Release 1.24.7 - Auth/Scope Hardening & Deployment Flexibility

June 2026

Overview

This release focuses on authentication and scope hardening alongside greater deployment flexibility. On the auth side, IdP groups are now filtered to the scope-relevant set at login (backed by a single bulk scope lookup), the /mcp-proxy internal token is hardened with a configurable short TTL and clock-skew leeway, signed JWTs are validated on both the registry and mcp-proxy hops, and datetime serialization and token-lifetime enforcement are fixed. On the deployment side, this release adds a full AWS CDK infrastructure option, lets ECS deployments reuse an existing VPC and subnets, and exposes a configurable AUTH_SERVER_URL Terraform variable for Cloud Map / FQDN setups. It also restores working Kubernetes / Helm (EKS) deployments by repointing the Keycloak and PostgreSQL images away from the removed Bitnami public ECR mirror. Rounding out the release are stale-embedding cleanup tooling, an audit dashboard executive summary, and on-demand A2A agent card pulls with a dry-run preview.

Note: token-mint audit / OTEL (#1215) moved to the 1.24.8 milestone.

Upgrading from 1.24.6

This section covers everything you need to know to upgrade from 1.24.6 to 1.24.7.

Breaking Changes

There are no breaking changes in this release. However, Kubernetes / Helm (EKS) operators must take action because of a required Keycloak image source change (see below).

Required action for EKS: Keycloak and PostgreSQL image source changed

Broadcom removed the free Bitnami catalog from both Docker Hub (docker.io/bitnami/*) and the AWS public ECR mirror (public.ecr.aws/bitnami/*). The stack chart previously pulled Keycloak and its bundled PostgreSQL from public.ecr.aws/bitnami/*, which now returns HTTP 404. Fresh EKS deployments, scale-ups, and node refreshes would fail with ImagePullBackOff.

This release repoints both images to the frozen Bitnami legacy archive on Docker Hub, which is still publicly pullable (PR #1287):

Note that bitnamilegacy images are frozen and no longer receive updates or security patches. This restores working deployments now; a future release will migrate the Helm surface onto the upstream quay.io/keycloak/keycloak image already used by Docker Compose, Terraform/ECS, and CDK. If you override the Keycloak image in your own values.yaml, update it to match.

New Environment Variables

Upgrade Instructions

Docker Compose

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.7

# Review new env vars in .env.example and update your .env if needed
# Then rebuild and restart:
./build_and_run.sh

Kubernetes / Helm (EKS)

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.7

# REQUIRED: subchart templates and values changed in this release, so the
# packaged subchart .tgz files must be rebuilt before upgrading.
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update

# Update values.yaml if needed, then upgrade:
helm upgrade mcp-gateway . -f your-values.yaml

The helm dependency build and helm dependency update steps are mandatory for this release: files under charts/ changed (the Keycloak/PostgreSQL image source, the new allowedIdpGroups and internal-token values, and the registry Service/Deployment port cleanup). The packaged subchart .tgz files inside charts/mcp-gateway-registry-stack/charts/ are gitignored and only repackage when these commands run. A plain git pull followed by helm upgrade would silently use stale subcharts and miss the Keycloak image fix.

Terraform / ECS

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.7

# Update your .tfvars with any new variables (see AUTH_SERVER_URL below)
cd terraform/aws-ecs
terraform plan
terraform apply

This release adds an AUTH_SERVER_URL Terraform variable so ECS deployments can point the auth-server at a Cloud Map / FQDN endpoint (PR #1284). Review the new variable in variables.tf before applying.

Container Images

Pre-built images are published to Amazon ECR Public at public.ecr.aws/p3v1o3c6 by the "Release Docker Images" workflow on tag push:

docker pull public.ecr.aws/p3v1o3c6/registry:1.24.7
docker pull public.ecr.aws/p3v1o3c6/auth-server:1.24.7
docker pull public.ecr.aws/p3v1o3c6/mcpgw:1.24.7

Major Features

CDK infrastructure for MCP Gateway Registry

A complete AWS CDK deployment option has been added alongside the existing Terraform/ECS and Helm surfaces, giving teams a TypeScript-native infrastructure-as-code path for provisioning the gateway, registry, auth-server, Keycloak, and supporting AWS resources.

PR #903

Login-time IdP group filtering

Users with very large IdP group memberships (for example Entra ID accounts in hundreds or thousands of AD groups) previously caused X-Groups header bloat and per-request slowness. The registry now filters groups to the scope-relevant set at login. By default it auto-derives the allowlist from scope mappings; operators can also pin an explicit allowlist via ALLOWED_IDP_GROUPS.

PR #1279

On-demand A2A agent card pull with dry-run preview

Agent cards can now be pulled on demand for A2A agents, with a dry-run preview and overwrite support so operators can review what will change before committing.

