dunialabs/peta-core

The Control Plane for MCP — secure vault, managed runtime, audit trail, and policy-based approvals.

14 Releases
Latest: 1w ago
v1.2.2 (Latest)
Miles-YF · 1w ago · June 15, 2026

📦 Highlights

  • Added opt-in support for the modern MCP protocol version `2026-07-28`, including modern HTTP routing, protocol-version negotiation, OAuth-protected resource metadata, and validation for modern JSON-RPC request/response behavior.
  • Added dual-era downstream compatibility so the gateway can route to both legacy SDK transports and modern stateless HTTP MCP servers while preserving existing legacy behavior by default.
  • Improved OAuth client compatibility for URL-based MCP clients with stricter client metadata validation, safer metadata fetching, issuer handling documentation, redirect URI checks, and default MCP scopes for URL-registered clients.

🐛 Fixes and Improvements

  • Hardened modern MCP post-merge behavior around app rewrites, global request routing, subscription bus handling, server discovery, and grant enforcement.
  • Added support for fake-IP DNS environments when fetching OAuth client metadata, with deployment and security documentation updates.
  • Preserved browser tab behavior during desk OAuth authorization flows.
  • Added a dual-era MCP compatibility smoke harness with legacy HTTP, legacy stdio, and modern HTTP fixtures to exercise gateway behavior across protocol eras.

📦 Operational Notes

  • Modern MCP support remains controlled by environment configuration, including `MCP_2026_ENABLED`, downstream enablement, supported protocol versions, and optional allow lists for client and tenant IDs.
  • This release includes a Prisma migration adding OAuth client metadata fields for modern MCP compatibility. Run the normal deployment migration flow before serving the new build.

v1.2.1
Miles-YF · 1mo ago · April 28, 2026

📦 Highlights

  • Improved MCP Streamable HTTP resumability by wiring persisted event replay into the upstream transport. SSE reconnects can now use `Last-Event-ID` within the same session, with replay scoped to that session to prevent cross-client event leakage.
  • Hardened session reconnect behavior after explicit `DELETE /mcp` termination. Peta Core now allows one short grace-period reuse of a server-issued session ID only for the same authenticated identity and token fingerprint, while continuing to reject unknown client-selected session IDs.
  • Clarified and enforced the current reverse-request boundary for shared downstream connections. Standard downstream server-initiated `sampling`, `roots`, and `elicitation` requests are no longer advertised as supported in the shared managed runtime.
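
The session-ID rule from the second highlight, as an added sketch (not Peta Core's code): a server-issued ID can be reused once inside a grace window after `DELETE /mcp`, only by the same identity and token fingerprint, and IDs the server never issued are rejected. The class name, the 30-second window, the counter-based IDs and the fingerprint strings are assumptions.

```javascript
// Added illustration, not Peta Core code. GRACE_MS, the class name and the
// fingerprint strings are assumptions made for this example.
const GRACE_MS = 30000; // assumed length of the grace period

function sameOwner(rec, identity, tokenFp) {
  return rec.identity === identity && rec.tokenFp === tokenFp;
}
const allow = (reason) => ({ allowed: true, reason });
const deny = (reason) => ({ allowed: false, reason });

class SessionRegistry {
  constructor(now = () => Date.now()) {
    this.now = now;              // injectable clock so the grace window is testable
    this.active = new Map();     // sessionId -> { identity, tokenFp }
    this.terminated = new Map(); // sessionId -> { identity, tokenFp, at, reused }
    this.counter = 0;
  }

  // Only the server mints session IDs. A counter keeps the example
  // deterministic; production code would use a random UUID.
  issue(identity, tokenFp) {
    const id = `sess-${++this.counter}`;
    this.active.set(id, { identity, tokenFp });
    return id;
  }

  // Explicit termination (DELETE /mcp). The owner binding is remembered so a
  // later reconnect can be checked against it.
  terminate(id) {
    const rec = this.active.get(id);
    if (!rec) return false;
    const prior = this.terminated.get(id);
    this.active.delete(id);
    this.terminated.set(id, {
      ...rec,
      at: this.now(),
      reused: prior ? prior.reused : false, // the single reuse is never re-armed
    });
    return true;
  }

  // Decide what to do with a session ID presented by a client.
  resolve(id, identity, tokenFp) {
    const live = this.active.get(id);
    if (live) {
      return sameOwner(live, identity, tokenFp) ? allow('active') : deny('owner-mismatch');
    }
    const dead = this.terminated.get(id);
    if (!dead) return deny('unknown-session-id'); // client-selected or forgotten ID
    if (!sameOwner(dead, identity, tokenFp)) return deny('owner-mismatch');
    if (dead.reused) return deny('grace-already-used');
    if (this.now() - dead.at > GRACE_MS) {
      this.terminated.delete(id);
      return deny('grace-expired');
    }
    dead.reused = true;
    this.active.set(id, { identity: dead.identity, tokenFp: dead.tokenFp });
    return allow('grace-reuse');
  }
}
```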

🐛 Fixes and Improvements

  • Preserved MCP progress and cancellation semantics across the proxy boundary. Progress notifications are routed back to the originating upstream session with the client's original progress token, and upstream cancellation notifications are translated to the actual downstream in-flight request ID.
  • Isolated resource subscription state by downstream connection scope, preventing shared managed and per-user temporary sessions from receiving or unsubscribing each other's resource updates.
  • Added HTTP-to-SSE fallback for downstream remote server connection startup when Streamable HTTP negotiation fails and the server configuration supports fallback.
  • Strengthened request and event persistence handling with session-scoped replay validation, durable-first event IDs, and broader tests for persistent event ordering and reconnect behavior.
  • Fixed reconnect handling in authentication middleware and moved generated session IDs to UUID-based values while retaining compatibility with existing 32-character session IDs.
  • Removed duplicate Intercom OAuth handling in server startup logic.

📦 Operational Notes

  • Downstream MCP servers that require standard reverse requests (`sampling`, `roots`, or `elicitation`) still need a dedicated downstream session model; these capabilities are intentionally not exposed in the current shared managed connection mode.
  • Clients reconnecting an SSE stream should continue using `GET /mcp` with `Mcp-Session-Id` and include `Last-Event-ID` when available so missed events can be replayed safely.
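
Session-scoped replay for `Last-Event-ID`, as described in the first highlight and the note above, shown as an added sketch beside an unscoped version that leaks (not Peta Core's code). The class, the `evt-N` ID layout and the result shape are assumptions.

```javascript
// Added illustration, not Peta Core code. The class, the event-ID layout and
// the { ok, reason, events } result shape are assumptions for this example.
class SessionEventLog {
  constructor() {
    this.seq = 0;
    this.all = [];              // every persisted event, in order
    this.bySession = new Map(); // sessionId -> events of that session
    this.owner = new Map();     // eventId -> sessionId that produced it
  }

  // Persist the event first, then return the ID that goes out on the stream.
  append(sessionId, data) {
    const ev = { id: `evt-${++this.seq}`, seq: this.seq, sessionId, data };
    this.all.push(ev);
    if (!this.bySession.has(sessionId)) this.bySession.set(sessionId, []);
    this.bySession.get(sessionId).push(ev);
    this.owner.set(ev.id, sessionId);
    return ev.id;
  }

  // Unscoped replay: trusts the cursor and returns everything after it,
  // including events that belong to other sessions.
  replayUnscoped(lastEventId) {
    const cursor = this.all.find((e) => e.id === lastEventId);
    return cursor ? this.all.filter((e) => e.seq > cursor.seq) : [];
  }

  // Scoped replay: the cursor must be an event of the session that is
  // reconnecting, and only that session's later events are returned.
  replay(sessionId, lastEventId) {
    if (lastEventId === undefined || lastEventId === null || lastEventId === '') {
      return { ok: true, reason: 'no-cursor', events: [] }; // fresh stream, nothing to replay
    }
    const ownerSession = this.owner.get(lastEventId);
    if (ownerSession === undefined) {
      return { ok: false, reason: 'unknown-event-id', events: [] };
    }
    if (ownerSession !== sessionId) {
      return { ok: false, reason: 'foreign-event-id', events: [] };
    }
    const events = this.bySession.get(sessionId);
    const cursor = events.find((e) => e.id === lastEventId);
    return { ok: true, reason: 'replayed', events: events.filter((e) => e.seq > cursor.seq) };
  }
}

// Serialize one event as an SSE frame; JSON.stringify keeps data on one line.
function toSseFrame(ev) {
  return `id: ${ev.id}\ndata: ${JSON.stringify(ev.data)}\n\n`;
}
```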

v1.2.0
Miles-YF · 2mo ago · April 21, 2026

📦 Highlights

  • Added first-class OAuth support for HubSpot, Intercom, and Slack template servers, covering authorization-code exchange, persisted provider metadata, and runtime credential injection for downstream launches.
  • Added owner-side OAuth reauthorization for existing template servers, so Peta Console and related control-plane clients can refresh stored connector credentials without recreating the server configuration.

🐛 Fixes and Improvements

  • Hardened Intercom OAuth handling by validating stored access tokens against Intercom's `/me` endpoint, persisting the provider region needed at runtime, and clearing stale OAuth state when Intercom later rejects the token.
  • Tightened redirect URI persistence for browser-based OAuth flows by keeping redirect metadata only after compliance checks, which improves reauthorization safety for Peta Desk and other browser-driven clients.
  • Expanded regression coverage around server creation, configuration, and OAuth lifecycle handling for HubSpot, Intercom, Slack, and reauthorization flows.

📦 Operational Notes

  • Slack OAuth requires Token Rotation to be enabled in the Slack OAuth application settings.
  • Intercom does not issue refresh tokens; Peta Core now treats it as a validated long-lived token flow and will disable or unconfigure affected servers if the provider reports that the token is no longer valid.
  • Reauthorization uses the server's persisted `configTemplate.oAuthConfig` and encrypted OAuth state instead of pulling fresh cloud template metadata during the exchange.

v1.1.9
Miles-YF · 2mo ago · April 7, 2026

📦 Highlights

  • Added optional Peta Progressive Disclosure (PPD) for the MCP gateway. Deployments can now keep the existing flat tool list, expose a hybrid catalog-assisted flow, or switch to a strict catalog-first mode without changing the default behavior for existing clients.
  • Introduced gateway-native discovery tools: `peta.catalog.search`, `peta.catalog.describe`, and `peta.catalog.execute`, along with admin APIs for discovery config, profile management, preview, reindexing, and catalog stats.

🐛 Fixes and Improvements

  • Hardened discovery authorization and visibility handling so search, describe, and execute now stay aligned with normal server access, per-tool permissions, anonymous access rules, and approval-governed execution paths.
  • Fixed multiple hybrid-mode exposure issues, including direct tool filtering consistency, invalid `profileId` fallbacks, accurate tool counts, temporary server visibility, and runtime alias resolution for catalog execution.
  • Made catalog indexing safer and more resilient by avoiding destructive rebuild races, pruning stale rows correctly, skipping incomplete tool loads, and preventing temporary user-scoped server data from leaking into the global catalog.
  • Restored timeout reset behavior for uncached proxy requests and tightened discovery profile risk rule validation for more predictable runtime behavior.

📦 Operational Notes

  • PPD remains default-off. If no enabled non-flat discovery profile is configured, the gateway continues to expose tools in the existing flat mode.
  • This release adds discovery-related Prisma schema changes and migrations, including new catalog/profile tables and cleanup of stale discovery visibility fields. Apply the bundled database migrations before enabling the feature in production.

v1.1.8
Miles-YF · 2mo ago · March 30, 2026

📦 Highlights

  • Added configurable result caching with admission control, multiple store backends, namespace versioning, structured `cache.*` request logs, exact purge semantics, and approval-aware cache safety protections.
  • Added content-aware policy enforcement with an asynchronous HITL approval queue, approval audit metadata and pagination, execution result replay, synchronous wait polling, and multiple lifecycle hardening fixes across the proxy and admin surfaces.
  • Expanded MCP runtime capabilities with anonymous public access via `/mcp/public`, CustomStdio support for user-configured tools, Docker runner support, user environment overrides, improved startup diagnostics, and more reliable lazy server wakeup after transport closure.
  • Expanded auth and OAuth coverage with OAuth introspection, new Google auth variants, Pipedrive support, Canva and Zendesk provider support, refresh-token strategies, PKCE/code-verifier fixes, and related auth configuration parsing fixes.
  • Added repository release automation for peta-core maintainers, including temporary-worktree release preparation, English release-note context generation, and semver-aware non-interactive Docker publishing.

🐛 Fixes and Improvements

  • Fixed restore handler shutdown ordering, variable shadowing, validation, and post-shutdown error handling to avoid silent data loss and incomplete recovery paths.
  • Hardened policy and approval behavior by returning all policy statuses in admin lists, enforcing version uniqueness with optimistic retry, correcting retry ordering, adding regex/glob guardrails, and cleaning up orphaned approval execution state more reliably.
  • Improved Docker and skills deployment behavior by auto-detecting host skills paths via the Docker socket, rewriting child-container skills mounts correctly, and reloading skills servers after skill upload or deletion.
  • Improved server configuration and runtime consistency across anonymous access updates, stdio launch config transforms, detected server name syncing, stale server-context protection, `stdioTemplate.cwd` propagation, and MCP App resource reference alignment.
  • Fixed app resource result rewriting during resource reads so proxied resource references remain consistent after namespacing.
  • Tightened cache correctness by moving lookups earlier in handler flows, integrating singleflight tenant scoping, snapshotting namespace versions at lookup time, preserving purge reasons and promotion metrics, validating required scope identity before exact cache purge, and normalizing `Uint8Array` cache payload handling.
  • Updated deployment and admin documentation for policies, approvals, CustomStdio endpoints, result-cache environment variables, REST API and Skills positioning, and other recent MCP runtime capabilities.

📦 Operational Notes

  • Docker images published from this workflow now support semver tags in addition to `latest` and dated tags.
  • This release rolls up a broad set of previously unreleased platform changes. Operators should review policy, approval, cache, auth-provider, and CustomStdio-related configuration before upgrading.

v1.1.7
Miles-YF · 3mo ago · March 17, 2026

📦 Overview

  • Compare: https://github.com/dunialabs/peta-core/compare/v1.1.6...d89f4c1

📦 CustomStdio runtime improvements

  • Added Docker runner support for `ServerCategory.CustomStdio`.
  • When `PETA_CORE_IN_DOCKER=true`, non-`docker` stdio commands are automatically wrapped and executed inside `petaio/mcp-runner:latest`.
  • Explicit `docker` commands keep their original behavior and are not re-wrapped.
  • Added runtime probing for Docker socket, Docker CLI, and Docker daemon availability before launching wrapped commands.
  • Added failure classification for wrapped `CustomStdio` execution, distinguishing runner startup failures from downstream command failures.
  • Preserved admin-defined `stdioTemplate.cwd` during user configuration, so `CustomStdio` launch plans now retain working-directory context correctly.

📦 Reliability and diagnostics

  • Added a new startup diagnostics pipeline for downstream connections.
  • Startup diagnostics now capture transport errors, client errors, close events, and stderr output during connection establishment.
  • Generic errors such as `Request timed out` or `Connection closed` are now replaced with more meaningful diagnostics when better evidence is available.
  • Diagnostic formatting now includes structured details such as nested causes, network error metadata, MCP error data, and validation issues.
  • Sensitive values such as tokens, passwords, secrets, and authorization fields are redacted from diagnostic output.
  • Improved lazy-start lifecycle handling after transport closure.
  • Lazy-start managed servers now preserve their existing context and transition back to `Sleeping` instead of being discarded after unexpected transport close.
  • Temporary user-configured servers can now be restored from the active session launch config and woken up again correctly.
  • + 1 more

🐛 OAuth and server configuration fixes

  • Fixed OAuth `authConf` parsing in user server configuration flow.
  • `YOUR_OAUTH_CODE` and `YOUR_OAUTH_REDIRECT_URL` are now validated safely using optional access instead of assuming all keys exist.
  • PKCE verifier is now treated as optional and is only forwarded when present and non-empty.
  • Added dedicated tests to verify OAuth template server configuration both with and without PKCE verifier input.
  • Removed a temporary debug log introduced during OAuth parsing troubleshooting.

📝 Documentation and API docs

  • Refreshed README to reflect recent MCP runtime capabilities and positioning updates.
  • Expanded README coverage for anonymous public access, HTTPS and stdio custom tools, durable approval queue behavior, and observability workflows.
  • Added detailed Admin API and User API documentation for `CustomStdio` (`category=5`) configuration flows.
  • Documented Docker deployment behavior for `CustomStdio`, including the current v1 limitation that host project directories are not auto-mounted into runner containers.
  • Updated deployment docs to explain `CustomStdio` behavior inside Docker environments.
  • Refined README wording for Peta Console description.

🧪 Test and maintenance updates

  • Added test coverage for:
      • `CustomStdioRunner`
      • `ConnectionStartupDiagnostics`
      • `DownstreamTransportFactory`
      • `ServerManager` lazy-start lifecycle
      • `UserRequestHandler` OAuth configure-server flow
  • Updated `npm test` to run a build before executing Jest.
  • Extended Jest matching to include `tests/**/*.test.js`.
  • + 2 more

📦 Merged Pull Requests

  • `#12` Fix lazy server wakeup after transport close

📋 Full Changelog

  • `0ee2c1c` docs: refresh README for recent MCP runtime updates
  • `a0b46c7` Update Peta Console description in README
  • `a3093f5` docs: add CustomStdio (category=5) API documentation for admin and user endpoints
  • `de0e869` fix: Pass the stdioTemplate.cwd parameter
  • `9b40a80` npm install
  • `9b053d9` Add Docker runner support for CustomStdio
  • `a7bee3a` Improve startup connection diagnostics
  • `d3ec995` Fix lazy server wakeup after transport close
  • + 4 more

📦 Notes

  • No breaking API change was identified in this range.

v1.1.6
Miles-YF · 3mo ago · March 13, 2026

📦 Release Summary

  • This release updates Peta Core from `v1.1.4` to `v1.1.6`, focused on public anonymous MCP access, stdio-based custom server support, and follow-up fixes for server configuration and reconnect flows.

Added

  • Added anonymous access for public MCP servers through the `/mcp/public` endpoint.
  • Added per-server `anonymousAccess` and `anonymousRateLimit` configuration support.
  • Added database schema support for anonymous MCP access.
  • Added stdio support for custom MCP tools in user configuration flows.
  • Added `CustomStdio` (`category=5`) support with user-provided `stdioEnv` overrides.
  • Added `transportType` to server query results for transport-aware handling.

🐛 Fixed

  • Fixed anonymous MCP access and related server configuration handling.
  • Fixed user notifications when `anonymousAccess` is updated.
  • Fixed launch config update guards and detected server-name synchronization.
  • Fixed stale server context overwrite during reconnect after server updates.
  • Fixed launch config transform logic so category-specific rewrites only apply to the correct server types.

📝 Documentation

  • Updated API documentation for anonymous access behavior and rate-limit semantics.

📦 Upgrade Notes

  • Apply Prisma migration `20260307000000_add_anonymous_access_to_server` before deploying.
  • Anonymous rate limiting is enforced per source IP, not per user.
  • Tokenless requests to `/mcp` still return `401`; anonymous access is only available via `/mcp/public`.

📋 Full Changelog

  • PR #8: Anonymous token-less access for public MCP endpoints
  • PR #10: Stdio support for custom MCP tools in user configure and server handler
  • Full Changelog: https://github.com/dunialabs/peta-core/compare/v1.1.4...v1.1.6

v1.1.4
Miles-YF · 3mo ago · March 9, 2026

📦 Highlights

  • Added content-aware tool policies with DSL-based evaluation and server/global policy resolution.
  • Added persistent async HITL approval queue to replace the previous synchronous timeout-based approval flow.
  • Added approval execution result replay and per-request-hash rate limiting.
  • Added approval audit metadata and pagination support for admin APIs.
  • Improved policy evaluation safety, retry ordering, approval lifecycle stability, and admin visibility.

Added

  • Content-aware tool policy engine for MCP tool calls.
  • Async approval queue with persistent lifecycle tracking and deduplicated approval requests.
  • Admin APIs for:
      • policy CRUD
      • effective policy resolution
      • approval listing/detail/decision
      • pending approval count
  • Approval execution result storage and replay path.
  • + 3 more

🐛 Fixed

  • Prevented archived policies from being hidden permanently in admin list results.
  • Cleaned up approval request state transitions to avoid orphaned `EXECUTING` records.
  • Corrected retry ordering to avoid stale cache evaluation.
  • Normalized `serverId` lookup behavior in admin policy resolution.
  • Added regex and DSL matcher guardrails to improve policy evaluation safety.
  • Replaced immediate approval errors with synchronous wait polling fallback.
  • Hardened HITL approval lifecycle and client compatibility.
  • Stabilized approval retries and wait-state handling.
  • + 2 more

📝 Documentation

  • Restructured README around Gateway / Runtime / Extensions.
  • Added documentation for auto-recovery, request retry, REST API converter, Skills MCP, and lazy start.
  • Added policy and approval admin API documentation.

📦 Database Migrations

  • This release includes the following Prisma migrations:
      • `20260227000000_add_content_aware_policies_hitl_queue`
      • `20260227170000_add_tool_policy_set_version_uniqueness`
      • `20260306013500_add_execution_result_to_approval_request`
      • `20260306093000_add_approval_decision_audit_fields`

📦 Upgrade Notes

  • Run database migrations before starting the new version.
  • Review any admin-side integrations if they consume approval or policy APIs, because this release expands approval metadata, result replay fields, and policy management capabilities.

📋 Full Changelog

  • `feat: add content-aware tool policies and async HITL approval queue`
  • `fix: return all policy statuses in admin list endpoint to prevent archived policies from becoming permanently hidden`
  • `fix: move approval request cleanup before retry check to prevent orphaned EXECUTING records`
  • `fix: restore package.json version to match published release`
  • `feat: add version uniqueness with optimistic retry for policy sets`
  • `fix: normalize serverId and add server-side policy lookup in admin handler`
  • `fix: correct retry ordering to prevent stale cache evaluation`
  • `fix: add regex length guard and TTL cache for policy evaluation`
  • + 14 more

v1.1.2
Miles-YF · 3mo ago · March 2, 2026

📦 Release Scope

  • Compare: https://github.com/dunialabs/peta-core/compare/v1.1.0...dd2eb74
  • Commit range: `v1.1.0` (2026-02-09) to `dd2eb74` (2026-03-02)
  • Total commits: 31
  • Changed files: 41
  • Diff stats: +1362 / -247
  • Contributors: bc-dunia, Miles-YF, Asher367, bc, yufei, Miles-ZF, Miles

📦 Highlights

  • Added OAuth Token Introspection support (`POST /introspect`, RFC 7662), with aligned token model and documentation updates.
  • Added Canva OAuth provider support and token refresh strategies for both Canva and Zendesk.
  • Improved Zendesk authorization flow with code verifier support and subdomain format normalization.
  • Improved Docker deployment behavior with automatic host skills path detection via Docker socket and volume rewrite fixes.
  • Strengthened security and runtime stability across OAuth/session lifecycle, token/JWT validation, shutdown/teardown, socket notifications, and restore handling.

Features

  • `feat: add canva oauth provider support`
  • `feat(auth): add Canva and Zendesk token refresh strategies`
  • `feat: auto-detect host skills path via Docker socket`
  • `feat: Add code verifier to the zendesk authorization parameter`
  • `Add OAuth introspection endpoint and clarify access token model`

🐛 Fixes and Hardening

  • Security hardening for token validation and `JWT_SECRET` requirements.
  • Enforced OAuth validity checks for sessions and safe DELETE behavior.
  • Fixed MCP session teardown and reverse-request timeout handling.
  • Hardened core shutdown and server cleanup paths.
  • Prevented socket permission-change notifications from failing.
  • Fixed critical restore-handler issues in shutdown ordering, variable shadowing, and error handling.
  • Escaped OAuth consent template values and blocked redirects when fetching client metadata.
  • Fixed OAuth interoperability details for Canva and Zendesk flows.

📝 Documentation

  • Updated README with skills support and token metadata (`namespaces`, `tags`).
  • Updated API/Admin API/Socket/Security/Deployment/Architecture/Reference docs.
  • Updated Docker deployment docs and script for skills mount behavior.

📦 Compatibility Notes

  • `JWT_SECRET` is now required when decrypting `launchConfig`; missing value now raises an error.
  • Docker path rewrite logic now requires `PETA_CORE_IN_DOCKER="true"` explicitly.
  • Zendesk `zendeskSubdomain` should be a plain subdomain (without `https://` and `.zendesk.com`).
  • OAuth config key changed from `YOUR_OAUTH_CODE_VERIFIER` to `YOUR_OAUTH_PKCE_VERIFIER`.
  • Canva refresh/code exchange no longer sends `scope`.

📦 Version Bumps

  • `"version": "1.1.1"`
  • `"version": "1.1.2"`

📋 Full Changelog (v1.1.0..HEAD)

  • `7b56f48` (2026-02-10) fix(security): harden token validation and JWT secret config
  • `966de9f` (2026-02-10) fix(auth): enforce OAuth validity for sessions and safe DELETE
  • `8c3a37a` (2026-02-10) fix(mcp): cleanup session teardown and reverse-request timeouts
  • `15f711f` (2026-02-10) fix(core): harden shutdown and server cleanup paths
  • `2462a5d` (2026-02-10) fix(admin): validate configTemplate only where required
  • `4389b72` (2026-02-10) fix(socket): prevent permission-change notify from rejecting
  • `596ef68` (2026-02-10) fix(user): require JWT_SECRET when decrypting launchConfig
  • `ecd266a` (2026-02-10) fix(oauth): escape consent page template values
  • + 23 more

v1.1.0
Miles-ZF · 4mo ago · February 9, 2026

📦 ✨ Highlights

  • New OAuth capabilities: Peta OAuth init flow, server creation via authorization‑code token exchange, Peta Console / Peta Desk submit code to exchange and start MCP servers, plus automatic startup and optional deployment of `peta-auth`.
  • Added support for GitHub MCP server and Google Calendar MCP server.
  • Skills and server capabilities: added Skills upload management APIs (10040–10043).

📦 ⚙️ Improvements

  • Enhanced multi-auth server configuration; updated configuration behavior for CustomRemote / Template servers.
  • Capabilities & session management: optimized persistence and overlay logic for server capabilities; automatic cleanup of inactive sessions; special handling for REST API–type servers.
  • Admin & API behavior: /admin count protocols no longer require tokens; fixed incorrect `oauthCode` key usage; personal‑config servers now notify Peta Desk and clients after startup.

📦 🧰 Maintenance

  • Dependencies: upgraded `modelcontextprotocol`, `@prisma/client`, `express`.
  • Docker Compose network adjustments.
  • Multiple refactors and documentation updates.

📦 ⚠️ Compatibility Notice (Must Read)

  • This release is not backward compatible.
  • You must update both Peta Console and Peta Desk to keep protocol and configuration behavior aligned.

v1.0.2
Miles-YF · 5mo ago · January 13, 2026

📋 Changes

  • Database Schema: New publicAccess boolean field in Server table (defaults to false)
  • Permission Logic: When users have no explicit permissions, access is now determined by the publicAccess field instead of defaulting to true
  • API Support: Full CRUD support for publicAccess in server management endpoints (create/query/update)
  • Scope: Applies to both public servers and user-configured servers
  • Socket.IO notifications sent to affected users when publicAccess changes
  • MCP protocol notifications (tool/resource/prompt list changes) sent to active sessions
  • Smart filtering: Only notifies users without explicit permissions
  • Breaking Change: New servers default to publicAccess=false, requiring explicit user permission grants
  • + 8 more

v1.0.1
Miles-YF · 5mo ago · January 9, 2026

📋 Changes

  • Implemented on-demand server startup mechanism - MCP servers now load configuration into memory but only launch when first called
  • Automatic shutdown after 5 minutes of inactivity to conserve system resources
  • Global control via LAZY_START_ENABLED environment variable (default: true)
  • Per-server control via lazyStartEnabled database field
  • Runtime configuration changes now properly handle lazy start enabled/disabled transitions
  • Automatic retry mechanism when MCP server calls time out
  • Automatic server restart after multiple consecutive timeout failures
  • Enhanced error recovery for better service stability
  • + 7 more

v1.0.0-beta.2 (Pre-release)
Miles-YF · 6mo ago · December 19, 2025

Fixed a bug where the delay time exceeded the maximum limit when Notion automatically refreshes the token.

v1.0.0-beta.1 (Pre-release)
Miles-ZF · 6mo ago · December 17, 2025

**Full Changelog**: https://github.com/dunialabs/peta-core/commits/v1.0.0-beta.1