🛡️ MCP Gateway v0.4.0 - 2025-07-22 - Security, Resilience, Test Coverage and Bugfixing

🛡️ MCP Gateway v0.4.0 – 2025-07-22

This milestone release achieves 100% compliance across all multiple linters, 82% unit test coverage, 60% doctest coverage and new UI test automation while delivering resilience features, comprehensive testing infrastructure, and critical bug fixes. With over 52 issues resolved, v0.4.0 represents our commitment to enterprise-grade security and code quality.

🏆 Security & Quality Achievements

This release sets new standards for code quality and security:

• 100% Linter Compliance – Zero issues across Bandit, HTMLHint, Stylelint, ESLint, Retire.js, and nodejsscan
• 100% Docstring Coverage – Every function and class fully documented
• 10/10 Pylint Score – Code quality rating maintained
• 60% Doctest Coverage – Enhanced documentation with executable examples
• 82% Pytest Coverage – Enhanced pytest suite, with additional e2e tests and input validation
• New test-ui - playwright based UI test automation (e.g. make dev & bg; make test-ui-headless)
• Smart Retry Mechanisms – Resilient connections with exponential backoff

Important: Admin UI remains development-only. Never expose it in production. Build your own production UI with appropriate security controls. Refer to the Securing MCP Gateway documentation.
Beta Software Notice: MCP Gateway is in early beta. Expect breaking changes between minor versions, and incomplete functionality. Use only with trusted upstream MCP servers. This is an OPEN SOURCE PROJECT with community-driven support and no official support from IBM. Please refer to SECURITY.md and our Roadmap for more info and upcoming features.

✨ Highlights

• 🔒 Zero Security Issues – All security scanners pass (#421, #415, #552)
• 🔄 Smart Retry Mechanism – HTTPX client with exponential backoff for resilient connections (#456)
• 🧪 Security Test Suite – Comprehensive input validation testing framework (#552)
• 🔧 Test Connectivity Tool – Debug MCP server connections with detailed diagnostics (#181)
• 💾 Persistent Filter State – UI filters and preferences now persist across sessions (#177)
• 📚 60% Doctest Coverage – Executable documentation examples (#249)
• 🐳 Docker HEALTHCHECK – Production-ready container health monitoring (#362)
• 📊 E2E Acceptance Tests – Complete end-to-end validation documentation (#399)

🚨 Important Security Updates

• Secure Defaults Continue – Admin UI and API disabled by default
• Enhanced Error Handling – Replaced assert statements with proper exceptions (#412)
• Fixed Critical Bugs – Resolved STREAMABLEHTTP transport issues (#213) and auth failures (#232)
• Improved Input Validation – Extended validation to RPC endpoints (#361)

🆕 Added

Resilience & Reliability

• HTTPX Smart Retry Client (#456):

  • Exponential backoff with jitter
  • Configurable retry attempts and intervals
  • Automatic recovery from transient failures
  • Environment variables: HTTP_MAX_RETRIES, HTTP_RETRY_BACKOFF_FACTOR

• Docker Health Monitoring (#362):

  • HEALTHCHECK directive in Containerfile
  • Proper health endpoints for Kubernetes/Docker
  • Automatic container restart on failures

Developer Experience

• Test MCP Server Connectivity (#181) – Comprehensive debugging tool in Admin UI
• Persistent UI State (#177) – Filter selections persist across browser sessions
• Contextual Help Tooltips (#233) – Hover help throughout the interface
• mcp-cli Documentation (#46) – Complete guide for CLI integration
• JSON-RPC Examples (#19) – Detailed curl commands for API testing

Security & Testing

• Input Validation Test Suite (#552) – Comprehensive security-focused tests
• Additional Security Scanners (#415, #499) – Added nodejsscan for JavaScript
• E2E Test Documentation (#399) – Complete acceptance testing guide
• 60% Doctest Coverage (#249) – Executable documentation examples

Code Quality

• 100% Docstring Coverage (#467) – Every function documented
• 10/10 Pylint Score (#210) – Perfect code quality rating
• Zero Web Lint Issues (#338) – Clean JavaScript and HTML
• Dead Code Detection (#305) – Vulture and unimport integration

🐛 Fixed

Critical Issues

• STREAMABLEHTTP Transport (#213) – Fixed transport initialization failures
• Authentication Failures (#232) – Resolved "Auth to None" errors
• Gateway Authentication (#471, #472) – Fixed auth credentials not being populated
• XSS Vulnerabilities (#361) – Added validation to RPC endpoints
• Invalid Transport Types (#359) – Gateway now properly validates transports

