Releases: github/gh-aw-mcpg
v0.2.25
🌟 Release Highlights
This release tightens GitHub guard security coverage, improves debug observability, strengthens the Rust guard implementation, and continues a broad internal code quality effort across the codebase.
🛡️ Security & Guard Improvements
- Expanded set_issue_fields DIFC coverage — The GitHub guard now correctly classifies set_issue_fields as a write operation with appropriate DIFC rule grouping, closing a coverage gap that could allow the tool to bypass integrity enforcement. (#4049, #4104)
- Rust guard reliability — Eliminated an unnecessary scopes.clone() in the label_agent path and introduced a DIFC_MODE constant for clearer mode handling in the Rust guard. (#4085)
✨ What's New
- Debug logging for config core — Configuration loading now emits structured debug output via the logger framework, making it easier to trace config resolution issues in production. (#4074)
- Rust test integration — A new test-rust Makefile target brings Rust guard tests into the standard make agent-finished verification pipeline. (#4086)
🔧 Internal Improvements
- Unified inbound response logging in SendRequestWithServerID to a single code path, reducing logging inconsistencies. (#4054)
- Deduplicated tracing and HTTP server setup across cmd/server packages. (#4048)
- Consolidated marshal/log paths and unified sanitized sys tool response logging. (#4106)
- Moved shared helpers out of specialized files and removed unnecessary micro-packages. (#4117)
- Refined testify assertions across the test suite for clearer failures and lint-aligned patterns. (#4051)
- Improved test coverage for sys/container and cmd.newCompletionCmd. (#4081, #4082)
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.25
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
Generated by Release · ● 149.7K
What's Changed
- Refactor duplicated tracing and HTTP server setup paths in cmd/server packages by @Copilot in #4048
- [guard-coverage] Add set_issue_fields to github-guard write classification and DIFC rules by @Copilot in #4049
- Refine testify assertions in tests for clearer failures and lint-aligned patterns by @Copilot in #4051
- Refactor SendRequestWithServerID to use a single inbound response logging path by @Copilot in #4054
- [test-improver] Improve tests for sys/container package by @github-actions[bot] in #4081
- [Repo Assist] fix(rust-guard): eliminate scopes.clone() in label_agent + add DIFC_MODE constant by @github-actions[bot] in #4085
- [Repo Assist] build: add test-rust Makefile target and include Rust tests in agent-finished by @github-actions[bot] in #4086
- [log] Add debug logging to config_core.go by @github-actions[bot] in #4074
- [test] Add tests for cmd.newCompletionCmd by @github-actions[bot] in #4082
- Close GitHub guard coverage gap for set_issue_fields by aligning DIFC rule grouping by @Copilot in #4104
- Refactor duplicated marshal/log paths and unify sanitized sys tool response logging by @Copilot in #4106
- Refactor utility placement: move shared helpers out of specialized files and remove micro-packages/files by @Copilot in #4117
Full Changelog: v0.2.24...v0.2.25
v0.2.24
🌟 Release Highlights
This release fixes TLS certificate validation failures when using gh and git through the DIFC proxy, and removes a GITHUB_ENV dependency that limited portability.
⚠️ Breaking Changes
TLS CA trust no longer written to GITHUB_ENV — If your workflow relied on GITHUB_ENV being populated with the proxy CA certificate path, that behavior has been removed. CA trust is now configured exclusively via process environment variables set at proxy startup. Update your workflows to rely on the process environment instead of reading from GITHUB_ENV.
🐛 Bug Fixes & Improvements
Fixed git clone and gh repo clone failures through the DIFC TLS proxy (#4042) — Commands that perform HTTPS validation (git, gh, curl, Node.js fetch, Python requests) previously failed with certificate errors when routed through awmg proxy --tls. The proxy now automatically propagates the generated CA certificate to all standard trust environment variables at startup:
| Variable | Client |
|---|---|
| GIT_SSL_CAINFO | git, gh |
| CURL_CA_BUNDLE | curl |
| NODE_EXTRA_CA_CERTS | Node.js |
| REQUESTS_CA_BUNDLE | Python requests |
| SSL_CERT_FILE | OpenSSL-based tooling |
📚 Documentation
docs/PROXY_MODE.md has been updated with CA setup guidance for gh and git workflows that do not use GITHUB_ENV automation.
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.24
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- Propagate DIFC proxy TLS CA trust to git/gh/curl via process environment by @Copilot in #4042
Full Changelog: v0.2.23...v0.2.24
v0.2.23
🌟 Release Highlights
This release delivers a targeted bug fix for DIFC proxy GraphQL endpoint routing, along with internal quality improvements to tests and debug logging.
🐛 Bug Fixes
- DIFC proxy GraphQL endpoint rewriting: Fixed incorrect endpoint rewriting for the github.com API base URL when using DIFC proxy mode. Requests to GraphQL endpoints are now correctly routed, resolving an edge case that could cause API calls to fail for standard GitHub.com configurations. (#4030)
🔧 Internal Improvements
- Improved debug logging for API key generation to aid in troubleshooting authentication flows (#4002)
- Expanded test coverage for AllowOnlyPolicy configuration parsing and scope normalization (#4012)
- Enhanced test coverage for the mcp/tool_result package (#4011)
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.23
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- Repo Assist: require explicit noop safe output when no action is taken by @Copilot in #4026
- Fix DIFC proxy GraphQL endpoint rewriting for github.com API base by @Copilot in #4030
- [log] Add debug logging to GenerateRandomAPIKey in auth/apikey.go by @github-actions[bot] in #4002
- [test-improver] Improve tests for mcp/tool_result package by @github-actions[bot] in #4011
- [test] Add tests for config.AllowOnlyPolicy.UnmarshalJSON and NormalizeScopeKind by @github-actions[bot] in #4012
Full Changelog: v0.2.22...v0.2.23
v0.2.22
🌟 Release Highlights
This release focuses on reliability improvements for non-root container deployments and GHES compatibility, along with a documentation accuracy fix for the server tools allowlist feature.
🐛 Bug Fixes & Improvements
- Non-root container support — MCP Gateway can now run as a non-privileged user (e.g., via --user $(id -u):$(id -g) in Docker). Previously, a failure to write /etc/hosts would abort startup; it is now treated as a non-fatal warning, enabling secure, rootless container deployments. (#3985)
- GHES GraphQL routing fixed — GraphQL requests routed through the DIFC proxy to GitHub Enterprise Server instances with an /api/v3 base path were being forwarded to an invalid endpoint. Requests such as /api/graphql from the gh CLI are now correctly rewritten to <host>/api/graphql, ensuring end-to-end query preservation for GHES users. (#3970)
📚 Documentation
tools field docs corrected — The Configuration Reference previously stated that the server tools field was unenforced. This has been corrected to reflect the actual runtime behavior: tools are filtered from tools/list responses and tools/call requests are denied for any tool not in the allowlist. (#3965)
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.22
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- Correct tools field documentation to match runtime allowlist enforcement by @Copilot in #3965
- Refactor MCP connection response logging and timeout default handling to remove duplication by @Copilot in #3966
- [rust-guard] Deduplicate granular repo-write tool labeling and avoid repeated path scans in file secrecy checks by @Copilot in #3967
- Refactor URL derivation and helper ownership across envutil/config/mcp by @Copilot in #3968
- Fix GHES GraphQL path handling and end-to-end query preservation in DIFC proxy when upstream is /api/v3 by @Copilot in #3970
- Make /etc/hosts write non-fatal for non-root container execution by @lpcox in #3985
Full Changelog: v0.2.21...v0.2.22
v0.2.21
🌟 Release Highlights
This release focuses on timeout correctness for HTTP backends and MCP connection handling — ensuring gateway-configured execution budgets are respected end-to-end.
🐛 Bug Fixes & Improvements
- HTTP backend timeouts now honor configured budgets (#3911): A hardcoded 120-second transport-level cap was silently overriding any tool execution budget set in the gateway config. HTTP backends now correctly respect the configured timeout, preventing unexpected truncations on long-running tools.
- MCP connect timeout uses consistent default (#3946): The 30-second hardcoded connect timeout was replaced with a named defaultConnectTimeout constant, and an invalid <= 0 guard was fixed. This makes timeout behavior predictable and easier to reason about.
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.21
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- Honor gateway tool execution budgets for HTTP backends by removing hardcoded 120s transport cap by @Copilot in #3911
- [test-improver] Improve tests for tracing package by @github-actions[bot] in #3938
- [test] Add tests for oidc.extractJWTExpiry by @github-actions[bot] in #3939
- [Repo Assist] fix(mcp): replace hardcoded 30s with defaultConnectTimeout constant, fix <= 0 guard by @github-actions[bot] in #3946
- Fix gofmt alignment in jwt_expiry_test.go by @lpcox in #3954
- Fix TestFullDIFCConfigFromJSON timeout waiting for backend connections by @lpcox in #3960
- [Repo Assist] test(mcp): add connect-timeout default behaviour tests by @github-actions[bot] in #3947
Full Changelog: v0.2.20...v0.2.21
v0.2.20
🌟 Release Highlights
This release focuses on reliability, security, and observability — introducing a rate-limit circuit breaker for backend resilience, expanded guard coverage for MCP tool mutations, and improved OpenTelemetry tracing.
✨ What's New
- 🔌 Rate-Limit Circuit Breaker (#3799) — MCP Gateway now automatically trips a circuit breaker when GitHub MCP backend tool calls encounter rate limits. This prevents cascading failures and ensures smoother degradation under load, with automatic recovery when the upstream rate limit resets.
- 📡 Enhanced OpenTelemetry Tracing (#3857) — OTel spans now include richer resource attributes, standardized HTTP semconv attributes (method, path, status code), and cached tracer lookups — giving you better observability into request flows with less overhead.
- 🛡️ Expanded Guard Coverage (#3860) — 21 granular GitHub MCP server mutation tools are now classified with precise DIFC labels, improving security posture for deployments using tool-level access controls. Deprecated tool aliases and enable_toolset DIFC rules are also now properly enforced (#3762).
- 🔐 Collaborator Permission Fallback (#3831) — Response-level integrity functions now fall back to collaborator permissions when direct permission data is unavailable, ensuring more accurate integrity labeling across a broader range of repository access patterns.
🐛 Bug Fixes & Improvements
- HTTP backend connect timeout increased to 30s (#3782) — The default connect timeout for HTTP backends has been raised from 5s to 30s and is now configurable, reducing spurious timeouts for slow-starting backend servers.
- ValidatorClient pagination & LRU cache fix (#3789) — Fixed pagination handling in ValidatorClient and corrected LRU eviction behavior in filteredServerCache, preventing stale tool-list entries from affecting guard evaluation.
- WASM guard shutdown leak fixed (#3790) — Resolved a resource leak in wazero guard shutdown, fixed logging namespace alignment, and improved typed trap detection for more reliable guard lifecycle management.
📚 Documentation
GITHUB_MCP_SERVER_TOKEN documented with correct priority order (#3761) — The token resolution order (GITHUB_MCP_SERVER_TOKEN → GITHUB_TOKEN → GITHUB_PERSONAL_ACCESS_TOKEN → GH_TOKEN) is now accurately documented. See the Environment Variables guide for details.
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.20
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- [log] Add debug logging to config_env.go gateway env functions by @github-actions[bot] in #3630
- [test-improver] Improve tests for strutil.RandomHex by @github-actions[bot] in #3636
- [test] Add tests for config.validateGatewayConfig and validateTrustedBots by @github-actions[bot] in #3637
- [log] Add debug logging to GitHub token/URL resolution in envutil by @github-actions[bot] in #3684
- [test-improver] Improve tests for httputil package by @github-actions[bot] in #3693
- [test] Add tests for cmd.registerAllFlags, registerFlagCompletions, and OTLP flag defaults by @github-actions[bot] in #3694
- [log] Add debug logging to guard policy JSON unmarshaling by @github-actions[bot] in #3733
- [test-improver] Improve tests for logger startup package by @github-actions[bot] in #3742
- [Repo Assist] refactor: replace inline truncation with strutil/sanitize utilities by @github-actions[bot] in #3750
- docs: document GITHUB_MCP_SERVER_TOKEN and fix token priority order by @lpcox in #3761
- fix(guard): cover deprecated tool aliases, enable_toolset DIFC rule, and pre-emptive CLI entries by @lpcox in #3762
- refactor(config): extract shared validateServerAuth to deduplicate auth validation by @lpcox in #3764
- refactor: deduplicate logger mutex and withLock via lockable embedding by @lpcox in #3766
- logger: address CloseAllLoggers review comments — doc fix + tests by @Copilot in #3770
- Add stdin-path test coverage for stdio server auth validation by @Copilot in #3769
- fix(guard): add enable_toolset DIFC unit test + backport coverage changes from #3762 by @Copilot in #3768
- fix: update auth validation test assertions to match new error format by @lpcox in #3778
- fix: increase HTTP backend connect timeout from 5s to 30s and make configurable by @lpcox in #3782
- rust-guard: deduplicate search-query-fallback blocks and merge blocked-tool match arms by @Copilot in #3791
- fix: ValidatorClient pagination, logger, and filteredServerCache LRU eviction by @Copilot in #3789
- wazero: fix guard shutdown leak, logging namespace, and typed trap detection by @Copilot in #3790
- Rate-limit circuit breaker for GitHub MCP backend tool calls by @Copilot in #3799
- chore: upgrade gh-aw to v0.68.2 by @lpcox in #3811
- 🔄 chore: update schema URL to v0.68.3 by @github-actions[bot] in #3842
- [Repo Assist] refactor(mcp): extract logInboundRPCResponse helper in connection.go by @github-actions[bot] in #3847
- fix: remove restrictive bash allowlist from go-logger workflow by @lpcox in #3864
- docs: fix 4 documentation discrepancies from nightly reconciliation by @Copilot in #3859
- feat(tracing): OTel resource enrichment, semconv HTTP attributes, cached tracers by @Copilot in #3857
- rust-guard: merge duplicate search_issues/search_pull_requests arms; narrow labels pub use by @Copilot in #3858
- fix: add github/gh-aw to log analyzer allowed-repos by @lpcox in #3866
- Guard coverage: classify 21 granular github-mcp-server mutation tools by @Copilot in #3860
- Add collaborator permission fallback to response-level integrity functions by @dsyme in #3831
- [test] Add tests for cmd.newProxyCmd and cmd.detectGuardWasm by @github-actions[bot] in #3839
- [test-improver] Improve tests for server/circuit_breaker by @github-actions[bot] in #3837
- [log] log(envutil): add debug logging to env var parse fallbacks by @github-actions[bot] in #3825
- fix: remove restrictive bash allowlist from test-improver workflow by @lpcox in #3887
- refactor: extract logOutboundRPCRequest helper; complete flags.go env-var table by @Copilot in #3888
- Enable cli-proxy in Copilot agent workflows to stop gh CLI bypassing MCP Gateway by @Copilot in #3893
- refactor: eliminate three near-duplicate/outlier functions flagged by semantic analysis by @Copilot in #3897
- refactor(cmd): inline trivial getDefault* env-wrapper functions by @Copilot in #3894
Full Changelog: v0.2.19...v0.2.20
v0.2.19
🌟 Release Highlights
This release delivers a critical stability fix for the WASM security guard alongside internal code quality improvements that keep the codebase lean and efficient.
🐛 Bug Fixes & Improvements
- Critical: WASM guard session poisoning on multi-byte UTF-8 content (#3713) — The WASM guard could panic when a tool response preview contained multi-byte UTF-8 characters (CJK text, emoji, accented characters). A byte-index slice across a character boundary triggered a Rust panic that became a WASM trap, permanently poisoning the guard instance and causing all subsequent MCP calls to fail with "WASM guard is unavailable after a previous trap". Fixed by using str::floor_char_boundary() for safe UTF-8-aware truncation at all three preview sites. Discovered in a real-world workflow processing Chinese-language content.
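The boundary-floor truncation described in this fix, sketched in Go as an added example (not the project's Rust guard code). In Rust the mid-character slice panics; the same byte cut in Go yields invalid UTF-8 instead, which the Valid field reports. All names are hypothetical and the sample strings are constructed.

```go
package main

import (
	"fmt"
	"unicode/utf8"
)

// Preview is a truncated log preview plus whether it is still valid UTF-8.
type Preview struct {
	Text  string
	Valid bool
}

// FloorCharBoundary returns the largest index <= limit that does not fall
// inside a multi-byte UTF-8 sequence, mirroring str::floor_char_boundary.
func FloorCharBoundary(s string, limit int) int {
	if limit >= len(s) {
		return len(s)
	}
	if limit < 0 {
		return 0
	}
	// Continuation bytes (10xxxxxx) never start a character; step back past them.
	for limit > 0 && !utf8.RuneStart(s[limit]) {
		limit--
	}
	return limit
}

// NaivePreview cuts at a raw byte index: the pattern the fix replaced.
func NaivePreview(s string, maxBytes int) Preview {
	if maxBytes > len(s) {
		maxBytes = len(s)
	}
	p := s[:maxBytes]
	return Preview{Text: p, Valid: utf8.ValidString(p)}
}

// SafePreview cuts at the nearest character boundary at or below maxBytes.
func SafePreview(s string, maxBytes int) Preview {
	p := s[:FloorCharBoundary(s, maxBytes)]
	return Preview{Text: p, Valid: utf8.ValidString(p)}
}

func main() {
	// Constructed sample tool responses: CJK text, emoji, accented character.
	for _, s := range []string{"数据库连接失败", "ok 🙂 done", "café!"} {
		fmt.Printf("%q naive=%+v safe=%+v\n", s, NaivePreview(s, 4), SafePreview(s, 4))
	}
}
```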
🔧 Internal Improvements
- Reduced redundant WASM allocations (#3710) — Eliminated a duplicate extract_repo_info JSON parse in the get_file_contents arm of the Rust guard, matching the pattern used by every other arm and reducing unnecessary allocations in the WASM runtime.
- Dead code removal (#3701) — Removed an unreachable match arm in collaborator_permission_floor and an unused MEDIUM_BUFFER_SIZE re-export, eliminating a lint suppression in the process.
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.19
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- [Repo Assist] fix(rust-guard): remove redundant match arm and unused MEDIUM_BUFFER_SIZE re-export by @github-actions[bot] in #3701
- rust-guard: make LogLevel private and deduplicate extract_repo_info call by @Copilot in #3710
- fix(guard): use UTF-8 safe string truncation in output preview logging by @lpcox in #3713
Full Changelog: v0.2.18...v0.2.19
v0.2.18
🌟 Release Highlights
This release focuses on security hardening, improved observability, and code quality improvements — with a notable new DIFC integrity feature, more flexible tool filtering, and tighter spec compliance across the gateway.
✨ What's New
- Maintainer reaction endorsement for integrity promotion/demotion (#3666): Maintainers can now explicitly endorse or demote content integrity via reactions, giving fine-grained control over DIFC labeling decisions. See the Guard Response Labeling docs for details.
- Wildcard ["*"] support in allowed-tools filtering (#3445): Configure allowed-tools: ["*"] to permit all tools from a server without enumerating them individually — simplifying configs for permissive backends.
- OIDC fail-fast validation for TOML configs (#3538): OIDC misconfiguration is now caught at startup for TOML-configured servers, preventing silent failures at request time.
- DIFC labeling for create_pull_request_with_copilot (#3651): The Copilot PR creation tool now receives correct DIFC integrity labels, ensuring policy enforcement applies consistently.
- Expanded guard coverage for CLI write operations (#3609): Three previously uncovered CLI write operations are now pre-emptively included in WRITE_OPERATIONS, closing potential gaps in write-op integrity classification.
🐛 Bug Fixes & Improvements
- Gateway timeout defaults aligned with spec §4.1.3 (#3592): Startup and tool timeout defaults now match spec-mandated values; example config and docs corrected to match (#3652).
- HTTP connection errors now visible to operators (#3514): HTTP-level connection errors are logged to stderr, making network issues easier to diagnose in production.
- WriteJSONResponse trailing newline eliminated (#3466): JSON responses now use json.Marshal instead of the encoder, removing an extraneous trailing newline that could affect downstream parsers.
- gojq module security & compatibility fixes (#3451): Permissions, import collision, and module naming issues in the gojq dependency resolved, plus version upgrade.
- go-sdk upgraded to v1.5.0 (#3610): Brings latest MCP SDK improvements and addresses items from go-fan review.
📚 Documentation
keepalive_interval and opentelemetry config fields documented (#3457): Both fields are now covered in the Configuration docs with correct defaults and usage guidance.
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.18
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- 🔄 chore: update schema URL to v0.67.3 by @github-actions[bot] in #3430
- [Repo Assist] refactor(proxy): use httputil.WriteJSONResponse for filtered/empty JSON writes by @github-actions[bot] in #3437
- [Repo Assist] refactor(logger): add InitGatewayLoggers and InitProxyLoggers helpers by @github-actions[bot] in #3438
- ci: add Rust guard unit tests to CI pipeline by @Copilot in #3396
- chore: increase daily-compliance-checker timeout to 45 minutes by @lpcox in #3453
- chore: increase nightly-docs-reconciler timeout to 45 minutes by @lpcox in #3456
- docs: document keepalive_interval and opentelemetry config fields by @lpcox in #3457
- Support wildcard ["*"] in allowed-tools filtering by @Copilot in #3445
- Deduplicate auth scheme parsing and random hex generation by @Copilot in #3450
- fix: gojq module review — permissions, collision, rename, upgrade by @Copilot in #3451
- fix: use json.Marshal in WriteJSONResponse to avoid trailing newline by @lpcox in #3466
- fix: restore method-style log prefix in listMCPItems by @Copilot in #3471
- refactor: extract generic listMCPItems helper for list* MCP operations by @lpcox in #3470
- chore: upgrade all workflows from v0.67.0 to v0.68.0 by @lpcox in #3504
- Deduplicate error CallToolResult construction, GitHub token and API URL lookups by @Copilot in #3507
- Fix: log HTTP connection errors to stderr for operator visibility by @Copilot in #3514
- Consolidate dual logging in server package to internal logger by @Copilot in #3510
- Fix integration tests broken by logging consolidation by @lpcox in #3516
- Deduplicate startup logging in cmd/root.go via logger helpers by @Copilot in #3515
- Consolidate duplicate container detection into sys.DetectContainerID by @Copilot in #3522
- Deduplicate OIDC missing env-var error message into shared helper by @Copilot in #3526
- go-sdk review: schema bypass canary test, ServerInfo logging, doc comments by @Copilot in #3531
- Fix rust-guard-test: remove unused is_update_operation and is_create_operation by @Copilot in #3536
- Reduce duplication in write-op integrity classification and MinIntegrity conversion by @Copilot in #3534
- Add OIDC fail-fast validation to TOML config path by @Copilot in #3538
- 🔄 Update schema URL to v0.68.1 by @github-actions[bot] in #3570
- Disable threat-detection in all workflows by @lpcox in #3583
- [Repo Assist] refactor: add strutil.TruncateRunes and remove lookupEnrichmentToken alias by @github-actions[bot] in #3574
- Fix lint: update test for removed lookupEnrichmentToken by @lpcox in #3586
- Rename TestLookupEnrichmentToken → TestLookupGitHubToken and wire to envutil by @Copilot in #3587
- fix: align gateway timeout defaults with spec §4.1.3 by @Copilot in #3592
- [log] config: migrate logConfig from legacy log.New to project debug logger by @github-actions[bot] in #3372
- [test-improver] Improve tests for config/validation_schema package by @github-actions[bot] in #3380
- [test] Add tests for logger.SlogHandler.Handle and related functions by @github-actions[bot] in #3381
- [log] Add debug logging to unified server utility functions by @github-actions[bot] in #3418
- [test] Add tests for logger.ToolsLogger.writeToFile and LogToolsForServer by @github-actions[bot] in #3427
- [test] Add tests for config.isDynamicTOMLPath and proxy.truncateForLog by @github-actions[bot] in #3500
- [test-improver] Improve tests for envutil package by @github-actions[bot] in #3566
- [test] Add tests for HTTPKeepaliveInterval, EnsureGatewayDefaults, SetDebug, and logger init functions by @github-actions[bot] in #3567
- Add pre-emptive guard entries for 3 CLI write operations missing from WRITE_OPERATIONS by @Copilot in #3609
- chore: upgrade go-sdk to v1.5.0 and address go-fan review items by @Copilot in #3610
- [Repo Assist] fix: remove redundant log.Printf calls from connection.go by @github-actions[bot] in #3640
- Fix incorrect default values in docs and example config for startup/tool timeouts and domain by @Copilot in #3652
- fix(rust-guard): remove redundant match arm in author_association_floor_from_str by @Copilot in #3654
- Add DIFC labeling rule for create_pull_request_with_copilot by @Copilot in #3651
- refactor: deduplicate reconnect telemetry and SSE deprecation logging in connection.go by @Copilot in...
v0.2.17
🌟 Release Highlights
This release brings container image flexibility, improved configuration validation, and several reliability fixes — making MCP Gateway more robust for production deployments.
✨ What's New
- SHA-256 digest support in container image references (#3352) — Container images can now be pinned by digest (e.g., image@sha256:…), enabling immutable, verifiable deployments. This is especially valuable in security-sensitive environments where image tags alone are insufficient.
- Fail-fast OIDC environment variable validation (#3367) — Invalid or missing OIDC configuration is now detected at startup rather than at runtime, surfacing misconfigurations immediately and preventing hard-to-diagnose failures later. See the Configuration Guide for details.
- OTLP headers now accept string format per spec v1.13.0 (#3338) — OpenTelemetry header configuration is now fully compliant with OTLP spec v1.13.0, improving interoperability with observability backends.
🐛 Bug Fixes & Improvements
- GraphQL authorAssociation injection fix (#3413) — Resolved incorrect field injection into User-type nodes in GraphQL responses, preventing malformed responses. Also adds proper 503 logging when policy is missing.
- Rust guard case-insensitive comparison fix (#3325) — Replaced to_lowercase() with eq_ignore_ascii_case() in the Rust guard for more correct and efficient string comparisons.
- Proxy handler lint fixes (#3415) — Non-constant format strings in the proxy handler have been corrected, improving code correctness and eliminating potential formatting issues.
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.17
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- Update OTLP headers to accept string format (spec v1.13.0) by @Copilot in #3338
- [Repo Assist] fix(rust-guard): replace to_lowercase() with eq_ignore_ascii_case, remove stale dead_code by @github-actions[bot] in #3325
- [test] Add tests for server.peekRequestBody and config.isTransientHTTPError by @github-actions[bot] in #3317
- [log] Add debug logging to GraphQL owner/repo and search query extraction by @github-actions[bot] in #3308
- [test-improver] Improve tests for mcp/connection package by @github-actions[bot] in #3316
- Allow SHA-256 digests in container image references by @Copilot in #3352
- Fail-fast OIDC env var validation at config load time by @Copilot in #3367
- 🔄 Update schema URL to v0.67.2 by @github-actions[bot] in #3384
- Fix non-constant format string lint errors in proxy handler by @Copilot in #3415
- Fix GraphQL authorAssociation injection into User-type nodes; log 503 on missing policy by @Copilot in #3413
Full Changelog: v0.2.16...v0.2.17
v0.2.16
🌟 Release Highlights
This release closes a security gap in allowed-tools enforcement and updates the schema validation baseline to gh-aw v0.67.1.
🔒 Security Fix: Server-Side Allowed-Tools Enforcement
Previously, the tools allow-list in your server config was parsed but never enforced at runtime — a client with raw HTTP access could bypass it by sending tools/call requests directly for tools that should be restricted.
What changed:
- tools/call enforcement: Blocked tools are now rejected with a descriptive error (IsError: true) before any backend request is made. A 403 OTEL span status is set and a WARN log is emitted.
- tools/list defense-in-depth: Non-allowed tools are filtered out during backend registration — they never appear in tools/list responses and are never registered with the SDK server.
- O(1) lookup: Allowed-tool sets are pre-computed at startup (buildAllowedToolSets), adding no per-request overhead.
No config changes required. When tools is absent or empty, all tools remain accessible — existing configurations are unaffected.
Example allow-list config:
{
  "mcpServers": {
    "github": {
      "type": "stdio",
      "container": "ghcr.io/github/github-mcp-server:latest",
      "tools": ["search_code", "get_file_contents", "list_issues"]
    }
  }
}
See the Configuration Guide for full server config options.
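The enforcement described above, as an added Go sketch (not the gateway's own code): allow-lists are precomputed once, tools/list output is filtered, and a blocked tools/call is rejected before the backend runs. It also covers the ["*"] wildcard from v0.2.18. All type and function names are hypothetical, the sample config is constructed, and failing closed for an unknown server is an assumption of the sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample config in the shape of the allow-list example above.
const sampleConfig = `{"mcpServers": {
  "github": {"tools": ["search_code", "get_file_contents", "list_issues"]},
  "open":   {},
  "wild":   {"tools": ["*"]}
}}`

// toolSet is one server's allow-list, computed once (hypothetical type).
type toolSet struct {
	allowAll bool
	names    map[string]struct{}
}

// AllowSets maps a server ID to its precomputed allow-list.
type AllowSets map[string]toolSet

// BuildAllowSets parses the config at startup; requests then cost one map lookup.
func BuildAllowSets(raw string) (AllowSets, error) {
	var cfg struct {
		MCPServers map[string]struct {
			Tools []string `json:"tools"`
		} `json:"mcpServers"`
	}
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	sets := make(AllowSets, len(cfg.MCPServers))
	for id, srv := range cfg.MCPServers {
		// Absent or empty "tools" leaves every tool accessible.
		ts := toolSet{allowAll: len(srv.Tools) == 0, names: map[string]struct{}{}}
		for _, name := range srv.Tools {
			ts.allowAll = ts.allowAll || name == "*" // wildcard added in v0.2.18
			ts.names[name] = struct{}{}
		}
		sets[id] = ts
	}
	return sets, nil
}

// Allowed reports whether tool may be used on server.
func (s AllowSets) Allowed(server, tool string) bool {
	ts, known := s[server]
	if !known {
		return false // assumption of this sketch: unknown servers fail closed
	}
	_, listed := ts.names[tool]
	return ts.allowAll || listed
}

// FilterList drops non-allowed tools so they never reach a tools/list response.
func (s AllowSets) FilterList(server string, advertised []string) []string {
	kept := make([]string, 0, len(advertised))
	for _, t := range advertised {
		if s.Allowed(server, t) {
			kept = append(kept, t)
		}
	}
	return kept
}

// ToolResult carries the IsError flag the release notes mention.
type ToolResult struct {
	IsError bool
	Text    string
}

// CallTool rejects a blocked tool before the backend is contacted.
func (s AllowSets) CallTool(server, tool string, backend func(string) (string, error)) ToolResult {
	if !s.Allowed(server, tool) {
		return ToolResult{IsError: true, Text: fmt.Sprintf("tool %q is not allowed on server %q", tool, server)}
	}
	out, err := backend(tool)
	if err != nil {
		return ToolResult{IsError: true, Text: err.Error()}
	}
	return ToolResult{Text: out}
}

func main() {
	sets, err := BuildAllowSets(sampleConfig)
	if err != nil {
		panic(err)
	}
	backend := func(tool string) (string, error) { return "ok:" + tool, nil }
	fmt.Println(sets.FilterList("github", []string{"search_code", "create_issue"}))
	fmt.Println(sets.CallTool("github", "create_issue", backend))
}
```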
🔧 Maintenance
- Updated MCP Gateway JSON schema validation URL to gh-aw v0.67.1 for reproducible, deterministic configuration validation.
🐳 Docker Image
The Docker image for this release is available at:
docker pull ghcr.io/github/gh-aw-mcpg:v0.2.16
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest
Supported platforms: linux/amd64, linux/arm64
For complete details, see the full release notes.
What's Changed
- Gateway: enforce allowed-tools filtering server-side on tools/list and tools/call by @Copilot in #3334
- Gateway: enforce allowed-tools filtering server-side on tools/list and tools/call by @Copilot in #3333
- 🔄 chore: update schema URL to gh-aw v0.67.1 by @github-actions[bot] in #3318
Full Changelog: v0.2.15...v0.2.16