build(deps): Bump mcp-contextforge-gateway from 1.0.0rc1 to 1.0.4 #32

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/pip/mcp-contextforge-gateway-1.0.4

dependabot[bot] commented on behalf of github on Jun 24, 2026

Bumps mcp-contextforge-gateway from 1.0.0rc1 to 1.0.4.

Release notes

Sourced from mcp-contextforge-gateway's releases.

v1.0.4 - Rust Migration, Docker Improvements, Security Enhancements, and Bug Fixes

[1.0.4] - 2026-06-22 - Rust Server Migration, Security Fixes, and Build Hardening

Overview

Release 1.0.4 consolidates 35+ PRs focused on Rust server migration, security and auth correctness, multi-architecture build hardening, and database reliability. This release migrates test servers to Rust and resolves a broad set of auth, CSRF, login, and container build issues:

  • 🔐 Security & Auth - Keycloak SSO role merging from access_token, client_secret_basic support for SSO token exchange, CSRF exempt-path fixes, login redirect loop fix, and OAuth auth_type propagation fix for tool creation.
  • 🦀 Rust Servers - Slow-time MCP test server migrated to Rust (breaking binary path change), Rust benchmark server added replacing Go, Rust A2A echo agent added for integration testing.
  • 🛡️ FedRAMP / Build - s390x rustup fix, hermetic wheel closure for s390x/ppc64le multiplatform builds, Containerfile.lite venv fix, PyPI UI bundle fix, PyO3 and Rust CI dependency updates.
  • 🗄️ Database & Performance - DB connection pool multiplication resolved, lazy log formatting migration across services, tag length made configurable via env vars.
  • 🌐 API - RFC 6585 HTTP status code compliance (429, etc.), HTTP 202 Accepted response support for async operations.
  • 🔧 CI / DevOps - Hadolint via Docker image, docker-scan scoped to merge queue, linting-full moved to merge queue, npm audit fixes, release dependency lock refresh, cpex-rate-limiter bump to 0.1.4.

Added

🔐 Security & Auth

  • 🔑 client_secret_basic SSO Token Exchange (#5132) – client_secret_basic HTTP Basic Auth support for SSO token exchange. Broadens compatibility with OAuth 2.0 compliant identity providers.

🌐 API

  • 📋 RFC 6585 HTTP Status Code Compliance (#4797) – RFC 6585 compliant HTTP status codes (429, etc.). Improves API standards conformance.
  • ✅ HTTP 202 Accepted Response (#5210) – HTTP 202 Accepted response support for async operations. Enables proper async API patterns.

🦀 Rust Servers

  • ⚡ Rust Benchmark Server (#5091) – Rust benchmark server replaces the Go benchmark server; benchmark compose profiles rewired to build from mcp-servers/rust/benchmark-server. Breaking: binary paths move from ./dist/benchmark-server to ./target/release/benchmark-server.
  • 🤖 Rust A2A Echo Agent (#5092) – Rust implementation of an A2A echo agent for integration testing. Provides a fast, low-overhead test target.

Changed

🦀 Rust Servers

  • ⚡ Slow-Time Server Migrated to Rust (#5090) – Slow-time MCP test server migrated from Python to Rust. Breaking: binary paths and compose targets change; update any local scripts referencing the old Python entrypoint.

🔧 Infrastructure & DevOps

  • 🔒 Security Policy — IBM PSIRT (#5225) – Security vulnerability reporting redirected to IBM PSIRT. Aligns with IBM security disclosure process.
  • 📦 cpex-rate-limiter Bump to 0.1.4 (#5242) – Bumped cpex-rate-limiter dependency to 0.1.4. Picks up upstream rate-limiter fixes.
  • 📝 Lazy Log Formatting (#4749) – Migrated f-string log calls to lazy %-style across services. Avoids string interpolation overhead when log level is suppressed.
  • 🔒 Configurable Tag Length (#5178) – Tag length now configurable via environment variables. Enables site-specific tag truncation policy.
  • 🔒 CODEOWNERS Update (#5275) – Updated code owners for certain topics. Ensures correct review routing.

🖥️ CI

  • 🔍 Linting-Full Moved to Merge Queue (#5189) – Full repo lint sweep moved to merge queue gate. Reduces PR feedback noise while maintaining merge quality.
  • 🔒 Docker-Scan Scoped to Merge Queue (#5209) – Docker vulnerability scan scoped to PR lint + merge-queue gate. Avoids redundant scans on every push.
  • ⬛ Hadolint via Docker Image (#5259) – Hadolint run via Docker image to satisfy org Actions allowlist. Removes dependency on non-allowlisted GitHub Action.
  • ⏩ Skip CI for Secrets Baseline Commits (#5012) – Full CI skipped for detect-secrets baseline-only commits. Reduces unnecessary CI load.

... (truncated)

Changelog

Sourced from mcp-contextforge-gateway's changelog.

[1.0.4] - 2026-06-22 - Rust Server Migration, Security Fixes, and Build Hardening

Overview

Release 1.0.4 consolidates 35+ PRs focused on Rust server migration, security and auth correctness, multi-architecture build hardening, and database reliability. This release migrates test servers to Rust and resolves a broad set of auth, CSRF, login, and container build issues:

  • 🔐 Security & Auth - Keycloak SSO role merging from access_token, client_secret_basic support for SSO token exchange, CSRF exempt-path fixes, login redirect loop fix, and OAuth auth_type propagation fix for tool creation.
  • 🦀 Rust Servers - Slow-time MCP test server migrated to Rust (breaking binary path change), Rust benchmark server added replacing Go, Rust A2A echo agent added for integration testing.
  • 🛡️ FedRAMP / Build - s390x rustup fix, hermetic wheel closure for s390x/ppc64le multiplatform builds, Containerfile.lite venv fix, PyPI UI bundle fix, PyO3 and Rust CI dependency updates.
  • 🗄️ Database & Performance - DB connection pool multiplication resolved, lazy log formatting migration across services, tag length made configurable via env vars.
  • 🌐 API - RFC 6585 HTTP status code compliance (429, etc.), HTTP 202 Accepted response support for async operations.
  • 🔧 CI / DevOps - Hadolint via Docker image, docker-scan scoped to merge queue, linting-full moved to merge queue, npm audit fixes, release dependency lock refresh, cpex-rate-limiter bump to 0.1.4.

Added

🔐 Security & Auth

  • 🔑 client_secret_basic SSO Token Exchange (#5132) – client_secret_basic HTTP Basic Auth support for SSO token exchange. Broadens compatibility with OAuth 2.0 compliant identity providers.

🌐 API

  • 📋 RFC 6585 HTTP Status Code Compliance (#4797) – RFC 6585 compliant HTTP status codes (429, etc.). Improves API standards conformance.
  • ✅ HTTP 202 Accepted Response (#5210) – HTTP 202 Accepted response support for async operations. Enables proper async API patterns.

🦀 Rust Servers

  • ⚡ Rust Benchmark Server (#5091) – Rust benchmark server replaces the Go benchmark server; benchmark compose profiles rewired to build from mcp-servers/rust/benchmark-server. Breaking: binary paths move from ./dist/benchmark-server to ./target/release/benchmark-server.
  • 🤖 Rust A2A Echo Agent (#5092) – Rust implementation of an A2A echo agent for integration testing. Provides a fast, low-overhead test target.

Changed

🦀 Rust Servers

  • ⚡ Slow-Time Server Migrated to Rust (#5090) – Slow-time MCP test server migrated from Python to Rust. Breaking: binary paths and compose targets change; update any local scripts referencing the old Python entrypoint.

🔧 Infrastructure & DevOps

  • 🔒 Security Policy — IBM PSIRT (#5225) – Security vulnerability reporting redirected to IBM PSIRT. Aligns with IBM security disclosure process.
  • 📦 cpex-rate-limiter Bump to 0.1.4 (#5242) – Bumped cpex-rate-limiter dependency to 0.1.4. Picks up upstream rate-limiter fixes.
  • 📝 Lazy Log Formatting (#4749) – Migrated f-string log calls to lazy %-style across services. Avoids string interpolation overhead when log level is suppressed.
  • 🔒 Configurable Tag Length (#5178) – Tag length now configurable via environment variables. Enables site-specific tag truncation policy.
  • 🔒 CODEOWNERS Update (#5275) – Updated code owners for certain topics. Ensures correct review routing.

🖥️ CI

  • 🔍 Linting-Full Moved to Merge Queue (#5189) – Full repo lint sweep moved to merge queue gate. Reduces PR feedback noise while maintaining merge quality.
  • 🔒 Docker-Scan Scoped to Merge Queue (#5209) – Docker vulnerability scan scoped to PR lint + merge-queue gate. Avoids redundant scans on every push.
  • ⬛ Hadolint via Docker Image (#5259) – Hadolint run via Docker image to satisfy org Actions allowlist. Removes dependency on non-allowlisted GitHub Action.
  • ⏩ Skip CI for Secrets Baseline Commits (#5012) – Full CI skipped for detect-secrets baseline-only commits. Reduces unnecessary CI load.
  • 📌 Pin buildx Version – Pinned setup-buildx-action to a fixed version to avoid Docker Hub rate-limit failures. Prevents intermittent CI build failures from upstream rate limiting.

... (truncated)

Commits
  • dc637b2 Release/v1.0.4 (#5311)
  • 30a7057 fix(docker): hermetic wheel closure for s390x/ppc64le multiplatform builds (#...
  • ada6ced added code changes for 202, only testing code remaining (#5210)
  • 48288c1 fix(api): Login redirect loop (#5190) (#5203)
  • 9fc7c8d fix(docker): Containerfile.lite ships empty venv, masked by stray || true (#5...
  • 74a6aeb fix(playwright): user deletion FK cascade, team selector delegation, … (#5211)
  • fc7422d Updating code owners for certain topics (#5275)
  • f4dec63 fix(api): oauth offered as auth_type in Add Tool form but silently ignored by...
  • 58d92ac fix: include workspace members in a2a image build (#5268)
  • af50b2e chore: deprecate runtime sidecars and validation middleware (#5179)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mcp-contextforge-gateway](https://github.com/IBM/mcp-context-forge) from 1.0.0rc1 to 1.0.4.
- [Release notes](https://github.com/IBM/mcp-context-forge/releases)
- [Changelog](https://github.com/IBM/mcp-context-forge/blob/main/CHANGELOG.md)
- [Commits](IBM/mcp-context-forge@v1.0.0-RC1...v1.0.4)

---
updated-dependencies:
- dependency-name: mcp-contextforge-gateway
  dependency-version: 1.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and python labels on Jun 24, 2026
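The commit message above labels this bump `version-update:semver-patch` even though it moves from a release candidate to 1.0.4 and the release notes list breaking changes. The following is an added example, not part of the PR or of Dependabot: a sketch of an auto-merge gate that reads the subject line and the `updated-dependencies` trailer for a single-dependency bump. The policy rules and function names are assumptions.

```python
import re

# Constructed sample: subject line plus the metadata trailer from this PR's
# commit message (values copied from the page).
COMMIT_MESSAGE = """\
build(deps): Bump mcp-contextforge-gateway from 1.0.0rc1 to 1.0.4

---
updated-dependencies:
- dependency-name: mcp-contextforge-gateway
  dependency-version: 1.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
"""

# PEP 440 pre-release / dev markers such as 1.0.0rc1, 2.0a1, 3.1.dev2
PRERELEASE = re.compile(r"\d[._-]?(a|b|rc|dev)[._-]?\d*", re.I)

def parse_update(message):
    """Return old/new versions and trailer fields for a single-dependency bump."""
    m = re.search(r"[Bb]ump (\S+) from (\S+) to (\S+)", message.splitlines()[0])
    trailer = re.search(r"^---\n(.*?)^\.\.\.$", message, re.S | re.M)
    if not m or not trailer:
        raise ValueError("not a Dependabot bump commit message")
    info = {"name": m.group(1), "old": m.group(2), "new": m.group(3)}
    for line in trailer.group(1).splitlines():
        key, sep, value = line.lstrip("- ").partition(": ")
        if sep:  # skips the bare "updated-dependencies:" header
            info[key.strip()] = value.strip()
    return info

def automerge_decision(info):
    """Return (allowed, reasons). The policy itself is an assumption."""
    reasons = []
    if info.get("update-type") != "version-update:semver-patch":
        reasons.append("update-type is not semver-patch")
    if PRERELEASE.search(info["old"]) or PRERELEASE.search(info["new"]):
        reasons.append("pre-release version involved; patch label does not bound the diff")
    if info.get("dependency-type") == "direct:production":
        reasons.append("direct production dependency needs human review")
    if info.get("dependency-version") != info["new"]:
        reasons.append("trailer version disagrees with subject line")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(automerge_decision(parse_update(COMMIT_MESSAGE)))
```
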