mcp-data-platform-v1.59.0

github-actions released this 11 May 21:02
· 130 commits to main since this release
a51d55f

v1.59.0 — HTTP API Gateway

This release adds an HTTP API Gateway toolkit that lets the platform proxy authenticated calls to any OpenAPI-described REST API. It is a sibling to the existing MCP Gateway, sharing its OAuth lifecycle, persona-scoped policy, audit trail, and admin-portal patterns. With this release the platform's outbound-integration story covers both MCP servers and arbitrary HTTP/JSON APIs through the same primitives.

Full design discussion: #364.

Highlights

HTTP API Gateway toolkit

A small, fixed MCP tool surface that does not grow with the number of registered connections or upstream endpoints:

  • api_list_endpoints(connection, query, limit?) — searches a connection's OpenAPI spec; returns ranked candidates with operation_id, method, path, summary, and tags.
  • api_get_endpoint_schema(connection, operation_id) — full parameter, request-body, and response schema for one operation.
  • api_invoke_endpoint(connection, operation_id, query_params?, body?) — invokes the operation by id; the platform handles auth, policy, redaction, audit, and pagination signalling.
  • api_export(connection, operation_id, query_params?, body?, sink) — streams the upstream response directly into S3 (registered only when export dependencies are wired). Mirrors the *_export stream-to-asset pattern used by trino_export.

Adding new connections does not add new MCP tools. Multiple connections multiplex through the connection argument, the same convention trino_query and s3_get_object already use.

Five authentication modes

Outbound credentials are field-encrypted at rest. Token refresh-on-demand mirrors the MCP Gateway.

  • none, bearer, api_key — basic header/credential modes (#377)
  • oauth2_client_credentials — server-to-server grant (#380)
  • oauth2_authorization_code + PKCE — user-driven grant with an admin re-auth handler that surfaces a portal prompt when refresh tokens are revoked (#381)

Persona-scoped policy, two layers

Authorization fires on listing, schema fetch, and invocation. Every call produces an audit row through the existing audit pipeline (#378):

  • Per-connection allow/deny on the calling persona
  • Per-(method, path-glob) allow/deny on the resolved operation

A persona may have access to a connection but still be restricted to GET /v1/foo/* and blocked from DELETE /v1/users/*.
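
The two layers evaluated in order, as an added example rather than the project's own code. The `Rule` and `Persona` types, default deny, deny-overrides-allow, and `path.Match` glob semantics are all assumptions; the release does not document them.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule and Persona are hypothetical types; the release does not show its policy schema.
type Rule struct {
	Method, Glob string // Glob uses path.Match syntax: "*" does not cross "/"
	Allow        bool
}
type Persona struct {
	Connections map[string]bool   // layer 1: connection -> allowed
	Rules       map[string][]Rule // layer 2: connection -> per-operation rules
}

// Authorize assumes default deny and deny-overrides-allow (not stated in the release).
func (p Persona) Authorize(conn, method, reqPath string) (bool, string) {
	if !p.Connections[conn] {
		return false, "connection denied"
	}
	clean := path.Clean("/" + reqPath) // normalize so "../" segments cannot dodge a glob
	allowed, reason := false, "no matching allow rule"
	for _, r := range p.Rules[conn] {
		ok, err := path.Match(r.Glob, clean)
		switch {
		case err != nil:
			return false, "malformed glob " + r.Glob // fail closed on a bad rule
		case !ok || !strings.EqualFold(r.Method, method):
			continue
		case !r.Allow:
			return false, "denied by " + r.Method + " " + r.Glob
		}
		allowed, reason = true, "allowed"
	}
	return allowed, reason
}

func main() {
	p := Persona{ // constructed policy mirroring the case described above
		Connections: map[string]bool{"crm": true},
		Rules:       map[string][]Rule{"crm": {{"GET", "/v1/foo/*", true}, {"DELETE", "/v1/users/*", false}}},
	}
	fmt.Println(p.Authorize("crm", "GET", "/v1/foo/42"))
	fmt.Println(p.Authorize("crm", "DELETE", "/v1/users/7"))
}
```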

Three ranking modes for endpoint discovery

api_list_endpoints supports three strategies (#382):

  • lexical — substring + token match. Fast, deterministic, no embedding dependency.
  • semantic — cosine similarity between the query embedding and each operation's pre-computed embedding.
  • hybrid — weighted blend (α · cosine + (1 − α) · lexical). Recovers precision when the user already knows the operation name while still surfacing semantic neighbors.

When an embedder is unavailable, semantic/hybrid degrade to lexical without erroring.

Pagination envelope

api_invoke_endpoint extracts pagination state into a normalized envelope so the model can iterate without re-parsing per-API conventions (#383). Detection order:

  1. RFC 5988 Link header with rel="next" (authoritative)
  2. OData @odata.nextLink
  3. Common body cursor fields (next_cursor, next, cursor, etc.)

When no signal is present the field is omitted from the response.
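
The detection order above as an added example, not the project's implementation. The `Next` type, the source labels, and the exact cursor-field probe order are assumptions, and the sample header and bodies are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
)

// Next is a hypothetical envelope field; the release does not publish the real shape.
type Next struct{ Source, Value string }

var (
	// <target> followed by its parameters, up to the start of the next link-value.
	linkRe = regexp.MustCompile(`<([^>]*)>([^<]*)`)
	// A rel parameter whose space-separated relation types include "next".
	nextRel = regexp.MustCompile(`(?i);\s*rel\s*=\s*"?([^";,]*\s)?next(\s|"|,|;|$)`)
	// Assumed probe order; the release names these fields and ends the list with "etc.".
	cursorFields = []string{"next_cursor", "next", "cursor"}
)

// DetectNext applies the release's detection order and returns nil when no signal exists.
func DetectNext(h http.Header, body []byte) *Next {
	for _, line := range h.Values("Link") {
		for _, m := range linkRe.FindAllStringSubmatch(line, -1) {
			if nextRel.MatchString(m[2]) {
				return &Next{"link_header", m[1]} // 1. Link header is authoritative
			}
		}
	}
	var obj map[string]any
	if json.Unmarshal(body, &obj) != nil {
		return nil // body is not a JSON object, so there is no body-level signal
	}
	if s, ok := obj["@odata.nextLink"].(string); ok && s != "" {
		return &Next{"odata", s} // 2. OData
	}
	for _, f := range cursorFields {
		if s, ok := obj[f].(string); ok && s != "" {
			return &Next{"body_cursor", s} // 3. common body cursor fields
		}
	}
	return nil
}

func main() {
	h := http.Header{"Link": {`<https://api.example.test/items?page=3>; rel="next"`}} // constructed
	fmt.Println(*DetectNext(h, []byte(`{"next_cursor":"ignored"}`)))
}
```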

Admin portal: kind=api connection form

A new portal form handles the full connection lifecycle: registration, OpenAPI spec upload or URL, auth-mode configuration, OAuth bootstrap and re-auth, and revocation (#384). YAML config remains supported for stdio and single-tenant deployments.

Other changes

  • Dev fixtures: make dev now provisions two prebuilt deterministic fixture containers — a 12-tool MCP server and a 14-operation HTTP API with an OpenAPI 3.1 spec — so both gateways come up pre-explored against realistic upstreams (#389).
  • Field rename: api_invoke_endpoint and api_export renamed their URL-query argument from query to query_params, eliminating ambiguity with api_list_endpoints' natural-language query (#390). The original name only existed in intermediate snapshots; no prior released version is affected.
  • Dependency bumps: golang.org/x/crypto 0.50 → 0.51 (#386), github/codeql-action 4.35.3 → 4.35.4 (#385), sigstore/cosign-installer 4.1.1 → 4.1.2 (#387).

Upgrade notes

The API Gateway is purely additive — no migration steps for existing deployments. The toolkit registers itself only when at least one kind=api connection is configured.

Installation

Homebrew (macOS)

brew install txn2/tap/mcp-data-platform

Claude Code CLI

claude mcp add mcp-data-platform -- mcp-data-platform

Docker

docker pull ghcr.io/txn2/mcp-data-platform:v1.59.0

Verification

All release artifacts are signed with Cosign:

cosign verify-blob --bundle mcp-data-platform_1.59.0_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_1.59.0_linux_amd64.tar.gz