344 cors security headers #761

crivetimihai · 2025-08-16T19:22:37Z

Issues #344 & #533: Security Headers and CORS Configuration Implementation

Summary

Successfully implemented comprehensive security headers and CORS configuration for MCP Gateway to prevent common attacks including XSS, clickjacking, MIME sniffing, and cross-origin attacks. This implementation addresses both issue #344 (basic security headers) and issue #533 (configurable security headers for Admin UI) in a cohesive solution.

Implementation Overview

🔒 Configurable Security Headers Middleware

Created mcpgateway/middleware/security_headers.py with the SecurityHeadersMiddleware class that adds configurable security headers to all responses:

Headers Implemented (addressing all 9 nodejsscan findings):

X-Content-Type-Options: nosniff - Prevents MIME type sniffing attacks
X-Frame-Options: DENY - Prevents clickjacking attacks (configurable: DENY/SAMEORIGIN)
X-XSS-Protection: 0 - Modern browser CSP approach (configurable)
X-Download-Options: noopen - Prevents IE download execution (configurable)
Referrer-Policy: strict-origin-when-cross-origin - Controls referrer information
Content-Security-Policy - Comprehensive XSS and injection protection (Admin UI compatible)
Strict-Transport-Security - Forces HTTPS connections (configurable, HTTPS only)

Headers Removed:

X-Powered-By - Server technology disclosure (configurable removal)
Server - Server version information (configurable removal)

iframe Embedding Control:

Default: DENY - Prevents all iframe embedding for security
Configurable options:
- X_FRAME_OPTIONS=SAMEORIGIN - Allow same-domain embedding
- X_FRAME_OPTIONS="" - Disable frame protection (not recommended)
CSP complement - frame-ancestors 'none' provides additional protection

Admin UI Compatibility:

CSP allows required CDNs: Tailwind CSS, Alpine.js, Chart.js, CodeMirror
Meta tag support: Security policies also added as meta tags for static analysis tools
Dual implementation: Both HTTP headers (runtime) and meta tags (static analysis)

🌐 Environment-Aware CORS Configuration

Enhanced CORS configuration with intelligent environment-based origin management:

Development Environment:

Auto-configures origins: localhost:3000, localhost:8080, 127.0.0.1:3000, etc.
Includes gateway port automatically
HTTP origins allowed for development convenience

Production Environment:

HTTPS-only origins from APP_DOMAIN: https://domain.com, https://app.domain.com
No wildcard origins in production
Secure defaults enforced

🍪 Secure Cookie Utilities & Admin Integration

Created `mcpgateway/utils/security_cookies.py`:

set_auth_cookie() / clear_auth_cookie() - JWT token management
set_session_cookie() / clear_session_cookie() - Session management
Automatic security attributes: HttpOnly, Secure (production), SameSite

Updated `mcpgateway/admin.py`:

Replaced manual cookie setting with secure cookie utilities
Proper security attributes for Admin UI authentication
Environment-aware security (secure in production, configurable in development)

⚙️ Comprehensive Security Configuration

Enhanced mcpgateway/config.py with 15 new security settings:

# Environment & Domain
environment: str = "development"
app_domain: str = "localhost"

# Cookie Security  
secure_cookies: bool = True
cookie_samesite: str = "lax"

# CORS Configuration
cors_allow_credentials: bool = True

# Security Headers (all configurable)
security_headers_enabled: bool = True
x_frame_options: str = "DENY"
x_content_type_options_enabled: bool = True
x_xss_protection_enabled: bool = True
x_download_options_enabled: bool = True
hsts_enabled: bool = True
hsts_max_age: int = 31536000  # 1 year
hsts_include_subdomains: bool = True
remove_server_headers: bool = True

📁 Enhanced Environment Configuration

Single `.env.example` with Production Guidance:

Comprehensive documentation for all 15+ security settings
"PRODUCTION:" labels for critical security settings
Environment behavior explanations for automatic configuration
Security implications documented for each option
Best practice recommendations included

Example additions:

#####################################
# Security Headers Configuration
#####################################

