fix(deps): update module github.com/stacklok/toolhive to v0.6.16

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/stacklok/toolhive	v0.6.7 → v0.6.16

---

Release Notes

stacklok/toolhive (github.com/stacklok/toolhive)

v0.6.16

Compare Source

What's Changed

• Apply default MaxDataSize when config value is zero by @​jhrozek in #​3061
• Add /status HTTP endpoint to vMCP server (#​2998) by @​jhrozek in #​3066
• Update toolhive images to v0.6.15 by @​renovate[bot] in #​3088
• Update registry from toolhive-registry release v2025.12.18 by @​github-actions[bot] in #​3090
• Update anthropics/claude-code-action digest to 0d19335 by @​renovate[bot] in #​3092
• Update registry.access.redhat.com/ubi10/ubi-minimal Docker tag to v10.1-1766033715 by @​renovate[bot] in #​3096
• add crd fields for vmcp audit config by @​yrobla in #​3098
• Set Format field for default Kubernetes registry by @​dmartinol in #​3099
• Update docker/setup-buildx-action action to v3.12.0 by @​renovate[bot] in #​3117
• Add core health monitoring infrastructure for vmcp backends by @​yrobla in #​3100
• Rotate K8s versions to add 1.35 for tests by @​danbarr in #​3124
• Update registry from toolhive-registry release v2025.12.20 by @​github-actions[bot] in #​3112
• Update anthropics/claude-code-action digest to 7145c3e by @​renovate[bot] in #​3123
• Update golang.org/x/exp/jsonrpc2 digest to 944ab1f by @​renovate[bot] in #​3122
• fix: set ObservedGeneration in all validateCOmpositeToolsRefs paths by @​slyt3 in #​2979
• Fix audit middleware to always restore request body by @​jhrozek in #​3060
• Update k8s.io/utils digest to 98d557b by @​renovate[bot] in #​3105
• Update registry from toolhive-registry release v2025.12.21 by @​github-actions[bot] in #​3129
• Update registry from toolhive-registry release v2025.12.22 by @​github-actions[bot] in #​3130
• fix error of invalid memory address on TestAudit by @​yrobla in #​3134
• Replace context.Background() with cmd.Context() in CLI commands by @​mohamedfawas in #​3095
• Update issue triage workflow by @​eleftherias in #​3135
• Update k8s.io/utils digest to 9d40a56 by @​renovate[bot] in #​3127
• Docs for Desired Error Handling by @​jerm-dro in #​3089
• Composite Tools: Fix plumbing for on-error-continue config by @​jerm-dro in #​3118
• cli: standardize error wrapping with %w (#​3040) by @​mohamedfawas in #​3094
• Update registry from toolhive-registry release v2025.12.23 by @​github-actions[bot] in #​3141
• Update k8s.io/utils digest to 718f0e5 by @​renovate[bot] in #​3140
• Add practical examples to major CLI commands by @​AlankarJagtap in #​3126
• Bump the operator values by @​rdimitrov in #​3145
• Update helm/kind-action digest to f5f117a by @​renovate[bot] in #​3137
• Update module github.com/lestrrat-go/httprc/v3 to v3.0.3 by @​renovate[bot] in #​3143
• Update kubernetes packages to v0.35.0 by @​renovate[bot] in #​3091
• Integrate health monitoring into vMCP server by @​yrobla in #​3101
• K8s Client: Apply Pod Spec Annotations by @​jerm-dro in #​3152
• Fix Failing Test: Remove Large File by @​jerm-dro in #​3154
• Update registry from toolhive-registry release v2025.12.24 by @​github-actions[bot] in #​3156
• Update registry from toolhive-registry release v2025.12.25 by @​github-actions[bot] in #​3158
• Update registry from toolhive-registry release v2025.12.26 by @​github-actions[bot] in #​3160
• Update registry from toolhive-registry release v2025.12.27 by @​github-actions[bot] in #​3162
• feat: Add tool annotations for improved LLM tool understanding by @​triepod-ai in #​3167
• Update registry from toolhive-registry release v2025.12.28 by @​github-actions[bot] in #​3170
• Update anchore/sbom-action action to v0.21.0 by @​renovate[bot] in #​3150
• Update registry from toolhive-registry release v2025.12.30 by @​github-actions[bot] in #​3172
• Update registry from toolhive-registry release v2025.12.31 by @​github-actions[bot] in #​3175
• Update registry from toolhive-registry release v2026.01.01 by @​github-actions[bot] in #​3176
• Update registry from toolhive-registry release v2026.01.02 by @​github-actions[bot] in #​3177
• fix: Convert secret.go subcommands from Run to RunE for proper error propagation by @​majiayu000 in #​3164
• fix: Standardize CLI output messages to use 'Workload' terminology by @​majiayu000 in #​3173
• fix: Ensure Toolhive Errors are Wrapped According to Docs by @​majiayu000 in #​3171
• cli: rename thv restart → thv start (add restart alias) by @​mohamedfawas in #​3151

New Contributors

• @​AlankarJagtap made their first contribution in #​3126
• @​triepod-ai made their first contribution in #​3167
• @​majiayu000 made their first contribution in #​3164

Full Changelog: stacklok/toolhive@v0.6.15...v0.6.16

v0.6.15

Compare Source

What's Changed

• Add OAuth/OIDC auth config to MCPRegistry CRD by @​blkt in #​3057
• adds slack alert for failed toolhive releases by @​ChrisJBurns in #​3086
• Update slackapi/slack-github-action action to v2.1.1 by @​renovate[bot] in #​3087

Full Changelog: stacklok/toolhive@v0.6.14...v0.6.15

v0.6.14

Compare Source

What's Changed

• Composite Tools Support Structured Content by @​jerm-dro in #​3009
• Adds PostgreSQL pgpass file support to the MCPRegistry operator by @​ChrisJBurns in #​2996
• includes vmcp in the images to update for toolhive by @​ChrisJBurns in #​3059
• Update toolhive images to v0.6.13 by @​renovate[bot] in #​3015
• Update registry from toolhive-registry release v2025.12.16 by @​github-actions[bot] in #​3065
• Add audit logging for composite workflow execution by @​yrobla in #​3011
• debugging test flakes by @​jerm-dro in #​3028
• FIX stdio URL bug with proxyMode by @​slyt3 in #​2935
• CompositeTools: fromJson function for manipulating text by @​jerm-dro in #​3063
• Add test for user identity capture in vMCP audit logs by @​yrobla in #​3029
• Add integration tests for audit log JSON output to files by @​yrobla in #​3033
• Fix YAML docs by @​jerm-dro in #​3070
• Update anthropics/claude-code-action digest to d7b6d50 by @​renovate[bot] in #​3072
• Bumps the registry to v1.4.0 by @​rdimitrov in #​3073
• Update registry from toolhive-registry release v2025.12.17 by @​github-actions[bot] in #​3080
• Fix inaccuracies in audit docs by @​jhrozek in #​3075
• fix(oauth): include refresh_token grant type in DCR requests by @​fredericlefeurmou in #​3076
• Fix Squid proxy crash loop on container restart by @​carlos-gn in #​3022
• fix: update workload status when health check fails for remote MCP servers by @​fredericlefeurmou in #​3077

New Contributors

• @​fredericlefeurmou made their first contribution in #​3076

Full Changelog: stacklok/toolhive@v0.6.13...v0.6.14

v0.6.13

Compare Source

What's Changed

• Bump operator versions by @​rdimitrov in #​3017
• Deprecate SSE proxy mode for stdio transport by @​carlos-gn in #​3008
• Composite Tools Supports DefaultResults for Skippable Steps by @​jerm-dro in #​3006
• Optimize VirtualMCP e2e test performance by @​yrobla in #​3012
• Update actions/cache digest to 9255dc7 by @​renovate[bot] in #​3019
• Remove RetryOnConflict Logic in Favour of Controller-Level Backoff by @​ChrisJBurns in #​3020
• Refactors ConfigMap management in the Operator to use reusable configmaps package by @​ChrisJBurns in #​3021
• Attempt to Deflake vMCP Tests by @​jerm-dro in #​3024
• Update registry from toolhive-registry release v2025.12.13 by @​github-actions[bot] in #​3026
• Update GitHub Artifact Actions (major) by @​renovate[bot] in #​3023
• Update registry from toolhive-registry release v2025.12.14 by @​github-actions[bot] in #​3027
• Update kindest/node Docker tag to v1.34.2 by @​renovate[bot] in #​3025
• add documentation for virtualmcp by @​yrobla in #​2931
• Temporarily skip flaky e2e tests by @​eleftherias in #​3037
• Fix workload restart API by using background context by @​eleftherias in #​3034
• Fix client registration by not skipping workloads by @​eleftherias in #​3035

