Merge branch 'main' into 4106-bug-rbac-issue-non-platform-admin-users-cannot-access-private-tools-despite-platform_admin-role

Author: bogdanmariusc10

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.0-RC-2
+current_version = 1.0.0-RC-3
 commit = False
 tag = False
 sign-tags = True
@@ -24,3 +24,23 @@ replace = version="{new_version}"
 [bumpversion:file:pyproject.toml]
 search = version = "{current_version}"
 replace = version = "{new_version}"
+
+[bumpversion:file:Containerfile.scratch]
+search = version="{current_version}"
+replace = version="{new_version}"
+
+[bumpversion:file:tools_rust/wrapper/Cargo.toml]
+search = version = "{current_version}"
+replace = version = "{new_version}"
+
+[bumpversion:file(chart-version):charts/mcp-stack/Chart.yaml]
+search = version: {current_version}
+replace = version: {new_version}
+
+[bumpversion:file(chart-appversion):charts/mcp-stack/Chart.yaml]
+search = appVersion: "{current_version}"
+replace = appVersion: "{new_version}"
+
+[bumpversion:file:SECURITY.md]
+search = **Current Version: {current_version}**
+replace = **Current Version: {new_version}**

.claude/skills/pr-risk-scoring/score_prs.py

@@ -11,6 +11,7 @@
     approvals_csv  Optional CSV with columns: pr_number,approvals
 """
 
+# Standard
 import csv
 import json
 import os
@@ -167,7 +168,7 @@ def compute_security_score(files, labels):
     return min(score, 5)
 
 
-PROD_PREFIXES = ("mcpgateway/", "plugins/", "plugins_rust/", "a2a-agents/", "mcp-servers/", "tools_rust/")
+PROD_PREFIXES = ("mcpgateway/", "plugins/", "a2a-agents/", "mcp-servers/", "tools_rust/")
 
 
 def compute_test_score(files):

.devcontainer/devcontainer.json

@@ -4,7 +4,11 @@
     "dockerfile": "Dockerfile",
     "context": ".."
   },
-  "features": {},
+  "features": {
+    "ghcr.io/devcontainers/features/node:1": {
+      "version": "lts"
+    }
+  },
   "postCreateCommand": ".devcontainer/postCreateCommand.sh",
   "customizations": {
     "vscode": {

.env.example

@@ -872,6 +872,15 @@ OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
 # Default: 10000 characters
 # MAX_PARAM_LENGTH=10000
 
+# CWE-400: Limits for user-supplied meta_data forwarded to upstream MCP servers.
+# Keeps arbitrarily large dicts from amplifying into downstream network/DB load.
+# Maximum number of top-level keys in meta_data (default: 16)
+# META_MAX_KEYS=16
+# Maximum nesting depth in meta_data (default: 2)
+# META_MAX_DEPTH=2
+# Maximum JSON-encoded byte size of meta_data (default: 4096)
+# META_MAX_BYTES=4096
+
 # Regex patterns for dangerous input (JSON array)
 # Used to detect and block malicious input patterns
 # Default patterns:
@@ -2127,6 +2136,11 @@ OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
 # TOOL_CONCURRENT_LIMIT=10
 # GATEWAY_TOOL_NAME_SEPARATOR=-
 
+# Maximum length of response text returned for non-JSON REST API responses
+# Longer responses are truncated to prevent exposing excessive sensitive data
+# Default: 5000 characters, Range: 1000-100000
+# REST_RESPONSE_TEXT_MAX_LENGTH=5000
+
 # Prompt Configuration
 # PROMPT_CACHE_SIZE=100
 # MAX_PROMPT_SIZE=102400

.github/CODEOWNERS

@@ -1,12 +1,11 @@
 # All files in the repo
-* @crivetimihai
-/.github/workflows/ @crivetimihai
+* @crivetimihai @brian-hussey
+/.github/workflows/ @crivetimihai @brian-hussey
 
 # Plugin framework
 /mcpgateway/plugins @araujof @terylt @jonpspri
 
 # Rust projects
-/plugins_rust/ @lucarlig @dima-zakharov
 /tools_rust/ @lucarlig @dima-zakharov
 /mcp-servers/rust/ @lucarlig @dima-zakharov
 

.github/workflows/dependency-review.yml

@@ -96,7 +96,17 @@ jobs:
             RPL-1.5,
             OSL-3.0,
             CPAL-1.0
-          allow-dependencies-licenses: "pkg:pypi/pylint-pydantic"
+
+          # To whitelist a specific dependency whose license would otherwise
+          # be denied (e.g. a transitively-pulled GPL package that has been
+          # legally reviewed and approved), add it to `allow-dependencies-licenses`
+          # as a comma-separated list of Package URLs (purl spec). Example:
+          #
+          #   allow-dependencies-licenses: "pkg:pypi/some-package, pkg:npm/another-pkg"
+          #
+          # Each entry exempts that one package from the `deny-licenses` check
+          # above while keeping the policy in force for every other dependency.
+          # See: https://github.com/actions/dependency-review-action#configuration-options
           license-check: true # (default)
           # ───────── UX tweaks ─────────
           warn-only: false # actually fail the workflow

.github/workflows/lint-web.yml

@@ -112,16 +112,25 @@ jobs:
       # -----------------------------------------------------------
       # 1️⃣  Node.js Setup
       # -----------------------------------------------------------
-      - name: 📦  Set up Node.js
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
-        with:
-          node-version: '20'
+      - name: 📦  Install Node.js 20
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ca-certificates curl gnupg
+          sudo mkdir -p /etc/apt/keyrings
+          curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+            | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+          echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" \
+            | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null
+          sudo apt-get update
+          sudo apt-get install -y nodejs
+          node --version
+          npm --version
 
       # -----------------------------------------------------------
       # 🔧  Configure npm
       # -----------------------------------------------------------
       - name: 🔧  Upgrade npm to minimum required version
-        run: npm install -g npm@^11.10.0
+        run: sudo npm install -g npm@^11.10.0
 
       - name: 🔧  Configure npm registry
         run: npm config set registry https://registry.npmjs.org/

.github/workflows/lint.yml

@@ -33,6 +33,19 @@ concurrency:
 permissions:
   contents: read
 
+# Keep these pins in lockstep with the *_VERSION variables in the Makefile.
+# Linters are invoked via `uv tool run <tool>==<pin>` so CI and local runs
+# use identical versions regardless of the dev dependency group.
+env:
+  RUFF_VERSION: "0.15.1"
+  PYLINT_VERSION: "3.3.9"
+  PYLINT_PYDANTIC_VERSION: "0.3.5"
+  VULTURE_VERSION: "2.14"
+  INTERROGATE_VERSION: "1.7.0"
+  RADON_VERSION: "6.0.1"
+  YAMLLINT_VERSION: "1.38.0"
+  TOMLCHECK_VERSION: "0.2.3"
+
 jobs:
   # ---------------------------------------------------------------
   # Python linters - run on both mcpgateway/ and plugins/
@@ -45,20 +58,15 @@ jobs:
         target: [mcpgateway, plugins]
         tool:
           - id: ruff
-            setup: pip install ruff
-            cmd: "ruff check $TARGET"
+            cmd: "uv tool run ruff==$RUFF_VERSION check $TARGET"
           - id: vulture
-            setup: pip install vulture
-            cmd: 'vulture $TARGET --min-confidence 80 --exclude "*_pb2.py,*_pb2_grpc.py"'
+            cmd: 'uv tool run vulture==$VULTURE_VERSION $TARGET --min-confidence 80 --exclude "*_pb2.py,*_pb2_grpc.py"'
           - id: pylint
-            setup: "true"
-            cmd: "uv run pylint $TARGET --rcfile=.pylintrc.$TARGET --fail-on E --fail-under=10"
+            cmd: "uv tool run --with-editable . --with pylint-pydantic==$PYLINT_PYDANTIC_VERSION pylint==$PYLINT_VERSION $TARGET --rcfile=.pylintrc.$TARGET --fail-on E --fail-under=10"
           - id: interrogate
-            setup: pip install interrogate
-            cmd: "interrogate -vv $TARGET --fail-under 100"
+            cmd: "uv tool run interrogate==$INTERROGATE_VERSION -vv $TARGET --fail-under 100"
           - id: radon
-            setup: pip install radon
-            cmd: "radon cc $TARGET --min C --show-complexity && radon mi $TARGET --min B"
+            cmd: "uv tool run radon==$RADON_VERSION cc $TARGET --min C --show-complexity && uv tool run radon==$RADON_VERSION mi $TARGET --min B"
 
