Skip to content

Releases: github/gh-aw-mcpg

v0.2.12

03 Apr 03:56
@github-actions github-actions
v0.2.12
ffd3b1b
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.12 Latest
Latest

🌟 Release Highlights

This release focuses on reliability and observability β€” introducing automated health monitoring for backend MCP servers, improved documentation, and several quality-of-life fixes.

✨ What's New

  • Periodic Health Monitoring & Auto-Restart (#3022): MCP Gateway now continuously monitors backend MCP servers and automatically restarts them if they become unhealthy (per spec Β§8). This means fewer manual interventions when a backend server crashes or hangs β€” the gateway recovers on its own.

πŸ› Bug Fixes & Improvements

  • Session Expiry During Long-Running Tasks (#3079): Fixed an issue where safeoutputs sessions could expire during extended agent task executions, causing failures near the end of long operations.
  • Firewall/API-Proxy Image Alignment (#3012): Corrected a version mismatch where firewall agent and API-proxy container images were pinned to an outdated version (0.25.6), ensuring consistent behavior across all gateway components.
  • jq Middleware Improvements (#3026): Internal improvements to the jq payload processing middleware following a module review β€” improves correctness and maintainability of large payload handling.

πŸ“š Documentation

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.12
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • chore: Upgrade agentic workflows to gh-aw v0.65.3 by @lpcox in #3007
  • fix: align firewall agent/api-proxy images to 0.25.6 by @lpcox in #3012
  • πŸ”„ chore: update schema URL to v0.65.2 by @github-actions[bot] in #2991
  • [Repo Assist] refactor(server): remove writeJSONResponse passthrough wrapper by @github-actions[bot] in #3001
  • docs: document OIDC auth for HTTP servers and advanced CLI flags by @lpcox in #3017
  • refactor: deduplicate search scope and author integrity in tool_rules.rs by @lpcox in #3019
  • feat: periodic health monitoring and auto-restart for backend servers (spec Β§8) by @lpcox in #3022
  • refactor: jq middleware improvements from gojq module review by @lpcox in #3026
  • refactor: remove redundant config default fallbacks in server and launcher by @lpcox in #3032
  • fix: prevent safeoutputs session expiry during long-running agent tasks by @Copilot in #3079
  • πŸ”„ chore: update schema URL to v0.65.5 by @github-actions[bot] in #3060

Full Changelog: v0.2.11...v0.2.12

Contributors

lpcox
Assets 8
Loading

v0.2.11

01 Apr 04:12
@github-actions github-actions
v0.2.11
1631b99
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.11

🌟 Release Highlights

This release focuses on reliability and performance improvements, including accurate health monitoring, faster WASM guard startup, and a self-contained config schema β€” plus an expanded test suite and numerous internal code quality improvements.

✨ What's New

  • Embedded config schema (#2933): The MCP Gateway config JSON schema is now bundled directly into the binary via go:embed, eliminating the dependency on the external schema URL. No internet access needed to validate your configuration.

  • Debug logging for HTTP transport (#2906): Added a debug logger to the MCP HTTP transport layer, making it easier to trace request/response flows when troubleshooting backend connectivity issues.

πŸ› Bug Fixes & Improvements

  • Accurate health endpoint (#2938): The /health endpoint now reports real server status and uptime rather than stale or approximate values β€” health checks and monitoring tools will reflect the true state of backend MCP servers.

⚑ Performance

  • WASM guard startup time reduced (#2956): Added a wazero compilation cache for WASM security guards. Subsequent guard loads reuse compiled artifacts, significantly reducing startup overhead for deployments using WASM-based guards.