# Enable security headers middleware (true/false)
SECURITY_HEADERS_ENABLED=true

# X-Frame-Options setting (DENY, SAMEORIGIN, or ALLOW-FROM uri)
# DENY: Prevents all iframe embedding (recommended for security)
# SAMEORIGIN: Allows embedding from same domain only
# To enable iframe embedding: Change to SAMEORIGIN or disable with ""
X_FRAME_OPTIONS=DENY

# HSTS (HTTP Strict Transport Security) settings  
HSTS_ENABLED=true
HSTS_MAX_AGE=31536000  # 1 year in seconds
HSTS_INCLUDE_SUBDOMAINS=true

# Remove server identification headers (true/false)
REMOVE_SERVER_HEADERS=true

🧪 Expanded Test Coverage

Enhanced test suite with 48 new tests across 4 test files:

New Test Files:

tests/security/test_security_headers.py - HTTP header behavior testing
tests/security/test_security_cookies.py - Cookie security validation
tests/security/test_standalone_middleware.py - Middleware isolation testing
tests/security/test_configurable_headers.py - Configuration option testing

Test Coverage Areas:

Individual header configuration - Each header can be enabled/disabled
Environment-aware behavior - Development vs production differences
Admin UI compatibility - CSP allows required resources
Static analysis compatibility - Meta tags complement HTTP headers
Backward compatibility - Existing configurations still work

🔧 Enhanced Static Analysis Support

Updated `make nodejsscan`:

Scans both static and template files for comprehensive coverage
Detects meta tags in HTML templates (2 fewer findings on templates)
Documents limitations of static analysis vs runtime security

Meta Tag Implementation:

Added security meta tags to mcpgateway/templates/admin.html:

<meta http-equiv="Content-Security-Policy" content="..." />
<meta http-equiv="X-Frame-Options" content="DENY" />
<meta http-equiv="X-Content-Type-Options" content="nosniff" />
<meta http-equiv="X-XSS-Protection" content="1; mode=block" />
<meta http-equiv="X-Download-Options" content="noopen" />

Security Implementation Status

✅ Issue #344 (Basic Security Headers):

✅ Essential security headers implemented
✅ Environment-aware CORS configuration
✅ Secure cookie utilities
✅ Production-ready defaults

✅ Issue #533 (Configurable Admin UI Security):

✅ Configurable security headers (15 settings)
✅ Admin UI cookie security updated
✅ Static analysis tool compatibility
✅ Meta tag support for nodejsscan
✅ Enhanced Makefile for comprehensive scanning

📊 nodejsscan Analysis Results:

Area	Before	After	Improvement
Static Files	9 findings	9 findings	HTTP headers not detectable by static analysis
Template Files	N/A	7 findings	Meta tags reduced findings by 2
Runtime Security	❌ None	✅ Complete	All 9 security measures implemented via HTTP headers

Remaining nodejsscan findings are expected limitations:

HSTS - HTTP header only (properly implemented)
Cookie HttpOnly - Python middleware only (properly implemented)
X-Powered-By removal - Runtime middleware only (properly implemented)
HPKP - Deprecated, should not be implemented

Architecture & Documentation

📋 Architecture Decision Record:

ADR-0014 - Documents technical decisions and trade-offs
Covers both issues [CHORE]: Implement additional security headers and CORS configuration #344 and [SECURITY FEATURE]: Add Additional Configurable Security Headers to APIs for Admin UI #533 comprehensively
Future enhancement guidance included

📚 Documentation Updated:

README.md - Enhanced security section with all new settings
SECURITY.md - Updated to reflect automatic security features
docs/docs/architecture/security-features.md - Marked issues as completed
docs/docs/architecture/roadmap.md - Updated issue status
docs/docs/manage/securing.md - Added configuration guidance

Deployment Notes

Configuration Approach:

Single .env.example file with comprehensive inline documentation for both development and production use, eliminating need for separate environment files.

