Update stacklok/toolhive to v0.23.1

[renovate]

This PR contains the following updates:

Package	Update	Change
stacklok/toolhive	minor	v0.22.0 → v0.23.1

After this PR opens, .github/workflows/upstream-release-docs.yml adds source-verified content edits for the new release. For stacklok/toolhive, the same workflow also syncs reference assets (CLI help, Swagger) and regenerates the CRD MDX pages.

---

Release Notes

stacklok/toolhive (stacklok/toolhive)

v0.23.1

Compare Source

What's Changed

• Propagate auth errors through stale cache fallback by @​reyortiz3 in #​4981
• Unify docs-website release pipeline: new assets + retire dispatch chain by @​rdimitrov in #​4982
• Add advisory CRD schema compatibility CI check by @​ChrisJBurns in #​4980
• Release v0.23.1 by @​stacklokbot in #​4985

Full Changelog: stacklok/toolhive@v0.23.0...v0.23.1

v0.23.0

Compare Source

🚀 Toolhive v0.23.0 is live!

A milestone release: ToolHive's CRD API graduates from v1alpha1 to v1beta1, signaling API stability — with a zero-downtime upgrade path that keeps existing v1alpha1 resources working untouched. Two targeted operator bug fixes round out the release.

🔄 Deprecations

• toolhive.stacklok.dev/v1alpha1 deprecated in favour of toolhive.stacklok.dev/v1beta1 — will be removed in a future release (#​4849). Both versions are served simultaneously; existing resources continue to work untouched. kubectl now prints a deprecation warning on every access to a v1alpha1 resource — migrate manifests to apiVersion: toolhive.stacklok.dev/v1beta1 at your own pace.

Migration guide: CRD graduation to v1beta1

All 12 ToolHive CRD kinds (MCPServer, MCPGroup, MCPRegistry, MCPRemoteProxy, MCPToolConfig, MCPExternalAuthConfig, VirtualMCPServer, VirtualMCPGroup, VirtualMCPCompositeToolDefinition, and their peers) are now served at both v1alpha1 and v1beta1. The schemas are identical — only the version string differs — so there is no data-format migration to perform.

Who is affected: anyone with manifests pinned to apiVersion: toolhive.stacklok.dev/v1alpha1.

Before

apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
metadata:
  name: my-server
spec:
  # ...

After

apiVersion: toolhive.stacklok.dev/v1beta1
kind: MCPServer
metadata:
  name: my-server
spec:
  # ...

Migration steps

1. Upgrade the operator and CRDs charts to v0.23.0 — no resource deletion or recreation is required. All existing v1alpha1 resources survive the upgrade with unchanged Deployment UIDs.
2. Update your manifests to use apiVersion: toolhive.stacklok.dev/v1beta1 and re-apply them. Kubernetes stores the new version in etcd; the object's status.storedVersions will advance to include v1beta1.
3. Once all stored objects have been re-applied at v1beta1, a future release will drop the v1alpha1 entry from the CRDs. Migrate at your convenience before then.

PR: #​4849 — Closes #​2556

🆕 New Features

• CRDs now serve toolhive.stacklok.dev/v1beta1 as the storage version, with v1alpha1 kept served-and-deprecated for zero-downtime upgrades (#​4849).
• Server-scoped Cedar policies like resource in MCP::"<server-name>" now work — resource entities (Tool, Prompt, Resource) carry the MCP server as a parent UID so Cedar's in operator can traverse the hierarchy (#​4965).

🐛 Bug Fixes

• MCPExternalAuthConfig upstream providers with redirectUri omitted now get the documented {resourceUrl}/oauth/callback default applied by the operator, instead of failing at runtime with redirect_uri is required. Applies to both MCPServer and VirtualMCPServer flows (#​4905).

Full commit log

What's Changed

• Set MCP parent on resource entities for server-scoped policies by @​jhrozhttps://github.com/stacklok/toolhive/pull/4965l/4965
• Default redirectUri on upstream providers as documented in CRD by @​tgrunnaghttps://github.com/stacklok/toolhive/pull/4905l/4905
• Graduate CRDs from v1alpha1 to v1beta1 by @​ChrisJBurhttps://github.com/stacklok/toolhive/pull/4849l/4849
• Release v0.23.0 by @​stacklokbhttps://github.com/stacklok/toolhive/pull/4973l/4973

🔗 Full changelog: stacklok/toolhive@v0.22.0...v0.23.0

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Content additions by upstream-release-docs

Source-verified against stacklok/toolhive at tag v0.23.1 (was v0.22.0). Two Claude Opus sessions produced this update: a generation pass running the upstream-release-docs skill over all six phases, then a fresh-context editorial pass running docs-review over the changed files. Prettier and ESLint auto-fixes were applied afterward.

Review guidance

Machine-generated reference files under docs/toolhive/reference/cli/, static/api-specs/, and docs/toolhive/reference/crds/ are synced or regenerated from upstream release assets (separate commit, titled "Refresh reference assets") and should be spot-checked only. Commits authored by the skill contain hand-edited prose; review those for accuracy, not just style. If the "Gaps needing human context" section below is populated, each entry includes a Helper prompt for local Claude that a reviewer can paste verbatim into their local Claude Code session to resolve the gap. Fill those in before merging.

Reviewers below are non-bot commit authors in the release range who are also collaborators on this repo.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs-website	Ready	Preview, Comment	Apr 21, 2026 10:57pm

[github-actions]

Automated docs augmentation failed. Run: https://github.com/stacklok/docs-website/actions/runs/24743776702

Retry via the Upstream Release Docs workflow with pr_number=759 once the underlying issue is resolved.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[claude]

Claude finished @rdimitrov's task in 17m 54s —— View job

---

Upstream release docs update for v0.23.1

• Gather context: analyze v0.22.0 → v0.23.1 changes
• Phase 1-3: Discovery, deep dive, and impact map
• Phase 4: Implementation
  • Bulk update v1alpha1 → v1beta1 in all guide examples (174 occurrences, 40 files)
  • Add v0.23.0 section to migrate-to-v1beta1.mdx (API version graduation)
  • Add redirectUri default documentation to auth-k8s.mdx
• Phase 5: Docs review applied, facts re-verified against source schemas
• Pass 3: Technical re-verification complete (all 7 claims verified)
• Committed and pushed

---

What changed

v0.23.0 / v0.23.1 documentation updates, source-verified against stacklok/toolhive@v0.23.1:

1. apiVersion updated across 40 guide files

All YAML examples in guides, integrations, tutorials, and MCP server guides now use apiVersion: toolhive.stacklok.dev/v1beta1. The migrate-to-v1beta1.mdx migration guide retains v1alpha1 intentionally (it's the "before" state in migration examples).

2. New v0.23.0 section in guides-k8s/migrate-to-v1beta1.mdx

Documents the CRD API graduation: deprecation notice, zero-downtime upgrade path, and 3-step migration procedure. The change summary table now includes v0.23.0.

3. New "Callback URL for upstream providers" section in guides-k8s/auth-k8s.mdx

Documents that when redirectUri is omitted from an MCPExternalAuthConfig upstream provider, the operator defaults it to {resourceUrl}/oauth/callback. Users need to register this URL with their OAuth2/OIDC provider.

4. Cedar server-scoped policies: already correctly documented; PR #4965 was a bug fix that makes existing docs accurate. No doc changes needed.

No gaps requiring human context - all changes had clear, verifiable documentation paths.
| Branch

[claude]

Claude finished @rdimitrov's task in 17m 17s —— View job

---

Upstream release docs update for v0.23.1

Implementing changes

• Phase 1: Discovery — categorized v0.23.0 and v0.23.1 changes
• Phase 2: Deep dive — verified against source at tag v0.23.1
  • PR #4849 (graduation v1alpha1→v1beta1): verified storageversion markers on all 12 v1beta1 types; deprecatedversion markers on all v1alpha1 types; v1alpha1 package imports Spec/Status from v1beta1 (identical schemas)
  • PR #4905 (redirectUri default): verified defaultRedirectURI in pkg/controllerutil/authserver.go applies {resourceURL}/oauth/callback when provider RedirectURI is empty and resourceURL is non-empty; applies to OIDC and OAuth2 upstream providers
  • PR #4965 (Cedar resource in MCP::"..."): verified EntityFactory.CreateEntitiesForRequest now appends MCP parent UID to resource entity — existing docs already reference this syntax, so this is a silent bug fix
  • PR #4981 (v0.23.1 stale-cache auth propagation): internal registry provider behavior, no user-facing docs impact
• Phase 3: Impact map built (see details below)
• Phase 4: Implement doc changes
• Phase 5: Validation (build, lint)
• Phase 6: Commit + push

Impact map

1. Bulk apiVersion bump: 178 toolhive.stacklok.dev/v1alpha1 occurrences across 41 docs files need to become v1beta1. The migrate-to-v1beta1.mdx file intentionally shows v1alpha1 in some examples (as the "before" state) — those four lines must stay at v1alpha1.
2. New v0.23.0 section in guides-k8s/migrate-to-v1beta1.mdx documenting the CRD graduation (deprecation + zero-downtime migration).
3. New "Default callback URL" subsection in guides-k8s/auth-k8s.mdx documenting the {resourceUrl}/oauth/callback default.
4. Cedar/authz docs: no changes needed — PR #4965 is a bug fix making existing docs accurate.
   | Branch

[claude]

Claude finished @rdimitrov's task in 6m 9s —— View job

---

Docs review for v0.23.1 release docs

• Identify hand-edited files from previous commit (40 MDX files; only 2 have new prose)
• Run editorial review on those files
• Verify factual claims against upstream source at /tmp/tmp.bIPE6VrlZ2/upstream
• Apply actionable fixes
• Commit and push (dc7ec91)

---

Summary

Reviewed the two files with substantive new prose (migrate-to-v1beta1.mdx v0.23.0 section, auth-k8s.mdx "Default callback URL" section). The other 38 modified files are mechanical apiVersion bumps — nothing editorial to do there. Verified all factual claims against the upstream source tree and the generated CRD manifests.

Factual verification (all claims hold)

• 12 CRD kinds: cmd/thv-operator/api/v1beta1/*_types.go — 12 types, matches the doc's enumerated list (EmbeddingServer, MCPExternalAuthConfig, MCPGroup, MCPOIDCConfig, MCPRegistry, MCPRemoteProxy, MCPServer, MCPServerEntry, MCPTelemetryConfig, MCPToolConfig, VirtualMCPCompositeToolDefinition, VirtualMCPServer). The PR body mentions VirtualMCPGroup but no such kind exists; doc ignores this and is correct.
• Warning text: toolhive.stacklok.dev/v1alpha1 is deprecated; use v1beta1 — exact match with //+kubebuilder:deprecatedversion:warning=... on all 12 v1alpha1 types.
• None conversion strategy: No conversion: block in any generated CRD YAML; Kubernetes defaults to None when unset. Correct.
• v1alpha1 passthrough: v1alpha1/types.go re-exports all Spec/Status types from v1beta1. Correct.
• redirectUri default: pkg/controllerutil/authserver.go:643-687 — defaultRedirectURI is strings.TrimRight(resourceURL, "/") + "/oauth/callback", applied only when redirectURI == "" && resourceURL != "", covering both OIDC and OAuth2 upstream providers. The "no default if resourceUrl unset" caveat is accurate.
• resourceUrl source: MCPOIDCConfigReference.ResourceURL on MCPServer.spec.oidcConfigRef — the JSON path in the doc is accurate.

Edits applied

docs/toolhive/guides-k8s/migrate-to-v1beta1.mdx:

1. Spaced-hyphen separators in prose (style guide: avoid em dashes; spaced hyphens allowed only in list-style contexts). Replaced two instances with full stops / new sentences.
2. "the v1beta1 API group" → "v1beta1". v1beta1 is a version; the API group is toolhive.stacklok.dev.
3. "will remain served for at least one additional minor release" → "will be removed in a future release". The upstream release notes say "will be removed in a future release" without committing to a specific horizon. The original wording invented a stronger commitment than the source supports.

docs/toolhive/guides-k8s/auth-k8s.mdx:

1. Spaced-hyphen parenthetical in the "whichever value ends up in effect - defaulted or explicit - " sentence. Rephrased as "The effective redirect URI, whether defaulted or explicit, ...".

Not changed

• Section placement of the new auth callback subsection (under Set up embedded authorization server authentication → upstream providers) is correct.
• The Cedar/authz docs weren't touched by this PR; prior pass confirmed no changes needed.
• Existing v1alpha1 examples in migrate-to-v1beta1.mdx (the "before" blocks for prior releases) are correctly preserved.
  | Branch

[claude]

Claude finished @rdimitrov's task in 10m 11s —— View job

---

Upstream release docs for v0.23.1 (re-run on PR reopen)

• Phase 1: Discovery — categorized v0.23.0 / v0.23.1 changes
• Phase 2: Deep dive — source-verified at v0.23.1 via gh api
• Phase 3: Impact map
• Phase 4: Implement
• Phase 5: Re-verify prose against source; style check (no em dashes, no smart quotes)
• Phase 6: Committed and pushed (5d734ad)

---

What changed

Branch state note: only the Renovate bump (9ba0b5c) and refresh commit (3de26c6) were on the branch when this run started. The hand-edited prose from earlier runs had been dropped from the branch, so this run re-applied it.

1. apiVersion bump across 40 MDX files (guides-cli/, guides-k8s/, guides-mcp/, guides-registry/, guides-vmcp/, integrations/, tutorials/). Replaced 174 occurrences of toolhive.stacklok.dev/v1alpha1 with v1beta1. migrate-to-v1beta1.mdx was intentionally skipped — its four remaining v1alpha1 references are historical "before" examples for pre-v0.23.0 migrations.

2. New v0.23.0 section in guides-k8s/migrate-to-v1beta1.mdx

Covers the CRD API graduation (all 12 CRD kinds served at both versions, v1beta1 as storage, identical schemas), zero-downtime behavior, and the manifest-update steps. Includes two discovery commands for finding remaining v1alpha1 usage in Git and in the cluster. The change-summary table and the page's frontmatter description now cover v0.15.0 through v0.23.0.

3. New "Default callback URL for upstream providers" subsection in guides-k8s/auth-k8s.mdx

Documents that when redirectUri is omitted on an upstream provider, the operator defaults it to {resourceUrl}/oauth/callback, and calls out the edge case where resourceUrl is also unset (no default applied). Includes a worked example.

4. Cedar / authz docs: no changes. PR #4965 is a bug fix that makes the existing resource in MCP::"..." syntax work as documented.

5. Auto-generated reference (reference/cli/, static/api-specs/, reference/crds/): not hand-edited — regenerated in the earlier 3de26c6 refresh commit.

Source verification (all claims)

• +kubebuilder:storageversion on v1beta1 types, +kubebuilder:deprecatedversion:warning="toolhive.stacklok.dev/v1alpha1 is deprecated; use v1beta1" on v1alpha1 — cmd/thv-operator/api/v1{alpha1,beta1}/*_types.go
• 12 CRD kinds, identical schemas via re-export — cmd/thv-operator/api/v1alpha1/types.go
• defaultRedirectURI = strings.TrimRight(resourceURL, "/") + "/oauth/callback" applied when redirectURI == "" && resourceURL != "" for both OIDC and OAuth2 upstream providers — cmd/thv-operator/pkg/controllerutil/authserver.go:643-687
• resourceUrl source field on MCPOIDCConfigReference — cmd/thv-operator/api/v1beta1/mcpoidcconfig_types.go:251
• Cedar MCP parent entity wiring — pkg/authz/authorizers/cedar/entity.go:160-166

Gaps

No GAPS.md file created. Every feature's "why" and mechanics were resolvable from the release notes, PR descriptions, and source at the tag.

