Skip to content

Update stacklok/toolhive to v0.29.3#930

Merged
ChrisJBurns merged 4 commits into
mainfrom
renovate/stacklok-toolhive-0.x
Jun 10, 2026
Merged

Update stacklok/toolhive to v0.29.3#930
ChrisJBurns merged 4 commits into
mainfrom
renovate/stacklok-toolhive-0.x

Conversation

@renovate

@renovate renovate Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change
stacklok/toolhive patch v0.29.1v0.29.3

After this PR opens, .github/workflows/upstream-release-docs.yml adds source-verified content edits for the new release. For stacklok/toolhive, the same workflow also syncs reference assets (CLI help, Swagger) and regenerates the CRD MDX pages.


Release Notes

stacklok/toolhive (stacklok/toolhive)

v0.29.3

Compare Source

🚀 Toolhive v0.29.3 is live!

A small maintenance release that makes ToolHive's unauthenticated proxy default visible — surfacing it in logs and docs in response to GHSA-hfrv-94x5-85p2 — alongside internal release-tooling automation. No breaking changes and no behavioral changes to existing deployments.

🐛 Bug Fixes

  • An MCPServer, MCPRemoteProxy, standalone CLI, or vMCP running without OIDCConfigRef (or any other auth source) now emits a Warn-level log stating that every request is forwarded under a synthetic local-user identity with no credential check, and the README/CRD docs are corrected to describe identity enforcement as conditional on configuring an authentication source — the unauthenticated default itself is unchanged (#​5488)

🧹 Misc

  • Release notes generation and the Slack release announcement are now automated in CI when a release is published, keeping a maintainer in the loop via review-then-publish (#​5487)

📦 Dependencies

Module Version
github.com/stacklok/toolhive-catalog v0.20260610.0
Full commit log

What's Changed

Full Changelog: stacklok/toolhive@v0.29.2...v0.29.3

🔗 Full changelog: stacklok/toolhive@v0.29.2...v0.29.3

What's Changed

Full Changelog: stacklok/toolhive@v0.29.2...v0.29.3

v0.29.2

Compare Source

🚀 Toolhive v0.29.2 is live!

A hardening-focused patch release: two security fixes, an operator-chart regression safety net via helm-unittest, an OTLP header delivery fix, an OAuth public-client TTL fix, continued vMCP New/Serve refactor scaffolding, and the deprecation of the MCPRegistry CRD.

🔄 Deprecations

  • MCPRegistry CRD deprecated in favour of the toolhive-registry-server Helm chart — the CRD remains fully functional but now emits a kubectl deprecation warning and an operator Warning event; it will be removed in a future release (#​5470)

🐛 Bug Fixes

  • OAuth/OIDC discovery endpoints (RFC 9728 protected-resource metadata, RFC 8414 authorization-server metadata, OIDC discovery, JWKS) now work for stdio-backed MCP servers with an embedded auth server, instead of returning 404 (#​5479)
  • Long-lived public OAuth clients registered via Dynamic Client Registration are no longer evicted after 30 days of active use — their TTL now refreshes on each successful token exchange, preventing spurious invalid_client failures (#​5469)
  • OTLP exporter headers supplied via OTEL_EXPORTER_OTLP_HEADERS are no longer silently dropped on the POST /api/v1/workloads path, so collectors requiring an auth header now receive telemetry ([#​5474]#​5474))
  • Overriding operator.serviceAccount.name in the operator Helm chart no longer breaks the deployment — every reference now routes through the same serviceAccountName helper (#​5476)
  • Prevented a path-traversal weakness in LocalStore.getFilePath so state-store file operations can no longer escape the base directory (#​5464, Fixes [#​4736]#​4736))
  • Added baseline X-Content-Type-Options: nosniff and Cross-Origin-Resource-Policy: same-origin security headers to every thv REST API response (#​5458)

