github agentic-community/mcp-gateway-registry 1.24.4
1.24.4 - Hybrid Search RRF, UI and Backend Performance, Server Metadata PUT/PATCH, GitLab Skill Sources


June 2026


Upgrading from 1.24.3

This section covers everything you need to know to upgrade from 1.24.3 to 1.24.4.

Breaking Changes

There are no breaking changes in this release. All new endpoints are additive and the existing POST /api/servers/register?overwrite=true continues to work for full re-registration.

New Environment Variables

Variable | Default | Description
--- | --- | ---
NGINX_ENABLE_IPV6 | false | Enable in-pod nginx reverse proxy IPv6 listeners. Set to true on IPv6-only or dual-stack Kubernetes clusters so the entrypoint adds listen [::]:8080; and listen [::]:8443 ssl; (required for the load balancer and kubelet readiness probe to reach the pod over IPv6). The nginx counterpart to BIND_HOST=:: for uvicorn.

The existing GITHUB_EXTRA_HOSTS variable is now also used for self-hosted GitLab SSRF allowlist entries when fetching skills via the new GitLab API v4 translation. No syntax change; just include your private GitLab hostnames in the same comma-separated list.

Upgrade Instructions

Docker Compose

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.4

# Review new env vars in .env.example and update your .env if needed
# Then rebuild and restart:
./build_and_run.sh

Kubernetes / Helm (EKS)

This release modifies subchart files (charts/mcpgw/templates/secret.yaml, charts/mcpgw/reserved-env-names.txt). Stack-chart consumers MUST rebuild dependencies so the packaged subchart .tgz files pick up the change. Skipping this step will silently use stale subcharts.

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.4

# REQUIRED: Rebuild dependencies (subchart files changed)
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update

# Update values.yaml if needed, then upgrade:
helm upgrade mcp-gateway . -f your-values.yaml

Terraform / ECS

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.4

# Update your .tfvars with any new variables
cd terraform/aws-ecs
terraform plan
terraform apply

DockerHub Images

Pre-built images are available:

docker pull mcpgateway/registry:1.24.4
docker pull mcpgateway/auth-server:1.24.4
docker pull mcpgateway/currenttime-server:1.24.4
docker pull mcpgateway/realserverfaketools-server:1.24.4
docker pull mcpgateway/fininfo-server:1.24.4
docker pull mcpgateway/mcpgw-server:1.24.4
docker pull mcpgateway/metrics-service:1.24.4

Major Features

Hybrid search Reciprocal Rank Fusion (RRF) scoring

Search relevance is significantly improved by replacing additive vector + keyword scoring with Reciprocal Rank Fusion. RRF combines rankings from multiple retrievers in a way that is robust to score-scale differences and dominant-modality bias (the previous additive approach often let one modality drown out the other).

Why this matters:

  • More balanced results when a query matches strongly in one modality and weakly in another
  • Removes the need to hand-tune per-query score weights
  • The RRF formula (1 / (k + rank)) is a well-known IR technique with predictable behaviour

Companion admin APIs to detect and reindex servers/agents/skills with missing embeddings landed alongside (closes #1158), making it easy to catch and fix gaps without a full reindex.

PR #1157
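
The difference between the two fusion strategies, as an added example that is not the registry's code. The constant k=60, the function names, and the sample scores are assumptions constructed for illustration.

```python
from collections import defaultdict

K = 60  # assumption: widely used RRF constant; the registry's value is not on the page

# Constructed scores. Vector similarity lives in [0, 1]; keyword scores are unbounded.
VECTOR = {"/payments": 0.92, "/billing": 0.90, "/ledger": 0.70, "/invoice-pdf": 0.10}
KEYWORD = {"/invoice-pdf": 18.0, "/billing": 9.0, "/printer": 8.0}


def _ranked(scores):
    """Doc ids ordered best-first; ties broken by id so output is deterministic."""
    return sorted(scores, key=lambda doc: (-scores[doc], doc))


def additive_fusion(*retrievers):
    """Previous approach: sum raw scores, so the larger-scaled retriever dominates."""
    total = defaultdict(float)
    for scores in retrievers:
        for doc, score in scores.items():
            total[doc] += score
    return _ranked(total)


def rrf_fusion(*retrievers, k=K):
    """Reciprocal Rank Fusion: every retriever adds 1 / (k + rank) per document."""
    fused = defaultdict(float)
    for scores in retrievers:
        for rank, doc in enumerate(_ranked(scores), start=1):
            fused[doc] += 1.0 / (k + rank)
    return _ranked(fused)


if __name__ == "__main__":
    print("additive:", additive_fusion(VECTOR, KEYWORD))
    print("rrf:     ", rrf_fusion(VECTOR, KEYWORD))
```

With additive scoring the keyword-only hit outranks the best semantic match; with RRF the document that ranks well in both lists comes first.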

UI and backend performance: N+1 elimination + dashboard fetch dedup

The registry UI was getting visibly sluggish as the number of registered servers, agents, and skills grew. This release addresses the fan-out and redundant fetching across the API, service/repository layers, and the React dashboard.

Backend - N+1 and full-collection-scan elimination:

  • Route-level N+1s removed: list_agents, discover_agents_by_skills, the federation export routes, registry_routes.list_servers, and wellknown_routes no longer call is_*_enabled(path) per item. They read the is_enabled field already present on each document.
  • Restricted-user listings: filtered (non-wildcard) access used to fetch the entire server collection and filter in Python. New list_by_ids() repository method (both DocumentDB and file backends) fetches only the accessible paths via a single $in query.
  • Lexical search: removed expensive per-result count and tool-list fetches.
  • Dashboard server listing: /api/servers no longer loads full tool_list payloads when only num_tools is needed (exclude_tool_list supported); server counts use a dedicated count() instead of materializing and counting list_all().
  • Tool validation N+1: tool_validation_service now batches get_all_states() (backend-agnostic) instead of calling get_state(path) per server.
  • Auth scope N+1: map_cognito_groups_to_scopes calls get_all_group_mappings() once and inverts the {scope: [groups]} shape in memory.
  • Security-scan index: added a compound (server_path/skill_path, scan_timestamp: -1) index so get_latest seeks instead of scanning the unbounded scan history.

Frontend - duplicate dashboard fetch:

  • useServerStats previously ran its triple limit=2000 fetch (servers/agents/skills) independently in both Layout and Dashboard - 6 requests per page view. Lifted into a shared ServerStatsProvider mounted once in ProtectedRoute; now the fetch runs once and is shared by all consumers.

PR #1151

Server metadata PUT and PATCH endpoints

Customers can now update an MCP server's metadata (tags, description, custom metadata, routing fields) without re-registering the entire record. Two new endpoints mirror the agent update surface:

  • PUT /api/servers/{path} - full-replacement metadata update
  • PATCH /api/servers/{path} - RFC 7396 JSON Merge Patch update

Highlights:

  • Requires the modify_service UI permission, plus owner-or-admin authorization
  • Optional If-Match weak-ETag concurrency control (412 on stale write)
  • Audit trail entries include the new had_if_match dimension for measuring optimistic-concurrency adoption
  • Credential fields (auth_scheme, auth_credential, auth_header_name, custom_headers) are explicitly rejected with 422 - credential rotation continues to go through the dedicated PATCH /api/servers/{path}/auth-credential endpoint
  • Deployment-shape fields (deployment, local_runtime) cannot be flipped via these endpoints
  • Size caps enforced at the model layer: server_name <=256, description <=4096, tags <=50 entries x 64 chars, metadata <=64 KB serialized JSON

PR #1179
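
How the PATCH rules listed above fit together, as an added example that is not the registry's implementation. The ETag scheme, the error type, the function names, and the 422 status for size-cap violations are assumptions; the field names, the caps, and the 412/422 codes for stale writes and credential fields come from the notes.

```python
import hashlib
import json

# Field names and limits are the ones listed in the release notes above.
CREDENTIAL_FIELDS = {"auth_scheme", "auth_credential", "auth_header_name", "custom_headers"}
SAMPLE = {"server_name": "fininfo", "tags": ["finance"],
          "metadata": {"team": "a", "tier": "gold"}}  # constructed document


class UpdateRejected(Exception):  # hypothetical error type carrying the HTTP status
    def __init__(self, status, detail):
        super().__init__(detail)
        self.status = status


def merge_patch(target, patch):
    """RFC 7396: null removes a key, objects merge recursively, other values replace."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def weak_etag(doc):
    """Assumed ETag scheme: hash of the canonical JSON, marked weak with W/."""
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":"))
    return 'W/"%s"' % hashlib.sha256(canonical.encode()).hexdigest()[:16]


def patch_server(current, patch, if_match=None):
    if not isinstance(patch, dict):
        raise UpdateRejected(422, "merge patch body must be a JSON object")
    if if_match is not None and if_match != weak_etag(current):
        raise UpdateRejected(412, "document changed since the ETag was read")
    blocked = sorted(CREDENTIAL_FIELDS.intersection(patch))
    if blocked:
        raise UpdateRejected(422, "use /auth-credential for: %s" % ", ".join(blocked))
    merged = merge_patch(current, patch)
    tags = merged.get("tags") or []
    # Caps apply to the merged result: a small patch can push stored metadata past 64 KB.
    too_big = (
        len(merged.get("server_name") or "") > 256
        or len(merged.get("description") or "") > 4096
        or len(tags) > 50
        or any(len(tag) > 64 for tag in tags)
        or len(json.dumps(merged.get("metadata") or {}).encode()) > 64 * 1024
    )
    if too_big:
        raise UpdateRejected(422, "size cap exceeded")  # status is an assumption
    return merged
```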

GitLab as a skill source (private GitLab repos supported)

The registry can now fetch skills from self-hosted GitLab instances. Previously only GitHub.com and raw.githubusercontent.com were trusted; this release adds:

  • URL translation from GitLab /-/raw/ URLs to the GitLab API v4 (/api/v4/projects/.../repository/files/.../raw)
  • Authentication header injection for trusted GitLab hosts
  • Pagination cap to prevent runaway requests on misbehaving APIs
  • Hostnames listed in GITHUB_EXTRA_HOSTS are trusted for both GitHub and GitLab purposes (the variable name is preserved for backward compatibility)

PR #1128 (initial implementation), PR #1170 (review followups), PR #1176 (pagination cap)
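
The translation and allowlist check described above, as an added example that is not the registry's code. The function names, the sample hostnames, the use of GitLab's PRIVATE-TOKEN header, and the rule that the ref is a single path segment are assumptions.

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values.
SAMPLE_HOSTS = "ghe.example.com, gitlab.example.com"  # GITHUB_EXTRA_HOSTS syntax
SAMPLE_URL = "https://gitlab.example.com/platform/agents/skills/-/raw/main/pdf/SKILL.md"


def trusted_hosts(env_value):
    """Parse the comma-separated GITHUB_EXTRA_HOSTS value into exact hostnames."""
    return {h.strip().lower() for h in env_value.split(",") if h.strip()}


def translate_gitlab_raw(url, extra_hosts, token=None):
    """Return (api_url, headers) for a trusted GitLab /-/raw/ URL, else raise ValueError."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or parts.username or parts.password:
        raise ValueError("only https URLs without userinfo are fetched")
    # Exact match, not suffix or substring: gitlab.example.com.attacker.test must fail.
    if host not in trusted_hosts(extra_hosts):
        raise ValueError("host %r is not allowlisted" % host)
    project, marker, rest = unquote(parts.path).partition("/-/raw/")
    ref, _, file_path = rest.partition("/")  # assumption: the ref contains no slash
    project = project.strip("/")
    if not (marker and project and ref and file_path):
        raise ValueError("not a GitLab /-/raw/ URL")
    if ".." in file_path.split("/") or ".." in project.split("/"):
        raise ValueError("path traversal segment in URL")
    netloc = host if parts.port in (None, 443) else "%s:%d" % (host, parts.port)
    api_url = "https://%s/api/v4/projects/%s/repository/files/%s/raw?ref=%s" % (
        netloc, quote(project, safe=""), quote(file_path, safe=""), quote(ref, safe=""))
    # The token is attached only after the host check, so it never leaves the allowlist.
    headers = {"PRIVATE-TOKEN": token} if token else {}
    return api_url, headers


if __name__ == "__main__":
    print(translate_gitlab_raw(SAMPLE_URL, SAMPLE_HOSTS, token="constructed-token"))
```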

"All Agents" wildcard for IAM group Agent Access

Operators can now grant a group access to all current and future agents via a wildcard in the IAM Group editor instead of selecting them individually. The wildcard is canonicalized server-side so different forms (*, all, etc.) all resolve to the same access semantics.

PR #1191

Codex and CLI (curl) options in the Connect modal

The "Connect to MCP Server" modal now includes copy-pasteable instructions for two more clients:

  • Codex CLI - configuration block for OpenAI's Codex agent
  • curl (CLI) - raw curl one-liner for shell scripts and CI

This complements the existing Claude Code, Claude Desktop, VS Code, and Cursor entries.

PR #1161, PR #1166 (Claude Code instructions in mcpgw search tool)

Optional IPv6 listeners for IPv6-only Kubernetes clusters

The in-pod nginx reverse proxy now supports IPv6 listeners. Set NGINX_ENABLE_IPV6=true to add listen [::]:8080; and listen [::]:8443 ssl; to the generated nginx config - required on IPv6-only or dual-stack Kubernetes clusters where the load balancer and kubelet readiness probe reach the pod over IPv6.

PR #1162 (initial implementation), PR #1167 (POSIX-compatible sed in entrypoint)


What's New

Search Quality

  • Replace additive scoring with Reciprocal Rank Fusion in hybrid search (#1157)
  • Admin APIs to detect and reindex missing embeddings (#1157, closes #1158)

API and Backend

  • PUT /api/servers/{path} and PATCH /api/servers/{path} for metadata updates (#1179)
  • Server registration accepts empty/missing metadata and defaults to {} (#1175, #1188; closes #1165)
  • POST /api/servers/register now persists visibility="public" instead of silently dropping it; absent visibility on GET is normalized (#1186, closes #1181)
  • Strict-canonical server.json upload handling (omitted $schema, vendor _meta namespace) (#1180, closes #1178)

Authentication and Authorization

  • "All Agents" wildcard in IAM group Agent Access editor, with canonicalization on the API (#1191, closes #1189)

Performance

  • N+1 elimination across list_agents, discover_agents_by_skills, federation export routes, list_servers, wellknown_routes, tool validation, and Cognito-to-scope mapping (#1151)
  • New list_by_ids() repository method - restricted users no longer fetch the full server collection (#1151)
  • New get_all_states() and count() repository methods (#1151)
  • New compound index on (server_path, scan_timestamp: -1) for faster latest-scan lookups (#1151)
  • Frontend ServerStatsProvider halves dashboard fetch traffic (6 -> 3 requests per page view) (#1151)

Frontend Improvements

  • Codex and CLI (curl) options in the Connect modal (#1161, closes #1159)
  • JSON upload correctly handles canonical and _meta namespace shapes (#1180, closes #1178)

Infrastructure and Helm

  • Optional IPv6 listeners for nginx reverse proxy (#1162, #1167)
  • mcpgw subchart now derives REGISTRY_EXTERNAL_URL from global.domain and routingMode (#1166)

MCP Gateway (mcpgw) Server

  • New search_registry tool exposed; intelligent_tool_finder deprecated (closed via #1166)
  • Claude Code server-connection instructions surfaced through the search tool (#1166)

Skills (GitLab support)

  • Translate GitLab /-/raw/ URLs to API v4 for private repos (#1128)
  • Address review feedback on GitLab translation (#1170)
  • Cap pagination on GitLab API requests (#1176)

Documentation

  • Consolidated docs/demo-videos.md index and README link (#1196, closes #1190)
  • Roadmap updated for June 2026 (#1171)

Bug Fixes

  • Order generic /servers/{path} PUT/PATCH after specific subpaths so /auth-credential and /versions/default keep working (caught during integration testing of #1179)
  • Allow empty metadata on server fields and default to {} (#1175, closes #1165)
  • Persist visibility="public" on /servers/register and normalize absent values on GET (#1186, closes #1181)
  • Handle strict-canonical server.json on JSON upload (#1180, closes #1178)
  • Cap GitLab pagination to prevent runaway requests (#1176)
  • Use POSIX-compatible newlines in sed for IPv6 listener injection (#1167)
  • Address GitLab URL translation review feedback (#1170)

Closed Issues

Issue | Title | Closed By
--- | --- | ---
#1190 | docs: add a single docs/demo-videos.md indexing all demo videos + link from README | PR #1196
#1189 | feat(ui): add "All Agents" wildcard option to IAM group Agent Access (frontend-only) | PR #1191
#1181 | bug: /api/servers/register silently drops visibility="public" and skips visibility validation | PR #1186
#1178 | fix(ui): JSON upload misses fields when canonical server.json omits $schema or uses _meta vendor namespace | PR #1180
#1165 | Server registration fails when metadata field is omitted | PR #1175, PR #1188
#1164 | Add PUT/PATCH endpoints for server metadata updates | PR #1179
#1160 | feat(search): per-entity-type vector search pipelines for large registries | manual
#1159 | feat(ui): add Codex and CLI (curl) options to Connect modal | PR #1161
#1158 | feat(search): admin APIs to detect and reindex missing embeddings | PR #1157
#1156 | fix(search): replace additive scoring with Reciprocal Rank Fusion | PR #1157
#1155 | feat(mcpgw): add search_registry tool, deprecate intelligent_tool_finder | PR #1157
#1124 | Rename peer_token_missing_total to follow Prometheus Gauge naming convention | manual

Pull Requests Included

PR | Title
--- | ---
#1197 | chore(deps): bump starlette to 1.0.1 across remaining lockfiles
#1196 | docs: add consolidated demo-videos.md index + README link (#1190)
#1195 | build(deps): bump starlette from 1.0.0 to 1.0.1 in /servers/currenttime
#1194 | build(deps): bump starlette from 1.0.0 to 1.0.1 in /servers/realserverfaketools
#1193 | build(deps): bump starlette from 1.0.0 to 1.0.1 in /servers/example-server
#1192 | build(deps): bump starlette from 0.52.1 to 1.0.1 in /agents/a2a
#1191 | feat(ui): add "All Agents" wildcard option to IAM group Agent Access (#1189)
#1188 | fix(api): metadata round-trip follow-ups to PR #1175 (#1165)
#1186 | fix(api): persist visibility="public" on /servers/register and normalize absent on GET (#1181)
#1185 | chore(deps): bump react-router and react-router-dom in /frontend
#1184 | chore(deps): bump aiohttp from 3.13.5 to 3.14.0 in /auth_server
#1183 | chore(deps): bump aiohttp from 3.13.5 to 3.14.0 in /servers/example-server
#1182 | chore(deps): bump aiohttp from 3.13.5 to 3.14.0 in /agents/a2a
#1180 | fix(ui): handle strict-canonical server.json on JSON upload (#1178)
#1179 | feat(api): add PUT/PATCH endpoints for server metadata updates
#1176 | cap gitlab pagination
#1175 | fix: allow empty metadata server fields defaults to {}
#1171 | docs: update roadmap with current milestone progress
#1170 | fix(gitlab): address review feedback from PR #1128
#1167 | fix(nginx): use POSIX-compatible newlines in sed for IPv6 listener injection
#1166 | feat(mcpgw): add Claude Code server connection instructions to search tool
#1162 | feat(nginx): optional IPv6 listeners for IPv6-only clusters
#1161 | feat(ui): add Codex and CLI (curl) options to Connect modal
#1157 | fix(search): replace additive scoring with Reciprocal Rank Fusion
#1151 | Fix/address UI sluggishness
#1128 | feat(gitlab): translate GitLab /-/raw/ URLs to API v4 for private repos

Security Dependency Updates

Package | Previous | Updated | Scope
--- | --- | --- | ---
starlette | 0.52.1 | 1.0.1 | /agents/a2a (#1192), all remaining lockfiles (#1197)
starlette | 1.0.0 | 1.0.1 | /servers/currenttime (#1195), /servers/realserverfaketools (#1194), /servers/example-server (#1193)
aiohttp | 3.13.5 | 3.14.0 | /auth_server (#1184), /servers/example-server (#1183), /agents/a2a (#1182)
react-router, react-router-dom | (bump) | (bump) | /frontend (#1185)

Contributors

Thank you to all contributors for this release:

Plus automated dependency upgrades from Dependabot.




Full Changelog: 1.24.3...1.24.4

What's Changed

  • fix(search): replace additive scoring with Reciprocal Rank Fusion by @aarora79 in #1157
  • Fix/address UI sluggishness by @omrishiv in #1151
  • feat(ui): add Codex and CLI (curl) options to Connect modal by @aarora79 in #1161
  • feat(mcpgw): add Claude Code server connection instructions to search tool by @aarora79 in #1166
  • feat(nginx): optional IPv6 listeners for IPv6-only clusters by @thalescosta in #1162
  • fix(nginx): use POSIX-compatible newlines in sed for IPv6 listener injection by @aarora79 in #1167
  • feat(gitlab): translate GitLab /-/raw/ URLs to API v4 for private repos by @madhuc-ghub in #1128
  • fix(gitlab): address review feedback from PR #1128 by @aarora79 in #1170
  • docs: update roadmap with current milestone progress by @aarora79 in #1171
  • cap gitlab pagination by @omrishiv in #1176
  • feat(api): add PUT/PATCH endpoints for server metadata updates by @aarora79 in #1179
  • fix(ui): handle strict-canonical server.json on JSON upload (#1178) by @aarora79 in #1180
  • fix(api): persist visibility="public" on /servers/register and normalize absent on GET (#1181) by @aarora79 in #1186
  • fix: allow empty metadata server fields defaults to {} by @omrishiv in #1175
  • fix(api): metadata round-trip follow-ups to PR #1175 (#1165) by @aarora79 in #1188
  • feat(ui): add "All Agents" wildcard option to IAM group Agent Access (#1189) by @aarora79 in #1191
  • docs: add consolidated demo-videos.md index + README link (#1190) by @aarora79 in #1196
  • build(deps): bump starlette from 1.0.0 to 1.0.1 in /servers/currenttime by @dependabot[bot] in #1195
  • build(deps): bump starlette from 1.0.0 to 1.0.1 in /servers/realserverfaketools by @dependabot[bot] in #1194
  • build(deps): bump starlette from 1.0.0 to 1.0.1 in /servers/example-server by @dependabot[bot] in #1193
  • chore(deps): bump react-router and react-router-dom in /frontend by @dependabot[bot] in #1185
  • chore(deps): bump aiohttp from 3.13.5 to 3.14.0 in /auth_server by @dependabot[bot] in #1184
  • chore(deps): bump aiohttp from 3.13.5 to 3.14.0 in /servers/example-server by @dependabot[bot] in #1183
  • chore(deps): bump aiohttp from 3.13.5 to 3.14.0 in /agents/a2a by @dependabot[bot] in #1182
  • build(deps): bump starlette from 0.52.1 to 1.0.1 in /agents/a2a by @dependabot[bot] in #1192
  • chore(deps): bump starlette to 1.0.1 across remaining lockfiles by @aarora79 in #1197
  • ci: bump tfvars.example examples that pin a semver tag by @aarora79 in #1199
  • chore: update image tags to 1.24.4 by @github-actions[bot] in #1198
  • fix: bump terraform variables.tf public-ECR image defaults to 1.24.4 by @aarora79 in #1200
