v0.28.3

What's Changed

• Resolve authz ConfigMap for VirtualMCPServer by @blkt in #5290
• Upgrade golang.org/x/crypto to v0.52.0 by @amirejaz in #5366
• Enable Renovate vulnerability alerts to trigger immediately by @amirejaz in #5367
• Restore ServerBuilder.WithMiddleware and WithRoute by @reyortiz3 in #5369
• Mirror MCPExternalAuthConfig Valid=False onto consumer CR conditions by @tgrunnagle in #5354
• Release v0.28.3 by @toolhive-release-app[bot] in #5370

Full Changelog: v0.28.2...v0.28.3

v0.28.2

What's Changed

• Honor --allow-private-ip on thv registry login --registry by @reyortiz3 in #5353
• Remove unreachable functions identified by deadcode analysis by @ChrisJBurns in #5355
• Fix DCR failure for authorization servers with non-root issuer paths by @amirejaz in #5357
• Wire OBO dispatch arms and reconciler branch by @tgrunnagle in #5345
• Release v0.28.2 by @toolhive-release-app[bot] in #5363

Full Changelog: v0.28.1...v0.28.2

v0.28.1

What's Changed

• Use shared toolhive-core redis client for session storage by @reyortiz3 in #5324
• Bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 by @dependabot[bot] in #5330
• fix(operator): inject THV_SESSION_REDIS_PASSWORD for MCPServer by @dallinstevens in #5286
• fix: validate k8s export volume format by @immanuwell in #5319
• Update dependency kyverno/chainsaw to v0.2.15 by @renovate[bot] in #5297
• Update kyverno/action-install-chainsaw action to v0.2.15 by @renovate[bot] in #5298
• Update module github.com/pelletier/go-toml/v2 to v2.3.1 by @renovate[bot] in #5311
• Use events.k8s.io in registry-api Role by @rdimitrov in #5340
• Preserve fresh per-request identity in vMCP backend transports by @tgrunnagle in #5335
• Factor thv-operator main into app.Run; add proxyrunner Run helper by @tgrunnagle in #5332
• Add CIMD document fetch/validate and extend SSRF protections by @amirejaz in #5320
• Add default OBO handler hooks and vMCP/proxy converter stubs by @tgrunnagle in #5338
• Inject spawn seam in RunWorkloadDetached to stop orphan test processes by @tgrunnagle in #5346
• Release v0.28.1 by @toolhive-release-app[bot] in #5352

New Contributors

• @immanuwell made their first contribution in #5319

Full Changelog: v0.28.0...v0.28.1

v0.28.0

What's Changed

• Update module github.com/modelcontextprotocol/registry to v1.7.7 [SECURITY] by @renovate[bot] in #5230
• Add TOOLHIVE_SKIP_UPDATE_CHECK env var to disable update checks by @lujunsan in #5264
• Add RFC 7523 JWT Bearer grant package by @jhrozek in #5262
• Extract DCR resolver into pkg/auth/dcr by @tgrunnagle in #5198
• Wire identityFromToken into the OAuth2 upstream provider by @jhrozek in #5222
• Add API endpoint to refresh the registry cache by @rdimitrov in #5268
• Retry OAuth token refresh on infrastructure 4xx by @gkatz2 in #5170
• docs: remove stale chart version bump guidance from check-contribution skill by @wucm667 in #5211
• Configure rate limits on VirtualMCPServer PR A by @Sanskarzz in #5079
• Migrate CLI OAuth flow to pkg/auth/dcr resolver by @tgrunnagle in #5250
• Drop legacy registry schema from release artifacts by @rdimitrov in #5273
• Watch authz ConfigMaps from VirtualMCPServer by @blkt in #5271
• Split api-workloads E2E suite into parallel entries by @jhrozek in #5275
• Update module github.com/stacklok/toolhive-catalog to v0.20260513.0 by @renovate[bot] in #5274
• Add identityFromToken to MCPExternalAuthConfig CRD by @jhrozek in #5269
• Reset RunWorkload retry counter after stable run by @gkatz2 in #5172
• Drop per-component CRD and controller gating from operator install by @ChrisJBurns in #5281
• Fix wrapper name in api-compat workflow comments by @ChrisJBurns in #5282
• Pin helm-crd-wrapper to v0.0.1 by @ChrisJBurns in #5283
• Fix operator RBAC for event recording by @pl4nty in #5243
• Add GitHub Copilot CLI as a supported MCP client by @danbarr in #5287
• Wire identityFromToken through authserver config and runtime by @jhrozek in #5285
• References printcolumn shows raw JSON instead of useful summary by @Sanskarzz in #5267
• Fix audit events logged as INFO+2 instead of AUDIT by @kimjune01 in #5256
• Update github/codeql-action digest to 9e0d7b8 by @renovate[bot] in #5295
• Update module github.com/cedar-policy/cedar-go to v1.6.1 by @renovate[bot] in #5307
• Update golang.org/x/exp/jsonrpc2 digest to 74f9aab by @renovate[bot] in #5296
• Update module github.com/google/cel-go to v0.28.1 by @renovate[bot] in #5309
• Deep-copy shared fixtures in mapMCPServerToWebhookConfig subtests by @jhrozek in #5310
• Add --session-ttl flag and fix three session timeout bugs by @JAORMX in #5117
• Update module github.com/charmbracelet/x/ansi to v0.11.7 by @renovate[bot] in #5308
• Deflake transientRefresher singleflight test by @jhrozek in #5312
• Move HeaderForward helpers to pkg/vmcp/headerforward by @lorr1 in #5302
• Update anthropics/claude-code-action digest to 51ea8ea by @renovate[bot] in #5294
• Update module github.com/stacklok/toolhive-catalog to v0.20260518.0 by @renovate[bot] in #5313
• Bump toolhive-core on release day via Renovate by @reyortiz3 in #5315
• Drop empty PULLS column from registry list and search output by @danbarr in #5314
• fix(operator): add startup probe to proxyrunner deployment by @gabrielcosi in #5300
• Bump toolhive-core to v0.0.20 by @reyortiz3 in #5316
• Wire HeaderForward into vMCP per-session HTTP client by @lorr1 in #5301
• Bump toolhive-core to v0.0.21 and use shared redis client by @reyortiz3 in #5318
• Release v0.28.0 by @toolhive-release-app[bot] in #5322