PR #1263

What's New

Deployment

• Expose AUTH_SERVER_URL as a Terraform variable for ECS (Cloud Map / FQDN auth-server) (#1284)
• Enable use of existing VPC and subnets for AWS ECS deployment (#1264)
• Fix Keycloak and PostgreSQL image source for EKS by repointing to docker.io/bitnamilegacy/* (#1287)

Security / Authentication

• Harden the /mcp-proxy internal token with a configurable short TTL and clock-skew leeway (#1272)
• Validate signed JWT for the registry (#1262)
• Validate signed JWT for the mcp-proxy hop (#1260)
• Filter IdP groups to a scope-relevant set at login (#1279)
• Stop exposing the raw uvicorn app port (7860) as a registry Service port; the app binds loopback only and is fronted by in-pod nginx (#1278)

Performance

• Collapse per-group scope lookup into a single bulk query and add a group_mappings index (#1281)
• Remove N+1 calls for ratings and security-scans (#1258)

Audit and Reporting

• Add an executive summary band to the audit dashboard (#1274)
• Add a report-day reporter count to the usage-report executive summary (#1273)

Embeddings

• Add a stale-embedding CLI, no-op cleanup feedback, and FAQ as a follow-up to stale-index cleanup (#1261)
• Remove stale embeddings from the vector index after server/agent/skill deletion (#1232)

Connect-Config

• Persist per-server oauth_client_id and append_mcp_path (#1241)
• Document the write path for per-server oauth_client_id and append_mcp_path (#1256)

Infrastructure / Build

• Add CDK infrastructure for MCP Gateway Registry (#903)
• Restore docker/Dockerfile.mcp-server-light still referenced by compose (#1257)
• Remove unused dockerfiles and package.json (#1254)

Bug Fixes

• Fix datetime serialization causing GET /api/servers/groups/{group_name} to return 500, and enforce token lifetime (#1272)
• Templatize the auth-server hostname in nginx templates and fix the file-backend group mapping inversion (#1278)
• Validate signed JWT for the registry (#1262)
• Validate signed JWT for the mcp-proxy (#1260)
• Restore docker/Dockerfile.mcp-server-light still referenced by compose (#1257)

Closed Issues

Pull Requests Included

Security Dependency Updates

Contributors

Thank you to all contributors for this release:

• Amit Arora (@aarora79)
• omrishiv (@omrishiv)
• Ajay Misra (@ajmsra)
• Vrinda Bhandari (@vrindabhandari)
• Ahmed Hatem (@AhmedHatemMG)
• Harshit Kumar Gupta (@harshitkgupta)
• Gonçalo Faustino (@go-faustino)
• Akarsh Saklani (@Akarsh-2004)

Support

• GitHub Issues
• GitHub Discussions
• Documentation

Full Changelog: 1.24.6...1.24.7

What's Changed

• chore: update image tags to 1.24.6 by @github-actions[bot] in #1253
• build(deps): bump the uv group across 9 directories with 2 updates by @dependabot[bot] in #1252
• Remove unused dockerfiles and package.json by @omrishiv in #1254
• feat(connect-config): persist per-server oauth_client_id and append_mcp_path by @go-faustino in #1241
• fix(build): restore docker/Dockerfile.mcp-server-light still referenced by compose by @aarora79 in #1257
• docs(connect-config): document write path for per-server oauth_client_id / append_mcp_path by @aarora79 in #1256
• feat(infra): add CDK infrastructure for MCP Gateway Registry by @harshitkgupta in #903
• Remove N+1 calls for ratings and security-scans by @omrishiv in #1258
• fix: validate signed jwt for mcp-proxy by @omrishiv in #1260
• 1145 by @Akarsh-2004 in #1232
• feat(embeddings): stale-embedding CLI, no-op cleanup feedback, and FAQ (#1232 follow-up) by @aarora79 in #1261
• fix:validate signed jwt for registry by @omrishiv in #1262
• feat(usage-report): add report-day reporter count to executive summary by @aarora79 in #1273
• feat(audit): add executive summary band to audit dashboard by @aarora79 in #1274
• Filter IdP groups to scope-relevant set at login (fix X-Groups header bloat and per-request slowness) by @aarora79 in #1279
• feat(agents): on-demand A2A agent card pull with dry-run preview (#1030) by @vrindabhandari in #1263
• perf(auth): collapse per-group scope lookup into one bulk query (+ group_mappings index) by @aarora79 in #1281
• feat: Enable use of existing VPC and subnets for AWS ECS deployment. by @AhmedHatemMG in #1264
• Fix datetime serialization and token lifetime enforcement (#573, #889) by @ajmsra in #1272
• Update auth Server DNS Resolution in NGINX Templates and Align FileScopeRepository Group Mapping Behavior by @ajmsra in #1278
• feat(terraform): expose AUTH_SERVER_URL as a variable for ECS (#1283) by @aarora79 in #1284
• updating keycloak and postgres images by @omrishiv in #1287

New Contributors

• @Akarsh-2004 made their first contribution in #1232
• @AhmedHatemMG made their first contribution in #1264
• @ajmsra made their first contribution in #1272

Full Changelog: 1.24.6...1.24.7