v0.3.24

What's Changed

• 🔄 chore: update schema URL to gh-aw v0.78.2 by @github-actions[bot] in #7082
• [log] proxy/handler: add debug logging to forwardAndReadBody and writeEmptyResponse by @github-actions[bot] in #7066
• [Repo Assist] perf(middleware): skip json.Marshal for small text responses (fast path) by @github-actions[bot] in #7094
• [test] Add tests for mcpresult.ExtractTextContent by @github-actions[bot] in #7060
• [test-improver] Improve tests for mcp package by @github-actions[bot] in #7067
• docs: correct ${VAR} expansion scope and add missing internal packages by @Copilot in #7102
• refactor(mcp): extract withReconnectLock to eliminate reconnect boilerplate by @Copilot in #7103
• Refactor TimeoutPositive to reuse TimeoutMinimum and remove duplicated validator logic by @Copilot in #7105
• Refactor semantic function clustering targets: remove wrapper indirection and co-locate thin/misplaced functions by @Copilot in #7101
• Refactor cmd HTTP server lifecycle into shared serveAndWait helper by @Copilot in #7104
• [test] Add tests for schema compilation and guard policy error paths by @github-actions[bot] in #7112
• Rename gateway “API key” surface to Agent ID with compat aliases and X-Agent-ID routing by @Copilot in #7114
• 🔄 chore: update schema URL to v0.78.3 by @github-actions[bot] in #7138
• [log] Add debug logging to HTTP server lifecycle in serve.go by @github-actions[bot] in #7123
• [test-improver] Improve tests for launcher/health_monitor by @github-actions[bot] in #7124
• [Repo Assist] refactor(server): extract session ID header extraction into helper by @github-actions[bot] in #7151
• [Repo Assist] refactor: remove deprecated API key alias functions by @github-actions[bot] in #7150
• refactor: consolidate map utilities, deep clone, and logger constant by @Copilot in #7156
• docs: fix three documentation inaccuracies (port field, MCP methods, tracing var expansion) by @Copilot in #7157
• refactor(server): deduplicate session ID extraction into a shared helper by @Copilot in #7158
• Remove deprecated API-key aliases and complete AgentID rename by @Copilot in #7159
• [test] Add tests for launcher.handleErrorState and launcher.clearServerForRestart by @github-actions[bot] in #7161
• Add unauthenticated /reflect endpoint for live DIFC label snapshots in gateway and proxy modes by @Copilot in #7168
• fix(proxy): passthrough /rate_limit for CLI proxy liveness probe by @lpcox in #7187

Full Changelog: v0.3.23...v0.3.24

v0.3.23

What's Changed

• [log] Add debug logging to unified server functions by @github-actions[bot] in #6769
• [Repo Assist] refactor(config): extract detailForKeyword to eliminate duplicate guidance strings by @github-actions[bot] in #6796
• [test-improver] Improve tests for proxy package by @github-actions[bot] in #6770
• [test] Add tests for server.copyToolCallLimits by @github-actions[bot] in #6766
• Document --otlp-sample-rate in tracing docs by @Copilot in #6798
• Refactor shared pagination/map-extraction paths and isolate server rate-limit helpers by @Copilot in #6799
• Refactor formatErrorContext to centralize schema guidance and remove duplicated addDetail logic by @Copilot in #6797
• [test] Add tests for config.LoadFromStdin and normalizeLocalType by @github-actions[bot] in #6808
• [log] Add debug logging to tracing span helper functions by @github-actions[bot] in #6812
• [test-improver] Improve tests for config package by @github-actions[bot] in #6813
• Refactor semantic clustering: collapse thin server/logger files and extract proxy address helper by @Copilot in #6831
• Collapse RPC logging split API and remove duplicated tag-branching by @Copilot in #6829
• Reconcile config/env docs with actual JSON stdin and launcher variable behavior by @Copilot in #6830
• refactor(logger): eliminate logger level factory duplication with generics by @Copilot in #6828
• Optimize Rust guard label sharing and tool classification lookups by @Copilot in #6846
• [test-improver] Improve tests for tracing package by @github-actions[bot] in #6502
• [Repo Assist] refactor(tracing): unify semconv import to v1.34.0 in span_helpers by @github-actions[bot] in #6853
• Align tracing semconv usage and enrich OTel span attributes by @Copilot in #6847
• fix(proxy): route /api/graphql to correct upstream for GHE Cloud data residency by @Copilot in #6861
• [test] Add tests for guard.wasmAlloc, wasmDealloc, tryCallWasmFunction allocator path, and decodeWasmCallResult by @github-actions[bot] in #6864
• refactor: consolidate orphaned variable file and single-function strutil files by @Copilot in #6867
• [log] Add debug logging to rate_limit.go by @github-actions[bot] in #6870
• 🔄 chore: update schema URL and embedded schema to gh-aw v0.77.5 by @github-actions[bot] in #6886
• [test-improver] Improve tests for cmd/flags_logging by @github-actions[bot] in #6871
• fix(schema): add timeout fields to embedded JSON schema by @lpcox in #6908
• [test] Add tests for config.detailForKeyword and formatErrorContext branches by @github-actions[bot] in #6907
• Refactor guard policy integrity normalization to remove duplicated validation paths by @Copilot in #6915
• refactor: remove direct pflag import from tracing.go by @Copilot in #6914
• Reconcile config/docs for TOML-only rate-limit fields and legacy JSON stdin aliases by @Copilot in #6916
• rust-guard: sort BLOCKED_TOOLS, use binary_search, promote login to #[cfg(test)] by @Copilot in #6913
• refactor: eliminate integrity-level duplication, relocate truncateCacheKeyForLog, extract jsonutil package by @Copilot in #6911
• [log] Add debug logging to guard Registry query methods by @github-actions[bot] in #6921
• [test-improver] Improve tests for mcp pagination helpers by @github-actions[bot] in #6922
• Rust guard: remove list_commits secrecy clone and add project-item path labeling regressions by @Copilot in #6941
• Reduce internal tty API surface to the only production-used helper by @Copilot in #6942
• [log] Replace stdlib log calls with logRouted debug logger in routed.go by @github-actions[bot] in #6959
• [test-improver] Improve tests for envutil package by @github-actions[bot] in #6960
• [Repo Assist] perf(rust-guard): eliminate redundant Vec deep-clones in get_file_contents and list_releases by @github-actions[bot] in #6990
• [test] Add tests for mcp.callSDKMethodWithReconnect and reconnectSDKTransport by @github-actions[bot] in #6956
• Consolidate integrity-level normalization/validation across config and guard by @Copilot in #6996
• Bump MCP Go SDK to v1.6.1 and add DisableStandaloneSSE upgrade canary by @Copilot in #6995
• Refactor MCP list methods via shared generic SDK pagination adapter by @Copilot in #6997
• Refactor remaining semantic-clustering outliers in config/server utilities by @Copilot in #6999
• Reconcile configuration/docs semantics and Go version guidance with current implementation by @Copilot in #6998
• [log] Add debug logging to tracing/provider.go by @github-actions[bot] in #7010
• [test-improver] Improve tests for strutil package by @github-actions[bot] in #7011
• [test] Add tests for strutil.CopyTrimmedStringIntMap by @github-actions[bot] in #7007
• Restore OpenTelemetry stdin schema support for headers and correct sample_rate docs by @Copilot in #7042
• [Repo Assist] test(rust-guard): add apply_tool_labels tests for gist operations by @github-actions[bot] in #7044
• Unify payload size threshold validation across TOML and stdin config paths by @Copilot in #7045
• Harden Cobra command behavior: graceful proxy shutdown, default consistency, and completion updates by @Copilot in #7047
• Collapse duplicate unregistered custom-type handling in config validation by @Copilot in #7043
• Deduplicate canonical guard-policy missing-key error message by @Copilot in #7046
• Refactor MCP text-result parsing and remove responseWriter StatusCode shadowing by @Copilot in #7041
• rust-guard: hoist list_releases merged integrity + add delete_gist secrecy/integrity contract test by @Copilot in #7048

Full Changelog: v0.3.22...v0.3.23

v0.3.22

What's Changed

• [test] Add tests for envutil.deriveAPIFromServerURL — http scheme and edge cases by @github-actions[bot] in #6708
• Guard coverage: add explicit sub_issue_write read-write classification test by @Copilot in #6710
• [log] Add debug logging to jq middleware filter functions by @github-actions[bot] in #6715
• [Repo Assist] refactor(guard): extract parseDIFCTagsFromAny helper in wasm_parse.go by @github-actions[bot] in #6743
• [test-improver] Improve tests for tracing package by @github-actions[bot] in #6716
• Refactor duplicated DIFC tag parsing in WASM response handling by @Copilot in #6748
• Refactor DIFC/guard helper ownership to restore package boundaries by @Copilot in #6749
• Refactor duplicated owner/repo/number parsing in REST backend caller by @Copilot in #6751
• Centralize logger level wrapper registration by @Copilot in #6752
• Correct AGENTS.md default path for MCP_GATEWAY_WASM_CACHE_DIR by @Copilot in #6750
• Refactor duplicated MCP handler config setup in transport and routed server paths by @Copilot in #6753
• Harden jsonschema/v5 validation diagnostics and remote schema fetching by @Copilot in #6747

Full Changelog: v0.3.21...v0.3.22

v0.3.21

What's Changed

• 🔄 chore: update schema URL to v0.76.1 by @github-actions[bot] in #6565
• [Repo Assist] refactor(rust-guard): merge identical security-alert match arms and add actions_get tests by @github-actions[bot] in #6583
• Refactor duplicated backend registration failure reporting in tool registry by @Copilot in #6589
• rust-guard: collapse duplicated repo-write match arms and add pre-emptive tool coverage by @Copilot in #6587
• Clarify logger fallback contract and add direct fallback-handler coverage by @Copilot in #6590
• Improve OTel trace signal quality: stack traces, route cardinality, rate-limit status, and container resource metadata by @Copilot in #6588
• [test] Add tests for server.enforceToolCallLimit by @github-actions[bot] in #6598
• [Repo Assist] refactor: extract RecordSpanError helper to eliminate duplicate span error recording by @github-actions[bot] in #6632
• [test-improver] Improve tests for server HMAC middleware by @github-actions[bot] in #6601
• Refactor tracing expansion placement and extract shared JSON deep-clone utility by @Copilot in #6636
• rust-guard: remove per-item secrecy Vec clones in PR/issue labeling by @Copilot in #6641
• Strengthen TOML parse-error guarantees and clarify tracing key precedence by @Copilot in #6640
• refactor(difc): extract EvaluateCoarseAccess to eliminate duplicated Phase 2 logic by @Copilot in #6639
• [log] Add debug logging to launcher.go by @github-actions[bot] in #6600
• Add explicit DIFC labeling for list_issue_fields in GitHub guard by @Copilot in #6637
• Refactor span error recording into tracing helper and unify error-path instrumentation by @Copilot in #6638
• [log] Add logging to EvaluateCoarseAccess in difc/pipeline_decisions.go by @github-actions[bot] in #6650
• [test-improver] Improve tests for tracing span helpers by @github-actions[bot] in #6651
• [test] Add tests for logger error paths: MarkdownLogger.Close, FileLogger.Log, Logger.Print by @github-actions[bot] in #6647
• fix(proxy): use RecordSpanError for DIFC access-denied spans by @lpcox in #6679
• perf(rust-guard): eliminate wasted allocations in apply_tool_labels and project-item loop by @lpcox in #6680
• rust-guard: add issue_write_ff_remote_mcp_issue_fields to WRITE_OPERATIONS and tool_rules by @lpcox in #6678
• fix(tracing): semconv v1.27.0→v1.34.0, fix mcp.tool_call attribute misuse, add server.address by @Copilot in #6683
• refactor: extract shared DIFC enforcement pipeline to internal/guard/pipeline.go by @Copilot in #6685
• docs: reconcile documentation with implementation (9 discrepancies) by @Copilot in #6686
• refactor: move collaborator_permission to proxy, add strutil.RandomBytes by @Copilot in #6687
• refactor: extract repeated OTEL span-start patterns into named tracing helpers by @Copilot in #6684
• [Repo Assist] refactor: move TruncateSessionID from auth to strutil by @github-actions[bot] in #6704