New Contributors

• @pl4nty made their first contribution in #5243
• @kimjune01 made their first contribution in #5256
• @gabrielcosi made their first contribution in #5300

Full Changelog: v0.27.2...v0.28.0

v0.27.2

What's Changed

• Update github/codeql-action digest to 68bde55 by @renovate[bot] in #5236
• Update anthropics/claude-code-action digest to 476e359 by @renovate[bot] in #5235
• Forward MCPServerEntry headerForward to vMCP outbound requests by @ChrisJBurns in #5239
• Tolerate spec-violating list methods on backend init by @tgrunnagle in #5232
• Bump github.com/in-toto/in-toto-golang from 0.9.0 to 0.11.0 by @dependabot[bot] in #5234
• Use corev1.PullPolicy instead of string for EmbeddingServer ImagePullPolicy by @Sanskarzz in #5240
• Namespace operator.* Helm helpers to prevent umbrella chart collisions by @wucm667 in #5245
• Recognize mcp-go authorization-required sentinels as auth by @lorr1 in #5225
• Delegate tokenexchange HTTP plumbing to pkg/oauthproto by @jhrozek in #5226
• Bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 by @dependabot[bot] in #5249
• Move tokenexchange under pkg/oauthproto by @jhrozek in #5251
• Apply OTEL config to workloads created via API by @reyortiz3 in #5254
• Fall back across Docker sockets on connect failure by @samuv in #5246
• fix(registry): surface legacy registry format as a structured API error by @peppescg in #5260
• Allow operators to inject baseline scopes into DCR registrations by @jhrozek in #5233
• Collapse registry provider error ladder into a helper by @rdimitrov in #5261
• Update module github.com/stacklok/toolhive-catalog to v0.20260511.0 by @renovate[bot] in #5227
• Update goreleaser/goreleaser-action digest to 1a80836 by @renovate[bot] in #5054
• Release v0.27.2 by @toolhive-release-app[bot] in #5263