πŸ“š Documentation

  • Updated CONTRIBUTING.md (#2957): Added missing internal packages (proxy, difc, syncutil) and documented proxy mode to help contributors navigate the codebase.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.11
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • πŸ”„ chore: update schema URL to v0.65.0 by @github-actions[bot] in #2919
  • Bundle MCP gateway config schema in binary via go:embed by @Copilot in #2933
  • [Repo Assist] test(server): add direct unit tests for SessionIDFromContext and NewSession by @github-actions[bot] in #2893
  • [log] mcp: add debug logger to http_transport.go by @github-actions[bot] in #2906
  • [test-improver] Improve tests for logger/jsonl_logger package by @github-actions[bot] in #2915
  • [test] Add tests for proxy.ServeHTTP, handleWithDIFC, passthrough, and forwardAndReadBody by @github-actions[bot] in #2916
  • [Repo Assist] refactor(logger): eliminate withLock duplication across 4 logger types by @github-actions[bot] in #2920
  • fix: track real server status and uptime in health endpoint by @Copilot in #2938
  • refactor: deduplicate withLock() across logger types by @Copilot in #2939
  • refactor: eliminate duplicate code patterns (logger + server) by @lpcox in #2950
  • perf: add wazero compilation cache and wasm guard improvements by @lpcox in #2956
  • docs: add missing packages and proxy mode to CONTRIBUTING.md by @lpcox in #2957
  • refactor: Deduplicate integrity label builders in Rust guard by @lpcox in #2963
  • refactor: Go SDK usage improvements from module review by @lpcox in #2967

Full Changelog: v0.2.10...v0.2.11

Contributors

lpcox
Loading

v0.2.10

31 Mar 03:45
@github-actions github-actions
v0.2.10
3b4c53f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.10

🌟 Release Highlights

This release focuses on security hardening with expanded DIFC label coverage, GitHub Actions OIDC authentication for HTTP MCP servers, and improved integrity filtering based on collaborator permissions.

✨ What's New

  • GitHub Actions OIDC Authentication (#2878): Custom HTTP MCP servers can now authenticate using GitHub Actions OIDC tokens β€” enabling more secure, credential-free authentication in CI/CD workflows. See the Proxy Mode docs for configuration details.

  • Collaborator Permission–Based Integrity Filtering (#2863): Integrity filtering now uses collaborator permission levels for more accurate and meaningful access control decisions, ensuring the right level of trust is applied based on actual repository permissions.

  • Expanded DIFC Labels for Write Tools (#2873): DIFC security labels now cover 30 additional write tools, closing gaps in information flow control coverage and reducing the attack surface for sensitive write operations. See the Guard Response Labeling docs.

  • DIFC Proxy Feature Enabled on All Guarded Workflows (#2885): The difc-proxy feature flag is now active across all guarded workflows, providing consistent DIFC enforcement throughout the request pipeline.

  • MCP Gateway Spec v1.9.0 (#2850): Updated to MCP Gateway specification version 1.9.0. See the Configuration docs for compatibility details.

πŸ› Bug Fixes & Improvements

  • Broader Guard Coverage for gh repo Operations (#2806): All modifying gh repo operations are now blocked by the guard, preventing unintended repository mutations.

  • Repo-Assist Min-Integrity Adjustment (#2890): The repo-assist minimum integrity level has been lowered to unapproved, allowing it to function correctly in more workflow scenarios.

  • Code Deduplication in Server & Guard Packages (#2852): Eliminated three duplicate-code patterns across server and guard packages, improving maintainability and reducing the risk of inconsistent behavior.

πŸ“š Documentation

  • Proxy Mode Auth Token Docs (#2821): The Proxy Mode guide now documents GITHUB_PERSONAL_ACCESS_TOKEN as an authentication option, clarifying supported token types for proxy mode configurations.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.10
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • Guard coverage: block all modifying gh repo operations by @Copilot in #2806
  • docs: add GITHUB_PERSONAL_ACCESS_TOKEN to proxy mode auth token docs by @Copilot in #2821
  • [log] Add debug logging to config/docker_helpers.go by @github-actions[bot] in #2824
  • [test-improver] Improve tests for version package by @github-actions[bot] in #2833
  • [test] Add tests for proxy.replaceNodesArray by @github-actions[bot] in #2834
  • πŸ”„ chore: update schema URL to v0.64.4 by @github-actions[bot] in #2836
  • bump MCPGatewaySpecVersion to 1.9.0 by @Copilot in #2850
  • rust-guard: remove dead permissions.rs and deduplicate username lookup by @Copilot in #2851
  • fix: eliminate three duplicate-code patterns across server and guard packages by @Copilot in #2852
  • feat: use collaborator permission level for integrity filtering by @lpcox in #2863
  • chore: upgrade gh-aw to v0.64.5 and recompile all workflows by @lpcox in #2871
  • feat(guard): add DIFC labels for 30 write tools and clean up stale entries by @lpcox in #2873
  • fix(guard): resolve all Rust clippy warnings by @lpcox in #2874
  • feat: GitHub Actions OIDC token authentication for custom HTTP MCP servers by @Copilot in #2878
  • feat: enable difc-proxy feature flag on all guarded workflows by @lpcox in #2885
  • fix: lower repo-assist min-integrity to unapproved by @lpcox in #2890

