MCP Gateway v0.5.0 - 2025-08-06 - Enterprise Operability, Auth, Configuration & Observability

This enterprise-focused release delivers 42 resolved issues with major improvements to authentication, configuration management, error handling, and developer experience. Building on v0.4.0's security foundation, v0.5.0 brings enhanced JWT security, comprehensive UI/UX improvements, and strengthened input validation across all endpoints.

🏆 Enterprise Operability Achievements

This release enhances production readiness with:

• Enhanced JWT Security – Mandatory token expiration enforcement when configured
• Masked Sensitive Data – Authentication credentials properly hidden in API responses
• Improved Error Handling – User-friendly messages with actionable guidance
• Better Observability – Enhanced status reporting and service visibility
• Developer Productivity – File-specific linting and comprehensive Makefile improvements
• Stronger Validation – XSS prevention and input validation across all endpoints

Important: Admin UI remains development-only with enhanced security defaults. Never expose it in production. Build your own production UI with appropriate security controls. Refer to the Securing MCP Gateway documentation.
Beta Software Notice: MCP Gateway is in early beta. Expect breaking changes between minor versions. Use only with trusted upstream MCP servers. This is an OPEN SOURCE PROJECT with community-driven support and no official support from IBM. Please refer to SECURITY.md and our Roadmap for more info.

✨ Highlights

• 🔐 JWT Token Security – Mandatory expiration when REQUIRE_TOKEN_EXPIRATION=true (#425)
• 🎭 Masked Auth Values – Sensitive credentials hidden in all API responses (#601, #602)
• 🧪 Enhanced Test Tool – Default values, array/boolean handling, multiline support (#620-#644)
• 🛠️ Developer Experience – File-specific linting with make lint filename (#410, #660)
• 📊 Better Visibility – MCP Server Name column in tools/resources overview (#506, #624)
• 🔍 Security Scanning – Snyk, DevSkim, and nodejsscan integration (#590, #638, #639)
• ✅ UI Improvements – Checkbox selection, better error messages, form fixes (#392, #619)
• 📝 SPDX Compliance – Automated file header verification (#315, #317, #656)

🚨 Important Updates

• UI Enabled by Default – .env.example now sets MCPGATEWAY_UI_ENABLED=true for easier onboarding
• API Docs Authentication – New DOCS_BASIC_AUTH_ENABLED flag for securing documentation endpoints
• Enhanced Validation – Stricter rules for gateway URLs, tool names, and input parameters
• Improved Scripts – Consolidated run-gunicorn.sh with better error handling (#397, #430)

🆕 Added

Security & Authentication

• JWT Token Expiration (#425) – Mandatory expiration with REQUIRE_TOKEN_EXPIRATION=true
• Masked Credentials (#601, #602) – Auth values hidden in gateway API responses
• API Docs Auth (#663) – Basic authentication for /docs with DOCS_BASIC_AUTH_ENABLED
• XSS Prevention (#576) – RPC method validation against injection attacks
• SPDX Headers (#315, #317, #656) – Automated license compliance checking

Developer Experience

• File-Specific Linting (#410, #660):

  make lint filename.py     # Lint single file
  make lint dirname/        # Lint directory
  make lint-changed        # Lint git changes

• Enhanced Makefile (#365, #397, #507, #597):

  • .PHONY declarations for all targets
  • Prevented multiple server startups
  • Better formatting and organization
  • Consolidated scripts and improved readability

• Test Tool Enhancements:

  • Default value display (#623, #644)
  • Boolean input fixes (#622)
  • Array input parsing (#620, #641)
  • Multiline text support (#650)

UI/UX Improvements

• Checkbox Selection (#392, #619) – Multi-select for servers, tools, resources
• MCP Server Name Column (#506, #624) – Better visibility in global views
• Connection String Export (#154) – One-click client configuration
• Time Server Integration (#403, #637) – Added to docker-compose for testing
• Error Message Clarity (#357, #363, #569, #629, #648) – Actionable validation feedback

Code Quality & Testing

• Security Scanners:

  • Snyk integration (#638, #639)
  • DevSkim static analysis (#590, #592)
  • nodejsscan for JavaScript (#499)

• Web Linting (#390, #614) – CI/CD integration with jshint, jscpd, markuplint

• Package Linters (#615, #616) – check-manifest and pyroma for PyPI compliance

🐛 Fixed

Critical Gateway Issues

• Gateway ID null in Create API (#521)
• Duplicate registration bypass (#603, #649)
• Silent update failures in UI (#630)
• Invalid URL validation (#578)
• STREAMABLEHTTP transport validation (#662)
• GitHub MCP Server registration (#584)

Tool & Resource Handling

• REST tool update failures (#579)
• Inconsistent tool name lengths (#631, #651)
• Long input name reflection (#598)
• Invalid "STREAMABLE" value (#610)
• Edit forms not populating (#591, #633, #648)