Full Changelog: v0.27.1...v0.27.2

v0.27.1

What's Changed

• Redact webhook response body from returned errors by @JAORMX in #5191
• Add omitempty to MCPGroupStatus JSON fields by @sharanrajt in #5181
• Cap webhook middleware request body at 1 MB by @JAORMX in #5192
• Update anthropics/claude-code-action digest to 9db782c by @renovate[bot] in #5164
• Update module github.com/stacklok/toolhive-catalog to v0.20260507.0 by @renovate[bot] in #5206
• Add Windows named-pipe support to the API listener by @samuv in #5201
• Restrict Windows named-pipe DACL to creating user by @samuv in #5214
• Add persistent DCRCredentialStore types and memory backend by @tgrunnagle in #5186
• Expose explicit primaryUpstreamProvider for Cedar authz on VirtualMCPServer by @tgrunnagle in #5199
• Use shared pkg/oauthproto helpers in tokenexchange by @jhrozek in #5212
• Skip WARN for non-POST Streamable HTTP requests by @danbarr in #5221
• Move pipe and socket URL handling to net/url by @samuv in #5215
• Guard RedisStorageConfig CEL rules with has() checks by @reyortiz3 in #5228
• Pin npipe round-trip and pipe lifecycle invariants by @samuv in #5216
• Add Redis backend for DCRCredentialStore by @tgrunnagle in #5195
• Wire persistent DCRCredentialStore into EmbeddedAuthServer by @tgrunnagle in #5196
• Add CRD-runtime drift detection test framework by @ChrisJBurns in #5209
• MCPGroup Ready column misleadingly shows MCPServersChecked condition by @Sanskarzz in #5241
• Release v0.27.1 by @toolhive-release-app[bot] in #5244

New Contributors

• @sharanrajt made their first contribution in #5181

Full Changelog: v0.27.0...v0.27.1

v0.27.0

What's Changed

• Support CIMD as preferred OAuth client registration for thv run by @amirejaz in #5085
• Add --client flag to thv llm setup and teardown by @yrobla in #5144
• Carry forward upstream refresh token on re-authorization by @jhrozek in #5132
• Add follow-up CIMD E2E and unit tests by @amirejaz in #5130
• Add authserver DCR credential store and resolver by @tgrunnagle in #5042
• Allow standalone Redis in auth server storage by @reyortiz3 in #4994
• Fix golangci-lint failures from Go 1.26 linter upgrade by @reyortiz3 in #5161
• Fix flaky VirtualMCPServer composite tool watch integration test by @reyortiz3 in #5163
• Correct Gemini CLI LLM gateway config to proxy mode by @yrobla in #5142
• Add --anthropic-path-prefix flag and auto-probe for Envoy AI Gateway by @yrobla in #5174
• Phase 5: Dynamic Webhook Middleware Kubernetes Controller by @Sanskarzz in #4564
• Automate Gemini CLI .env injection for LLM gateway proxy setup by @yrobla in #5175
• Strengthen test assertions in llm_gateway_test.go using jsonPointerGet by @yrobla in #5187
• Update github/codeql-action digest to e46ed2c by @renovate[bot] in #5165
• Update aws-sdk-go-v2 monorepo by @renovate[bot] in #5166
• Preserve runconfig-checksum on pod template overrides by @jhrozek in #5149
• Populate LLMSetupNote for Gemini CLI to warn on --tls-skip-verify no-op by @yrobla in #5188
• Publish thv llm commands and regenerate CLI reference docs by @yrobla in #5189
• Set User-Agent on OAuth token refresh requests by @gkatz2 in #5168
• Wire authserver DCR resolver and add structured logs by @tgrunnagle in #5044
• Return *oauth2.RetrieveError from tokenexchange by @jhrozek in #5082
• Update module github.com/stacklok/toolhive-catalog to v0.20260504.0 by @renovate[bot] in #5118
• fix(#5063): deterministically order env vars in DeployWorkload by @nalditopr in #5064
• fix(api,cli): stop auto-deriving RFC 8707 resource indicator from URL by @peppescg in #5204
• Expose DCR config in operator CRD for OAuth2 upstreams by @tgrunnagle in #5069
• Install local skill builds by name when tag differs by @samuv in #5182
• Add identity extractor for OAuth2 token responses by @jhrozek in #5200
• Add Redis Cluster mode support to auth server storage by @reyortiz3 in #5153
• Release v0.27.0 by @toolhive-release-app[bot] in #5207

New Contributors

• @nalditopr made their first contribution in #5064

Full Changelog: v0.26.1...v0.27.0

v0.26.1

What's Changed

• Make Cedar group entity type name configurable by @jhrozek in #5121
• Add authserver DCR discovery and config surface by @tgrunnagle in #5041
• fix(authserver): send scope explicitly on upstream token refresh by @dallinstevens in #5096
• test(e2e): add all-client LLM gateway e2e matrix + fix secret provider bugs by @yrobla in #5116
• Add --tls-skip-verify flag to thv llm setup, config set, and proxy start by @yrobla in #5136
• Auto-detect Docker Desktop socket on Linux by @samuv in #5122
• Consolidate ToolApplyConfig and LLMApplyConfig into pkg/llmgateway by @yrobla in #5138
• Include nested files when resolving git skills by @samuv in #5139
• Release v0.26.1 by @toolhive-release-app[bot] in #5140

New Contributors

• @dallinstevens made their first contribution in #5096

Full Changelog: v0.26.0...v0.26.1

v0.26.0

What's Changed

• Drop legacy ToolHive registry format references from docs by @rdimitrov in #5087
• Update module github.com/stacklok/toolhive-catalog to v0.20260428.0 by @renovate[bot] in #5080
• Update module github.com/shirou/gopsutil/v4 to v4.26.3 by @renovate[bot] in #5061
• Add interactive TUI dashboard for managing MCP servers by @peppescg in #4680
• Introduce LLMClientApp type to remove xcode from MCP API swagger enum by @yrobla in #5081
• Strengthen tool detection with binary presence check by @yrobla in #5083
• Add awsSts auth type support to vMCP by @tgrunnagle in #5019
• Update module github.com/moby/moby/client to v0.4.1 by @renovate[bot] in #5059
• thv llm: complete setup/teardown orchestration by @yrobla in #5068
• Align REGISTRY.md with configYAML-only MCPRegistry spec by @rdimitrov in #5088
• ci(release): mint GitHub App installation token instead of RELEASE_TOKEN PAT by @Nashon-Steffen in #5093
• Wire MCPRemoteProxy resourceOverrides.proxyDeployment.imagePullSecrets by @JAORMX in #5103
• Extract shared OAuthTokenSource into pkg/auth/tokensource by @yrobla in #5090
• fix(llm): use correct binary name for VS Code Insiders detection by @yrobla in #5109
• Preserve user fields in EmbeddingServer podTemplateSpec merge by @JAORMX in #5104
• Add explicit imagePullSecrets field to VirtualMCPServer by @JAORMX in #5107
• Add explicit imagePullSecrets field to MCPRegistry by @JAORMX in #5106
• Move llm setup/teardown orchestration to pkg/llm by @yrobla in #5112
• Add missing encoding/json import to virtualmcpserver_deployment.go by @jhrozek in #5114
• fix(test): use require instead of assert in TestBuildServerConfig to prevent nil panic by @wucm667 in #5098
• Detect imagePullSecrets drift on proxy Deployments by @jhrozek in #5113
• Add operator-level defaultImagePullSecrets across all controllers by @JAORMX in #5105
• Fix non-expiring upstream token handling and storage TTL bugs by @jhrozek in #5092
• Allow OAuth2 upstreams to omit userInfo config by @tgrunnagle in #5094
• Release v0.26.0 by @toolhive-release-app[bot] in #5131

New Contributors

• @wucm667 made their first contribution in #5098
• @toolhive-release-app[bot] made their first contribution in #5131

Full Changelog: v0.25.0...v0.26.0

v0.25.0

What's Changed

• Add thv llm command group with config types and management commands by @yrobla in #5032
• Improvements for the vmcp e2e test infrastructure by @yrobla in #5026
• pkg/llm: implement OIDC token source and thv llm token command by @yrobla in #5033
• llm: extract shared OIDC config, move business logic to pkg/llm, add E2E tests by @yrobla in #5049
• Expose hook for embedder-driven MCP elicitation by @JAORMX in #4934
• Treat 401/403 from auth-configured backends as healthy by @JAORMX in #4935
• Update dockerfile template base images by @renovate[bot] in #5058
• Update anthropics/claude-code-action digest to 567fe95 by @renovate[bot] in #5053
• Add localhost reverse proxy for LLM gateway by @yrobla in #5035
• pkg/llm: fix withPreemptiveRefresh composition and stale _AT on rotation by @yrobla in #5052
• Rename pkg/oauth to pkg/oauthproto and move DCR primitives by @tgrunnagle in #5036
• Apply request version to tag-less skill OCI install ref by @samuv in #5078
• Add thv registry convert command by @rdimitrov in #5071
• Strip Content-Length when wrapping tool filter response by @danbarr in #5077
• Drop legacy registry format support by @rdimitrov in #5067
• Update aws-sdk-go-v2 monorepo by @renovate[bot] in #5057
• Update module golang.ngrok.com/ngrok/v2 to v2.1.4 by @renovate[bot] in #5062
• Classify packager errors as 400 in skill build handler by @samuv in #5076
• Add tool adapter registry and per-tool LLM gateway implementations by @yrobla in #5065
• Add pkg/oauth grant-helper primitives by @jhrozek in #5045
• Release v0.25.0 by @stacklokbot in #5084

Full Changelog: v0.24.1...v0.25.0