Full Changelog: stacklok/toolhive@v0.6.12...v0.6.13

v0.6.12

Compare Source

What's Changed

• Update alpine Docker tag to v3.23.0 by @​renovate[bot] in #​2882
• Update registry from toolhive-registry release v2025.12.04 by @​github-actions[bot] in #​2886
• fix vmcp crd don't reconcile after podtemplatespec changes by @​yrobla in #​2817
• Require explicit authentication configuration in VirtualMCPServer by @​yrobla in #​2865
• validate that group membership changes trigger reconciliation by @​yrobla in #​2866
• Update module github.com/spf13/cobra to v1.10.2 by @​renovate[bot] in #​2887
• Bump the operator versions by @​rdimitrov in #​2889
• Revert "Update alpine Docker tag to v3.23.0" by @​rdimitrov in #​2894
• fix mcp controller and test status propagation by @​yrobla in #​2823
• Update module github.com/mark3labs/mcp-go to v0.43.2 by @​renovate[bot] in #​2892
• use status manager and constants on podtemplatespec reconciliation by @​yrobla in #​2888
• Fix legacy registry schema ID and file references by @​danbarr in #​2880
• Return error when custom registry is unreachable by @​JAORMX in #​2879
• Drop any code which writes to PID files by @​dmjb in #​2899
• Gracefully Shutdown Foreground Server on Interrupt by @​jerm-dro in #​2863
• Bump the registry-server version in the operator by @​rdimitrov in #​2904
• Fix VirtualMCPServer controller to check PodReady condition by @​JAORMX in #​2901
• Refactor CRD Telemetry Config Conversion for Reusability by @​jerm-dro in #​2908
• Update MCP protocol expert agent to spec 2025-11-25 by @​JAORMX in #​2911
• add validation tests to detect invalid configs by @​yrobla in #​2896
• Update registry from toolhive-registry release v2025.12.05 by @​github-actions[bot] in #​2912
• Implement CompositeToolRefs resolution in VirtualMCPServer converter by @​amirejaz in #​2885
• Fix: Added path configuration to registry server by @​dmartinol in #​2794
• Fix vMCP podTemplateSpec when only pod-level settings is applied by @​jhrozek in #​2897
• Update module github.com/lestrrat-go/httprc/v3 to v3.0.2 by @​renovate[bot] in #​2913
• Revert "Gracefully Shutdown Foreground Server on Interrupt (#​2863)" by @​dmjb in #​2916
• add examples of configuration for virtualmcp by @​yrobla in #​2900
• Disable failing vMCP test for k8s by @​dmjb in #​2919
• Ensure PID files are cleaned up after migration by @​dmjb in #​2905
• Move regex compilation to package-level variable in virtualmcpserver_controller #issue-2874 by @​deepika1214 in #​2875
• fixes generation of manifests via kubebuilder by @​eleftherias in #​2924
• Update module github.com/go-git/go-billy/v5 to v5.7.0 by @​renovate[bot] in #​2933
• Remove tool type column and rename created at to created in the thv list by @​carlos-gn in #​2917
• Update helm/kind-action digest to 2cd8ada by @​renovate[bot] in #​2937
• Add build auth file injection for protocol builds by @​JAORMX in #​2909
• Default anonymous authentication by @​dmartinol in #​2914
• adds permission for claude to make content write changes by @​ChrisJBurns in #​2925
• Add log level configuration support to VirtualMCPServer by @​4t8dd in #​2837
• Update module golang.org/x/sys to v0.39.0 by @​renovate[bot] in #​2943
• Gracefully Shutdown Foreground Server on Interrupt by @​jerm-dro in #​2927
• Instrument vMCP and Document o11y Configuration by @​jerm-dro in #​2906
• Validate ValidationStatus of referenced CompositeToolRefs by @​amirejaz in #​2944
• Fix logic bug in WaitForPodsReady that incorrectly reports pods as ready by @​slyt3 in #​2898
• Populate remote workload metadata in GetWorkload by @​carlos-gn in #​2929
• Update module golang.ngrok.com/ngrok/v2 to v2.1.1 by @​renovate[bot] in #​2928