UI/UX Fixes

• Dark Theme (#366) – Fixed visibility and contrast issues
• Server Connectivity Test (#367) – Repaired broken test functionality
• Duplicate Server Names (#476) – UI now shows proper error messages
• Edit Forms (#354) – Fixed fields not populating when editing
• Annotations (#356) – Made annotations properly editable
• Resource Data (#352) – Fixed incorrect data mapping
• Text Editor Spacing (#355) – Removed excessive empty space
• Console Warnings (#374) – Eliminated metrics-loading errors

API & Backend

• Federation HTTPS (#424) – Now respects X-Forwarded-Proto headers
• Version Endpoint (#369, #382) – Returns proper semantic version
• Test Server URL (#396) – Fixed incorrect URL construction
• Gateway Separator (#387) – Respects GATEWAY_TOOL_NAME_SEPARATOR
• UI-Disabled Mode (#378) – Tests handle disabled UI properly

Infrastructure

• Makefile Improvements (#371, #433) – Better Docker/Podman detection
• GHCR Push (#384) – Fixed incorrect pushes on PRs
• OpenAPI Title (#522) – Fixed formatting in specification
• Test Isolation (#495) – Tests no longer affect production database
• Configuration Cleanup (#419) – Removed unused lock_file_path

🔄 Changed

• Security by Default:

  • Admin UI disabled: MCPGATEWAY_UI_ENABLED=false
  • Admin API disabled: MCPGATEWAY_ADMIN_API_ENABLED=false
  • Enable only for trusted development environments

• Code Quality Milestones:

  • 100% Docstring Coverage – Use make interrogate to verify
  • 10/10 Pylint Score – Use make pylint to check
  • Zero Security Issues – Use make bandit to scan
  • Clean Web Code – Use make lint-web to verify

• Enhanced Error Handling:

  • Replaced all assert statements with proper exceptions
  • Better error messages for user guidance
  • Improved logging for debugging

🔐 Security Notes

New Security Tools

Run the security lint suite locally:

make security-all     # Run all security scanners
make bandit           # Python security analysis
make nodejsscan       # JavaScript security analysis  
make grype            # Container vulnerability scan
make trivy            # Comprehensive security scan
make lint-web         # Web code quality check
make sonar-up-docker pysonar-scanner # Run sonarqube locally and submit code

📦 Upgrade Instructions

1. Update your package:

   pip install --upgrade mcp-contextforge-gateway==0.4.0

2. Review new retry settings in .env:

   # Copy latest example with retry config
   cp .env.example .env

Docker / Compose / Kubernetes deployments also support alembic migrations on startup.

---

🌟 Release Contributors

Thanks to our amazing contributors who made this security-focused release possible!

🏆 Top Contributors in 0.4.0

• Mihai Criveti (@crivetimihai) - Release coordinator, security improvements, code quality, review, and extensive testing infrastructure
• Madhav Kandukuri (@madhav165) - Major input validation framework, security fixes, and test coverage improvements
• Keval Mahajan (@kevalmahajan) - HTTPX retry mechanism implementation and UI improvements
• Manav Gupta (@manavgup) - Comprehensive doctest coverage and Playwright test suite

🎉 New Contributors

Welcome to our first-time contributors who joined us in 0.4.0:

• Satya (@TS0713) - Fixed duplicate server name handling and invalid transport type validation
• Guoqiang Ding (@dgq8211) - Improved tool description display with proper line wrapping
• Rakhi Dutta (@rakdutta) - Enhanced error messages for better user experience
• Nayana R Gowda - Fixed CodeMirror layout spacing issues
• Mohan Lakshmaiah - Contributed UI/UX improvements and test case updates
• Shoumi Mukherjee - Fixed resource data handling in the UI
• Reeve Barreto (@reevebarreto) - Implemented the Test MCP Server Connectivity feature
• ChrisPC-39/Sebastian - Achieved 10/10 Pylint score and added security scanners
• Jason Frey (@fryguy9) - Improved GitHub Actions with official IBM Cloud CLI action

💪 Returning Contributors

Thank you to our dedicated contributors who continue to strengthen MCP Gateway:

• Thong Bui - REST API enhancements including PATCH support and path parameters
• Abdul Samad - Dark mode improvements and UI polish

This release represents a true community effort with contributions from developers around the world. Your dedication to security, code quality, and user experience has made MCP Gateway more robust than ever!

---

🔗 Resources

• 📚 Docs: https://ibm.github.io/mcp-context-forge/
• 🐳 Container: ghcr.io/ibm/mcp-context-forge:v0.4.0
• 🐍 PyPI: mcp-contextforge-gateway
• 📈 Full changelog: Compare v0.3.1…v0.4.0