[ca] Update MCP Gateway (gh-aw-mcpg) v0.1.8 → v0.1.14

[github-actions]

Updated DefaultMCPGatewayVersion in pkg/constants/constants.go from v0.1.8 to v0.1.14. All 166 workflow lock files regenerated via make recompile.

Summary

• MCP Gateway: v0.1.8 → v0.1.14 ⚠️ contains breaking changes
• All other tools: no version changes (Claude Code, Copilot CLI, Codex, GitHub MCP Server, Playwright MCP, Playwright Browser all up to date)

Update: MCP Gateway v0.1.8 → v0.1.14

• Previous: v0.1.8 → New: v0.1.14
• Release Timeline: v0.1.9 (2026-03-06), v0.1.10 (2026-03-10), v0.1.11 (2026-03-10), v0.1.12 (2026-03-10), v0.1.13 (2026-03-10), v0.1.14 (2026-03-11 TODAY)

Breaking Changes (v0.1.12)

The following CLI flags and environment variables were removed in v0.1.12:

Removed Flag	Removed Env Var	Migration
--enable-guards	MCP_GATEWAY_ENABLE_GUARDS	Guards auto-enabled when allow-only policy is present
--enable-config-extensions	MCP_GATEWAY_CONFIG_EXTENSIONS	Extension fields always accepted; no flag needed
--session-secrecy	MCP_GATEWAY_SESSION_SECRECY	Session labels set automatically by guards
--session-integrity	MCP_GATEWAY_SESSION_INTEGRITY	Session labels set automatically by guards

Critical Fix (v0.1.14)

Write-Sink Guard for DIFC-Compatible Output Servers (github/gh-aw-mcpg#1760)

Resolves a critical DIFC compatibility issue that prevented safeoutputs and other output servers from working correctly when the GitHub guard is active. The new WriteSinkGuard:

• Mirrors agent secrecy tags onto the resource
• Returns OperationWrite instead of OperationReadWrite, bypassing failing read integrity check
• Auto-upgrades noop guards after DIFC detection — no manual configuration needed

View Full Changelog (v0.1.9 → v0.1.14)

v0.1.9 (2026-03-06)

• MCP Protocol 2025-11-25 negotiation (latest spec)
• go-sdk v1.4.0 upgrade with consolidated protocol constants, removed deprecated HTTPTransport
• Config Schema v0.53.6 validation
• customSchemas documentation with domain uppercase constraint
• Bug fixes: duplicate test function, GitHub MCP test session fixture
• Code health: centralized duplicate constants, consolidated micro-files

v0.1.10 (2026-03-10)

• GitHub DIFC enforcement with WASM guards (feat: Add GitHub DIFC enforcement with WASM guards, guard policies, and LabelAgent integration gh-aw-mcpg#1674): WASM-based guard system for allow-only policies
• WASM baked into gateway Docker image (github-guard: bake WASM into gateway image, align test/release workflows, and rename user-facing flags to "guards" gh-aw-mcpg#1693)
• Routed URL host advertisement and allow-only key normalization (fix: routed URL host advertisement and allow-only key normalization gh-aw-mcpg#1683)
• Schema updated to v0.55.0
• LabelAgent integration for DIFC enforcement

v0.1.11 (2026-03-10)

• Fixed release workflow WASM build: typo targets: → target: in setup-rust-toolchain (fix: use 'target' (singular) for setup-rust-toolchain action input gh-aw-mcpg#1715)
• Schema validation updated to v0.57.0 (🔄 chore: update schema URL to v0.57.0 gh-aw-mcpg#1713)

v0.1.12 (2026-03-10) — BREAKING

• Zero-config DIFC activation: configure guard-policies with allow-only rule, gateway auto-enables guards
• Removed 4 CLI flags/env vars (see Breaking Changes above)
• Schema validation now correctly handles extension fields by stripping before schema validation

v0.1.13 (2026-03-10)

• Guard policy fallback corrected: non-noop guards now preserved when server guard policies exist (Fix guard fallback to preserve non-noop guards when server guard policies exist gh-aw-mcpg#1741)
• Gateway output URLs use 127.0.0.1 instead of Gateway.Domain to prevent connectivity check failures (fix: don't use Gateway.Domain in gateway output URLs gh-aw-mcpg#1753)
• Integration tests more stable with polling-based stderr wait (Fix flaky integration tests with polling-based stderr wait gh-aw-mcpg#1746)

v0.1.14 (2026-03-11)

• Write-Sink Guard for DIFC-compatible output servers (feat: write-sink guard for DIFC-compatible output servers gh-aw-mcpg#1760)
• Critical fix for safeoutputs compatibility with GitHub guard active

View Migration Guide

1. Remove any usage of --enable-guards, --enable-config-extensions, --session-secrecy, --session-integrity flags
2. Remove any usage of MCP_GATEWAY_ENABLE_GUARDS, MCP_GATEWAY_CONFIG_EXTENSIONS, MCP_GATEWAY_SESSION_SECRECY, MCP_GATEWAY_SESSION_INTEGRITY environment variables
3. Guards now auto-activate when guard-policies with allow-only rule is configured — no additional flags needed
4. Docker image: ghcr.io/github/gh-aw-mcpg:v0.1.14

Impact Assessment

• Risk: Medium (breaking CLI flag changes, but auto-migration via guard auto-detection)
• Affects: Workflows using MCP Gateway with DIFC/guard configuration; safeoutputs output server compatibility
• Critical: v0.1.14 fixes a production issue with safeoutputs when GitHub guard is active

Package Links

• Repository: https://github.com/github/gh-aw-mcpg
• Release Notes v0.1.14: https://github.com/github/gh-aw-mcpg/releases/tag/v0.1.14
• Docker Image: ghcr.io/github/gh-aw-mcpg:v0.1.14

References:

• §22946871060

Generated by CLI Version Checker · ◷

• expires on Mar 13, 2026, 10:02 AM UTC