github IBM/mcp-context-forge v0.5.0
MCP Gateway v0.5.0 - 2025-08-06 - Enterprise Operability, Auth, Configuration & Observability

This enterprise-focused release delivers 42 resolved issues with major improvements to authentication, configuration management, error handling, and developer experience. Building on v0.4.0's security foundation, v0.5.0 brings enhanced JWT security, comprehensive UI/UX improvements, and strengthened input validation across all endpoints.

๐Ÿ† Enterprise Operability Achievements

This release enhances production readiness with:

  • Enhanced JWT Security – Mandatory token expiration enforcement when configured
  • Masked Sensitive Data – Authentication credentials properly hidden in API responses
  • Improved Error Handling – User-friendly messages with actionable guidance
  • Better Observability – Enhanced status reporting and service visibility
  • Developer Productivity – File-specific linting and comprehensive Makefile improvements
  • Stronger Validation – XSS prevention and input validation across all endpoints

Important: Admin UI remains development-only with enhanced security defaults. Never expose it in production. Build your own production UI with appropriate security controls. Refer to the Securing MCP Gateway documentation.
Beta Software Notice: MCP Gateway is in early beta. Expect breaking changes between minor versions. Use only with trusted upstream MCP servers. This is an OPEN SOURCE PROJECT with community-driven support and no official support from IBM. Please refer to SECURITY.md and our Roadmap for more info.

✨ Highlights

  • 🔐 JWT Token Security – Mandatory expiration when REQUIRE_TOKEN_EXPIRATION=true (#425)
  • 🎭 Masked Auth Values – Sensitive credentials hidden in all API responses (#601, #602)
  • 🧪 Enhanced Test Tool – Default values, array/boolean handling, multiline support (#620-#644)
  • 🛠️ Developer Experience – File-specific linting with make lint filename (#410, #660)
  • 📊 Better Visibility – MCP Server Name column in tools/resources overview (#506, #624)
  • 🔍 Security Scanning – Snyk, DevSkim, and nodejsscan integration (#590, #638, #639)
  • ✅ UI Improvements – Checkbox selection, better error messages, form fixes (#392, #619)
  • 📝 SPDX Compliance – Automated file header verification (#315, #317, #656)

🚨 Important Updates

  • UI Enabled by Default – .env.example now sets MCPGATEWAY_UI_ENABLED=true for easier onboarding
  • API Docs Authentication – New DOCS_BASIC_AUTH_ENABLED flag for securing documentation endpoints
  • Enhanced Validation – Stricter rules for gateway URLs, tool names, and input parameters
  • Improved Scripts – Consolidated run-gunicorn.sh with better error handling (#397, #430)

🆕 Added

Security & Authentication

  • JWT Token Expiration (#425) – Mandatory expiration with REQUIRE_TOKEN_EXPIRATION=true
  • Masked Credentials (#601, #602) – Auth values hidden in gateway API responses
  • API Docs Auth (#663) – Basic authentication for /docs with DOCS_BASIC_AUTH_ENABLED
  • XSS Prevention (#576) – RPC method validation against injection attacks
  • SPDX Headers (#315, #317, #656) – Automated license compliance checking

Developer Experience

  • File-Specific Linting (#410, #660):

    make lint filename.py     # Lint single file
    make lint dirname/        # Lint directory
    make lint-changed        # Lint git changes
  • Enhanced Makefile (#365, #397, #507, #597):

    • .PHONY declarations for all targets
    • Prevented multiple server startups
    • Better formatting and organization
    • Consolidated scripts and improved readability
  • Test Tool Enhancements:

    • Default value display (#623, #644)
    • Boolean input fixes (#622)
    • Array input parsing (#620, #641)
    • Multiline text support (#650)

UI/UX Improvements

  • Checkbox Selection (#392, #619) – Multi-select for servers, tools, resources
  • MCP Server Name Column (#506, #624) – Better visibility in global views
  • Connection String Export (#154) – One-click client configuration
  • Time Server Integration (#403, #637) – Added to docker-compose for testing
  • Error Message Clarity (#357, #363, #569, #629, #648) – Actionable validation feedback

Code Quality & Testing

  • Security Scanners:

    • Snyk integration (#638, #639)
    • DevSkim static analysis (#590, #592)
    • nodejsscan for JavaScript (#499)
  • Web Linting (#390, #614) – CI/CD integration with jshint, jscpd, markuplint

  • Package Linters (#615, #616) – check-manifest and pyroma for PyPI compliance

๐Ÿ› Fixed

Critical Gateway Issues

  • Gateway ID null in Create API (#521)
  • Duplicate registration bypass (#603, #649)
  • Silent update failures in UI (#630)
  • Invalid URL validation (#578)
  • STREAMABLEHTTP transport validation (#662)
  • GitHub MCP Server registration (#584)

Tool & Resource Handling

  • REST tool update failures (#579)
  • Inconsistent tool name lengths (#631, #651)
  • Long input name reflection (#598)
  • Invalid "STREAMABLE" value (#610)
  • Edit forms not populating (#591, #633, #648)

Authentication & Security

  • Missing auth credentials (#471, #472)
  • Unmasked sensitive data (#601)
  • XSS in RPC methods (#576)

🔄 Changed

Configuration Defaults

  • UI Enabled – .env.example sets MCPGATEWAY_UI_ENABLED=true
  • Enhanced Validation – Stricter rules across all inputs
  • Better Scripts – Single run-gunicorn.sh with improved features

Performance & Reliability

  • Improved connection handling and timeouts
  • Better stateful session management
  • Enhanced resource cleanup

📦 Upgrade Instructions

  1. Update your package:

    pip install --upgrade mcp-contextforge-gateway==0.5.0
  2. Review new settings in .env:

    cp .env.example .env
    # Check new DOCS_BASIC_AUTH_ENABLED setting
  3. Run database migrations (automatic in Docker/Kubernetes):

    make db-upgrade
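
A check to run on the resulting .env before a production deploy, added here as an example and not part of the project's own tooling. The function names (env_value, check, audit_env) are hypothetical. The wanted values are this example's production policy, drawn from the notes above (Admin UI off, token expiration required, docs behind basic auth), and an unset key is treated as a finding.

```shell
#!/bin/sh
# Added example: audit a .env file for the v0.5.0 settings named in these notes.
# The "wanted" values are an assumed production policy, not project defaults.

# env_value FILE KEY: print the last uncommented assignment of KEY,
# with any inline comment, trailing whitespace and surrounding quotes removed.
env_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' \
            -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# check FILE KEY WANTED: print a finding and return 1 when KEY is unset
# or its value (compared case-insensitively) is not WANTED.
check() {
    actual=$(env_value "$1" "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$actual" = "$3" ]; then
        return 0
    fi
    echo "FINDING: $2=${actual:-<unset>} (want $3)"
    return 1
}

# audit_env FILE: run every check; the exit status is the number of findings.
audit_env() {
    findings=0
    # .env.example ships with the development-only Admin UI switched on.
    check "$1" MCPGATEWAY_UI_ENABLED false || findings=$((findings + 1))
    # Tokens without an expiration are only rejected when this is true.
    check "$1" REQUIRE_TOKEN_EXPIRATION true || findings=$((findings + 1))
    # Basic authentication for /docs is opt-in through this flag.
    check "$1" DOCS_BASIC_AUTH_ENABLED true || findings=$((findings + 1))
    return "$findings"
}

# Constructed sample input, shaped like a freshly copied .env.example.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample for this example
MCPGATEWAY_UI_ENABLED=true
REQUIRE_TOKEN_EXPIRATION="True"
EOF
audit_env "$sample" || echo "$? finding(s) in $sample"
```

Call audit_env with the path of the real .env in a deploy pipeline and fail the job on a non-zero status.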

🌟 Release Contributors

This release demonstrates strong community growth with 14 new contributors joining the project!

🏆 Top Contributors in 0.5.0

  • Mihai Criveti (@crivetimihai) - Release coordinator, infrastructure, security
  • Madhav Kandukuri (@madhav165) - XSS prevention, validation, security fixes
  • Keval Mahajan (@kevalmahajan) - UI enhancements, test tool improvements
  • Manav Gupta - File-specific linting, Makefile improvements
  • Rakhi Dutta (@rakdutta) - Comprehensive error message improvements
  • Shoumi Mukherjee (@shoummu1) - Array parsing, tool fixes, UI improvements

🎉 New Contributors

  • JimmyLiao - STREAMABLEHTTP transport validation
  • Arnav Bhattacharya - File header verification script
  • Guoqiang Ding - Tool parameter conversion, API docs auth
  • Pascal Roessner - MCP Gateway Name in tools overview
  • Kumar Tiger - Duplicate gateway name fix
  • Shamsul Arefin - JavaScript validation, UUID support
  • Emmanuel Ferdman - Prompt service test fixes
  • Tomas Pilar - Gateway response fixes, auth flags
  • ChrisPC-39 - UI enablement, tool search

💪 Returning Contributors

  • Nayana R Gowda - Redundant expressions, formatting
  • Mohan Lakshmaiah - Tool name consistency
  • Abdul Samad - Continued UI polish
  • Satya - Gateway URL validation
