v0.9.0 - 2025-11-09 - Internal Observability, Performance Optimizations & Production Hardening

[crivetimihai]

This release delivers detailed internal observability, major performance improvements, compression & pagination, REST API passthrough, Ed25519 certificate signing, and critical multi-tenancy fixes with 60+ issues resolved and 50+ PRs merged.

🏆 Major Achievements

Release 0.9.0 represents a major milestone in production readiness and operational excellence:

✅ 📊 Built-in Observability Platform - Self-contained performance monitoring with interactive dashboards, Gantt charts, flame graphs, and comprehensive trace analytics (no external platforms required!)
✅ ⚡ 30-70% Bandwidth Reduction - Multi-algorithm response compression (Brotli, Zstd, GZip) with zero client changes
✅ 🚀 5-6x Faster JSON Processing - orjson serialization for high-throughput APIs with 7% smaller payloads
✅ 🦀 5-100x Plugin Performance - Rust-accelerated PII filter with automatic Python fallback
✅ 📄 Comprehensive Pagination - HTMX-based UI pagination tested up to 10K records with database optimization
✅ 🔌 REST API Passthrough - Complete REST tool configuration with query/header mapping and plugin chains
✅ 🔐 Ed25519 Certificate Signing - Production-ready certificate authentication with zero-downtime key rotation
✅ 🛡️ Multi-Tenancy Security Fixes - Critical RBAC vulnerability patches and ownership enforcement
✅ 💬 LLM Chat Interface - Built-in MCP client with Redis-based session consistency for distributed environments

---

✨ Highlights

📊 Internal Observability System (NEW!)

Self-contained performance monitoring and trace analytics without external dependencies

The biggest feature of 0.9.0 is a comprehensive built-in observability system that provides production-grade monitoring, tracing, and analytics stored entirely in your database (SQLite/PostgreSQL/MariaDB) with interactive visualizations in the Admin UI.

Key Capabilities

Performance Analytics

• Latency Percentiles: p50, p90, p95, p99 metrics for detailed performance analysis
• Duration Tracking: Millisecond-precision timing for all operations
• Throughput Metrics: Request counts and rates over time
• Comparative Analysis: Side-by-side comparison of multiple resources

Error Tracking

• Error Rate Monitoring: Percentage of failed operations with color-coded health indicators
  • 🟢 Green: <5% errors (healthy)
  • 🟡 Yellow: 5-20% errors (degraded)
  • 🔴 Red: >20% errors (unhealthy)
• Error-Prone Analysis: Identify resources with highest failure rates
• Status Code Tracking: HTTP response codes and error messages
• Root Cause Analysis: Detailed traces with full context

Interactive Dashboards

• Tools Dashboard (/admin/observability/tools) - MCP tool invocation metrics
• Prompts Dashboard (/admin/observability/prompts) - Prompt rendering performance
• Resources Dashboard (/admin/observability/resources) - Resource fetch operations
• Metrics Summary (/admin/observability/metrics) - At-a-glance health status
• Auto-Refresh: Dashboards update every 60 seconds automatically

Trace Visualization

• Gantt Chart Timeline: Visual representation of span execution order and timing
  • Time scale from trace start to end
  • Duration bars positioned by start time
  • Critical path highlighting (longest dependency chain)
  • Interactive tooltips and zoom
• Flame Graphs: Hierarchical view of nested operations
  • Call stack visualization with parent-child relationships
  • Width proportional to duration
  • Color-coded by operation type
  • Interactive zoom, pan, and search
• Trace Details: Complete trace metadata, attributes, and context
• Span Explorer: Drill down into individual operations with detailed metrics

What Gets Traced

• Tool invocations - Full lifecycle with arguments, results, and timing
• Prompt rendering - Template processing and message generation
• Resource fetching - URI resolution, caching, and content retrieval
• HTTP requests - Complete request/response tracing with timing
• Database queries - SQLAlchemy instrumentation for query performance
• Plugin execution - Pre/post hooks if plugins are enabled

Configuration & Retention

# Enable internal observability
OBSERVABILITY_ENABLED=true

# Automatically trace HTTP requests
OBSERVABILITY_TRACE_HTTP_REQUESTS=true

# Retention and limits
OBSERVABILITY_TRACE_RETENTION_DAYS=7
OBSERVABILITY_MAX_TRACES=100000

# Trace sampling (1.0 = 100%, 0.1 = 10%)
OBSERVABILITY_SAMPLE_RATE=1.0

# Exclude paths (regex patterns)
OBSERVABILITY_EXCLUDE_PATHS=/health,/healthz,/ready,/metrics,/static/.*

Why This Matters

• No External Dependencies: No need for Phoenix, Jaeger, Tempo, or other observability platforms
• Self-Hosted: All trace data stays in your database
• Development & Testing: Perfect for local development and testing environments
• Quick Performance Analysis: Identify bottlenecks without additional infrastructure
• Cost Effective: No additional observability platform costs
• Privacy: Sensitive data never leaves your infrastructure

Use Cases

• Identify slow tools and optimize critical paths
• Debug performance issues with detailed trace inspection
• Track error rates and identify problematic operations
• Analyze usage patterns and resource consumption
• Monitor production performance trends
• Understand request flow with visual timelines

See the Internal Observability Documentation for comprehensive guides, examples, and screenshots.

⚡ Performance Optimizations (30-70% faster)

Response Compression Middleware (#1298, #1292)

• Multi-Algorithm Support - Brotli, Zstd, and GZip with automatic negotiation
• Bandwidth Reduction - 30-70% smaller responses for text content (JSON, HTML, CSS, JS)
• Algorithm Priority - Brotli (best compression) > Zstd (fastest) > GZip (universal)
• Smart Compression - Only compresses responses >500 bytes to avoid overhead
• Optimal Settings - Balanced compression levels for CPU/bandwidth trade-off:
  • Brotli quality 4 (0-11 scale) for best compression ratio
  • Zstd level 3 (1-22 scale) for fastest compression
  • GZip level 6 (1-9 scale) for balanced performance
• Cache-Friendly - Adds Vary: Accept-Encoding header for proper cache behavior
• Zero Client Changes - Transparent to API clients, browsers handle decompression
• Browser Support - Brotli supported by 96%+ of browsers, GZip universal fallback

orjson JSON Serialization (#1294)

• Performance Gains - 5-6x faster serialization, 1.5-2x faster deserialization vs stdlib json
• Compact Output - 7% smaller JSON payloads for reduced bandwidth
• Rust Implementation - Fast, correct JSON library (RFC 8259 compliant)
• Native Type Support - datetime, UUID, numpy arrays, Pydantic models handled natively
• Zero Configuration - Drop-in replacement for stdlib json, transparent to clients
• Production Ready - Used by Reddit, Stripe for high-throughput APIs
• API Benefits:
  • 15-30% higher throughput
  • 10-20% lower CPU usage
  • 20-40% faster response times

🦀 Rust Plugin Framework (#1289, #1249)

• Optional Rust-Accelerated Plugins - PyO3-based framework with automatic Python fallback
• PII Filter (Rust) - 5-100x faster than Python implementation:
  • Bulk detection: ~100x faster (Python: 2287ms → Rust: 22ms)
  • Single pattern: ~5-10x faster across all PII types
  • Memory efficient with Rust's ownership model
• Auto-Detection - Automatically selects Rust or Python at runtime
• UI Integration - Plugin catalog displays implementation type (🦀 Rust / 🐍 Python)
• Comprehensive Testing - Unit tests, integration tests, differential tests, benchmarks
• CI/CD Pipeline - Automated builds, tests, and publishing
• Multi-Platform Builds - Linux (x86_64, aarch64), macOS (universal2), Windows (x86_64)
• Zero Breaking Changes - Pure Python fallback when Rust not available
• Installation - pip install mcp-contextforge-gateway[rust]

📄 Pagination & Scale

Comprehensive API Pagination (#1224, #1277)

