github agentic-community/mcp-gateway-registry 1.27.1
1.27.1 - Routing Observability, Security Hardening, and the airegistry-tools Fix

3 hours ago

Release 1.27.1 - Routing Observability, Security Hardening, and the airegistry-tools Fix

July 2026


Upgrading from 1.27.0

This section covers everything you need to know to upgrade from 1.27.0 to 1.27.1.

Breaking Changes

There are no breaking changes in this release.

New Environment Variables

No new required environment variables in this release.

One optional override is available (no action needed in a standard deployment):

Variable Default Description
MCPGW_HTTP_ALLOWED_HOSTS mcpgw-server Optional. Comma-separated host allowlist for the mcpgw server's FastMCP DNS-rebinding protection. This is a code-level default in the mcpgw server, not wired into any deployment surface, because the default mcpgw-server already matches the service name the registry front door uses across Docker Compose, ECS Service Connect, and Kubernetes. Override it only if you front mcpgw under a custom service name (set it via Helm extraEnv / Compose extra_env / Terraform mcpgw_extra_env), or set * to disable host/origin protection entirely (discouraged).

Upgrade Instructions

Docker Compose

cd mcp-gateway-registry
git pull origin main
git checkout 1.27.1

# No new required env vars; MCPGW_HTTP_ALLOWED_HOSTS defaults to mcpgw-server.
# Then rebuild and restart:
./build_and_run.sh

Kubernetes / Helm (EKS)

cd mcp-gateway-registry
git pull origin main
git checkout 1.27.1

# REQUIRED: subchart values changed in this release (image tags), so rebuild the
# packaged subcharts before upgrading -- a plain helm upgrade would otherwise use
# stale packaged .tgz subcharts.
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update

# Update values.yaml if needed, then upgrade:
helm upgrade mcp-gateway . -f your-values.yaml

Terraform / ECS

cd mcp-gateway-registry
git pull origin main
git checkout 1.27.1

# No new tfvars required. Redeploy so the mcpgw / registry / auth tasks pull the
# updated images (the airegistry-tools fix ships in the mcpgw image).
cd terraform/aws-ecs
terraform plan
terraform apply

Major Features

Per-target routing observability (target_kind)

The auth-server /validate metrics now carry a bounded target_kind label on mcpgw_registry_auth_request_total and mcpgw_registry_auth_request_duration, so operators can see how gateway traffic splits across routed target types: a2a_agent, virtual_mcp_server, mcp_server, control_plane, and unknown.

  • Classification is an allowlist derived from the request path shape: a request is attributed to a data-plane target only on an explicit match, so /api/*, static, and oauth2 control-plane calls are never miscounted as MCP-server traffic.
  • Ships with a PromQL cookbook in docs/OBSERVABILITY.md (routing split, data-plane-only, per-kind success/latency, share-of-total) and scripts/generate-routing-traffic.sh, a load generator that drives all three axes so the metric populates for demos and smoke checks.

PR #1496


What's New

Observability

  • Add target_kind label to the auth-request metric and a "Target-type routing" PromQL cookbook in docs/OBSERVABILITY.md (#1496)
  • Add scripts/generate-routing-traffic.sh to drive MCP-server, A2A-agent, and control-plane traffic for populating the routing metric (#1496)

Security Fixes

  • Reject reserved wildcard names in server-path and scope writes, preventing a caller from claiming an overbroad path/scope (#1484)
  • Harden get_skill_content (mcpgw server) against registry path traversal by validating skill_name before interpolating it into the registry URL path (#1476)
  • Eliminate a ReDoS in gitlab_url_utils URL parsing (CodeQL 603/604) (#1487)
  • Remove the unused create-indexes.js and add it to .gitignore, clearing a CodeQL JavaScript finding (#1488)

Tooling and Documentation

  • Add orchestrated and headless pipeline wrappers for the usage-report skill: run_report.sh (Half A), finish_report.sh (Half B), generate_commentary_headless.sh, and run_report_headless.sh (cron entrypoint), plus SKILL.md docs for the two-command and headless workflows (#1499)
  • Fix the A2A reverse-proxy testing commands and surface the discovery/routing topology in simple_agents_test.py (nested-token flattening, corrected agent path, messageId in the JSON-RPC payload, and inline routing proof)
  • Add clickable video links to the egress-auth and platform-demo slides so the links work in the PDF export

Bug Fixes

  • Fix the built-in airegistry-tools MCP server showing Unhealthy and returning 405 to clients. FastMCP 3.x (adopted in 1.26.0 for multi-replica / stateless-http support) enables host/origin DNS-rebinding protection by default, which rejected the registry's reverse-proxy Host: mcpgw-server with a 421; that failed the health check, so nginx dropped the /airegistry-tools/ location block. The mcpgw server now configures FastMCP transport security to allow the front-door host (default mcpgw-server), keeping protection on. Fixes across Docker Compose, ECS, and EKS with no per-surface config (#1497)

Closed Issues

Issue Title Closed By
#1498 airegistry-tools MCP server unhealthy (FastMCP 3.x 421) leads to 405 for clients PR #1497

Pull Requests Included

PR Title
#1499 feat(usage-report): orchestrated + headless pipeline wrappers
#1497 fix(mcpgw): allow reverse-proxy Host so airegistry-tools stays healthy (FastMCP 3.x 421)
#1496 feat(metrics): add target_kind label to auth-request metric for MCP vs agent routing
#1488 remove create-indexes.js and add to gitignore
#1487 fix(security): eliminate ReDoS in gitlab_url_utils URL parsing
#1485 chore: update image tags to 1.27.0
#1484 Reject reserved wildcard names in server-path / scope writes
#1476 Harden get_skill_content against registry path traversal

Contributors

Thank you to all contributors for this release:


Support


Full Changelog: 1.27.0...1.27.1## What's Changed

  • chore: update image tags to 1.27.0 by @github-actions[bot] in #1485
  • remove create-indexes.js and add to gitignore by @omrishiv in #1488
  • fix(security): eliminate ReDoS in gitlab_url_utils URL parsing by @omrishiv in #1487
  • Harden get_skill_content against registry path traversal by @omrishiv in #1476
  • Reject reserved wildcard names in server-path by @omrishiv in #1484
  • fix(mcpgw): allow reverse-proxy Host so airegistry-tools stays healthy (FastMCP 3.x 421) by @aarora79 in #1497
  • feat(metrics): add target_kind label to auth-request metric for MCP vs agent routing by @aarora79 in #1496
  • feat(usage-report): orchestrated + headless pipeline wrappers by @aarora79 in #1499

Full Changelog: 1.27.0...1.27.1

Don't miss a new mcp-gateway-registry release

NewReleases is sending notifications on new releases.