Skip to content

mcp-data-platform-v0.28.1

Choose a tag to compare

View all tags
@github-actions github-actions released this 28 Feb 23:24
· 321 commits to main since this release
v0.28.1
6e09d44
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

What's New

Embedded platform-info App

The platform-info MCP App is now compiled directly into the binary. No volume mounts, no assets_path config, no file deployment — it just works.

Before (v0.28.0): operators had to mount the HTML into the container and configure the path explicitly:

mcpapps:
  enabled: true
  apps:
    platform-info:
      assets_path: "/etc/mcp-apps/platform-info"
      entry_point: "index.html"
      tools:
        - platform_info

After (v0.28.1): zero configuration required. The app registers at startup automatically.

Branding remains opt-in via config:

mcpapps:
  apps:
    platform-info:
      config:
        brand_name: "ACME Data Platform"
        brand_url: "https://data.acme.com"
        logo_svg: "<svg ...>"

To replace the embedded HTML entirely with your own, set assets_path as before — the override path takes precedence.

MCP Apps Enabled by Default

mcpapps.enabled now defaults to true (previously false). The built-in platform-info app registers without any mcpapps: block in your config.

To disable all MCP Apps:

mcpapps:
  enabled: false

Smaller Docker Image

The production Dockerfile no longer copies the apps/ directory into the image. The HTML is inside the binary. The image is smaller and has one fewer layer.

Security Fixes

Six pre-existing gosec findings resolved:

Rule Location Fix
G120ParseForm without body size limit pkg/oauth/server.go Added http.MaxBytesReader (64 KB cap) before ParseForm on the token endpoint
G706 — log injection via session ID pkg/session/handler.go Session IDs sanitized via sanitizeLogValue before logging
G118 — goroutine with detached context pkg/middleware/mcp_audit.go Documented and suppressed: audit writes must outlive the MCP request
G118 — goroutine with detached context pkg/session/handler.go Documented and suppressed: session Touch must outlive the HTTP response
G118 — goroutine with detached context cmd/mcp-data-platform/main.go (shutdown) Documented and suppressed: application-level shutdown context, not request-scoped
G118 — false positive on signal handler cmd/mcp-data-platform/main.go Documented: cancel() is called inside the goroutine

Migration Guide

Upgrading from v0.28.0

If you had mcpapps.enabled: false — no change. Explicit false is still honored.

If you had no mcpapps: blockplatform-info will now auto-register. This is intentional. To suppress it, add mcpapps: { enabled: false }.

If you had mcpapps.enabled: true with platform-info configured — remove the assets_path, entry_point, and tools fields from the platform-info block. Keep config: if you use branding. The app is now served from the embedded binary regardless of those fields.

If you deployed via Kubernetes with platform-info mounted as a ConfigMap or volume — remove those volume mounts and volumes from the Deployment. No replacement step needed.

Docker Compose users — remove any apps/ volume bind mount for platform-info from your compose file.

Full Changelog

Features

  • Embed platform-info HTML in binary via //go:embed (apps/embed.go)
  • Add Content fs.FS field to AppDefinition for embedded-FS-backed apps
  • Change MCPAppsConfig.Enabled from bool to *bool; nil defaults to true
  • Add MCPAppsConfig.IsEnabled() helper (nil/unset → enabled)
  • Auto-register built-in platform-info in initMCPApps via registerBuiltinPlatformInfo()
  • Operator branding config merged at registration; explicit assets_path overrides embedded HTML
  • Remove query-results from default example configs (it was never a built-in; operators can still add it as a custom app)
  • Simplify configs/mcpapps-container.yaml and configs/mcpapps-dev.yaml

Security

  • pkg/oauth/server.go: add http.MaxBytesReader before ParseForm (G120)
  • pkg/session/handler.go: wrap sessionID with sanitizeLogValue in two log calls (G706)
  • pkg/middleware/mcp_audit.go, pkg/session/handler.go, cmd/mcp-data-platform/main.go: document intentional context.Background usage in fire-and-forget goroutines (G118)

Documentation

  • Dockerfile: remove obsolete COPY apps/ layer
  • docs/mcpapps/overview.md: document built-in platform-info; demote query-results to community example
  • docs/mcpapps/configuration.md: full rewrite for defaults-enabled model and built-in app
  • docs/mcpapps/tutorial.md: update deployment step for built-in vs custom-asset vs override modes
  • docs/mcpapps/development.md: update dev workflow for mcpapps-dev.yaml assets_path override
  • docs/reference/configuration.md: add mcpapps: section (was absent)
  • docs/llms.txt, docs/llms-full.txt: sync MCP Apps descriptions

Tests

  • pkg/mcpapps/types_test.go: Validate and ValidateAssets with Content fs.FS
  • pkg/mcpapps/resource_test.go: readAsset from embedded fstest.MapFS
  • pkg/platform/platform_test.go: IsEnabled tri-state; built-in registration; branding merge; assets_path override; invalid path error; disabled app skipped; Enabled: false leaves registry nil

Package Checksums

All artifacts are signed with Cosign and include SBOM and SLSA provenance. Verify any artifact:

cosign verify-blob \
  --bundle mcp-data-platform_0.28.1_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_0.28.1_linux_amd64.tar.gz
Assets 25
Loading