Release Notes Action Items for mcpg 0.3.23 → 0.3.25
This issue summarizes upstream release notes for the mcpg dependency between the previously pinned version (0.3.23) and the new pinned version (0.3.25), highlighting items that may need follow-up in ado-aw.
The companion version-bump PR is titled chore(deps): update MCPG_VERSION to 0.3.25.
Releases analyzed
Breaking changes
- "API key" surface renamed to "Agent ID"; compat aliases removed (v0.3.24):
Rename gateway "API key" surface to Agent ID with compat aliases and X-Agent-ID routing + Remove deprecated API-key aliases and complete AgentID rename (v0.3.24). The MCPG gateway no longer accepts the old API-key–based env var / header surface. ado-aw uses MCP_GATEWAY_API_KEY (pipeline variable) mapped to MCPG_API_KEY env var, and references api_key in the McpgGatewayConfig struct (src/compile/extensions/mod.rs). These references may need to be updated to the new MCP_GATEWAY_AGENT_ID / X-Agent-ID surface. Verify that the compiled pipelines still authenticate correctly to MCPG with v0.3.24+.
Security fixes
$ENV expansion disabled in tool response filters (v0.3.25): security: disable $ENV in tool response filters and sync validation compile options (v0.3.25). MCPG now blocks $ENV variable expansion in tool response filter expressions to prevent environment variable leakage or injection through crafted tool responses. No ado-aw changes expected, but verify any custom filter expressions used in MCPG configuration remain functional.
Notable features for ado-aw to adopt
/reflect endpoint for live DIFC label snapshots (v0.3.24): Add unauthenticated /reflect endpoint for live DIFC label snapshots in gateway and proxy modes (v0.3.24). A new diagnostics endpoint on the MCPG allows inspection of live DIFC labels without authentication. ado-aw's audit/diagnostic tooling could use this endpoint to surface DIFC label state for debugging prompt-injection or tool-filtering issues.
- Metadata endpoint allowlisting (v0.3.25):
Proxy: allowlist metadata endpoints and passthrough unrecognized reads with empty DIFC labels (v0.3.25). The MCPG proxy now allowlists metadata endpoints and passes through unrecognized reads. This may resolve prior issues where certain MCP client liveness/metadata calls were incorrectly blocked by the proxy.
This issue was opened automatically by the dependency version updater workflow.
Generated by Dependency Version Updater · sonnet46 2.9M · ◷
Release Notes Action Items for
mcpg0.3.23→0.3.25This issue summarizes upstream release notes for the
mcpgdependency between the previously pinned version (0.3.23) and the new pinned version (0.3.25), highlighting items that may need follow-up in ado-aw.The companion version-bump PR is titled
chore(deps): update MCPG_VERSION to 0.3.25.Releases analyzed
Breaking changes
Rename gateway "API key" surface to Agent ID with compat aliases and X-Agent-ID routing+Remove deprecated API-key aliases and complete AgentID rename(v0.3.24). The MCPG gateway no longer accepts the old API-key–based env var / header surface. ado-aw usesMCP_GATEWAY_API_KEY(pipeline variable) mapped toMCPG_API_KEYenv var, and referencesapi_keyin theMcpgGatewayConfigstruct (src/compile/extensions/mod.rs). These references may need to be updated to the newMCP_GATEWAY_AGENT_ID/X-Agent-IDsurface. Verify that the compiled pipelines still authenticate correctly to MCPG with v0.3.24+.Security fixes
$ENVexpansion disabled in tool response filters (v0.3.25):security: disable $ENV in tool response filters and sync validation compile options(v0.3.25). MCPG now blocks$ENVvariable expansion in tool response filter expressions to prevent environment variable leakage or injection through crafted tool responses. No ado-aw changes expected, but verify any custom filter expressions used in MCPG configuration remain functional.Notable features for ado-aw to adopt
/reflectendpoint for live DIFC label snapshots (v0.3.24):Add unauthenticated /reflect endpoint for live DIFC label snapshots in gateway and proxy modes(v0.3.24). A new diagnostics endpoint on the MCPG allows inspection of live DIFC labels without authentication. ado-aw's audit/diagnostic tooling could use this endpoint to surface DIFC label state for debugging prompt-injection or tool-filtering issues.Proxy: allowlist metadata endpoints and passthrough unrecognized reads with empty DIFC labels(v0.3.25). The MCPG proxy now allowlists metadata endpoints and passes through unrecognized reads. This may resolve prior issues where certain MCP client liveness/metadata calls were incorrectly blocked by the proxy.This issue was opened automatically by the dependency version updater workflow.