v0.3.22

What's Changed

• [test] Add tests for envutil.deriveAPIFromServerURL — http scheme and edge cases by @github-actions[bot] in #6708
• Guard coverage: add explicit sub_issue_write read-write classification test by @Copilot in #6710
• [log] Add debug logging to jq middleware filter functions by @github-actions[bot] in #6715
• [Repo Assist] refactor(guard): extract parseDIFCTagsFromAny helper in wasm_parse.go by @github-actions[bot] in #6743
• [test-improver] Improve tests for tracing package by @github-actions[bot] in #6716
• Refactor duplicated DIFC tag parsing in WASM response handling by @Copilot in #6748
• Refactor DIFC/guard helper ownership to restore package boundaries by @Copilot in #6749
• Refactor duplicated owner/repo/number parsing in REST backend caller by @Copilot in #6751
• Centralize logger level wrapper registration by @Copilot in #6752
• Correct AGENTS.md default path for MCP_GATEWAY_WASM_CACHE_DIR by @Copilot in #6750
• Refactor duplicated MCP handler config setup in transport and routed server paths by @Copilot in #6753
• Harden jsonschema/v5 validation diagnostics and remote schema fetching by @Copilot in #6747

Full Changelog: v0.3.21...v0.3.22

v0.3.21

What's Changed

• 🔄 chore: update schema URL to v0.76.1 by @github-actions[bot] in #6565
• [Repo Assist] refactor(rust-guard): merge identical security-alert match arms and add actions_get tests by @github-actions[bot] in #6583
• Refactor duplicated backend registration failure reporting in tool registry by @Copilot in #6589
• rust-guard: collapse duplicated repo-write match arms and add pre-emptive tool coverage by @Copilot in #6587
• Clarify logger fallback contract and add direct fallback-handler coverage by @Copilot in #6590
• Improve OTel trace signal quality: stack traces, route cardinality, rate-limit status, and container resource metadata by @Copilot in #6588
• [test] Add tests for server.enforceToolCallLimit by @github-actions[bot] in #6598
• [Repo Assist] refactor: extract RecordSpanError helper to eliminate duplicate span error recording by @github-actions[bot] in #6632
• [test-improver] Improve tests for server HMAC middleware by @github-actions[bot] in #6601
• Refactor tracing expansion placement and extract shared JSON deep-clone utility by @Copilot in #6636
• rust-guard: remove per-item secrecy Vec clones in PR/issue labeling by @Copilot in #6641
• Strengthen TOML parse-error guarantees and clarify tracing key precedence by @Copilot in #6640
• refactor(difc): extract EvaluateCoarseAccess to eliminate duplicated Phase 2 logic by @Copilot in #6639
• [log] Add debug logging to launcher.go by @github-actions[bot] in #6600
• Add explicit DIFC labeling for list_issue_fields in GitHub guard by @Copilot in #6637
• Refactor span error recording into tracing helper and unify error-path instrumentation by @Copilot in #6638
• [log] Add logging to EvaluateCoarseAccess in difc/pipeline_decisions.go by @github-actions[bot] in #6650
• [test-improver] Improve tests for tracing span helpers by @github-actions[bot] in #6651
• [test] Add tests for logger error paths: MarkdownLogger.Close, FileLogger.Log, Logger.Print by @github-actions[bot] in #6647
• fix(proxy): use RecordSpanError for DIFC access-denied spans by @lpcox in #6679
• perf(rust-guard): eliminate wasted allocations in apply_tool_labels and project-item loop by @lpcox in #6680
• rust-guard: add issue_write_ff_remote_mcp_issue_fields to WRITE_OPERATIONS and tool_rules by @lpcox in #6678
• fix(tracing): semconv v1.27.0→v1.34.0, fix mcp.tool_call attribute misuse, add server.address by @Copilot in #6683
• refactor: extract shared DIFC enforcement pipeline to internal/guard/pipeline.go by @Copilot in #6685
• docs: reconcile documentation with implementation (9 discrepancies) by @Copilot in #6686
• refactor: move collaborator_permission to proxy, add strutil.RandomBytes by @Copilot in #6687
• refactor: extract repeated OTEL span-start patterns into named tracing helpers by @Copilot in #6684
• [Repo Assist] refactor: move TruncateSessionID from auth to strutil by @github-actions[bot] in #6704

Full Changelog: v0.3.20...v0.3.21

v0.3.20

What's Changed

• Enforce per-session tool call limits in allow-only guard policies by @Copilot in #6533
• Fix DIFC proxy handling for top-level array responses on comment list endpoints by @Copilot in #6538
• [test] Add tests for logger.RPCMessageType.JSONLEvent by @github-actions[bot] in #6541
• Refactor semantic outliers into config/guard/tracing ownership files by @Copilot in #6543
• [log] Add debug logging to gateway startup flow in cmd/root.go by @github-actions[bot] in #6547
• docs: correct MCP_GATEWAY_WASM_CACHE_DIR default to log-dir sibling path by @Copilot in #6549
• [test-improver] Improve tests for mcp http_transport by @github-actions[bot] in #6550