Full Changelog: v0.2.9...v0.2.10

Contributors

lpcox
Loading

v0.2.9

29 Mar 18:40
@github-actions github-actions
v0.2.9
e17005a
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.9

🌟 Release Highlights

This release focuses on security guard hardening, documentation improvements, and internal code quality β€” tightening access controls, improving observability docs, and reducing technical debt.

πŸ” Security & Guard Improvements

  • Expanded write-op guard coverage β€” pin_issue and unpin_issue are now properly classified as write operations, and transfer_repository is unconditionally blocked to prevent accidental or malicious repository transfers. (#2750)
  • Trusted bot recognition β€” copilot-swe-agent is now recognized as a trusted first-party bot, ensuring correct policy application when it acts as an agent. (#2777)

πŸ“š Documentation

  • AWF pipeline environment variable lifecycle β€” A new reference doc covers how environment variables flow through AWF pipelines, helping operators understand variable scoping and availability. (#2781) β€” See docs/AWF_PIPELINE_ENVIRONMENT_VARIABLES.md
  • Trusted users & bot flags documented β€” The --trusted-bots and --trusted-users flags, trusted-users config, and PORT fallback behavior are now fully documented. (#2789) β€” See docs/CONFIGURATION.md

πŸ› Bug Fixes

  • Logging correctness β€” Fixed duplicate log entries in session.go and misuse of logUnified, eliminating noisy or misleading log output. (#2788)
  • Static analysis fix β€” Removed redundant io.Writer type annotation flagged by staticcheck (QF1011). (#2780)

πŸ”§ Internal Improvements

  • Shared httputil package extracted to eliminate duplicate JSON response helpers across mcp and cmd packages.
  • Reduced duplicate code across loggers, validation, and session handling.
  • Debug logger added to cmd/proxy.go for improved proxy observability.
  • Expanded test coverage for FileLogger, ParsePolicyMap, ParseServerGuardPolicy, BuildAllowOnlyPolicy, and the new httputil package.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.9
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • Guard coverage: add pin_issue/unpin_issue write ops; unconditionally block transfer_repository by @Copilot in #2750
  • [log] Add debug logger to cmd/proxy.go by @github-actions[bot] in #2752
  • [test-improver] Improve tests for logger/FileLogger by @github-actions[bot] in #2760
  • [test] Add tests for config.ParsePolicyMap, ParseServerGuardPolicy, BuildAllowOnlyPolicy by @github-actions[bot] in #2761
  • fix(guard): add copilot-swe-agent to trusted first-party bots by @Copilot in #2777
  • chore: recompile all workflows with gh-aw v0.64.3 by @lpcox in #2779
  • fix: remove redundant io.Writer type annotation (staticcheck QF1011) by @lpcox in #2780
  • docs: add AWF pipeline environment variable lifecycle reference by @Copilot in #2781
  • Remove duplicate logging in session.go, fix logUnified misuse by @Copilot in #2788
  • docs: document trusted-users, --trusted-bots/--trusted-users flags, and PORT fallback by @Copilot in #2789
  • refactor: reduce duplicate code in loggers, validation, and session handling by @Copilot in #2790
  • refactor: extract shared httputil, remove trivial wrappers in mcp and cmd by @Copilot in #2794
  • test: add unit tests for internal/httputil package by @lpcox in #2800

Full Changelog: v0.2.8...v0.2.9

Contributors

lpcox
Loading

v0.2.8

28 Mar 18:14
@github-actions github-actions
v0.2.8
2ab0c8d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.8

🌟 Release Highlights

v0.2.8 is a focused security, stability, and correctness release β€” hardening session handling, improving DIFC label precision, and resolving several race conditions and integration issues.

