chore(deps): update dependency stacklok/toolhive to v0.15.0

[renovate]

This PR contains the following updates:

Package	Update	Change
stacklok/toolhive	minor	v0.14.1 → v0.15.0

---

Release Notes

stacklok/toolhive (stacklok/toolhive)

v0.15.0

Compare Source

🚀 Toolhive v0.15.0 is live!

This release brings significant improvements to OIDC/auth configuration, policy enforcement, secrets management, and observability — along with some important breaking changes and deprecations to be aware of before upgrading.

⚠️ Breaking Changes

Please review these carefully before upgrading:

• Removed CRD fields — Several deprecated fields have been removed from MCPServer and MCPRemoteProxy. Manifests using spec.port, spec.targetPort, inline spec.tools, plaintext clientSecret, or thvCABundlePath will fail validation. See the [migration guide](#​4467) for field-by-field replacements.
• referencingServers → referencingWorkloads — The status field on MCPOIDCConfig, MCPToolConfig, MCPExternalAuthConfig, and MCPTelemetryConfig is now a structured {kind, name} array instead of a plain string list. Any scripts or tooling reading .status.referencingServers will need updating.
• Expanded Cedar policy enforcement — Cedar now covers optimizer meta-tools (find_tool, call_tool) and upstream IDP token claims. Deployments with Cedar enabled should review their policy sets, as operations that were previously unchecked may now be denied.

More Information

1. Removed Deprecated CRD Fields

Breaking Change — Operator Users

Six deprecated fields have been removed from MCPServer and MCPRemoteProxy CRDs. These fields were retained during v1alpha1 for backward compatibility but are now removed to eliminate API ambiguity and a security liability (plaintext clientSecret visible in etcd/audit logs).

Existing manifests using any of these fields will fail validation after upgrading. Apply the field mappings below before upgrading.

Migration

Removed Field	Replacement	Resource
spec.port	spec.proxyPort	MCPServer, MCPRemoteProxy
spec.targetPort	spec.mcpPort	MCPServer
spec.tools (inline ToolsFilter)	spec.toolConfigRef → MCPToolConfig	MCPServer
spec.oidcConfig.inline.clientSecret	spec.oidcConfig.inline.clientSecretRef (Secret reference)	MCPServer, MCPRemoteProxy, VirtualMCPServer
spec.oidcConfig.inline.thvCABundlePath	spec.oidcConfig.inline.caBundleRef (ConfigMap reference)	MCPServer, MCPRemoteProxy, VirtualMCPServer

Port fields

Direct rename in manifests:

# Before
spec:
  port: 9090
  targetPort: 3000

# After
spec:
  proxyPort: 9090
  mcpPort: 3000

Tools filter

Create a separate MCPToolConfig resource and reference it via spec.toolConfigRef.name.

Client secret

Move the plaintext value into a Kubernetes Secret and use clientSecretRef with name and key fields.

CA bundle path

Store the CA certificate in a ConfigMap and use caBundleRef.configMapRef with name and key fields. ToolHive handles the mount automatically.

PR: #​4467 — Fixes #​4250

---

2. ReferencingServers Replaced with Structured ReferencingWorkloads

Breaking Change — Status Field (4 CRDs)

The status.referencingServers field (a plain []string) has been replaced with status.referencingWorkloads (a structured array of {kind, name} objects) on four shared configuration CRDs:

• MCPOIDCConfig — #​4492
• MCPToolConfig — #​4506
• MCPExternalAuthConfig — #​4507
• MCPTelemetryConfig — #​4487, #​4508

The new WorkloadReference type includes a kind field with enum validation (MCPServer, VirtualMCPServer, MCPRemoteProxy), enabling shared config resources to distinguish which workload type is referencing them.

Before

status:
  referencingServers:
    - "my-server"
    - "my-other-server"

After

status:
  referencingWorkloads:
    - kind: MCPServer
      name: my-server
    - kind: VirtualMCPServer
      name: my-other-server

Impact: Any scripts, monitoring, or tooling that reads .status.referencingServers must be updated to read .status.referencingWorkloads[].name (and optionally .kind). The printer column in kubectl get output also reflects the new field.

Fixes #​4491

---

3. Expanded Cedar Policy Enforcement

Behavioral Change — May Deny Previously Allowed Operations

Cedar authorization has been extended to cover two previously unprotected code paths. Deployments with Cedar policies enabled should review their policy sets to ensure these operations are permitted as intended.

Optimizer meta-tools (find_tool, call_tool)

When the optimizer is enabled alongside Cedar authorization, the optimizer's find_tool and call_tool meta-tools replace real backend tools in tools/list responses. Previously, Cedar's default-deny policy would silently filter out these meta-tools, leaving clients with zero tools. Additionally, call_tool invocations and find_tool results were not checked against Cedar policies at all.

