Skip to content

mcp-data-platform-v0.4.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 22 Jan 19:02
· 438 commits to main since this release
v0.4.0
7f86fd9
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Release v0.4.0

Summary

Security hardening release that adds MCP protocol-level authorization enforcement and self-validating JWT access tokens.

Security Improvements

MCP Protocol-Level Authorization

Tool authorization is now enforced at the MCP protocol layer, intercepting all tools/call requests before they reach tool handlers. This ensures persona-based access control cannot be bypassed.

  • Intercepts requests at the MCP middleware layer
  • Validates authentication before tool execution
  • Enforces persona allow/deny rules per tool
  • Returns proper MCP error responses for unauthorized requests

JWT Access Tokens

OAuth access tokens are now signed JWTs instead of opaque strings:

  • Self-validating tokens (no database lookup required)
  • Contains user identity, roles, and upstream IdP claims
  • HMAC-SHA256 signed with configurable key
  • Standard JWT validation (issuer, expiration, signature)

Configuration Changes

New: OAuth Signing Key

Production deployments should configure a signing key for JWT access tokens:

oauth:
  enabled: true
  issuer: "https://mcp.example.com"
  signing_key: "${OAUTH_SIGNING_KEY}"  # Required for production

Generate a signing key:

openssl rand -base64 32

If not configured, a random key is generated at startup (tokens won't survive restart).

Bug Fixes

  • Fixed nil pointer dereference in extractToolName when request params are nil

New Files

File Description
pkg/middleware/mcp.go MCP protocol-level authorization middleware
pkg/middleware/mcp_test.go Tests for MCP middleware
pkg/auth/oauth.go OAuth JWT authenticator
pkg/auth/oauth_test.go Tests for OAuth authenticator

Modified Files

File Description
pkg/oauth/server.go JWT access token generation
pkg/platform/platform.go MCP middleware wiring, signing key init
pkg/platform/config.go Added SigningKey to OAuth config
docs/auth/oauth-server.md Documented signing key configuration
docs/reference/configuration.md Added OAuth config options

Upgrade Notes

  • No breaking changes - existing configurations continue to work
  • Recommended: Configure oauth.signing_key for production deployments
  • Access tokens issued before upgrade will be invalid after restart (if using auto-generated key)

Testing

go test -race ./...

Coverage: 85%+

Changelog

Others

  • 7f86fd9: Adds MCP protocol-level middleware for authorization enforcement and converts OAuth access tokens to signed JWTs. (#11) (@cjimti)

Installation

Homebrew (macOS)

brew install txn2/tap/mcp-data-platform

Claude Code CLI

claude mcp add mcp-data-platform -- mcp-data-platform

Docker

docker pull ghcr.io/txn2/mcp-data-platform:v0.4.0

Verification

All release artifacts are signed with Cosign. Verify with:

cosign verify-blob --bundle mcp-data-platform_0.4.0_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_0.4.0_linux_amd64.tar.gz

Contributors

cjimti
Assets 25
Loading