chore: bump version to 1.0.0-RC-3 (#4195)

* chore: bump version to 1.0.0-RC-3

Release-readiness pass covering Phases 0-6 of
docs/docs/development/release-management.md plus partial Phases 9-13.

Version & metadata
- Bump version to 1.0.0-RC-3 across four canonical locations via bump2version;
  extend .bumpversion.cfg with sections for Containerfile.scratch, tools_rust/
  wrapper/Cargo.toml, charts/mcp-stack/Chart.yaml (version + appVersion), and
  SECURITY.md so future bumps cover them too.
- Replace hardcoded "1.0.0-RC-2" strings in mcpgateway/observability.py with the
  package __version__; fix pylint ungrouped-imports by moving the import into
  the existing delayed First-Party block.
- Sweep ~55 stale RC-2 references across README, docs, charts, and docs/docs/**
  (roadmap and CHANGELOG historical sections retained as-is).
- Draft CHANGELOG entry consolidating 242 commits since RC-2 into a single
  [1.0.0-RC-3] section, folding in the pre-existing UNRELEASED and GA-labelled
  drafts; remove those obsolete sections.
- Restructure docs/docs/architecture/roadmap.md: new Release 1.0.0-RC-3 section
  built from the 294 closed GitHub milestone items categorized into Epics,
  Features, Security, Bugs, Performance, Testing, Documentation, Chores;
  rebuild Release 1.0.0 section from the 104 pending items (79 carried over
  from RC-3 milestone after bulk-move plus 25 dedicated GA items).
- Bump container base images across Containerfile, Containerfile.lite, and
  Containerfile.scratch: ubi10/ubi-minimal -> 10.1-1776071394, ubi10/ubi ->
  10.1-1776145136, manylinux2014 -> 2026.04.08-5.

Dependency updates
- Refresh dependencies across 15 Python manifests via
  .github/tools/update_dependencies.py; honor the repo-wide exclude-newer=10
  days uv policy by reverting bumps that land inside the window
  (prometheus-client, pydantic, python-multipart, uvicorn, langchain-ollama,
  hypothesis, opentelemetry-*, granian, memray).
- Preserve three intentional pins (requests==2.33.0, schemathesis<4.11.0,
  protobuf<7.0.0) per inline comments; revert starlette floor because
  prometheus-fastapi-instrumentator 7.1.0 caps at <1.0.0 with no newer release.
- cargo update across mcp-servers/rust/{fast-test-server,filesystem-server},
  tools_rust/{wrapper,mcp_runtime}; fix five pre-existing clippy findings via
  cargo clippy --fix plus one manual cmp_owned fix in
  mcp_runtime/src/config.rs.
- go get -u across all four Go modules; bump go.mod toolchain directives and
  the Makefile LINT_GO_TOOLCHAIN from go1.25.8 to go1.26.2, clearing three
  stdlib govulncheck findings (GO-2026-4871, GO-2026-4946, GO-2026-4870).
- Bump CDN pins in scripts/cdn_resources.py, scripts/download-cdn-assets.sh,
  and mcpgateway/templates/admin.html: alpinejs 3.15.8 -> 3.15.11, dompurify
  3.3.2 -> 3.4.0; regenerate and verify SRI hashes. Four major-version bumps
  (HTMX, marked, CodeMirror, Font Awesome) deferred to follow-up issues.
- Bump pillow to 12.2.0 in mcp-servers/python/qr_code_server/uv.lock to close
  GHSA-whj4-6x5x-4v2j (CVE-2026-40192).

Makefile and release-doc improvements
- Remove 28 stale rust-* targets that referenced the long-removed plugins_rust/
  aggregator (dropped in PR #3147); keep rust-ensure-deps, rust-check (now
  iterates the four real crates), and rust-mcp-runtime-*. Simplify install-dev,
  dist, and wheel by removing dead ENABLE_RUST_BUILD=1 call-sites.
- Replace gitleaks with detect-secrets in the release doc, SECURITY.md,
  docs/docs/architecture/security-features.md, and the Makefile (phantom
  gitleaks target, security-all fallback, and help text); the project has used
  detect-secrets with .secrets.baseline for some time.
- Drop make pre-commit from the release doc since pre-commit hooks run on every
  commit in CI; keeping it as a release gate was redundant.

