Skip to content

[deps-release-notes] mcpg v0.3.25 action items #931

Description

@github-actions

Release Notes Action Items for mcpg 0.3.230.3.25

This issue summarizes upstream release notes for the mcpg dependency between the previously pinned version (0.3.23) and the new pinned version (0.3.25), highlighting items that may need follow-up in ado-aw.

The companion version-bump PR is titled chore(deps): update MCPG_VERSION to 0.3.25.

Releases analyzed

Breaking changes

  • "API key" surface renamed to "Agent ID"; compat aliases removed (v0.3.24): Rename gateway "API key" surface to Agent ID with compat aliases and X-Agent-ID routing + Remove deprecated API-key aliases and complete AgentID rename (v0.3.24). The MCPG gateway no longer accepts the old API-key–based env var / header surface. ado-aw uses MCP_GATEWAY_API_KEY (pipeline variable) mapped to MCPG_API_KEY env var, and references api_key in the McpgGatewayConfig struct (src/compile/extensions/mod.rs). These references may need to be updated to the new MCP_GATEWAY_AGENT_ID / X-Agent-ID surface. Verify that the compiled pipelines still authenticate correctly to MCPG with v0.3.24+.

Security fixes

  • $ENV expansion disabled in tool response filters (v0.3.25): security: disable $ENV in tool response filters and sync validation compile options (v0.3.25). MCPG now blocks $ENV variable expansion in tool response filter expressions to prevent environment variable leakage or injection through crafted tool responses. No ado-aw changes expected, but verify any custom filter expressions used in MCPG configuration remain functional.

Notable features for ado-aw to adopt

  • /reflect endpoint for live DIFC label snapshots (v0.3.24): Add unauthenticated /reflect endpoint for live DIFC label snapshots in gateway and proxy modes (v0.3.24). A new diagnostics endpoint on the MCPG allows inspection of live DIFC labels without authentication. ado-aw's audit/diagnostic tooling could use this endpoint to surface DIFC label state for debugging prompt-injection or tool-filtering issues.
  • Metadata endpoint allowlisting (v0.3.25): Proxy: allowlist metadata endpoints and passthrough unrecognized reads with empty DIFC labels (v0.3.25). The MCPG proxy now allowlists metadata endpoints and passes through unrecognized reads. This may resolve prior issues where certain MCP client liveness/metadata calls were incorrectly blocked by the proxy.

This issue was opened automatically by the dependency version updater workflow.

Generated by Dependency Version Updater · sonnet46 2.9M ·

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions