fix(deps): update module github.com/stacklok/toolhive to v0.9.3

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/stacklok/toolhive	v0.8.2 → v0.9.3

---

Release Notes

stacklok/toolhive (github.com/stacklok/toolhive)

v0.9.3

Compare Source

What's Changed

• Fix Helm chart OCI publish path to match original registry location by @​ChrisJBurns in #​3635
• Add structured status conditions for ToolConfigRef and ExternalAuthConfigRef validation by @​ChrisJBurns in #​3634
• Fix ServiceAccount secret accumulation on OpenShift by @​ChrisJBurns in #​3627
• Bump e2e test lifecycle timeout as a stopgap by @​jhrozek in #​3675
• Use ServerExtensions type in registry format converters by @​rdimitrov in #​3673
• Simplify authserver's upstream provider interface by @​jhrozek in #​3638
• Add SigV4 request signing for AWS API authentication by @​jhrozek in #​3658
• Make base images for protocol builds configurable. by @​dmjb in #​3662
• Refactor MCPRemoteProxy integration tests with shared helpers by @​ChrisJBurns in #​3679
• Accept ECDSA signing keys in JWKS token validation by @​tgrunnagle in #​3674
• fix(proxy): Rewrite Host header for backends with strict host validation by @​jerm-dro in #​3688
• Fix data race in TokenValidator.ensureOIDCDiscovered by @​rdimitrov in #​3693
• Update registry from toolhive-registry release v2026.02.08 by @​github-actions[bot] in #​3695
• Update module github.com/lestrrat-go/httprc/v3 to v3.0.4 by @​renovate[bot] in #​3694
• Update anthropics/claude-code-action digest to 6c61301 by @​renovate[bot] in #​3696
• Update module golang.org/x/oauth2 to v0.35.0 by @​renovate[bot] in #​3697
• Enable parallel runners for golangci-lint by @​JAORMX in #​3701
• Update registry from toolhive-registry release v2026.02.09 by @​github-actions[bot] in #​3699
• Exclude unhealthy backends from vMCP capability aggregation by @​yrobla in #​3642
• Update module golang.org/x/sys to v0.41.0 by @​renovate[bot] in #​3698
• Remove unused MCPServerConfig struct by @​JAORMX in #​3704
• Update module github.com/stacklok/toolhive-core to v0.0.3 by @​renovate[bot] in #​3703
• Rename MCPClient type to ClientApp by @​JAORMX in #​3700
• Rename mcpClientConfig to clientAppConfig by @​JAORMX in #​3707
• Remove redundant expectedCount field from discovery tests by @​yrobla in #​3705
• Add SKILL.md parser and skill directory validator by @​JAORMX in #​3702
• Add HTTP-based PDP authorizer by @​ghaskins in #​3315
• Fix imagePullSecrets propagation to ProxyRunner by @​Sanskarzz in #​3557
• Update module github.com/go-git/go-git/v5 to v5.16.5 by @​renovate[bot] in #​3710
• Release v0.9.3 by @​stacklokbot in #​3711

Full Changelog: stacklok/toolhive@v0.9.2...v0.9.3

v0.9.2

Compare Source

What's Changed

• Add omitempty to UserinfoEndpoint JSON tag by @​jhrozek in #​3601
• Integration Tests for Embedded Auth Server by @​tgrunnagle in #​3556
• Adopt env package from toolhive-core by @​JAORMX in #​3572
• Fix audit middleware file handle leak on shutdown by @​jhrozek in #​3074
• Update registry from toolhive-registry release v2026.02.05 by @​github-actions[bot] in #​3612
• Add circuit breaker pattern to vMCP health monitoring by @​yrobla in #​3528
• add private Git repository authentication for MCPRegistry by @​ChrisJBurns in #​3577
• Update opentelemetry-go monorepo by @​renovate[bot] in #​3558
• Add bearer token support for remote auth proxy by @​jhrozek in #​3386
• Add token endpoint error handling integration tests by @​jhrozek in #​3611
• Align authserver DCR client scopes with discovery scopes_supported by @​jhrozek in #​3610
• Add shortNames to MCPServer CRD for consistency by @​Nashon-Steffen in #​3605
• Add TOML config file support with array-of-tables format by @​aponcedeleonch in #​3596
• Fix proxy hang on kubectl attach EOF by @​rcdailey in #​3584
• Add TOML nested tables format support by @​aponcedeleonch in #​3597
• Extract atomic file write utility to shared fileutils package by @​aponcedeleonch in #​3613
• Consolidate file locking and fix error handling in config_editor.go by @​aponcedeleonch in #​3617
• Update module github.com/go-chi/chi/v5 to v5.2.5 by @​renovate[bot] in #​3619
• Add code-server as a supported client by @​dmjb in #​3618
• Consolidate path traversal protection in one place by @​dmjb in #​3620
• Upstream Token Swap Middleware by @​tgrunnagle in #​3606
• Change workload manager to follow logging best practices by @​dmjb in #​3621
• Ensure API E2E tests clean up after themselves by @​dmjb in #​3588
• Bump Go to 1.25.7 to fix crypto/tls vulnerability (GO-2026-4337) by @​ChrisJBurns in #​3632
• Add OIDC provider methods and ID token validation by @​jhrozek in #​3580
• Add lazy OIDC discovery with retry by @​jhrozek in #​3579
• Add CEL-based AWS STS role mapper for claim-based IAM role selection by @​jhrozek in #​3609
• fix(#​3636): allow composite tools to use filtered backend tools by @​jerm-dro in #​3637
• Implement bearer token controller logic and environment variable management by @​amirejaz in #​3487
• Complete vMCP circuit breaker configuration and testing by @​yrobla in #​3615
• Update registry from toolhive-registry release v2026.02.06 by @​github-actions[bot] in #​3641
• Update module github.com/aws/aws-sdk-go-v2 to v1.41.1 by @​renovate[bot] in #​3640
• Add MistralVibe and Codex client configurations by @​aponcedeleonch in #​3594
• Update anthropics/claude-code-action digest to 006aaf2 by @​renovate[bot] in #​3633
• Update ghcr.io/stacklok/thv-registry-api Docker tag to v0.5.3 by @​renovate[bot] in #​3626
• Update anthropics/claude-code-action digest to b113f49 by @​renovate[bot] in #​3643
• Standardize proxy port field in MCPRemoteProxy by @​slyt3 in #​3257
• Consolidate list of supported clients in one place by @​dmjb in #​3644
• Add skill domain types, service interface, and HTTP client stub by @​JAORMX in #​3660
• Update renovate config to keep go.mod up to date by @​dmjb in #​3664
• Add hidden skill CLI command stubs by @​JAORMX in #​3668
• Add skill REST API route stubs and ServerBuilder wiring by @​JAORMX in #​3666
• Add Clients field to InstalledSkill by @​JAORMX in #​3667
• run task docs by @​JAORMX in #​3669
• Fix flakey unit tests by @​dmjb in #​3665
• Add missing mocks for skills service by @​dmjb in #​3670
• Bump Alpine base image in Go template to latest, pin by @​dmjb in #​3657
• Add publisher-provided extensions types and nested Kubernetes metadata by @​rdimitrov in #​3671
• Release v0.9.2 by @​stacklokbot in #​3672

New Contributors

• @​Nashon-Steffen made their first contribution in #​3605
• @​rcdailey made their first contribution in #​3584

Full Changelog: stacklok/toolhive@v0.9.1...v0.9.2

v0.9.1

Compare Source

What's Changed

• Update the arch docs for the registry by @​rdimitrov in #​3550
• Fix CRD Docs by @​aponcedeleonch in #​3555
• Embedded Auth Server Runner Integration by @​tgrunnagle in #​3540
• Integrate Embedded Auth Server with Runner by @​tgrunnagle in #​3541
• Adopt httperr from toolhive-core for HTTP error handling by @​JAORMX in #​3551
• Update proxy logging by @​eleftherias in #​3561
• Adopt validation package from toolhive-core by @​JAORMX in #​3564
• Update logging for transport, telemetry and auth by @​eleftherias in #​3565
• Add Google Gemini CLI client support with dynamic URL field mapping by @​aponcedeleonch in #​3552
• Add OIDC provider upstream support to authserver by @​jhrozek in #​3562
• Bump releaseo to v0.0.3 and preserve original release actor through workflow chain by @​danbarr in #​3560
• Fix the releaseo binary release version by @​danbarr in #​3575
• Update middleware documentation for completeness and accuracy by @​JAORMX in #​3554
• Update actions/checkout digest to de0fac2 by @​renovate[bot] in #​3576
• Add toolhive-release skill for automated release workflow by @​JAORMX in #​3549
• Add schema for the publisher provided toolhive extensions by @​rdimitrov in #​3581
• Update anthropics/claude-code-action digest to 6867bb3 by @​renovate[bot] in #​3578
• chore: fix SECURITY.md file extension casing by @​JAORMX in #​3587
• Update code reviewer agent by @​eleftherias in #​3585
• Add CLI validation for Desktop app alignment by @​samuv in #​3535
• Isolate PID file logic into statuses package by @​dmjb in #​3589
• Add inspector auto-cleanup on interrupt by @​carlos-gn in #​3573
• Update anchore/sbom-action action to v0.22.2 by @​renovate[bot] in #​3598
• Update module github.com/stacklok/toolhive-core to v0.0.2 by @​renovate[bot] in #​3595
• Fix zombie process when proxy stops due to health check failure by @​gkatz2 in #​3543
• Fix status file corruption issues by @​dmjb in #​3590
• Fix version discrepency by @​dmjb in #​3600
• Remove the helm chart bump skill by @​dmjb in #​3602
• uses prefix for app version by @​ChrisJBurns in #​3603
• Release v0.9.1 by @​stacklokbot in #​3604