Full Changelog: v0.3.19...v0.3.20

v0.3.19

What's Changed

• [test] Add tests for proxy response_transform uncovered branches by @github-actions[bot] in #6318
• [log] Add debug logging to WASM compilation cache lifecycle by @github-actions[bot] in #6321
• [test-improver] Improve tests for cmd package: applyFlagOrEnv coverage by @github-actions[bot] in #6322
• [Repo Assist] fix(cmd): apply OTEL_SERVICE_NAME env var override to tracing config by @github-actions[bot] in #6344
• docs: refresh release highlights for v0.3.18 by @Copilot in #6358
• [test] Add tests for guard.callWasmFunction buffer retry logic by @github-actions[bot] in #6359
• [test-improver] Improve tests for config package by @github-actions[bot] in #6371
• [log] Add debug logging to httputil GitHub HTTP helpers by @github-actions[bot] in #6370
• [Repo Assist] refactor(guard): extract decodeWasmCallResult and unmarshalWasmResponse helpers by @github-actions[bot] in #6397
• [test] Add tests for config.validateToolResponseFilters and config.validateServerAuth by @github-actions[bot] in #6405
• [log] Add debug logger to mcp/collaborator_permission.go by @github-actions[bot] in #6419
• [test-improver] Improve tests for httputil package by @github-actions[bot] in #6420
• docs: make root config examples discoverable from Quick Start and config reference by @Copilot in #6431
• Reconcile guard-policy tags with docs and clarify stdin config behavior in Quick Start by @Copilot in #6434
• Refactor collaborator-permission tool helpers into internal/httputil by @Copilot in #6433
• Close GitHub guard DIFC gaps for search_commits and FF list_issues variant by @Copilot in #6432
• testify: fix assertion anti-patterns, promote require.NoError, expand JSONEq by @Copilot in #6471
• rust-guard: replace magic integrity strings with constants; add security-tool label tests by @Copilot in #6470
• [Repo Assist] refactor(rust-guard): use policy_integrity constants and add security-tool label tests by @github-actions[bot] in #6466
• Standardize gateway JSONL records with event/_schema and millisecond timestamps by @Copilot in #6485
• [test] Add tests for sys.DetectContainerID and refactor for testability by @github-actions[bot] in #6486
• chore: upgrade gh-aw workflows to v0.75.4 by @lpcox in #6493

Full Changelog: v0.3.18...v0.3.19

v0.3.18

🌟 Release Highlights

This release focuses on hardening the WASM guard subsystem, improving code quality through targeted refactoring, and expanding test coverage for the Rust guard and collaborator permission packages.

✨ What's New

• WASM guard robustness (#6290, #6296): The wazero-based guard runtime now handles oversized call_backend responses via a size-hint protocol, uses larger I/O buffers, improves cache reconfiguration locking, and adds fallback-path coverage — making guard execution more reliable under high-load and edge-case conditions.

• DIFC flags module (#6243): Guard policy override logic has been refactored into a dedicated DIFC flags module, improving maintainability and consistency of security policy enforcement.

🐛 Bug Fixes & Improvements

• Config map expansion (#6289): Stdin config map expansion no longer duplicates environment/header logic, reducing the risk of subtle configuration drift.
• Flag/env override helper (#6288): A shared applyFlagOrEnv helper eliminates duplicated flag-override patterns across CLI commands.

🔬 Testing & Reliability

• Expanded Rust guard test coverage for GraphQL node paths and GitHub URL repo extraction (#6284, #6291).
• Improved unit tests for the MCP collaborator permission package (#6249).
• Added debug logging to proxy/graphql_rewrite.go for easier diagnostics (#6248).

🐳 Docker Image

docker pull ghcr.io/github/gh-aw-mcpg:v0.3.18
# or
docker pull ghcr.io/github/gh-aw-mcpg:latest

Supported platforms: linux/amd64, linux/arm64

---

What's Changed

• Refactor guard policy override helper into DIFC flags module by @Copilot in #6243
• [test-improver] Improve tests for mcp collaborator permission package by @github-actions[bot] in #6249
• [log] Add debug logging to proxy/graphql_rewrite.go by @github-actions[bot] in #6248
• [Repo Assist] test(rust-guard): add GraphQL path and URL-parsing tests for helpers.rs by @github-actions[bot] in #6284
• refactor: extract applyFlagOrEnv helper to eliminate duplicate flag-override logic by @Copilot in #6288
• Harden wazero guard I/O defaults, cache reconfiguration locking, and fallback-path coverage by @Copilot in #6290
• Refactor stdin config map expansion to remove duplicated env/header logic by @Copilot in #6289
• Add rust-guard helper test coverage for GraphQL node paths and GitHub URL repo extraction by @Copilot in #6291
• fix(go-fan): remove edit tool, embed module summary in issue body by @Copilot in #6292
• Handle oversized WASM call_backend responses via size-hint protocol + larger guard buffers by @Copilot in #6296

