v0.9.0 - 2025-11-09 - Internal Observability, Performance Optimizations & Production Hardening

@crivetimihai

This release delivers detailed internal observability, major performance improvements, compression & pagination, REST API passthrough, Ed25519 certificate signing, and critical multi-tenancy fixes with 60+ issues resolved and 50+ PRs merged.

🏆 Major Achievements

Release 0.9.0 represents a major milestone in production readiness and operational excellence:

✅ 📊 Built-in Observability Platform - Self-contained performance monitoring with interactive dashboards, Gantt charts, flame graphs, and comprehensive trace analytics (no external platforms required!)
✅ ⚡ 30-70% Bandwidth Reduction - Multi-algorithm response compression (Brotli, Zstd, GZip) with zero client changes
✅ 🚀 5-6x Faster JSON Processing - orjson serialization for high-throughput APIs with 7% smaller payloads
✅ 🦀 5-100x Plugin Performance - Rust-accelerated PII filter with automatic Python fallback
✅ 📄 Comprehensive Pagination - HTMX-based UI pagination tested up to 10K records with database optimization
✅ 🔌 REST API Passthrough - Complete REST tool configuration with query/header mapping and plugin chains
✅ 🔐 Ed25519 Certificate Signing - Production-ready certificate authentication with zero-downtime key rotation
✅ 🛡️ Multi-Tenancy Security Fixes - Critical RBAC vulnerability patches and ownership enforcement
✅ 💬 LLM Chat Interface - Built-in MCP client with Redis-based session consistency for distributed environments

✨ Highlights

📊 Internal Observability System (NEW!)

Self-contained performance monitoring and trace analytics without external dependencies

The biggest feature of 0.9.0 is a comprehensive built-in observability system that provides production-grade monitoring, tracing, and analytics stored entirely in your database (SQLite/PostgreSQL/MariaDB) with interactive visualizations in the Admin UI.

Key Capabilities

Performance Analytics

Latency Percentiles: p50, p90, p95, p99 metrics for detailed performance analysis
Duration Tracking: Millisecond-precision timing for all operations
Throughput Metrics: Request counts and rates over time
Comparative Analysis: Side-by-side comparison of multiple resources

Error Tracking

Error Rate Monitoring: Percentage of failed operations with color-coded health indicators
- 🟢 Green: <5% errors (healthy)
- 🟡 Yellow: 5-20% errors (degraded)
- 🔴 Red: >20% errors (unhealthy)
Error-Prone Analysis: Identify resources with highest failure rates
Status Code Tracking: HTTP response codes and error messages
Root Cause Analysis: Detailed traces with full context

Interactive Dashboards

Tools Dashboard (/admin/observability/tools) - MCP tool invocation metrics
Prompts Dashboard (/admin/observability/prompts) - Prompt rendering performance
Resources Dashboard (/admin/observability/resources) - Resource fetch operations
Metrics Summary (/admin/observability/metrics) - At-a-glance health status
Auto-Refresh: Dashboards update every 60 seconds automatically

Trace Visualization

Gantt Chart Timeline: Visual representation of span execution order and timing
- Time scale from trace start to end
- Duration bars positioned by start time
- Critical path highlighting (longest dependency chain)
- Interactive tooltips and zoom
Flame Graphs: Hierarchical view of nested operations
- Call stack visualization with parent-child relationships
- Width proportional to duration
- Color-coded by operation type
- Interactive zoom, pan, and search
Trace Details: Complete trace metadata, attributes, and context
Span Explorer: Drill down into individual operations with detailed metrics

What Gets Traced

Tool invocations - Full lifecycle with arguments, results, and timing
Prompt rendering - Template processing and message generation
Resource fetching - URI resolution, caching, and content retrieval
HTTP requests - Complete request/response tracing with timing
Database queries - SQLAlchemy instrumentation for query performance
Plugin execution - Pre/post hooks if plugins are enabled

Configuration & Retention

# Enable internal observability
OBSERVABILITY_ENABLED=true

# Automatically trace HTTP requests
OBSERVABILITY_TRACE_HTTP_REQUESTS=true

# Retention and limits
OBSERVABILITY_TRACE_RETENTION_DAYS=7
OBSERVABILITY_MAX_TRACES=100000

# Trace sampling (1.0 = 100%, 0.1 = 10%)
OBSERVABILITY_SAMPLE_RATE=1.0

# Exclude paths (regex patterns)
OBSERVABILITY_EXCLUDE_PATHS=/health,/healthz,/ready,/metrics,/static/.*

Why This Matters

No External Dependencies: No need for Phoenix, Jaeger, Tempo, or other observability platforms
Self-Hosted: All trace data stays in your database
Development & Testing: Perfect for local development and testing environments
Quick Performance Analysis: Identify bottlenecks without additional infrastructure
Cost Effective: No additional observability platform costs
Privacy: Sensitive data never leaves your infrastructure

Use Cases

Identify slow tools and optimize critical paths
Debug performance issues with detailed trace inspection
Track error rates and identify problematic operations
Analyze usage patterns and resource consumption
Monitor production performance trends
Understand request flow with visual timelines

See the Internal Observability Documentation for comprehensive guides, examples, and screenshots.

⚡ Performance Optimizations (30-70% faster)

Response Compression Middleware (#1298, #1292)

Multi-Algorithm Support - Brotli, Zstd, and GZip with automatic negotiation
Bandwidth Reduction - 30-70% smaller responses for text content (JSON, HTML, CSS, JS)
Algorithm Priority - Brotli (best compression) > Zstd (fastest) > GZip (universal)
Smart Compression - Only compresses responses >500 bytes to avoid overhead
Optimal Settings - Balanced compression levels for CPU/bandwidth trade-off:
- Brotli quality 4 (0-11 scale) for best compression ratio
- Zstd level 3 (1-22 scale) for fastest compression
- GZip level 6 (1-9 scale) for balanced performance
Cache-Friendly - Adds Vary: Accept-Encoding header for proper cache behavior
Zero Client Changes - Transparent to API clients, browsers handle decompression
Browser Support - Brotli supported by 96%+ of browsers, GZip universal fallback

orjson JSON Serialization (#1294)

Performance Gains - 5-6x faster serialization, 1.5-2x faster deserialization vs stdlib json
Compact Output - 7% smaller JSON payloads for reduced bandwidth
Rust Implementation - Fast, correct JSON library (RFC 8259 compliant)
Native Type Support - datetime, UUID, numpy arrays, Pydantic models handled natively
Zero Configuration - Drop-in replacement for stdlib json, transparent to clients
Production Ready - Used by Reddit, Stripe for high-throughput APIs
API Benefits:
- 15-30% higher throughput
- 10-20% lower CPU usage
- 20-40% faster response times