πŸ”’ Security Improvements

  • Session ID truncation in logs (#2731): Session IDs (API keys) are now consistently truncated across all log calls in session.go, preventing accidental plaintext credential exposure in log files and debug output.
  • Scoped DIFC labels (#2641): The generic secret secrecy tag has been replaced with scoped private:owner/repo labels, enabling finer-grained information flow control that accurately reflects the owning repository context. See the Guard Response Labeling docs for details.

πŸ› Bug Fixes

  • Race condition in session pool (#2634): Eliminated a race condition in SessionConnectionPool.Get that could cause intermittent failures under concurrent load.
  • GHEC proxy support via GITHUB_SERVER_URL (#2676): Proxy mode now correctly detects and routes requests when GITHUB_SERVER_URL points to a GitHub Enterprise Cloud (GHEC) instance. See the Proxy Mode docs.
  • WASM guard panic handling (#2698): WASM guard traps (panics) are now detected, logged with context, and the failed module is marked as such β€” preventing silent failures from propagating through the guard pipeline.
  • go-sdk integration fixes (#2647): Corrected content types, error messages, pagination behavior, and tool annotations in the go-sdk integration layer for more reliable MCP protocol compliance.

πŸ“š Documentation

  • gateway.port clarified (#2733): The docs now explicitly note that gateway.port does not affect the server's listen address (use --listen flag for that) and the trustedBots configuration field is now documented. See the Configuration docs.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.8
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • [Repo Assist] fix(launcher): eliminate race condition in SessionConnectionPool.Get by @github-actions[bot] in #2634
  • πŸ”„ chore: update schema URL to v0.64.2 by @github-actions[bot] in #2637
  • Replace secret secrecy tag with scoped private:owner/repo labels by @Copilot in #2641
  • rust-guard: consolidate github-baseline match arms + add Display for ScopeKind by @Copilot in #2640
  • refactor: move ExpandEnvArgs and NormalizeScopeKind to correct packages by @Copilot in #2645
  • refactor(proxy): extract writeJSONResponse and forwardAndReadBody helpers in handler.go by @Copilot in #2646
  • Fix go-sdk integration: content types, error messages, pagination, tool annotations by @Copilot in #2647
  • Remove unused callListMethod function by @lpcox in #2657
  • [test-improver] Improve tests for mcp package by @github-actions[bot] in #2567
  • [test] Add tests for server.logServerGuardPolicies by @github-actions[bot] in #2577
  • [test-improver] Improve tests for mcptest harness by @github-actions[bot] in #2631
  • [test] Add tests for server.registerAllTools and related tool_registry functions by @github-actions[bot] in #2656
  • fix: update mcp test mocks for SDK streamable transport by @lpcox in #2664
  • fix: confirm and surface proxy mode GITHUB_SERVER_URL support for GHEC by @Copilot in #2676
  • fix: replace ${PWD} with absolute path placeholder in config.toml serena entry by @Copilot in #2681
  • Add comprehensive safe-outputs configuration enforcement smoke tests by @Copilot in #2685
  • chore: recompile workflows for gh-aw v0.64.2 and fix safeoutput smoke tests by @lpcox in #2688
  • [log] Add debug logging to server/session.go by @github-actions[bot] in #2673
  • fix: detect and log WASM guard traps; mark module failed after panic by @Copilot in #2698
  • fix(security): truncate session IDs in all log calls in session.go by @Copilot in #2731
  • [log] Add debug logging to internal/proxy/graphql_rewrite.go by @github-actions[bot] in #2710
  • [test-improver] Improve tests for difc package by @github-actions[bot] in #2716
  • [test] Add tests for guard.parseResourceResponse and guard.parseCollectionLabeledData by @github-actions[bot] in #2717
  • docs: clarify gateway.port has no effect on listen address; document trustedBots field by @Copilot in #2733
  • fix: resolve duplicate test declarations and fix wantOperation defaults by @lpcox in #2737

Full Changelog: v0.2.7...v0.2.8

Contributors

lpcox
Loading

v0.2.7

27 Mar 00:12
@github-actions github-actions
v0.2.7
45c06fc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.7

🌟 Release Highlights

This release focuses on GitHub Enterprise Cloud (GHEC) tenant support, improved session reliability, and better HTTP backend compatibility β€” alongside several security guard enhancements and internal quality improvements.