Authentication & Security

• Missing auth credentials (#471, #472)
• Unmasked sensitive data (#601)
• XSS in RPC methods (#576)

🔄 Changed

Configuration Defaults

• UI Enabled – .env.example sets MCPGATEWAY_UI_ENABLED=true
• Enhanced Validation – Stricter rules across all inputs
• Better Scripts – Single run-gunicorn.sh with improved features

Performance & Reliability

• Improved connection handling and timeouts
• Better stateful session management
• Enhanced resource cleanup

📦 Upgrade Instructions

1. Update your package:

   pip install --upgrade mcp-contextforge-gateway==0.5.0

2. Review new settings in .env:

   cp .env.example .env
   # Check new DOCS_BASIC_AUTH_ENABLED setting

3. Run database migrations (automatic in Docker/Kubernetes):

   make db-upgrade

---

🌟 Release Contributors

This release demonstrates strong community growth with 14 new contributors joining the project!

🏆 Top Contributors in 0.5.0

• Mihai Criveti (@crivetimihai) - Release coordinator, infrastructure, security
• Madhav Kandukuri (@madhav165) - XSS prevention, validation, security fixes
• Keval Mahajan (@kevalmahajan) - UI enhancements, test tool improvements
• Manav Gupta - File-specific linting, Makefile improvements
• Rakhi Dutta (@rakdutta) - Comprehensive error message improvements
• Shoumi Mukherjee (@shoummu1) - Array parsing, tool fixes, UI improvements

🎉 New Contributors

• JimmyLiao - STREAMABLEHTTP transport validation
• Arnav Bhattacharya - File header verification script
• Guoqiang Ding - Tool parameter conversion, API docs auth
• Pascal Roessner - MCP Gateway Name in tools overview
• Kumar Tiger - Duplicate gateway name fix
• Shamsul Arefin - JavaScript validation, UUID support
• Emmanuel Ferdman - Prompt service test fixes
• Tomas Pilar - Gateway response fixes, auth flags
• ChrisPC-39 - UI enablement, tool search

💪 Returning Contributors

• Nayana R Gowda - Redundant expressions, formatting
• Mohan Lakshmaiah - Tool name consistency
• Abdul Samad - Continued UI polish
• Satya - Gateway URL validation

---

🔗 Resources

• 📚 Docs: https://ibm.github.io/mcp-context-forge/
• 🐳 Container: ghcr.io/ibm/mcp-context-forge:v0.5.0
• 🐍 PyPI: mcp-contextforge-gateway
• 📈 Full changelog: Compare v0.4.0…v0.5.0

🛡️ MCP Gateway v0.4.0 - 2025-07-22 - Security, Resilience, Test Coverage and Bugfixing

🛡️ MCP Gateway v0.4.0 – 2025-07-22

This milestone release achieves 100% compliance across all multiple linters, 82% unit test coverage, 60% doctest coverage and new UI test automation while delivering resilience features, comprehensive testing infrastructure, and critical bug fixes. With over 52 issues resolved, v0.4.0 represents our commitment to enterprise-grade security and code quality.

🏆 Security & Quality Achievements

This release sets new standards for code quality and security:

• 100% Linter Compliance – Zero issues across Bandit, HTMLHint, Stylelint, ESLint, Retire.js, and nodejsscan
• 100% Docstring Coverage – Every function and class fully documented
• 10/10 Pylint Score – Code quality rating maintained
• 60% Doctest Coverage – Enhanced documentation with executable examples
• 82% Pytest Coverage – Enhanced pytest suite, with additional e2e tests and input validation
• New test-ui - playwright based UI test automation (e.g. make dev & bg; make test-ui-headless)
• Smart Retry Mechanisms – Resilient connections with exponential backoff

Important: Admin UI remains development-only. Never expose it in production. Build your own production UI with appropriate security controls. Refer to the Securing MCP Gateway documentation.
Beta Software Notice: MCP Gateway is in early beta. Expect breaking changes between minor versions, and incomplete functionality. Use only with trusted upstream MCP servers. This is an OPEN SOURCE PROJECT with community-driven support and no official support from IBM. Please refer to SECURITY.md and our Roadmap for more info and upcoming features.

