Release Notes Action Items for mcpg 0.3.25 → 0.3.28
This issue summarizes upstream release notes for the mcpg dependency between the previously pinned version (0.3.25) and the new pinned version (0.3.28), highlighting items that may need follow-up in ado-aw.
The companion version-bump PR is titled chore(deps): update MCPG_VERSION to 0.3.28.
Releases analyzed
Security fixes
- wazero WASM guard security hardening — v0.3.28 added a memory cap and backend call limit to the wazero WASM runtime used to execute guard policies, plus interpreter-mode tests (feat(guard): wazero security hardening — memory cap, backend call limit, interpreter tests). This protects against malicious or malformed WASM guards consuming unbounded resources. ado-aw consumers benefit automatically on upgrade. (v0.3.28)
Notable features for ado-aw to adopt
- OTLP multi-endpoint fan-out via GH_AW_OTLP_ENDPOINTS — v0.3.26 added support for forwarding telemetry to multiple OTLP endpoints simultaneously (feat: OTLP multi-endpoint fan-out via GH_AW_OTLP_ENDPOINTS). ado-aw could expose this env var in generated pipeline steps to let operators route agent telemetry to multiple observability backends. (v0.3.26)
- GitHub MCP Server v1.3.0 support — v0.3.27 added routing and guard coverage for new GitHub MCP Server v1.3.0 tools, including PR commits routing and get_file_blame (Support GitHub MCP Server v1.3.0: PR commits routing, get_file_blame spec, and guard docs). ado-aw should verify its pinned GitHub MCP Server version is compatible with or can benefit from the new routing. (v0.3.27)
- refusal-labels guard policy — v0.3.27 introduced a refusal-labels guard policy that allows the MCP gateway to attach structured labels to refusals (Implement 'refusal-labels' guard policy and align health 'specVersion' with MCP Gateway v1.14.0). ado-aw maintainers may want to evaluate whether to configure this in generated pipelines for richer audit and detection data. (v0.3.27)
- MCP_GATEWAY_SHUTDOWN_TIMEOUT env var — v0.3.27 documented a new env var for controlling the graceful shutdown timeout (docs: document MCP_GATEWAY_SHUTDOWN_TIMEOUT environment variable). ado-aw could expose this in generated pipeline teardown steps for operators who need longer shutdown windows. (v0.3.27)
Deprecations
MCP_GATEWAY_API_KEY deprecated in favour of MCP_GATEWAY_AGENT_ID — v0.3.26 changed run.sh to use MCP_GATEWAY_AGENT_ID with a deprecated fallback for MCP_GATEWAY_API_KEY (fix(run.sh): use MCP_GATEWAY_AGENT_ID with deprecated fallback for MCP_GATEWAY_API_KEY). If ado-aw sets MCP_GATEWAY_API_KEY in generated pipeline steps or documentation, it should migrate to MCP_GATEWAY_AGENT_ID. (v0.3.26)
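One way to find generated pipelines that still depend on the deprecated variable, as an added example that is not ado-aw or mcpg code. The function names, file names and sample YAML are constructed for illustration; only the two variable names come from the release notes.

```shell
#!/usr/bin/env bash
# Added example (not ado-aw or mcpg code): audit pipeline YAML for the
# deprecated MCP_GATEWAY_API_KEY variable. File names and YAML are constructed.

# True if file $2 references variable $1 as a whole word on a non-comment line.
references_var() {
    grep -Ev '^[[:space:]]*#' "$2" |
        grep -Eq "(^|[^A-Za-z0-9_])$1([^A-Za-z0-9_]|\$)"
}

# Print one of: unmigrated | mixed | ok
classify_pipeline_file() {
    local old=no new=no
    if references_var MCP_GATEWAY_API_KEY "$1"; then old=yes; fi
    if references_var MCP_GATEWAY_AGENT_ID "$1"; then new=yes; fi
    case "$old,$new" in
        yes,no)  echo unmigrated ;;  # relies on the deprecated fallback only
        yes,yes) echo mixed ;;       # migrated, but the old name is still set
        *)       echo ok ;;          # deprecated name absent or only in comments
    esac
}

# Print "<status> <file>" for each YAML file in directory $1.
audit_pipelines() {
    local f
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(classify_pipeline_file "$f")" "${f##*/}"
    done
}

# Write constructed sample pipelines into directory $1.
make_sample_pipelines() {
    printf 'steps:\n- script: ./run.sh\n  env:\n    MCP_GATEWAY_API_KEY: $(gatewayKey)\n' > "$1/legacy.yml"
    printf 'steps:\n- script: ./run.sh\n  env:\n    MCP_GATEWAY_AGENT_ID: $(agentId)\n    MCP_GATEWAY_API_KEY: $(gatewayKey)\n' > "$1/mixed.yml"
    printf 'steps:\n- script: ./run.sh\n  env:\n    # MCP_GATEWAY_API_KEY: removed\n    MCP_GATEWAY_AGENT_ID: $(agentId)\n' > "$1/migrated.yml"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_sample_pipelines "$demo_dir"
audit_pipelines "$demo_dir"
rm -rf "$demo_dir"
```

Files reported as `unmigrated` work only through the deprecated fallback; `mixed` files have been migrated but still set the old name.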
This issue was opened automatically by the dependency version updater workflow.