✨ What's New

  • GHEC Tenant Support (#2481, #2484): MCP Gateway now correctly handles GitHub Enterprise Cloud tenants in both proxy routing and guard URL parsing, including port-safe GHEC detection in API URL derivation. Configure via GITHUB_SERVER_URL or GITHUB_API_URL for seamless GHEC integration. See Proxy Mode docs for details.

  • Trusted Users in AllowOnly Guard (#2584): The allow-only guard policy now supports a trusted-users list, allowing specific users to receive elevated integrity levels β€” enabling fine-grained control over who can perform sensitive operations. See Guard Response Labeling.

πŸ› Bug Fixes & Improvements

  • Transparent Session Reconnection (#2597): Expired MCP backend sessions are now reconnected automatically and transparently, with an extended session timeout. No more unexpected disconnections from long-running workflows.

  • HTTP Backend Compatibility (#2608): Fixed HTTP 400 errors on tools/list for HTTP backends that use custom authentication headers (e.g., Atlassian MCP). The gateway now correctly forwards auth headers on capability discovery requests.

  • Guard Write Classification (#2613): Pre-emptive write classification added for set_variable, upload_release_asset, and sync_fork tools, ensuring these operations are correctly guarded before execution rather than after.

  • Schema Fetch Reliability (#2582): Added retry logic with exponential backoff for schema fetches, making the gateway resilient to transient HTTP errors on startup.

  • Accurate DIFC Filter Notices (#2518): Filter notices now correctly distinguish between secrecy and integrity violations, giving users clearer information about why a tool response was filtered.

  • Trusted Bot Elevation Fix (#2574): Corrected configured trusted-bot elevation in apply_tool_labels so explicitly trusted bots receive the correct integrity levels.

πŸ“š Documentation

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.7
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • fix: port-safe GHEC detection in deriveAPIFromServerURL by @Copilot in #2484
  • feat: GHEC tenant support for proxy and guard URL parsing by @lpcox in #2481
  • πŸ”„ chore: update schema URL to v0.63.1 by @github-actions[bot] in #2503
  • refactor: eliminate truncateForLog duplicate, simplify ValidateDIFCMode, split unified.go by @Copilot in #2497
  • [rust-guard] Consolidate identical repo-scoped match arms and extract approval-label promotion helper by @Copilot in #2508
  • Add DIFC integrity audit tests: detection failure rate, audit trail, safe_outputs blocking by @Copilot in #2514
  • fix: distinguish secrecy vs integrity in filtered notice by @Copilot in #2518
  • Remove duplicate log calls where global structured logger already covers the event by @Copilot in #2522
  • refactor: Extract shared LogConnectionError to eliminate duplicate connection error diagnostics by @Copilot in #2524
  • Extract syncutil.GetOrCreate to eliminate double-check locking duplication by @Copilot in #2531
  • docs: add proxy mode env vars to ENVIRONMENT_VARIABLES.md and link gateway compatibility reference from README by @Copilot in #2541
  • [test-improver] Improve tests for mcp package (ExpandEnvArgs) by @github-actions[bot] in #2499
  • [test] Add tests for server.callBackendTool DIFC phases by @github-actions[bot] in #2513
  • [log] Add debug logger to internal/server/guard_init.go by @github-actions[bot] in #2528
  • fix: update DIFC test assertions to match new notice format by @lpcox in #2552
  • refactor: relocate SysServer to server package, IsRunningInContainer to sys package by @Copilot in #2549
  • πŸ”„ chore: update schema URL to v0.64.0 by @github-actions[bot] in #2572
  • rust-guard: fix configured trusted bot elevation in apply_tool_labels + deduplicate item collection by @Copilot in #2574
  • [Repo Assist] refactor(cmd): add getDefault helpers for all DIFC flag env vars by @github-actions[bot] in #2569
  • fix: add retry with exponential backoff to schema fetch for transient HTTP errors by @Copilot in #2582
  • feat: add trusted-users list to AllowOnly guard policy for user integrity elevation by @Copilot in #2584
  • refactor(difc): reduce boilerplate duplication in agent.go and labels.go by @Copilot in #2591
  • fix: reconnect expired MCP backend sessions transparently, extend server session timeout by @Copilot in #2597
  • feat: add gateway issue dispatcher workflow by @lpcox in #2603
  • Fix HTTP 400 on tools/list for HTTP backends with custom auth headers (Atlassian MCP) by @Copilot in #2608
  • fix(guard): pre-emptive write classification for set_variable, upload_release_asset, sync_fork by @Copilot in #2613
  • [log] Add debug logging to container detection in sys/container.go by @github-actions[bot] in #2598
  • fix: update HTTP backend mock tests for SDK streamable transport by @lpcox in #2619