🦀 Rust Plugin Framework (#1289, #1249)

Optional Rust-Accelerated Plugins - PyO3-based framework with automatic Python fallback
PII Filter (Rust) - 5-100x faster than Python implementation:
- Bulk detection: ~100x faster (Python: 2287ms → Rust: 22ms)
- Single pattern: ~5-10x faster across all PII types
- Memory efficient with Rust's ownership model
Auto-Detection - Automatically selects Rust or Python at runtime
UI Integration - Plugin catalog displays implementation type (🦀 Rust / 🐍 Python)
Comprehensive Testing - Unit tests, integration tests, differential tests, benchmarks
CI/CD Pipeline - Automated builds, tests, and publishing
Multi-Platform Builds - Linux (x86_64, aarch64), macOS (universal2), Windows (x86_64)
Zero Breaking Changes - Pure Python fallback when Rust not available
Installation - pip install mcp-contextforge-gateway[rust]

📄 Pagination & Scale

Comprehensive API Pagination (#1224, #1277)

All admin endpoints with configurable page sizes (1-500 items)
Maintains backward compatibility with legacy list format
Total count and page metadata included in responses
Navigation links with query parameter support

HTMX-Based UI Pagination

Seamless client-side pagination for admin UI
New /admin/tools/partial endpoint for HTMX-based pagination
Pagination controls with keyboard navigation support
Tested with up to 10,000 tools for performance validation
Tag filtering works within paginated results

Database Optimization

New composite indexes for efficient paginated queries
Indexes on created_at + id for tools, servers, resources, prompts, gateways
Team-scoped indexes for multi-tenant pagination performance
Auth events and API tokens indexed for audit log pagination

11 Configuration Variables - Fine-tuned pagination behavior:

PAGINATION_DEFAULT_PAGE_SIZE - Default items per page (default: 50)
PAGINATION_MAX_PAGE_SIZE - Maximum allowed page size (default: 500)
PAGINATION_CURSOR_THRESHOLD - Threshold for cursor-based pagination (default: 10000)
PAGINATION_CURSOR_ENABLED - Enable cursor-based pagination (default: true)
PAGINATION_INCLUDE_LINKS - Include navigation links in responses (default: true)
Additional settings for sort order, caching, and offset limits

Pagination Utilities - New mcpgateway/utils/pagination.py module:

Offset-based pagination for simple use cases (<10K records)
Cursor-based pagination for large datasets (>10K records)
Automatic strategy selection based on result set size

🔌 REST API Passthrough

Complete REST Tool Configuration (#746, #1273)

Query & Header Mapping - Configure dynamic query parameter and header mappings
Path Templates - URL path templates with variable substitution
Timeout Management - Per-tool timeout settings (default: 20000ms)
Endpoint Exposure Control - Toggle passthrough endpoint visibility with expose_passthrough flag
Security Controls - Host allowlists for allowed upstream hosts/schemes
Plugin Chain Support - Pre and post-request plugin integration
Base URL Extraction - Automatic extraction from tool URLs
Admin UI Integration - "Advanced: Add Passthrough" button with dynamic field generation

REST Tool Validation (#1273)

URL structure validation (scheme and netloc)
Path template validation (leading slash enforcement)
Timeout validation (positive integers)
Allowlist validation (regex-based)
Plugin chain validation (restricted to safe plugins: deny_filter, rate_limit, pii_filter, response_shape, regex_filter, resource_filter)
Integration type enforcement (REST-specific fields only for integration_type='REST')

🔐 Ed25519 Certificate Signing

Digital Certificate Authentication

Sign and verify certificates using Ed25519 cryptographic signatures
Ensures certificate authenticity and prevents tampering
Built on proven Ed25519 algorithm (RFC 8032)
Zero-dependency Python implementation using cryptography library

Key Generation Utility

Built-in key generation tool at mcpgateway/utils/generate_keys.py
Generates secure Ed25519 private keys in base64 format
Simple command-line interface for development and production

Key Rotation Support

Graceful key rotation with zero downtime
Configure both current (ED25519_PRIVATE_KEY) and previous (PREV_ED25519_PRIVATE_KEY) keys
Automatic fallback to previous key during rotation
Supports rolling updates in distributed deployments

Kubernetes & Helm Support

Secret management via values.yaml configuration
JSON Schema validation in values.schema.json
External Secrets Operator integration examples
Complete Helm chart documentation

🔒 Multi-Tenancy & Security Fixes

RBAC Vulnerability Patch (#1248, #1250)

Fixed unauthorized access to resource status toggling
Ownership checks now enforced for all resource operations
Toggle permissions restricted to resource owners only

Team-Scoped Uniqueness (#1246)

Enforced unique constraints within teams for prompts, resources, and agents
Prompts: unique within (team_id, owner_email, name)
Resources: unique within (team_id, owner_email, uri)
A2A Agents: unique within (team_id, owner_email, slug)
Dropped legacy single-column unique constraints for multi-tenant compatibility

Ownership Enforcement (#1209, #1210)

Implemented ownership checks for public resources
Users can only edit/delete their own public resources
Prevents unauthorized modification of team-shared resources

ID-Based Resource Endpoints (#1184)

All prompt and resource endpoints now use unique IDs for lookup
Prevents naming conflicts across teams and owners
Enhanced API security and consistency
Migration compatible with SQLite, MySQL, and PostgreSQL

🛠️ Developer & Operations Tools

Support Bundle Generation (#1197)

Automated diagnostics collection with sanitized logs, configuration, and system information
Command-line tool: mcpgateway --support-bundle --output-dir /tmp --log-lines 1000
API endpoint: GET /admin/support-bundle/generate?log_lines=1000
Admin UI: "Download Support Bundle" button in Diagnostics tab
Automatic sanitization of secrets (passwords, tokens, API keys)

LLM Chat Interface (#1202, #1200, #1236)

Built-in MCP client with LLM chat service for virtual servers
Agent-enabled tool orchestration with MCP protocol integration
Redis-based session consistency (#1236) for multi-worker distributed environments
- Concurrent user management with worker coordination
- Session isolation and race condition prevention
- Redis locks and TTLs for consistency
Direct testing of virtual servers and tools from Admin UI

System Statistics in Metrics (#1228, #1232)

Comprehensive system monitoring in metrics page
CPU, memory, disk usage, and network statistics
Process information and resource consumption
System health indicators for production monitoring

Performance Testing Framework (#1203, #1204, #1226)

Load testing and benchmarking capabilities
Production-scale load data generator for multi-tenant testing (#1225, #1226)
Benchmark MCP server for performance analysis (#1219, #1220, #1221)
Fixed TokenUsageLog SQLite bug in load testing framework

Metrics Export Enhancement (#1218)