• fix and test mcptoolconfig for vmcp by @​yrobla in #​2891
• Update module golang.org/x/mod to v0.31.0 by @​renovate[bot] in #​2952
• Add unauthenticated and headerinjection auth strategy to MCPExternalAuthConfig by @​yrobla in #​2915
• Use autoupdate github action to auto update all PRs. by @​dmjb in #​2958
• Bump the registry-server version in the operator to v0.4.2 by @​rdimitrov in #​2959
• Update kyverno/action-install-chainsaw action to v0.2.14 by @​renovate[bot] in #​2939
• Warn users about affected workloads when updating or deleting secrets by @​JAORMX in #​2945
• Update module golang.org/x/term to v0.38.0 by @​renovate[bot] in #​2965
• Update module github.com/onsi/gomega to v1.38.3 by @​renovate[bot] in #​2947
• Add design proposal for K8s-aware vMCP with dynamic backend discovery by @​jhrozek in #​2884
• Update module golang.org/x/oauth2 to v0.34.0 by @​renovate[bot] in #​2940
• Update peter-evans/create-pull-request digest to 22a9089 by @​renovate[bot] in #​2926
• Update module golang.org/x/sync to v0.19.0 by @​renovate[bot] in #​2942
• Add vulnerability exclusion support to govulncheck workflow by @​jhrozek in #​2972
• Bump the operator versions by @​rdimitrov in #​2974
• Update peter-evans/create-pull-request action to v8 by @​renovate[bot] in #​2973
• Update golang.org/x/exp/jsonrpc2 digest to 8475f28 by @​renovate[bot] in #​2966
• Fix VirtualMCPServer reconciliation for discovered auth config updates by @​yrobla in #​2957
• add test for composite workflow by reference by @​yrobla in #​2956
• Update module github.com/onsi/ginkgo/v2 to v2.27.3 by @​renovate[bot] in #​2946
• Update anthropics/claude-code-action digest to f0c8eb2 by @​renovate[bot] in #​2969
• Update module golang.org/x/net to v0.48.0 by @​renovate[bot] in #​2963
• Update kubernetes packages to v0.34.3 by @​renovate[bot] in #​2977
• Update anchore/sbom-action action to v0.20.11 by @​renovate[bot] in #​2975
• Add audit middleware to vMCP server by @​yrobla in #​2981
• Add OnDecline and OnCancel handlers for workflow steps by @​yrobla in #​2961
• Add configurable scopes to the auth info handler and expose them through CLI by @​jhrozek in #​2982
• Update opentelemetry-go monorepo by @​renovate[bot] in #​2967
• vMCP: Composite Tools supports non-string Arguments by @​jerm-dro in #​2971
• enable CRD upgrades via Helm with feature flags by @​ChrisJBurns in #​2809
• adds reusable Kubernetes secrets functionality in Operator by @​ChrisJBurns in #​2991
• Pass debug flag to detached process restart command by @​carlos-gn in #​2992
• Remove redundant ToolType field from Workload by @​carlos-gn in #​2932
• Add scopes field to MCPServer CRD for OIDC config by @​jhrozek in #​2988
• Update module github.com/sigstore/sigstore-go to v1.1.4 by @​renovate[bot] in #​2990
• Remove autoupdate for now by @​dmjb in #​3002
• Wire up audit config to vMCP CLI by @​yrobla in #​2987
• adds reusable Kubernetes configmap functionality in Operato for C/R/U actions by @​ChrisJBurns in #​2997
• Update registry from toolhive-registry release v2025.12.11 by @​github-actions[bot] in #​2930
• Consolidate and fix VirtualMCP E2E tests by @​yrobla in #​2978
• Simplify the registry auto-detection by @​rdimitrov in #​2976
• Wire scopes through VirtualMCPServer to auth middleware by @​jhrozek in #​3005
• Enable MCPRemoteProxy discovery in MCPGroup and VirtualMCPServer by @​amirejaz in #​2970
• Add backend routing capture to vMCP audit logs by @​yrobla in #​2983
• Update registry from toolhive-registry release v2025.12.12 by @​github-actions[bot] in #​3010
• Update actions/cache action to v5 by @​renovate[bot] in #​3007
• Vmcp rbac mcpremoteproxies by @​amirejaz in #​3013

