Release 1.27.1 - Routing Observability, Security Hardening, and the airegistry-tools Fix
July 2026
Upgrading from 1.27.0
This section covers everything you need to know to upgrade from 1.27.0 to 1.27.1.
Breaking Changes
There are no breaking changes in this release.
New Environment Variables
No new required environment variables in this release.
One optional override is available (no action needed in a standard deployment):
| Variable | Default | Description |
|---|---|---|
MCPGW_HTTP_ALLOWED_HOSTS
| mcpgw-server
| Optional. Comma-separated host allowlist for the mcpgw server's FastMCP DNS-rebinding protection. This is a code-level default in the mcpgw server, not wired into any deployment surface, because the default mcpgw-server already matches the service name the registry front door uses across Docker Compose, ECS Service Connect, and Kubernetes. Override it only if you front mcpgw under a custom service name (set it via Helm extraEnv / Compose extra_env / Terraform mcpgw_extra_env), or set * to disable host/origin protection entirely (discouraged).
|
Upgrade Instructions
Docker Compose
cd mcp-gateway-registry
git pull origin main
git checkout 1.27.1
# No new required env vars; MCPGW_HTTP_ALLOWED_HOSTS defaults to mcpgw-server.
# Then rebuild and restart:
./build_and_run.shKubernetes / Helm (EKS)
cd mcp-gateway-registry
git pull origin main
git checkout 1.27.1
# REQUIRED: subchart values changed in this release (image tags), so rebuild the
# packaged subcharts before upgrading -- a plain helm upgrade would otherwise use
# stale packaged .tgz subcharts.
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update
# Update values.yaml if needed, then upgrade:
helm upgrade mcp-gateway . -f your-values.yamlTerraform / ECS
cd mcp-gateway-registry
git pull origin main
git checkout 1.27.1
# No new tfvars required. Redeploy so the mcpgw / registry / auth tasks pull the
# updated images (the airegistry-tools fix ships in the mcpgw image).
cd terraform/aws-ecs
terraform plan
terraform applyMajor Features
Per-target routing observability (target_kind)
The auth-server /validate metrics now carry a bounded target_kind label on mcpgw_registry_auth_request_total and mcpgw_registry_auth_request_duration, so operators can see how gateway traffic splits across routed target types: a2a_agent, virtual_mcp_server, mcp_server, control_plane, and unknown.
- Classification is an allowlist derived from the request path shape: a request is attributed to a data-plane target only on an explicit match, so
/api/*, static, and oauth2 control-plane calls are never miscounted as MCP-server traffic. - Ships with a PromQL cookbook in
docs/OBSERVABILITY.md(routing split, data-plane-only, per-kind success/latency, share-of-total) andscripts/generate-routing-traffic.sh, a load generator that drives all three axes so the metric populates for demos and smoke checks.
What's New
Observability
- Add
target_kindlabel to the auth-request metric and a "Target-type routing" PromQL cookbook indocs/OBSERVABILITY.md(#1496) - Add
scripts/generate-routing-traffic.shto drive MCP-server, A2A-agent, and control-plane traffic for populating the routing metric (#1496)
Security Fixes
- Reject reserved wildcard names in server-path and scope writes, preventing a caller from claiming an overbroad path/scope (#1484)
- Harden
get_skill_content(mcpgw server) against registry path traversal by validatingskill_namebefore interpolating it into the registry URL path (#1476) - Eliminate a ReDoS in
gitlab_url_utilsURL parsing (CodeQL 603/604) (#1487) - Remove the unused
create-indexes.jsand add it to.gitignore, clearing a CodeQL JavaScript finding (#1488)
Tooling and Documentation
- Add orchestrated and headless pipeline wrappers for the usage-report skill:
run_report.sh(Half A),finish_report.sh(Half B),generate_commentary_headless.sh, andrun_report_headless.sh(cron entrypoint), plus SKILL.md docs for the two-command and headless workflows (#1499) - Fix the A2A reverse-proxy testing commands and surface the discovery/routing topology in
simple_agents_test.py(nested-token flattening, corrected agent path,messageIdin the JSON-RPC payload, and inline routing proof) - Add clickable video links to the egress-auth and platform-demo slides so the links work in the PDF export
Bug Fixes
- Fix the built-in airegistry-tools MCP server showing Unhealthy and returning 405 to clients. FastMCP 3.x (adopted in 1.26.0 for multi-replica / stateless-http support) enables host/origin DNS-rebinding protection by default, which rejected the registry's reverse-proxy
Host: mcpgw-serverwith a 421; that failed the health check, so nginx dropped the/airegistry-tools/location block. The mcpgw server now configures FastMCP transport security to allow the front-door host (defaultmcpgw-server), keeping protection on. Fixes across Docker Compose, ECS, and EKS with no per-surface config (#1497)
Closed Issues
| Issue | Title | Closed By |
|---|---|---|
| #1498 | airegistry-tools MCP server unhealthy (FastMCP 3.x 421) leads to 405 for clients | PR #1497 |
Pull Requests Included
| PR | Title |
|---|---|
| #1499 | feat(usage-report): orchestrated + headless pipeline wrappers |
| #1497 | fix(mcpgw): allow reverse-proxy Host so airegistry-tools stays healthy (FastMCP 3.x 421) |
| #1496 | feat(metrics): add target_kind label to auth-request metric for MCP vs agent routing |
| #1488 | remove create-indexes.js and add to gitignore |
| #1487 | fix(security): eliminate ReDoS in gitlab_url_utils URL parsing |
| #1485 | chore: update image tags to 1.27.0 |
| #1484 | Reject reserved wildcard names in server-path / scope writes |
| #1476 | Harden get_skill_content against registry path traversal |
Contributors
Thank you to all contributors for this release:
Support
Full Changelog: 1.27.0...1.27.1## What's Changed
- chore: update image tags to 1.27.0 by @github-actions[bot] in #1485
- remove create-indexes.js and add to gitignore by @omrishiv in #1488
- fix(security): eliminate ReDoS in gitlab_url_utils URL parsing by @omrishiv in #1487
- Harden get_skill_content against registry path traversal by @omrishiv in #1476
- Reject reserved wildcard names in server-path by @omrishiv in #1484
- fix(mcpgw): allow reverse-proxy Host so airegistry-tools stays healthy (FastMCP 3.x 421) by @aarora79 in #1497
- feat(metrics): add target_kind label to auth-request metric for MCP vs agent routing by @aarora79 in #1496
- feat(usage-report): orchestrated + headless pipeline wrappers by @aarora79 in #1499
Full Changelog: 1.27.0...1.27.1