mcp-data-platform-v1.65.0

@github-actions github-actions released this 20 May 03:14
· 94 commits to main since this release
23f2087

Highlights

Adds HTTP Basic auth (RFC 7617) to the api-gateway toolkit. Operators can now onboard the long tail of REST APIs that never moved off Basic (Jenkins, on-prem Jira / Confluence Server / DC, internal apps) without standing up a sidecar to translate Basic to Bearer.

What changed

auth_mode: basic joins the existing none, bearer, api_key, oauth2_client_credentials, and oauth2_authorization_code modes. Outbound requests get Authorization: Basic base64(username:password) per RFC 7617. The password config key was already on the platform's encryption-at-rest sensitive-keys list, so encryption and admin-API redaction work without additional changes.

Validation enforces RFC 7617 §2 (no : in the userid) and rejects CR/LF/NUL in either field as header-smuggling vectors. Smuggling defenses run before the RFC check, so a payload that contains both (e.g. alice\r\nX-Injected: 1) surfaces the security-relevant error first. Empty password is permitted to support the legacy token-in-userid pattern some APIs use.
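
The check order described above, as an added Go example (not the project's own code; the function names checkBasicCredentials and basicHeader and the error values are hypothetical, and the sample inputs are constructed):

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical error values; the project's actual error text is not shown on the page.
var (
	errControlChar = errors.New("basic auth: CR, LF or NUL in credential")
	errColonInUser = errors.New("basic auth: ':' not allowed in userid (RFC 7617 section 2)")
)

// checkBasicCredentials runs the header-smuggling check on both fields first,
// then the RFC 7617 colon rule on the userid, so an input that fails both reports the control-character error.
func checkBasicCredentials(username, password string) error {
	if strings.ContainsAny(username, "\r\n\x00") || strings.ContainsAny(password, "\r\n\x00") {
		return errControlChar
	}
	if strings.Contains(username, ":") {
		return errColonInUser
	}
	return nil // an empty password is accepted (token-in-userid pattern)
}

// basicHeader validates the pair and returns the Authorization header value.
func basicHeader(username, password string) (string, error) {
	if err := checkBasicCredentials(username, password); err != nil {
		return "", err
	}
	token := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
	return "Basic " + token, nil
}

func main() {
	// Constructed inputs: one valid userid, one with CRLF and a colon, one with a colon only.
	for _, u := range []string{"svc-account", "alice\r\nX-Injected: 1", "a:b"} {
		h, err := basicHeader(u, "the-api-token")
		fmt.Printf("%q -> %q, %v\n", u, h, err)
	}
}
```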

Operator-visible changes

New connection config

config:
  base_url: "https://jenkins.example.com"
  auth_mode: "basic"
  username: "svc-account"
  password: "the-api-token"

| Field | Required | Notes |
|---|---|---|
| auth_mode: basic | yes | Selects the new mode. |
| username | yes | The userid. Stored in cleartext at rest because RFC 7617 §2 sends it in clear after base64 decoding regardless. Rejected if it contains :, CR, LF, or NUL. |
| password | no | The password. Encrypted at rest via the platform FieldEncryptor. Admin API redacts to [REDACTED]. May be empty for the legacy token-in-userid pattern. Rejected if it contains CR, LF, or NUL. |

Admin portal

The API connection editor in the admin portal now offers Basic (RFC 7617) on the auth-mode dropdown, with username and (sensitive) password fields.

Behavior preserved

  • No wire-format changes.
  • No database migrations.
  • No public API changes.
  • Existing connections (none, bearer, api_key, OAuth) are untouched.

Upgrade notes

  • No operator action required beyond rolling the pod. Existing connections continue to work; the new mode is purely additive.
  • To use Basic auth on a new connection, select Basic in the portal or PUT /api/v1/admin/connection-instances/api/<name> with auth_mode: basic and username / password set.

Detailed changes

  • #447 / #448. New AuthModeBasic constant and basicAuth authenticator. New Username / Password config fields. validateBasicAuth enforces RFC 7617 plus CR/LF/NUL smuggling defenses (in that order so the security error wins when both apply). NewAuthenticator dispatch and the invalid-mode error message updated. UI: new dropdown option plus username/password form fields in ConnectionsPanel.tsx. Docs updated across README.md, docs/server/api-gateway.md, docs/llms.txt, and docs/llms-full.txt. Patch coverage 100% on the 37 changed executable lines.

Installation

Homebrew (macOS)

brew install txn2/tap/mcp-data-platform

Claude Code CLI

claude mcp add mcp-data-platform -- mcp-data-platform

Docker

docker pull ghcr.io/txn2/mcp-data-platform:v1.65.0

Verification

All release artifacts are signed with Cosign. Verify with:

cosign verify-blob --bundle mcp-data-platform_1.65.0_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_1.65.0_linux_amd64.tar.gz

Full changelog

v1.64.1...v1.65.0