• All admin endpoints with configurable page sizes (1-500 items)
• Maintains backward compatibility with legacy list format
• Total count and page metadata included in responses
• Navigation links with query parameter support

HTMX-Based UI Pagination

• Seamless client-side pagination for admin UI
• New /admin/tools/partial endpoint for HTMX-based pagination
• Pagination controls with keyboard navigation support
• Tested with up to 10,000 tools for performance validation
• Tag filtering works within paginated results

Database Optimization

• New composite indexes for efficient paginated queries
• Indexes on created_at + id for tools, servers, resources, prompts, gateways
• Team-scoped indexes for multi-tenant pagination performance
• Auth events and API tokens indexed for audit log pagination

11 Configuration Variables - Fine-tuned pagination behavior:

• PAGINATION_DEFAULT_PAGE_SIZE - Default items per page (default: 50)
• PAGINATION_MAX_PAGE_SIZE - Maximum allowed page size (default: 500)
• PAGINATION_CURSOR_THRESHOLD - Threshold for cursor-based pagination (default: 10000)
• PAGINATION_CURSOR_ENABLED - Enable cursor-based pagination (default: true)
• PAGINATION_INCLUDE_LINKS - Include navigation links in responses (default: true)
• Additional settings for sort order, caching, and offset limits

Pagination Utilities - New mcpgateway/utils/pagination.py module:

• Offset-based pagination for simple use cases (<10K records)
• Cursor-based pagination for large datasets (>10K records)
• Automatic strategy selection based on result set size

🔌 REST API Passthrough

Complete REST Tool Configuration (#746, #1273)

• Query & Header Mapping - Configure dynamic query parameter and header mappings
• Path Templates - URL path templates with variable substitution
• Timeout Management - Per-tool timeout settings (default: 20000ms)
• Endpoint Exposure Control - Toggle passthrough endpoint visibility with expose_passthrough flag
• Security Controls - Host allowlists for allowed upstream hosts/schemes
• Plugin Chain Support - Pre and post-request plugin integration
• Base URL Extraction - Automatic extraction from tool URLs
• Admin UI Integration - "Advanced: Add Passthrough" button with dynamic field generation

REST Tool Validation (#1273)

• URL structure validation (scheme and netloc)
• Path template validation (leading slash enforcement)
• Timeout validation (positive integers)
• Allowlist validation (regex-based)
• Plugin chain validation (restricted to safe plugins: deny_filter, rate_limit, pii_filter, response_shape, regex_filter, resource_filter)
• Integration type enforcement (REST-specific fields only for integration_type='REST')

🔐 Ed25519 Certificate Signing

Digital Certificate Authentication

• Sign and verify certificates using Ed25519 cryptographic signatures
• Ensures certificate authenticity and prevents tampering
• Built on proven Ed25519 algorithm (RFC 8032)
• Zero-dependency Python implementation using cryptography library

Key Generation Utility

• Built-in key generation tool at mcpgateway/utils/generate_keys.py
• Generates secure Ed25519 private keys in base64 format
• Simple command-line interface for development and production

Key Rotation Support

• Graceful key rotation with zero downtime
• Configure both current (ED25519_PRIVATE_KEY) and previous (PREV_ED25519_PRIVATE_KEY) keys
• Automatic fallback to previous key during rotation
• Supports rolling updates in distributed deployments

Kubernetes & Helm Support

• Secret management via values.yaml configuration
• JSON Schema validation in values.schema.json
• External Secrets Operator integration examples
• Complete Helm chart documentation

🔒 Multi-Tenancy & Security Fixes

RBAC Vulnerability Patch (#1248, #1250)

• Fixed unauthorized access to resource status toggling
• Ownership checks now enforced for all resource operations
• Toggle permissions restricted to resource owners only

Team-Scoped Uniqueness (#1246)

• Enforced unique constraints within teams for prompts, resources, and agents
• Prompts: unique within (team_id, owner_email, name)
• Resources: unique within (team_id, owner_email, uri)
• A2A Agents: unique within (team_id, owner_email, slug)
• Dropped legacy single-column unique constraints for multi-tenant compatibility

Ownership Enforcement (#1209, #1210)

• Implemented ownership checks for public resources
• Users can only edit/delete their own public resources
• Prevents unauthorized modification of team-shared resources

ID-Based Resource Endpoints (#1184)

• All prompt and resource endpoints now use unique IDs for lookup
• Prevents naming conflicts across teams and owners
• Enhanced API security and consistency
• Migration compatible with SQLite, MySQL, and PostgreSQL

🛠️ Developer & Operations Tools

Support Bundle Generation (#1197)

• Automated diagnostics collection with sanitized logs, configuration, and system information
• Command-line tool: mcpgateway --support-bundle --output-dir /tmp --log-lines 1000
• API endpoint: GET /admin/support-bundle/generate?log_lines=1000
• Admin UI: "Download Support Bundle" button in Diagnostics tab
• Automatic sanitization of secrets (passwords, tokens, API keys)

LLM Chat Interface (#1202, #1200, #1236)

• Built-in MCP client with LLM chat service for virtual servers
• Agent-enabled tool orchestration with MCP protocol integration
• Redis-based session consistency (LLMChat add session consistency using redis #1236) for multi-worker distributed environments
  • Concurrent user management with worker coordination
  • Session isolation and race condition prevention
  • Redis locks and TTLs for consistency
• Direct testing of virtual servers and tools from Admin UI

System Statistics in Metrics (#1228, #1232)

• Comprehensive system monitoring in metrics page
• CPU, memory, disk usage, and network statistics
• Process information and resource consumption
• System health indicators for production monitoring

Performance Testing Framework (#1203, #1204, #1226)

• Load testing and benchmarking capabilities
• Production-scale load data generator for multi-tenant testing (Epic: Production-Scale Load Data Generator for Multi-Tenant Testing #1225, PR: Fix Load Testing Framework and TokenUsageLog SQLite Bug closes #1225 #1226)
• Benchmark MCP server for performance analysis ([Feature]: Benchmark MCP Server for Load Testing and Performance Analysis #1219, Benchmark mcp server closes #1219 #1220, Benchmark mcp server #1221)
• Fixed TokenUsageLog SQLite bug in load testing framework

Metrics Export Enhancement (#1218)

• Export all metrics data for external analysis and integration

🔐 SSO & Authentication

Microsoft Entra ID Support (#1212, #1211)

• Complete Entra ID integration with environment variable configuration

Generic OIDC Provider Support (#1213)

• Flexible OIDC integration for any compliant provider

Keycloak Integration (#1217, #1216, #1109)

• Full Keycloak support with application/x-www-form-urlencoded

OAuth Timeout Configuration (#1201)

• Configurable OAUTH_DEFAULT_TIMEOUT for OAuth providers

🔌 Plugin Framework Enhancements

Plugin Client-Server mTLS Support (#1196)

• Mutual TLS authentication for external plugins

Complete OPA Plugin Hooks (#1198, #1137)

• All missing hooks implemented in OPA plugin

Plugin Linters & Quality (#1240)

• Comprehensive linting for all plugins with automated fixes

Plugin Compose Configuration (#1174)

• Enhanced plugin and catalog configuration in docker-compose

🌐 Protocol & Platform

MCP Tool Output Schema Support (#1258, #1263, #1269)

• Full support for MCP tool outputSchema field
• Database and service layer implementation (feat: Tool output schema support in db and service layer #1263)
• Admin UI support for viewing and editing output schemas (Add UI Support for MCP Tool outputSchema Field closes #1258 #1269)
• Preserves output schema during tool discovery and invocation

Multiple StreamableHTTP Content (#1188, #1189)

• Support for multiple content blocks in StreamableHTTP responses

s390x Architecture Support (#1138, #1206)

• Container builds for IBM Z platform (s390x)

System Monitor MCP Server (#977)

• Go-based MCP server for system monitoring and metrics

💻 Admin UI Enhancements

Inspectable Auth Credentials (#1336, #1370)