🧹 Misc

  • vMCP refactor (epic #​5419): introduced a stateless, identity-explicit core VMCP constructor (#​5457), added the Serve transport skeleton and ServerConfig (#​5467), wired the Cedar admission seam into the core so list and call enforce one shared decision (#​5459), moved the SDK hooks and two-phase session creation under Serve (#​5471), and domain-typed the elicitation seam (#​5456) — all additive, with server.New behavior unchanged
  • Added helm-unittest regression coverage for the operator and operator-crds charts: CRD install/keep toggles (#​5468), a default-install baseline ([#​5473]#​5473)), value-driven scenario suites ([#​5475]#​5475)), and security-posture/naming suites (#​5477)
  • Documented the Redis Cluster slot invariant and filtered stray un-prefixed members in the auth-server token storage (#​5210)

📦 Dependencies

Module Version
github.com/stacklok/toolhive-core v0.0.24
golang.org/x/exp/jsonrpc2 055de63
github/codeql-action 8aad20d
anthropics/claude-code-action fbda2eb

What's Changed

🔗 Full changelog: stacklok/toolhive@v0.29.1...v0.29.2

New Contributors


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


Docs update for toolhive v0.29.3

At a glance

Upstream stacklok/toolhive v0.29.1v0.29.3
Hand-written changes 2 commit(s)
Reference assets refreshed (separate commit)
Gaps 0
Release contributors 7 auto-assigned (see sidebar)
Action required Spot-check skill-authored prose for accuracy

Summary of changes

  • Added MCPRegistry CRD deprecation warning at the top of the Registry Server quickstart in docs/toolhive/guides-registry/quickstart.mdx, steering new long-lived deployments to the toolhive-registry-server Helm chart (stacklok/toolhive#5470).
  • Updated the MCPRegistry CRD reference intro in scripts/lib/crd-intros.mjs and the regenerated docs/toolhive/reference/crds/mcpregistry.mdx to lead with a deprecation admonition pointing at the Helm chart (stacklok/toolhive#5470).
  • Updated the MCPRegistry DocCard summary on the CRD landing page (docs/toolhive/reference/crds/index.mdx) to flag the deprecation in the index listing.
  • Annotated the crds.install.registry row in docs/toolhive/guides-k8s/deploy-operator.mdx to flag MCPRegistry as deprecated where the CRD install toggle is documented.

Run cost

Session Turns Cost (USD)
Generation 117 $9.0106
Editorial review 27 $1.7630
Total 144 $10.7736
How this PR was built

Two Claude Opus sessions run per release: a generation pass
(upstream-release-docs skill, 6 phases) followed by a fresh-
context editorial pass (docs-review). Prettier/ESLint
auto-fixes are applied after.

Auto-synced paths — do not hand-edit these in review:

  • docs/toolhive/reference/cli/
  • docs/toolhive/reference/crds/
  • static/api-specs/

If a "Gaps needing human context" section is present above,
each entry includes a paste-ready Helper prompt for local
Claude
a reviewer can use to resolve the gap.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot added the autogen-docs Pull requests generated by automated release workflows label Jun 10, 2026
@vercel

vercel Bot commented Jun 10, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-website Ready Ready Preview, Comment Jun 10, 2026 9:42pm

Request Review

@github-actions github-actions Bot marked this pull request as draft June 10, 2026 21:27
@claude

claude Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Claude finished @renovate[bot]'s task in 10m 41s —— View job


Upstream release docs: toolhive v0.29.1 → v0.29.3

Pushed f43ede5 to renovate/stacklok-toolhive-0.x.