Development:

ENVIRONMENT=development
SECURITY_HEADERS_ENABLED=true  # All headers enabled by default

Production:

ENVIRONMENT=production
APP_DOMAIN=yourdomain.com
MCPGATEWAY_UI_ENABLED=false     # PRODUCTION: Disable for security
MCPGATEWAY_ADMIN_API_ENABLED=false  # PRODUCTION: Disable for security
SECURE_COOKIES=true  # Automatically enforced in production

Testing & Verification

✅ Test Results:

1777/1788 tests passing (11 skipped expected)
48 new security tests - All passing
make test - Complete test suite passing
make verify - Package builds successfully
Security scans - Bandit shows no security issues

✅ Security Validation:

HTTP headers verified via live server testing
Admin UI compatibility confirmed
Cookie security validated
Static analysis support implemented
Environment-aware behavior tested

Security Benefits

Attack Prevention:

XSS Protection - CSP prevents script injection
Clickjacking Protection - X-Frame-Options prevents UI redressing (configurable for iframe embedding)
MIME Sniffing Prevention - X-Content-Type-Options stops content confusion
CSRF Protection - SameSite cookies prevent cross-site requests
Information Disclosure Prevention - Server headers removed
Download Security - X-Download-Options prevents IE execution

Compliance & Standards:

OWASP Guidelines - Follows web security best practices
Mozilla Observatory - Implements recommended headers
Static Analysis - Compatible with security scanning tools
Modern Browser Support - CSP-first approach for XSS prevention

Final Status

Status: ✅ COMPLETE - Both issues #344 and #533 fully implemented
Security Coverage: ✅ 9/9 nodejsscan findings addressed via HTTP headers
Configurability: ✅ 15 security settings for granular control
Admin UI: ✅ Fully compatible with enhanced security
Documentation: ✅ Comprehensive - ADR, README, security docs updated
Testing: ✅ 48 security tests - All passing
Production Ready: ✅ Yes - Secure defaults with configuration flexibility

This implementation provides enterprise-grade security with development-friendly defaults and full configurability as requested in both issues.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

* Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (#760) * Implement comprehensive fuzz testing automation (#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring #737 (#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs #737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

* Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

* Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (#760) * Implement comprehensive fuzz testing automation (#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring #737 (#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs #737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