Full Changelog: v0.2.6...v0.2.7

Contributors

lpcox
Loading

v0.2.6

24 Mar 22:20
@github-actions github-actions
v0.2.6
80771b0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.6

🌟 Release Highlights

This release tightens security and correctness in the GitHub MCP guard layer, with improved DIFC labeling accuracy, expanded guard coverage, and developer-experience improvements.

πŸ› Bug Fixes & Improvements

  • Correct secrecy labeling for Actions data β€” actions_get and get_job_logs now derive secrecy from repository visibility rather than using an incorrect default, ensuring private repo workflow data is handled with appropriate confidentiality labels. (#2463)
  • Five GitHub MCP guard coverage gaps closed β€” Write-operation classification, DIFC labeling, and future-proofing fixes address gaps where certain tool responses were not correctly classified or labeled by the guard layer, improving overall security posture. (#2461)

πŸ”§ Internal Improvements

  • Go module drift detection β€” A new tidy-check Makefile target and CI step detect go.mod/go.sum drift automatically, preventing dependency inconsistencies from landing in the codebase. (#2456)
  • Enhanced debug logging for stdin config β€” Additional debug logging in config/config_stdin.go makes it easier to diagnose JSON-over-stdin configuration issues. (#2464)
  • DIFC format function test coverage β€” New tests for difc.formatIntegrityLevel and difc.formatSecrecyLevel improve confidence in label formatting correctness. (#2444)
  • Rust guard code cleanup β€” Removed dead code (is_owner), cleaned up stale #[allow(dead_code)] annotations, and extracted resolve_search_scope for clarity. (#2434)

πŸ“š Documentation

  • CONTRIBUTING.md accuracy fixes β€” Corrected discrepancies around port numbers, wazero references, and the test-container-proxy target to match current project reality. (#2471)

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.6
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • rust-guard: remove dead is_owner, strip stale #[allow(dead_code)] on get_nested_str, extract resolve_search_scope by @Copilot in #2434
  • [test] Add tests for difc.formatIntegrityLevel and difc.formatSecrecyLevel by @github-actions[bot] in #2444
  • [WIP] Add tidy-check Makefile target and CI step for go.mod/go.sum drift detection by @Copilot in #2456
  • fix: use repo visibility for actions_get and get_job_logs secrecy by @lpcox in #2463
  • fix(guard): close 5 GitHub MCP guard coverage gaps β€” write classification, DIFC labeling, and future-proofing by @Copilot in #2461
  • [log] Add debug logging to config/config_stdin.go by @github-actions[bot] in #2464
  • docs: fix CONTRIBUTING.md discrepancies (port, wazero, test-container-proxy) by @Copilot in #2471

Full Changelog: v0.2.5...v0.2.6

Contributors

lpcox
Loading

v0.2.5

24 Mar 18:00
@github-actions github-actions
v0.2.5
d880454
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.5

🌟 Release Highlights

This release brings a new integrity audit workflow, a performance improvement to payload processing, and continued quality improvements.

✨ What's New

  • Daily Integrity Filtering Audit (#2439): A new automated workflow runs daily to audit integrity filtering behavior, improving observability and confidence in the guard/DIFC labeling pipeline.

⚑ Performance

  • Reduced Memory Allocation in Payload Preview (#2428): Eliminated a large string allocation when building payload previews, lowering memory pressure when handling large MCP tool responses.

πŸ”§ Internal

  • Updated schema URL to v0.63.0 for MCP protocol compatibility (#2431).
  • Improved test coverage for the proxy/graphql_rewrite package (#2426).