Export all metrics data for external analysis and integration

🔐 SSO & Authentication

Microsoft Entra ID Support (#1212, #1211)

Complete Entra ID integration with environment variable configuration

Generic OIDC Provider Support (#1213)

Flexible OIDC integration for any compliant provider

Keycloak Integration (#1217, #1216, #1109)

Full Keycloak support with application/x-www-form-urlencoded

OAuth Timeout Configuration (#1201)

Configurable OAUTH_DEFAULT_TIMEOUT for OAuth providers

🔌 Plugin Framework Enhancements

Plugin Client-Server mTLS Support (#1196)

Mutual TLS authentication for external plugins

Complete OPA Plugin Hooks (#1198, #1137)

All missing hooks implemented in OPA plugin

Plugin Linters & Quality (#1240)

Comprehensive linting for all plugins with automated fixes

Plugin Compose Configuration (#1174)

Enhanced plugin and catalog configuration in docker-compose

🌐 Protocol & Platform

MCP Tool Output Schema Support (#1258, #1263, #1269)

Full support for MCP tool outputSchema field
Database and service layer implementation (#1263)
Admin UI support for viewing and editing output schemas (#1269)
Preserves output schema during tool discovery and invocation

Multiple StreamableHTTP Content (#1188, #1189)

Support for multiple content blocks in StreamableHTTP responses

s390x Architecture Support (#1138, #1206)

Container builds for IBM Z platform (s390x)

System Monitor MCP Server (#977)

Go-based MCP server for system monitoring and metrics

💻 Admin UI Enhancements

Inspectable Auth Credentials (#1336, #1370)

Admins can now view and verify passwords, tokens, and custom headers
Toggle buttons for masking/unmasking sensitive input values
Fixed saved custom headers not visible when editing MCP servers
Quality of life improvements for admins when managing MCP servers

🆕 Added

📊 Internal Observability System (#1401, #1400)

Core Infrastructure

Built-in observability system with database-backed storage (SQLite/PostgreSQL/MariaDB)
Self-contained performance monitoring without external platform dependencies
Comprehensive trace analytics with interactive Admin UI visualizations
Automatic HTTP request tracing with configurable sampling and exclusions

Database Schema

observability_traces table - Trace metadata with trace_id, start/end times, status
observability_spans table - Operation details with parent-child relationships
observability_span_attributes table - Custom key-value metadata
observability_span_events table - Log events within spans
Performance indexes on trace_id, span_id, operation, start_time for fast queries

Instrumentation

ObservabilityMiddleware - Automatic HTTP request tracing with trace/span creation
SQLAlchemy Instrumentation - Database query tracing with query text and duration
Tool/Prompt/Resource Tracing - Automatic instrumentation for MCP operations
Plugin Execution Tracing - Pre/post hook execution if plugins enabled

Admin UI Dashboards

Tools Dashboard (/admin/observability/tools) - Tool invocation metrics with usage charts, latency analysis, error rates
Prompts Dashboard (/admin/observability/prompts) - Prompt rendering performance with frequency, latency, errors
Resources Dashboard (/admin/observability/resources) - Resource fetch operations with access patterns and performance
Metrics Summary (/admin/observability/metrics) - Overall health status with summary cards
Trace List (/admin/observability/traces) - Recent traces with filtering
Trace Detail (/admin/observability/traces/{trace_id}) - Comprehensive trace analysis

Visualization Components

Gantt Chart Timeline - Visual timeline with span execution order, duration bars, critical path highlighting
Flame Graphs - Hierarchical visualization with zoom, pan, search, and interactive exploration
Summary Cards - At-a-glance health status, most used, slowest, and most error-prone resources
Performance Charts - Interactive Chart.js visualizations for usage, latency, error rates
Detailed Metrics Tables - Latency percentiles (p50, p90, p95, p99), invocation counts, error rates

Configuration

OBSERVABILITY_ENABLED - Master switch for internal observability (default: false)
OBSERVABILITY_TRACE_HTTP_REQUESTS - Auto-trace HTTP requests (default: true)
OBSERVABILITY_TRACE_RETENTION_DAYS - Days to retain trace data (default: 7)
OBSERVABILITY_MAX_TRACES - Maximum traces to store (default: 100000)
OBSERVABILITY_SAMPLE_RATE - Trace sampling rate (default: 1.0 = 100%)
OBSERVABILITY_EXCLUDE_PATHS - Regex patterns to exclude (default: /health,/metrics,/static/.*)
OBSERVABILITY_METRICS_ENABLED - Enable metrics collection (default: true)
OBSERVABILITY_EVENTS_ENABLED - Enable event logging (default: true)

Retention & Cleanup

Scheduled cleanup job for automatic trace retention enforcement
FIFO deletion when maximum trace limit exceeded
Configurable retention days (1-365)
Automatic cleanup of old traces to prevent unbounded growth

Documentation

Complete guide: docs/docs/manage/observability/internal-observability.md (823 lines)
Configuration reference with all environment variables
Dashboard usage guides with examples
Trace visualization documentation
Performance metrics explanation (percentiles, health indicators)

⚡ Performance Optimizations

Response Compression Middleware (#1298, #1292)

Multi-algorithm support: Brotli, Zstd, GZip with automatic content negotiation
30-70% bandwidth reduction for text-based content (JSON, HTML, CSS, JS)
Smart compression threshold (minimum 500 bytes)
Configurable compression levels per algorithm
Cache-friendly with Vary: Accept-Encoding header
Zero client changes required (transparent compression/decompression)
5 environment variables for fine-tuning:
- COMPRESSION_ENABLED - Enable/disable (default: true)
- COMPRESSION_MINIMUM_SIZE - Minimum size to compress (default: 500 bytes)
- COMPRESSION_GZIP_LEVEL - GZip level (default: 6)
- COMPRESSION_BROTLI_QUALITY - Brotli quality (default: 4)
- COMPRESSION_ZSTD_LEVEL - Zstd level (default: 3)

orjson JSON Serialization (#1294)

5-6x faster JSON encoding, 1.5-2x faster decoding vs stdlib json
7% smaller JSON payloads for reduced bandwidth usage
Rust-based implementation (RFC 8259 compliant)
Native support for datetime, UUID, numpy arrays, Pydantic models
Drop-in replacement with zero configuration
Production-ready (used by Reddit, Stripe)
Benchmark script: scripts/benchmark_json_serialization.py
15-30% higher API throughput, 10-20% lower CPU usage, 20-40% faster response times
29 comprehensive unit tests with 100% code coverage
Implementation: mcpgateway/utils/orjson_response.py

🦀 Rust Plugin Framework (#1289, #1249)

Complete PyO3-based framework for building high-performance plugins
PII Filter (Rust): 5-100x faster than Python implementation
- Bulk detection: ~100x faster (Python: 2287ms → Rust: 22ms)
- Single pattern: ~5-10x faster across all PII types
- Memory efficient with Rust's ownership model
Auto-detection: Automatically selects Rust or Python implementation at runtime
UI integration: Plugin catalog displays implementation type (🦀 Rust / 🐍 Python)
Comprehensive testing: Unit tests, integration tests, differential tests, benchmarks
CI/CD pipeline: Automated builds, tests, and publishing
Multi-platform builds: Linux (x86_64, aarch64), macOS (universal2), Windows (x86_64)
Zero breaking changes: Pure Python fallback when Rust not available
Optional installation: pip install mcp-contextforge-gateway[rust]

📄 REST API and UI Pagination (#1224, #1277)

Paginated REST API Endpoints

All admin API endpoints now support pagination with configurable page size
/admin/tools endpoint returns paginated response with data, pagination, and links keys
Maintains backward compatibility with legacy list format
Configurable page size (1-500 items per page, default: 50)
Total count and page metadata included in responses
Navigation links with query parameter support

Database Indexes for Pagination

New composite indexes for efficient paginated queries
Indexes on created_at + id for tools, servers, resources, prompts, gateways
Team-scoped indexes for multi-tenant pagination performance
Auth events and API tokens indexed for audit log pagination

UI Pagination with HTMX

Seamless client-side pagination for admin UI
New /admin/tools/partial endpoint for HTMX-based pagination
Pagination controls with keyboard navigation support
Tested with up to 10,000 tools for performance validation
Tag filtering works within paginated results

Pagination Configuration - 11 new environment variables:

PAGINATION_DEFAULT_PAGE_SIZE - Default items per page (default: 50)
PAGINATION_MAX_PAGE_SIZE - Maximum allowed page size (default: 500)
PAGINATION_CURSOR_THRESHOLD - Threshold for cursor-based pagination (default: 10000)
PAGINATION_CURSOR_ENABLED - Enable cursor-based pagination (default: true)
PAGINATION_INCLUDE_LINKS - Include navigation links in responses (default: true)
Additional settings for sort order, caching, and offset limits

Pagination Utilities - New mcpgateway/utils/pagination.py module:

Offset-based pagination for simple use cases (<10K records)
Cursor-based pagination for large datasets (>10K records)
Automatic strategy selection based on result set size
Navigation link generation with query parameter support

Comprehensive Test Coverage - 1,089+ lines of pagination tests

Integration tests for paginated endpoints
Unit tests for pagination utilities
Performance validation with large datasets

🔌 REST Passthrough Configuration (#746, #1273)

Query & Header Mapping

Configure dynamic query parameter and header mappings for REST tools
Path templates with variable substitution
Per-tool timeout settings (default: 20000ms for REST passthrough)
Endpoint exposure control with expose_passthrough flag

Security & Plugin Integration

Host allowlists for allowed upstream hosts/schemes
Plugin chain support for pre and post-request processing
Base URL extraction from tool URLs
Admin UI integration with "Advanced: Add Passthrough" button

REST Tool Validation (#1273)

URL structure validation (scheme and netloc)
Path template validation (leading slash enforcement)
Timeout validation (positive integers)
Allowlist validation (regex-based)
Plugin chain validation (restricted to safe plugins: deny_filter, rate_limit, pii_filter, response_shape, regex_filter, resource_filter)
Integration type enforcement (REST-specific fields only for integration_type='REST')

New Tool Columns - Added 9 new columns to tools table via Alembic migration 8a2934be50c0:

base_url - Base URL for REST passthrough
path_template - Path template for URL construction
query_mapping - JSON mapping for query parameters
header_mapping - JSON mapping for headers
timeout_ms - Request timeout in milliseconds
expose_passthrough - Boolean flag to enable/disable passthrough
allowlist - JSON array of allowed hosts/schemes
plugin_chain_pre - Pre-request plugin chain
plugin_chain_post - Post-request plugin chain

🔐 Ed25519 Certificate Signing

Digital Certificate Signing

Sign and verify certificates using Ed25519 cryptographic signatures
Ensures certificate authenticity and prevents tampering
Built on proven Ed25519 algorithm (RFC 8032)
Zero-dependency Python implementation using cryptography library

Key Generation Utility

Built-in key generation tool at mcpgateway/utils/generate_keys.py
Generates secure Ed25519 private keys in base64 format
Simple command-line interface for development and production

Key Rotation Support

Graceful key rotation with zero downtime
Configure both current (ED25519_PRIVATE_KEY) and previous (PREV_ED25519_PRIVATE_KEY) keys
Automatic fallback to previous key during rotation
Supports rolling updates in distributed deployments

Environment Variable Configuration - 3 new variables:

ENABLE_ED25519_SIGNING - Enable/disable signing (default: "false")
ED25519_PRIVATE_KEY - Current signing key (base64-encoded)
PREV_ED25519_PRIVATE_KEY - Previous key for rotation (base64-encoded)

Kubernetes & Helm Support

Secret management via values.yaml configuration
JSON Schema validation in values.schema.json
External Secrets Operator integration examples
Complete Helm chart documentation

🛠️ Developer & Operations Tools

Support Bundle Generation (#1197)

Automated diagnostics collection with sanitized logs, configuration, and system information
Command-line tool: mcpgateway --support-bundle --output-dir /tmp --log-lines 1000
API endpoint: GET /admin/support-bundle/generate?log_lines=1000
Admin UI: "Download Support Bundle" button in Diagnostics tab
Automatic sanitization of secrets (passwords, tokens, API keys)

LLM Chat Interface (#1202, #1200, #1236)

Built-in MCP client with LLM chat service for virtual servers
Agent-enabled tool orchestration with MCP protocol integration
Redis-based session consistency (#1236) for multi-worker distributed environments
- Concurrent user management with worker coordination
- Session isolation and race condition prevention
- Redis locks and TTLs for consistency
Direct testing of virtual servers and tools from Admin UI

System Statistics in Metrics (#1228, #1232)

Comprehensive system monitoring in metrics page
CPU, memory, disk usage, and network statistics
Process information and resource consumption
System health indicators for production monitoring

Performance Testing Framework (#1203, #1204, #1226)

Load testing and benchmarking capabilities
Production-scale load data generator for multi-tenant testing (#1225, #1226)
Benchmark MCP server for performance analysis (#1219, #1220, #1221)
Fixed TokenUsageLog SQLite bug in load testing framework

Metrics Export Enhancement (#1218)

Export all metrics data for external analysis and integration

🔐 SSO & Authentication Enhancements (#1212, #1213, #1216, #1217)

Microsoft Entra ID Support (#1212, #1211)

Complete Entra ID integration with environment variable configuration

Generic OIDC Provider Support (#1213)