✨ Highlights

• 🔒 Zero Security Issues – All security scanners pass (#421, #415, #552)
• 🔄 Smart Retry Mechanism – HTTPX client with exponential backoff for resilient connections (#456)
• 🧪 Security Test Suite – Comprehensive input validation testing framework (#552)
• 🔧 Test Connectivity Tool – Debug MCP server connections with detailed diagnostics (#181)
• 💾 Persistent Filter State – UI filters and preferences now persist across sessions (#177)
• 📚 60% Doctest Coverage – Executable documentation examples (#249)
• 🐳 Docker HEALTHCHECK – Production-ready container health monitoring (#362)
• 📊 E2E Acceptance Tests – Complete end-to-end validation documentation (#399)

🚨 Important Security Updates

• Secure Defaults Continue – Admin UI and API disabled by default
• Enhanced Error Handling – Replaced assert statements with proper exceptions (#412)
• Fixed Critical Bugs – Resolved STREAMABLEHTTP transport issues (#213) and auth failures (#232)
• Improved Input Validation – Extended validation to RPC endpoints (#361)

🆕 Added

Resilience & Reliability

• HTTPX Smart Retry Client (#456):

  • Exponential backoff with jitter
  • Configurable retry attempts and intervals
  • Automatic recovery from transient failures
  • Environment variables: HTTP_MAX_RETRIES, HTTP_RETRY_BACKOFF_FACTOR

• Docker Health Monitoring (#362):

  • HEALTHCHECK directive in Containerfile
  • Proper health endpoints for Kubernetes/Docker
  • Automatic container restart on failures

Developer Experience

• Test MCP Server Connectivity (#181) – Comprehensive debugging tool in Admin UI
• Persistent UI State (#177) – Filter selections persist across browser sessions
• Contextual Help Tooltips (#233) – Hover help throughout the interface
• mcp-cli Documentation (#46) – Complete guide for CLI integration
• JSON-RPC Examples (#19) – Detailed curl commands for API testing

Security & Testing

• Input Validation Test Suite (#552) – Comprehensive security-focused tests
• Additional Security Scanners (#415, #499) – Added nodejsscan for JavaScript
• E2E Test Documentation (#399) – Complete acceptance testing guide
• 60% Doctest Coverage (#249) – Executable documentation examples

Code Quality

• 100% Docstring Coverage (#467) – Every function documented
• 10/10 Pylint Score (#210) – Perfect code quality rating
• Zero Web Lint Issues (#338) – Clean JavaScript and HTML
• Dead Code Detection (#305) – Vulture and unimport integration

🐛 Fixed

Critical Issues

• STREAMABLEHTTP Transport (#213) – Fixed transport initialization failures
• Authentication Failures (#232) – Resolved "Auth to None" errors
• Gateway Authentication (#471, #472) – Fixed auth credentials not being populated
• XSS Vulnerabilities (#361) – Added validation to RPC endpoints
• Invalid Transport Types (#359) – Gateway now properly validates transports

UI/UX Fixes

• Dark Theme (#366) – Fixed visibility and contrast issues
• Server Connectivity Test (#367) – Repaired broken test functionality
• Duplicate Server Names (#476) – UI now shows proper error messages
• Edit Forms (#354) – Fixed fields not populating when editing
• Annotations (#356) – Made annotations properly editable
• Resource Data (#352) – Fixed incorrect data mapping
• Text Editor Spacing (#355) – Removed excessive empty space
• Console Warnings (#374) – Eliminated metrics-loading errors

API & Backend

• Federation HTTPS (#424) – Now respects X-Forwarded-Proto headers
• Version Endpoint (#369, #382) – Returns proper semantic version
• Test Server URL (#396) – Fixed incorrect URL construction
• Gateway Separator (#387) – Respects GATEWAY_TOOL_NAME_SEPARATOR
• UI-Disabled Mode (#378) – Tests handle disabled UI properly

Infrastructure

• Makefile Improvements (#371, #433) – Better Docker/Podman detection
• GHCR Push (#384) – Fixed incorrect pushes on PRs
• OpenAPI Title (#522) – Fixed formatting in specification
• Test Isolation (#495) – Tests no longer affect production database
• Configuration Cleanup (#419) – Removed unused lock_file_path

🔄 Changed

• Security by Default:

  • Admin UI disabled: MCPGATEWAY_UI_ENABLED=false
  • Admin API disabled: MCPGATEWAY_ADMIN_API_ENABLED=false
  • Enable only for trusted development environments

• Code Quality Milestones:

  • 100% Docstring Coverage – Use make interrogate to verify
  • 10/10 Pylint Score – Use make pylint to check
  • Zero Security Issues – Use make bandit to scan
  • Clean Web Code – Use make lint-web to verify

• Enhanced Error Handling:

  • Replaced all assert statements with proper exceptions
  • Better error messages for user guidance
  • Improved logging for debugging

🔐 Security Notes

New Security Tools

Run the security lint suite locally:

make security-all     # Run all security scanners
make bandit           # Python security analysis
make nodejsscan       # JavaScript security analysis  
make grype            # Container vulnerability scan
make trivy            # Comprehensive security scan
make lint-web         # Web code quality check
make sonar-up-docker pysonar-scanner # Run sonarqube locally and submit code

📦 Upgrade Instructions

1. Update your package:

   pip install --upgrade mcp-contextforge-gateway==0.4.0

2. Review new retry settings in .env:

   # Copy latest example with retry config
   cp .env.example .env

Docker / Compose / Kubernetes deployments also support alembic migrations on startup.

---

🌟 Release Contributors

Thanks to our amazing contributors who made this security-focused release possible!

🏆 Top Contributors in 0.4.0

• Mihai Criveti (@crivetimihai) - Release coordinator, security improvements, code quality, review, and extensive testing infrastructure
• Madhav Kandukuri (@madhav165) - Major input validation framework, security fixes, and test coverage improvements
• Keval Mahajan (@kevalmahajan) - HTTPX retry mechanism implementation and UI improvements
• Manav Gupta (@manavgup) - Comprehensive doctest coverage and Playwright test suite

🎉 New Contributors

Welcome to our first-time contributors who joined us in 0.4.0:

• Satya (@TS0713) - Fixed duplicate server name handling and invalid transport type validation
• Guoqiang Ding (@dgq8211) - Improved tool description display with proper line wrapping
• Rakhi Dutta (@rakdutta) - Enhanced error messages for better user experience
• Nayana R Gowda - Fixed CodeMirror layout spacing issues
• Mohan Lakshmaiah - Contributed UI/UX improvements and test case updates
• Shoumi Mukherjee - Fixed resource data handling in the UI
• Reeve Barreto (@reevebarreto) - Implemented the Test MCP Server Connectivity feature
• ChrisPC-39/Sebastian - Achieved 10/10 Pylint score and added security scanners
• Jason Frey (@fryguy9) - Improved GitHub Actions with official IBM Cloud CLI action

💪 Returning Contributors

Thank you to our dedicated contributors who continue to strengthen MCP Gateway:

• Thong Bui - REST API enhancements including PATCH support and path parameters
• Abdul Samad - Dark mode improvements and UI polish

This release represents a true community effort with contributions from developers around the world. Your dedication to security, code quality, and user experience has made MCP Gateway more robust than ever!

---

🔗 Resources

• 📚 Docs: https://ibm.github.io/mcp-context-forge/
• 🐳 Container: ghcr.io/ibm/mcp-context-forge:v0.4.0
• 🐍 PyPI: mcp-contextforge-gateway
• 📈 Full changelog: [Compare v0.3.1…v0.4.0](v0.3.1...v...

🔐 MCP Gateway v0.3.1 - 2025-01-11 Security, XSS protection and Data Validation (Pydantic, UI)

🔐 MCP Gateway v0.3.1 – 2025-01-11

This security-focused release delivers comprehensive input validation, output escaping, and data sanitization to protect against XSS and injection attacks when handling data from untrusted MCP servers. It also includes UI improvements and code quality enhancements.

🔒 Security First: Defense in Depth

This release prioritizes defense in depth with multiple layers of security validation:

• Input Validation Framework – Comprehensive validation for all API endpoints
• Output Escaping – HTML-escaped display of user-controlled content in UI
• Data Sanitization – Protection against XSS injection from untrusted MCP servers
• Secure Defaults – Admin UI and API disabled by default (development-only features)
• Automated Security Pipeline – 24+ security tools including CodeQL, Bandit, Trivy, and OSV-Scanner

Important: The Admin UI is for development only and must never be exposed in production. It's designed for localhost-only access with trusted MCP servers. For production, disable it completely and use only the REST API with proper authentication.
Beta Software Notice: MCP Gateway is in early beta. Expect breaking changes between minor versions. This is an OPEN SOURCE PROJECT with community-driven support and no official support from IBM.

✨ Highlights

• 🛡️ Comprehensive Security Hardening – Input validation for all /admin and main API endpoints with configurable rules (#339, #340)
• 🔒 XSS Protection – Enhanced output handling ensures all user-controlled content is properly HTML-escaped (#336)
• ✅ Zero Lint Status – Resolved all 312 code quality issues across the web stack (#338)
• 🔧 Test Connectivity Tool – New debugging feature to validate gateway connections (#181)
• 💾 Persistent UI State – Filters and view preferences now persist across page refreshes (#177)
• 🎨 Revamped UI Components – Metrics and version tabs rewritten for consistency
• 🧪 UI-Disabled Mode Support – Fixed unit tests to handle configurations with UI disabled (#378)
• 🏷️ Semantic Versioning – Version endpoint now includes proper semantic version, not just git revision (#369)

🚨 Important Limitations

• Not Multi-Tenant Ready – Deploy as single-tenant component; implement user isolation, RBAC, and resource management in your application layer - many of the features to support true multi-tenancy and additional security policies and tools are coming slated for release 0.7.0 - 0.8.0
• Admin UI is Development-Only – Never expose in production; build your own production UI with appropriate security controls
• Beta Software – Validate all MCP servers before connecting; expect breaking changes between releases

🆕 Added

Security Enhancements

• Comprehensive Input Validation Framework (#339, #340):