     name: "${{ matrix.tool.id }} (${{ matrix.target }})"
     runs-on: ubuntu-latest
@@ -75,19 +83,10 @@ jobs:
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: "3.12"
-          cache: pip
 
       - name: Set up uv
         uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
 
-      - name: Install project (editable mode)
-        run: |
-          python3 -m pip install --upgrade pip
-          pip install -e .[dev]
-
-      - name: Install tool
-        run: ${{ matrix.tool.setup }}
-
       - name: Run linter
         env:
           TARGET: ${{ matrix.target }}
@@ -103,8 +102,8 @@ jobs:
       matrix:
         include:
           - id: yamllint
-            setup: pip install yamllint
-            cmd: yamllint -c .yamllint .
+            setup: "true"
+            cmd: uv tool run yamllint==$YAMLLINT_VERSION -c .yamllint .
 
           - id: jsonlint
             setup: |
@@ -115,13 +114,13 @@ jobs:
                 xargs -0 -I{} jq empty "{}"
 
           - id: tomllint
-            setup: pip install tomlcheck
+            setup: "true"
             cmd: |
               find . -type f -name '*.toml' \
                 -not -path './plugin_templates/*' \
                 -not -path './mcp-servers/templates/*' \
                 -print0 |
-                xargs -0 -I{} tomlcheck "{}"
+                xargs -0 -I{} uv tool run tomlcheck==$TOMLCHECK_VERSION "{}"
 
     name: ${{ matrix.id }}
     runs-on: ubuntu-latest
@@ -140,6 +139,9 @@ jobs:
           python-version: "3.12"
           cache: pip
 
+      - name: Set up uv
+        uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+
       - name: Install tool
         run: ${{ matrix.setup }}
 

.github/workflows/linting-full.yml

@@ -39,17 +39,26 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
-          go-version: "1.25.8"
+          go-version: "1.26.2"
           cache-dependency-path: |
             a2a-agents/go/a2a-echo-agent/go.sum
             mcp-servers/go/benchmark-server/go.sum
             mcp-servers/go/fast-time-server/go.sum
             mcp-servers/go/slow-time-server/go.sum
 
-      - name: Set up Node.js
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
-        with:
-          node-version: "22"
+      - name: Install Node.js 22
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ca-certificates curl gnupg
+          sudo mkdir -p /etc/apt/keyrings
+          curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+            | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+          echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" \
+            | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null
+          sudo apt-get update
+          sudo apt-get install -y nodejs
+          node --version
+          npm --version
 
       - name: Set up Helm
         uses: azure/setup-helm@bf6a7d304bc2fdb57e0331155b7ebf2c504acf0a # v4

.github/workflows/playwright.yml

@@ -61,11 +61,22 @@ jobs:
           version: "0.9.2"
           python-version: "3.12"
 
-      - name: 🟢 Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-          cache: "npm"
+      - name: 🟢 Install Node.js 22
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ca-certificates curl gnupg
+          sudo mkdir -p /etc/apt/keyrings
+          curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+            | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+          echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" \
+            | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null
+          sudo apt-get update
+          sudo apt-get install -y nodejs
+          node --version
+          npm --version
+
+      - name: 🔧 Upgrade npm to minimum required version
+        run: sudo npm install -g npm@^11.10.0
 
       - name: 📦 Install gateway dependencies
         run: |