v0.0.4

What's new in 0.0.4

Upstream auth without plaintext secrets

• static_headers values support ${env:VAR} / ${file:path} secret references resolved at connect time — the registry and admin API only ever hold the reference
• OAuth2 client_credentials grant (auth=oauth_client_credentials): headless machine-to-machine tokens with in-memory caching and refresh; the client secret must itself be a secret reference (raw secrets are rejected). Importable standalone via client_credentials_hook() — no plugin required in library mode

Human-in-the-loop, programmable

• JSON decision API alongside the browser pages: GET /admin/hil/pending, POST /admin/hil/pending/{id}/approve|deny — Slack bots, custom UIs, and CI can decide
• Pluggable notifier on HumanApprovalPlugin(notifier=...); browser-open is just the default

Fast startup

• The daemon no longer blocks on introspecting every upstream at boot (startup_catalog: "background" default — serves instantly with the last-known catalog); "refresh" and "skip" modes available, create_gateway keeps blocking behavior by default
• POST /admin/servers/{id}/refresh re-introspects a single server without fanning out to the rest

Failure observability

• New observe-only hook seams: tool_error (denials, rejected confirmations, upstream failures) and connect_error (failed introspection) — the audit trail now covers failures, not just successes

Plus

• REST tools API (/admin/tools list / describe / invoke), in-process Gateway.call_tool() / client(), folder-per-plugin layout, agentos tool-poisoning scan + per-group rate limiting, patch re-validation in the store, deps on latest (fastmcp 3.4.2)

Full details in #5. Validated by 355 unit tests and 5 live end-to-end suites (24 checks for the new auth/HIL/startup surfaces alone).