Full Changelog: v0.3.20...v0.3.21

v0.3.20

What's Changed

• Enforce per-session tool call limits in allow-only guard policies by @Copilot in #6533
• Fix DIFC proxy handling for top-level array responses on comment list endpoints by @Copilot in #6538
• [test] Add tests for logger.RPCMessageType.JSONLEvent by @github-actions[bot] in #6541
• Refactor semantic outliers into config/guard/tracing ownership files by @Copilot in #6543
• [log] Add debug logging to gateway startup flow in cmd/root.go by @github-actions[bot] in #6547
• docs: correct MCP_GATEWAY_WASM_CACHE_DIR default to log-dir sibling path by @Copilot in #6549
• [test-improver] Improve tests for mcp http_transport by @github-actions[bot] in #6550

Full Changelog: v0.3.19...v0.3.20

v0.3.19

What's Changed

• [test] Add tests for proxy response_transform uncovered branches by @github-actions[bot] in #6318
• [log] Add debug logging to WASM compilation cache lifecycle by @github-actions[bot] in #6321
• [test-improver] Improve tests for cmd package: applyFlagOrEnv coverage by @github-actions[bot] in #6322
• [Repo Assist] fix(cmd): apply OTEL_SERVICE_NAME env var override to tracing config by @github-actions[bot] in #6344
• docs: refresh release highlights for v0.3.18 by @Copilot in #6358
• [test] Add tests for guard.callWasmFunction buffer retry logic by @github-actions[bot] in #6359
• [test-improver] Improve tests for config package by @github-actions[bot] in #6371
• [log] Add debug logging to httputil GitHub HTTP helpers by @github-actions[bot] in #6370
• [Repo Assist] refactor(guard): extract decodeWasmCallResult and unmarshalWasmResponse helpers by @github-actions[bot] in #6397
• [test] Add tests for config.validateToolResponseFilters and config.validateServerAuth by @github-actions[bot] in #6405
• [log] Add debug logger to mcp/collaborator_permission.go by @github-actions[bot] in #6419
• [test-improver] Improve tests for httputil package by @github-actions[bot] in #6420
• docs: make root config examples discoverable from Quick Start and config reference by @Copilot in #6431
• Reconcile guard-policy tags with docs and clarify stdin config behavior in Quick Start by @Copilot in #6434
• Refactor collaborator-permission tool helpers into internal/httputil by @Copilot in #6433
• Close GitHub guard DIFC gaps for search_commits and FF list_issues variant by @Copilot in #6432
• testify: fix assertion anti-patterns, promote require.NoError, expand JSONEq by @Copilot in #6471
• rust-guard: replace magic integrity strings with constants; add security-tool label tests by @Copilot in #6470
• [Repo Assist] refactor(rust-guard): use policy_integrity constants and add security-tool label tests by @github-actions[bot] in #6466
• Standardize gateway JSONL records with event/_schema and millisecond timestamps by @Copilot in #6485
• [test] Add tests for sys.DetectContainerID and refactor for testability by @github-actions[bot] in #6486
• chore: upgrade gh-aw workflows to v0.75.4 by @lpcox in #6493

Full Changelog: v0.3.18...v0.3.19

v0.3.18

🌟 Release Highlights

This release focuses on hardening the WASM guard subsystem, improving code quality through targeted refactoring, and expanding test coverage for the Rust guard and collaborator permission packages.

✨ What's New

• WASM guard robustness (#6290, #6296): The wazero-based guard runtime now handles oversized call_backend responses via a size-hint protocol, uses larger I/O buffers, improves cache reconfiguration locking, and adds fallback-path coverage — making guard execution more reliable under high-load and edge-case conditions.