  • All /admin endpoints validated – tools, resources, prompts, gateways, and servers
  • All non-admin API endpoints validated for consistent data integrity
  • Configurable validation rules with sensible defaults:
    • Character restrictions: names ^[a-zA-Z0-9_\-\s]+$, tool names ^[a-zA-Z][a-zA-Z0-9_]*$
    • URL scheme validation: http://, https://, ws://, wss://
    • JSON nesting depth limits (default: 10 levels)
    • Field-specific length limits (names: 255, descriptions: 4KB, content: 1MB)
    • MIME type validation for resources
  • Clear error messages guide users to correct input formats

• Enhanced Output Handling (#336):

  • All user-controlled content properly HTML-escaped in Admin UI
  • Protected fields: prompt templates, tool names/annotations, resource content, gateway configs
  • Ensures data displays as intended without unexpected behavior

Features

• Test MCP Server Connectivity Tool (#181) – Debug and validate gateway connections from Admin UI
• Persistent Admin UI Filter State (#177) – View preferences persist across refreshes
• Revamped UI Components – Metrics and version tabs rewritten for consistency

Fixes

• Unit Test Compatibility (#378) – Tests now properly handle UI-disabled mode configurations
• Version Endpoint Enhancement (#369) – Now includes semantic version (e.g., "0.3.1") not just git revision

🔄 Changed

• Code Quality Achievement (#338):

  • Resolved all 312 code quality issues
  • Updated 14 JavaScript patterns
  • Corrected 2 HTML structure improvements
  • Standardized naming conventions
  • Removed unused code

• Security Defaults:

  • Admin UI disabled by default: MCPGATEWAY_UI_ENABLED=false
  • Admin API disabled by default: MCPGATEWAY_ADMIN_API_ENABLED=false
  • Update your .env file to explicitly enable these features

• Validation Configuration – New environment variables:

  VALIDATION_MAX_NAME_LENGTH=255
  VALIDATION_MAX_DESCRIPTION_LENGTH=4096
  VALIDATION_MAX_JSON_DEPTH=10
  VALIDATION_ALLOWED_URL_SCHEMES=["http://", "https://", "ws://", "wss://"]

• Performance – Validation overhead kept under 10ms per request

• Security Pipeline – Every PR now passes through 24+ automated security scans including:

  • SAST: CodeQL, Bandit, multiple type checkers
  • Dependency Scanning: OSV-Scanner, Trivy, npm audit
  • Container Security: Hadolint, Dockle, Trivy
  • Code Quality: Multiple linters ensuring maintainability

🔐 Security Notes

Defense in Depth Strategy

MCP Gateway is designed as one component in a comprehensive security strategy:

1. Upstream validation: Verify and trust all MCP servers before connection
2. Gateway validation: Input/output validation and sanitization (this release)
3. Downstream validation: Applications must implement their own security controls
4. Network isolation: Use firewalls and network policies
5. Monitoring: Implement logging and alerting for anomalies

Review Your Configuration

Admin features are now disabled by default for security:

MCPGATEWAY_UI_ENABLED=false        # Keep false in production
MCPGATEWAY_ADMIN_API_ENABLED=false # Keep false in production

Developer Security Tools

Run the same 24+ security scans locally that execute in CI/CD:

make pre-commit  # Run before every commit (includes Bandit)
make lint        # Full security and quality suite
make bandit      # Python security vulnerabilities
make trivy       # Container vulnerability scanning
make osv-scan    # Open source vulnerability database

📦 Upgrade Instructions (pypy)

1. Update your package:

   pip install --upgrade mcp-contextforge-gateway==0.3.1

2. Review security settings in your .env:

   # Copy from .env.example for secure defaults
   cp .env.example .env
   # Then enable only required features

📋 Production Deployment Checklist

When deploying MCP Gateway v0.3.1:

• Disable Admin UI (MCPGATEWAY_UI_ENABLED=false)
• Disable Admin API (MCPGATEWAY_ADMIN_API_ENABLED=false)
• Enable authentication for all endpoints
• Configure TLS/HTTPS with valid certificates
• Validate all MCP servers before connection
• Implement downstream validation in your applications
• Set up monitoring and anomaly detection
• Review validation rules for your use case

See the full Security Policy for complete deployment guidelines.

👥 Contributors

This security-focused release was delivered through excellent teamwork. Some of the items closed in 0.3.1 include:

• Security Implementation – Input validation framework (#339, #340) and output escaping (#336)
• Code Quality – Achieved zero lint status across 312 issues (#338)
• Testing Improvements – UI-disabled mode support (#378)
• Version Enhancement – Semantic versioning in API (#369)
• UI/UX Features – Test connectivity tool (#181) and persistent filter state (#177)

Special thanks to all contributors who helped make MCP Gateway more secure and robust!