…g Implementation (#786) * db.py update Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert alembic with main version Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * 138 view realtime logs in UI and export logs (CSV, JSON) (#747) * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI readme Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 749 reverse proxy (#750) * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * doctest improvements Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * (fix) Added missing prompts/get (#748) Signed-off-by: Ian Molloy <molloyim@us.ibm.com> * Adds RPC endpoints and updates RPC response and error handling (#746) * Fix rpc endpoints Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Remove commented code Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * remove duplicate code in session registry Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Linting fixes Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Fix tests Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * 753 fix tool invocation invalid method (#754) * Fix tool invocation 'Invalid method' error with backward compatibility (#753) - Add backward compatibility for direct tool invocation (pre-PR #746 format) - Support both old format (method=tool_name) and new format (method=tools/call) - Add comprehensive test coverage for RPC tool invocation scenarios - Ensure graceful fallback to gateway forwarding when method is not a tool The RPC endpoint now handles tool invocations in both formats: 1. New format: method='tools/call' with name and arguments in params 2. Old format: method='tool_name' with params as arguments (backward compat) This maintains compatibility with existing clients while supporting the new standardized RPC method structure introduced in PR #746. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix flake8 E722: Replace bare except with Exception Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: suppress bandit security warnings with appropriate nosec comments (#755) - Added nosec B105 for ENV_TOKEN as it's an environment variable name, not a hardcoded secret - Added nosec B110 for intentional exception swallowing in cleanup/error handling paths - Both cases are legitimate uses where errors should be silently ignored to prevent cascading failures Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add agents file Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * pylint (#759) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Remove redundant title in readme. (#757) Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> * Update documentation with fixed image tag Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 256 fuzz testing (#760) * Implement comprehensive fuzz testing automation (#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Bulk Import Tools modal wiring #737 (#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs #737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * Implemented configuration export (#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 185 186 import export (#769) * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: local network address translation in discovery module (#767) Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Well known (#770) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs with jsonrpc tutorial (#772) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 137 metadata timestamps (#776) * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Security headers CSP Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Display metadata for resources Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * eslint fix Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> * feat #262: MCP Langchain Agent (#781) * feat: Add bulk import UI modal for tools Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * feat: Add Langchain agent with OpenAI & A2A endpoints (refs #262) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * lint: prettier fix at ~L8090 (insert newline) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> --------- Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Issue 587/rest tool error (#778) * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * Rebase and lint / test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * edit column header (#777) Signed-off-by: Shoumi <shoumimukherjee@gmail.com> * Test case update (#775) * session_registry test case updates Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update for routers/reverse_proxy Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update to mcpgateway/reverse_proxy.py Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * Fix formatting issues from pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: add plugins cli, external plugin support, plugin template (#722) * feat: add support for external plugins Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat(plugins): add external mcp server and associated test cases. Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed yamllint issues Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed flake8 issue. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: define plugins cli and implement bootstrap command Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: implement install and package CLI commands Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: remote avoid insecure shell=True in subprocess invocation Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: move copier config to repository root Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: get default author from git config Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier settings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: copier config syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template modules Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: make template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: fix template issue Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: toml template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin mcp server initialization Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: init module for plugin framework Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add chuck runtime and container wrapping Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins config path Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add .env.template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add tools and resources support Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint yaml Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanups Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update manifest.in Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: linting Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin config variable Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(tests): fixed doctests for plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * refactor: external plugin server and plugin external API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs(plugins): removed subpackages from examples Signed-off-by: Teryl Taylor <terylt@ibm.com> * docs: update plugin docs to use public framework API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(plugin): added resource payloads to base plugin. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: udpate test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update tempalte makefile Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add template for native plugin Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add readme for native template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: force boostrap to be a subcommnand Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugin): added http streamable and error tests. Signed-off-by: Teryl Taylor <terylt@ibm.com> * tests: add tests for plugins CLI Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: deprecation warning Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add CLI tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: update plugin cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugins): added client hook tests for external plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * chore: update template readmes Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint docstrings in cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors in docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add external plugin server tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanup Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix cli dryrun test Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint issues Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix teardown of client http tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: skipping flaky tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: plugin lifecycle tools Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: add missing plugin lifecycle doc Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Experimental Oauth 2.0 support in gateway (#768) * Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (#760) * Implement comprehensive fuzz testing automation (#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring #737 (#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs #737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> * Fix pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 744 annotations (#784) * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: plugins template (#783) * feat: update context forge target in template's project dependencies Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: exclude jinja files from reformatting tabs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins cli defaults Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: revert formatted Makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add optional packages Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update plugin template docs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update template readme Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> --------- Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * web lint Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic change Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * remove addtional line Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * Rebase and fix Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Ian Molloy <molloyim@us.ibm.com> Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Shoumi <shoumimukherjee@gmail.com> Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: RAKHI DUTTA <rakdutta@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Ian Molloy <i.m.molloy@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Frederico Araujo <araujof@users.noreply.github.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Veeresh K <42322782+nmveeresh@users.noreply.github.com> Co-authored-by: Shoumi M <55126549+shoummu1@users.noreply.github.com> Co-authored-by: Mohan Lakshmaiah <mohan.economist@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Shamsul Arefin <shams@rijuk.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Claude <noreply@anthropic.com>

* Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

…g Implementation (IBM#786) * db.py update Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert alembic with main version Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * 138 view realtime logs in UI and export logs (CSV, JSON) (IBM#747) * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI readme Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 749 reverse proxy (IBM#750) * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * doctest improvements Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * (fix) Added missing prompts/get (IBM#748) Signed-off-by: Ian Molloy <molloyim@us.ibm.com> * Adds RPC endpoints and updates RPC response and error handling (IBM#746) * Fix rpc endpoints Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Remove commented code Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * remove duplicate code in session registry Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Linting fixes Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Fix tests Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * 753 fix tool invocation invalid method (IBM#754) * Fix tool invocation 'Invalid method' error with backward compatibility (IBM#753) - Add backward compatibility for direct tool invocation (pre-PR IBM#746 format) - Support both old format (method=tool_name) and new format (method=tools/call) - Add comprehensive test coverage for RPC tool invocation scenarios - Ensure graceful fallback to gateway forwarding when method is not a tool The RPC endpoint now handles tool invocations in both formats: 1. New format: method='tools/call' with name and arguments in params 2. Old format: method='tool_name' with params as arguments (backward compat) This maintains compatibility with existing clients while supporting the new standardized RPC method structure introduced in PR IBM#746. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix flake8 E722: Replace bare except with Exception Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: suppress bandit security warnings with appropriate nosec comments (IBM#755) - Added nosec B105 for ENV_TOKEN as it's an environment variable name, not a hardcoded secret - Added nosec B110 for intentional exception swallowing in cleanup/error handling paths - Both cases are legitimate uses where errors should be silently ignored to prevent cascading failures Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add agents file Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * pylint (IBM#759) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Remove redundant title in readme. (IBM#757) Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> * Update documentation with fixed image tag Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 185 186 import export (IBM#769) * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: local network address translation in discovery module (IBM#767) Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Well known (IBM#770) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs with jsonrpc tutorial (IBM#772) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 137 metadata timestamps (IBM#776) * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Security headers CSP Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Display metadata for resources Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * eslint fix Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> * feat IBM#262: MCP Langchain Agent (IBM#781) * feat: Add bulk import UI modal for tools Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * feat: Add Langchain agent with OpenAI & A2A endpoints (refs IBM#262) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * lint: prettier fix at ~L8090 (insert newline) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> --------- Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Issue 587/rest tool error (IBM#778) * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * Rebase and lint / test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * edit column header (IBM#777) Signed-off-by: Shoumi <shoumimukherjee@gmail.com> * Test case update (IBM#775) * session_registry test case updates Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update for routers/reverse_proxy Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update to mcpgateway/reverse_proxy.py Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * Fix formatting issues from pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: add plugins cli, external plugin support, plugin template (IBM#722) * feat: add support for external plugins Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat(plugins): add external mcp server and associated test cases. Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed yamllint issues Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed flake8 issue. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: define plugins cli and implement bootstrap command Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: implement install and package CLI commands Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: remote avoid insecure shell=True in subprocess invocation Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: move copier config to repository root Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: get default author from git config Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier settings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: copier config syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template modules Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: make template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: fix template issue Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: toml template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin mcp server initialization Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: init module for plugin framework Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add chuck runtime and container wrapping Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins config path Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add .env.template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add tools and resources support Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint yaml Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanups Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update manifest.in Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: linting Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin config variable Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(tests): fixed doctests for plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * refactor: external plugin server and plugin external API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs(plugins): removed subpackages from examples Signed-off-by: Teryl Taylor <terylt@ibm.com> * docs: update plugin docs to use public framework API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(plugin): added resource payloads to base plugin. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: udpate test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update tempalte makefile Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add template for native plugin Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add readme for native template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: force boostrap to be a subcommnand Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugin): added http streamable and error tests. Signed-off-by: Teryl Taylor <terylt@ibm.com> * tests: add tests for plugins CLI Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: deprecation warning Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add CLI tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: update plugin cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugins): added client hook tests for external plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * chore: update template readmes Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint docstrings in cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors in docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add external plugin server tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanup Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix cli dryrun test Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint issues Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix teardown of client http tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: skipping flaky tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: plugin lifecycle tools Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: add missing plugin lifecycle doc Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Experimental Oauth 2.0 support in gateway (IBM#768) * Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> * Fix pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 744 annotations (IBM#784) * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: plugins template (IBM#783) * feat: update context forge target in template's project dependencies Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: exclude jinja files from reformatting tabs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins cli defaults Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: revert formatted Makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add optional packages Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update plugin template docs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update template readme Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> --------- Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * web lint Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic change Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * remove addtional line Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * Rebase and fix Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Ian Molloy <molloyim@us.ibm.com> Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Shoumi <shoumimukherjee@gmail.com> Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: RAKHI DUTTA <rakdutta@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Ian Molloy <i.m.molloy@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Frederico Araujo <araujof@users.noreply.github.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Veeresh K <42322782+nmveeresh@users.noreply.github.com> Co-authored-by: Shoumi M <55126549+shoummu1@users.noreply.github.com> Co-authored-by: Mohan Lakshmaiah <mohan.economist@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Shamsul Arefin <shams@rijuk.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Claude <noreply@anthropic.com>

* Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

…g Implementation (IBM#786) * db.py update Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert alembic with main version Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * 138 view realtime logs in UI and export logs (CSV, JSON) (IBM#747) * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI readme Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 749 reverse proxy (IBM#750) * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * doctest improvements Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * (fix) Added missing prompts/get (IBM#748) Signed-off-by: Ian Molloy <molloyim@us.ibm.com> * Adds RPC endpoints and updates RPC response and error handling (IBM#746) * Fix rpc endpoints Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Remove commented code Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * remove duplicate code in session registry Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Linting fixes Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Fix tests Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * 753 fix tool invocation invalid method (IBM#754) * Fix tool invocation 'Invalid method' error with backward compatibility (IBM#753) - Add backward compatibility for direct tool invocation (pre-PR IBM#746 format) - Support both old format (method=tool_name) and new format (method=tools/call) - Add comprehensive test coverage for RPC tool invocation scenarios - Ensure graceful fallback to gateway forwarding when method is not a tool The RPC endpoint now handles tool invocations in both formats: 1. New format: method='tools/call' with name and arguments in params 2. Old format: method='tool_name' with params as arguments (backward compat) This maintains compatibility with existing clients while supporting the new standardized RPC method structure introduced in PR IBM#746. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix flake8 E722: Replace bare except with Exception Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: suppress bandit security warnings with appropriate nosec comments (IBM#755) - Added nosec B105 for ENV_TOKEN as it's an environment variable name, not a hardcoded secret - Added nosec B110 for intentional exception swallowing in cleanup/error handling paths - Both cases are legitimate uses where errors should be silently ignored to prevent cascading failures Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add agents file Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * pylint (IBM#759) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Remove redundant title in readme. (IBM#757) Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> * Update documentation with fixed image tag Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 185 186 import export (IBM#769) * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: local network address translation in discovery module (IBM#767) Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Well known (IBM#770) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs with jsonrpc tutorial (IBM#772) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 137 metadata timestamps (IBM#776) * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Security headers CSP Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Display metadata for resources Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * eslint fix Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> * feat IBM#262: MCP Langchain Agent (IBM#781) * feat: Add bulk import UI modal for tools Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * feat: Add Langchain agent with OpenAI & A2A endpoints (refs IBM#262) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * lint: prettier fix at ~L8090 (insert newline) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> --------- Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Issue 587/rest tool error (IBM#778) * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * Rebase and lint / test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * edit column header (IBM#777) Signed-off-by: Shoumi <shoumimukherjee@gmail.com> * Test case update (IBM#775) * session_registry test case updates Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update for routers/reverse_proxy Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update to mcpgateway/reverse_proxy.py Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * Fix formatting issues from pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: add plugins cli, external plugin support, plugin template (IBM#722) * feat: add support for external plugins Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat(plugins): add external mcp server and associated test cases. Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed yamllint issues Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed flake8 issue. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: define plugins cli and implement bootstrap command Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: implement install and package CLI commands Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: remote avoid insecure shell=True in subprocess invocation Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: move copier config to repository root Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: get default author from git config Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier settings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: copier config syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template modules Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: make template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: fix template issue Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: toml template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin mcp server initialization Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: init module for plugin framework Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add chuck runtime and container wrapping Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins config path Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add .env.template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add tools and resources support Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint yaml Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanups Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update manifest.in Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: linting Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin config variable Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(tests): fixed doctests for plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * refactor: external plugin server and plugin external API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs(plugins): removed subpackages from examples Signed-off-by: Teryl Taylor <terylt@ibm.com> * docs: update plugin docs to use public framework API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(plugin): added resource payloads to base plugin. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: udpate test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update tempalte makefile Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add template for native plugin Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add readme for native template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: force boostrap to be a subcommnand Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugin): added http streamable and error tests. Signed-off-by: Teryl Taylor <terylt@ibm.com> * tests: add tests for plugins CLI Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: deprecation warning Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add CLI tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: update plugin cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugins): added client hook tests for external plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * chore: update template readmes Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint docstrings in cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors in docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add external plugin server tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanup Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix cli dryrun test Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint issues Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix teardown of client http tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: skipping flaky tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: plugin lifecycle tools Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: add missing plugin lifecycle doc Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Experimental Oauth 2.0 support in gateway (IBM#768) * Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> * Fix pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 744 annotations (IBM#784) * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: plugins template (IBM#783) * feat: update context forge target in template's project dependencies Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: exclude jinja files from reformatting tabs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins cli defaults Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: revert formatted Makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add optional packages Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update plugin template docs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update template readme Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> --------- Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * web lint Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic change Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * remove addtional line Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * Rebase and fix Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Ian Molloy <molloyim@us.ibm.com> Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Shoumi <shoumimukherjee@gmail.com> Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: RAKHI DUTTA <rakdutta@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Ian Molloy <i.m.molloy@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Frederico Araujo <araujof@users.noreply.github.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Veeresh K <42322782+nmveeresh@users.noreply.github.com> Co-authored-by: Shoumi M <55126549+shoummu1@users.noreply.github.com> Co-authored-by: Mohan Lakshmaiah <mohan.economist@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Shamsul Arefin <shams@rijuk.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Claude <noreply@anthropic.com>

* Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

…g Implementation (IBM#786) * db.py update Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert alembic with main version Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * 138 view realtime logs in UI and export logs (CSV, JSON) (IBM#747) * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI readme Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 749 reverse proxy (IBM#750) * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * doctest improvements Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * (fix) Added missing prompts/get (IBM#748) Signed-off-by: Ian Molloy <molloyim@us.ibm.com> * Adds RPC endpoints and updates RPC response and error handling (IBM#746) * Fix rpc endpoints Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Remove commented code Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * remove duplicate code in session registry Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Linting fixes Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Fix tests Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * 753 fix tool invocation invalid method (IBM#754) * Fix tool invocation 'Invalid method' error with backward compatibility (IBM#753) - Add backward compatibility for direct tool invocation (pre-PR IBM#746 format) - Support both old format (method=tool_name) and new format (method=tools/call) - Add comprehensive test coverage for RPC tool invocation scenarios - Ensure graceful fallback to gateway forwarding when method is not a tool The RPC endpoint now handles tool invocations in both formats: 1. New format: method='tools/call' with name and arguments in params 2. Old format: method='tool_name' with params as arguments (backward compat) This maintains compatibility with existing clients while supporting the new standardized RPC method structure introduced in PR IBM#746. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix flake8 E722: Replace bare except with Exception Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: suppress bandit security warnings with appropriate nosec comments (IBM#755) - Added nosec B105 for ENV_TOKEN as it's an environment variable name, not a hardcoded secret - Added nosec B110 for intentional exception swallowing in cleanup/error handling paths - Both cases are legitimate uses where errors should be silently ignored to prevent cascading failures Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add agents file Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * pylint (IBM#759) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Remove redundant title in readme. (IBM#757) Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> * Update documentation with fixed image tag Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 185 186 import export (IBM#769) * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: local network address translation in discovery module (IBM#767) Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Well known (IBM#770) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs with jsonrpc tutorial (IBM#772) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 137 metadata timestamps (IBM#776) * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Security headers CSP Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Display metadata for resources Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * eslint fix Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> * feat IBM#262: MCP Langchain Agent (IBM#781) * feat: Add bulk import UI modal for tools Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * feat: Add Langchain agent with OpenAI & A2A endpoints (refs IBM#262) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * lint: prettier fix at ~L8090 (insert newline) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> --------- Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Issue 587/rest tool error (IBM#778) * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * Rebase and lint / test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * edit column header (IBM#777) Signed-off-by: Shoumi <shoumimukherjee@gmail.com> * Test case update (IBM#775) * session_registry test case updates Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update for routers/reverse_proxy Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update to mcpgateway/reverse_proxy.py Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * Fix formatting issues from pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: add plugins cli, external plugin support, plugin template (IBM#722) * feat: add support for external plugins Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat(plugins): add external mcp server and associated test cases. Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed yamllint issues Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed flake8 issue. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: define plugins cli and implement bootstrap command Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: implement install and package CLI commands Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: remote avoid insecure shell=True in subprocess invocation Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: move copier config to repository root Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: get default author from git config Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier settings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: copier config syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template modules Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: make template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: fix template issue Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: toml template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin mcp server initialization Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: init module for plugin framework Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add chuck runtime and container wrapping Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins config path Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add .env.template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add tools and resources support Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint yaml Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanups Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update manifest.in Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: linting Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin config variable Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(tests): fixed doctests for plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * refactor: external plugin server and plugin external API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs(plugins): removed subpackages from examples Signed-off-by: Teryl Taylor <terylt@ibm.com> * docs: update plugin docs to use public framework API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(plugin): added resource payloads to base plugin. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: udpate test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update tempalte makefile Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add template for native plugin Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add readme for native template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: force boostrap to be a subcommnand Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugin): added http streamable and error tests. Signed-off-by: Teryl Taylor <terylt@ibm.com> * tests: add tests for plugins CLI Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: deprecation warning Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add CLI tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: update plugin cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugins): added client hook tests for external plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * chore: update template readmes Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint docstrings in cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors in docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add external plugin server tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanup Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix cli dryrun test Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint issues Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix teardown of client http tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: skipping flaky tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: plugin lifecycle tools Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: add missing plugin lifecycle doc Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Experimental Oauth 2.0 support in gateway (IBM#768) * Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> * Fix pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 744 annotations (IBM#784) * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: plugins template (IBM#783) * feat: update context forge target in template's project dependencies Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: exclude jinja files from reformatting tabs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins cli defaults Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: revert formatted Makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add optional packages Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update plugin template docs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update template readme Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> --------- Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * web lint Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic change Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * remove addtional line Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * Rebase and fix Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Ian Molloy <molloyim@us.ibm.com> Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Shoumi <shoumimukherjee@gmail.com> Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: RAKHI DUTTA <rakdutta@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Ian Molloy <i.m.molloy@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Frederico Araujo <araujof@users.noreply.github.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Veeresh K <42322782+nmveeresh@users.noreply.github.com> Co-authored-by: Shoumi M <55126549+shoummu1@users.noreply.github.com> Co-authored-by: Mohan Lakshmaiah <mohan.economist@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Shamsul Arefin <shams@rijuk.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Claude <noreply@anthropic.com>

crivetimihai added 9 commits August 16, 2025 19:39

Update CORS

a70a4ad

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Update CORS

e4e54f6

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Update CORS ADRs

007e569

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Update CORS

04958a8

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Update CORS

4e22a39

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Fix compose

88e2325

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Update helm chart

4fa9f84

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Update CORS docs

5fd7799

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Update test

acc4c03

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

crivetimihai marked this pull request as ready for review August 17, 2025 08:40

crivetimihai requested review from kevalmahajan and madhav165 as code owners August 17, 2025 08:40

crivetimihai requested a review from terylt August 17, 2025 08:40

crivetimihai merged commit a4e390c into main Aug 17, 2025
37 checks passed

crivetimihai deleted the 344-cors-security-headers branch August 17, 2025 08:50

This was referenced Aug 17, 2025

[AUTH FEATURE]: HTTP Header Passthrough (forward headers to MCP server) #208

Closed

[SECURITY FEATURE]: Add Additional Configurable Security Headers to APIs for Admin UI #533

Closed

crivetimihai self-assigned this Aug 17, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

344 cors security headers #761

344 cors security headers #761

Uh oh!

crivetimihai commented Aug 16, 2025 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

344 cors security headers #761

344 cors security headers #761

Uh oh!

Conversation

crivetimihai commented Aug 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Issues #344 & #533: Security Headers and CORS Configuration Implementation

Summary

Implementation Overview

🔒 Configurable Security Headers Middleware

Headers Implemented (addressing all 9 nodejsscan findings):

Headers Removed:

iframe Embedding Control:

Admin UI Compatibility:

🌐 Environment-Aware CORS Configuration

Development Environment:

Production Environment:

🍪 Secure Cookie Utilities & Admin Integration

Created mcpgateway/utils/security_cookies.py:

Updated mcpgateway/admin.py:

⚙️ Comprehensive Security Configuration

📁 Enhanced Environment Configuration

Single .env.example with Production Guidance:

🧪 Expanded Test Coverage

New Test Files:

Test Coverage Areas:

🔧 Enhanced Static Analysis Support

Updated make nodejsscan:

Meta Tag Implementation:

Security Implementation Status

✅ Issue #344 (Basic Security Headers):

✅ Issue #533 (Configurable Admin UI Security):

📊 nodejsscan Analysis Results:

Architecture & Documentation

📋 Architecture Decision Record:

📚 Documentation Updated:

Deployment Notes

Configuration Approach:

Development:

Production:

Testing & Verification

✅ Test Results:

✅ Security Validation:

Security Benefits

Attack Prevention:

Compliance & Standards:

Final Status

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

crivetimihai commented Aug 16, 2025 •

edited

Loading

Created `mcpgateway/utils/security_cookies.py`:

Updated `mcpgateway/admin.py`:

Single `.env.example` with Production Guidance:

Updated `make nodejsscan`: