Release Notes - v0.22.0

Release Date: October 2025

🚀 New Features

OAuth Token Automatic Refresh

• Background token refresh infrastructure with event-driven per-provider architecture
• Monitors OAuth lifecycle events from Docker Desktop via Server-Sent Events (SSE)
• Proactive token refresh triggers at 10 seconds before expiry (aligns with OAuth library behavior)
• Automatic retry mechanism handles TokenSource caching with exponential backoff (30s, 1min, 2min, 4min, 8min...)
• Event-driven provider lifecycle - providers created on login, destroyed on logout
• Dynamic server support - automatic DCR client registration when using mcp-add
• Tool handlers OAuth-agnostic - token management fully background, no impact on tool execution

Client Support

• Added OpenAI Codex client configuration (#165)

🔧 Improvements

SDK Update

• Updated to MCP Go SDK 1.0.0 (#167)
  • Latest protocol features and improvements
  • Enhanced stability and performance

Catalog Management

• Use v3 catalog URL when mcp-oauth-dcr feature is enabled (#168)
• Improved catalog URL override logic to preserve custom URLs
• Added URL validation before overriding catalog URLs
• Better handling of catalog version selection

OAuth CLI Improvements

• Fixed CLI commands for remote MCP OAuth servers (#169)
  • docker mcp oauth authorize now works after mcp-add
  • DCR client registration automatic for dynamic tools
• Moved DCR cleanup to oauth revoke (safer server disable)
  • docker mcp server disable → Just removes from registry
  • docker mcp oauth revoke → Full cleanup (tokens + DCR client)
• Unified OAuth server checks using IsRemoteOAuthServer() helper
• mcp-add registers DCR clients enabling immediate OAuth authorization

Error Handling

• Gateway continues when images cannot be pulled (#163)
  • Failed image pulls no longer stop gateway initialization
  • Better resilience for partial failures

🐛 Bug Fixes

• Fixed double-close panics with sync.Once on provider Stop()
• Prevented goroutine leaks from concurrent GetOAuthApp calls
• Made all backoff sleeps interruptible by SSE events for responsive event handling
• Fixed EventLoginSuccess to trigger server reload (not just create provider)
• Fixed provider cleanup - wrapper goroutines remove dead providers from map
• Prevented infinite loops with max retry count and expiry tracking

📚 Documentation

• OAuth provider architecture documentation
• TokenSource caching analysis with Mermaid sequence diagrams
• Event-driven lifecycle state machine
• Clean architecture plan and implementation guide
• Known limitations documented (TokenSource caching, notification volume)

Full Changelog: v0.21.0...v0.22.0

Release Notes - v0.21.0

Release Date: September 26, 2025

🚀 New Features

OAuth 2.0 Dynamic Client Registration (DCR)

• Added support for OAuth 2.0 Dynamic Client Registration (RFC 7591) for MCP servers
• Implemented automatic OAuth 2.0 Authorization Server Discovery (RFC 8414) and Protected Resource Metadata (RFC 9728)
• Added new mcp-oauth-dcr feature flag to enable/disable DCR functionality
• Automatic OAuth server discovery from MCP server 401 responses
• Public client registration using PKCE for enhanced security
• Secure token storage via docker-credential-desktop
• Automatic token refresh handling with client pool invalidation
• Complete WWW-Authenticate header parsing (RFC 6750) with fallback to well-known endpoints
• Full compliance with OAuth 2.0/2.1 and MCP Authorization specifications

Self-Contained Image Support

• Gateway now supports hosting self-contained MCP server images without requiring a catalog (#151)
• Changed self-contained image prefix from docker.io/ to docker:// for clearer semantics
• Enables running MCP servers directly from Docker images

Client Support

• Added support for Claude Code and Opencode AI clients (#156)
• Added Zed editor client configuration (#143)
• JSON parsing with comment support using tailscale/hujson for Zed's settings.json

🔧 Improvements

• Added metrics middleware to dynamic tools for better observability
• Default verify-signatures setting now disabled when running in a container (#152)
• Provide ResourceURL when registering DCR for improved OAuth flow (#153)
• Made ls/list commands consistent across the CLI (#141, #144)

🏗️ Code Structure Changes

• Moved internal package to pkg for better public API exposure
• Moved integration tests to improve project organization

📚 Documentation

• Added documentation for importing OSS MCP registry
• Updated documentation for new mcp-oauth-dcr feature flag
• Various documentation improvements and typo fixes

🐛 Bug Fixes

• Fixed WWW-Authenticate header handling when header is missing or invalid
• Added fallback to use well-known OAuth endpoint discovery
• Resolved Accept header conflict issues in remote MCP connections
• Various code simplifications and cleanup

What's Changed

• Add client name to telemetry metrics. by @cmrigney in #137

Full Changelog: v0.19.0...v0.20.0

What's Changed

• Handle --verbose flag in tools call by @slimslenderslacks in #125
• Update Windows location of Goose config.yaml file by @slimslenderslacks in #124
• Dynamic MCP Servers by @slimslenderslacks in #113
• Show server list command by @bobbyhouse in #128
• Add telemetry for initialize by @cmrigney in #132
• Suggest the --global flag by @slimslenderslacks in #127
• Updates for supporting OfficialRegistry by @slimslenderslacks in #131

New Contributors

• @bobbyhouse made their first contribution in #128

Full Changelog: v0.18.0...v0.19.0

What's Changed

• Respect http and https proxies in the gateway by @cmrigney in #118
• Show error when OAuth provider doesn't exist by @kgprs in #121

Full Changelog: v0.17.0...v0.18.0