v0.8.0
Conduit v0.8.0
The headline of this release is a multi-tenant HTTP bridge: one Conduit can now serve many HTTP/OpenAPI clients at once, each with its own token and its own set of servers. Plus the Playground gains Resources and Prompts, and a round of security hardening.
Multi-tenant HTTP bridge (per-client scoping)
Register HTTP clients in Settings → Integrations, each with its own bearer token and profile. One bridge process serves them all and resolves every request's token to its own scope, so two Open WebUI instances (or any two OpenAPI clients) can see entirely different tools through the same Conduit. The bridge connects the union of every registered client's profile, then filters each request (tools/list, search, call, status, and the OpenAPI spec) down to exactly what that token is allowed to see. Nothing leaks across tenants.
Also new
- Resources & Prompts in the Playground. New Tools / Resources / Prompts tabs: list a server's resources and read one, or fill a prompt's arguments and render it. The full MCP surface Conduit proxies, not just tools.
- Per-client scope, persisted and editable. A connected client now shows its effective scope ("sees the 'Billing' profile, 3 servers"), and you can re-scope it in place without disconnecting.
- Test connection in the add/edit server dialog: verify a server (and its secrets) actually connects before saving, with per-transport validation and a duplicate-name warning.
- Activity error detail. Failed tool calls now record and show the failure message and per-call latency; click a failed row to see why it failed.
- Continue client support (~/.continue/config.yaml). Thanks @BharadwajKanneveti (#49).
- A complete OpenAPI spec: a servers block, a bearerAuth security scheme, and real error responses, so OpenAPI clients can model auth and failures.
Security
- Constant-time comparison for the bridge bearer token.
- CORS no longer reflects the caller's Origin or sends credentials, and cross-site browser requests are refused. Once a scoped client is registered, the bridge closes anonymous access.
- The SSRF connect-guard now also blocks IPv6 link-local and cloud-metadata addresses (including the AWS IPv6 metadata address), not just IPv4 169.254.x.
- Client-config reads and backups reject non-regular files (devices, FIFOs) and cap size.
- Downstream HTTP calls retry safely on a connection failure or a 429 (honoring Retry-After), never on a 5xx.
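
The SSRF connect-guard item above, sketched as an added example; this is not Conduit's code. The function names and sample addresses are constructed here, and unwrapping IPv4-mapped IPv6 addresses is an assumption of this example that the release note does not mention.

```python
import ipaddress

# Ranges named in the release note: IPv4 link-local (which contains the
# 169.254.169.254 metadata address), IPv6 link-local, and the AWS IPv6
# metadata address.
BLOCKED_NETS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fd00:ec2::254/128"),
]


def _normalize(addr: str):
    """Parse a literal address; drop any IPv6 zone id and unwrap ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    # Assumption of this example: an IPv4-mapped IPv6 literal is judged as the
    # IPv4 address it carries, so it cannot sidestep the IPv4 rule.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_blocked(addr: str) -> bool:
    """True if a connection to addr must be refused. Unparseable input fails closed."""
    try:
        ip = _normalize(addr)
    except ValueError:
        return True
    return any(ip.version == net.version and ip in net for net in BLOCKED_NETS)


def blocked_targets(resolved: list[str]) -> list[str]:
    """Given every address a hostname resolved to, return the ones to refuse.

    The guard has to look at the resolved addresses it is about to connect to,
    not the hostname string, because a public name can point at a local range.
    """
    return [a for a in resolved if is_blocked(a)]


if __name__ == "__main__":
    # Constructed sample: one public address and three that must be refused.
    sample = ["2001:db8::10", "fe80::1%eth0", "fd00:ec2::254", "::ffff:169.254.169.254"]
    print(blocked_targets(sample))
```
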
Upgrading
After installing 0.8.0, reconnect your clients so they relaunch the updated gateway. The multi-tenant bridge needs the new binary.
Full changelog: see CHANGELOG.md.