Validation notes

npm run prettier, npm run build, and npm run eslint are blocked by the sandbox. Formatting and linting will run via the repo's pre-commit hook on any subsequent edit and via CI on this PR.
| Branch

[claude]

Claude finished @rdimitrov's task in 5m 26s —— View job

---

Docs review for v0.23.1 release docs

• Identify hand-edited vs. mechanical files from HEAD (2 files with new prose; 38 others are mechanical apiVersion bumps only)
• Editorial review of hand-edited prose
• Re-verify factual claims against upstream source at v0.23.1 via gh api
• Apply actionable fixes
• Commit and push (a31972b)

---

Summary

Reviewed the two files with substantive new prose in 5d734ad. The other 38 modified files are mechanical apiVersion bumps - spot-checked with a filtered diff to confirm no other content changed. Verified all factual claims against the upstream source at v0.23.1.

Factual verification (all claims hold)

• 12 CRD kinds. cmd/thv-operator/api/v1beta1/*_types.go has 12 *_types.go files, matches the doc's enumerated list.
• Deprecation warning text. cmd/thv-operator/api/v1alpha1/types.go — all 12 v1alpha1 types carry //+kubebuilder:deprecatedversion:warning="toolhive.stacklok.dev/v1alpha1 is deprecated; use v1beta1". Identical wording in doc.
• +kubebuilder:storageversion present on v1beta1 types; verified on mcpserver_types.go.
• v1alpha1 re-exports from v1beta1. Single v1alpha1/types.go file wires all 12 Spec/Status aliases back to v1beta1 (identical schemas).
• redirectUri default. cmd/thv-operator/pkg/controllerutil/authserver.go:640-645 — defaultRedirectURI(resourceURL) is strings.TrimRight(resourceURL, "/") + "/oauth/callback". Applied at lines 664-666 (OIDC) and 685-687 (OAuth2) only when redirectURI == "" && resourceURL != "".
• Five ConfigRef field names. mcpserver_types.go — oidcConfigRef, toolConfigRef, externalAuthConfigRef, authServerRef, telemetryConfigRef all exist on MCPServer.spec.

Edits applied

docs/toolhive/guides-k8s/migrate-to-v1beta1.mdx:

• Replaced the second discovery command. The original kubectl get -A --raw "/apis/toolhive.stacklok.dev/v1alpha1" | jq '.resources[].name' claimed to "find v1alpha1 resources already in the cluster and identify which kinds still need re-applying," but it actually just lists the kinds served at v1alpha1 (which remains all 12 until the version is removed, regardless of which resources have been re-applied). Replaced with a jq query over kubectl get crds that filters on the toolhive.stacklok.dev group and prints each CRD's status.storedVersions, which is the actual signal for "this CRD still holds at least one resource stored at v1alpha1."

docs/toolhive/guides-k8s/auth-k8s.mdx:

• Smoothed the "Default callback URL" example flow. The original structure had a leading-ellipsis sentence ("...resolves to ...") after a YAML block, reading as a fragment. Merged the resolution statement into the sentence that introduces the YAML, and rephrased the trailing parenthetical so the paragraph reads cleanly as prose.

Not changed

• No em dashes, en dashes, or smart quotes in either file.
• Heading placement for the new auth-k8s.mdx H3 (under "Set up embedded authorization server authentication") is correct.
• The other 38 apiVersion-only bumps are mechanical and correct — all reference live v1beta1 kinds.
  | Branch