Now:

• tools/list: Meta-tools (find_tool, call_tool) pass through Cedar filtering; real backend tools are filtered as before
• tools/call → call_tool: The middleware extracts the inner tool_name argument and authorizes that backend tool against Cedar before execution
• tools/call → find_tool: The response is filtered through Cedar so clients cannot discover unauthorized tools

PR: #​4385 — Fixes #​4374, #​4373

Upstream IDP token claims

Cedar policies can now reference upstream Identity Provider claims (e.g., GitHub login, Okta groups) when the embedded auth server is active. Three gaps are closed:

• Upstream token reading: The Cedar authorizer can now read claims from upstream IDP tokens (previously only ToolHive-issued JWT claims were evaluated)
• Group extraction: Identity.Groups is now populated from upstream token claims using configurable claim names (defaults: groups, roles, cognito:groups)
• Group membership: CreatePrincipalEntity now builds THVGroup parent entities, making principal in THVGroup::"engineering" evaluate correctly

Operators can configure this via the primary_upstream_provider option in Cedar config. If the upstream token is opaque (non-JWT), the authorizer denies the request — there is no silent fallback.

PR: #​4448 — Closes #​4408

---

4. Deprecations

Two inline configuration fields on MCPServer have been deprecated in favour of shared configuration CRD references. Both fields continue to work in v0.15.0 but will be removed in v1beta1. Setting both the deprecated inline field and the new reference field on the same resource is rejected by CEL validation at admission time.

spec.oidcConfig → spec.oidcConfigRef (MCPOIDCConfig)

The inline spec.oidcConfig field is deprecated. Use spec.oidcConfigRef to reference a shared MCPOIDCConfig resource instead, with optional per-server audience and scopes overrides.

# Deprecated (still works in v0.15.0, removed in v1beta1)
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
spec:
  oidcConfig:
    type: inline
    inline:
      issuer: "https://auth.example.com"
      clientId: "my-client"
      clientSecretRef:
        name: oidc-secret
        key: client-secret

# Recommended
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
spec:
  oidcConfigRef:
    name: production-oidc        # References a shared MCPOIDCConfig
    audience: my-mcp-server      # Per-server audience (required)
    scopes:                      # Optional per-server scopes
      - openid

PR: #​4481 — Closes #​4248, Ref #​4253

spec.telemetry → spec.telemetryConfigRef (MCPTelemetryConfig)

The inline spec.telemetry field is deprecated. Use spec.telemetryConfigRef to reference a shared MCPTelemetryConfig resource instead, with an optional per-server serviceName override for distinct telemetry identity.

# Deprecated (still works in v0.15.0, removed in a future release)
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
spec:
  telemetry:
    enabled: true
    endpoint: "https://otel.example.com:4317"

# Recommended
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
spec:
  telemetryConfigRef:
    name: shared-otel-config
    serviceName: my-server-telemetry  # Optional per-server identity

PR: #​4482 — Ref #​4253

🔐 OIDC & Auth

• New MCPOIDCConfig CRD and controller for managing OIDC lifecycle at the platform level
• OIDC config is now wired into both MCPServer and VirtualMCPServer controllers
• JWKS keys are now resolved in-process for embedded auth servers, improving reliability
• Upstream IDP token claims (e.g. GitHub login, Okta groups) can now be evaluated by Cedar policies

🛡️ Policy Enforcement

• Cedar policies now cover find_tool and call_tool operations in the optimizer — including filtering discovery results and authorizing inner tool calls
• Upstream token reader wired into vMCP OIDC auth middleware for end-to-end enforcement

🔑 Secrets & Storage

• New DataStorage interface with cleaner Upsert/Create semantics
• Session manager migrated to DataStorage with session restore support
• Scoped and user secret providers are now fully wired across all callers
• Crash-safe migration added for legacy system secret keys
• Migration window fallback added to ScopedProvider for smoother upgrades

📡 Telemetry

• New MCPTelemetryConfig CRD and controller for managing telemetry configuration
• Wired into MCPServer with inline deprecation support
• OTEL distributed tracing and optional Sentry integration added to the API server

🧩 CRD & Operator Improvements

• ObservedGeneration added to MCPServer, MCPGroup, and MCPRegistry status
• Printer columns added to all CRDs for better kubectl visibility
• categories=toolhive marker added across all CRDs for easier discovery
• Status conditions added to MCPToolConfig, with a top-level Ready condition on MCPServer

🔁 Deprecations (still work in v0.15.0, will be removed in v1beta1)

• spec.oidcConfig on MCPServer and VirtualMCPServer is deprecated in favour of spec.oidcConfigRef → shared MCPOIDCConfig
• spec.telemetry on MCPServer is deprecated in favour of spec.telemetryConfigRef → shared MCPTelemetryConfig

🔧 Dependencies & Security

• Security update: go-git bumped to v5.17.1
• Various dependency bumps: httprc, golang.org/x/time, sqlite, and more

👋 Welcome to our newest contributor @​samuv — great to have you on board! 🎉

🔗 Full changelog: stacklok/toolhive@v0.14.1...v0.15.0

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.