Flexible OIDC integration for any compliant provider

Keycloak Integration (#1217, #1216, #1109)

Full Keycloak support with application/x-www-form-urlencoded

OAuth Timeout Configuration (#1201)

Configurable OAUTH_DEFAULT_TIMEOUT for OAuth providers

🔌 Plugin Framework Enhancements (#1196, #1198, #1137, #1240, #1289)

Plugin Client-Server mTLS Support (#1196)

Mutual TLS authentication for external plugins

Complete OPA Plugin Hooks (#1198, #1137)

All missing hooks implemented in OPA plugin

Plugin Linters & Quality (#1240)

Comprehensive linting for all plugins with automated fixes

Plugin Compose Configuration (#1174)

Enhanced plugin and catalog configuration in docker-compose

🌐 Protocol & Platform Enhancements

MCP Tool Output Schema Support (#1258, #1263, #1269)

Full support for MCP tool outputSchema field
Database and service layer implementation (#1263)
Admin UI support for viewing and editing output schemas (#1269)
Preserves output schema during tool discovery and invocation

Multiple StreamableHTTP Content (#1188, #1189)

Support for multiple content blocks in StreamableHTTP responses

s390x Architecture Support (#1138, #1206)

Container builds for IBM Z platform (s390x)

System Monitor MCP Server (#977)

Go-based MCP server for system monitoring and metrics

📚 Documentation Enhancements

Observability Documentation

docs/docs/manage/observability/internal-observability.md (823 lines) - Complete internal observability guide
docs/docs/manage/observability/observability.md (450 lines) - OpenTelemetry and external platforms
docs/docs/manage/observability/phoenix.md (365 lines) - Arize Phoenix integration

Integration Guides

Langflow MCP Server Integration (#1205) - Documentation for Langflow integration
SSO Tutorial Updates (#277) - Comprehensive GitHub SSO integration tutorial

Configuration

Environment Variable Documentation (#1215) - Updated and clarified environment variable settings
Documentation Formatting Fixes (#1214) - Fixed newlines and formatting across documentation

💻 Admin UI Enhancements (#1336, #1370)

Inspectable Auth Credentials (#1336, #1370)

Admins can now view and verify passwords, tokens, and custom headers
Toggle buttons for masking/unmasking sensitive input values
Fixed saved custom headers not visible when editing MCP servers
Quality of life improvements for admins when managing MCP servers

🐛 Fixed

🔒 Critical Multi-Tenancy & RBAC Bugs

RBAC Vulnerability Patch (#1248, #1250)

Fixed unauthorized access to resource status toggling
Ownership checks now enforced for all resource operations
Toggle permissions restricted to resource owners only

Backend Multi-Tenancy Issues (#969)

Comprehensive fixes for team-based resource scoping

Team Member Re-addition (#959)

Fixed unique constraint preventing re-adding team members

Public Resource Ownership (#1209, #1210)

Implemented ownership checks for public resources
Users can only edit/delete their own public resources
Prevents unauthorized modification of team-shared resources

Incomplete Visibility Implementation (#958)

Fixed visibility enforcement across all resource types

🔐 Security & Authentication Fixes

JWT Token Fixes (#1254, #1255, #1262, #1261)

Fixed JWT jti mismatch between token and database record (#1254, #1255)
Fixed JWT token following default expiry instead of UI configuration (#1262)
Fixed API token expiry override by environment variables (#1261)

Cookie Scope & RBAC Redirects (#1252, #448)

Aligned cookie scope with app root path
Fixed custom base path support (e.g., /api instead of /mcp)
Proper RBAC redirects for custom app paths

OAuth & Login Issues (#1048, #1101, #1117, #1181, #1190)

Fixed HTTP login requiring SECURE_COOKIES=false warning (#1048, #1181)
Fixed login failures in v0.7.0 (#1101, #1117)
Fixed virtual MCP server access with JWT instead of OAuth (#1190)

CSP & Iframe Embedding (#922, #1241)

Fixed iframe embedding with consistent CSP and X-Frame-Options headers

🔧 UI/UX & Display Fixes

UI Margins & Layout (#1272, #1276, #1275)

Fixed UI margin issues and catalog display

Request Payload Visibility (#1098, #1242)

Fixed request payload not visible in UI

Tool Annotations (#835)

Added custom annotation support for tools

Header-Modal Overlap (#1178, #1179)

Fixed header overlapping with modals

Passthrough Headers (#861, #1024)

Fixed passthrough header parameters not persisted to database
Plugin tool_prefetch hook can now access PASSTHROUGH_HEADERS and tags

🛠️ Infrastructure & Build Fixes

CI/CD Pipeline Verification (#1257)

Complete build pipeline verification with all stages

Makefile Clean Target (#1238)

Fixed Makefile clean target for proper cleanup

UV Lock Conflicts (#1230, #1234, #1243)

Resolved conflicting dependencies with semgrep

Deprecated Config Parameters (#1237)

Removed deprecated 'env=...' parameters in config.py

Bandit Security Scan (#1244)

Fixed all bandit security warnings

Test Warnings & Mypy Issues (#1268)

Fixed test warnings and mypy type issues

🧪 Test Reliability & Quality Improvements (#1281, #1283, #1284, #1291)

Gateway Test Stability (#1281)

Fixed gateway test failures and eliminated warnings
Integrated pytest-httpx for cleaner HTTP mocking
Eliminated RuntimeWarnings from improper async context manager mocking
Added url-normalize library for consistent URL normalization
Reduced test file complexity by 388 lines (942 → 554 lines)
Consolidated validation tests into parameterized test cases

Logger Test Reliability (#1283, #1284)

Resolved intermittent logger capture failures
Scoped logger configuration to prevent inter-test conflicts (#1283)
Fixed email verification logic error in auth.py (email_verified_at vs is_email_verified) (#1283)
Fixed caplog logger name specification for reliable debug message capture (#1284)
Added proper type hints and improved type safety

Prompt Test Fixes (#1291)

Fixed test failures and prompt-related test issues

🐳 Container & Deployment Fixes

Gateway Registration on MacOS (#625)

Fixed gateway registration and tool invocation on MacOS

Non-root Container Users (#1231)

Added non-root user to scratch Go containers

Container Runtime Detection

Improved Docker/Podman detection in Makefile

🔄 Changed

🗄️ Database Schema & Multi-Tenancy Enhancements (#1246, #1273)

Scoped Uniqueness for Multi-Tenant Resources (#1246):

