[ca] Update MCP Gateway v0.2.12 → v0.2.13

[github-actions]

This issue tracks the update of MCP Gateway (gh-aw-mcpg) from v0.2.12 to v0.2.13, released on 2026-04-04.

pkg/constants/version_constants.go has been updated and make recompile completed successfully (180/180 workflows).

Summary

• MCP Gateway: v0.2.12 → v0.2.13 ✅
• All other tools are up-to-date (GitHub MCP Server v0.32.0, Playwright MCP 0.0.70, Playwright Browser v1.59.1, Claude Code 2.1.92, Copilot 1.0.18, Codex 0.118.0)

Update MCP Gateway v0.2.12 → v0.2.13

• Previous: v0.2.12 → New: v0.2.13
• Released: 2026-04-04
• Docker Image: ghcr.io/github/gh-aw-mcpg:v0.2.13

Breaking Changes

None.

Key Features

• OpenTelemetry Tracing: MCP Gateway now exports traces via OpenTelemetry OTLP, providing end-to-end visibility into request flows through the proxy and backend MCP servers.
• Configurable Session Timeout: New MCP_GATEWAY_SESSION_TIMEOUT environment variable controls session timeout for unified mode (/mcp) stateful sessions (default: 2h). Previously hardcoded.

View Full Changelog

Security & Compliance

• Stricter auth validation (fix: compliance gaps — HTTP 400 for malformed auth headers, reject unknown TOML fields, random API key generation gh-aw-mcpg#3097): Malformed Authorization headers now correctly return HTTP 400. Unknown fields in TOML configuration are rejected at startup, and API keys are now randomly generated — closing several compliance gaps.
• Direct API bypass detection (W-1: Detect direct API bypass in integrity audit + add reusable MCP routing constraint gh-aw-mcpg#3134): The integrity audit now detects when agents attempt to call GitHub APIs directly, bypassing the gateway's routing constraint. A reusable MCP routing constraint has been added.
• Expanded guard coverage (Add pre-emptive guard coverage for 5 workflow run cancel/rerun operations gh-aw-mcpg#3095, Guard coverage: classify create_agent_task as read-write and blocked gh-aw-mcpg#3139): Five workflow run cancel/rerun operations are now guarded pre-emptively, and create_agent_task is correctly classified as a read-write blocked operation.

Bug Fixes

• Resolved duplicate test declarations in the server package that caused build failures (fix: resolve duplicate test declarations in server package gh-aw-mcpg#3098).

Documentation

• MCP_GATEWAY_SESSION_TIMEOUT is now fully documented, including supported duration formats and behavioral differences between routed and unified modes (docs: document MCP_GATEWAY_SESSION_TIMEOUT environment variable gh-aw-mcpg#3153).

All Merged PRs

• [Repo Assist] feat(envutil): add GetEnvDuration + configurable MCP_GATEWAY_SESSION_TIMEOUT gh-aw-mcpg#3068 - feat(envutil): add GetEnvDuration + configurable MCP_GATEWAY_SESSION_TIMEOUT
• [Repo Assist] refactor(proxy): extract writeDIFCForbidden helper gh-aw-mcpg#3067 - refactor(proxy): extract writeDIFCForbidden helper
• [log] refactor(difc): consolidate agent.go logging to use internal debug logger gh-aw-mcpg#2982 - refactor(difc): consolidate agent.go logging to use internal debug logger
• [test-improver] Improve tests for server session package gh-aw-mcpg#2989 - Improve tests for server session package
• [test-improver] Improve tests for logger/markdown_logger package gh-aw-mcpg#3058 - Improve tests for logger/markdown_logger package
• [test] Add tests for proxy.handleWithDIFC uncovered branches gh-aw-mcpg#3059 - Add tests for proxy.handleWithDIFC uncovered branches
• Add pre-emptive guard coverage for 5 workflow run cancel/rerun operations gh-aw-mcpg#3095 - Add pre-emptive guard coverage for 5 workflow run cancel/rerun operations
• fix: resolve duplicate test declarations in server package gh-aw-mcpg#3098 - fix: resolve duplicate test declarations in server package
• [log] Add debug logging to internal/difc/resource.go gh-aw-mcpg#3099 - Add debug logging to internal/difc/resource.go
• [rust-guard] Move test-only function out of production code; add missing field_names constants gh-aw-mcpg#3096 - Move test-only function out of production code; add missing field_names constants
• fix: compliance gaps — HTTP 400 for malformed auth headers, reject unknown TOML fields, random API key generation gh-aw-mcpg#3097 - fix: compliance gaps — HTTP 400 for malformed auth headers, reject unknown TOML fields, random API key generation
• 🔄 chore: update schema URL to v0.65.6 gh-aw-mcpg#3118 - chore: update schema URL to v0.65.6
• [Repo Assist] refactor(server): move logRuntimeError from auth.go to http_helpers.go gh-aw-mcpg#3119 - refactor(server): move logRuntimeError from auth.go to http_helpers.go
• W-1: Detect direct API bypass in integrity audit + add reusable MCP routing constraint gh-aw-mcpg#3134 - Detect direct API bypass in integrity audit + add reusable MCP routing constraint
• Guard coverage: classify create_agent_task as read-write and blocked gh-aw-mcpg#3139 - Guard coverage: classify create_agent_task as read-write and blocked
• 🔄 chore: update schema URL to v0.66.1 gh-aw-mcpg#3162 - chore: update schema URL to v0.66.1
• feat: OpenTelemetry OTLP trace export from MCP Gateway and proxy gh-aw-mcpg#3178 - feat: OpenTelemetry OTLP trace export from MCP Gateway and proxy
• [Repo Assist] refactor(auth): move generateRandomAPIKey to internal/auth package gh-aw-mcpg#3163 - refactor(auth): move generateRandomAPIKey to internal/auth package
• [Repo Assist] build: add test-race Makefile target for race condition detection gh-aw-mcpg#3164 - build: add test-race Makefile target for race condition detection
• docs: document MCP_GATEWAY_SESSION_TIMEOUT environment variable gh-aw-mcpg#3153 - docs: document MCP_GATEWAY_SESSION_TIMEOUT environment variable

View Migration Guide

1. The version constant in pkg/constants/version_constants.go has been updated to v0.2.13.
2. make recompile has been run — all 180 workflow files regenerated successfully.
3. No breaking changes; no code changes required beyond the version bump.
4. Optional: set MCP_GATEWAY_SESSION_TIMEOUT env var to customize stateful session timeout (default is 2h).

Impact Assessment

• Risk: Low — no breaking changes, security improvements included
• Affects: All workflows using the MCP Gateway container
• Notable: Security improvements (auth validation, direct API bypass detection, expanded guard coverage) make this update recommended promptly

Recommendations

Update is low-risk and includes meaningful security and observability improvements. Deploy at next opportunity.

Package Links

• Repository: https://github.com/github/gh-aw-mcpg
• Release Notes: https://github.com/github/gh-aw-mcpg/releases/tag/v0.2.13
• Docker Image: ghcr.io/github/gh-aw-mcpg:v0.2.13

References:

• §23992709014

Generated by CLI Version Checker · ● 186K · ◷

• expires on Apr 7, 2026, 2:45 AM UTC

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot coding agent.

The Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster · ● 172.6K · ◷

[github-actions]

This issue is being closed as outdated. A newer issue has been created: #24663

View newer issue

---

This action was performed automatically by the CLI Version Checker workflow.