP_REGEX" 'any(.tags[]?; test($re))' <<<"$row" 2>/dev/null) || keep=false
+
+  if [[ $keep == true ]]; then
+    printf "✅  KEEP    %s  [%s]\n" "$digest" "$tags_csv"
+  else
+    printf "🗑️   DELETE  %s  [%s]\n" "$digest" "$tags_csv"
+    delete_ids+=("$id")
+  fi
+done < <(gh api -H "Accept: application/vnd.github+json" \
+            "/orgs/${ORG}/packages/container/${PKG}/versions?per_page=${PER_PAGE}" \
+            --paginate | \
+         jq -cr --arg re "$KEEP_REGEX" '
+           .[] |
+           {
+             id,
+             digest: .metadata.container.digest,
+             tags: (.metadata.container.tags // [])
+           }
+         ')
+
+##############################################################################
+# 4. CONFIRMATION & DELETION
+##############################################################################
+if [[ ${#delete_ids[@]} -eq 0 ]]; then
+  echo "✨  Nothing to delete!"
+  exit 0
+fi
+
+if [[ $DRY_RUN == true ]]; then
+  if [[ $ASK_CONFIRM == true ]]; then
+    echo
+    read -rp "Proceed to delete the ${#delete_ids[@]} versions listed above? (y/N) " reply
+    [[ $reply =~ ^[Yy]$ ]] || { echo "Aborted – nothing deleted."; exit 0; }
+  fi
+  echo "🚀  Re-running in destructive mode …"
+  DRY_RUN=false exec "$0" --yes
+else
+  echo "🗑️  Deleting ${#delete_ids[@]} versions..."
+  for id in "${delete_ids[@]}"; do
+    if gh api -X DELETE -H "Accept: application/vnd.github+json" \
+              "/orgs/${ORG}/packages/container/${PKG}/versions/${id}" >/dev/null 2>&1; then
+      echo "✅  Deleted version ID: $id"
+    else
+      echo "❌  Failed to delete version ID: $id"
+    fi
+  done
+  echo "Done."
+fi

.github/workflows/docker-release.yml

@@ -4,12 +4,12 @@
 #
 # This workflow re-tags a Docker image (built by a previous workflow)
 # when a GitHub Release is published, giving it a semantic version tag
-# like `v0.1.0`. It assumes the CI build has already pushed an image
+# like `v0.1.1`. It assumes the CI build has already pushed an image
 # tagged with the commit SHA, and that all checks on that commit passed.
 #
 # ➤ Trigger: Release published (e.g. from GitHub UI or `gh release` CLI)
 # ➤ Assumes: Existing image tagged with the commit SHA is available
-# ➤ Result: Image re-tagged as `ghcr.io/OWNER/REPO:v0.1.0`
+# ➤ Result: Image re-tagged as `ghcr.io/OWNER/REPO:v0.1.1`
 #
 # ======================================================================
 
@@ -25,7 +25,7 @@ on:
   workflow_dispatch:
     inputs:
       tag:
-        description: 'Release tag (e.g., v0.1.0)'
+        description: 'Release tag (e.g., v0.1.1)'
         required: true
         type: string
 
@@ -76,8 +76,8 @@ jobs:
       # ----------------------------------------------------------------
       - name: ✅  Verify commit checks passed
         env:
-          SHA:   ${{ steps.meta.outputs.sha }}
-          REPO:  ${{ github.repository }}
+          SHA: ${{ steps.meta.outputs.sha }}
+          REPO: ${{ github.repository }}
         run: |
           set -euo pipefail
           STATUS=$(curl -sSL \

.github/workflows/ibm-cloud-code-engine.yml

@@ -35,6 +35,10 @@
 #         not the secret value.
 # Triggers:
 #   • Every push to `main`
+#   • Expects a secret called `mcpgateway-dev` in Code Engine. Ex:
+#      ibmcloud ce secret create \
+#        --name mcpgateway-dev \
+#        --from-env-file .env
 # ---------------------------------------------------------------
 
 name: Deploy to IBM Code Engine
@@ -156,6 +160,7 @@ jobs:
               --name  "$CODE_ENGINE_APP_NAME" \
               --image "$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$IMAGE_TAG" \
               --registry-secret "$CODE_ENGINE_REGISTRY_SECRET" \
+              --env-from-secret mcpgateway-dev \
               --cpu 1 --memory 2G
           else
             echo "🆕 Creating new application…"
@@ -164,6 +169,7 @@ jobs:
               --image "$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$IMAGE_TAG" \
               --registry-secret "$CODE_ENGINE_REGISTRY_SECRET" \
               --port  "$PORT" \
+              --env-from-secret mcpgateway-dev \
               --cpu 1 --memory 2G
           fi