---

🔗 Resources

• 📚 Docs: https://ibm.github.io/mcp-context-forge/
• 🐳 Container: ghcr.io/ibm/mcp-context-forge:v0.3.1
• 🐍 PyPI: mcp-contextforge-gateway
• 📈 Full changelog: Compare v0.3.0…v0.3.1

🚀 MCP Gateway v0.3.0 - Annotations, Alembic, Auto-Recovery and Multi-Server Tool Federations, DX

🚀 MCP Gateway v0.3.0 – 2025-07-08

This milestone release delivers powerful multi-server tool federations with rich annotations, enhanced UI management capabilities, and rock-solid stability improvements that make MCP Gateway ready for production workloads.

Note: This release introduces Alembic migrations to make future database schema changes seamless. These happen automatically, but in some cases, when upgrading from 0.1.0 - migration may not be possible and you will need to re-create your database. Ex: rm mcp.db.

✨ Highlights

• 🔗 Multi-Server Tool Federation – seamlessly aggregate tools, resources, and prompts across multiple MCP servers with intelligent namespace handling and UUID-based identity management.
• 🏷️ Rich Annotations & Metadata – enhanced tool and resource annotations with dynamic UI pickers for better discoverability and management.
• 🔄 Auto-Recovery & Resilience – automatic MCP server reactivation when services come back online, plus configurable connection retries with exponential backoff.
• 🎯 Dynamic UI Management – intuitive pickers for tool, resource, and prompt associations with real-time server status indicators.
• 📤 Enhanced Connection Export – one-click connection string generation for popular AI frameworks and clients.
• 🛠️ Developer Experience – comprehensive workstation setup guides, improved error handling, and cleaner database migrations.
• 🐹 Go MCP Server Reference – fast-time-server implementation showcasing best practices for high-performance MCP servers.

🆕 Added

• Namespace Composite Keys & UUIDs for robust tool identity across federated servers.
• Dynamic UI Picker for tool, resource, and prompt associations with live server filtering.
• Auto-activation system that automatically re-enables MCP servers when they recover.
• Configurable connection retries for databases and Redis with intelligent backoff strategies.
• Enhanced connection string export API and UI for seamless client integration.
• Go-based fast-time-server as a high-performance MCP server reference implementation.
• Developer Workstation Setup Guide covering Mac (Intel/ARM), Linux, and Windows environments.
• Improved file lock handling with proper /tmp directory usage for better multi-instance support.

🔄 Changed

• Database schema migration with separate enabled and reachable fields replacing the legacy is_active field.
• Enhanced path parameter handling for REST API virtualization with better substitution logic.
• Streamlined packaging with proper Alembic configuration inclusion in PyPI wheels.
• Modernized Pydantic patterns eliminating deprecation warnings and improving type safety.
• Improved UI responsiveness with better parameter input modal handling and validation.

🐛 Fixed

• Database migration packaging – Alembic configurations now properly included in pip installations.
• Field migration handling – smooth transition from is_active to enabled/reachable fields.
• File lock path creation – proper /tmp directory usage instead of current working directory.
• GitHub Remote Server addition flow now works reliably.
• Parameter input modals – close button functionality restored.
• Gateway reactivation warnings eliminated through proper Pydantic model handling.
• SBOM generation and documentation build targets now function correctly.
• Test suite stability with comprehensive Pydantic pattern updates.

🔐 Security

• Enhanced connection isolation with proper file locking mechanisms.
• Improved error handling that prevents information leakage.
• Database connection security with retry policies that don't expose credentials.

📦 Packaging & Deployment

• PyPI wheel improvements with complete Alembic migration support.
• Container optimization for better multi-instance deployments.
• Development tooling enhancements for contributor onboarding.

👥 New Contributors

We welcome new contributors who joined us in this release – thank you for your valuable contributions!

🙏 Returning Contributors who delivered excellence

• Mihai Criveti – release management, database migration architecture, Go time server implementation, comprehensive testing and stability improvements.
• Keval Mahajan – multi-server federation logic, UI picker implementation, auto-recovery system design.
• Madhav Kandukuri – namespace design, connection export enhancements, developer experience improvements.
• Abdul Samad – UI/UX refinements, parameter modal fixes, visual consistency improvements.
• Manav Gupta – packaging fixes, documentation improvements, build system enhancements.