• DIFC flags module (#6243): Guard policy override logic has been refactored into a dedicated DIFC flags module, improving maintainability and consistency of security policy enforcement.

🐛 Bug Fixes & Improvements

• Config map expansion (#6289): Stdin config map expansion no longer duplicates environment/header logic, reducing the risk of subtle configuration drift.
• Flag/env override helper (#6288): A shared applyFlagOrEnv helper eliminates duplicated flag-override patterns across CLI commands.

🔬 Testing & Reliability

• Expanded Rust guard test coverage for GraphQL node paths and GitHub URL repo extraction (#6284, #6291).
• Improved unit tests for the MCP collaborator permission package (#6249).
• Added debug logging to proxy/graphql_rewrite.go for easier diagnostics (#6248).

🐳 Docker Image

docker pull ghcr.io/github/gh-aw-mcpg:v0.3.18
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

What's Changed

• Refactor guard policy override helper into DIFC flags module by @Copilot in #6243
• [test-improver] Improve tests for mcp collaborator permission package by @github-actions[bot] in #6249
• [log] Add debug logging to proxy/graphql_rewrite.go by @github-actions[bot] in #6248
• [Repo Assist] test(rust-guard): add GraphQL path and URL-parsing tests for helpers.rs by @github-actions[bot] in #6284
• refactor: extract applyFlagOrEnv helper to eliminate duplicate flag-override logic by @Copilot in #6288
• Harden wazero guard I/O defaults, cache reconfiguration locking, and fallback-path coverage by @Copilot in #6290
• Refactor stdin config map expansion to remove duplicated env/header logic by @Copilot in #6289
• Add rust-guard helper test coverage for GraphQL node paths and GitHub URL repo extraction by @Copilot in #6291
• fix(go-fan): remove edit tool, embed module summary in issue body by @Copilot in #6292
• Handle oversized WASM call_backend responses via size-hint protocol + larger guard buffers by @Copilot in #6296

Full Changelog: v0.3.17...v0.3.18

v0.3.17

What's Changed

• 🔄 chore: update schema URL to v0.74.8 by @github-actions[bot] in #6186
• rust-guard: hoist invariant response-path labels and dedupe PR number extraction by @Copilot in #6211
• [Repo Assist] perf(rust-guard): hoist invariant label calls and dedup PR number extraction by @github-actions[bot] in #6201
• Deduplicate get_collaborator_permission REST fetch logic across unified server and proxy by @Copilot in #6208
• gojq: dual-error timeout diagnostics, disable $ENV in schema filter, document WithVariables pattern by @Copilot in #6210
• refactor: extract DoGitHubGET helper to eliminate duplicated GitHub HTTP request construction by @Copilot in #6209
• docs: add OTel/Sentry tracing documentation by @lpcox in #6227
• [test] Add tests for proxy.restBackendCaller.CallTool uncovered tool cases by @github-actions[bot] in #6236

Full Changelog: v0.3.16...v0.3.17

v0.3.16

What's Changed

• fix: bump smoke-otel-tracing mcpg to v0.3.14 by @lpcox in #6136
• feat(tracing): align span attributes with gen_ai semantic conventions by @lpcox in #6153
• [log] guard: add debug logging to parsePathLabeledResponse and parseCollectionLabeledData by @github-actions[bot] in #6154
• refactor: move outlier functions to semantically correct files by @Copilot in #6152
• [test-improver] Improve tests for proxy TLS package by @github-actions[bot] in #6160

Full Changelog: v0.3.15...v0.3.16

v0.3.15

What's Changed

• [test] Add tests for strutil.RandomHex error path and fix SanitizeArgs dead code by @github-actions[bot] in #6112
• fix(tracing): append /v1/traces to OTLP endpoint per spec by @lpcox in #6137
• fix(tracing): use URL parsing for /v1/traces path append by @lpcox in #6141

Full Changelog: v0.3.14...v0.3.15