Release v1.0.21 - Admin Tooling, Centralized Logging, and ARM64 Support

April 2026

Upgrading from v1.0.20

This section covers everything you need to know to upgrade from v1.0.20 to v1.0.21.

Breaking Changes

There are no breaking changes in this release. All new features use sensible defaults and existing deployments will continue to work without configuration changes.

New Environment Variables

Upgrade Instructions

Docker Compose

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.21

# Review new env vars in .env.example and update your .env if needed
# Then rebuild and restart:
./build_and_run.sh

Kubernetes / Helm (EKS)

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.21

# Update values.yaml with any new app log variables, then upgrade:
helm upgrade mcp-gateway . -f your-values.yaml

Terraform / ECS

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.21

# Update your .tfvars with any new variables
cd terraform/aws-ecs
terraform plan
terraform apply

DockerHub Images

Pre-built images are available:

docker pull mcpgateway/registry:v1.0.21
docker pull mcpgateway/auth-server:v1.0.21
docker pull mcpgateway/currenttime-server:v1.0.21
docker pull mcpgateway/realserverfaketools-server:v1.0.21
docker pull mcpgateway/mcpgw-server:v1.0.21
docker pull mcpgateway/fininfo-server:v1.0.21
docker pull mcpgateway/metrics-service:v1.0.21

Major Features

Admin Data Export

A new Data Export section in the admin Settings page allows downloading registry data as JSON files for debugging, auditing, and backup. Supports 11 collections: Servers, Agents, Skills, Virtual Servers, Federation Peers, Federation Configs, Registry Card, IAM Users, IAM Groups, IAM M2M Clients, and Scopes. Download individual collections or use the Download All as ZIP button (powered by JSZip) with per-collection progress indicators. Includes a sensitive data warning banner and a dedicated scopes export endpoint that dumps full server_access rules. Admin-only access, not visible to non-admin users.

PR #908

Centralized Log Rotation, Storage, and Retrieval

Production-grade application logging with RotatingFileHandler (50 MB, 5 backups) for both the registry and auth-server. Optional MongoDB storage via a non-blocking MongoDBLogHandler with buffered background writes and TTL-based auto-expiry. Admin REST API endpoints (GET /api/admin/logs for querying with filters, GET /api/admin/logs/export for JSONL download, GET /api/admin/logs/metadata for available services and levels) and a Settings UI Log Viewer with filtering by service, level, hostname, search text, and time range. Security includes MongoDB regex injection prevention via re.escape(), rate limiting (10 requests per 60 seconds per user), and max search length validation. MongoDB logging is ON by default; disable with APP_LOG_CENTRALIZED_ENABLED=false. File-based rotation is always active.

PR #888, PR #900, PR #905

Multi-Architecture Docker Images (ARM64)

Docker images are now built for both amd64 and arm64 architectures using Docker Buildx multi-platform builds. ARM64 users (Apple Silicon Macs, AWS Graviton instances) can now pull and run images natively without emulation overhead.

PR #865

Per-Skill Auth Credentials and Content Drift Detection

Skills now support per-skill authentication credentials (API keys, Bearer tokens) stored with the skill card. Multi-file skill support allows skills to reference multiple source files. Content drift detection compares the current skill content against the registered version and flags changes, helping operators detect when upstream skill definitions have been modified.

PR #849, PR #898

What's New

Admin Tooling

• Admin Data Export page with 11 collection types and ZIP download (#908)
• Dedicated scopes export endpoint for full server_access rule dumps (#908)

Observability

• Centralized log rotation with RotatingFileHandler for registry and auth-server (#888)
• MongoDB log storage with non-blocking buffered writes and TTL auto-expiry (#888)
• Admin log retrieval API with filtering, export, and metadata endpoints (#888)
• Settings UI Log Viewer with service, level, hostname, and time range filters (#888)
• Post-merge fixes for log handler naming, defaults, and linting (#900)
• Graceful PermissionError handling in RotatingFileHandler (#905)

Skills

• Per-skill auth credentials for API key and Bearer token authentication (#849)
• Multi-file skill support for referencing multiple source files (#849)
• Content drift detection for upstream skill definition changes (#849)
• Post-merge fixes for auth, service layering, and env docs (#898)

Infrastructure

• Multi-arch Docker images for amd64 and arm64 (#865)
• Helm chart configmaps for application log settings (registry and auth-server) (#888)
• YAML anchor pattern for shared app log config in stack chart (#888)
• MCPGW OIDC/OAuth2 environment variable documentation in .env.example

Performance

• Remove in-memory agent registry and state cache in favor of direct repository queries (#907)
• Bulk get_all_states() method to eliminate N+1 queries in agent state lookups (#910)
• Aligned get_state() interface signatures across repository implementations (#910)

Security

• Scoped add_server_scope and remove_server_scope IAM actions to target group only (#909)
• Skip CSRF validation for Bearer token clients on toggle endpoints (#894)

Documentation

• README roadmap updated with release-based milestones (v1.0.20, v1.0.21, v1.0.22)
• What's New entries for Admin Data Export and Centralized Logging

Bug Fixes

• Fix CSRF validation blocking programmatic agent/skill toggle for Bearer token clients (#894)
• Fix add_server_scope and remove_server_scope applying to all groups instead of target group (#909)
• Fix PermissionError crash in RotatingFileHandler when log directory has restricted permissions (#905)
• Fix log handler naming conventions and default values after initial logging PR merge (#900)
• Fix N+1 query pattern in agent state lookups by adding bulk get_all_states() (#910)
• Fix get_state() signature divergence between file and DocumentDB repository implementations (#910)

Pull Requests Included

Security Dependency Updates

Contributors

Thank you to all contributors for this release:

• Amit Arora (@amitarora)
• Daniel Y (@daniely)
• Prateek Sinha (@prateeksinha)
• Omri Shiv (@omrishiv)
• Madhu C (@madhuc-ghub)

Support

• GitHub Issues
• GitHub Discussions
• Documentation

Full Changelog: v1.0.20...v1.0.21

What's Changed

• chore(deps): bump gitpython from 3.1.45 to 3.1.47 by @dependabot[bot] in #892
• chore(deps): bump postcss from 8.5.6 to 8.5.10 by @dependabot[bot] in #890
• fix: skip CSRF validation for Bearer token clients on toggle endpoints by @aarora79 in #894
• feat(skills): add auth credentials, multi-file support, and content drift detection by @madhuc-ghub in #849
• chore(skill): add stickiness metrics and most active instances to usage-report by @aarora79 in #899
• fix(skills): post-PR-849 follow-ups for auth, service layering, and env docs by @aarora79 in #898
• feat(logging): centralized log rotation, MongoDB storage, and retrieval API by @shekharprateek in #888
• fix(logging): post-PR-888 follow-ups for naming, defaults, linting, and docs by @aarora79 in #900
• fix(logging): handle PermissionError in RotatingFileHandler gracefully by @aarora79 in #905
• feat(settings): add admin Data Export page for downloading registry collections by @aarora79 in #908
• fix(scopes): scope server_access writes to target group only by @aarora79 in #909
• remove in-memory agent registry and state cache by @omrishiv in #907
• fix(agents): add bulk get_all_states() and align get_state() signatures by @aarora79 in #910
• chore(deps): bump postcss from 8.5.6 to 8.5.12 in /frontend by @dependabot[bot] in #887
• feat: build multi-arch Docker images (amd64 + arm64) by @danielfree in #865

New Contributors

• @madhuc-ghub made their first contribution in #849
• @danielfree made their first contribution in #865

Full Changelog: v1.0.20...v1.0.21