New Contributors

• @​deepika1214 made their first contribution in #​2875
• @​carlos-gn made their first contribution in #​2917
• @​slyt3 made their first contribution in #​2898

Full Changelog: stacklok/toolhive@v0.6.11...v0.6.12

v0.6.11

Compare Source

Headline changes:

• Include ping checks for remote workloads.
• Allow build envs to include secrets from the secrets manager and environment variables on the host.

What's Changed

• Add Debug Logs for thv run Server Location by @​jerm-dro in #​2834
• bumps toolhive operator and registry api images by @​ChrisJBurns in #​2842
• Update actions/checkout digest to 8e8c483 by @​renovate[bot] in #​2844
• Implement ExternalAuthConfig discovery for VirtualMCPServer backends by @​amirejaz in #​2726
• upgrade go to 1.25.5 to fix GO-2025-4155 by @​ChrisJBurns in #​2846
• Update registry from toolhive-registry release v2025.12.03 by @​github-actions[bot] in #​2862
• Update golangci/golangci-lint-action action to v9.2.0 by @​renovate[bot] in #​2861
• Split out podTemplateBuilder to be reusable and cover with integration tests by @​jhrozek in #​2840
• Fix VirtualMCPServer OIDC configuration by implementing OIDCConfigurable interface by @​jhrozek in #​2821
• Refactor vMCP e2e tests to extract common helpers by @​jhrozek in #​2839
• Update build-env proposal with secure credential handling by @​JAORMX in #​2859
• Use gopkg.in/yaml.v3 not v2 by @​JAORMX in #​2868
• Change pinging logic for remote workloads by @​dmjb in #​2872
• Add --from-secret and --from-env flags to set-build-env by @​JAORMX in #​2860
• Display custom metadata in registry info text output by @​JAORMX in #​2871
• Use ubuntu-slim runner for lightweight CI jobs by @​JAORMX in #​2869
• List workloads once to ensure consistency by @​amirejaz in #​2867

New Contributors

• @​jerm-dro made their first contribution in #​2834

Full Changelog: stacklok/toolhive@v0.6.10...v0.6.11

v0.6.10

Compare Source

What's Changed

• Update toolhive images to v0.6.9 and registry server to v0.3.1 by @​renovate[bot] in #​2737
• Update registry from toolhive-registry release v2025.11.29 by @​github-actions[bot] in #​2808
• Make client_secret_env optional in vMCP OIDC config by @​jhrozek in #​2803
• Remove tokenCache documentation and examples by @​jhrozek in #​2801
• Update registry from toolhive-registry release v2025.11.30 by @​github-actions[bot] in #​2810
• Update module github.com/olekukonko/tablewriter to v1.1.2 by @​renovate[bot] in #​2812
• Add vMCP image to operator-deploy-local task by @​jhrozek in #​2802
• Update registry from toolhive-registry release v2025.12.01 by @​github-actions[bot] in #​2814
• remove mixed mode to simplify vmcp operation by @​yrobla in #​2798
• Fix vMCP error on partially set operational config by @​jhrozek in #​2813
• fix lint problems on main by @​yrobla in #​2816
• fix: propagate identity for token exchange + add real integration tests by @​yrobla in #​2769
• add tests for validating conflict resolution by @​yrobla in #​2818
• Refactor/typed backend auth strategy by @​jhrozek in #​2797
• Centralize container image references in e2e tests by @​4t8dd in #​2819
• Make client_id optional in vMCP OIDC config by @​jhrozek in #​2822
• Add PVC source support for MCPRegistry by @​jonburdo in #​2719
• Add Output Schema Support to CompositeToolSpec CRD by @​tgrunnagle in #​2824
• Proposal: Kubernetes source type for registry server by @​JAORMX in #​2829
• adds kubernetes registry config for registry server by @​ChrisJBurns in #​2830
• Update registry.access.redhat.com/ubi10/ubi-minimal Docker tag to v10.1-1764604111 by @​renovate[bot] in #​2828
• Update anthropics/claude-code-action digest to 6337623 by @​renovate[bot] in #​2827
• Update registry from toolhive-registry release v2025.12.02 by @​github-actions[bot] in #​2833
• Add support for Zed client by @​eleftherias in #​2836
• Add vMCP e2e tests for tool overrides and composite workflows by @​JAORMX in #​2826
• add RBAC resources for MCPRegistry API server by @​ChrisJBurns in #​2832

New Contributors

• @​jonburdo made their first contribution in #​2719

Full Changelog: stacklok/toolhive@v0.6.9...v0.6.10

v0.6.9

Compare Source

🚀 Toolhive v0.6.9 is live!

This release brings enhancements to MCP workflows, better registry customization, and improved developer experience across the board.