• Admins can now view and verify passwords, tokens, and custom headers
• Toggle buttons for masking/unmasking sensitive input values
• Fixed saved custom headers not visible when editing MCP servers
• Quality of life improvements for admins when managing MCP servers

---

🆕 Added

📊 Internal Observability System (#1401, #1400)

Core Infrastructure

• Built-in observability system with database-backed storage (SQLite/PostgreSQL/MariaDB)
• Self-contained performance monitoring without external platform dependencies
• Comprehensive trace analytics with interactive Admin UI visualizations
• Automatic HTTP request tracing with configurable sampling and exclusions

Database Schema

• observability_traces table - Trace metadata with trace_id, start/end times, status
• observability_spans table - Operation details with parent-child relationships
• observability_span_attributes table - Custom key-value metadata
• observability_span_events table - Log events within spans
• Performance indexes on trace_id, span_id, operation, start_time for fast queries

Instrumentation

• ObservabilityMiddleware - Automatic HTTP request tracing with trace/span creation
• SQLAlchemy Instrumentation - Database query tracing with query text and duration
• Tool/Prompt/Resource Tracing - Automatic instrumentation for MCP operations
• Plugin Execution Tracing - Pre/post hook execution if plugins enabled

Admin UI Dashboards

• Tools Dashboard (/admin/observability/tools) - Tool invocation metrics with usage charts, latency analysis, error rates
• Prompts Dashboard (/admin/observability/prompts) - Prompt rendering performance with frequency, latency, errors
• Resources Dashboard (/admin/observability/resources) - Resource fetch operations with access patterns and performance
• Metrics Summary (/admin/observability/metrics) - Overall health status with summary cards
• Trace List (/admin/observability/traces) - Recent traces with filtering
• Trace Detail (/admin/observability/traces/{trace_id}) - Comprehensive trace analysis

Visualization Components

• Gantt Chart Timeline - Visual timeline with span execution order, duration bars, critical path highlighting
• Flame Graphs - Hierarchical visualization with zoom, pan, search, and interactive exploration
• Summary Cards - At-a-glance health status, most used, slowest, and most error-prone resources
• Performance Charts - Interactive Chart.js visualizations for usage, latency, error rates
• Detailed Metrics Tables - Latency percentiles (p50, p90, p95, p99), invocation counts, error rates

Configuration

• OBSERVABILITY_ENABLED - Master switch for internal observability (default: false)
• OBSERVABILITY_TRACE_HTTP_REQUESTS - Auto-trace HTTP requests (default: true)
• OBSERVABILITY_TRACE_RETENTION_DAYS - Days to retain trace data (default: 7)
• OBSERVABILITY_MAX_TRACES - Maximum traces to store (default: 100000)
• OBSERVABILITY_SAMPLE_RATE - Trace sampling rate (default: 1.0 = 100%)
• OBSERVABILITY_EXCLUDE_PATHS - Regex patterns to exclude (default: /health,/metrics,/static/.*)
• OBSERVABILITY_METRICS_ENABLED - Enable metrics collection (default: true)
• OBSERVABILITY_EVENTS_ENABLED - Enable event logging (default: true)

Retention & Cleanup

• Scheduled cleanup job for automatic trace retention enforcement
• FIFO deletion when maximum trace limit exceeded
• Configurable retention days (1-365)
• Automatic cleanup of old traces to prevent unbounded growth

Documentation

• Complete guide: docs/docs/manage/observability/internal-observability.md (823 lines)
• Configuration reference with all environment variables
• Dashboard usage guides with examples
• Trace visualization documentation
• Performance metrics explanation (percentiles, health indicators)

⚡ Performance Optimizations

Response Compression Middleware (#1298, #1292)

• Multi-algorithm support: Brotli, Zstd, GZip with automatic content negotiation
• 30-70% bandwidth reduction for text-based content (JSON, HTML, CSS, JS)
• Smart compression threshold (minimum 500 bytes)
• Configurable compression levels per algorithm
• Cache-friendly with Vary: Accept-Encoding header
• Zero client changes required (transparent compression/decompression)
• 5 environment variables for fine-tuning:
  • COMPRESSION_ENABLED - Enable/disable (default: true)
  • COMPRESSION_MINIMUM_SIZE - Minimum size to compress (default: 500 bytes)
  • COMPRESSION_GZIP_LEVEL - GZip level (default: 6)
  • COMPRESSION_BROTLI_QUALITY - Brotli quality (default: 4)
  • COMPRESSION_ZSTD_LEVEL - Zstd level (default: 3)

orjson JSON Serialization (#1294)

• 5-6x faster JSON encoding, 1.5-2x faster decoding vs stdlib json
• 7% smaller JSON payloads for reduced bandwidth usage
• Rust-based implementation (RFC 8259 compliant)
• Native support for datetime, UUID, numpy arrays, Pydantic models
• Drop-in replacement with zero configuration
• Production-ready (used by Reddit, Stripe)
• Benchmark script: scripts/benchmark_json_serialization.py
• 15-30% higher API throughput, 10-20% lower CPU usage, 20-40% faster response times
• 29 comprehensive unit tests with 100% code coverage
• Implementation: mcpgateway/utils/orjson_response.py

🦀 Rust Plugin Framework (#1289, #1249)

• Complete PyO3-based framework for building high-performance plugins
• PII Filter (Rust): 5-100x faster than Python implementation
  • Bulk detection: ~100x faster (Python: 2287ms → Rust: 22ms)
  • Single pattern: ~5-10x faster across all PII types
  • Memory efficient with Rust's ownership model
• Auto-detection: Automatically selects Rust or Python implementation at runtime
• UI integration: Plugin catalog displays implementation type (🦀 Rust / 🐍 Python)
• Comprehensive testing: Unit tests, integration tests, differential tests, benchmarks
• CI/CD pipeline: Automated builds, tests, and publishing
• Multi-platform builds: Linux (x86_64, aarch64), macOS (universal2), Windows (x86_64)
• Zero breaking changes: Pure Python fallback when Rust not available
• Optional installation: pip install mcp-contextforge-gateway[rust]

📄 REST API and UI Pagination (#1224, #1277)

Paginated REST API Endpoints

• All admin API endpoints now support pagination with configurable page size
• /admin/tools endpoint returns paginated response with data, pagination, and links keys
• Maintains backward compatibility with legacy list format
• Configurable page size (1-500 items per page, default: 50)
• Total count and page metadata included in responses
• Navigation links with query parameter support

Database Indexes for Pagination

• New composite indexes for efficient paginated queries
• Indexes on created_at + id for tools, servers, resources, prompts, gateways
• Team-scoped indexes for multi-tenant pagination performance
• Auth events and API tokens indexed for audit log pagination

UI Pagination with HTMX

• Seamless client-side pagination for admin UI
• New /admin/tools/partial endpoint for HTMX-based pagination
• Pagination controls with keyboard navigation support
• Tested with up to 10,000 tools for performance validation
• Tag filtering works within paginated results

Pagination Configuration - 11 new environment variables:

• PAGINATION_DEFAULT_PAGE_SIZE - Default items per page (default: 50)
• PAGINATION_MAX_PAGE_SIZE - Maximum allowed page size (default: 500)
• PAGINATION_CURSOR_THRESHOLD - Threshold for cursor-based pagination (default: 10000)
• PAGINATION_CURSOR_ENABLED - Enable cursor-based pagination (default: true)
• PAGINATION_INCLUDE_LINKS - Include navigation links in responses (default: true)
• Additional settings for sort order, caching, and offset limits

Pagination Utilities - New mcpgateway/utils/pagination.py module:

• Offset-based pagination for simple use cases (<10K records)
• Cursor-based pagination for large datasets (>10K records)
• Automatic strategy selection based on result set size
• Navigation link generation with query parameter support