Enforced team-scoped uniqueness constraints for improved multi-tenancy isolation
- Prompts: unique within (team_id, owner_email, name) - prevents naming conflicts across teams
- Resources: unique within (team_id, owner_email, uri) - ensures URI uniqueness per team/owner
- A2A Agents: unique within (team_id, owner_email, slug) - team-scoped agent identifiers
- Dropped legacy single-column unique constraints (name, uri) for multi-tenant compatibility
ID-Based Resource Endpoints (#1184) - All prompt and resource endpoints now use unique IDs for lookup
- Prevents naming conflicts across teams and owners
- Enhanced API security and consistency
- Migration compatible with SQLite, MySQL, and PostgreSQL
Enhanced Prompt Editing (#1180) - Prompt edit form now correctly includes team_id in form data
Plugin Hook Updates - PromptPrehookPayload and PromptPosthookPayload now use prompt_id instead of name
Resource Content Schema - ResourceContent now includes id field for unique identification

REST Passthrough Configuration (#1273):

New Tool Columns - Added 9 new columns to tools table via Alembic migration 8a2934be50c0:
- base_url - Base URL for REST passthrough
- path_template - Path template for URL construction
- query_mapping - JSON mapping for query parameters
- header_mapping - JSON mapping for headers
- timeout_ms - Request timeout in milliseconds
- expose_passthrough - Boolean flag to enable/disable passthrough
- allowlist - JSON array of allowed hosts/schemes
- plugin_chain_pre - Pre-request plugin chain
- plugin_chain_post - Post-request plugin chain

🔧 API Schemas (#1273)

ToolCreate Schema

Enhanced with passthrough field validation and auto-extraction logic

ToolUpdate Schema

Updated with same validation logic for modifications

ToolRead Schema

Extended to expose passthrough configuration in API responses

⚙️ Configuration & Defaults (#1194)

APP_DOMAIN Default

Updated default URL to be compatible with Pydantic v2

OAUTH_DEFAULT_TIMEOUT

New configuration for OAuth provider timeouts

Environment Variables

Comprehensive cleanup and documentation updates

🧹 Code Quality & Developer Experience Improvements (#1271, #1233)

Consolidated Linting Configuration (#1271)

Single source of truth for all Python linting tools
Migrated ruff and interrogate configs from separate files into pyproject.toml
Enhanced ruff with import sorting checks (I) and docstring presence checks (D1)
Unified pre-commit hooks to match CI/CD pipeline enforcement
Reduced configuration sprawl: removed .ruff.toml and .interrogaterc
Better IDE integration with comprehensive real-time linting

CONTRIBUTING.md Cleanup (#1233)

Simplified contribution guidelines

Lint-smart Makefile Fix (#1233)

Fixed syntax error in lint-smart target

Plugin Linting (#1240)

Comprehensive linting across all plugins with automated fixes

Deprecation Removal

Removed all deprecated Pydantic v1 patterns

🔒 Security Enhancements

Authentication & Authorization

RBAC Vulnerability Patch - Fixed unauthorized resource access (#1248)
JWT Token Security - Resolved jti mismatches and expiry override issues (#1254, #1255, #1262, #1261)
Cookie Scope Security - Aligned cookie scope with app root path (#1252)
Ownership Enforcement - Strict ownership checks for public resources (#1209)

Plugin Security

Plugin mTLS Support - Mutual TLS for external plugin communication (#1196)
Plugin Chain Validation - Restricted to known safe plugins for REST passthrough (#1273)

Infrastructure Security

Support Bundle Sanitization - Automatic secret redaction in diagnostic bundles (#1197)
CSP Headers - Proper Content-Security-Policy for iframe embedding (#1241)
Non-root Containers - Added non-root user to Go containers (#1231)

🏗️ Infrastructure

Performance & Scale

Multi-Architecture Support - s390x platform builds for IBM Z (#1206)
Complete Build Verification - End-to-end CI/CD pipeline testing (#1257)
Performance Testing Framework - Production-scale load testing capabilities (#1204)
System Monitoring - Comprehensive system statistics and health indicators (#1228)

Deployment

PostgreSQL 17 → 18 Upgrade - Automated upgrade utility with data migration
Helm Chart Updates - Enhanced secret management and External Secrets Operator examples
Docker Compose Enhancements - Improved plugin and catalog configuration (#1174)

📚 Documentation

Observability

Internal Observability Guide - Complete documentation with examples and screenshots (823 lines)
OpenTelemetry Integration - Vendor-agnostic observability platform guide (450 lines)
Phoenix Integration - Arize Phoenix AI observability setup (365 lines)

API & Integration

REST Passthrough Configuration - Complete REST API passthrough guide
SSO Integration Tutorials - GitHub, Entra ID, Keycloak, and generic OIDC
Langflow Integration - Documentation for Langflow MCP server integration

Operations

Support Bundle Usage - CLI, API, and Admin UI documentation
Performance Testing Guide - Load testing and benchmarking documentation
LLM Chat Interface - MCP-enabled tool orchestration guide

Security

Ed25519 Certificate Signing - Complete security documentation and best practices
Key Rotation Guide - Zero-downtime key rotation procedures

📦 Migration Guide

Environment Configuration Updates

Observability Configuration (new in 0.9.0)

# Enable internal observability
OBSERVABILITY_ENABLED=true

# Automatically trace HTTP requests
OBSERVABILITY_TRACE_HTTP_REQUESTS=true

# Retention and limits
OBSERVABILITY_TRACE_RETENTION_DAYS=7
OBSERVABILITY_MAX_TRACES=100000

# Trace sampling (1.0 = 100%, 0.1 = 10%)
OBSERVABILITY_SAMPLE_RATE=1.0

# Exclude paths (regex patterns)
OBSERVABILITY_EXCLUDE_PATHS=/health,/healthz,/ready,/metrics,/static/.*

# Enable metrics and events
OBSERVABILITY_METRICS_ENABLED=true
OBSERVABILITY_EVENTS_ENABLED=true

Performance Optimizations (new in 0.9.0)

# Response Compression (enabled by default)
COMPRESSION_ENABLED=true
COMPRESSION_MINIMUM_SIZE=500
COMPRESSION_GZIP_LEVEL=6
COMPRESSION_BROTLI_QUALITY=4
COMPRESSION_ZSTD_LEVEL=3

Pagination Configuration (new in 0.9.0)

# Pagination Settings
PAGINATION_DEFAULT_PAGE_SIZE=50
PAGINATION_MAX_PAGE_SIZE=500
PAGINATION_CURSOR_THRESHOLD=10000
PAGINATION_CURSOR_ENABLED=true
PAGINATION_INCLUDE_LINKS=true

Ed25519 Certificate Signing (new in 0.9.0)

# Certificate Signing (disabled by default)
ENABLE_ED25519_SIGNING=false
ED25519_PRIVATE_KEY=<base64-encoded-key>
PREV_ED25519_PRIVATE_KEY=<base64-encoded-key>  # For key rotation