MCP & Workflows
• Smart transport auto-detection makes thv mcp commands easier to use
• Standard JSON Schema format now used for composite tool parameters
• Added RetryDelay to error handling in WorkflowStep CRD for more resilient workflows
• Extracted MCP client setup into reusable CreateInitializedMCPClient helper
• E2E tests now use mcp.LATEST_PROTOCOL_VERSION for better compatibility
• Removed token cache from vMCP for cleaner authentication flow

Registry & Deployment
• Registry server can now be configured with custom database connection details
• New podTemplateSpec field in MCPRegistry CRD lets you fully customize registry API deployments
• MergePodTemplateSpecs utility added for cleaner pod template composition
• Updated registry from toolhive-registry release v2025.11.28

Tool Filtering & Configuration
• New ExcludeAll option provides more flexible tool filtering controls
• Better error handling throughout vMCP code (replaced utilruntime.Must with proper error checks)
• Minor fixes for retryDelay handling improve reliability

Testing & Quality
• Added vMCP E2E tests using yardstick MCP server
• Proposal naming validation now only checks new files, reducing false positives

Infrastructure
• Updated docker/metadata-action to v5.10.0

👋 Welcome to our newest contributors @​ignorant05 and @​4t8dd! 🥳

🔗 Full changelog: stacklok/toolhive@v0.6.8...v0.6.9

What's Changed

• Update docker/metadata-action action to v5.10.0 by @​renovate[bot] in #​2760
• adds MergePodTemplateSpecs that merges podTemplateSpecs by @​ChrisJBurns in #​2770
• Use standard JSON Schema format for VMCP composite tool parameters by @​JAORMX in #​2651
• Fix proposal naming validation to only check new files by @​JAORMX in #​2788
• Update registry from toolhive-registry release v2025.11.28 by @​github-actions[bot] in #​2791
• Replace utilruntime.Must with proper error handling in vMCP code by @​JAORMX in #​2787
• Add smart transport auto-detection for thv mcp commands by @​JAORMX in #​2790
• Add vmcp e2e tests using yardstick MCP server by @​JAORMX in #​2778
• Enhancement: Added ExcludeAll option for toll filtering by @​ignorant05 in #​2789
• Use mcp.LATEST_PROTOCOL_VERSION in E2E tests by @​jhrozek in #​2793
• Add RetryDelay to ErrorHandling in WorkflowStep CRD by @​JAORMX in #​2776
• adds podTemplateSpec field to MCPRegistry CRD that allows user to customise registry api deployment by @​ChrisJBurns in #​2777
• Extract MCP client setup to CreateInitializedMCPClient helper by @​jhrozek in #​2796
• Two minor fixes for vMCP retryDelay handling by @​jhrozek in #​2795
• Issue 2680 by @​4t8dd in #​2757
• fix: remove tokencache from vmcp by @​yrobla in #​2799
• adds ability to configure database details for registry server by @​ChrisJBurns in #​2800

New Contributors

• @​ignorant05 made their first contribution in #​2789
• @​4t8dd made their first contribution in #​2757

Full Changelog: stacklok/toolhive@v0.6.8...v0.6.9

v0.6.8

Compare Source

What's Changed

• Add OAuth authorization server fallback for registration endpoint discovery by @​amirejaz in #​2711
• Add schema test ensuring the correct version by @​rdimitrov in #​2738
• Update registry from toolhive-registry release v2025.11.26 by @​github-actions[bot] in #​2739
• Add build environment configuration and validation by @​JAORMX in #​2740
• Add header injection authentication support by @​yrobla in #​2730
• fix: follow up for removing not needed value on secrets by @​yrobla in #​2744
• Remove redundant best_effort failure mode from composer by @​jhrozek in #​2746
• adds multi-configmap data source for registry by @​ChrisJBurns in #​2745
• removes unused registry helper functions by @​ChrisJBurns in #​2748
• Add new diagram to README by @​danbarr in #​2743
• Remove NewUpstreamRegistryFromUpstreamServers by @​rdimitrov in #​2752
• Update module github.com/cedar-policy/cedar-go to v1.3.1 by @​renovate[bot] in #​2751
• Update golang.org/x/exp/jsonrpc2 digest to 87e1e73 by @​renovate[bot] in #​2735
• Add CLI commands and template integration for build environment by @​JAORMX in #​2742
• adds dedicated podtemplatespec builder for registry server deployment by [@​ChrisJBurn

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/cedar-policy/cedar-go	v1.3.0 -> v1.3.1
golang.org/x/exp/jsonrpc2	v0.0.0-20251113190631-e25ba8c21ef6 -> v0.0.0-20251125195548-87e1e737ad39