Comprehensive Test Coverage - 1,089+ lines of pagination tests

• Integration tests for paginated endpoints
• Unit tests for pagination utilities
• Performance validation with large datasets

🔌 REST Passthrough Configuration (#746, #1273)

Query & Header Mapping

• Configure dynamic query parameter and header mappings for REST tools
• Path templates with variable substitution
• Per-tool timeout settings (default: 20000ms for REST passthrough)
• Endpoint exposure control with expose_passthrough flag

Security & Plugin Integration

• Host allowlists for allowed upstream hosts/schemes
• Plugin chain support for pre and post-request processing
• Base URL extraction from tool URLs
• Admin UI integration with "Advanced: Add Passthrough" button

REST Tool Validation (#1273)

• URL structure validation (scheme and netloc)
• Path template validation (leading slash enforcement)
• Timeout validation (positive integers)
• Allowlist validation (regex-based)
• Plugin chain validation (restricted to safe plugins: deny_filter, rate_limit, pii_filter, response_shape, regex_filter, resource_filter)
• Integration type enforcement (REST-specific fields only for integration_type='REST')

New Tool Columns - Added 9 new columns to tools table via Alembic migration 8a2934be50c0:

• base_url - Base URL for REST passthrough
• path_template - Path template for URL construction
• query_mapping - JSON mapping for query parameters
• header_mapping - JSON mapping for headers
• timeout_ms - Request timeout in milliseconds
• expose_passthrough - Boolean flag to enable/disable passthrough
• allowlist - JSON array of allowed hosts/schemes
• plugin_chain_pre - Pre-request plugin chain
• plugin_chain_post - Post-request plugin chain

🔐 Ed25519 Certificate Signing

Digital Certificate Signing

• Sign and verify certificates using Ed25519 cryptographic signatures
• Ensures certificate authenticity and prevents tampering
• Built on proven Ed25519 algorithm (RFC 8032)
• Zero-dependency Python implementation using cryptography library

Key Generation Utility

• Built-in key generation tool at mcpgateway/utils/generate_keys.py
• Generates secure Ed25519 private keys in base64 format
• Simple command-line interface for development and production

Key Rotation Support

• Graceful key rotation with zero downtime
• Configure both current (ED25519_PRIVATE_KEY) and previous (PREV_ED25519_PRIVATE_KEY) keys
• Automatic fallback to previous key during rotation
• Supports rolling updates in distributed deployments

Environment Variable Configuration - 3 new variables:

• ENABLE_ED25519_SIGNING - Enable/disable signing (default: "false")
• ED25519_PRIVATE_KEY - Current signing key (base64-encoded)
• PREV_ED25519_PRIVATE_KEY - Previous key for rotation (base64-encoded)

Kubernetes & Helm Support

• Secret management via values.yaml configuration
• JSON Schema validation in values.schema.json
• External Secrets Operator integration examples
• Complete Helm chart documentation

🛠️ Developer & Operations Tools

Support Bundle Generation (#1197)

• Automated diagnostics collection with sanitized logs, configuration, and system information
• Command-line tool: mcpgateway --support-bundle --output-dir /tmp --log-lines 1000
• API endpoint: GET /admin/support-bundle/generate?log_lines=1000
• Admin UI: "Download Support Bundle" button in Diagnostics tab
• Automatic sanitization of secrets (passwords, tokens, API keys)

LLM Chat Interface (#1202, #1200, #1236)

• Built-in MCP client with LLM chat service for virtual servers
• Agent-enabled tool orchestration with MCP protocol integration
• Redis-based session consistency (LLMChat add session consistency using redis #1236) for multi-worker distributed environments
  • Concurrent user management with worker coordination
  • Session isolation and race condition prevention
  • Redis locks and TTLs for consistency
• Direct testing of virtual servers and tools from Admin UI

System Statistics in Metrics (#1228, #1232)

• Comprehensive system monitoring in metrics page
• CPU, memory, disk usage, and network statistics
• Process information and resource consumption
• System health indicators for production monitoring

Performance Testing Framework (#1203, #1204, #1226)

• Load testing and benchmarking capabilities
• Production-scale load data generator for multi-tenant testing (Epic: Production-Scale Load Data Generator for Multi-Tenant Testing #1225, PR: Fix Load Testing Framework and TokenUsageLog SQLite Bug closes #1225 #1226)
• Benchmark MCP server for performance analysis ([Feature]: Benchmark MCP Server for Load Testing and Performance Analysis #1219, Benchmark mcp server closes #1219 #1220, Benchmark mcp server #1221)
• Fixed TokenUsageLog SQLite bug in load testing framework

Metrics Export Enhancement (#1218)

• Export all metrics data for external analysis and integration

🔐 SSO & Authentication Enhancements (#1212, #1213, #1216, #1217)

Microsoft Entra ID Support (#1212, #1211)

• Complete Entra ID integration with environment variable configuration

Generic OIDC Provider Support (#1213)

• Flexible OIDC integration for any compliant provider

Keycloak Integration (#1217, #1216, #1109)

• Full Keycloak support with application/x-www-form-urlencoded

OAuth Timeout Configuration (#1201)

• Configurable OAUTH_DEFAULT_TIMEOUT for OAuth providers

🔌 Plugin Framework Enhancements (#1196, #1198, #1137, #1240, #1289)

Plugin Client-Server mTLS Support (#1196)

• Mutual TLS authentication for external plugins

Complete OPA Plugin Hooks (#1198, #1137)

• All missing hooks implemented in OPA plugin

Plugin Linters & Quality (#1240)

• Comprehensive linting for all plugins with automated fixes

Plugin Compose Configuration (#1174)

• Enhanced plugin and catalog configuration in docker-compose

🌐 Protocol & Platform Enhancements

MCP Tool Output Schema Support (#1258, #1263, #1269)

• Full support for MCP tool outputSchema field
• Database and service layer implementation (feat: Tool output schema support in db and service layer #1263)
• Admin UI support for viewing and editing output schemas (Add UI Support for MCP Tool outputSchema Field closes #1258 #1269)
• Preserves output schema during tool discovery and invocation

Multiple StreamableHTTP Content (#1188, #1189)

• Support for multiple content blocks in StreamableHTTP responses

s390x Architecture Support (#1138, #1206)

• Container builds for IBM Z platform (s390x)

System Monitor MCP Server (#977)

• Go-based MCP server for system monitoring and metrics

📚 Documentation Enhancements

Observability Documentation

• docs/docs/manage/observability/internal-observability.md (823 lines) - Complete internal observability guide
• docs/docs/manage/observability/observability.md (450 lines) - OpenTelemetry and external platforms
• docs/docs/manage/observability/phoenix.md (365 lines) - Arize Phoenix integration

Integration Guides

• Langflow MCP Server Integration (Docs: Langflow MCP Server integration documentation #1205) - Documentation for Langflow integration
• SSO Tutorial Updates ([Feature Request]: Authentication & Authorization - GitHub SSO Integration Tutorial (Depends on #220) #277) - Comprehensive GitHub SSO integration tutorial

Configuration

• Environment Variable Documentation (Update env variables #1215) - Updated and clarified environment variable settings
• Documentation Formatting Fixes (Fix docs newlines #1214) - Fixed newlines and formatting across documentation

💻 Admin UI Enhancements (#1336, #1370)

Inspectable Auth Credentials (#1336, #1370)

• Admins can now view and verify passwords, tokens, and custom headers
• Toggle buttons for masking/unmasking sensitive input values
• Fixed saved custom headers not visible when editing MCP servers
• Quality of life improvements for admins when managing MCP servers

---

🐛 Fixed

🔒 Critical Multi-Tenancy & RBAC Bugs

RBAC Vulnerability Patch (#1248, #1250)

• Fixed unauthorized access to resource status toggling
• Ownership checks now enforced for all resource operations
• Toggle permissions restricted to resource owners only

Backend Multi-Tenancy Issues (#969)

• Comprehensive fixes for team-based resource scoping

Team Member Re-addition (#959)

