Tagging 0.3.1 (#360)

Signed-off-by: Mihai Criveti <[email protected]>

Author: crivetimihai

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.3.0
+current_version = 0.3.1
 commit = False
 tag = False
 sign-tags = True

CHANGELOG.md

@@ -6,6 +6,59 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 
 ---
 
+## [0.3.1] - 2025-01-11 - Security and Data Validation (Pydantic, UI)
+
+### Security Improvements
+
+> This release adds enhanced validation rules in the Pydantic data models to help prevent XSS injection when data from untrusted MCP servers is displayed in downstream UIs. You should still ensure any downstream agents and applications perform data sanitization coming from untrusted MCP servers (apply defense in depth).
+
+> Data validation has been strengthened across all API endpoints (/admin and main), with additional input and output validation in the UI to improve overall security.
+
+> The Admin UI continues to follow security best practices with localhost-only access by default and feature flag controls - now set to disabled by default, as shown in `.env.example` file (`MCPGATEWAY_UI_ENABLED=false` and `MCPGATEWAY_ADMIN_API_ENABLED=false`).
+
+* **Comprehensive Input Validation Framework** (#339, #340):
+  * Enhanced data validation for all `/admin` endpoints - tools, resources, prompts, gateways, and servers
+  * Extended validation framework to all non-admin API endpoints for consistent data integrity
+  * Implemented configurable validation rules with sensible defaults:
+    - Character restrictions: names `^[a-zA-Z0-9_\-\s]+$`, tool names `^[a-zA-Z][a-zA-Z0-9_]*$`
+    - URL scheme validation for approved protocols (`http://`, `https://`, `ws://`, `wss://`)
+    - JSON nesting depth limits (default: 10 levels) to prevent resource exhaustion
+    - Field-specific length limits (names: 255, descriptions: 4KB, content: 1MB)
+    - MIME type validation for resources
+  * Clear, helpful error messages guide users to correct input formats
+
+* **Enhanced Output Handling in Admin UI** (#336):
+  * Improved data display safety - all user-controlled content now properly HTML-escaped
+  * Protected fields include prompt templates, tool names/annotations, resource content, gateway configs
+  * Ensures user data displays as intended without unexpected behavior
+
+### Added
+
+* **Test MCP Server Connectivity Tool** (#181) - new debugging feature in Admin UI to validate gateway connections
+* **Persistent Admin UI Filter State** (#177) - filters and view preferences now persist across page refreshes
+* **Revamped UI Components** - metrics and version tabs rewritten from scratch for consistency with overall UI layout
+
+### Changed
+
+* **Code Quality - Zero Lint Status** (#338):
+  * Resolved all 312 code quality issues across the web stack
+  * Updated 14 JavaScript patterns to follow best practices
+  * Corrected 2 HTML structure improvements
+  * Standardized JavaScript naming conventions
+  * Removed unused code for cleaner maintenance
+
+* **Validation Configuration** - new environment variables for customization. Update your `.env`:
+  ```bash
+  VALIDATION_MAX_NAME_LENGTH=255
+  VALIDATION_MAX_DESCRIPTION_LENGTH=4096
+  VALIDATION_MAX_JSON_DEPTH=10
+  VALIDATION_ALLOWED_URL_SCHEMES=["http://", "https://", "ws://", "wss://"]
+  ```
+
+* **Performance** - validation overhead kept under 10ms per request with efficient patterns
+
+---
+
 ## [0.3.0] - 2025-07-08
 
 ### Added

Containerfile

@@ -1,7 +1,7 @@
 FROM registry.access.redhat.com/ubi9-minimal:9.6-1751286687
 LABEL maintainer="Mihai Criveti" \
       name="mcp/mcpgateway" \
-      version="0.3.0" \
+      version="0.3.1" \
       description="MCP Gateway: An enterprise-ready Model Context Protocol Gateway"
 
 ARG PYTHON_VERSION=3.11

Containerfile.lite

@@ -106,7 +106,7 @@ LABEL maintainer="Mihai Criveti" \
       org.opencontainers.image.title="mcp/mcpgateway" \
       org.opencontainers.image.description="MCP Gateway: An enterprise-ready Model Context Protocol Gateway" \
       org.opencontainers.image.licenses="Apache-2.0" \
-      org.opencontainers.image.version="0.3.0"
+      org.opencontainers.image.version="0.3.1"
 
 # ----------------------------------------------------------------------------
 # Copy the entire prepared root filesystem from the builder stage

README.md

@@ -344,13 +344,13 @@ docker run -d --name mcpgateway \
   -e BASIC_AUTH_PASSWORD=changeme \
   -e AUTH_REQUIRED=true \
   -e DATABASE_URL=sqlite:///./mcp.db \
-  ghcr.io/ibm/mcp-context-forge:0.3.0
+  ghcr.io/ibm/mcp-context-forge:0.3.1
 
 # Tail logs (Ctrl+C to quit)
 docker logs -f mcpgateway
 
 # Generating an API key
-docker run --rm -it ghcr.io/ibm/mcp-context-forge:0.3.0 \
+docker run --rm -it ghcr.io/ibm/mcp-context-forge:0.3.1 \
   python -m mcpgateway.utils.create_jwt_token --username admin --exp 0 --secret my-test-key
 ```
 
@@ -376,7 +376,7 @@ docker run -d --name mcpgateway \
   -e JWT_SECRET_KEY=my-test-key \
   -e BASIC_AUTH_USER=admin \
   -e BASIC_AUTH_PASSWORD=changeme \
-  ghcr.io/ibm/mcp-context-forge:0.3.0
+  ghcr.io/ibm/mcp-context-forge:0.3.1
 ```
 
 SQLite now lives on the host at `./data/mcp.db`.
@@ -398,7 +398,7 @@ docker run -d --name mcpgateway \
   -e PORT=4444 \
   -e DATABASE_URL=sqlite:////data/mcp.db \
   -v $(pwd)/data:/data \
-  ghcr.io/ibm/mcp-context-forge:0.3.0
+  ghcr.io/ibm/mcp-context-forge:0.3.1
 ```
 
 Using `--network=host` allows Docker to access the local network, allowing you to add MCP servers running on your host. See [Docker Host network driver documentation](https://docs.docker.com/engine/network/drivers/host/) for more details.
@@ -414,7 +414,7 @@ podman run -d --name mcpgateway \
   -p 4444:4444 \
   -e HOST=0.0.0.0 \
   -e DATABASE_URL=sqlite:///./mcp.db \
-  ghcr.io/ibm/mcp-context-forge:0.3.0
+  ghcr.io/ibm/mcp-context-forge:0.3.1
 ```
 
 #### 2 - Persist SQLite
@@ -433,7 +433,7 @@ podman run -d --name mcpgateway \
   -p 4444:4444 \
   -v $(pwd)/data:/data \
   -e DATABASE_URL=sqlite:////data/mcp.db \
-  ghcr.io/ibm/mcp-context-forge:0.3.0
+  ghcr.io/ibm/mcp-context-forge:0.3.1
 ```
 
 #### 3 - Host networking (rootless)
@@ -451,7 +451,7 @@ podman run -d --name mcpgateway \
   --network=host \
   -v $(pwd)/data:/data \
   -e DATABASE_URL=sqlite:////data/mcp.db \
-  ghcr.io/ibm/mcp-context-forge:0.3.0
+  ghcr.io/ibm/mcp-context-forge:0.3.1
 ```
 
 ---
@@ -460,7 +460,7 @@ podman run -d --name mcpgateway \
 <summary><strong>✏️ Docker/Podman tips</strong></summary>
 
 * **.env files** - Put all the `-e FOO=` lines into a file and replace them with `--env-file .env`. See the provided [.env.example](.env.example) for reference.
-* **Pinned tags** - Use an explicit version (e.g. `v0.3.0`) instead of `latest` for reproducible builds.
+* **Pinned tags** - Use an explicit version (e.g. `v0.3.1`) instead of `latest` for reproducible builds.
 * **JWT tokens** - Generate one in the running container:
 
   ```bash
@@ -506,7 +506,7 @@ docker run --rm -i \
   -e MCP_SERVER_CATALOG_URLS=http://host.docker.internal:4444/servers/UUID_OF_SERVER_1 \
   -e MCP_TOOL_CALL_TIMEOUT=120 \
   -e MCP_WRAPPER_LOG_LEVEL=DEBUG \
-  ghcr.io/ibm/mcp-context-forge:0.3.0 \
+  ghcr.io/ibm/mcp-context-forge:0.3.1 \
   python3 -m mcpgateway.wrapper
 ```
 
@@ -586,7 +586,7 @@ docker run -i --rm \
   -e MCP_SERVER_CATALOG_URLS=http://localhost:4444/servers/UUID_OF_SERVER_1 \
   -e MCP_AUTH_TOKEN=${MCPGATEWAY_BEARER_TOKEN} \
   -e MCP_TOOL_CALL_TIMEOUT=120 \
-  ghcr.io/ibm/mcp-context-forge:0.3.0 \
+  ghcr.io/ibm/mcp-context-forge:0.3.1 \
   python3 -m mcpgateway.wrapper
 ```