[github-actions]

🔒 MCP Security Scan Results

✅ adb-mysql-mcp-server

• Status: Passed
• Tools scanned: 3
• Result: No security issues detected

✅ agentql-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ arxiv-mcp-server

• Status: Passed
• Tools scanned: 4
• Result: No security issues detected

✅ astra-db-mcp

• Status: Passed
• Tools scanned: 16
• Result: No security issues detected

✅ aws-diagram

• Status: Passed
• Tools scanned: 3
• Result: No security issues detected

✅ aws-documentation

• Status: Passed
• Tools scanned: 3
• Result: No security issues detected

✅ blender-mcp

• Status: Passed
• Tools scanned: 21
• Result: No security issues detected

✅ brightdata-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ browserbase-mcp-server

• Status: Passed
• Tools scanned: 9
• Result: No security issues detected

❌ chroma-mcp

• Status: Failed
• Tools scanned: 13
• Vulnerabilities found: 1

Security issues detected:

• [TF001] Data leak toxic flow detected. The same agent has access to at least one tool that produces untrusted content, one tool that can access private data, and one tool that can behave as a public sink. For more information, see https://explorer.invariantlabs.ai/docs/mcp-scan/issue-code-reference/#TF001

Allowed issues (not blocking):

• [TF002] Destructive toxic flow detected. The same agent has access to at least one tool that produces untrusted content and one tool that can behave destructively. For more information, see https://explorer.invariantlabs.ai/docs/mcp-scan/issue-code-reference/#TF002 (Allowed: ChromaDB is a vector database that requires both read and write operations for managing embeddings and collections)
• [W004] The MCP server is not in our registry. (Allowed: Server not in Invariant Labs registry - we verify provenance independently via our own checks.)

✅ chrome-devtools-mcp

• Status: Passed
• Tools scanned: 26
• Result: No security issues detected

✅ context7

• Status: Passed
• Tools scanned: 2
• Result: No security issues detected

✅ graphlit-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ heroku-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ ida-pro-mcp

• Status: Passed
• Tools scanned: 48
• Result: No security issues detected

✅ launchdarkly-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ magic-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ mcp-clickhouse

• Status: Passed
• Tools scanned: 3
• Result: No security issues detected

✅ mcp-jetbrains

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ mcp-neo4j-aura-manager

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ mcp-neo4j-cypher

• Status: Passed
• Tools scanned: 3
• Result: No security issues detected

✅ mcp-neo4j-memory

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ mcp-server-box

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ mcp-server-circleci

• Status: Passed
• Tools scanned: 16
• Result: No security issues detected

✅ mcp-server-neon

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ netbird

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ notion

• Status: Passed
• Tools scanned: 21
• Result: No security issues detected

✅ onchain-mcp

• Status: Passed
• Tools scanned: 10
• Result: No security issues detected

✅ pagerduty-mcp

• Status: Passed
• Tools scanned: 38
• Result: No security issues detected

✅ phoenix-mcp

• Status: Passed
• Tools scanned: 19
• Result: No security issues detected

❌ playwright-mcp

• Status: Failed
• Tools scanned: 22
• Vulnerabilities found: 2

Security issues detected:

• [W005] The tool is not in our registry, even though the server is.
• [W005] The tool is not in our registry, even though the server is.

Allowed issues (not blocking):

• [TF001] Data leak toxic flow detected. The same agent has access to at least one tool that produces untrusted content, one tool that can access private data, and one tool that can behave as a public sink. For more information, see https://explorer.invariantlabs.ai/docs/mcp-scan/issue-code-reference/#TF001 (Allowed: Data leak risk acceptable - tool designed for browser automation and web testing workflows where external content interaction is essential. Users should be aware of potential data exposure when automating web interactions.)
• [TF002] Destructive toxic flow detected. The same agent has access to at least one tool that produces untrusted content and one tool that can behave destructively. For more information, see https://explorer.invariantlabs.ai/docs/mcp-scan/issue-code-reference/#TF002 (Allowed: Destructive flow risk acceptable - browser automation tools are core functionality for web testing and automation. Users should only use with trusted prompts and on non-production systems.)

✅ sentry-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ supabase-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ tavily-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

---

Summary: Scanned 34 MCP server(s), found 3 security issue(s).