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.5
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • πŸ”„ chore: update schema URL to v0.63.0 by @github-actions[bot] in #2431
  • [Repo Assist] perf: avoid large string allocation when building payload preview by @github-actions[bot] in #2428
  • [test-improver] Improve tests for proxy/graphql_rewrite package by @github-actions[bot] in #2426
  • feat: add daily integrity filtering audit workflow by @lpcox in #2439

Full Changelog: v0.2.4...v0.2.5

Contributors

lpcox
Loading

v0.2.4

24 Mar 05:20
@github-actions github-actions
v0.2.4
8ea91b0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.4

🌟 Release Highlights

This release improves proxy compatibility with github-script integrations and updates workflows for gh-aw v0.63.0, with a focus on correctness of response envelope handling.

✨ What's New

  • Proxy + github-script smoke tests β€” End-to-end tests now validate the proxy integration with github-script, catching regressions in real-world workflow scenarios. Workflows have been recompiled for compatibility with gh-aw v0.63.0. (#2412)

πŸ› Bug Fixes & Improvements

  • Proxy response envelope fix β€” Corrected malformed response envelopes in proxy mode, ensuring downstream github-script consumers receive well-structured JSON-RPC responses. Accompanying smoke tests help prevent regressions. (#2420)

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.4
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • feat: add proxy+github-script smoke test, recompile workflows for gh-aw v0.63.0 by @lpcox in #2412
  • fix: proxy response envelopes + smoke test for github-script integration by @lpcox in #2420

Full Changelog: v0.2.3...v0.2.4

Contributors

lpcox
Loading

v0.2.3

24 Mar 03:49
@github-actions github-actions
v0.2.3
bc4b892
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.3

🌟 Release Highlights

This release focuses on correctness fixes in the Rust-based security guard layer, CLI robustness improvements, and expanded test coverage for configuration loading.

πŸ› Bug Fixes & Improvements

  • Guard: search_repositories labeling fixed β€” The Rust guard now uses the correct JSON pointer key when labeling search_repositories responses, ensuring results are properly integrity-labeled rather than silently skipped. (#2407)

  • Guard: GraphQL-format search results & bot-author filtering β€” The guard now correctly handles both REST (total_count) and GraphQL (totalCount) search response shapes, and bot-author filtering works reliably across formats. (#2403)

  • CLI: improved error handling and validation β€” SilenceErrors prevents duplicate error output, proxy mode is now validated at startup with a clear error message, and CLI flags for DIFC modes include shell completion enums for a better developer experience. (#2384)

  • Guard: dead code and stale logger removed β€” Cleaned up a dead logger in NoopGuard and removed stale #[allow(dead_code)] annotations in the Rust guard backend, reducing noise during builds. (#2382, #2393)

  • Build stability β€” Inline getDefault* helpers and renamed duplicate test functions to resolve build failures introduced by a partial refactor. (#2394)

πŸ§ͺ Testing

  • Added tests for config.LoadFromFile and related helpers, improving confidence in configuration parsing across TOML and JSON formats. (#2381)

πŸ”§ Internal

  • Updated MCP schema URL to v0.62.5. (#2345)
  • Repo-assist baseline updated to use ghcr.io/github/gh-aw-mcpg:v0.2.2. (#2388)

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.2.3
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

For complete details, see the full release notes.

Generated by Release

What's Changed

  • Use published ghcr.io/github/gh-aw-mcpg:v0.2.2 for repo-assist baseli… by @lpcox in #2388
  • πŸ”„ chore: update schema URL to v0.62.5 by @github-actions[bot] in #2345
  • [Repo Assist] fix(cmd): SilenceErrors, remove dup log, validate proxy mode, add enum completions by @github-actions[bot] in #2384
  • [Repo Assist] refactor(cmd): inline trivial os.Getenv wrappers in flags_difc.go by @github-actions[bot] in #2383
  • [Repo Assist] fix(rust-guard): remove stale #[allow(dead_code)] from backend.rs by @github-actions[bot] in #2382
  • [test] Add tests for config.LoadFromFile and related helpers by @github-actions[bot] in #2381
  • Fix build: inline removed getDefault* helpers, rename duplicate tests by @lpcox in #2394
  • Fix NoopGuard dead logger, extract emptyAgentLabelsResult helper, resolve broken references from partial refactor by @Copilot in #2393
  • fix(rust-guard): use correct JSON pointer key for search_repositories response by @Copilot in #2407
  • fix(rust-guard): handle GraphQL-format search results and bot-author filtering by @lpcox in #2403

Full Changelog: v0.2.2...v0.2.3

Contributors

lpcox
Loading