Outstanding work making MCP Gateway production-ready! 🎉

---

🔮 What's Next in v0.4.0

The next release will focus on Bugfixes, Resilience & Code Quality with:

• Universal retry mechanisms with exponential backoff
• Comprehensive test coverage (90%+ target)
• Advanced security scanning and static analysis
• Performance profiling and optimization
• Enhanced documentation and developer guides

---

🔗 Resources

• 📚 Docs: https://ibm.github.io/mcp-context-forge/
• 🐳 Container: ghcr.io/ibm/mcp-context-forge:v0.3.0
• 🐍 PyPI: [mcp-contextforge-gateway](https://pypi.org/project/mcp-contextforge-gateway/)
• 📈 Full changelog: [Compare v0.2.0…v0.3.0](v0.2.0...v0.3.0)
• 🎯 Roadmap: [View upcoming releases](https://ibm.github.io/mcp-context-forge/architecture/roadmap/)

MCP Gateway v0.2.0 – Streamable HTTP, Infra-as-Code, Dark Mode

🚀 MCP Gateway v0.2.0 – 2025-06-24

This feature-rich release introduces a Streamable HTTP transport, mcpgateway.translate to convert stdio to SSE, infrastructure-as-code assets, and a sleek dark-mode UI, while hardening stability and developer tooling across the board.

✨ Highlights

• 🌊 First-class Streamable HTTP transport – the gateway now speaks MCP’s new default protocol, with stateful-session & auth support. SSE still works, too. Introduced mcpgateway.translate to turn any stdio server into a SSE endpoint.
• 🛠️ Infra-as-Code – drop-in Terraform modules & Ansible roles for cloud installs.
• ⚡ Connection-string exporter – one-click UI / /servers/{id}/connect API for LangChain, Claude Desktop & friends.
• 🌒 Dark-mode Admin UI with a compact version-info panel.
• 🧑‍💻 Developer experience overhaul – 333 green unit tests, tox, pre-commit linters, coverage in CI, Python 3.11+.
• 🏗️ Deployment goodies – Helm charts accept external secrets/Redis, Fly.io guide, Docker-compose switches.
• 🔒 Security & hardening – connection-level time-outs, CVE scans, dependency bumps.

🆕 Added

• Streamable HTTP client/server transport with Basic/Bearer auth & session persistence.
• Connection-string export API/UI.
• Terraform modules & Ansible playbooks for cloud provisioning.
• Fast Go reference MCP server for benchmarking.
• Dark-mode theme, slimmer version-info widget, dev-onboarding checklist.
• tox config, pre-commit (ruff, flake8, yamllint), GH Actions pytest + coverage.
• Helm enhancements: external secrets/Redis, walkthrough; Fly.io deployment guide.

🔄 Changed

• Python ≥ 3.11 (CI on Ubuntu 24.04 / Python 3.12).
• Thorough Helm/Makefile/JWT helper refresh; tighter typing & linting; 333 unit tests now pass.
• Detailed context-merging algorithm notes added to docs.

🐛 Fixed

• SBOM workflow & make images/docs targets.
• GitHub Remote MCP server addition flow.
• REST path-parameter substitution, PATCH handling, 204 responses.
• Numerous flaky tests and mypy/flake8 violations.

🔐 Security

• Dependency bumps, security-policy updates, CVE scans wired into pre-commit & CI.

📦 Packaging & Deployment

• Helm charts accept external secrets & Redis.
• Docker-compose gains local-image switch; Fly.io guide.
• SBOM generation and license verification now reliable.

👥 New Contributors

Contributor	First delivered in 0.2.0
Abdul Samad	Dark-mode UI, compact version-info
Arun Babu Neelicattu	Raised minimum Python to 3.11
Manoj Jahgirdar	Docs home-page polish
Shoumi Mukherjee	Docs clean-ups & quick-start
Thong Bui	REST adapter path-params, PATCH, 204

Welcome aboard — your PRs made 0.2.0 shine! 🎉

🙏 Returning Contributors who went the extra mile

• Mihai Criveti – release mgmt, Helm refactor, full CI revamp, 333 green tests, security & build updates, mcpgateway.translate.
• Keval Mahajan – implemented Streamable HTTP transport, UI transport column, gateway time-outs, test fixes.
• Madhav Kandukuri – ADRs for federation & UX, dark-mode polish, connection-string export spec, stability fixes.
• Manav Gupta – SBOM & license fixes, Makefile targets, Docker/Fly.io docs.

Huge thanks for keeping the momentum going! 🚀

---

🔗 Resources

• 📚 Docs: https://ibm.github.io/mcp-context-forge/
• 🐳 Container: ghcr.io/ibm/mcp-context-forge:v0.2.0
• 🐍 PyPI: mcp-contextforge-gateway
• 📈 Full changelog: Compare v0.1.1…v0.2.0

MCP Gateway v0.1.1 - Wrapper, Helm & Stability Boost

📦 MCP Gateway v0.1.1 – 2025‑06‑15

This is a feature-packed minor release focused on stability, packaging, wrapper enhancements, and documentation polish. It builds upon the initial public release (v0.1.0) by refining the developer experience and broadening deployment capabilities.

