v0.29.2

@toolhive-release-app toolhive-release-app released this 10 Jun 18:29
· 20 commits to main since this release
5143fd8

🚀 Toolhive v0.29.2 is live!

A hardening-focused patch release: two security fixes, an operator-chart regression safety net via helm-unittest, an OTLP header delivery fix, an OAuth public-client TTL fix, continued vMCP New/Serve refactor scaffolding, and the deprecation of the MCPRegistry CRD.

🔄 Deprecations

  • MCPRegistry CRD deprecated in favour of the toolhive-registry-server Helm chart — the CRD remains fully functional but now emits a kubectl deprecation warning and an operator Warning event; it will be removed in a future release (#5470)

🐛 Bug Fixes

  • OAuth/OIDC discovery endpoints (RFC 9728 protected-resource metadata, RFC 8414 authorization-server metadata, OIDC discovery, JWKS) now work for stdio-backed MCP servers with an embedded auth server, instead of returning 404 (#5479)
  • Long-lived public OAuth clients registered via Dynamic Client Registration are no longer evicted after 30 days of active use — their TTL now refreshes on each successful token exchange, preventing spurious invalid_client failures (#5469)
  • OTLP exporter headers supplied via OTEL_EXPORTER_OTLP_HEADERS are no longer silently dropped on the POST /api/v1/workloads path, so collectors requiring an auth header now receive telemetry (#5474)
  • Overriding operator.serviceAccount.name in the operator Helm chart no longer breaks the deployment — every reference now routes through the same serviceAccountName helper (#5476)
  • Prevented a path-traversal weakness in LocalStore.getFilePath so state-store file operations can no longer escape the base directory (#5464, fixes #4736)
  • Added baseline X-Content-Type-Options: nosniff and Cross-Origin-Resource-Policy: same-origin security headers to every thv REST API response (#5458)
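The path-traversal fix above is the classic "confine resolved paths to a base directory" pattern. The following Go program is an added illustration, not Toolhive's code: it shows the weak join-only pattern beside a hardened getFilePath that verifies containment after cleaning. The LocalStore type, its method names and the /tmp/thv-state base directory are assumptions chosen to mirror the release note, nothing more.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested name would resolve outside the base directory.
var ErrOutsideBase = errors.New("path escapes state-store base directory")

// LocalStore is an illustrative file-backed state store. The type and method names mirror
// the release note for readability only; this is not Toolhive's implementation.
type LocalStore struct {
	baseDir string // absolute and cleaned, so containment checks compare like with like
}

// NewLocalStore resolves baseDir to an absolute, cleaned path once at construction time.
func NewLocalStore(baseDir string) (*LocalStore, error) {
	abs, err := filepath.Abs(baseDir)
	if err != nil {
		return nil, err
	}
	return &LocalStore{baseDir: abs}, nil
}

// unsafeGetFilePath shows the weak pattern: joining caller-controlled input onto the base
// directory. filepath.Join cleans the result, but cleaning does not stop "../" segments from
// climbing out of baseDir; "../../etc/passwd" simply becomes "/etc/passwd".
func (s *LocalStore) unsafeGetFilePath(name string) string {
	return filepath.Join(s.baseDir, name)
}

// getFilePath is the hardened form. It rejects empty and absolute names, joins the name onto
// baseDir, and then verifies containment with filepath.Rel rather than a raw string-prefix
// check (a prefix check would accept "/tmp/store-other" as being under "/tmp/store").
// Subdirectories inside baseDir, such as "group/workload.json", remain allowed.
func (s *LocalStore) getFilePath(name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", fmt.Errorf("invalid state file name %q", name)
	}
	full := filepath.Join(s.baseDir, name)
	rel, err := filepath.Rel(s.baseDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	if rel == "." {
		// The name resolved to the base directory itself, which is not a state file.
		return "", fmt.Errorf("invalid state file name %q", name)
	}
	return full, nil
}

func main() {
	store, err := NewLocalStore("/tmp/thv-state") // constructed example base directory
	if err != nil {
		panic(err)
	}
	// Constructed inputs: two legitimate names followed by three escape attempts.
	for _, name := range []string{"default.json", "group/workload.json", "../../etc/passwd", "a/../../x.json", "/etc/passwd"} {
		p, err := store.getFilePath(name)
		fmt.Printf("%-20q unsafe=%-28s hardened=%q err=%v\n", name, store.unsafeGetFilePath(name), p, err)
	}
}
```

The check is purely lexical: it stops ".." and absolute-path escapes but says nothing about symlinks already present under the base directory. Where that directory is writable by other principals, pair this with filepath.EvalSymlinks on the resolved path (or O_NOFOLLOW at open time) before trusting the result.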

🧹 Misc

  • vMCP refactor (epic #5419): introduced a stateless, identity-explicit core VMCP constructor (#5457), added the Serve transport skeleton and ServerConfig (#5467), wired the Cedar admission seam into the core so list and call enforce one shared decision (#5459), moved the SDK hooks and two-phase session creation under Serve (#5471), and domain-typed the elicitation seam (#5456) — all additive, with server.New behavior unchanged
  • Added helm-unittest regression coverage for the operator and operator-crds charts: CRD install/keep toggles (#5468), a default-install baseline (#5473), value-driven scenario suites (#5475), and security-posture/naming suites (#5477)
  • Documented the Redis Cluster slot invariant and filtered stray un-prefixed members in the auth-server token storage (#5210)

📦 Dependencies

Module                              Version
github.com/stacklok/toolhive-core   v0.0.24
golang.org/x/exp/jsonrpc2           055de63
github/codeql-action                8aad20d
anthropics/claude-code-action       fbda2eb

What's Changed

🔗 Full changelog: v0.29.1...v0.29.2

New Contributors