build(deps): Bump mcp-contextforge-gateway from 1.0.0rc1 to 1.0.3 #31

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/pip/mcp-contextforge-gateway-1.0.3

@dependabot dependabot Bot commented on behalf of github Jun 11, 2026

Bumps mcp-contextforge-gateway from 1.0.0rc1 to 1.0.3.

Release notes

Sourced from mcp-contextforge-gateway's releases.

v1.0.3 - Auth & JWT Cleanup, Admin UI Fixes, FedRAMP/FIPS Hardening, and Bug Fixes

[1.0.3] - 2026-06-10 - Auth & JWT Cleanup, Admin UI Fixes, FedRAMP/FIPS Hardening, and Bug Fixes

Overview

Release 1.0.3 consolidates 61 PRs focused on authentication and JWT hardening, FedRAMP/FIPS compliance, rate-limiter and plugin improvements, performance/caching, and a broad set of bug fixes. This release cleans up the JWT token model, strengthens FIPS/STIG compliance, and improves multi-architecture builds and CI reliability:

  • 🔐 Security & Auth - JWT token cleanup (UUID-based subjects, JIT credential resolution), OAuth audience parameter support, CSRF cookie name standardization, same-origin cookie auth for OAuth callbacks, API-token idle-timeout handling, SSO callback redirect fixes, PII redaction in logs, and CA-cert validation handling for authless MCPs.
  • 🖥️ Admin UI - Alpine.js CSP migration and component consolidation, Teams panel loading fix, script-defer race-condition fix, SRI hash fixes, and plugin operator labels.
  • 🛡️ FedRAMP / FIPS Compliance - Opt-in FIPS compliance mode with parameterized base images, additional STIG controls, dotfile permission modes, and /app ownership adjustments.
  • 🧩 Plugins & Rate Limiting - Tightened plugin-bindings payload surface, dedicated Redis instance support for the rate limiter, CPEX plugin regression fixes and metadata resolution, and tool pre-invoke diagnostics.
  • ⚡ Performance & Caching - AuthCache full-team-object storage, token-revocation caching, team cache hardening, metrics aggregation throttling, and a faster Rust fast-test server.
  • 🏗️ Build & CI - Multi-architecture (s390x) wheels, merge-queue gates, FIPS-capable base images, container hardening, and node/Playwright CI fixes.
  • 🐛 Bug Fixes - Observability Resources tab, migration blockers, gateway CRUD REST API, DB CHECK-constraint ordering, edge-mode health convergence, and Streamable HTTP /mcp redirect handling.

Added

🔐 Security & Auth

  • 🎫 OAuth Audience Parameter (#4795) – Added OAuth audience parameter support for Atlassian and Auth0. Improves OAuth interoperability with providers that require an audience claim.
  • 🕵️ PII Redaction in Logs (#5013) – Redact PII from log output. Strengthens privacy and compliance posture.

🛡️ FedRAMP / FIPS Compliance

  • 🔒 Opt-in FIPS Compliance Mode (#4810) – Parameterized base images and added an opt-in FIPS compliance mode. Enables FedRAMP-aligned deployments.

🧩 Plugins & Rate Limiting

  • 🧪 Tool Pre-Invoke Diagnostics (#4937) – Added diagnostics for tool pre-invoke modified payloads. Improves plugin debugging.
  • 🚦 Separate Redis for Rate Limiter (#4859) – Enabled a dedicated Redis instance for the rate limiter. Isolates rate-limit state from the shared cache.

🏗️ Infrastructure

  • 📡 Redis Configuration Publisher (#4926) – Added a Redis-based configuration publisher for the experimental dataplane. Lays groundwork for distributed config propagation.

Changed

🔐 Security & Auth

  • 🎫 JWT Cleanup (#4816) – Removed unused data from JWT tokens, moved token subjects to user IDs (UUID), and resolved credentials just-in-time. Simplifies the token model and reduces token payload surface.
  • 🧩 Alpine.js CSP Build (#4676) – Migrated Alpine.js to the Vite-bundled @alpinejs/csp build and eliminated unsafe-eval. Strengthens Content Security Policy compliance.

🗄️ Database & API

  • 🔧 Admin Gateway CRUD REST Endpoints (#4808) – Added JSON support and RESTful endpoints for admin gateway CRUD operations. Improves API consistency and automation.

⚡ Performance & Caching

  • 👥 AuthCache Full Team Objects (#4550) – Store full team objects in AuthCache to eliminate a secondary DB query. Reduces auth hot-path latency.
  • 🎫 Token Revocation Caching (#4527) – Cache get_token_revocation / is_token_revoked to eliminate hot-path DB queries. Improves request throughput.

... (truncated)

Changelog

Sourced from mcp-contextforge-gateway's changelog.

