Release Notes Action Items for mcpg 0.3.25 → 0.3.29
This issue summarizes upstream release notes for the mcpg dependency between the previously pinned version (0.3.25) and the new pinned version (0.3.29), highlighting items that may need follow-up in ado-aw.
The companion version-bump PR is titled chore(deps): update MCPG_VERSION to 0.3.29.
Releases analyzed
Deprecations
MCP_GATEWAY_API_KEY renamed to MCP_GATEWAY_AGENT_ID (v0.3.26): MCPG's run.sh now uses MCP_GATEWAY_AGENT_ID with a deprecated fallback for the old MCP_GATEWAY_API_KEY. ado-aw sets MCP_GATEWAY_API_KEY in src/compile/agentic_pipeline.rs, src/compile/common.rs, and src/compile/ir/output.rs. These should be updated to use MCP_GATEWAY_AGENT_ID before the deprecated fallback is removed in a future MCPG release.
Security fixes
- DIFC labeling gaps covered for
get_code_quality_finding, ui_get, add_gpg_key, add_ssh_key (v0.3.28): These four GitHub MCP operations previously lacked DIFC integrity/secrecy labels, meaning they could bypass data-flow integrity controls. The gap is now closed upstream; no ado-aw action required, but pipelines that called these operations on older MCPG were not receiving integrity enforcement for them.
- wazero WASM guard hardening — memory cap and backend call limit (v0.3.28): MCPG added memory caps and backend call limits to the wazero WASM guard runtime to prevent resource exhaustion from malformed or adversarial guard binaries. No ado-aw action required.
Notable features for ado-aw to adopt
- OTLP multi-endpoint fan-out via
GH_AW_OTLP_ENDPOINTS (v0.3.26): MCPG now supports fanning out OTel traces to multiple endpoints by setting the GH_AW_OTLP_ENDPOINTS environment variable (JSON array or comma-separated). ado-aw could expose this as a configuration option for operators who need to send MCP gateway traces to more than one collector endpoint.
refusal-labels guard policy (v0.3.27): MCPG added a new refusal-labels guard policy type (alongside the existing deny-labels and allow-only policies). ado-aw compiles MCPG guard configurations; this new policy type could be surfaced in the guard configuration front-matter.- Opt-in observed URL domain audit pipeline for tool responses and write sinks (v0.3.29): MCPG added an opt-in pipeline that records which URL domains appear in MCP tool responses and write sinks, useful for auditing egress at the application layer. ado-aw could expose this opt-in flag in pipeline configuration and surface the resulting data in
ado-aw audit reports.
This issue was opened automatically by the dependency version updater workflow.
Generated by Dependency Version Updater · 867 AIC · ⌖ 19 AIC · ⊞ 38.9K · ◷
Release Notes Action Items for
mcpg0.3.25→0.3.29This issue summarizes upstream release notes for the
mcpgdependency between the previously pinned version (0.3.25) and the new pinned version (0.3.29), highlighting items that may need follow-up in ado-aw.The companion version-bump PR is titled
chore(deps): update MCPG_VERSION to 0.3.29.Releases analyzed
Deprecations
MCP_GATEWAY_API_KEYrenamed toMCP_GATEWAY_AGENT_ID(v0.3.26): MCPG'srun.shnow usesMCP_GATEWAY_AGENT_IDwith a deprecated fallback for the oldMCP_GATEWAY_API_KEY. ado-aw setsMCP_GATEWAY_API_KEYinsrc/compile/agentic_pipeline.rs,src/compile/common.rs, andsrc/compile/ir/output.rs. These should be updated to useMCP_GATEWAY_AGENT_IDbefore the deprecated fallback is removed in a future MCPG release.Security fixes
get_code_quality_finding,ui_get,add_gpg_key,add_ssh_key(v0.3.28): These four GitHub MCP operations previously lacked DIFC integrity/secrecy labels, meaning they could bypass data-flow integrity controls. The gap is now closed upstream; no ado-aw action required, but pipelines that called these operations on older MCPG were not receiving integrity enforcement for them.Notable features for ado-aw to adopt
GH_AW_OTLP_ENDPOINTS(v0.3.26): MCPG now supports fanning out OTel traces to multiple endpoints by setting theGH_AW_OTLP_ENDPOINTSenvironment variable (JSON array or comma-separated). ado-aw could expose this as a configuration option for operators who need to send MCP gateway traces to more than one collector endpoint.refusal-labelsguard policy (v0.3.27): MCPG added a newrefusal-labelsguard policy type (alongside the existingdeny-labelsandallow-onlypolicies). ado-aw compiles MCPG guard configurations; this new policy type could be surfaced in the guard configuration front-matter.ado-aw auditreports.This issue was opened automatically by the dependency version updater workflow.