  • Phase 1: Discovery — 28 commits / 24 PRs enumerated, categorized
  • Phase 2: Deep dive — verified OIDCConfigRef SECURITY note and MCPRegistry deprecation marker against source at v0.29.3
  • Phase 3: Docs audit + impact map
  • Phase 4: Implementation — 5 files edited
  • Phase 5: prettier:fix + eslint:fix clean; build fails locally only on mcp-metadata-plugin network fetch (CI has thv available)
  • Phase 6: Committed and pushed; SUMMARY.md written for the workflow

Hand-written edits

  • docs/toolhive/guides-registry/quickstart.mdx — added a :::warning[MCPRegistry CRD is deprecated] admonition steering new long-lived deployments to deploy-helm
  • scripts/lib/crd-intros.mjs + regenerated docs/toolhive/reference/crds/mcpregistry.mdx — deprecation admonition in the CRD reference intro
  • docs/toolhive/reference/crds/index.mdx — DocCard summary now flags (deprecated)
  • docs/toolhive/guides-k8s/deploy-operator.mdxcrds.install.registry row annotated

Auto-regenerated (no hand-edit required)

The release's other user-facing changes surface through the auto-synced reference assets in this PR:

  • MCPServer / MCPRemoteProxy oidcConfigRef SECURITY note about the unauthenticated default (stacklok/toolhive#5488)
  • MCPRegistry CRD description deprecation prose (stacklok/toolhive#5470)
  • Redis Cluster TLS description (stacklok/toolhive#5210)
  • stateless field on registry remote/published metadata (catalog v0.20260610.0)

Items with no docs displacement

stacklok/toolhive#5479 (RFC 9728 discovery on stdio), stacklok/toolhive#5474 (OTLP env header fix), stacklok/toolhive#5469 (public OAuth client TTL refresh), stacklok/toolhive#5464 (path traversal), stacklok/toolhive#5458 (security headers), stacklok/toolhive#5476 (operator SA name) — all bug fixes that make existing behavior work as documented; no claims to revise.
· Branch

ChrisJBurns
ChrisJBurns previously approved these changes Jun 10, 2026
Surface the MCPRegistry CRD deprecation (stacklok/toolhive#5470) in:
- Registry Server quickstart, steering new long-lived deployments to the
  toolhive-registry-server Helm chart
- MCPRegistry CRD reference intro and landing-page summary
- Operator deploy guide's crds.install.registry row

The unauthenticated-proxy SECURITY note (stacklok/toolhive#5488) and the
Redis Cluster TLS description tweak surface automatically via the
regenerated CRD schemas; no hand-edit needed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@claude

claude Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Claude finished @renovate[bot]'s task in 3m 31s —— View job


Editorial review of v0.29.3 docs edits

Pushed 261ba59 to renovate/stacklok-toolhive-0.x.

  • Identify hand-edited files
  • Run editorial pass on each
  • Apply actionable fix
  • Format and lint (prettier + eslint both clean)
  • Commit and push

Edit applied

docs/toolhive/guides-registry/quickstart.mdx — in the deprecation warning, changed See [Deployment options](./deployment.mdx) for a comparison of the available methods. to See [Deploy the Registry Server](./deployment.mdx) for a comparison of the deployment methods.

The destination page's title is "Deploy the Registry Server", and every other reference to that page in guides-registry/ uses that exact link text (index, database, telemetry-metrics, and the quickstart's own Next steps). The style guide requires link text to match the destination's title/heading when referencing it by name. "deployment methods" also matches the ## Deployment methods heading on the target page, replacing the vaguer "available methods."

Findings left as-is

  • docs/toolhive/guides-k8s/deploy-operator.mdx — the row reads Install registry CRDs (MCPRegistry, deprecated). The comma is mildly ambiguous (could read as a two-item list), but the column is space-constrained and the meaning is unambiguous in context. No change.
  • docs/toolhive/reference/crds/mcpregistry.mdx and reference/crds/index.mdx — out of scope (auto-generated from scripts/lib/crd-intros.mjs). Both reviewed; wording is consistent and accurate.
  • scripts/lib/crd-intros.mjs — source for the two CRD reference files. Editing the source without regenerating the output would create drift, so left untouched.

Branch ·

@ChrisJBurns ChrisJBurns merged commit bea7cd2 into main Jun 10, 2026
4 checks passed
@ChrisJBurns ChrisJBurns deleted the renovate/stacklok-toolhive-0.x branch June 10, 2026 21:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

autogen-docs Pull requests generated by automated release workflows

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants