feat: Add Webhook Notification Plugin #1113
Merged: crivetimihai merged 1 commit into IBM:main from manavgup:feat/webhook-notification-plugin, Sep 27, 2025
Adds comprehensive webhook notification system for MCP Gateway events.

Features:
- HTTP webhook notifications for events, violations, and state changes
- Multiple authentication methods (Bearer, API Key, HMAC signatures)
- Retry logic with exponential backoff
- Customizable payload templates per event type
- Event filtering and concurrent webhook delivery
- Comprehensive test coverage (unit + integration)
- Full documentation and testing guide

Supported Events:
- Tool execution (success/error)
- PII detection violations
- Rate limit violations
- Resource fetch operations
- Prompt fetch operations

Configuration:
- Added WebhookNotification plugin to plugins/config.yaml
- Disabled problematic ClamAV and AI Artifacts plugins
- Example webhook.site integration for testing

🤖 Generated with Claude Code

Co-Authored-By: Claude <[email protected]>
ffde7c1 to 67f7428
crivetimihai approved these changes, Sep 27, 2025
CrazyDubya added a commit to CrazyDubya/mcp-context-forge that referenced this pull request, Nov 15, 2025
* fix: Support Kubernetes versions with vendor suffixes in Helm chart (#1010) * fix: Support Kubernetes versions with vendor suffixes in Helm chart Fixes #931 by changing kubeVersion constraint from '>=1.21.0' to '>=1.21.0-0'. This allows Helm to properly handle vendor-specific version suffixes like '1.31.10-eks-931bdca' from AWS EKS and other Kubernetes distributions. The '-0' suffix tells Helm's semantic versioning parser to accept any version >= 1.21.0 including those with pre-release/build metadata suffixes. Signed-off-by: Diego Riosalido <[email protected]> * chore: Bump chart version to 0.7.0 --------- Signed-off-by: Diego Riosalido <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * Update AGENTS.md Signed-off-by: Mihai Criveti <[email protected]> * Token scoping issue (#1014) * added token scoping middleware to streamable http middleware Signed-off-by: Keval Mahajan <[email protected]> * improved raising response for errors Signed-off-by: Keval Mahajan <[email protected]> * updated test cases Signed-off-by: Keval Mahajan <[email protected]> * minor change Signed-off-by: Keval Mahajan <[email protected]> * added docstring Signed-off-by: Keval Mahajan <[email protected]> --------- Signed-off-by: Keval Mahajan <[email protected]> * Updated wrapper configurations (#1015) Signed-off-by: Keval Mahajan <[email protected]> * fix: jwt audience verification should be independent from token expiration (#1017) * fix: jwt audience verfication should be independent from token expiration Signed-off-by: Philip Miglinci <[email protected]> * Rebase Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Philip Miglinci <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * feat: add tool metadata and http headers to plugin tool hooks (#854) * rebase: rebased with main, fixing merge conflicts Signed-off-by: Teryl Taylor <[email protected]> * fix: plugin cleanup to support 
multiple external plugins. Signed-off-by: Teryl Taylor <[email protected]> * fix(lint): fixed linting issues Signed-off-by: Teryl Taylor <[email protected]> * feat(error): update error handling with enforce_ignore_error Signed-off-by: Teryl Taylor <[email protected]> * fix(plugins): updated documentation and addressed PR comments. Signed-off-by: Teryl Taylor <[email protected]> * fix(lint): fixed linting issue Signed-off-by: Teryl Taylor <[email protected]> * feat(plugins): added initial http header hooks. Signed-off-by: Teryl Taylor <[email protected]> * fix(comments): update docstrings to fix linting. Signed-off-by: Teryl Taylor <[email protected]> * fix: linting issue. Signed-off-by: Teryl Taylor <[email protected]> * feat: added hooks to the plugin manager for http pre/post header requests. Signed-off-by: Teryl Taylor <[email protected]> * feat: added tool metadata and headers to tool payloads. Signed-off-by: Teryl Taylor <[email protected]> * fix: fixed model to support passing tool metadata. Signed-off-by: Teryl Taylor <[email protected]> * feat: added example header plugin for tools. Signed-off-by: Teryl Taylor <[email protected]> * fix: refactored ToolMetaData, GatewayMetadata, removed http hooks, fixed test cases Signed-off-by: Teryl Taylor <[email protected]> * adding handlers for pluginerror and pluginviolationerror Signed-off-by: Shriti Priya <[email protected]> * fix for headers pydantic error in tool, plugin violation error handler Signed-off-by: Shriti Priya <[email protected]> * Error handling changes with test cases modification Signed-off-by: Shriti Priya <[email protected]> * fixing flake8 issues Signed-off-by: Shriti Priya <[email protected]> * refactored error handling in prompt and resource services, added unit tests for meta data, fixed existing tests. 
Signed-off-by: Teryl Taylor <[email protected]> * fix: made original_name optional Signed-off-by: Teryl Taylor <[email protected]> * tests(tools): added test to check both gateway and tool metadata Signed-off-by: Teryl Taylor <[email protected]> * tests(headers): added tool header tests Signed-off-by: Teryl Taylor <[email protected]> * tests(tool_post_invoke): tests cases for tool post invoke metadata. Signed-off-by: Teryl Taylor <[email protected]> * fix(tool): check whether tools payload headers are None Signed-off-by: Teryl Taylor <[email protected]> * docs(plugins): added some documentation on the headers and meta data. Signed-off-by: Teryl Taylor <[email protected]> * fix: updated error response values Signed-off-by: Teryl Taylor <[email protected]> * Rebase Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Teryl Taylor <[email protected]> Signed-off-by: Shriti Priya <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Teryl Taylor <[email protected]> Co-authored-by: Shriti Priya <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * fixed duplication of app_root_path for static files (#1028) Signed-off-by: Keval Mahajan <[email protected]> * Update MANIFEST.in Signed-off-by: Mihai Criveti <[email protected]> * Update MANIFEST.in Signed-off-by: Mihai Criveti <[email protected]> * Add Dynamic Client Registration Tutorial (#1029) * Add Dynamic Client Registration Tutorial Signed-off-by: Philip Miglinci <[email protected]> * docs: clarify swimlane chart, remove docker compose service name Signed-off-by: Philip Miglinci <[email protected]> * docs: extend README, update ToC Signed-off-by: Philip Miglinci <[email protected]> * docs: add a docs sectino about dcr Signed-off-by: Philip Miglinci <[email protected]> * Update docs for build Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Philip Miglinci <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> 
Co-authored-by: Jakob Steiner <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * Update docs with .env.example and new PLATFORM_ADMIN_EMAIL Signed-off-by: Mihai Criveti <[email protected]> * Feat 534/config validation startup checks (#976) * Adding config validation and startup checks Signed-off-by: Veeresh K <[email protected]> * added config validation and security checks Signed-off-by: Veeresh K <[email protected]> * testcases are fixed Signed-off-by: Veeresh K <[email protected]> * correct pylint warnings Signed-off-by: Veeresh K <[email protected]> * Rebase and change defaults to not exit app Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Veeresh K <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * removed permission (#1036) Signed-off-by: rakdutta <[email protected]> * whitesource Signed-off-by: Mihai Criveti <[email protected]> * ICA Vault Plugin: Replaces the Bearer token with a token received from backend (#1027) * Plugin first version Signed-off-by: popagruia <[email protected]> * Fixed logging Signed-off-by: popagruia <[email protected]> * fix: improve vault plugin implementation - Fixed linting issues (removed unused import, fixed whitespace) - Added missing __init__.py file for proper Python package structure - Fixed typos in documentation (system_tag_prefix, vault_handling) - Added vault plugin registration to plugins/config.yaml - Improved plugin description clarity * fix: improve vault plugin error handling and robustness - Added proper error handling for missing/invalid vault header - Fixed incorrect docstring (was copied from PII filter) - Added proper database session cleanup with try/finally - Added validation for oauth_config token_url field - Improved logging for debugging --------- Signed-off-by: popagruia <[email protected]> Co-authored-by: popagruia <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * 
Support for Content-Type: application/x-www-form-urlencoded (#1026) * add support for application/x-www-form-urlencoded content type Signed-off-by: Mohan Lakshmaiah <[email protected]> * url_encoded test cases update Signed-off-by: Mohan Lakshmaiah <[email protected]> * fixing doctest Signed-off-by: Mohan Lakshmaiah <[email protected]> * docs: add FORGE_CONTENT_TYPE environment variable to README - Document new env variable in Basic configuration section - Add usage note for URL-encoded form data support - Closes #978 * rebase Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mohan Lakshmaiah <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mohan Lakshmaiah <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * feat(helm): add image pull secrets support and enhance ingress TLS configuration (#1038) - Add global imagePullSecrets support across all deployments (mcpgateway, postgres, redis, pgadmin, redis-commander, mcp-fast-time-server, and migration job) - Fix template syntax in _helpers.tpl for fullnameOverride (add missing dash) - Add TLS configuration support to ingress with schema validation - Improve pgAdmin probe configuration with longer timeouts and delays for better stability - Update values.yaml with TLS configuration options and cert-manager annotations This enables deployment in environments requiring private registry authentication and adds support for HTTPS/TLS termination at the ingress level. 
Co-authored-by: Naveed, Muhammad Shahrukh [JJCUS] <[email protected]> * Update docs Signed-off-by: Mihai Criveti <[email protected]> * Update docs Signed-off-by: Mihai Criveti <[email protected]> * Update docs Signed-off-by: Mihai Criveti <[email protected]> * Pandoc MCP Server (#1044) Signed-off-by: Mihai Criveti <[email protected]> * Massive mcp server and plugin update (#1051) * MCP Servers and Plugins Signed-off-by: Mihai Criveti <[email protected]> * Formatting Signed-off-by: Mihai Criveti <[email protected]> * Update Readme Signed-off-by: Mihai Criveti <[email protected]> * Update plugin Signed-off-by: Mihai Criveti <[email protected]> * Update plugins Signed-off-by: Mihai Criveti <[email protected]> * Update docs Signed-off-by: Mihai Criveti <[email protected]> * Update chmod Signed-off-by: Mihai Criveti <[email protected]> * Update headers Signed-off-by: Mihai Criveti <[email protected]> * Update headers Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * OAuth token multitenancy closes #1078 (user-scoped tokens) and #1023 (token refresh) (#1084) * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Update alembic migration - fix 0.7.0 upgrade Signed-off-by: Mihai Criveti <[email protected]> * Closes #1023 - implement token refresh Signed-off-by: Mihai Criveti <[email protected]> * Closes #1023 - implement token refresh Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * Documentation update readmes (#1087) * Documentation updates Signed-off-by: Mihai Criveti <[email protected]> * Documentation updates 
Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * Documentation updates (#1088) Signed-off-by: Mihai Criveti <[email protected]> * Documentation updates (#1089) Signed-off-by: Mihai Criveti <[email protected]> * Test tokens (#1090) * Test tokens Signed-off-by: Mihai Criveti <[email protected]> * llms-mcp-server-python Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * Update mcp servers (#1091) * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * PM MCP Server Signed-off-by: Mihai Criveti <[email protected]> * PM MCP Server Signed-off-by: Mihai Criveti <[email protected]> * PM MCP Server Signed-off-by: Mihai Criveti <[email protected]> * Fixes OAuth after addition of signature to state (#1097) * copied from main Signed-off-by: Madhav Kandukuri <[email protected]> * testing changes Signed-off-by: Madhav Kandukuri <[email protected]> * Fix oauth code Signed-off-by: Madhav Kandukuri <[email protected]> * Fix tests in test_oauth_router Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * remove debug_team_dropdown.md Signed-off-by: Madhav Kandukuri <[email protected]> * String issue fixed Signed-off-by: Madhav Kandukuri <[email protected]> --------- Signed-off-by: Madhav Kandukuri <[email protected]> * feat: add opa policy input data mapping support (#1102) * feat: add opa policy input data 
mapping support Signed-off-by: Frederico Araujo <[email protected]> * chore: drop debugging print statement Signed-off-by: Frederico Araujo <[email protected]> --------- Signed-off-by: Frederico Araujo <[email protected]> * fix: multi-arch support for opa server (#1106) Signed-off-by: Frederico Araujo <[email protected]> * docs: add Terraform MCP Server and Gateway integration guide (#1083) This commit adds documentation explaining the Terraform MCP Server, its key features, and how to integrate it with the MCP Gateway. The content is based on the official documentation and adapted for usage and reference. Signed-off-by: Alexander Cobas Rodríguez <[email protected]> * copied from main Signed-off-by: Madhav Kandukuri <[email protected]> * testing changes Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * remove debug_team_dropdown.md Signed-off-by: Madhav Kandukuri <[email protected]> * copied from fix-oauth Signed-off-by: Madhav Kandukuri <[email protected]> * OAuth for test gateway Signed-off-by: Madhav Kandukuri <[email protected]> * testing Signed-off-by: Madhav Kandukuri <[email protected]> * testing Signed-off-by: Madhav Kandukuri <[email protected]> * Fix tests Signed-off-by: Madhav Kandukuri <[email protected]> * Update doctest for check_health_for_gatways Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * Fix pylint issues Signed-off-by: Madhav Kandukuri <[email protected]> * UI multi tenancy gaps (#1040) * visibility fix, team id in consistency fix, other minor fixes * fixed test cases * lint web fixes Signed-off-by: Satya <[email protected]> * updated tools view metadata * metadata visibility check Tools, A2A Signed-off-by: Satya <[email protected]> * rebase Signed-off-by: Satya <[email protected]> * lint-web fix Signed-off-by: Satya <[email protected]> * fix for private visibility to user specific Signed-off-by: 
Satya <[email protected]> --------- Signed-off-by: Satya <[email protected]> * The system executed 5 runs with a 0% success rate, an average response time of 0.393 ms, and an error rate of 0%. (#1103) Signed-off-by: NAYANAR <[email protected]> Co-authored-by: NAYANAR <[email protected]> * Pass auth headers when gateway auth is None (#1115) * code change as in issue Signed-off-by: Madhav Kandukuri <[email protected]> * Update tests Signed-off-by: Madhav Kandukuri <[email protected]> * Update README.md * WIP: Plugin Framework Specification Document (#1118) * docs: initial revision plugins spec Signed-off-by: Teryl Taylor <[email protected]> * docs(spec): moved plugin spec and broke into subpages. Signed-off-by: Teryl Taylor <[email protected]> * docs(spec): added some administrative hooks to spec Signed-off-by: Teryl Taylor <[email protected]> * (feat): Markdown fixes and added future hooks. Signed-off-by: Ian Molloy <[email protected]> --------- Signed-off-by: Teryl Taylor <[email protected]> Signed-off-by: Ian Molloy <[email protected]> Co-authored-by: Teryl Taylor <[email protected]> Co-authored-by: Ian Molloy <[email protected]> * plugins spec update Signed-off-by: Mihai Criveti <[email protected]> * jwt-extract-issue Signed-off-by: Santhana Krishnan <[email protected]> * Rebase Signed-off-by: Mihai Criveti <[email protected]> * feat: add webhook notification plugin (#1113) Adds comprehensive webhook notification system for MCP Gateway events. 
Features: - HTTP webhook notifications for events, violations, and state changes - Multiple authentication methods (Bearer, API Key, HMAC signatures) - Retry logic with exponential backoff - Customizable payload templates per event type - Event filtering and concurrent webhook delivery - Comprehensive test coverage (unit + integration) - Full documentation and testing guide Supported Events: - Tool execution (success/error) - PII detection violations - Rate limit violations - Resource fetch operations - Prompt fetch operations Configuration: - Added WebhookNotification plugin to plugins/config.yaml - Disabled problematic ClamAV and AI Artifacts plugins - Example webhook.site integration for testing * Fix: Global Tools not listed for A2A Agents (Issue #841) (#1123) * a2a Signed-off-by: rakdutta <[email protected]> * a2a Signed-off-by: rakdutta <[email protected]> * a2a tool testing Signed-off-by: rakdutta <[email protected]> * test Signed-off-by: rakdutta <[email protected]> * test Signed-off-by: rakdutta <[email protected]> * return Signed-off-by: rakdutta <[email protected]> * Rebase Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: rakdutta <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * fix auth value db constraint (#1120) Signed-off-by: Shoumi <[email protected]> * Fix tool refresh for OAuth (#1119) * Update deduplicated tools Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * Lint fix Signed-off-by: Madhav Kandukuri <[email protected]> * Clean up code Signed-off-by: Madhav Kandukuri <[email protected]> * Fix addition and deletion Signed-off-by: Madhav Kandukuri <[email protected]> * Fix some lint issues Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * Add tests Signed-off-by: Madhav Kandukuri <[email protected]> * Fix test 
Signed-off-by: Madhav Kandukuri <[email protected]> * fix: remove trailing whitespace from tests --------- Co-authored-by: Mihai Criveti <[email protected]> * feat: add content moderation plugin with IBM support (#1114) * feat: add content moderation plugin with IBM support Add comprehensive content moderation plugin supporting: - IBM Watson Natural Language Understanding - IBM Granite Guardian via Ollama - OpenAI, Azure Content Safety, AWS Comprehend - Pattern-based fallback for offline operation - Configurable thresholds and actions (block/warn/redact) - Content caching and audit logging - Multiple moderation hooks with intelligent fallbacks * plugins update Signed-off-by: Mihai Criveti <[email protected]> * fix tests Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * Implementation for Issue #1035: Add team column to admin tables (#1107) * team add in tool list table Signed-off-by: rakdutta <[email protected]> * gateway Signed-off-by: rakdutta <[email protected]> * server Signed-off-by: rakdutta <[email protected]> * prompt Signed-off-by: rakdutta <[email protected]> * resource Signed-off-by: rakdutta <[email protected]> * resource Signed-off-by: rakdutta <[email protected]> * doctest Signed-off-by: rakdutta <[email protected]> * pytest Signed-off-by: rakdutta <[email protected]> * pytest Signed-off-by: rakdutta <[email protected]> * ruff isort Signed-off-by: rakdutta <[email protected]> * remove print Signed-off-by: rakdutta <[email protected]> * rebase and test Signed-off-by: Mihai Criveti <[email protected]> * rebase and test Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: rakdutta <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * feat: add ENABLE_OVERWRITE_BASE_HEADERS environment variable and docu… (#1080) * feat: add ENABLE_OVERWRITE_BASE_HEADERS 
environment variable and documentation - Add ENABLE_OVERWRITE_BASE_HEADERS configuration option to .env.example - Document ENABLE_OVERWRITE_BASE_HEADERS in README.md configuration table - Update Helm values.yaml to include ENABLE_OVERWRITE_BASE_HEADERS setting - Add ENABLE_OVERWRITE_BASE_HEADERS documentation to proxy authentication guides - Update header passthrough documentation with base headers override section - Add environment variable mapping in config.py for proper .env file reading - Implement base header override logic in passthrough_headers.py - Add logging for header override status in main.py startup - Include comprehensive unit tests for base header override functionality - Fix trailing newlines in various documentation files This enables advanced users to allow passthrough headers to override gateway base headers like Content-Type when ENABLE_OVERWRITE_BASE_HEADERS=true, while maintaining secure defaults (disabled by default). * rebase and test Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Naveed, Muhammad Shahrukh [JJCUS] <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * Feature 285/pydantic v2 config validation (#1110) * added validate env, test coverage scripts Signed-off-by: Veeresh K <[email protected]> * added documentation Signed-off-by: Veeresh K <[email protected]> * configuration reference doc Signed-off-by: Veeresh K <[email protected]> * fixed lint issue Signed-off-by: Veeresh K <[email protected]> * Fix docstrings and validation scripts Signed-off-by: Veeresh K <[email protected]> * rebase and test Signed-off-by: Mihai Criveti <[email protected]> * fix: revert password validation to 8 char minimum and LOG_TO_FILE default - Changed minimum password length requirement from 12 to 8 characters - Restored LOG_TO_FILE default to false in .env.example - Updated documentation to reflect correct password requirements - Maintains backward 
compatibility with existing configurations * fix: make password validation respect configured values - Password validation now uses PASSWORD_MIN_LENGTH config (default 8) - Fixed boolean format consistency in .env.example (all lowercase) - Password requirements default to false (not enforced) - Validation warnings adapt to actual configured minimums - No more hardcoded validation values --------- Signed-off-by: Veeresh K <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * Sticky Header Bar for easy access to team and other functionality (#1021) * Signed-off-by: Keval Mahajan <[email protected]> * fixed stylelinting Signed-off-by: Keval Mahajan <[email protected]> * fix: handle Pydantic v2 SecretStr in JWT token creation After the Pydantic v2 migration, jwt_secret_key and auth_encryption_secret are now SecretStr objects. This fix ensures we extract the actual string value when passing to JWT encode/decode functions. Fixes login failure with 'Expected a string value' error. Signed-off-by: Mihai Criveti <[email protected]> * rebase and test Signed-off-by: Mihai Criveti <[email protected]> * fix: revert unintended .env.example password change * rebase and test Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Keval Mahajan <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * fix: add metrics recording for prompts, resources, and servers (#1127) * fix: add metrics recording for prompts, resources, and servers Implements missing metrics recording functionality to track: - Prompt template invocations with response times and error tracking - Resource read operations with success/failure metrics - Server/gateway forwarding operations with performance metrics All metrics now properly record execution counts, response times, and error messages for comprehensive observability. 
Closes #699 * fix: remove duplicate prompt metrics recording from API layer The prompt endpoints in main.py were recording metrics directly, causing double-counting since the service layer now also records metrics. Removed duplicate recording to ensure metrics are only recorded once per execution at the service layer where they belong. Also cleaned up unused imports (time, select, DbPrompt). * fix: correct doctest expected output format * fix: remove duplicate tool metrics recording in _invoke_a2a_tool The _invoke_a2a_tool method was recording metrics directly, causing double-counting since invoke_tool (which calls _invoke_a2a_tool) also records metrics. Removed the duplicate recording to ensure metrics are only recorded once per tool invocation. * fix: update doctest to avoid module path issues * fix: resolve pylint R1705 no-else-return issue * Add email_team_member_history table for tracking team member actions (#1012) * member history Signed-off-by: rakdutta <[email protected]> * doctest Signed-off-by: rakdutta <[email protected]> * doctest Signed-off-by: rakdutta <[email protected]> * interrogate Signed-off-by: rakdutta <[email protected]> * migration and pytest Signed-off-by: rakdutta <[email protected]> * team_member_id add Signed-off-by: rakdutta <[email protected]> * team member history Signed-off-by: rakdutta <[email protected]> * hist approved join Signed-off-by: rakdutta <[email protected]> * alembic revision Signed-off-by: rakdutta <[email protected]> * fix: reconcile team member history tracking after rebase - Update test expectations to account for additional commits in history tracking - Ensure consistent action names across all services (use 'added' not 'member-added') - Fix conflicts from rebase against latest main branch * rebase and test Signed-off-by: Mihai Criveti <[email protected]> * fix: improve alembic migration for cross-database compatibility - Replace utc_now() import with inline datetime.now(timezone.utc) for portability - Use 
database-agnostic boolean condition (TRUE OR 1) for SQLite/PostgreSQL/MySQL - Generate unique UUIDs for history records during migration - Simplify SQL query to avoid nested subqueries that may not work in all databases - Ensure proper handling of NULL role values with fallback to 'member' * fix: use database-specific boolean comparison in migration PostgreSQL requires strict type matching for boolean columns. Use TRUE for PostgreSQL and 1 for MySQL/SQLite to ensure compatibility across all supported databases. Fixes migration error: 'operator does not exist: boolean = integer' * fix: use server_default instead of default in oauth migration PostgreSQL requires server_default for column defaults in Alembic migrations. Using Python-side default causes issues during table creation. - Change default=False to server_default=sa.false() for boolean - Change default=sa.func.now() to server_default=sa.func.now() Fixes: 'current transaction is aborted' error during migration * Fix postgres issues Signed-off-by: Mihai Criveti <[email protected]> * fix: resolve Bandit B608 SQL injection warning in migration Replace f-string SQL query construction with separate static queries for each database dialect. This eliminates the potential SQL injection vector flagged by Bandit, even though the original code was safe since we controlled the values. - Use separate sa.text() calls for PostgreSQL vs MySQL/SQLite - No dynamic string interpolation in SQL queries - Maintains database-specific boolean handling Fixes Bandit warning: B608 hardcoded_sql_expressions * Set secure cookies to false for default .env Signed-off-by: Mihai Criveti <[email protected]> * fix: prevent transaction abort in OAuth migration The migration was trying to drop an index that might not exist, and even though it caught the exception, PostgreSQL aborts the entire transaction when any error occurs. This causes all subsequent operations to fail with 'current transaction is aborted'. 
Fixed by: - Checking if index exists before attempting to drop it - Database-specific queries to check index existence - No exceptions thrown, preventing transaction abort This ensures the migration runs successfully on PostgreSQL, MySQL, and SQLite whether the index exists or not. * Fix DB migration Signed-off-by: Mihai Criveti <[email protected]> * Fix compose Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: rakdutta <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * Fix: Get /a2a/ returns 500 due to datatype mistmatch (#1128) * Update a2a_service.py Signed-off-by: Alyssa Novelia <[email protected]> * add signature Signed-off-by: Alyssa Novelia <[email protected]> * fix: Update all callers to use user_info parameter The list_agents_for_user function signature was changed to accept user_info instead of user_email, but the callers weren't updated. This caused pylint errors E1123 and E1120. Updated all 3 call sites: - mcpgateway/main.py:1779 - mcpgateway/admin.py:2156 - mcpgateway/admin.py:8648 All callers still pass the extracted email string (backward compatible), and the function handles both string and dict formats. 
Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Alyssa Novelia <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * PR for Plugin Management API and UI to Admin Dashboard - closes #1129 (#1130) * Plugins UI Signed-off-by: Mihai Criveti <[email protected]> * Plugins UI fixed Signed-off-by: Mihai Criveti <[email protected]> * Plugins UI fixed Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * pylint Signed-off-by: Mihai Criveti <[email protected]> * Fix resource filter (#1131) Signed-off-by: Mihai Criveti <[email protected]> * Update tests Signed-off-by: Madhav Kandukuri <[email protected]> * Fix header propagation so we don's send X-Vault-Headers to mcp server (#1134) * Fix header propagation so we don's send X-Vault-Headers to mcp server * remove old del * Added a test example --------- Co-authored-by: popagruia <[email protected]> * comment limit for tools Signed-off-by: Keval Mahajan <[email protected]> * minor fix Signed-off-by: Keval Mahajan <[email protected]> * Local Catalog of MCP servers for MCP Registry & Marketplace (295) (#1132) * Local registry Signed-off-by: Mihai Criveti <[email protected]> * Update catalog Signed-off-by: Mihai Criveti <[email protected]> * Fix catalog Signed-off-by: Mihai Criveti <[email protected]> * Fix catalog Signed-off-by: Mihai Criveti <[email protected]> * Fix catalog Signed-off-by: Mihai Criveti <[email protected]> * Fix catalog Signed-off-by: Mihai Criveti <[email protected]> * Fix catalog Signed-off-by: Mihai Criveti <[email protected]> * streamable http tools registration variable consistency Signed-off-by: Keval Mahajan <[email protected]> * linting fixes Signed-off-by: Keval Mahajan <[email protected]> * minor vulture fix Signed-off-by: Keval Mahajan <[email protected]> * Rebase and lint Signed-off-by: Mihai Criveti <[email protected]> * Rebase and lint Signed-off-by: 
Mihai Criveti <[email protected]> * Rebase and lint Signed-off-by: Mihai Criveti <[email protected]> * Rebase and lint Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Signed-off-by: Keval Mahajan <[email protected]> Co-authored-by: Keval Mahajan <[email protected]> * docs: revise and consolidate plugin specification and design docs (#1139) * docs: fix inconsistencies Signed-off-by: Frederico Araujo <[email protected]> * docs: revise and refactor plugin specification docs Signed-off-by: Frederico Araujo <[email protected]> * docs: update adr references Signed-off-by: Frederico Araujo <[email protected]> * docs: update toc Signed-off-by: Frederico Araujo <[email protected]> * docs: update nav Signed-off-by: Frederico Araujo <[email protected]> * docs: update plugins spec Signed-off-by: Frederico Araujo <[email protected]> * docs: update diagrams Signed-off-by: Frederico Araujo <[email protected]> --------- Signed-off-by: Frederico Araujo <[email protected]> * Fix encode in SecretStr (#1133) * Fix SecretStr encode Signed-off-by: Madhav Kandukuri <[email protected]> * Fix typo Signed-off-by: Madhav Kandukuri <[email protected]> * Fix oauth tests Signed-off-by: Madhav Kandukuri <[email protected]> * Fix linting issues Signed-off-by: Madhav Kandukuri <[email protected]> * feat: add LLMGuard security guardrails plugin (#1018) * making cryptography version compatible with llmguard Signed-off-by: Shriti Priya <[email protected]> * lower bound Signed-off-by: Shriti Priya <[email protected]> * Initial plugin implementation using llmguard Signed-off-by: Shriti Priya <[email protected]> * changes for input and output filters Signed-off-by: Shriti Priya <[email protected]> * documentation on functions of llmguard.py Signed-off-by: Shriti Priya <[email protected]> * Adding documentation and minor bug fixes Signed-off-by: Shriti Priya <[email protected]> * linting changes 
Signed-off-by: Shriti Priya <[email protected]> * Updating cryptography dependency in containerfile for llmguard Signed-off-by: Shriti Priya <[email protected]> * Reverting the cryptography package version in root pyproject.toml Signed-off-by: Shriti Priya <[email protected]> * Updating manifest.in file Signed-off-by: Shriti Priya <[email protected]> * adding make test in container Signed-off-by: Shriti Priya <[email protected]> * fix: fixed retry on client plugin connection. Signed-off-by: Teryl Taylor <[email protected]> * Changing port for llmguard Signed-off-by: Shriti Priya <[email protected]> * Pre-caching the scanners during container build Signed-off-by: Shriti Priya <[email protected]> * test cases Signed-off-by: Shriti Priya <[email protected]> * filters and sanitizers Signed-off-by: Shriti Priya <[email protected]> * Vault caching for anonymize and deanonymize, examples Signed-off-by: Shriti Priya <[email protected]> * vault caching and expiry ttl, vault leak detection and redis caching Signed-off-by: Shriti Priya <[email protected]> * adding test cases Signed-off-by: Shriti Priya <[email protected]> * Adding test cases for vault and sanitizers Signed-off-by: Shriti Priya <[email protected]> * Documentation and test cases for LLMGuardPlugin Signed-off-by: Shriti Priya <[email protected]> * Updating readme for plugin Signed-off-by: Shriti Priya <[email protected]> * Updating readme for plugin Signed-off-by: Shriti Priya <[email protected]> * Updating readme for plugin Signed-off-by: Shriti Priya <[email protected]> * Updating readme for plugin Signed-off-by: Shriti Priya <[email protected]> * Updating yaml formatting in documentation Signed-off-by: Shriti Priya <[email protected]> * Adding some examples, test cases for complex policies and documentation update Signed-off-by: Shriti Priya <[email protected]> * Pandoc MCP Server (#1044) Signed-off-by: Mihai Criveti <[email protected]> * Massive mcp server and plugin update (#1051) * MCP Servers and Plugins 
Signed-off-by: Mihai Criveti <[email protected]> * Formatting Signed-off-by: Mihai Criveti <[email protected]> * Update Readme Signed-off-by: Mihai Criveti <[email protected]> * Update plugin Signed-off-by: Mihai Criveti <[email protected]> * Update plugins Signed-off-by: Mihai Criveti <[email protected]> * Update docs Signed-off-by: Mihai Criveti <[email protected]> * Update chmod Signed-off-by: Mihai Criveti <[email protected]> * Update headers Signed-off-by: Mihai Criveti <[email protected]> * Update headers Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * OAuth token multitenancy closes #1078 (user-scoped tokens) and #1023 (token refresh) (#1084) * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Fix oauth token multitenancy Signed-off-by: Mihai Criveti <[email protected]> * Update alembic migration - fix 0.7.0 upgrade Signed-off-by: Mihai Criveti <[email protected]> * Closes #1023 - implement token refresh Signed-off-by: Mihai Criveti <[email protected]> * Closes #1023 - implement token refresh Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * Documentation update readmes (#1087) * Documentation updates Signed-off-by: Mihai Criveti <[email protected]> * Documentation updates Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * Documentation updates (#1088) Signed-off-by: Mihai Criveti <[email protected]> * Documentation updates (#1089) Signed-off-by: Mihai Criveti <[email protected]> * Test tokens (#1090) * Test tokens Signed-off-by: Mihai Criveti <[email protected]> * llms-mcp-server-python Signed-off-by: Mihai Criveti 
<[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * Update mcp servers (#1091) * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> * Update MCP Servers Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * PM MCP Server Signed-off-by: Mihai Criveti <[email protected]> * PM MCP Server Signed-off-by: Mihai Criveti <[email protected]> * PM MCP Server Signed-off-by: Mihai Criveti <[email protected]> * Fixes OAuth after addition of signature to state (#1097) * copied from main Signed-off-by: Madhav Kandukuri <[email protected]> * testing changes Signed-off-by: Madhav Kandukuri <[email protected]> * Fix oauth code Signed-off-by: Madhav Kandukuri <[email protected]> * Fix tests in test_oauth_router Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * remove debug_team_dropdown.md Signed-off-by: Madhav Kandukuri <[email protected]> * String issue fixed Signed-off-by: Madhav Kandukuri <[email protected]> --------- Signed-off-by: Madhav Kandukuri <[email protected]> * feat: add opa policy input data mapping support (#1102) * feat: add opa policy input data mapping support Signed-off-by: Frederico Araujo <[email protected]> * chore: drop debugging print statement Signed-off-by: Frederico Araujo <[email protected]> --------- Signed-off-by: Frederico Araujo <[email protected]> * fix: multi-arch support for opa server (#1106) Signed-off-by: Frederico Araujo <[email protected]> * docs: add Terraform MCP Server and Gateway integration guide (#1083) This commit adds 
documentation explaining the Terraform MCP Server, its key features, and how to integrate it with the MCP Gateway. The content is based on the official documentation and adapted for usage and reference. Signed-off-by: Alexander Cobas Rodríguez <[email protected]> * copied from main Signed-off-by: Madhav Kandukuri <[email protected]> * testing changes Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * remove debug_team_dropdown.md Signed-off-by: Madhav Kandukuri <[email protected]> * copied from fix-oauth Signed-off-by: Madhav Kandukuri <[email protected]> * OAuth for test gateway Signed-off-by: Madhav Kandukuri <[email protected]> * testing Signed-off-by: Madhav Kandukuri <[email protected]> * testing Signed-off-by: Madhav Kandukuri <[email protected]> * Fix tests Signed-off-by: Madhav Kandukuri <[email protected]> * Update doctest for check_health_for_gatways Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * Fix pylint issues Signed-off-by: Madhav Kandukuri <[email protected]> * UI multi tenancy gaps (#1040) * visibility fix, team id in consistency fix, other minor fixes * fixed test cases * lint web fixes Signed-off-by: Satya <[email protected]> * updated tools view metadata * metadata visibility check Tools, A2A Signed-off-by: Satya <[email protected]> * rebase Signed-off-by: Satya <[email protected]> * lint-web fix Signed-off-by: Satya <[email protected]> * fix for private visibility to user specific Signed-off-by: Satya <[email protected]> --------- Signed-off-by: Satya <[email protected]> * The system executed 5 runs with a 0% success rate, an average response time of 0.393 ms, and an error rate of 0%. 
(#1103) Signed-off-by: NAYANAR <[email protected]> Co-authored-by: NAYANAR <[email protected]> * Pass auth headers when gateway auth is None (#1115) * code change as in issue Signed-off-by: Madhav Kandukuri <[email protected]> * Update tests Signed-off-by: Madhav Kandukuri <[email protected]> * Update README.md * Update README.md Signed-off-by: Shriti Priya <[email protected]> * Update README.md Signed-off-by: Shriti Priya <[email protected]> * WIP: Plugin Framework Specification Document (#1118) * docs: initial revision plugins spec Signed-off-by: Teryl Taylor <[email protected]> * docs(spec): moved plugin spec and broke into subpages. Signed-off-by: Teryl Taylor <[email protected]> * docs(spec): added some administrative hooks to spec Signed-off-by: Teryl Taylor <[email protected]> * (feat): Markdown fixes and added future hooks. Signed-off-by: Ian Molloy <[email protected]> --------- Signed-off-by: Teryl Taylor <[email protected]> Signed-off-by: Ian Molloy <[email protected]> Co-authored-by: Teryl Taylor <[email protected]> Co-authored-by: Ian Molloy <[email protected]> * plugins spec update Signed-off-by: Mihai Criveti <[email protected]> * Removing files Signed-off-by: Shriti Priya <[email protected]> * Removing files Signed-off-by: Shriti Priya <[email protected]> * Adding default allow response Signed-off-by: Shriti Priya <[email protected]> * Linting fixes, caching regex and toxicity filter, docker-compose edits Signed-off-by: Shriti Priya <[email protected]> * Update README.md Signed-off-by: Shriti Priya <[email protected]> * Update README.md Signed-off-by: Shriti Priya <[email protected]> * Update README.md Signed-off-by: Shriti Priya <[email protected]> * fix: solve linting issues Signed-off-by: Shriti Priya <[email protected]> --------- Signed-off-by: Shriti Priya <[email protected]> Signed-off-by: Teryl Taylor <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Signed-off-by: Madhav Kandukuri <[email protected]> Signed-off-by: 
Frederico Araujo <[email protected]> Signed-off-by: Alexander Cobas Rodríguez <[email protected]> Signed-off-by: Satya <[email protected]> Signed-off-by: NAYANAR <[email protected]> Signed-off-by: Ian Molloy <[email protected]> Co-authored-by: Teryl Taylor <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> Co-authored-by: Madhav Kandukuri <[email protected]> Co-authored-by: Frederico Araujo <[email protected]> Co-authored-by: alex-cobas <[email protected]> Co-authored-by: Madhav Kandukuri <[email protected]> Co-authored-by: Satya <[email protected]> Co-authored-by: Nayana R Gowda <[email protected]> Co-authored-by: NAYANAR <[email protected]> Co-authored-by: terylt <[email protected]> Co-authored-by: Ian Molloy <[email protected]> * Fix catalog search (#1144) * Fix catalog serve Signed-off-by: Mihai Criveti <[email protected]> * Fix catalog serve Signed-off-by: Mihai Criveti <[email protected]> * Fix disabled plugins listing Signed-off-by: Mihai Criveti <[email protected]> * Fix disabled plugins listing Signed-off-by: Mihai Criveti <[email protected]> * Fix disabled plugins listing Signed-off-by: Mihai Criveti <[email protected]> * Fix disabled plugins listing Signed-off-by: Mihai Criveti <[email protected]> * Fix disabled plugins listing Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * Fix disabled plugins listing Signed-off-by: Mihai Criveti <[email protected]> * Pass headers from plugin to server connection functions (#1142) * Fix SecretStr encode Signed-off-by: Madhav Kandukuri <[email protected]> * Fix linting issues Signed-off-by: Madhav Kandukuri <[email protected]> * Pass headers to connect to server functions Signed-off-by: Madhav Kandukuri <[email protected]> * Linting fixes Signed-off-by: Madhav Kandukuri <[email protected]> * fix: preserve tools/resources/prompts when editing OAuth2 gateways without URL change (#1146) * fix: preserve tools/resources/prompts when editing 
OAuth2 gateways without URL change Fixes #1025 Problem: When editing an MCP server with OAuth2 authentication (e.g., adding tags or updating description), all tools, resources, and prompts would disappear from the gateway. Users had to manually click 'Fetch Tools' to restore them. Root Cause: The admin UI sends all gateway fields (including the unchanged URL) during edits. The code was checking 'if gateway_update.url is not None' to determine whether to re-fetch tools from the server. Since the URL was always present (even when unchanged), it would attempt to re-initialize the gateway connection. For OAuth2 servers using authorization_code grant type, this re-initialization would fail because: 1. The context doesn't have the user's OAuth token 2. Re-fetch returns 0 tools 3. The cleanup logic deletes all existing tools as 'no longer available' Solution: Check if the URL value actually changed, not just if it was provided: url_changed = (gateway_update.url is not None and self.normalize_url(str(gateway_update.url)) != gateway.url) Only re-fetch tools when the URL truly changed. This preserves existing tools, resources, and prompts for OAuth2-authenticated gateways when editing other fields like tags, description, visibility, etc. 
Testing: Verified with Asana MCP Server: - Created OAuth2 gateway with Asana - Completed OAuth flow and fetched 42 tools - Edited gateway tags - ✅ Tools persisted (previously would have been deleted) Signed-off-by: Manav Gupta <[email protected]> * rebase Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Manav Gupta <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> * docs: update plugins usage and document built-in plugins (#1147) * docs: normalized plugin names Signed-off-by: Frederico Araujo <[email protected]> * docs: update to plugins docs Signed-off-by: Frederico Araujo <[email protected]> * docs: add available plugins page Signed-off-by: Frederico Araujo <[email protected]> --------- Signed-off-by: Frederico Araujo <[email protected]> * Update UX (#1152) Signed-off-by: Mihai Criveti <[email protected]> * Update ux catalogs (#1153) * Update UX filters mcp servers Signed-off-by: Mihai Criveti <[email protected]> * Update partial for mcp registry Signed-off-by: Mihai Criveti <[email protected]> * Update partial for mcp registry Signed-off-by: Mihai Criveti <[email protected]> * Update partial for mcp registry Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * fix: piifilter dead code (#1149) Signed-off-by: Frederico Araujo <[email protected]> * fix: remove unused variable (#1150) Signed-off-by: Frederico Araujo <[email protected]> * fix: lint issues across plugins (#1151) Signed-off-by: Frederico Araujo <[email protected]> * Config tab (#1154) * Config tab Signed-off-by: Mihai Criveti <[email protected]> * Config tab Signed-off-by: Mihai Criveti <[email protected]> * Add fast time server Signed-off-by: Mihai Criveti <[email protected]> * Pylint Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * Config tab (#1155) * Config tab Signed-off-by: Mihai Criveti 
<[email protected]> * Config tab Signed-off-by: Mihai Criveti <[email protected]> * Add fast time server Signed-off-by: Mihai Criveti <[email protected]> * Pylint Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * docs: normalize project name (#1157) Signed-off-by: Frederico Araujo <[email protected]> * Add scale.md (#1165) * Add scale docs Signed-off-by: Mihai Criveti <[email protected]> * Add scale docs Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> * feat: Implement OAuth Dynamic Client Registration (DCR) and PKCE support (#1158) * test: Add TDD Red Phase tests for DCR and PKCE (RFC 7591, 7636) Add comprehensive test suite for OAuth Dynamic Client Registration and PKCE following Test-Driven Development (Red Phase). All tests will fail until implementation is complete. Tests Added: - test_oauth_manager_pkce.py (22 tests) * PKCE parameter generation (RFC 7636) * Authorization URL with code_challenge * State storage with code_verifier * Token exchange with PKCE validation * Security properties validation - test_dcr_service.py (35 tests) * AS metadata discovery (RFC 8414) * Client registration (RFC 7591) * Get-or-register pattern * Update/delete operations * Issuer validation and error handling - test_dcr_flow_integration.py (12 tests) * Complete PKCE flow with database * Complete DCR flow end-to-end * Security validations (replay prevention, expiry) * Error handling scenarios All tests use shared test_db fixture from tests/conftest.py. Related to #979 Test Status: 🔴 RED - Tests will fail until implementation * feat: Implement PKCE and DCR core functionality (TDD Green Phase) Implement OAuth Dynamic Client Registration and PKCE support following RFCs 7591, 7636, and 8414. This is the TDD Green Phase implementation. Test Results: 27/45 tests passing (60%) - PKCE tests: 17/22 passing (77%) - DCR tests: 10/23 passing (43%) Changes: 1. 
PKCE Support (RFC 7636): - Add code_verifier column to oauth_states table - Implement _generate_pkce_params() for PKCE generation - Implement _create_authorization_url_with_pkce() - Update _store_authorization_state() to store code_verifier - Implement _validate_and_retrieve_state() to return state data - Update _exchange_code_for_tokens() to include code_verifier - Wire PKCE through initiate/complete authorization flows 2. DCR Service (RFC 7591): - Create DcrService with AS metadata discovery (RFC 8414) - Implement register_client() for dynamic registration - Implement get_or_register_client() pattern - Implement update_client_registration() - Implement delete_client_registration() - Add metadata caching for performance - Add DcrError exception class 3. Database Models: - Add RegisteredOAuthClient model for DCR storage - Add code_verifier to OAuthState model - Add relationship to Gateway model 4. Configuration: - Add 10 DCR configuration settings - Add oauth_discovery_enabled setting - Add oauth_preferred_code_challenge_method setting 5. Database Migrations: - Migration 61ee11c482d6: Add code_verifier column - Migration 2f67b12600b4: Add registered_oauth_clients table Remaining work: - Fix mocking issues in some tests (module-level variable patches) - Add admin DCR router (Phase 1.4) - Update OAuth router integration - Documentation updates Related to #979 * fix: Fix unit test mocking issues for PKCE and DCR tests Fix failing unit tests by correcting mock setups: Test Results: 33/45 passing (73% - up from 60%) - PKCE tests: 22/22 passing (100%) ✅ - DCR tests: 11/23 passing (48%) Changes: - Fix _state_lock patching (module-level vs instance) - Fix aiohttp.ClientSession mocking for async context managers - Add token_storage mock for initiate_authorization_code_flow test - Fix issuer mismatch in discovery test mocks - Clear metadata cache in caching test All PKCE tests now passing. Remaining DCR test failures are due to mock setup complexity, not implementation bugs. 
Related to #979 * fix: Fix remaining DCR test issues - ALL TESTS PASSING ✅ Fix final test issues to achieve 100% test pass rate: Test Results: 45/45 passing (100%) ✅✅✅ - PKCE tests: 22/22 passing (100%) - DCR tests: 23/23 passing (100%) Changes: - Fix aiohttp.ClientSession mocking for discovery tests - Clear metadata cache in tests for isolation - Use unique gateway_id and issuer for each test (avoid UNIQUE constraints) - Add Gateway objects to database before RegisteredOAuthClient - Fix Gateway model attributes (use slug/url instead of server_url/command) - Properly encrypt registration_access_token in update tests - Update encrypted secret assertions (check length instead of prefix) All unit tests for PKCE and DCR now passing! Related to #979 * fix: Fix test_dcr_implementation.sh heredoc issues Fix script hanging by: - Remove 'set -e' to allow test counting instead of immediate exit - Replace problematic heredocs with single-line Python commands - Suppress stderr warnings (security warnings from config) - Use grep for file content checks instead of Python heredocs Script now runs to completion and reports: - 5 tests passed (PKCE, DCR service, database, config) - 2 tests failed (admin router not yet implemented) - Warnings for documentation (Phase 1.4 tasks) Related to #979 * feat: Implement Phase 1.4 - Integrate DCR into OAuth router - Auto-detect missing client_id when gateway has issuer - Auto-trigger DCR client registration when DCR is enabled - Store registered credentials and update gateway oauth_config - Add admin endpoints for viewing/managing registered OAuth clients - Integrate with existing PKCE implementation in OAuthManager Endpoints added: - GET /oauth/registered-clients - List all registered clients - GET /oauth/registered-clients/{gateway_id} - Get client for gateway - DELETE /oauth/registered-clients/{client_id} - Delete registered client Closes #979 Phase 1.4 * fix: Set auth_type=oauth when DCR auto-registers client When DCR automatically 
registers a client, we now also update the gateway's auth_type field to 'oauth' to ensure subsequent connections know to use OAuth authentication. This ensures the gateway initialization logic correctly skips immediate connection attempts for OAuth authorization code flows. * fix: Auto-detect OAuth and add OAuth option to UI - Added 'OAuth 2.0' option to auth_type dropdown in admin UI - Auto-detect auth_type='oauth' when oauth_config is present - Applied to both create and edit gateway endpoints - Users no longer need to manually select OAuth auth type This fixes the issue where OAuth-protected MCP servers (like Reddit MCP) would fail to register because auth_type wasn't automatically set. * feat: Assemble OAuth config from UI form fields + add issuer field Backend changes (admin.py): - Collect individual OAuth fields from UI form - Assemble into oauth_config object - Support both JSON string (API) and form fields (UI) - Applied to both create and edit endpoints UI changes (admin.html): - Added oauth_issuer field (required for DCR) - Updated Client ID placeholder for DCR - Added help text explaining DCR auto-registration - Applied to both Add and Edit gateway forms Now users can configure OAuth gateways via UI with proper DCR support. If client_id is empty but issuer is provided, DCR will auto-register the client. * feat: Add DCR help text and debug logging - Added blue help text to Client Secret field explaining DCR - Applied to both Add and Edit forms - Added debug logging to show complete oauth_config assembly - Made OAuth authorization code fields always visible This makes it clear to users that Client ID and Client Secret can be left empty when using DCR. * debug: Add form field debugging to trace oauth_config issue Added logging to see what oauth_config_json and individual OAuth fields are being received from the form submission. 
* fix: Disable JavaScript OAuth config assembly, let backend handle it The JavaScript in admin.js was intercepting the form submission and assembling oauth_config with incorrect field names (token_url instead of token_endpoint). This caused the backend to receive pre-assembled but incorrect OAuth configuration. Changes: - Commented out OAuth config assembly in handleAddGatewayFormSubmit - Commented out OAuth config assembly in handleEditGatewayFormSubmit - Individual OAuth form fields now pass through to backend - Backend (admin.py) correctly assembles with proper field names - Supports DCR when client_id/client_secret are empty This fixes the issue where grant_type was always 'client_credentials' instead of respecting the user's selection of 'authorization_code'. * fix: Make Authorization Code the default OAuth grant type Changed the default selection in the grant type dropdown from 'client_credentials' to 'authorization_code' since that's the most common use case for OAuth-protected MCP servers and the flow we're testing for DCR/PKCE. Users can still select Client Credentials if needed, but Authorization Code is now the default for both Add and Edit gateway forms. * fix: Accept HTTP 200 for DCR registration (RFC 7591 compatibility) Some OAuth servers (like systemprompt-mcp-server) return HTTP 200 OK instead of HTTP 201 Created for successful client registration, even though RFC 7591 specifies 201. Changed the DCR service to accept both 200 and 201 as successful responses to improve compatibility with real-world OAuth servers. This allows DCR to work with the Reddit MCP server (systemprompt) which registers public clients (no client_secret) and returns 200. * fix: Support public clients (no secret) and fix OAuth field names Two critical fixes for DCR with public clients: 1. 
Handle public clients without client_secret: - Check if client_secret_encrypted is None before decrypting - Only add client_secret to oauth_config if it exists - This supports PKCE-only flows (RFC 7636) 2. Fix OAuth field name inconsistency: - Changed 'token_endpoint' -> 'token_url' - Changed 'authorization_endpoint' -> 'authorization_url' - OAuthManager expects these field names - Applied to both admin.py (form assembly) and oauth_router.py (DCR) This allows DCR to work with public OAuth clients like the Reddit MCP server (systemprompt-mcp-server) which uses PKCE without secrets. * feat: Implement OAuth Dynamic Client Registration (DCR) and PKCE support Implements Phase 1 of RFC 7591 (DCR) and RFC 7636 (PKCE) support for OAuth-protected MCP servers, as specified in issue #979. Core Implementation: - Added DcrService for AS metadata discovery (RFC 8414) and client registration (RFC 7591) - Implemented PKCE (Proof Key for Code Exchange) in OAuthManager for Authorization Code flows - Integrated DCR into oauth_router to auto-register when issuer present but client_id missing - Added RegisteredOAuthClient model to store DCR registrations with encrypted credentials - Added code_verifier field to OAuthState model for PKCE support - Created Alembic migrations for new database schema Configuration: - Added DCR settings: dcr_enabled, dcr_auto_register_on_missing_credentials, dcr_default_scopes - Added OAuth discovery settings: oauth_discovery_enabled, oauth_preferred_code_challenge_method - Added DCR security settings: dcr_allowed_issuers, dcr_token_endpoint_auth_method OAuth Enhancements: - Support for public OAuth clients (PKCE-only, no client_secret) - Accept both HTTP 200 and 201 for DCR registration responses - Fixed OAuth field name inconsistencies (authorization_url/token_url vs authorization_endpoint/token_endpoint) - Skip strict URL validation for OAuth-protected servers - Support both SSE and STREAMABLEHTTP transports for OAuth servers UI/UX Improvements: - Added 
OAuth 2.0 option to auth_type dropdown in admin UI - Added oauth_issuer field for DCR configuration - Made Authorization Code the default grant type - Added help text for Client ID and Client Secret fields explaining DCR - Backend now assembles oauth_config from individual form fields - Auto-detects auth_type="oauth" when OAuth config is present - Made OAuth authorization fields always visible when OAuth 2.0 is selected Testing: - 22 PKCE unit tests covering parameter generation, state storage, token exchange - 23 DCR unit tests covering AS discovery, client registration, error handling - 8 integration tests covering end-to-end DCR and PKCE flows - All 53 tests passing with proper database session isolation and aiohttp mocking - Imported OAuthState and RegisteredOAuthClient models in test conftest for schema creation Bug Fixes: - Fixed JavaScript in admin.js that was incorrectly assembling oauth_config - Handle missing client_secret for public clients in token exchange - Only decrypt client_secret if present (avoid NoneType errors) - Clear metadata cache in tests for proper isolation - Added debug logging for OAuth config assembly Validation: - Tested end-to-end with systemprompt-mcp-server (Reddit MCP) - Successfully completed DCR + PKCE + OAuth flow with real-world server - Verified token encryption/decryption works correctly - Confirmed PKCE code_challenge and code_verifier flow Closes #979 (Phase 1.4 - Integration into OAuth router) * fix: Remove unused imports in dcr_service.py Removed unused imports to fix ruff and flake8 linting errors: - timedelta (not used in the file) - Optional (not used in the file) All other imports (datetime, timezone, Any, Dict, List) are used. * fix: Update existing OAuth tests for PKCE implementation Updated existing OAuth tests to match the new PKCE implementation: 1. 
test_initiate_authorization_code_flow_success: - Now expects PKCE parameters in authorization URL - Removed mocking of old _create_authorization_url method - Validates code_challenge and code_challenge_method presence 2. test_complete_authorization_code_flow_success: - Updated _exchange_code_for_tokens call to include code_verifier - Stores code_verifier with state for PKCE validation 3. test_complete_authorization_code_flow_no_token_storag…
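The PKCE flow described in the commit message above (parameter generation, `code_verifier` stored with the state, replay and expiry checks, public clients without a `client_secret`), as an added example that is not code from this PR or the project. All function names, the `StateStore` class, the TTL value and the example URLs are assumptions; only the `authorization_url` naming and the RFC 7636 parameter names come from the page.

```python
"""PKCE (RFC 7636) with single-use, expiring state. Added illustration only."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlencode

STATE_TTL_SECONDS = 300  # assumed lifetime; the page does not give the project's value
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_pkce_params() -> dict:
    """Create a fresh verifier and its S256 challenge for one authorization request."""
    verifier = b64url(secrets.token_bytes(32))  # 32 random bytes -> 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return {"code_verifier": verifier, "code_challenge": challenge,
            "code_challenge_method": "S256"}


class StateStore:
    """In-memory stand-in for a state table that also holds the code_verifier."""

    def __init__(self, ttl: float = STATE_TTL_SECONDS, clock=time.time):
        self._rows = {}
        self._ttl = ttl
        self._clock = clock

    def put(self, gateway_id: str, code_verifier: str) -> str:
        state = secrets.token_urlsafe(32)
        self._rows[state] = {"gateway_id": gateway_id,
                             "code_verifier": code_verifier,
                             "expires_at": self._clock() + self._ttl}
        return state

    def pop_valid(self, state: str, gateway_id: str):
        """Return the stored row once; replayed, expired or foreign states yield None."""
        row = self._rows.pop(state, None)  # deleted on first use, so a replay finds nothing
        if row is None:
            return None
        if row["gateway_id"] != gateway_id or self._clock() > row["expires_at"]:
            return None
        return row


def build_authorization_url(authorization_url: str, client_id: str, redirect_uri: str,
                            state: str, pkce: dict, scope: str = "") -> str:
    """Only the challenge goes to the browser; the verifier stays server-side."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state,
              "code_challenge": pkce["code_challenge"],
              "code_challenge_method": pkce["code_challenge_method"]}
    if scope:
        params["scope"] = scope
    return authorization_url + "?" + urlencode(params)


def token_request_body(code: str, redirect_uri: str, client_id: str,
                       code_verifier: str, client_secret=None) -> dict:
    """Token exchange form fields; public clients send no client_secret."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": code_verifier}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def server_verify(code_verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """The check an authorization server performs at the token endpoint."""
    if method != "S256":  # refuse a downgrade to "plain"
        return False
    if not VERIFIER_RE.fullmatch(code_verifier):
        return False
    computed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(computed, stored_challenge)


if __name__ == "__main__":
    pkce = generate_pkce_params()
    store = StateStore()
    state = store.put("gw-1", pkce["code_verifier"])  # constructed gateway id
    print(build_authorization_url("https://as.example/authorize", "client-1",
                                  "https://gw.example/callback", state, pkce))
    row = store.pop_valid(state, "gw-1")
    print("first use ok:", row is not None)
    print("replay rejected:", store.pop_valid(state, "gw-1") is None)
    print("server accepts verifier:", server_verify(row["code_verifier"], pkce["code_challenge"]))
```

Popping the state row before checking it means a failed validation also consumes the state, so a callback cannot be retried with the same value.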
Summary
Adds a comprehensive webhook notification system for MCP Gateway events with support for multiple authentication methods, retry logic, and customizable payload templates.
Features Added
plugins/webhook_notification/)
Event Types Supported
Files Added/Modified
- plugins/webhook_notification/webhook_notification.py - Main plugin implementation
- plugins/webhook_notification/README.md - Comprehensive documentation
- plugins/webhook_notification/TESTING.md - Testing procedures and examples
- plugins/webhook_notification/test_config.yaml - Example test configuration
- plugins/webhook_notification/plugin-manifest.yaml - Plugin metadata
- tests/unit/mcpgateway/plugins/plugins/webhook_notification/ - Complete test suite
- plugins/config.yaml - Updated with webhook plugin configuration
Configuration Example
Testing
Documentation
Test Plan