[1.0.3] - 2026-06-10 - Auth & JWT Cleanup, Admin UI Fixes, FedRAMP/FIPS Hardening, and Bug Fixes

Overview

Release 1.0.3 consolidates 61 PRs focused on authentication and JWT hardening, FedRAMP/FIPS compliance, rate-limiter and plugin improvements, performance/caching, and a broad set of bug fixes. This release cleans up the JWT token model, strengthens FIPS/STIG compliance, and improves multi-architecture builds and CI reliability:

  • 🔐 Security & Auth - JWT token cleanup (UUID-based subjects, JIT credential resolution), OAuth audience parameter support, CSRF cookie name standardization, same-origin cookie auth for OAuth callbacks, API-token idle-timeout handling, SSO callback redirect fixes, PII redaction in logs, and CA-cert validation handling for authless MCPs.
  • 🖥️ Admin UI - Alpine.js CSP migration and component consolidation, Teams panel loading fix, script-defer race-condition fix, SRI hash fixes, and plugin operator labels.
  • 🛡️ FedRAMP / FIPS Compliance - Opt-in FIPS compliance mode with parameterized base images, additional STIG controls, dotfile permission modes, and /app ownership adjustments.
  • 🧩 Plugins & Rate Limiting - Tightened plugin-bindings payload surface, dedicated Redis instance support for the rate limiter, CPEX plugin regression fixes and metadata resolution, and tool pre-invoke diagnostics.
  • ⚡ Performance & Caching - AuthCache full-team-object storage, token-revocation caching, team cache hardening, metrics aggregation throttling, and a faster Rust fast-test server.
  • 🏗️ Build & CI - Multi-architecture (s390x) wheels, merge-queue gates, FIPS-capable base images, container hardening, and node/Playwright CI fixes.
  • 🐛 Bug Fixes - Observability Resources tab, migration blockers, gateway CRUD REST API, DB CHECK-constraint ordering, edge-mode health convergence, and Streamable HTTP /mcp redirect handling.

Added

🔐 Security & Auth

  • 🎫 OAuth Audience Parameter (#4795) – Added OAuth audience parameter support for Atlassian and Auth0. Improves OAuth interoperability with providers that require an audience claim.
  • 🕵️ PII Redaction in Logs (#5013) – Redact PII from log output. Strengthens privacy and compliance posture.

🛡️ FedRAMP / FIPS Compliance

  • 🔒 Opt-in FIPS Compliance Mode (#4810) – Parameterized base images and added an opt-in FIPS compliance mode. Enables FedRAMP-aligned deployments.

🧩 Plugins & Rate Limiting

  • 🧪 Tool Pre-Invoke Diagnostics (#4937) – Added diagnostics for tool pre-invoke modified payloads. Improves plugin debugging.
  • 🚦 Separate Redis for Rate Limiter (#4859) – Enabled a dedicated Redis instance for the rate limiter. Isolates rate-limit state from the shared cache.

🏗️ Infrastructure

  • 📡 Redis Configuration Publisher (#4926) – Added a Redis-based configuration publisher for the experimental dataplane. Lays groundwork for distributed config propagation.

Changed

🔐 Security & Auth

  • 🎫 JWT Cleanup (#4816) – Removed unused data from JWT tokens, moved token subjects to user IDs (UUID), and resolved credentials just-in-time. Simplifies the token model and reduces token payload surface.
  • 🧩 Alpine.js CSP Build (#4676) – Migrated Alpine.js to the Vite-bundled @alpinejs/csp build and eliminated unsafe-eval. Strengthens Content Security Policy compliance.

🗄️ Database & API

  • 🔧 Admin Gateway CRUD REST Endpoints (#4808) – Added JSON support and RESTful endpoints for admin gateway CRUD operations. Improves API consistency and automation.

⚡ Performance & Caching

  • 👥 AuthCache Full Team Objects (#4550) – Store full team objects in AuthCache to eliminate a secondary DB query. Reduces auth hot-path latency.
  • 🎫 Token Revocation Caching (#4527) – Cache get_token_revocation / is_token_revoked to eliminate hot-path DB queries. Improves request throughput.
  • 🦀 Rust Fast-Test Server Speedup (#5059) – Sped up the Rust fast-test server. Reduces benchmark/test cycle time.

... (truncated)

Commits
  • 65dcfe2 Release/v1.0.3 (#5159)
  • 84cb8d1 fix: Disable CA Cert validation on authless MCPs (#5075)
  • 7944992 fix: resolve teams panel not loading due to undefined getPaginationParams in ...
  • c6acf5c fix(ui): add defer attribute to script tags to prevent Alpine.js race conditi...
  • 6eb1ff7 fix(compose): repoint fast_test_server build context to renamed rust crate (#...
  • b1663bf removed extra spaces introduced in yaml files #4983 (#5120)
  • 285da49 perf: speed up rust fast-test server (#5059)
  • a798fdf fix(fedramp): keep /app group-owned by root so FIPS 0750 mode survives arbitr...
  • 9291a7d fix(sso): SSO callback redirect for non-admin users with team memberships (#4...
  • d6b9076 Add hashed version to external repositories installed in pre-commit (#4983)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mcp-contextforge-gateway](https://github.com/IBM/mcp-context-forge) from 1.0.0rc1 to 1.0.3.
- [Release notes](https://github.com/IBM/mcp-context-forge/releases)
- [Changelog](https://github.com/IBM/mcp-context-forge/blob/main/CHANGELOG.md)
- [Commits](IBM/mcp-context-forge@v1.0.0-RC1...v1.0.3)

---
updated-dependencies:
- dependency-name: mcp-contextforge-gateway
  dependency-version: 1.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels Jun 11, 2026