• Fixed unique constraint preventing re-adding team members

Public Resource Ownership (#1209, #1210)

• Implemented ownership checks for public resources
• Users can only edit/delete their own public resources
• Prevents unauthorized modification of team-shared resources

Incomplete Visibility Implementation (#958)

• Fixed visibility enforcement across all resource types

🔐 Security & Authentication Fixes

JWT Token Fixes (#1254, #1255, #1262, #1261)

• Fixed JWT jti mismatch between token and database record ([Bug]: JWT jti mismatch between token and database record #1254, Fix jti consistency for token creation #1255)
• Fixed JWT token following default expiry instead of UI configuration (Fix JWT token follows default variable payload expiry instead of UI #1262)
• Fixed API token expiry override by environment variables ([Bug]: API Token Expiry Issue: UI Configuration overridden by default env Variable #1261)

Cookie Scope & RBAC Redirects (#1252, #448)

• Aligned cookie scope with app root path
• Fixed custom base path support (e.g., /api instead of /mcp)
• Proper RBAC redirects for custom app paths

OAuth & Login Issues (#1048, #1101, #1117, #1181, #1190)

• Fixed HTTP login requiring SECURE_COOKIES=false warning ([Bug]: Login issue - Serving over HTTP requires SECURE_COOKIES=false (warning required) #1048, Add secure cookie warnings for HTTP development login issues #1181)
• Fixed login failures in v0.7.0 ([Bug]:login issue #1101, [Bug]:Login not working with 0.7.0 version #1117)
• Fixed virtual MCP server access with JWT instead of OAuth ([Bug]: In 0.7.0 Accessing Virtual MCP server requires OAUTH, earlier it worked with JWT #1190)

CSP & Iframe Embedding (#922, #1241)

• Fixed iframe embedding with consistent CSP and X-Frame-Options headers

🔧 UI/UX & Display Fixes

UI Margins & Layout (#1272, #1276, #1275)

• Fixed UI margin issues and catalog display

Request Payload Visibility (#1098, #1242)

• Fixed request payload not visible in UI

Tool Annotations (#835)

• Added custom annotation support for tools

Header-Modal Overlap (#1178, #1179)

• Fixed header overlapping with modals

Passthrough Headers (#861, #1024)

• Fixed passthrough header parameters not persisted to database
• Plugin tool_prefetch hook can now access PASSTHROUGH_HEADERS and tags

🛠️ Infrastructure & Build Fixes

CI/CD Pipeline Verification (#1257)

• Complete build pipeline verification with all stages

Makefile Clean Target (#1238)

• Fixed Makefile clean target for proper cleanup

UV Lock Conflicts (#1230, #1234, #1243)

• Resolved conflicting dependencies with semgrep

Deprecated Config Parameters (#1237)

• Removed deprecated 'env=...' parameters in config.py

Bandit Security Scan (#1244)

• Fixed all bandit security warnings

Test Warnings & Mypy Issues (#1268)

• Fixed test warnings and mypy type issues

🧪 Test Reliability & Quality Improvements (#1281, #1283, #1284, #1291)

Gateway Test Stability (#1281)

• Fixed gateway test failures and eliminated warnings
• Integrated pytest-httpx for cleaner HTTP mocking
• Eliminated RuntimeWarnings from improper async context manager mocking
• Added url-normalize library for consistent URL normalization
• Reduced test file complexity by 388 lines (942 → 554 lines)
• Consolidated validation tests into parameterized test cases

Logger Test Reliability (#1283, #1284)

• Resolved intermittent logger capture failures
• Scoped logger configuration to prevent inter-test conflicts (fix: Testing logger intermittent failures and type-checking in auth #1283)
• Fixed email verification logic error in auth.py (email_verified_at vs is_email_verified) (fix: Testing logger intermittent failures and type-checking in auth #1283)
• Fixed caplog logger name specification for reliable debug message capture (fix: Intermittent logger failure in test_passthrough_headers #1284)
• Added proper type hints and improved type safety

Prompt Test Fixes (#1291)

• Fixed test failures and prompt-related test issues

🐳 Container & Deployment Fixes

Gateway Registration on MacOS (#625)

• Fixed gateway registration and tool invocation on MacOS

Non-root Container Users (#1231)

• Added non-root user to scratch Go containers

Container Runtime Detection

• Improved Docker/Podman detection in Makefile

---

🔄 Changed

🗄️ Database Schema & Multi-Tenancy Enhancements (#1246, #1273)

Scoped Uniqueness for Multi-Tenant Resources (#1246):

• Enforced team-scoped uniqueness constraints for improved multi-tenancy isolation
  • Prompts: unique within (team_id, owner_email, name) - prevents naming conflicts across teams
  • Resources: unique within (team_id, owner_email, uri) - ensures URI uniqueness per team/owner
  • A2A Agents: unique within (team_id, owner_email, slug) - team-scoped agent identifiers
  • Dropped legacy single-column unique constraints (name, uri) for multi-tenant compatibility
• ID-Based Resource Endpoints ([Bug]: Update Prompt and Resource endpoints to use unique IDs instead of name or uri #1184) - All prompt and resource endpoints now use unique IDs for lookup
  • Prevents naming conflicts across teams and owners
  • Enhanced API security and consistency
  • Migration compatible with SQLite, MySQL, and PostgreSQL
• Enhanced Prompt Editing ([Bug]:Edit prompt does not send team_id in form data #1180) - Prompt edit form now correctly includes team_id in form data
• Plugin Hook Updates - PromptPrehookPayload and PromptPosthookPayload now use prompt_id instead of name
• Resource Content Schema - ResourceContent now includes id field for unique identification

REST Passthrough Configuration (#1273):

• New Tool Columns - Added 9 new columns to tools table via Alembic migration 8a2934be50c0:
  • base_url - Base URL for REST passthrough
  • path_template - Path template for URL construction
  • query_mapping - JSON mapping for query parameters
  • header_mapping - JSON mapping for headers
  • timeout_ms - Request timeout in milliseconds
  • expose_passthrough - Boolean flag to enable/disable passthrough
  • allowlist - JSON array of allowed hosts/schemes
  • plugin_chain_pre - Pre-request plugin chain
  • plugin_chain_post - Post-request plugin chain

🔧 API Schemas (#1273)

ToolCreate Schema

• Enhanced with passthrough field validation and auto-extraction logic

ToolUpdate Schema

• Updated with same validation logic for modifications

ToolRead Schema

• Extended to expose passthrough configuration in API responses

⚙️ Configuration & Defaults (#1194)

APP_DOMAIN Default

• Updated default URL to be compatible with Pydantic v2

OAUTH_DEFAULT_TIMEOUT

• New configuration for OAuth provider timeouts

Environment Variables

• Comprehensive cleanup and documentation updates

🧹 Code Quality & Developer Experience Improvements (#1271, #1233)

Consolidated Linting Configuration (#1271)

• Single source of truth for all Python linting tools
• Migrated ruff and interrogate configs from separate files into pyproject.toml
• Enhanced ruff with import sorting checks (I) and docstring presence checks (D1)
• Unified pre-commit hooks to match CI/CD pipeline enforcement
• Reduced configuration sprawl: removed .ruff.toml and .interrogaterc
• Better IDE integration with comprehensive real-time linting

CONTRIBUTING.md Cleanup (#1233)

• Simplified contribution guidelines

Lint-smart Makefile Fix (#1233)

• Fixed syntax error in lint-smart target

Plugin Linting (#1240)

