Rolling upstream release action items — mcpg
This is the single canonical tracking issue for action items from new mcpg releases. The update-awf-version workflow appends a comment here for each version bump going forward — the most recent activity lives in the comments below. This body consolidates everything filed so far.
Latest pinned version covered: 0.3.32
Consolidated history (earliest → latest)
0.3.12 → 0.3.23 (was #882)
- OTel span attributes aligned with gen_ai semantic conventions (v0.3.16): MCPG now emits OTel spans following the OpenTelemetry gen_ai semconv. ado-aw's audit analyzer (
src/audit/analyzers/otel.rs) may need updating if it relies on specific MCPG span field names.
- Per-session tool call limits in allow-only guard policies (v0.3.20): MCPG enforces per-session limits in allow-only mode; ado-aw could expose as a configurable field (e.g.,
tools.call-limit:).
- Timeout fields added to embedded JSON schema (v0.3.23): MCPG config schema now includes timeout fields; ado-aw should review whether to surface in
engine: or tools: front-matter.
- Security: GHE Cloud data residency proxy routing fix (v0.3.23): GraphQL requests were routed to wrong upstream for GHE Cloud data-residency tenants; fixed automatically on version bump.
0.3.23 → 0.3.24 (was #903)
- Breaking: "API key" surface renamed to "Agent ID" (v0.3.24): Deprecated compatibility aliases removed; gateway now uses
X-Agent-ID for routing. Audit MCPG config types in src/compile/extensions/mod.rs for any removed alias fields.
- Unauthenticated
/reflect endpoint for live DIFC label snapshots (v0.3.24): New diagnostics endpoint; ado-aw's audit/status commands could use this for richer DIFC diagnostics.
0.3.23 → 0.3.25 (was #931)
- Security:
$ENV expansion disabled in tool response filters (v0.3.25): Prevents environment variable leakage/injection through crafted tool responses. Verify any custom filter expressions remain functional.
- Metadata endpoint allowlisting (v0.3.25): MCPG proxy now allowlists metadata endpoints and passes through unrecognized reads; may resolve prior MCP client liveness/metadata call blocking.
0.3.25 → 0.3.26 (was #1059)
- OTLP multi-endpoint fan-out via
GH_AW_OTLP_ENDPOINTS (v0.3.26): MCPG supports sending OTel telemetry to multiple OTLP endpoints; ado-aw could expose in compiled pipeline variables.
- Deprecation:
MCP_GATEWAY_API_KEY → MCP_GATEWAY_AGENT_ID (v0.3.26): run.sh now reads MCP_GATEWAY_AGENT_ID with deprecated fallback for MCP_GATEWAY_API_KEY. ado-aw generates pipelines that set MCP_GATEWAY_API_KEY (src/compile/agentic_pipeline.rs, src/compile/common.rs); migrate to MCP_GATEWAY_AGENT_ID before the fallback is removed.
0.3.25 → 0.3.27 (was #1119)
- GitHub MCP Server v1.3.0 support (v0.3.27): MCPG routes PR commits and supports
get_file_blame spec; verify GitHub MCP extension config + network allowlists are compatible.
refusal-labels guard policy (v0.3.27): New guard policy type for classifying agent refusals; ado-aw could expose in MCPG configuration.
MCP_GATEWAY_SHUTDOWN_TIMEOUT env var documented (v0.3.27): ado-aw could expose in generated pipeline teardown steps.
0.3.25 → 0.3.28 (was #1169)
- Security: wazero WASM guard hardening (v0.3.28): Added memory cap and backend call limit to wazero WASM runtime; protects against malicious/malformed WASM guards. Consumers benefit automatically on upgrade.
0.3.25 → 0.3.29 (was #1185)
- Security: DIFC labeling gaps covered (v0.3.28):
get_code_quality_finding, ui_get, add_gpg_key, add_ssh_key previously lacked DIFC integrity/secrecy labels; gap now closed. Older MCPG versions did not enforce integrity for these operations.
- Opt-in observed URL domain audit pipeline (v0.3.29): Records which URL domains appear in MCP tool responses + write sinks; ado-aw could expose opt-in flag and surface data in
ado-aw audit reports.