Playwright test fixes
- Four conftests (tests/playwright/entities/test_entity_lifecycle.py,
  security/owasp/conftest.py, operations/conftest.py, teams/conftest.py) now
  prefer MCP_AUTH env var before falling back to locally-signed JWT, matching
  the pattern of the top-level api_request_context fixture. Fixes 128 tests
  that were failing or erroring with 401 because the Python Settings default
  JWT_SECRET_KEY (11 bytes) did not match the gateway's compose default
  (40 bytes). Refactoring tracked in issue #4190.

Packaging
- Exclude vite build artifacts (mcpgateway/static/bundle-*.js and
  mcpgateway/static/.vite/) from the sdist via MANIFEST.in; they are gitignored
  and regenerate per build with hashed filenames, so including them broke
  check-manifest and twine verify.

README badge
- Remove Bandit Security badge from README.md; the bandit.yml workflow was
  retired (renamed .inactive) and the badge 404'd. Bandit still runs locally
  via make bandit.

Follow-ups opened during this cycle
- #4162 Makefile plugins_rust/ references (partially resolved by this commit)
- #4163 JavaScript test coverage baseline
- #4165-#4168 CDN major-version bumps (HTMX, marked, CodeMirror, Font Awesome)
- #4190 Consolidate Playwright admin_api fixture

Accepted risks documented with the release
- basic-ftp (GHSA-6v7q-wjvx-w8wg) transitive devDep via retire.js; patched
  version blocked by repo min-release-age=10 npm policy until 2026-04-19.
  Dismissed on Dependabot with tolerable_risk justification.
- pytest CVE-2025-71176 (devDep) blocked by pytest-md-report cap at
  pytest<9; will resolve when upstream publishes a pytest 9 compatible
  release.

Signed-off-by: Jonathan Springer <jps@s390x.com>

* chore: address PR CI follow-ups

- Bump Go toolchain pin from 1.25.8 to 1.26.2 in .github/workflows/
  linting-full.yml and its paired sync-check assertions in
  tests/unit/test_go_toolchain_pinning.py so CI matches the Makefile's
  LINT_GO_TOOLCHAIN (already updated) and clears GO-2026-4871 /
  GO-2026-4946 / GO-2026-4870 on the CI runner.
- Rename Go module paths in a2a-agents/go/a2a-echo-agent/go.mod and
  mcp-servers/go/benchmark-server/go.mod from github.com/cmihai/
  mcp-context-forge/... to github.com/ibm/... to match the project's
  canonical GitHub location; update the stale GitHub Issues URL in
  docs/docs/manage/api-usage.md.
- Add missing `license = "Apache-2.0"` (plus a short description) to
  tools_rust/request_logging_masking_native_extension/pyproject.toml so
  the license-check CI job stops failing on missing license metadata for
  request-logging-masking-native-extension.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>

---------

Signed-off-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jonpspri

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.0-RC-2
+current_version = 1.0.0-RC-3
 commit = False
 tag = False
 sign-tags = True
@@ -24,3 +24,23 @@ replace = version="{new_version}"
 [bumpversion:file:pyproject.toml]
 search = version = "{current_version}"
 replace = version = "{new_version}"
+
+[bumpversion:file:Containerfile.scratch]
+search = version="{current_version}"
+replace = version="{new_version}"
+
+[bumpversion:file:tools_rust/wrapper/Cargo.toml]
+search = version = "{current_version}"
+replace = version = "{new_version}"
+
+[bumpversion:file(chart-version):charts/mcp-stack/Chart.yaml]
+search = version: {current_version}
+replace = version: {new_version}
+
+[bumpversion:file(chart-appversion):charts/mcp-stack/Chart.yaml]
+search = appVersion: "{current_version}"
+replace = appVersion: "{new_version}"
+
+[bumpversion:file:SECURITY.md]
+search = **Current Version: {current_version}**
+replace = **Current Version: {new_version}**

.github/workflows/linting-full.yml

@@ -39,7 +39,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
-          go-version: "1.25.8"
+          go-version: "1.26.2"
           cache-dependency-path: |
             a2a-agents/go/a2a-echo-agent/go.sum
             mcp-servers/go/benchmark-server/go.sum