OAuth Configuration Updates

# OAuth Timeout (new in 0.9.0)
OAUTH_DEFAULT_TIMEOUT=30

# Microsoft Entra ID (new in 0.9.0)
SSO_ENTRA_ENABLED=true
SSO_ENTRA_CLIENT_ID=your-client-id
SSO_ENTRA_CLIENT_SECRET=your-secret
SSO_ENTRA_TENANT_ID=your-tenant-id

# Generic OIDC Provider (new in 0.9.0)
SSO_GENERIC_ENABLED=true
SSO_GENERIC_PROVIDER_ID=keycloak
SSO_GENERIC_CLIENT_ID=your-client-id
SSO_GENERIC_CLIENT_SECRET=your-secret
SSO_GENERIC_AUTHORIZATION_URL=https://auth.example.com/authorize
SSO_GENERIC_TOKEN_URL=https://auth.example.com/token
SSO_GENERIC_USERINFO_URL=https://auth.example.com/userinfo

Rust Plugin Framework (optional)

# Install Rust-accelerated plugins (optional)
pip install mcp-contextforge-gateway[rust]

Database Migration

Database migrations run automatically on startup. Backup recommended before upgrading from 0.8.0 → 0.9.0:

# Backup your database first (REQUIRED)
cp mcp.db mcp.db.backup.$(date +%Y%m%d_%H%M%S)

# Update .env with new 0.9.0 settings (see above)

# Start the server - migrations run automatically
make dev  # or make serve for production

PostgreSQL 17 → 18 Upgrade

Docker Compose users must run the upgrade utility before starting the stack.

# Stop existing stack
docker compose down

# Run automated upgrade (recommended)
make compose-upgrade-pg18

# Start upgraded stack
make compose-up

# Verify upgrade
docker compose exec postgres psql -U postgres -c 'SELECT version();'
# Should show: PostgreSQL 18.x

# (Optional) Clean up old volume after verification
docker volume rm mcp-context-forge_pgdata

Manual Upgrade (without Make):

# Stop stack
docker compose down

# Run upgrade
docker compose -f docker-compose.yml -f compose.upgrade.yml run --rm pg-upgrade

# Copy pg_hba.conf
docker compose -f docker-compose.yml -f compose.upgrade.yml run --rm pg-upgrade \
  sh -c "cp /var/lib/postgresql/OLD/pg_hba.conf /var/lib/postgresql/18/docker/pg_hba.conf"

# Start upgraded stack
docker compose up -d

🚨 Breaking Changes

PostgreSQL 17 → 18 Upgrade Required

Docker Compose users must run the upgrade utility before starting the stack.

The default PostgreSQL image has been upgraded from version 17 to 18. This is a major version upgrade that requires a one-time data migration using pg_upgrade.

Why This Change:

Postgres 18 introduces a new directory structure (/var/lib/postgresql/18/docker) for better compatibility with pg_ctlcluster
Enables future upgrades using pg_upgrade --link without mount point boundary issues
Aligns with official PostgreSQL Docker image best practices (see postgres#1259)

What Changed:

docker-compose.yml: Updated from postgres:17 → postgres:18
Volume mount: Changed from pgdata:/var/lib/postgresql/data → pgdata18:/var/lib/postgresql
Added compose.upgrade.yml for automated upgrade process
Added make compose-upgrade-pg18 target for one-command upgrades

Troubleshooting:

Error: "data checksums mismatch" - Fixed automatically in upgrade script (disables checksums to match old cluster)
Error: "no pg_hba.conf entry" - Fixed automatically by copying old pg_hba.conf during upgrade
Error: "Invalid cross-device link" - Upgrade uses copy mode (not --link) to work across different Docker volumes

📋 Issues Closed

Observability (2 issues)

Closes #1401 - Internal Observability System - Performance Monitoring & Trace Analytics (EPIC)
Closes #1400 - Observability implementation PR

Performance Optimizations (3 issues)

Closes #1294 - orjson JSON Serialization for 5-6x faster JSON encoding/decoding
Closes #1292 - Brotli/Zstd/GZip Response Compression reducing bandwidth by 30-70%
Closes #1249 - Rust-Powered PII Filter Plugin - 5-10x Performance Improvement

REST Integration (1 issue)

Closes #746 - REST Passthrough API configuration fields

Multi-Tenancy & RBAC (10 issues)

Closes #969 - Backend Multi-Tenancy Issues - Critical bugs and missing features
Closes #967 - UI Gaps in Multi-Tenancy Support - Visibility fields missing for most resource types
Closes #959 - Unable to Re-add Team Member Due to Unique Constraint
Closes #958 - Incomplete Visibility Implementation
Closes #946 - Alembic migrations fails in docker compose setup
Closes #945 - Scoped uniqueness for prompts, resources, and A2A agents
Closes #926 - Bootstrap fails to assign platform_admin role due to foreign key constraint violation
Closes #1180 - Prompt editing to include team_id in form data
Closes #1184 - Prompt and resource endpoints to use unique IDs instead of name/URI
Closes #1248 - RBAC Vulnerability: Unauthorized Access to Resource Status Toggling
Closes #1209 - Finalize RBAC/ABAC implementation for Ownership Checks on Public Resources

Pagination (2 issues)

Closes #1224 - Comprehensive API and UI Pagination Support
Closes #1277 - UI Pagination with HTMX and Performance Testing

Security & Authentication (11 issues)

Closes #1254 - JWT jti mismatch between token and database record
Closes #1262 - JWT token follows default variable payload expiry instead of UI
Closes #1261 - API Token Expiry Issue: UI Configuration overridden by default env Variable
Closes #1111 - Support application/x-www-form-urlencoded Requests in MCP Gateway UI for OAuth2 / Keycloak Integration
Closes #1094 - Creating an MCP OAUTH2 server fails if using API
Closes #1092 - After issue 1078 change, how to add X-Upstream-Authorization header when clicking Authorize in admin UI
Closes #1048 - Login issue - Serving over HTTP requires SECURE_COOKIES=false
Closes #1101 - Login issue with v0.7.0
Closes #1117 - Login not working with 0.7.0 version
Closes #1181 - Secure cookie warnings for HTTP development
Closes #1190 - Virtual MCP server requiring OAUTH instead of JWT in 0.7.0
Closes #1109 - MCP Gateway UI OAuth2 Integration Fails with Keycloak

SSO Integration (4 issues)

Closes #1211 - Microsoft Entra ID Integration Support and Tutorial
Closes #1213 - Generic OIDC Provider Support via Environment Variables
Closes #1216 - Keycloak Integration Support with Environment Variables
Closes #277 - GitHub SSO Integration Tutorial

Developer Tools & Operations (7 issues)