0.3.29 → 0.3.31 (was #1242)
- Gateway domain validation widened to RFC-1123 topology hostnames (v0.3.30): Accepts topology hostnames like
my-server.namespace.svc.cluster.local; fixes unexpected validation errors.
- Prompt passthrough via go-sdk (v0.3.31): Fixes context propagation + adds prompt passthrough through SDK-mediated backend calls.
- DIFC proxy GHEC data-residency REST API host derivation fix (v0.3.31): Fixes wrong API host calculation for GHEC data-residency deployments.
0.3.29 → 0.3.32 (was #1253) — canonical
- GitHub reaction operations classified as
WRITE_OPERATIONS (v0.3.32): Adding/removing emoji reactions now subject to DIFC integrity enforcement. Agents calling GitHub reaction APIs require adequate DIFC integrity clearance. This is a security tightening — confirm DIFC integrity level is configured correctly.
Consolidated by the Deps Release-Notes Consolidator workflow. Superseded per-release issues were closed and point here.
Generated by Deps Release-Notes Consolidator · 319.3 AIC · ⌖ 17.7 AIC · ⊞ 6.6K · ◷
Rolling upstream release action items —
mcpgThis is the single canonical tracking issue for action items from new
mcpgreleases. Theupdate-awf-versionworkflow appends a comment here for each version bump going forward — the most recent activity lives in the comments below. This body consolidates everything filed so far.Latest pinned version covered:
0.3.32Consolidated history (earliest → latest)
0.3.12→0.3.23(was #882)src/audit/analyzers/otel.rs) may need updating if it relies on specific MCPG span field names.tools.call-limit:).engine:ortools:front-matter.0.3.23→0.3.24(was #903)X-Agent-IDfor routing. Audit MCPG config types insrc/compile/extensions/mod.rsfor any removed alias fields./reflectendpoint for live DIFC label snapshots (v0.3.24): New diagnostics endpoint; ado-aw'saudit/statuscommands could use this for richer DIFC diagnostics.0.3.23→0.3.25(was #931)$ENVexpansion disabled in tool response filters (v0.3.25): Prevents environment variable leakage/injection through crafted tool responses. Verify any custom filter expressions remain functional.0.3.25→0.3.26(was #1059)GH_AW_OTLP_ENDPOINTS(v0.3.26): MCPG supports sending OTel telemetry to multiple OTLP endpoints; ado-aw could expose in compiled pipeline variables.MCP_GATEWAY_API_KEY→MCP_GATEWAY_AGENT_ID(v0.3.26):run.shnow readsMCP_GATEWAY_AGENT_IDwith deprecated fallback forMCP_GATEWAY_API_KEY. ado-aw generates pipelines that setMCP_GATEWAY_API_KEY(src/compile/agentic_pipeline.rs,src/compile/common.rs); migrate toMCP_GATEWAY_AGENT_IDbefore the fallback is removed.0.3.25→0.3.27(was #1119)get_file_blamespec; verify GitHub MCP extension config + network allowlists are compatible.refusal-labelsguard policy (v0.3.27): New guard policy type for classifying agent refusals; ado-aw could expose in MCPG configuration.MCP_GATEWAY_SHUTDOWN_TIMEOUTenv var documented (v0.3.27): ado-aw could expose in generated pipeline teardown steps.0.3.25→0.3.28(was #1169)0.3.25→0.3.29(was #1185)get_code_quality_finding,ui_get,add_gpg_key,add_ssh_keypreviously lacked DIFC integrity/secrecy labels; gap now closed. Older MCPG versions did not enforce integrity for these operations.ado-aw auditreports.0.3.29→0.3.31(was #1242)my-server.namespace.svc.cluster.local; fixes unexpected validation errors.0.3.29→0.3.32(was #1253) — canonicalWRITE_OPERATIONS(v0.3.32): Adding/removing emoji reactions now subject to DIFC integrity enforcement. Agents calling GitHub reaction APIs require adequate DIFC integrity clearance. This is a security tightening — confirm DIFC integrity level is configured correctly.Consolidated by the Deps Release-Notes Consolidator workflow. Superseded per-release issues were closed and point here.