✨ Highlights

• 🔁 New stdio-to-SSE wrapper (mcpgateway.wrapper) that allows legacy MCP clients to interact with modern gateways
• 📦 Run as a Python module: python3 -m mcpgateway.wrapper now supported thanks to package restructure
• 🧪 /ready endpoint for Kubernetes readiness probes
• 🧬 /version API and UI tab for runtime inspection
• 🚀 Helm charts, improved Makefile and CI/CD support
• 📚 Major documentation refresh: Quick starts, pip install, Docker, FAQs, debugging tips, ArgoCD

🆕 Added

• New mcpgateway.wrapper with CLI and stdio support to connect to authenticated SSE gateways
• /version endpoint (also available via UI tab and CLI --version)
• /ready endpoint for Kubernetes readiness probes
• New Helm charts and Kubernetes deployment assets
• Improved CLI entry point via mcpgateway script (uses Uvicorn under the hood)
• Python module now supports python3 -m mcpgateway.wrapper for stdio clients
• Documentation updates: quoting advice for zsh, docker quick start, dev container, FAQ, GitHub review process, PyPi setup, ArgoCD
• Makefile targets for ArgoCD
• Initial mcpgateway.translate support to turn stdio -> SSE. More features & protocol translation options coming soon.

🐛 Fixed

• Fixed errors when deleting gateways with active metrics
• Improved gateway addition logic when tools overlap — now adds missing tools without failure
• Resolved basic authentication header bugs for tools and gateways
• Captured detailed exceptions using ExceptionGroup support for better logs
• Corrected static path resolution when installing as a wheel

📦 Packaging & Deployment

• Renamed PyPi package to avoid conflicts (mcp-contextforge-gateway)
• Enhanced Makefile with docker-run-ssl-host and new publishing targets
• Added VS Code Dev Container + GitHub Codespaces support
• Added support for APP_ROOT_PATH when reverse proxying (e.g., behind /gateway)

👥 New Contributors

• @rakdutta, @MohanLaksh, @manavgup, @calculus-ask, @manojjahgirdar, @ryanmarc

---

🔗 Resources

• 📚 Docs: https://ibm.github.io/mcp-context-forge/
• 🐳 Container: ghcr.io/ibm/mcp-context-forge:v0.1.1
• 🐍 PyPI: mcp-contextforge-gateway
• 📈 Full changelog: Compare v0.1.0...v0.1.1

MCP Gateway 0.1.0 – Initial public release

Overview

Initial public release of MCP Gateway - a FastAPI-based gateway and federation layer for the Model Context Protocol (MCP).
This preview delivers a fully-featured core, production-grade deployment assets and an opinionated developer experience.

---

🚪 Core protocol & gateway

• 📡 MCP protocol implementation – initialise, ping, completion, sampling, JSON-RPC fallback
• 🌐 Gateway layer in front of multiple MCP servers with peer discovery & federation

🔄 Adaptation & transport

• 🧩 Virtual-server wrapper & REST-to-MCP adapter with JSON-Schema validation, retry & rate-limit policies
• 🔌 Multi-transport support – HTTP/JSON-RPC, WebSocket, Server-Sent Events and stdio

🖥️ User interface & security

• 📊 Web-based Admin UI (HTMX + Alpine.js + Tailwind) with live metrics
• 🛡️ JWT & HTTP-Basic authentication, AES-encrypted credential storage, per-tool rate limits

📦 Packaging & deployment recipes

• 🐳 Container images on GHCR, self-signed TLS recipe, health-check endpoint
• 🚀 Deployment recipes – Gunicorn config, Docker/Podman/Compose, Kubernetes, Helm, IBM Cloud Code Engine, AWS, Azure, Google Cloud Run

🛠️ Developer & CI tooling

• 📝 Comprehensive Makefile (80 + targets), linting, > 400 tests, CI pipelines & badges
• ⚙️ Dev & CI helpers – hot-reload dev server, Ruff/Black/Mypy/Bandit, Trivy image scan, SBOM generation, SonarQube helpers

🗄️ Persistence & performance

• 🐘 SQLAlchemy ORM with pluggable back-ends (SQLite default; PostgreSQL, MySQL, etc.)
• 🚦 Fine-tuned connection pooling (DB_POOL_SIZE, DB_MAX_OVERFLOW, DB_POOL_RECYCLE) for high-concurrency deployments

📈 Observability & metrics

• 📜 Structured JSON logs and /metrics endpoint with per-tool / per-gateway counters

📚 Documentation

• 🔗 MkDocs site – https://ibm.github.io/mcp-context-forge/

---

Installation (container quick-start)

docker run -d --name mcpgateway \
  -p 4444:4444 \
  -e HOST=0.0.0.0 \
  -e JWT_SECRET_KEY=my-test-key \
  -e BASIC_AUTH_USER=admin \
  -e BASIC_AUTH_PASSWORD=changeme \
  -e AUTH_REQUIRED=true \
  -e DATABASE_URL=sqlite:///./mcp.db \
  ghcr.io/ibm/mcp-context-forge:v0.1.0

Full Changelog: https://github.com/IBM/mcp-context-forge/commits/v0.1.0