Closes #1197 - Support Bundle Generation - Automated Diagnostics Collection
Closes #1200 - In built MCP client - LLM Chat service for virtual servers
Closes #1239 - LLMChat Multi-Worker: Add Documentation and Integration Tests
Closes #1202 - LLM Chat Interface with MCP Enabled Tool Orchestration
Closes #1228 - Show system statistics in metrics page
Closes #1225 - Production-Scale Load Data Generator for Multi-Tenant Testing
Closes #1219 - Benchmark MCP Server for Load Testing and Performance Analysis
Closes #1203 - Performance Testing & Benchmarking Framework

Code Quality & Developer Experience (2 issues)

Closes #1271 - Consolidated linting configuration in pyproject.toml
Closes #1233 - CONTRIBUTING.md cleanup and lint-smart fix

Plugin Framework (4 issues)

Closes #1249 - Rust-Powered PII Filter Plugin - 5-10x Performance Improvement
Closes #1196 - Plugin client server mTLS support
Closes #1137 - Add missing hooks to OPA plugin
Closes #1198 - Complete OPA plugin hook implementation

Platform & Protocol (4 issues)

Closes #1381 - Resource view error - mime type handling for resource added via mcp server
Closes #1348 - Add support for IBM Watsonx.ai LLM provider
Closes #1258 - MCP Tool outputSchema Field is Stripped During Discovery
Closes #1188 - Allow multiple StreamableHTTP content
Closes #1138 - Support for container builds for s390x

Bug Fixes (10 issues)

Closes #1336 - Add toggles to password/sensitive textboxes to mask/unmask the input value
Closes #1370 - Saved custom headers not visible when editing MCP server
Closes #1098 - Unable to see request payload being sent
Closes #1024 - plugin tool_prefetch hook cannot access PASSTHROUGH_HEADERS, tags
Closes #1020 - Edit Button Functionality - A2A
Closes #861 - Passthrough header parameters not persisted to database
Closes #1178 - Header overlaps with modals in UI
Closes #922 - IFraming the admin UI is not working
Closes #625 - Gateway unable to register gateway or call tools on MacOS
Closes #1230 - pyproject.toml conflicting dependencies with uv
Closes #448 - MCP server with custom base path "/api" not working
Closes #835 - Adding Custom annotation for tools
Closes #409 - Add configurable limits for data cleaning / XSS prevention in .env.example and helm

Documentation (3 issues)

Closes #1159 - Several minor quirks in main README.md
Closes #1093 - RBAC - support generic OAuth provider or ldap provider (documentation)
Closes #869 - 0.7.0 Release timeline

Total: 60+ issues closed

🌟 Release Contributors

This release represents a major milestone in MCP Gateway's production readiness with comprehensive observability, performance optimizations, and enhanced enterprise capabilities. With contributions from developers worldwide, 0.9.0 delivers groundbreaking improvements including built-in monitoring, 30-70% bandwidth reduction, 5-6x faster JSON processing, Rust-accelerated plugins, and comprehensive pagination infrastructure.

🏆 Top Contributors in 0.9.0

Mihai Criveti (@crivetimihai) - Release coordination, internal observability system architecture and implementation, performance optimizations (compression, orjson), Rust plugin framework, pagination infrastructure, REST passthrough implementation, Ed25519 signing, multi-tenancy bug fixes, support bundle generation, comprehensive testing, and documentation updates
Manav Gupta (@manavgup) - LLM chat interface with Redis session consistency, performance testing framework, benchmark MCP server
Shoumi Mukherjee (@shoummu1) - JWT token fixes, secure cookie warnings, authentication improvements
Veeresh (@nmveeresh) - Database schema enhancements, scoped uniqueness implementation
Monshri (@monshri) - Plugin framework enhancements, OPA plugin improvements
Terry (@terylt) - REST passthrough validation, plugin hook enhancements
Gruia Popa (@popagruia) - Header propagation fixes, passthrough header persistence
Satya (@TS0713) - Multi-tenancy UI improvements, visibility fixes
Shams (@shams858) - Various bug fixes and quality improvements

🔗 Resources

Documentation

Main Documentation: https://ibm.github.io/mcp-context-forge/
Internal Observability Guide: https://ibm.github.io/mcp-context-forge/manage/observability/internal-observability/
OpenTelemetry Integration: https://ibm.github.io/mcp-context-forge/manage/observability/observability/
REST Passthrough Guide: https://ibm.github.io/mcp-context-forge/using/rest-passthrough/
Ed25519 Signing Guide: https://ibm.github.io/mcp-context-forge/manage/securing/
Pagination Documentation: https://ibm.github.io/mcp-context-forge/manage/api-usage/
Performance Tuning: https://ibm.github.io/mcp-context-forge/testing/performance/
SSO Integration: https://ibm.github.io/mcp-context-forge/manage/sso/
Support Bundle Usage: https://ibm.github.io/mcp-context-forge/manage/diagnostics/

Source Code

GitHub Repository: https://github.com/IBM/mcp-context-forge
Release v0.9.0: https://github.com/IBM/mcp-context-forge/releases/tag/v0.9.0
Milestone 0.9.0: https://github.com/IBM/mcp-context-forge/milestone/9
CHANGELOG: https://github.com/IBM/mcp-context-forge/blob/main/CHANGELOG.md

Container Images

GitHub Container Registry: https://ghcr.io/ibm/mcp-context-forge
Image Tags: v0.9.0, 0.9.0, latest
Multi-Architecture: AMD64, ARM64, s390x

Community

Issue Tracker: https://github.com/IBM/mcp-context-forge/issues
Discussions: https://github.com/IBM/mcp-context-forge/discussions
Contributing Guide: https://github.com/IBM/mcp-context-forge/blob/main/CONTRIBUTING.md

Quick Start

# Pull the latest 0.9.0 image
docker pull ghcr.io/ibm/mcp-context-forge:0.9.0

# Or build from source
git clone https://github.com/IBM/mcp-context-forge.git
cd mcp-context-forge
git checkout v0.9.0
make venv install-dev
make dev

Observability Quick Start

# Enable internal observability
export OBSERVABILITY_ENABLED=true
export OBSERVABILITY_TRACE_HTTP_REQUESTS=true

# Start MCP Gateway
make dev

# Access observability dashboards
open http://localhost:4444/admin/observability

Performance Benchmarks

Response Compression:

# Test compression performance
curl -H "Accept-Encoding: br,gzip" http://localhost:4444/admin/tools
# Bandwidth reduction: 30-70% for JSON responses

JSON Serialization:

# Run benchmark script
python scripts/benchmark_json_serialization.py
# Expected results: 5-6x faster encoding, 1.5-2x faster decoding

Rust PII Filter:

# Install with Rust plugins
pip install mcp-contextforge-gateway[rust]
# Expected results: 5-100x faster PII detection

Next Planned Release: v1.0.0 (Q1 2026) - Production Hardening & Stability