• Comprehensive linting across all plugins with automated fixes

Deprecation Removal

• Removed all deprecated Pydantic v1 patterns

---

🔒 Security Enhancements

Authentication & Authorization

• RBAC Vulnerability Patch - Fixed unauthorized resource access ([Bug]: RBAC Vulnerability: Unauthorized Access to Resource Status Toggling #1248)
• JWT Token Security - Resolved jti mismatches and expiry override issues ([Bug]: JWT jti mismatch between token and database record #1254, Fix jti consistency for token creation #1255, Fix JWT token follows default variable payload expiry instead of UI #1262, [Bug]: API Token Expiry Issue: UI Configuration overridden by default env Variable #1261)
• Cookie Scope Security - Aligned cookie scope with app root path (fix: align cookie scope and RBAC redirects with app root path #1252)
• Ownership Enforcement - Strict ownership checks for public resources ([Feature]: Finalize RBAC / ABAC implementation to Implement Ownership Checks for Public Resources #1209)

Plugin Security

• Plugin mTLS Support - Mutual TLS for external plugin communication (feat: plugin client server mtls support #1196)
• Plugin Chain Validation - Restricted to known safe plugins for REST passthrough (Rest pass api 746 #1273)

Infrastructure Security

• Support Bundle Sanitization - Automatic secret redaction in diagnostic bundles ([Feature]: Support Bundle Generation - Automated Diagnostics Collection #1197)
• CSP Headers - Proper Content-Security-Policy for iframe embedding (Fix iframe embedding with consistent CSP and X-Frame-Options headers #1241)
• Non-root Containers - Added non-root user to Go containers (fix: Add non-root user to scratch go containers #1231)

---

🏗️ Infrastructure

Performance & Scale

• Multi-Architecture Support - s390x platform builds for IBM Z (Add support to build MCP Gateway for s390x platform #1206)
• Complete Build Verification - End-to-end CI/CD pipeline testing (Add CI/CD verification for complete build pipeline #1257)
• Performance Testing Framework - Production-scale load testing capabilities (Performance testing  #1204)
• System Monitoring - Comprehensive system statistics and health indicators ([Feature] Show system statistics in metrics page #1228)

Deployment

• PostgreSQL 17 → 18 Upgrade - Automated upgrade utility with data migration
• Helm Chart Updates - Enhanced secret management and External Secrets Operator examples
• Docker Compose Enhancements - Improved plugin and catalog configuration (feat: compose plugins and catalog config #1174)

---

📚 Documentation

Observability

• Internal Observability Guide - Complete documentation with examples and screenshots (823 lines)
• OpenTelemetry Integration - Vendor-agnostic observability platform guide (450 lines)
• Phoenix Integration - Arize Phoenix AI observability setup (365 lines)

API & Integration

• REST Passthrough Configuration - Complete REST API passthrough guide
• SSO Integration Tutorials - GitHub, Entra ID, Keycloak, and generic OIDC
• Langflow Integration - Documentation for Langflow MCP server integration

Operations

• Support Bundle Usage - CLI, API, and Admin UI documentation
• Performance Testing Guide - Load testing and benchmarking documentation
• LLM Chat Interface - MCP-enabled tool orchestration guide

Security

• Ed25519 Certificate Signing - Complete security documentation and best practices
• Key Rotation Guide - Zero-downtime key rotation procedures

---

📦 Migration Guide

Environment Configuration Updates

Observability Configuration (new in 0.9.0)

# Enable internal observability
OBSERVABILITY_ENABLED=true

# Automatically trace HTTP requests
OBSERVABILITY_TRACE_HTTP_REQUESTS=true

# Retention and limits
OBSERVABILITY_TRACE_RETENTION_DAYS=7
OBSERVABILITY_MAX_TRACES=100000

# Trace sampling (1.0 = 100%, 0.1 = 10%)
OBSERVABILITY_SAMPLE_RATE=1.0

# Exclude paths (regex patterns)
OBSERVABILITY_EXCLUDE_PATHS=/health,/healthz,/ready,/metrics,/static/.*

# Enable metrics and events
OBSERVABILITY_METRICS_ENABLED=true
OBSERVABILITY_EVENTS_ENABLED=true

Performance Optimizations (new in 0.9.0)

# Response Compression (enabled by default)
COMPRESSION_ENABLED=true
COMPRESSION_MINIMUM_SIZE=500
COMPRESSION_GZIP_LEVEL=6
COMPRESSION_BROTLI_QUALITY=4
COMPRESSION_ZSTD_LEVEL=3

Pagination Configuration (new in 0.9.0)

# Pagination Settings
PAGINATION_DEFAULT_PAGE_SIZE=50
PAGINATION_MAX_PAGE_SIZE=500
PAGINATION_CURSOR_THRESHOLD=10000
PAGINATION_CURSOR_ENABLED=true
PAGINATION_INCLUDE_LINKS=true

Ed25519 Certificate Signing (new in 0.9.0)

# Certificate Signing (disabled by default)
ENABLE_ED25519_SIGNING=false
ED25519_PRIVATE_KEY=<base64-encoded-key>
PREV_ED25519_PRIVATE_KEY=<base64-encoded-key>  # For key rotation

OAuth Configuration Updates

# OAuth Timeout (new in 0.9.0)
OAUTH_DEFAULT_TIMEOUT=30

# Microsoft Entra ID (new in 0.9.0)
SSO_ENTRA_ENABLED=true
SSO_ENTRA_CLIENT_ID=your-client-id
SSO_ENTRA_CLIENT_SECRET=your-secret
SSO_ENTRA_TENANT_ID=your-tenant-id

# Generic OIDC Provider (new in 0.9.0)
SSO_GENERIC_ENABLED=true
SSO_GENERIC_PROVIDER_ID=keycloak
SSO_GENERIC_CLIENT_ID=your-client-id
SSO_GENERIC_CLIENT_SECRET=your-secret
SSO_GENERIC_AUTHORIZATION_URL=https://auth.example.com/authorize
SSO_GENERIC_TOKEN_URL=https://auth.example.com/token
SSO_GENERIC_USERINFO_URL=https://auth.example.com/userinfo

Rust Plugin Framework (optional)

# Install Rust-accelerated plugins (optional)
pip install mcp-contextforge-gateway[rust]

Database Migration

Database migrations run automatically on startup. Backup recommended before upgrading from 0.8.0 → 0.9.0:

# Backup your database first (REQUIRED)
cp mcp.db mcp.db.backup.$(date +%Y%m%d_%H%M%S)

# Update .env with new 0.9.0 settings (see above)

# Start the server - migrations run automatically
make dev  # or make serve for production

PostgreSQL 17 → 18 Upgrade

Docker Compose users must run the upgrade utility before starting the stack.

# Stop existing stack
docker compose down

# Run automated upgrade (recommended)
make compose-upgrade-pg18

# Start upgraded stack
make compose-up

# Verify upgrade
docker compose exec postgres psql -U postgres -c 'SELECT version();'
# Should show: PostgreSQL 18.x

# (Optional) Clean up old volume after verification
docker volume rm mcp-context-forge_pgdata

Manual Upgrade (without Make):

# Stop stack
docker compose down

# Run upgrade
docker compose -f docker-compose.yml -f compose.upgrade.yml run --rm pg-upgrade

# Copy pg_hba.conf
docker compose -f docker-compose.yml -f compose.upgrade.yml run --rm pg-upgrade \
  sh -c "cp /var/lib/postgresql/OLD/pg_hba.conf /var/lib/postgresql/18/docker/pg_hba.conf"

# Start upgraded stack
docker compose up -d

---

🚨 Breaking Changes

PostgreSQL 17 → 18 Upgrade Required

Docker Compose users must run the upgrade utility before starting the stack.

The default PostgreSQL image has been upgraded from version 17 to 18. This is a major version upgrade that requires a one-time data migration using pg_upgrade.

