🛡️ MCP Gateway v0.4.0 - 2025-07-22 - Security, Resilience, Test Coverage and Bugfixing

@crivetimihai crivetimihai released this 22 Jul 22:25
· 157 commits to main since this release

🛡️ MCP Gateway v0.4.0 – 2025-07-22

This milestone release achieves 100% compliance across all linters, 82% unit test coverage, 60% doctest coverage, and new UI test automation, while delivering resilience features, comprehensive testing infrastructure, and critical bug fixes. With over 52 issues resolved, v0.4.0 represents our commitment to enterprise-grade security and code quality.

🏆 Security & Quality Achievements

This release sets new standards for code quality and security:

  • 100% Linter Compliance – Zero issues across Bandit, HTMLHint, Stylelint, ESLint, Retire.js, and nodejsscan
  • 100% Docstring Coverage – Every function and class fully documented
  • 10/10 Pylint Score – Code quality rating maintained
  • 60% Doctest Coverage – Enhanced documentation with executable examples
  • 82% Pytest Coverage – Enhanced pytest suite, with additional e2e tests and input validation
  • New test-ui – Playwright-based UI test automation (e.g. make dev & bg; make test-ui-headless)
  • Smart Retry Mechanisms – Resilient connections with exponential backoff

Important: Admin UI remains development-only. Never expose it in production. Build your own production UI with appropriate security controls. Refer to the Securing MCP Gateway documentation.
Beta Software Notice: MCP Gateway is in early beta. Expect breaking changes between minor versions, and incomplete functionality. Use only with trusted upstream MCP servers. This is an OPEN SOURCE PROJECT with community-driven support and no official support from IBM. Please refer to SECURITY.md and our Roadmap for more info and upcoming features.

✨ Highlights

  • 🔒 Zero Security Issues – All security scanners pass (#421, #415, #552)
  • 🔄 Smart Retry Mechanism – HTTPX client with exponential backoff for resilient connections (#456)
  • 🧪 Security Test Suite – Comprehensive input validation testing framework (#552)
  • 🔧 Test Connectivity Tool – Debug MCP server connections with detailed diagnostics (#181)
  • 💾 Persistent Filter State – UI filters and preferences now persist across sessions (#177)
  • 📚 60% Doctest Coverage – Executable documentation examples (#249)
  • 🐳 Docker HEALTHCHECK – Production-ready container health monitoring (#362)
  • 📊 E2E Acceptance Tests – Complete end-to-end validation documentation (#399)

🚨 Important Security Updates

  • Secure Defaults Continue – Admin UI and API disabled by default
  • Enhanced Error Handling – Replaced assert statements with proper exceptions (#412)
  • Fixed Critical Bugs – Resolved STREAMABLEHTTP transport issues (#213) and auth failures (#232)
  • Improved Input Validation – Extended validation to RPC endpoints (#361)

🆕 Added

Resilience & Reliability

  • HTTPX Smart Retry Client (#456):

    • Exponential backoff with jitter
    • Configurable retry attempts and intervals
    • Automatic recovery from transient failures
    • Environment variables: HTTP_MAX_RETRIES, HTTP_RETRY_BACKOFF_FACTOR
  • Docker Health Monitoring (#362):

    • HEALTHCHECK directive in Containerfile
    • Proper health endpoints for Kubernetes/Docker
    • Automatic container restart on failures

Developer Experience

  • Test MCP Server Connectivity (#181) – Comprehensive debugging tool in Admin UI
  • Persistent UI State (#177) – Filter selections persist across browser sessions
  • Contextual Help Tooltips (#233) – Hover help throughout the interface
  • mcp-cli Documentation (#46) – Complete guide for CLI integration
  • JSON-RPC Examples (#19) – Detailed curl commands for API testing

Security & Testing

  • Input Validation Test Suite (#552) – Comprehensive security-focused tests
  • Additional Security Scanners (#415, #499) – Added nodejsscan for JavaScript
  • E2E Test Documentation (#399) – Complete acceptance testing guide
  • 60% Doctest Coverage (#249) – Executable documentation examples

Code Quality

  • 100% Docstring Coverage (#467) – Every function documented
  • 10/10 Pylint Score (#210) – Perfect code quality rating
  • Zero Web Lint Issues (#338) – Clean JavaScript and HTML
  • Dead Code Detection (#305) – Vulture and unimport integration

🐛 Fixed

Critical Issues

  • STREAMABLEHTTP Transport (#213) – Fixed transport initialization failures
  • Authentication Failures (#232) – Resolved "Auth to None" errors
  • Gateway Authentication (#471, #472) – Fixed auth credentials not being populated
  • XSS Vulnerabilities (#361) – Added validation to RPC endpoints
  • Invalid Transport Types (#359) – Gateway now properly validates transports

UI/UX Fixes

  • Dark Theme (#366) – Fixed visibility and contrast issues
  • Server Connectivity Test (#367) – Repaired broken test functionality
  • Duplicate Server Names (#476) – UI now shows proper error messages
  • Edit Forms (#354) – Fixed fields not populating when editing
  • Annotations (#356) – Made annotations properly editable
  • Resource Data (#352) – Fixed incorrect data mapping
  • Text Editor Spacing (#355) – Removed excessive empty space
  • Console Warnings (#374) – Eliminated metrics-loading errors

API & Backend

  • Federation HTTPS (#424) – Now respects X-Forwarded-Proto headers
  • Version Endpoint (#369, #382) – Returns proper semantic version
  • Test Server URL (#396) – Fixed incorrect URL construction
  • Gateway Separator (#387) – Respects GATEWAY_TOOL_NAME_SEPARATOR
  • UI-Disabled Mode (#378) – Tests handle disabled UI properly

Infrastructure

  • Makefile Improvements (#371, #433) – Better Docker/Podman detection
  • GHCR Push (#384) – Fixed incorrect pushes on PRs
  • OpenAPI Title (#522) – Fixed formatting in specification
  • Test Isolation (#495) – Tests no longer affect production database
  • Configuration Cleanup (#419) – Removed unused lock_file_path

🔄 Changed

  • Security by Default:

    • Admin UI disabled: MCPGATEWAY_UI_ENABLED=false
    • Admin API disabled: MCPGATEWAY_ADMIN_API_ENABLED=false
    • Enable only for trusted development environments
  • Code Quality Milestones:

    • 100% Docstring Coverage – Use make interrogate to verify
    • 10/10 Pylint Score – Use make pylint to check
    • Zero Security Issues – Use make bandit to scan
    • Clean Web Code – Use make lint-web to verify
  • Enhanced Error Handling:

    • Replaced all assert statements with proper exceptions
    • Better error messages for user guidance
    • Improved logging for debugging
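
Why the assert replacement matters for security, as an added example (not MCP Gateway code): Python compiles assert statements out when run with -O, so an assert used as an input check silently stops checking. The function names and the allowed-transport set are constructed for illustration.

```python
# Constructed validator source, written two ways. Names are hypothetical and
# not taken from the MCP Gateway code base.
SOURCE = '''
def check_transport_assert(transport):
    # Weak: this check disappears when Python runs with -O
    assert transport in ALLOWED, "invalid transport"
    return transport

def check_transport_raise(transport):
    # Hardened: an explicit exception survives every optimization level
    if transport not in ALLOWED:
        raise ValueError(f"invalid transport: {transport!r}")
    return transport
'''

# Constructed allow-list for the demonstration
ALLOWED = frozenset({"SSE", "STREAMABLEHTTP"})


def load_validators(optimize):
    """Compile SOURCE at an explicit optimization level (0 = default, 1 = like -O)."""
    namespace = {"ALLOWED": ALLOWED}
    code = compile(SOURCE, "<validators>", "exec", optimize=optimize)
    exec(code, namespace)  # constant, trusted source defined above
    return namespace["check_transport_assert"], namespace["check_transport_raise"]


def accepts(validator, value):
    """Return True if the validator lets the value through, False if it rejects it."""
    try:
        validator(value)
        return True
    except (AssertionError, ValueError):
        return False


def demo(bad_value="FTP"):
    """Map optimization level -> (assert version accepts?, raise version accepts?)."""
    results = {}
    for level in (0, 1):
        by_assert, by_raise = load_validators(level)
        results[level] = (accepts(by_assert, bad_value), accepts(by_raise, bad_value))
    return results


if __name__ == "__main__":
    print(demo())
```

At level 1 the assert-based validator accepts the invalid value while the exception-based one still rejects it, which is the failure mode Bandit's assert check flags.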

Security Notes

New Security Tools

Run the security lint suite locally:

make security-all     # Run all security scanners
make bandit           # Python security analysis
make nodejsscan       # JavaScript security analysis  
make grype            # Container vulnerability scan
make trivy            # Comprehensive security scan
make lint-web         # Web code quality check
make sonar-up-docker pysonar-scanner # Run sonarqube locally and submit code

📦 Upgrade Instructions

  1. Update your package:

    pip install --upgrade mcp-contextforge-gateway==0.4.0
  2. Review new retry settings in .env:

    # Copy latest example with retry config
    cp .env.example .env

Docker / Compose / Kubernetes deployments also support alembic migrations on startup.


🌟 Release Contributors

Thanks to our amazing contributors who made this security-focused release possible!

🏆 Top Contributors in 0.4.0

  • Mihai Criveti (@crivetimihai) - Release coordinator, security improvements, code quality, review, and extensive testing infrastructure
  • Madhav Kandukuri (@madhav165) - Major input validation framework, security fixes, and test coverage improvements
  • Keval Mahajan (@kevalmahajan) - HTTPX retry mechanism implementation and UI improvements
  • Manav Gupta (@manavgup) - Comprehensive doctest coverage and Playwright test suite

🎉 New Contributors

Welcome to our first-time contributors who joined us in 0.4.0:

  • Satya (@TS0713) - Fixed duplicate server name handling and invalid transport type validation
  • Guoqiang Ding (@dgq8211) - Improved tool description display with proper line wrapping
  • Rakhi Dutta (@rakdutta) - Enhanced error messages for better user experience
  • Nayana R Gowda - Fixed CodeMirror layout spacing issues
  • Mohan Lakshmaiah - Contributed UI/UX improvements and test case updates
  • Shoumi Mukherjee - Fixed resource data handling in the UI
  • Reeve Barreto (@reevebarreto) - Implemented the Test MCP Server Connectivity feature
  • ChrisPC-39/Sebastian - Achieved 10/10 Pylint score and added security scanners
  • Jason Frey (@fryguy9) - Improved GitHub Actions with official IBM Cloud CLI action

💪 Returning Contributors

Thank you to our dedicated contributors who continue to strengthen MCP Gateway:

  • Thong Bui - REST API enhancements including PATCH support and path parameters
  • Abdul Samad - Dark mode improvements and UI polish

This release represents a true community effort with contributions from developers around the world. Your dedication to security, code quality, and user experience has made MCP Gateway more robust than ever!


🔗 Resources