Full Changelog: v0.3.17...v0.3.18

v0.3.17

What's Changed

• 🔄 chore: update schema URL to v0.74.8 by @github-actions[bot] in #6186
• rust-guard: hoist invariant response-path labels and dedupe PR number extraction by @Copilot in #6211
• [Repo Assist] perf(rust-guard): hoist invariant label calls and dedup PR number extraction by @github-actions[bot] in #6201
• Deduplicate get_collaborator_permission REST fetch logic across unified server and proxy by @Copilot in #6208
• gojq: dual-error timeout diagnostics, disable $ENV in schema filter, document WithVariables pattern by @Copilot in #6210
• refactor: extract DoGitHubGET helper to eliminate duplicated GitHub HTTP request construction by @Copilot in #6209
• docs: add OTel/Sentry tracing documentation by @lpcox in #6227
• [test] Add tests for proxy.restBackendCaller.CallTool uncovered tool cases by @github-actions[bot] in #6236

Full Changelog: v0.3.16...v0.3.17

v0.3.16

What's Changed

• fix: bump smoke-otel-tracing mcpg to v0.3.14 by @lpcox in #6136
• feat(tracing): align span attributes with gen_ai semantic conventions by @lpcox in #6153
• [log] guard: add debug logging to parsePathLabeledResponse and parseCollectionLabeledData by @github-actions[bot] in #6154
• refactor: move outlier functions to semantically correct files by @Copilot in #6152
• [test-improver] Improve tests for proxy TLS package by @github-actions[bot] in #6160

Full Changelog: v0.3.15...v0.3.16

v0.3.15

What's Changed

• [test] Add tests for strutil.RandomHex error path and fix SanitizeArgs dead code by @github-actions[bot] in #6112
• fix(tracing): append /v1/traces to OTLP endpoint per spec by @lpcox in #6137
• fix(tracing): use URL parsing for /v1/traces path append by @lpcox in #6141

Full Changelog: v0.3.14...v0.3.15

v0.3.14

What's Changed

• chore: bump smoke-otel-tracing mcpg to v0.3.13 by @lpcox in #6114
• Extract BaseResponseWriter to httputil to eliminate duplicate status-capture code by @Copilot in #6106
• Refactor duplicated OTEL tracer-holder logic in unified and proxy handlers by @Copilot in #6107
• fix: flush tracing spans on /close endpoint shutdown by @lpcox in #6115
• ci: pin container.yml GitHub Actions to immutable SHAs by @Copilot in #6109
• cobra: enable traverse hooks, drop completion no-op override, add proxy GroupID by @Copilot in #6108

Full Changelog: v0.3.13...v0.3.14

v0.3.13

What's Changed

• [test-improver] Improve tests for cmd stdout_config by @github-actions[bot] in #5911
• Raise PR enrichment buffer to 64 KB in Rust guard by @Copilot in #5938
• Cache compiled custom JSON schemas for repeated custom server validation by @Copilot in #5940
• Rust guard: remove redundant rate-limit branch and make reset parsing allocation-free by @Copilot in #5941
• Reconcile docs with implemented CLI, linting, and test override behavior by @Copilot in #5926
• chore: recompile smoke-otel-tracing lock file by @lpcox in #5962
• [test] Add tests for server.nonceCache.evictExpired by @github-actions[bot] in #5965
• [test-improver] Improve tests for middleware package by @github-actions[bot] in #5972
• 🔄 chore: update schema URL to v0.74.4 by @github-actions[bot] in #5985
• [log] Add debug logging to LoadGatewayTLS by @github-actions[bot] in #5971
• [Repo Assist] perf(rust-guard): hoist invariant integrity/secrecy calls outside per-item loops by @github-actions[bot] in #6005
• Reconcile AGENTS/CONTRIBUTING docs with current config and auth behavior by @Copilot in #6018
• ci: pin actions/github-script to immutable SHA and upgrade to v9.0.0 by @Copilot in #6016
• [test] Add tests for server.parseRateLimitResetFromText edge cases by @github-actions[bot] in #6021
• Upgrade go-sdk to v1.6.0 and consolidate session-missing detection by @Copilot in #6017
• Refactor env int parsing and clarify logger sink intent by @Copilot in #6019
• Refactor Docker -e passthrough handling into shared envutil walker by @Copilot in #6034
• Reconcile docs with MCP_GATEWAY_PORT runtime behavior and Rust guard test guidance by @Copilot in #6039
• [log] Add debug logging to GitHub API URL derivation by @github-actions[bot] in #6043
• feat: enable Sentry OTLP export in smoke-otel-tracing by @lpcox in #6064
• fix: add sentry.io to network allowlist for OTLP export by @lpcox in #6073
• fix: use array format with x-sentry-auth header for Sentry OTLP by @lpcox in #6079
• [test-improver] Improve tests for config package: fix flaky network error test by @github-actions[bot] in #6050
• [Repo Assist] test(rust-guard): add list_commits tests for default-branch vs feature-branch integrity by @github-actions[bot] in #6095
• fix: use x-sentry-token header for Sentry OTLP auth by @lpcox in #6082

Full Changelog: v0.3.12...v0.3.13