## [1.0.4] - 2026-06-22 - Rust Server Migration, Security Fixes, and Build Hardening

### Overview

Release 1.0.4 consolidates 35+ PRs focused on Rust server migration, security and auth correctness, multi-architecture build hardening, and database reliability. This release migrates test servers to Rust and resolves a broad set of auth, CSRF, login, and container build issues:

- Security & Auth - Keycloak SSO role merging from `access_token`, `client_secret_basic` support for SSO token exchange, CSRF exempt-path fixes, login redirect loop fix, and OAuth `auth_type` propagation fix for tool creation.
- Rust Servers - Slow-time MCP test server migrated to Rust (breaking binary path change), Rust benchmark server added replacing Go, Rust A2A echo agent added for integration testing.
- FedRAMP / Build - s390x `rustup` fix, hermetic wheel closure for s390x/ppc64le multiplatform builds, `Containerfile.lite` venv fix, PyPI UI bundle fix, PyO3 and Rust CI dependency updates.
- Database & Performance - DB connection pool multiplication resolved, lazy log formatting migration across services, tag length made configurable via env vars.
- API - RFC 6585 HTTP status code compliance (429, etc.), HTTP 202 Accepted response support for async operations.
- CI / DevOps - Hadolint via Docker image, docker-scan scoped to merge queue, linting-full moved to merge queue, npm audit fixes, release dependency lock refresh, `cpex-rate-limiter` bump to 0.1.4.
### Added

#### Security & Auth

- client_secret_basic SSO Token Exchange (#5132) - `client_secret_basic` HTTP Basic Auth support for SSO token exchange. Broadens compatibility with OAuth 2.0 compliant identity providers.

#### API

- RFC 6585 HTTP Status Code Compliance (#4797) - RFC 6585 compliant HTTP status codes (429, etc.). Improves API standards conformance.
- HTTP 202 Accepted Response (#5210) - HTTP 202 Accepted response support for async operations. Enables proper async API patterns.

#### Rust Servers

- Rust Benchmark Server (#5091) - Rust benchmark server replaces the Go benchmark server; benchmark compose profiles rewired to build from `mcp-servers/rust/benchmark-server`. Breaking: binary paths move from `./dist/benchmark-server` to `./target/release/benchmark-server`.
- Rust A2A Echo Agent (#5092) - Rust implementation of an A2A echo agent for integration testing. Provides a fast, low-overhead test target.
### Changed

#### Rust Servers

- Slow-Time Server Migrated to Rust (#5090) - Slow-time MCP test server migrated from Python to Rust. Breaking: binary paths and compose targets change; update any local scripts referencing the old Python entrypoint.

#### Infrastructure & DevOps

- Security Policy: IBM PSIRT (#5225) - Security vulnerability reporting redirected to IBM PSIRT. Aligns with IBM security disclosure process.
- cpex-rate-limiter Bump to 0.1.4 (#5242) - Bumped `cpex-rate-limiter` dependency to 0.1.4. Picks up upstream rate-limiter fixes.
- Lazy Log Formatting (#4749) - Migrated f-string log calls to lazy `%`-style across services. Avoids string interpolation overhead when the log level is suppressed.
- Configurable Tag Length (#5178) - Tag length now configurable via environment variables. Enables site-specific tag truncation policy.
- CODEOWNERS Update (#5275) - Updated code owners for certain topics. Ensures correct review routing.

#### CI

- Linting-Full Moved to Merge Queue (#5189) - Full repo lint sweep moved to merge queue gate. Reduces PR feedback noise while maintaining merge quality.
- Docker-Scan Scoped to Merge Queue (#5209) - Docker vulnerability scan scoped to PR lint + merge-queue gate. Avoids redundant scans on every push.
- Hadolint via Docker Image (#5259) - Hadolint run via Docker image to satisfy org Actions allowlist. Removes dependency on non-allowlisted GitHub Action.
- Skip CI for Secrets Baseline Commits (#5012) - Full CI skipped for `detect-secrets` baseline-only commits. Reduces unnecessary CI load.
- Pin buildx Version - Pinned `setup-buildx-action` to a fixed version to avoid Docker Hub rate-limit failures. Prevents intermittent CI build failures from upstream rate limiting.
### Fixed

#### Security & Auth

- Keycloak SSO Role Merging from access_token (#5330) - Merge Keycloak realm/client roles from `access_token` instead of only `userinfo`/`id_token`. Fixes missing roles for clients with roles only in `access_token`.
- CSRF Exempt Paths (#5157) - Added missing API paths to `csrf_exempt_paths`; fixed env drift between config and middleware. Prevents spurious CSRF rejections on valid API calls.
- Login Redirect Loop (#5203) - Fixed login redirect loop. Prevents infinite redirect cycle after authentication.
- OAuth auth_type Ignored in Tool Creation (#5180) - OAuth `auth_type` offered in the Add Tool form was silently ignored by `POST /tools` and `POST /admin/tools`. Fix propagates auth type through the tool creation pipeline.
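To show why the Keycloak role-merging fix above matters, here is an added example (not the gateway's own code) that unions roles from every claim source a Keycloak login yields. It assumes the caller has already verified token signatures, issuer and audience, and that the inputs are the decoded claim dicts; `merge_keycloak_roles` is a hypothetical name and the sample claims are constructed.

```python
"""Merge Keycloak roles across access_token, id_token and userinfo claims.

Added example, not project code. Assumes signatures, issuer and audience
of the tokens were verified before the claims reach this function.
"""
from typing import Any, Dict, Iterable, List, Mapping, Optional


def _roles_from_claims(claims: Mapping[str, Any], client_id: Optional[str]) -> List[str]:
    """Collect realm roles and, if a client_id is given, that client's roles."""
    roles: List[str] = []
    realm = claims.get("realm_access") or {}
    roles.extend(realm.get("roles", []))
    if client_id:
        resource = claims.get("resource_access") or {}
        roles.extend((resource.get(client_id) or {}).get("roles", []))
    return roles


def merge_keycloak_roles(sources: Iterable[Mapping[str, Any]],
                         client_id: Optional[str] = None) -> List[str]:
    """Order-preserving, de-duplicated union of roles over all claim sources.

    Keycloak frequently emits realm_access/resource_access only in the
    access_token, so reading userinfo/id_token alone silently drops roles.
    """
    seen: Dict[str, None] = {}
    for claims in sources:
        for role in _roles_from_claims(claims, client_id):
            seen.setdefault(role, None)
    return list(seen)


# Constructed sample claims: the admin and client roles exist only in the access_token.
ACCESS_TOKEN_CLAIMS = {
    "sub": "user-1",
    "realm_access": {"roles": ["offline_access", "mcp-admin"]},
    "resource_access": {"gateway": {"roles": ["tool-creator"]}},
}
ID_TOKEN_CLAIMS = {"sub": "user-1", "email": "user@example.test"}
USERINFO_CLAIMS = {"sub": "user-1", "realm_access": {"roles": ["offline_access"]}}

if __name__ == "__main__":
    # Old behaviour (userinfo/id_token only) versus the merged result.
    print(merge_keycloak_roles([USERINFO_CLAIMS, ID_TOKEN_CLAIMS]))
    print(merge_keycloak_roles([USERINFO_CLAIMS, ID_TOKEN_CLAIMS, ACCESS_TOKEN_CLAIMS], "gateway"))
```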
#### Tests

- Playwright: FK Cascade and Team Delegation (#5211) - Fixed user deletion FK cascade and team selector delegation in Playwright tests. Stabilizes E2E test suite.

#### FedRAMP / FIPS Compliance

- python3 Symlink After subscription-manager (#5119) - Re-assert the `python3` symlink after `subscription-manager` clobbers it in FedRAMP builds. Fixes Python invocation failure in RHEL-based FedRAMP images.

#### Rust / Build

- PyO3 Dependency Update (#5208) - Updated PyO3 dependency. Resolves compatibility issue with newer Rust toolchain.
- Rust CI Dependencies (#5227) - Updated Rust CI dependencies. Fixes CI failures from stale dependency pins.
- s390x Containerfile rustup (#5207) - Updated s390x Containerfile to use `rustup` for the latest Rust compiler. Fixes s390x builds broken by toolchain version mismatch.
- A2A Image Workspace Members (#5268) - Include workspace members in the A2A image build. Fixes missing crates in multi-workspace Docker builds.
- Containerfile.lite Empty Venv (#5278) - Fixed `Containerfile.lite` shipping an empty venv masked by a stray `|| true`. Restores correct Python environment in the lite image.
- Hermetic Wheel Closure s390x/ppc64le (#5287) - Hermetic wheel closure for s390x/ppc64le multiplatform builds. Prevents platform-specific wheel contamination in multi-arch images.
- PyPI Bundle UI Files (#5202) - Bundle UI files on PyPI build. Fixes missing Admin UI assets in PyPI-installed package.

#### Database & Infrastructure

- DB Connection Pool Multiplication (#4696) - Resolved database connection pool multiplication. Prevents pool exhaustion under concurrent load.
- Duplicate python-multipart in uv.lock (#5316) - Removed duplicate `python-multipart` entry in `uv.lock`. Fixes dependency resolution warnings.
- npm Audit Fix (#5301) - Applied `npm audit fix` for UI dependency vulnerabilities.
### Chores

| PR | Description | Author |
|---|---|---|
| #5179 | chore: deprecate runtime sidecars and validation middleware | lucarlig |
| #5302 | chore: refresh release dependency locks | lucarlig |
| #5308 | docs: add cargo-vet prune release step | lucarlig |
| #5173 | docs: add LLM Gateway feature documentation | jonpspri |
| #4846 | docs: clarify contribution guidelines | lucarlig |
| #4897 | docs: clarify section 14 manual testing expected behaviours | msureshkumar88 |
| #5242 | chore: bump cpex-rate-limiter to 0.1.4 | gandhipratik203 |
| #5275 | chore: update code owners for certain topics | brian-hussey |
| #5012 | chore: skip full CI for secrets baseline commits | lucarlig |
| #4749 | chore(logging): migrate f-string log calls to lazy %-style | msureshkumar88 |
| - | chore(docker): update UBI image versions | msureshkumar88 |
| - | fix(deps): update cryptography and msgpack | cafalchio |
| - | chore: addressed dependabot security dependency issues | - |
| - | chore: refresh Go dependencies | - |
| - | chore: update Python versions in container images | - |
| - | chore: code quality gates pass | - |