⚠️ Action Required: Security issues were detected. Please review and address them before merging.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 64 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.3 -> 1.25.5
github.com/sigstore/sigstore-go	v1.1.3 -> v1.1.4
github.com/cedar-policy/cedar-go	v1.3.0 -> v1.3.1
github.com/go-openapi/analysis	v0.23.0 -> v0.24.1
github.com/go-openapi/errors	v0.22.2 -> v0.22.4
github.com/go-openapi/jsonpointer	v0.21.1 -> v0.22.1
github.com/go-openapi/jsonreference	v0.21.0 -> v0.21.3
github.com/go-openapi/loads	v0.22.0 -> v0.23.2
github.com/go-openapi/runtime	v0.28.0 -> v0.29.2
github.com/go-openapi/spec	v0.21.0 -> v0.22.1
github.com/go-openapi/strfmt	v0.23.0 -> v0.25.0
github.com/go-openapi/swag	v0.24.1 -> v0.25.4
github.com/go-openapi/swag/cmdutils	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/conv	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/fileutils	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/jsonname	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/jsonutils	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/loading	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/mangling	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/netutils	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/stringutils	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/typeutils	v0.24.0 -> v0.25.4
github.com/go-openapi/swag/yamlutils	v0.24.0 -> v0.25.4
github.com/go-openapi/validate	v0.24.0 -> v0.25.1
github.com/lestrrat-go/httprc/v3	v3.0.1 -> v3.0.3
github.com/mark3labs/mcp-go	v0.43.1 -> v0.43.2
github.com/modelcontextprotocol/registry	v1.3.10 -> v1.4.0
github.com/prometheus/common	v0.66.1 -> v0.67.4
github.com/prometheus/otlptranslator	v0.0.2 -> v1.0.0
github.com/prometheus/procfs	v0.17.0 -> v0.19.2
github.com/sigstore/rekor	v1.4.2 -> v1.4.3
github.com/sigstore/sigstore	v1.9.6-0.20250729224751-181c5d3339b3 -> v1.10.0
github.com/theupdateframework/go-tuf/v2	v2.2.0 -> v2.3.0
github.com/transparency-dev/formats	v0.0.0-20250825093915-4fde0c3c9ab1 -> v0.0.0-20251017110053-404c0d5b696c
go.mongodb.org/mongo-driver	v1.17.4 -> v1.17.6
go.opentelemetry.io/otel	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/exporters/prometheus	v0.60.0 -> v0.61.0
go.opentelemetry.io/otel/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk/metric	v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/trace	v1.38.0 -> v1.39.0
go.opentelemetry.io/proto/otlp	v1.8.0 -> v1.9.0
go.yaml.in/yaml/v2	v2.4.2 -> v2.4.3
golang.ngrok.com/ngrok/v2	v2.1.0 -> v2.1.1
golang.org/x/crypto	v0.45.0 -> v0.46.0
golang.org/x/exp/event	v0.0.0-20251023183803-a4bb9ffd2546 -> v0.0.0-20251125195548-87e1e737ad39
golang.org/x/exp/jsonrpc2	v0.0.0-20251113190631-e25ba8c21ef6 -> v0.0.0-20251219203646-944ab1f22d93
golang.org/x/mod	v0.30.0 -> v0.31.0
golang.org/x/net	v0.47.0 -> v0.48.0
golang.org/x/oauth2	v0.33.0 -> v0.34.0
golang.org/x/sync	v0.18.0 -> v0.19.0
golang.org/x/sys	v0.38.0 -> v0.39.0
golang.org/x/term	v0.37.0 -> v0.38.0
golang.org/x/text	v0.31.0 -> v0.32.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250929231259-57b25ae835d4 -> v0.0.0-20251202230838-ff82c1b0f217
gopkg.in/evanphx/json-patch.v4	v4.12.0 -> v4.13.0
k8s.io/api	v0.34.2 -> v0.35.0
k8s.io/apimachinery	v0.34.2 -> v0.35.0
k8s.io/client-go	v0.34.2 -> v0.35.0
k8s.io/kube-openapi	v0.0.0-20250710124328-f3f2b991d03b -> v0.0.0-20250910181357-589584f1c912
k8s.io/utils	v0.0.0-20251002143259-bc988d571ff4 -> v0.0.0-20251222233032-718f0e51e6d2
sigs.k8s.io/json	v0.0.0-20241014173422-cfa47c3a1cc8 -> v0.0.0-20250730193827-2d320260d730