v0.1.19

🌟 Release Highlights

This release focuses on guard and security improvements, agentic workflow tooling, and reliability fixes — including a notable resource leak fix in the routed server.

✨ What's New

• Trusted bot integrity elevation — First-party bots (dependabot[bot], github-actions[bot], github-merge-queue[bot], copilot) now automatically receive approved integrity in DIFC labeling, enabling smoother policy enforcement for automated workflows without manual tagging. (#2144)

• Repo-assist agentic workflow — A new repo-assist agentic workflow with an integrated guard policy has been added, expanding the gateway's out-of-the-box automation capabilities. (#2131, #2134)

🐛 Bug Fixes & Improvements

• Routed server resource leak fixed — A connection/resource leak in the routed server has been resolved, along with hardcoded version string corrections that could cause misleading diagnostics. (#2107)

• TOML configuration documentation corrected — Fixed a broken \$\{PWD} volume mount example, clarified the \$\{VAR} expansion note, and documented previously undocumented tools field behaviour in the TOML config. (#2121) See the Configuration Guide.

🔧 Internal

Code quality improvements including DIFC struct consolidation, DeduplicateStrings helper extraction, Rust guard cleanup, and schema/workflow toolchain upgrades to v0.61.2.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.1.19
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

For complete details, see the full release notes.

Generated by Release

---

What's Changed

• 🔄 chore(schema): update schema URL to v0.61.1 by @github-actions[bot] in #2101
• Remove dead contributor-verification scaffolding and fix redundant MCP unwrapping in rust-guard by @Copilot in #2105
• refactor: extract checkBoolFailure helper in parseLabelAgentResponse by @Copilot in #2106
• fix: routed server resource leak and hardcoded version strings by @Copilot in #2107
• refactor: consolidate duplicate DIFC filtered-item struct and tagsToStrings by @Copilot in #2111
• fix: suppress dead_code warning on is_forked_pull_request_with_callback by @lpcox in #2118
• chore: upgrade gh-aw agent config and recompile workflows to v0.61.2 by @lpcox in #2128
• Fix broken ${PWD} volume mount, misleading ${VAR} note, and undocumented tools field behaviour in TOML config by @Copilot in #2121
• refactor: extract DeduplicateStrings helper to eliminate duplicated dedup logic by @Copilot in #2123
• Add agentic workflow repo-assist by @lpcox in #2131
• chore: add guard policy to repo-assist workflow by @lpcox in #2134
• feat(guard): elevate trusted first-party bot integrity to approved by @lpcox in #2144

Full Changelog: v0.1.18...v0.1.19

v0.1.18

🌟 Release Highlights

This release extends MCP Gateway's DIFC (Decentralized Information Flow Control) security coverage to GitHub Projects tools, ensuring consistent data labeling across more of the GitHub MCP server surface area.

✨ What's New

• DIFC labeling for GitHub Projects tools — GitHub Projects tool responses are now properly labeled with secrecy and integrity tags, aligning Projects data with the same security guarantees already applied to other GitHub MCP tools. This matters for deployments using guard policies that rely on DIFC labels to enforce data flow rules. See the Guard Response Labeling docs for details. (#2095)

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.1.18
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

For complete details, see the full release notes.

Generated by Release

---

What's Changed

• feat(guard): add DIFC labeling for GitHub Projects tools by @Copilot in #2095

Full Changelog: v0.1.17...v0.1.18

v0.1.17

🌟 Release Highlights

This release improves observability for DIFC (Decentralized Information Flow Control) filtering by co-locating filter events with RPC traffic in the JSONL log, along with build and lint fixes to stabilize the codebase.

⚡ Improvements

• DIFC filter events now appear in rpc-messages.jsonl — Filter events triggered during tool calls are written to the same JSONL stream as RPC request/response traffic (#2077). This makes it significantly easier to correlate which tool call triggered a DIFC filter event when analyzing logs, without needing a separate log file.

🐛 Bug Fixes

• Build fix: type mismatch in LogDifcFilteredItem — Resolved a compile error where *JSONLFilteredItem was incorrectly passed to LogMessage, which only accepts *JSONLRPCMessage (#2080).
• Lint fix: missing FilteredItemLogEntry type — Added the FilteredItemLogEntry struct and buildFilteredItemLogEntry function referenced by tests but absent from production code (#2078).
• Rust guard fix: restored #[allow(dead_code)] on is_bot helper — The attribute was accidentally removed in a prior cleanup, causing a warning for a function used only in test code (#2074).

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.1.17
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

For complete details, see the full release notes.

Generated by Release

---

What's Changed

• fix: restore #[allow(dead_code)] on is_bot helper by @lpcox in #2074
• fix: add FilteredItemLogEntry type and buildFilteredItemLogEntry to fix lint failure by @Copilot in #2078
• fix: type mismatch in LogDifcFilteredItem causes build failure by @Copilot in #2080
• refactor: move DIFC filter events into JSONL log by @lpcox in #2077

Full Changelog: v0.1.16...v0.1.17

v0.1.16

What's Changed

• 🔄 chore: update schema URL to v0.58.2 by @github-actions[bot] in #1892
• [log] difc: add debug logging to path_labels.go by @github-actions[bot] in #1888
• [test] Add tests for mcp.callSDKMethod and related dispatch functions by @github-actions[bot] in #1889
• [test-improver] Improve tests for config/rules package by @github-actions[bot] in #1890
• fix: suppress staticcheck SA1012 for intentional nil context test by @lpcox in #1895
• chore: upgrade gh-aw v0.56.2 → v0.58.2 with recompiled workflows by @lpcox in #1898
• Fix SA1012 staticcheck lint failure in sdk_method_dispatch_test.go by @Copilot in #1897
• Fix documentation discrepancies from nightly audit by @Copilot in #1896
• chore: scope all workflows to github/gh-aw-mcpg with min-integrity unapproved by @lpcox in #1906
• fix: remove unavailable tools from smoke-copilot workflow by @lpcox in #1911
• fix: eliminate duplicate sys tool delegation block via callSysServer helper by @Copilot in #1910
• refactor: eliminate duplicate code patterns in internal/difc package by @Copilot in #1916
• chore: disable issue-monster scheduled runs by @lpcox in #1917
• docs: fix documentation discrepancies from reconciliation report 2026-03-13 by @Copilot in #1919
• feat: add Rust Guard Improver daily workflow by @lpcox in #1920
• refactor: deduplicate code across logger, validation, and launcher packages by @lpcox in #1926
• fix(config): remove dead *toml.ParseError pointer assertion and use %w error wrapping by @Copilot in #1929
• tty: add IsStdoutTerminal, StderrTerminalWidth, and IsInteractiveTerminal by @Copilot in #1931
• refactor: semantic function clustering — absorb dockerutil, reduce duplication, move outlier free functions by @Copilot in #1933
• feat: add Guard Status Tracker workflow for issue #1711 by @lpcox in #1938
• refactor: eliminate duplicate dispatch, config resolution, and label flow patterns by @Copilot in #1953
• docs: fix 4 documentation discrepancies from nightly reconciliation by @Copilot in #1959
• [log] difc/agent: add debug logging to bulk label operations by @github-actions[bot] in #1965
• fix: correct write-sink accept patterns in README examples by @lpcox in #1969
• chore: cleanup stale docs and trim README by @lpcox in #1976
• chore: restructure README around quickstart and guard policies by @lpcox in #1979
• refactor: Move guard-policy parsing, AllowOnly factory, and DIFC sink state to proper packages by @Copilot in #1987
• fix: gofmt formatting in connection_pool_test.go by @Copilot in #1993
• [test] Add tests for config.fetchAndFixSchema transformations and launcher.cleanupIdleConnections closed state by @github-actions[bot] in #1973
• [test-improver] Improve tests for logger package by @github-actions[bot] in #1974
• refactor: eliminate duplicate code in DIFC labels and RPC logger by @Copilot in #2006
• rust-guard: deduplicate MCP unwrapping and remove dead code in permissions.rs by @Copilot in #2013
• fix: suppress dead_code warnings in github-guard by @lpcox in #2014
• Corrected DIFC terminology by @lpcox in #2022
• docs: add missing env vars to AGENTS.md by @Copilot in #2029
• rust-guard: Extract duplicated repo_visibility_* helpers and clean up stale #[allow(dead_code)] in constants by @Copilot in #2030
• fix: remove unused cleared variable causing lint failure by @Copilot in #2038
• [log] Add debug logging to difc/sink_server_ids by @github-actions[bot] in #2034
• 🔄 chore: update schema URL to v0.59.0 by @github-actions[bot] in #2044
• docs: fix /health endpoint description and expand CONTRIBUTING.md core features by @Copilot in #2059
• docs: fix FIRST_TIME_CONTRIBUTOR integrity level classification by @Copilot in #2062
• [rust-guard] Remove dead helpers + extract repeated private-repo integrity expression by @Copilot in #2060
• Fix failing integration test: update playwright tool count and naming format by @Copilot in #2067
• [WIP] [67489714827] Fix the failing GitHub Actions workflow lint by @Copilot in #2069
• feat(difc): structured logging for every filtered item by @lpcox in #2066

