Update stacklok/toolhive to v0.27.2 #867

Merged
danbarr merged 5 commits into main from renovate/stacklok-toolhive-0.x
May 13, 2026

@renovate renovate Bot commented May 12, 2026

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| stacklok/toolhive | patch | v0.27.1 → v0.27.2 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

After this PR opens, .github/workflows/upstream-release-docs.yml adds source-verified content edits for the new release. For stacklok/toolhive, the same workflow also syncs reference assets (CLI help, Swagger) and regenerates the CRD MDX pages.


Release Notes

stacklok/toolhive (stacklok/toolhive)

v0.27.2

Compare Source

What's Changed

Full Changelog: stacklok/toolhive@v0.27.1...v0.27.2


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


Docs update for toolhive v0.27.2

At a glance

  • Upstream: stacklok/toolhive v0.27.1 → v0.27.2
  • Hand-written changes: 2 commit(s)
  • Reference assets: refreshed (separate commit)
  • Gaps: 0
  • Release contributors: 10 auto-assigned (see sidebar)
  • Action required: Spot-check skill-authored prose for accuracy

Summary of changes

  • Added a Baseline scopes for DCR clients section to docs/toolhive/concepts/embedded-auth-server.mdx explaining the new baselineClientScopes field, including the invalid_scope failure mode it addresses and security guidance to keep the baseline narrow.
  • Updated the embedded auth server configuration reference table in docs/toolhive/guides-k8s/auth-k8s.mdx to document the new baselineClientScopes field on MCPExternalAuthConfig.spec.embeddedAuthServer.
  • Added a baselineClientScopes example and cross-link in docs/toolhive/guides-vmcp/authentication.mdx to cover the matching field on VirtualMCPServer.spec.authServerConfig.

Other v0.27.2 PRs were bug fixes, refactors, or operator-side robustness changes with no documented behavior to update. The CRD JSON schema deltas for the new field were auto-synced into static/api-specs/crds/ by the release workflow and surface through <CRDReference /> on the existing CRD reference pages.

Run cost

| Session | Turns | Cost (USD) |
| --- | --- | --- |
| Generation | 79 | $5.7729 |
| Editorial review | 48 | $3.0189 |
| Total | 127 | $8.7918 |

How this PR was built

Two Claude Opus sessions run per release: a generation pass (upstream-release-docs skill, 6 phases) followed by a fresh-context editorial pass (docs-review). Prettier/ESLint auto-fixes are applied after.

Auto-synced paths — do not hand-edit these in review:

  • docs/toolhive/reference/cli/
  • docs/toolhive/reference/crds/
  • static/api-specs/

If a "Gaps needing human context" section is present above, each entry includes a paste-ready Helper prompt for local Claude a reviewer can use to resolve the gap.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot added the autogen-docs Pull requests generated by automated release workflows label May 12, 2026
vercel Bot commented May 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs-website | Ready | Preview, Comment | May 12, 2026 7:07pm |

claude Bot commented May 12, 2026

Claude finished @renovate[bot]'s task in 6m 14s —— View job


Updated docs for toolhive v0.27.2

Pushed 6f878b6 to the PR branch.

  • Phase 1: Discover and categorize changes
  • Phase 2: Deep-dive into doc-relevant PRs
  • Phase 3: Audit existing docs for embedded auth/DCR references
  • Phase 4: Document baselineClientScopes (3 files)
  • Phase 5: Validate edits (prettier, eslint clean)
  • Phase 6: Wrote SUMMARY.md and committed

What changed

The only user-facing addition in v0.27.2 is the new baselineClientScopes field on the embedded authorization server (PR stacklok/toolhive#5233). It surfaces on:

  • MCPExternalAuthConfig.spec.embeddedAuthServer.baselineClientScopes
  • VirtualMCPServer.spec.authServerConfig.baselineClientScopes

The operator unions these scopes into every DCR-registered client's scope set so clients that narrow scope at /oauth/register (notably Claude Code) can still request the baseline at /oauth/authorize. Verified the runtime union behavior at pkg/authserver/server/handlers/dcr.go at v0.27.2.

Hand-written edits

| File | Change |
| --- | --- |
| docs/toolhive/concepts/embedded-auth-server.mdx | Added a Baseline scopes for DCR clients subsection under Key characteristics with security guidance. |
| docs/toolhive/guides-k8s/auth-k8s.mdx | Added a baselineClientScopes row to the MCPExternalAuthConfig configuration-reference table. |
| docs/toolhive/guides-vmcp/authentication.mdx | Added a baselineClientScopes snippet and concept cross-link inside Configure the embedded auth server. |

The CRD JSON-schema deltas already in this PR (mcpexternalauthconfigs.schema.json, virtualmcpservers.schema.json) auto-flow into the generated CRD reference pages via the <CRDReference /> component, so no hand edits to docs/toolhive/reference/crds/ were needed.

All other v0.27.2 PRs were bug fixes, refactors, or operator-side robustness changes with no documented behavior to update (header forwarding bug fix is invisible to users; corev1.PullPolicy swap is type-only; Helm helper rename is internal; spec-violating list tolerance, mcp-go auth sentinels, OTEL via API, Docker socket fallback, legacy registry 502, and tokenexchange refactors all leave external surfaces unchanged).

Validation

  • npm run prettier:fix — clean.
  • npm run eslint — clean.
  • npm run build — failed on the mcp-metadata-plugin external-data fetch (sandbox network restriction). PR CI will run the full build.

claude Bot commented May 12, 2026

Claude finished @renovate[bot]'s task in 4m 53s —— View job


Editorial review of v0.27.2 docs changes

Pushed b3ca6cc — editorial polish on top of 6f878b6.

  • Identify files changed in the previous commit (docs/toolhive/concepts/embedded-auth-server.mdx, docs/toolhive/guides-k8s/auth-k8s.mdx, docs/toolhive/guides-vmcp/authentication.mdx)
  • Verify technical claims against upstream pkg/authserver/server/handlers/dcr.go at v0.27.2
  • Apply /docs-review skill
  • Apply editorial fixes
  • Validate (prettier, eslint clean)
  • Commit and push

Editorial findings and fixes

Primary: heading hierarchy

The new "Baseline scopes for DCR clients" content sat as an h3 inside ## Key characteristics on the concept page. That parent section is otherwise a flat bullet list of one-line traits, so a multi-paragraph h3 with security guidance underneath it created an awkward depth mismatch — readers scanning the TOC would expect the h3 to be a sub-aspect of "Key characteristics" rather than a standalone topic with its own configuration knob.

Fix: Promoted to a top-level ## Baseline scopes for DCR clients, sitting between Key characteristics and Session storage. The anchor slug (#baseline-scopes-for-dcr-clients) is unchanged, so existing cross-links from auth-k8s.mdx and authentication.mdx still resolve.

Secondary: verb choice

The original text used "unions"/"unioned" as a verb in all three files ("The server unions these scopes into…", "scopes that are unioned into…", "the embedded auth server unions those scopes into…"). "Union" as a verb is set-theory jargon that reads as awkward English even though it's precise.

Fix: Replaced with "merges"/"merged" throughout — preserves the union semantics and reads more naturally.

Secondary: prose tightening

  • "register via DCR with a narrowed scope value, then later request a wider set of scopes" → "then request a wider set of scopes" (dropped redundant "later").
  • "To work around this, configure…" → "To support this pattern, configure…" — the operator opts in to enable a client pattern, not to bypass a defect.
  • vMCP page: "merges those scopes into every registered client" → "merges those scopes into every registered client's scope set" (consistent object across all three files; previously dropped the trailing noun phrase).

Reviewed but not changed

  • Source-truth verification: Read pkg/authserver/server/handlers/dcr.go in the local upstream clone at v0.27.2. The documented behavior matches: ValidateScopes runs first, then if BaselineClientScopes is configured, unionScopes(scopes, baseline) becomes the effective scope set stored on the client. The startup-time guarantee that the baseline is a subset of ScopesSupported is described in the source comments at dcr.go:71-75 and matches the doc claim that "the auth server fails to start if any value is missing."
  • The cross-page link pattern (concept page is the canonical source; k8s and vMCP pages link to it) is correct.
  • The example clients named ("Claude Code, Cursor, and VS Code" on the concept page; "a pattern used by Claude Code, among others" on the vMCP page) are slightly different in specificity but consistent in intent — left as-is to avoid introducing new claims.
  • The CRD schema deltas (mcpexternalauthconfigs.schema.json, virtualmcpservers.schema.json) auto-flow into the generated CRD reference pages and are out of scope per the workflow handoff.

Validation

  • npm run prettier:fix — clean; touched only the table column widths in auth-k8s.mdx.
  • npm run eslint — clean.

peppescg previously approved these changes May 12, 2026
@ChrisJBurns ChrisJBurns removed their request for review May 12, 2026 16:04
Clarify that when scopesSupported is omitted, the embedded auth server
validates baselineClientScopes against its default scope set
(openid, profile, email, offline_access) rather than failing to start.

This behavior shipped in toolhive v0.27.2 as part of #5233.
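
A minimal Go model of the behavior discussed in this thread, added as an illustration and not ToolHive's own code: the function names (`CheckBaseline`, `Register`, `Authorize`) and the sample scopes are assumptions. It shows a client that registers with a narrowed scope being refused a wider authorize request, the same request passing once a baseline is merged in, and the startup subset check falling back to the default scope set.

```go
package main

import (
	"fmt"
	"strings"
)

// Default scope set the page names for when scopesSupported is omitted.
var defaultScopes = []string{"openid", "profile", "email", "offline_access"}

// missing returns the scopes in want that are absent from have.
func missing(have, want []string) []string {
	set := map[string]bool{}
	for _, s := range have {
		set[s] = true
	}
	var out []string
	for _, s := range want {
		if !set[s] {
			out = append(out, s)
		}
	}
	return out
}

// CheckBaseline models the startup check: any scope returned means refuse to start.
func CheckBaseline(supported, baseline []string) []string {
	if len(supported) == 0 {
		supported = defaultScopes
	}
	return missing(supported, baseline)
}

// Register models DCR: the stored set is the requested scopes merged with the baseline.
func Register(requested string, baseline []string) []string {
	scopes := strings.Fields(requested)
	return append(scopes, missing(scopes, baseline)...)
}

// Authorize models /oauth/authorize: returned scopes would be rejected as invalid_scope.
func Authorize(registered []string, requested string) []string {
	return missing(registered, strings.Fields(requested))
}

func main() {
	base := []string{"offline_access"} // constructed sample baseline
	fmt.Println("no baseline, rejected:", Authorize(Register("openid", nil), "openid offline_access"))
	fmt.Println("with baseline, rejected:", Authorize(Register("openid", base), "openid offline_access"))
}
```

Because the merge applies to every registered client, a scope placed in the baseline becomes requestable by all DCR clients, which is the reason the docs change advises keeping the baseline narrow.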
@jhrozek jhrozek left a comment

Not sure if this lets me approve but LGTM after my latest commit

danbarr commented May 13, 2026

Merging as it appears the only generated prose was around the DCR scopes which @jhrozek already touched up. If any of the other reviewers landed changes that weren't captured by the workflow, please file as follow-up PRs.

@danbarr danbarr merged commit 01ade9d into main May 13, 2026
6 checks passed
@danbarr danbarr deleted the renovate/stacklok-toolhive-0.x branch May 13, 2026 14:13