Why This Change:

• Postgres 18 introduces a new directory structure (/var/lib/postgresql/18/docker) for better compatibility with pg_ctlcluster
• Enables future upgrades using pg_upgrade --link without mount point boundary issues
• Aligns with official PostgreSQL Docker image best practices (see postgres#1259)

What Changed:

• docker-compose.yml: Updated from postgres:17 → postgres:18
• Volume mount: Changed from pgdata:/var/lib/postgresql/data → pgdata18:/var/lib/postgresql
• Added compose.upgrade.yml for automated upgrade process
• Added make compose-upgrade-pg18 target for one-command upgrades

Troubleshooting:

• Error: "data checksums mismatch" - Fixed automatically in upgrade script (disables checksums to match old cluster)
• Error: "no pg_hba.conf entry" - Fixed automatically by copying old pg_hba.conf during upgrade
• Error: "Invalid cross-device link" - Upgrade uses copy mode (not --link) to work across different Docker volumes

---

📋 Issues Closed

Observability (2 issues)

• Closes 📊 Epic: Internal Observability System - Performance Monitoring & Trace Analytics #1401 - Internal Observability System - Performance Monitoring & Trace Analytics (EPIC)
• Closes Observability #1400 - Observability implementation PR

Performance Optimizations (3 issues)

• Closes [Epic] ⚡ Performance - orjson JSON Serialization #1294 - orjson JSON Serialization for 5-6x faster JSON encoding/decoding
• Closes [Epic] 🗜️ Performance - Brotli/Zstd/GZip Response Compression #1292 - Brotli/Zstd/GZip Response Compression reducing bandwidth by 30-70%
• Closes 🦀 Epic: Rust-Powered PII Filter Plugin - 5-10x Performance Improvement #1249 - Rust-Powered PII Filter Plugin - 5-10x Performance Improvement

REST Integration (1 issue)

• Closes Adds RPC endpoints and updates RPC response and error handling #746 - REST Passthrough API configuration fields

Multi-Tenancy & RBAC (10 issues)

• Closes Backend Multi-Tenancy Issues - Critical bugs and missing features #969 - Backend Multi-Tenancy Issues - Critical bugs and missing features
• Closes UI Gaps in Multi-Tenancy Support - Visibility fields missing for most resource types #967 - UI Gaps in Multi-Tenancy Support - Visibility fields missing for most resource types
• Closes [Bug]: Unable to Re-add Team Member Due to Unique Constraint on (team_id, user_email) #959 - Unable to Re-add Team Member Due to Unique Constraint
• Closes [Bug]: Incomplete Visibility Implementation #958 - Incomplete Visibility Implementation
• Closes [Bug]: Alembic migrations fails in docker compose setup #946 - Alembic migrations fails in docker compose setup
• Closes [Bug]: Unique Constraint is not allowing Users to create servers/tools/resources/prompts with Names already used by another User #945 - Scoped uniqueness for prompts, resources, and A2A agents
• Closes [BUG] Bootstrap fails to assign platform_admin role due to foreign key constraint violation #926 - Bootstrap fails to assign platform_admin role due to foreign key constraint violation
• Closes [Bug]:Edit prompt does not send team_id in form data #1180 - Prompt editing to include team_id in form data
• Closes [Bug]: Update Prompt and Resource endpoints to use unique IDs instead of name or uri #1184 - Prompt and resource endpoints to use unique IDs instead of name/URI
• Closes [Bug]: RBAC Vulnerability: Unauthorized Access to Resource Status Toggling #1248 - RBAC Vulnerability: Unauthorized Access to Resource Status Toggling
• Closes [Feature]: Finalize RBAC / ABAC implementation to Implement Ownership Checks for Public Resources #1209 - Finalize RBAC/ABAC implementation for Ownership Checks on Public Resources

Pagination (2 issues)

• Closes Epic: REST API and UI Pagination for Large-Scale Multi-Tenant Deployments #1224 - Comprehensive API and UI Pagination Support
• Closes REST API and UI pagination #1277 - UI Pagination with HTMX and Performance Testing

Security & Authentication (11 issues)

• Closes [Bug]: JWT jti mismatch between token and database record #1254 - JWT jti mismatch between token and database record
• Closes Fix JWT token follows default variable payload expiry instead of UI #1262 - JWT token follows default variable payload expiry instead of UI
• Closes [Bug]: API Token Expiry Issue: UI Configuration overridden by default env Variable #1261 - API Token Expiry Issue: UI Configuration overridden by default env Variable
• Closes [Feature Request]: Support application/x-www-form-urlencoded Requests in MCP Gateway UI for OAuth2 / Keycloak Integration #1111 - Support application/x-www-form-urlencoded Requests in MCP Gateway UI for OAuth2 / Keycloak Integration
• Closes [Bug]: Creating an MCP OAUTH2 server fails if using API. #1094 - Creating an MCP OAUTH2 server fails if using API
• Closes [Bug]: after issue 1078 change, how to add X-Upstream-Authorization header when click Authorize in admin UI #1092 - After issue 1078 change, how to add X-Upstream-Authorization header when clicking Authorize in admin UI
• Closes [Bug]: Login issue - Serving over HTTP requires SECURE_COOKIES=false (warning required) #1048 - Login issue - Serving over HTTP requires SECURE_COOKIES=false
• Closes [Bug]:login issue #1101 - Login issue with v0.7.0
• Closes [Bug]:Login not working with 0.7.0 version #1117 - Login not working with 0.7.0 version
• Closes Add secure cookie warnings for HTTP development login issues #1181 - Secure cookie warnings for HTTP development
• Closes [Bug]: In 0.7.0 Accessing Virtual MCP server requires OAUTH, earlier it worked with JWT #1190 - Virtual MCP server requiring OAUTH instead of JWT in 0.7.0
• Closes [Bug]:MCP Gateway UI OAuth2 Integration Fails with Keycloak Due to Missing x-www-form-urlencoded Support #1109 - MCP Gateway UI OAuth2 Integration Fails with Keycloak

SSO Integration (4 issues)

• Closes [Feature Request]: Authentication & Authorization - Microsoft Entra ID Integration Support and Tutorial (Depends on #220) #1211 - Microsoft Entra ID Integration Support and Tutorial
• Closes Generic OIDC Provider Support via Environment Variables #1213 - Generic OIDC Provider Support via Environment Variables
• Closes Keycloak Integration Support with Environment Variables #1216 - Keycloak Integration Support with Environment Variables
• Closes [Feature Request]: Authentication & Authorization - GitHub SSO Integration Tutorial (Depends on #220) #277 - GitHub SSO Integration Tutorial

Developer Tools & Operations (7 issues)

• Closes [Feature]: Support Bundle Generation - Automated Diagnostics Collection #1197 - Support Bundle Generation - Automated Diagnostics Collection
• Closes [Feature Request]: In built MCP client - LLM Chat service for virtual servers with agentic capabilities and MCP Enabled Tool Orchestration #1200 - In built MCP client - LLM Chat service for virtual servers
• Closes LLMChat Multi-Worker: Add Documentation and Integration Tests (PR #1236 Follow-up) #1239 - LLMChat Multi-Worker: Add Documentation and Integration Tests
• Closes LLM Chat Interface with MCP Enabled Tool Orchestration #1202 - LLM Chat Interface with MCP Enabled Tool Orchestration
• Closes [Feature] Show system statistics in metrics page #1228 - Show system statistics in metrics page
• Closes Epic: Production-Scale Load Data Generator for Multi-Tenant Testing #1225 - Production-Scale Load Data Generator for Multi-Tenant Testing
• Closes [Feature]: Benchmark MCP Server for Load Testing and Performance Analysis #1219 - Benchmark MCP Server for Load Testing and Performance Analysis
• Closes [Feature]: Performance Testing & Benchmarking Framework #1203 - Performance Testing & Benchmarking Framework

Code Quality & Developer Experience (2 issues)

• Closes Consolidate and enhance linting tool configuration #1271 - Consolidated linting configuration in pyproject.toml
• Closes chore: Clean up CONTRIBUTING.md and fix Makefile lint-smart syntax error #1233 - CONTRIBUTING.md cleanup and lint-smart fix

Plugin Framework (4 issues)