Full Changelog: stacklok/toolhive@v0.9.0...v0.9.1

v0.9.0

Compare Source

What's Changed

• Update stacklok/releaseo action to v0.0.2 by @​renovate[bot] in #​3521
• triggers docs at the end of the release workflow by @​ChrisJBurns in #​3523
• Add core OAuth authorization server interface and implementation by @​jhrozek in #​3513
• Limit RBAC permissions for inline mode VirtualMCPServers by @​yrobla in #​3504
• Update module github.com/onsi/gomega to v1.39.1 by @​renovate[bot] in #​3526
• Update anthropics/claude-code-action digest to 01e756b by @​renovate[bot] in #​3525
• Update module github.com/onsi/ginkgo/v2 to v2.28.1 by @​renovate[bot] in #​3527
• Implement ExcludeAll feature for VirtualMCPServer tool filtering by @​JAORMX in #​3499
• Fix flakey unit tests by @​dmjb in #​3512
• Add bulk group operations to workloads api tests by @​dmjb in #​3514
• Fix proxyMode for direct transports to match transportType by @​amirejaz in #​3532
• Drop unused env file field in runconfig by @​dmjb in #​2215
• Add E2E tests for secrets management by @​dmjb in #​3485
• Add generic PrefixHandlers to transport config by @​tgrunnagle in #​3524
• Add embeddedAuthServer type to MCPExternalAuthConfig CRD by @​tgrunnagle in #​3488
• Persist DCR client credentials for OAuth session restoration by @​flfeurmou-indeed in #​3418
• Add Embedded Auth Server Configuration Support to Operator by @​tgrunnagle in #​3520
• Update module github.com/cedar-policy/cedar-go to v1.4.1 by @​renovate[bot] in #​3536
• fix: add custom YAML unmarshalers for registry metadata types by @​JAORMX in #​3545
• Update anthropics/claude-code-action digest to 70e16de by @​renovate[bot] in #​3537
• Fix OAuth token refresh context cancellation by @​gkatz2 in #​3539
• Update API logging by @​eleftherias in #​3547
• Update logs and proxy CLI logging by @​eleftherias in #​3546
• Add OAuth authorization server integration tests by @​jhrozek in #​3531
• Release v0.9.0 by @​stacklokbot in #​3548

New Contributors

• @​gkatz2 made their first contribution in #​3539

Full Changelog: stacklok/toolhive@v0.8.3...v0.9.0

v0.8.3

Compare Source

Unified Versioning

Starting with this release, all ToolHive components now share the same version number:

• CLI (thv)
• Container images
• Helm charts (toolhive-operator, toolhive-operator-crds)

The Helm charts now also reference container images with the same version tag, ensuring complete version alignment across the entire stack.

Why some versions appear to have "skipped"

You may notice that some components jumped version numbers:

Component	Previous Version	New Version
CLI	v0.8.2	v0.8.3
Container images	v0.8.2	v0.8.3
toolhive-operator chart	0.5.28	0.8.3
toolhive-operator-crds chart	0.0.106	0.8.3

This is expected. We unified all version numbers to simplify tracking and ensure consistency across the project. The actual changes in this release are patch-level—there are no breaking changes or major new features that would warrant the version jumps.

Benefits of unified versioning

• Simpler compatibility tracking: All components with the same version are guaranteed to work together
• Easier upgrades: No need to cross-reference compatibility matrices
• Clearer release communication: One version number for the entire release
• Chart and image alignment: Helm charts now deploy container images with matching version tags

Ref: #​1779

Future Simplification

We also have plans in the near future to remove the toolhive-operator-crds Chart in favour of a single toolhive-operator Chart. This is made possible by improvements in the CRD package and installation capabilities and allows us to simpify the experience for users by reducing the number of Charts they have to maintain their use of.

What's Changed

• Update anchore/sbom-action action to v0.22.1 by @​renovate[bot] in #​3465
• Update build and group commands logging strategy by @​eleftherias in #​3461
• Add configurable UserInfo field mapping and UserInfo support for authserver's OAuth provider by @​jhrozek in #​3466
• Integrate status reporting into vMCP runtime by @​yrobla in #​3457
• Update alpine Docker tag to v3.23.3 by @​renovate[bot] in #​3475
• Update registry from toolhive-registry release v2026.01.28 by @​github-actions[bot] in #​3473
• Remove unused docker image manager by @​eleftherias in #​3477
• Update anthropics/claude-code-action digest to 2817c54 by @​renovate[bot] in #​3476
• Update client commands logging strategy by @​eleftherias in #​3478
• Add PR size guidelines to prevent oversized PRs by @​dmjb in #​3482
• Add registry validation and structured errors by @​dmjb in #​3479
• Infrastructure improvements and bugfixes for vMCP by @​therealnb in #​3439
• E2E test case for discovery API by @​dmjb in #​3459
• Add CODEOWNERS by @​JAORMX in #​3483
• Update docker/login-action action to v3.7.0 by @​renovate[bot] in #​3484
• fix(vmcp): vmcp creates authz middleware by @​jerm-dro in #​3474
• Add authserver configuration with validation and auto-generation by @​jhrozek in #​3472
• Add headerForward to MCPRemoteProxy CRD by @​jhrozek in #​3458
• Update Go version to 1.25.6 to fix security vulnerabilities by @​ChrisJBurns in #​3490
• Update registry from toolhive-registry release v2026.01.28 by @​github-actions[bot] in #​3496
• Add deploying-vmcp-locally skill by @​jerm-dro in #​3494
• Update anthropics/claude-code-action digest to ff34ce0 by @​renovate[bot] in #​3498
• Add headerForward to workloads REST API by @​jhrozek in #​3495
• adds VERSION file ready for release process improvements by @​ChrisJBurns in #​3489
• Update module github.com/golang-jwt/jwt/v5 to v5.3.1 by @​renovate[bot] in #​3491
• Update actions/cache digest to cdf6c1f by @​renovate[bot] in #​3500
• Introduce service layer and improve API/CLI error handling by @​dmjb in #​3480
• Simplify controller and add E2E tests for status reporting by @​yrobla in #​3468
• Remove RedHat images by @​dmjb in #​3502
• Update swagger docs for registry API by @​dmjb in #​3503
• adds release action for creating release prs by @​ChrisJBurns in #​3505
• adds action that creates a release tag when release pr merged by @​ChrisJBurns in #​3506
• Remove unused message field from registry api by @​eleftherias in #​3507
• Improves Helm Chart workflows on PR / main runs by @​ChrisJBurns in #​3508
• Update config and secrets CLI logging by @​eleftherias in #​3509
• Replace string matching with JSON parsing in isRemoteWorkload - issue - 2941 by @​deepika1214 in #​2968
• Remove remaining references to UBI builds by @​dmjb in #​3510
• fix(vmcp) - template validation with functions by @​jerm-dro in #​3492
• Add unified Helm chart publishing to release workflow by @​ChrisJBurns in #​3511
• aligns versions of images to latest toolhive release by @​ChrisJBurns in #​3519
• Release v0.8.3 by @​stacklokbot in #​3522

New Contributors

• @​stacklokbot made their first contribution in #​3522

Full Changelog: stacklok/toolhive@v0.8.2...v0.8.3

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 18 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.5 -> 1.25.7
github.com/cedar-policy/cedar-go	v1.4.0 -> v1.4.1
github.com/golang-jwt/jwt/v5	v5.3.0 -> v5.3.1
github.com/grpc-ecosystem/grpc-gateway/v2	v2.27.3 -> v2.27.7
github.com/lestrrat-go/httprc/v3	v3.0.3 -> v3.0.4
github.com/prometheus/common	v0.67.4 -> v0.67.5
go.opentelemetry.io/otel	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/exporters/prometheus	v0.61.0 -> v0.62.0
go.opentelemetry.io/otel/metric	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/sdk	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/sdk/metric	v1.39.0 -> v1.40.0
go.opentelemetry.io/otel/trace	v1.39.0 -> v1.40.0
golang.org/x/oauth2	v0.34.0 -> v0.35.0
golang.org/x/sys	v0.40.0 -> v0.41.0
google.golang.org/genproto/googleapis/api	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20260128011058-8636f8732409
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251222181119-0a764e51fe1b -> v0.0.0-20260128011058-8636f8732409

[github-actions]

🔒 MCP Security Scan Results

⚠️ No MCP servers were scanned in this PR.