Full Changelog: v0.1.15...v0.1.16

v0.1.15

🌟 Release Highlights

This release focuses on write-sink guard capabilities, expanding how MCP Gateway controls data flow to backend servers — with simplified wildcard configuration, comprehensive scope-type support, and a notable RFC 6901 path-matching fix.

✨ What's New

• Write-Sink Guard (#1772, #1773): A new write-sink guard type lets you control which tools can write data to backend MCP servers, enforcing data flow policies at the gateway level.
• Wildcard Accept for Write-Sink (#1868): Configure write-sink guards with accept = ["*"] to allow all repositories — simplifying permissive policies without enumerating every repo.
• Full Scope-Type Coverage for Write-Sink (#1828): Write-sink accept rules now support all repository scope types (owner-wildcard, owner/repo, and bare owner), with complete documentation and tests.

🐛 Bug Fixes & Improvements

• RFC 6901 Path Matching Fix (#1863): extractIndexFromPath now correctly handles JSON Pointer (/-prefixed) paths per RFC 6901, preventing silent mismatches in DIFC path label resolution.
• WASM Guard Reliability (#1849): Corrected a malformed WASM binary and stale test expectation in guard tests, ensuring WASM-based guards compile and behave correctly.
• Schema Updated to v0.57.2 (#1755): Configuration validation now targets the latest schema version.

📚 Documentation

• DIFC Flags & Environment Variables (#1790): README now documents all DIFC-related CLI flags and environment variables, making it easier to configure data flow control.
• README Consistency (#1803): Resolved inconsistencies across documentation files and the README for a more reliable reference.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.1.15
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

For complete details, see the full release notes.

Generated by Release

---

What's Changed

• added write sink by @lpcox in #1772
• added write sink by @lpcox in #1773
• test: add server-level tests for write-sink and allow-only guard policies by @lpcox in #1783
• docs: add missing DIFC flags and environment variables to README by @claude in #1790
• Refactor duplicate code patterns in logger and DIFC packages by @claude in #1791
• Refactor duplicate code patterns in DIFC package by @claude in #1792
• [log] Add debug logging to difc/path_labels.go by @github-actions[bot] in #1727
• [test] Add tests for config.NormalizeGuardPolicy and guard policy helpers by @github-actions[bot] in #1728
• [test-improver] Improve tests for tty package by @github-actions[bot] in #1742
• 🔄 chore: update schema URL to v0.57.2 by @github-actions[bot] in #1755
• [test] Add tests for mcp HTTP transport pure functions by @github-actions[bot] in #1788
• [test-improver] Improve tests for logger/rpc_logger package by @github-actions[bot] in #1789
• fix: remove duplicate test functions in internal/mcp by @lpcox in #1801
• docs: Fix inconsistent documentation files and update README by @claude in #1803
• feat: document and test write-sink accept rules for all repos scope types by @lpcox in #1828
• [log] Add debug logging to guard_policy.go by @github-actions[bot] in #1817
• [test] Add tests for guard.parseLabelAgentResponse by @github-actions[bot] in #1818
• [test-improver] Improve tests for guard package: cover pure parser functions by @github-actions[bot] in #1819
• Completing task by @claude in #1843
• Fix context-in-struct anti-pattern and add wazero best practices by @claude in #1834
• Refactor: extract isValidTokenString helper to eliminate duplicate validation logic by @claude in #1833
• Remove duplicate integrity constant declarations in guard_policy.go by @claude in #1832
• fix: correct malformed WASM binary and stale test expectation in guard tests by @lpcox in #1849
• refactor: extract duplicate code patterns into helpers by @claude in #1855
• [log] cmd/flags_difc: add debug logging for DIFC policy and mode resolution by @github-actions[bot] in #1856
• Fix extractIndexFromPath RFC 6901 prefix matching and clean up test comments by @Copilot in #1863
• [test] Add tests for difc package: getItems, AddIntegrityTags, Intersect, checkFlowHelper by @github-actions[bot] in #1860
• feat: add wildcard accept ["*"] for write-sink guards by @lpcox in #1868
• [test-improver] Improve tests for mcp schema package by @github-actions[bot] in #1867
• fix: remove duplicate TestNormalizeInputSchema_NilSchema by @lpcox in #1873

Full Changelog: v0.1.14...v0.1.15

v0.1.14

🌟 Release Highlights

This release resolves a critical DIFC compatibility issue that prevented output servers (such as safeoutputs) from working correctly when the GitHub guard is active.

✨ What's New

Write-Sink Guard for DIFC-Compatible Output Servers (#1760)

When the GitHub guard is active, agents accumulate integrity tags (e.g., unapproved:github/gh-aw*, approved:github/gh-aw*). Output servers using noop guards returned empty labels, causing DIFC read evaluation to fail — the resource integrity was lower than the agent's integrity.

The new WriteSinkGuard fixes this by:

• Mirroring agent secrecy tags onto the resource, preventing secrecy violations for private repositories
• Returning OperationWrite instead of OperationReadWrite, bypassing the failing read integrity check
• Auto-upgrading noop guards to write-sink guards after DIFC detection — no manual configuration needed

Check	Before (Noop Guard)	After (Write-Sink Guard)
Read integrity	❌ fails — empty < agent tags	✅ skipped (OperationWrite)
Write integrity	✅ no requirements	✅ no requirements
Write secrecy	❌ agent tags ⊄ empty	✅ resource mirrors agent tags

See docs/GUARD_RESPONSE_LABELING.md for more on DIFC guard behavior.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.1.14
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

For complete details, see the full release notes.

Generated by Release

---

What's Changed

• updated to v0.1.13 by @lpcox in #1757
• feat: write-sink guard for DIFC-compatible output servers by @lpcox in #1760

Full Changelog: v0.1.13...v0.1.14

v0.1.13

🌟 Release Highlights

This release focuses on correctness and reliability improvements — two important bug fixes ensure guards and gateway URL routing behave as expected in production deployments.

🐛 Bug Fixes & Improvements

• Guard policy fallback corrected (#1741): When a server has explicit guard policies configured, non-noop guards are now correctly preserved rather than being discarded during fallback resolution. This ensures security policies are consistently enforced when mixing per-server and global guard configurations.

• Gateway output URLs use localhost (#1753): Gateway-advertised URLs (consumed by host-side connectivity checks) now correctly resolve to 127.0.0.1 instead of the configured Gateway.Domain. The domain mapping for container access is handled downstream, so using the domain in output URLs caused connectivity check failures.

🔧 Reliability

• Integration tests are more stable with polling-based stderr wait, eliminating intermittent failures in CI (#1746).
• A daily smoke test workflow for AllowOnly guard policies provides continuous validation of guard enforcement (#1729).
• CI workflows now use the standard GHCR image directly, removing redundant local build steps (#1731, #1736).

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.1.13
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

For complete details, see the full release notes.

Generated by Release

---

What's Changed

• Add daily AllowOnly guard smoke test workflow by @lpcox in #1729
• Remove local build steps, use standard GHCR image by @lpcox in #1731
• Remove local container build from smoke-copilot workflow by @lpcox in #1736
• move mcpg to v0.1.12 by @lpcox in #1737
• Fix guard fallback to preserve non-noop guards when server guard policies exist by @claude in #1741
• Fix flaky integration tests with polling-based stderr wait by @lpcox in #1746
• fix: don't use Gateway.Domain in gateway output URLs by @lpcox in #1753

Full Changelog: v0.1.12...v0.1.13

v0.1.12

🌟 Release Highlights

This release simplifies DIFC (Data Information Flow Control) configuration by removing explicit guard CLI flags — guards now activate automatically when policies are configured.

⚠️ Breaking Changes

The following CLI flags and environment variables have been removed. If you are using them, update your configuration accordingly:

Removed Flag	Removed Env Var	Migration
--enable-guards	MCP_GATEWAY_ENABLE_GUARDS	Guards are now auto-enabled when an allow-only policy is present
--enable-config-extensions	MCP_GATEWAY_CONFIG_EXTENSIONS	Extension fields are always accepted; no flag needed
--session-secrecy	MCP_GATEWAY_SESSION_SECRECY	Session labels are now set automatically by guards
--session-integrity	MCP_GATEWAY_SESSION_INTEGRITY	Session labels are now set automatically by guards

✨ What's New

• Zero-config DIFC activation: Configure guard-policies with an allow-only rule and the gateway automatically enables DIFC guards — no additional flags required. This reduces configuration surface and eliminates a common source of misconfiguration.
• Schema validation with extension field stripping: Config validation now correctly handles extension fields (e.g., guard-policies) by stripping them before schema validation, enabling full spec compliance without rejecting valid configurations.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.1.12
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

For complete details, see the full release notes.

Generated by Release

---

What's Changed

• cleanup: remove guard CLI flags, auto-detect DIFC from policies by @lpcox in #1723

Full Changelog: v0.1.11...v0.1.12

v0.1.11

🔧 Maintenance Release

This release delivers targeted infrastructure fixes and schema updates to keep MCP Gateway running reliably.

🐛 Bug Fixes

• Release workflow WASM build fixed (#1715): Corrected a typo (targets: → target:) in the setup-rust-toolchain action input. The incorrect key was silently ignored, causing the wasm32-wasip1 target to not be installed and breaking WASM guard compilation during releases.

🔧 Internal

• Schema validation updated to v0.57.0 (#1713): MCP Gateway now validates configurations against schema v0.57.0, ensuring compatibility with the latest MCP specification.

🐳 Docker Image

The Docker image for this release is available at:

docker pull ghcr.io/github/gh-aw-mcpg:v0.1.11
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

For complete details, see the full release notes.

Generated by Release

---

What's Changed

• fix: use 'target' (singular) for setup-rust-toolchain action input by @lpcox in #1715
• 🔄 chore: update schema URL to v0.57.0 by @github-actions[bot] in #1713

Full Changelog: v0.1.10...v0.1.11

v0.1.10

What's Changed

• 🔄 chore: pin schema URL to gh-aw v0.55.0 by @github-actions[bot] in #1658
• [test] Add tests for config.ExpandRawJSONVariables, expandVariablesCore, and validateMounts by @github-actions[bot] in #1666
• fix: 📚 Documentation Reconciliation Report - 2026-03-07 by @roberthallers in #1665
• Update GitHub Guard Terminology by @claude in #1669
• feat: Add GitHub DIFC enforcement with WASM guards, guard policies, and LabelAgent integration by @lpcox in #1674
• fix: routed URL host advertisement and allow-only key normalization by @lpcox in #1683
• github-guard: bake WASM into gateway image, align test/release workflows, and rename user-facing flags to "guards" by @lpcox in #1693
• Switch release workflow Rust setup to actions-rust-lang/setup-rust-toolchain by @Copilot in #1703
• Update copilot test expectations with proper behavior definitions and standardized report templates by @lpcox in #1702
• Upgrade agentic workflows by @lpcox in #1707

New Contributors

• @roberthallers made their first contribution in #1665

Full Changelog: v0.1.9...v0.1.10