• Closes 🦀 Epic: Rust-Powered PII Filter Plugin - 5-10x Performance Improvement #1249 - Rust-Powered PII Filter Plugin - 5-10x Performance Improvement
• Closes feat: plugin client server mtls support #1196 - Plugin client server mTLS support
• Closes [Feature Request]: Add missing hooks to OPA plugin #1137 - Add missing hooks to OPA plugin
• Closes Complete OPA plugin hook implementation" #1198 - Complete OPA plugin hook implementation

Platform & Protocol (4 issues)

• Closes [Bug]:Resource view error - mime type handling for resource added via mcp server #1381 - Resource view error - mime type handling for resource added via mcp server
• Closes [Feature Request]: Add support for IBM Watsonx.ai LLM provider #1348 - Add support for IBM Watsonx.ai LLM provider
• Closes [Bug]: MCP Tool outputSchema Field is Stripped During Discovery #1258 - MCP Tool outputSchema Field is Stripped During Discovery
• Closes [Feature Request]: Allow multiple StreamableHTTP content #1188 - Allow multiple StreamableHTTP content
• Closes [Feature Request]: Support for container builds for s390x #1138 - Support for container builds for s390x

Bug Fixes (10 issues)

• Closes [Feature Request]: Add toggles to password/sensitive textboxes to mask/unmask the input value. #1336 - Add toggles to password/sensitive textboxes to mask/unmask the input value
• Closes [Bug]: Configured Custom Headers do not show up when editing MCP servers #1370 - Saved custom headers not visible when editing MCP server
• Closes [Bug]:Unable to see request payload being sent #1098 - Unable to see request payload being sent
• Closes [Bug]: plugin that is using tool_prefetch hook cannot access PASSTHROUGH_HEADERS, tags for an MCP Server Need MCP-GW restart #1024 - plugin tool_prefetch hook cannot access PASSTHROUGH_HEADERS, tags
• Closes [Feature] Edit Button Functionality - A2A #1020 - Edit Button Functionality - A2A
• Closes [Bug]: Passthrough header parameters not persisted to database #861 - Passthrough header parameters not persisted to database
• Closes [Bug]: The header in UI overlaps with all the modals #1178 - Header overlaps with modals in UI
• Closes [Bug]: In 0.6.0 Version, IFraming the admin UI is not working. #922 - IFraming the admin UI is not working
• Closes [Bug]: Gateway unable to register gateway or call tools on MacOS #625 - Gateway unable to register gateway or call tools on MacOS
• Closes [Bug]: Current pyproject.toml configuration of optional project components contains conflicting components that need to be resolved for uv. #1230 - pyproject.toml conflicting dependencies with uv
• Closes [Bug]:MCP server with custom base path "/api" instead of "mcp" or "sse" is not working #448 - MCP server with custom base path "/api" not working
• Closes [Feature Request]: Adding Custom annotation for the tools #835 - Adding Custom annotation for tools
• Closes [Bug]: Add configurable limits for data cleaning / XSS prevention in .env.example and helm (draft) #409 - Add configurable limits for data cleaning / XSS prevention in .env.example and helm

Documentation (3 issues)

• Closes [Docs]: Several minor quirks in main README.md #1159 - Several minor quirks in main README.md
• Closes [Feature Request]: Role-Based Access Control (RBAC) - support generic oAuth provider or ldap provider #1093 - RBAC - support generic OAuth provider or ldap provider (documentation)
• Closes [Question]: 0.7.0 Release timeline #869 - 0.7.0 Release timeline

Total: 60+ issues closed

---

🌟 Release Contributors

This release represents a major milestone in MCP Gateway's production readiness with comprehensive observability, performance optimizations, and enhanced enterprise capabilities. With contributions from developers worldwide, 0.9.0 delivers groundbreaking improvements including built-in monitoring, 30-70% bandwidth reduction, 5-6x faster JSON processing, Rust-accelerated plugins, and comprehensive pagination infrastructure.

🏆 Top Contributors in 0.9.0

• Mihai Criveti (@crivetimihai) - Release coordination, internal observability system architecture and implementation, performance optimizations (compression, orjson), Rust plugin framework, pagination infrastructure, REST passthrough implementation, Ed25519 signing, multi-tenancy bug fixes, support bundle generation, comprehensive testing, and documentation updates
• Manav Gupta (@manavgup) - LLM chat interface with Redis session consistency, performance testing framework, benchmark MCP server
• Shoumi Mukherjee (@shoummu1) - JWT token fixes, secure cookie warnings, authentication improvements
• Veeresh (@nmveeresh) - Database schema enhancements, scoped uniqueness implementation
• Monshri (@monshri) - Plugin framework enhancements, OPA plugin improvements
• Terry (@terylt) - REST passthrough validation, plugin hook enhancements
• Gruia Popa (@popagruia) - Header propagation fixes, passthrough header persistence
• Satya (@TS0713) - Multi-tenancy UI improvements, visibility fixes
• Shams (@shams858) - Various bug fixes and quality improvements

---

🔗 Resources

Documentation

• Main Documentation: https://ibm.github.io/mcp-context-forge/
• Internal Observability Guide: https://ibm.github.io/mcp-context-forge/manage/observability/internal-observability/
• OpenTelemetry Integration: https://ibm.github.io/mcp-context-forge/manage/observability/observability/
• REST Passthrough Guide: https://ibm.github.io/mcp-context-forge/using/rest-passthrough/
• Ed25519 Signing Guide: https://ibm.github.io/mcp-context-forge/manage/securing/
• Pagination Documentation: https://ibm.github.io/mcp-context-forge/manage/api-usage/
• Performance Tuning: https://ibm.github.io/mcp-context-forge/testing/performance/
• SSO Integration: https://ibm.github.io/mcp-context-forge/manage/sso/
• Support Bundle Usage: https://ibm.github.io/mcp-context-forge/manage/diagnostics/

Source Code

• GitHub Repository: https://github.com/IBM/mcp-context-forge
• Release v0.9.0: https://github.com/IBM/mcp-context-forge/releases/tag/v0.9.0
• Milestone 0.9.0: https://github.com/IBM/mcp-context-forge/milestone/9
• CHANGELOG: https://github.com/IBM/mcp-context-forge/blob/main/CHANGELOG.md

Container Images

• GitHub Container Registry: https://ghcr.io/ibm/mcp-context-forge
• Image Tags: v0.9.0, 0.9.0, latest
• Multi-Architecture: AMD64, ARM64, s390x

Community

• Issue Tracker: https://github.com/IBM/mcp-context-forge/issues
• Discussions: https://github.com/IBM/mcp-context-forge/discussions
• Contributing Guide: https://github.com/IBM/mcp-context-forge/blob/main/CONTRIBUTING.md

Quick Start

# Pull the latest 0.9.0 image
docker pull ghcr.io/ibm/mcp-context-forge:0.9.0

# Or build from source
git clone https://github.com/IBM/mcp-context-forge.git
cd mcp-context-forge
git checkout v0.9.0
make venv install-dev
make dev

Observability Quick Start

# Enable internal observability
export OBSERVABILITY_ENABLED=true
export OBSERVABILITY_TRACE_HTTP_REQUESTS=true

# Start MCP Gateway
make dev

# Access observability dashboards
open http://localhost:4444/admin/observability

Performance Benchmarks

Response Compression:

# Test compression performance
curl -H "Accept-Encoding: br,gzip" http://localhost:4444/admin/tools
# Bandwidth reduction: 30-70% for JSON responses

JSON Serialization:

# Run benchmark script
python scripts/benchmark_json_serialization.py
# Expected results: 5-6x faster encoding, 1.5-2x faster decoding

Rust PII Filter:

# Install with Rust plugins
pip install mcp-contextforge-gateway[rust]
# Expected results: 5-100x faster PII detection

---

Next Planned Release: v1.0.0 (Q1 2026) - Production Hardening & Stability

---

This discussion was created from the release v0.9.0 - 2025-11-09 - Internal Observability, Performance Optimizations & Production Hardening.