ARTEMIS-X Bump mockserver.version from 7.1.0 to 7.2.0 #6534

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/mockserver.version-7.2.0

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Contributor

Bumps mockserver.version from 7.1.0 to 7.2.0.
Updates org.mock-server:mockserver-netty from 7.1.0 to 7.2.0

Updates org.mock-server:mockserver-core from 7.1.0 to 7.2.0

Release notes

Sourced from org.mock-server:mockserver-core's releases.

MockServer 7.2.0

[7.2.0] - 2026-06-22

Security

  • Control-plane role-based authorization (off by default). With controlPlaneAuthorizationEnabled and a controlPlaneScopeMapping (e.g. platform-admins=admin,qa-team=mutate,viewers=read), an authenticated principal's scopes/groups are mapped to one of three hierarchical roles (admin, mutate, read): reads require read, every mutating operation requires mutate, and a principal lacking the role gets 403 Forbidden (recorded in the audit log). Fail-closed — use together with control-plane OIDC authentication. Covers all HttpState.handle operations plus the Netty-serviced /mockserver/configuration, /openapi.yaml and /llm/optimisationReport reads/writes. Not yet covered: the lifecycle endpoints (/bind, /stop, /status) and per-tool MCP authorization. See docs/code/tls-and-security.md.
  • JWT control-plane validation rejects HMAC algorithms. JWTValidator verifies against a public-key JWK set, so it now accepts only asymmetric algorithms (RS*/ES*/PS*/EdDSA) and rejects HMAC (HS256/384/512), closing an algorithm-confusion forgery vector. Switch to an asymmetric key if you relied on HMAC.
  • SCIM bearer-token enforcement now fails closed. When enforcement is enabled but no expected token is configured, requests are rejected instead of accepting any token, and the comparison is constant-time.
  • Opt-in secret redaction in the event log and dashboard (redactSecretsInLog, default off). Masks sensitive header values (Authorization, Cookie, x-api-key, …) and configured JSON body fields in retrieved/exported logs and the dashboard event view. Matching and verification still see the original values, so behaviour is unchanged.
  • Dashboard dompurify pinned to 3.4.11 via an npm overrides entry, clearing all 16 open Dependabot DOMPurify advisories (mXSS / DOM-clobbering / prototype-pollution).

Added

AI, LLM & agent protocols (LLM / MCP / A2A)

  • LLM and MCP mock builders in every client. Idiomatic LLM-mocking (completions, tool calls, streaming physics, usage, embeddings, multi-turn conversations, provider failover) and MCP-server-mocking (tools, resources, prompts over JSON-RPC 2.0) builders are now available in all eight clients (Java, Node, Python, Ruby, Go, Rust, .NET, PHP), all producing the same wire JSON.
  • LLM optimisation export. Proxy your agent's LLM calls through MockServer, then export a one-click optimisation brief (Markdown) or structured JSON bundle (LlmOptimisationReport) from captured traffic. Nine deterministic signals detect repeated system prompts, low cache-hit rates, unused tool schema, model overspend, large resent context, deterministic tool calls, oversized tool results, output-token bloat and duplicate calls — each with token counts, estimated USD saving, and structured fix guidance (copy-paste config snippet or example expectation where applicable). An in-product verdict (A–F grade and "$X recoverable" headline computed via per-call MAX attribution so the total is always ≤ actual spend) and two new session KPIs (cache-hit rate and one-shot rate) appear in the dashboard and the Markdown brief. New LLM Optimise dashboard screen (with verdict banner, "Copy verdict" button, and updated hero cards), GET /mockserver/llm/optimisationReport endpoint, and export_optimisation_report MCP tool. Export-only and deterministic; secrets are redacted. The Anthropic codec now maps the top-level system field so cache and repeated-prompt signals fire on Anthropic traffic.
  • More embedding providers and rerank mocking. httpLlmResponse embeddings now cover Gemini, Ollama and Bedrock (Titan / Cohere-on-Bedrock) in addition to OpenAI/Azure, all deterministic and L2-normalised. A new rerank action mocks Cohere and Voyage rerank endpoints in the provider-correct envelope.

... (truncated)

Changelog

Sourced from org.mock-server:mockserver-core's changelog.

[7.2.0] - 2026-06-22

Security

  • Control-plane role-based authorization (off by default). With controlPlaneAuthorizationEnabled and a controlPlaneScopeMapping (e.g. platform-admins=admin,qa-team=mutate,viewers=read), an authenticated principal's scopes/groups are mapped to one of three hierarchical roles (admin, mutate, read): reads require read, every mutating operation requires mutate, and a principal lacking the role gets 403 Forbidden (recorded in the audit log). Fail-closed — use together with control-plane OIDC authentication. Covers all HttpState.handle operations plus the Netty-serviced /mockserver/configuration, /openapi.yaml and /llm/optimisationReport reads/writes. Not yet covered: the lifecycle endpoints (/bind, /stop, /status) and per-tool MCP authorization. See docs/code/tls-and-security.md.
  • JWT control-plane validation rejects HMAC algorithms. JWTValidator verifies against a public-key JWK set, so it now accepts only asymmetric algorithms (RS*/ES*/PS*/EdDSA) and rejects HMAC (HS256/384/512), closing an algorithm-confusion forgery vector. Switch to an asymmetric key if you relied on HMAC.
  • SCIM bearer-token enforcement now fails closed. When enforcement is enabled but no expected token is configured, requests are rejected instead of accepting any token, and the comparison is constant-time.
  • Opt-in secret redaction in the event log and dashboard (redactSecretsInLog, default off). Masks sensitive header values (Authorization, Cookie, x-api-key, …) and configured JSON body fields in retrieved/exported logs and the dashboard event view. Matching and verification still see the original values, so behaviour is unchanged.
  • Dashboard dompurify pinned to 3.4.11 via an npm overrides entry, clearing all 16 open Dependabot DOMPurify advisories (mXSS / DOM-clobbering / prototype-pollution).

Added

AI, LLM & agent protocols (LLM / MCP / A2A)

  • LLM and MCP mock builders in every client. Idiomatic LLM-mocking (completions, tool calls, streaming physics, usage, embeddings, multi-turn conversations, provider failover) and MCP-server-mocking (tools, resources, prompts over JSON-RPC 2.0) builders are now available in all eight clients (Java, Node, Python, Ruby, Go, Rust, .NET, PHP), all producing the same wire JSON.
  • LLM optimisation export. Proxy your agent's LLM calls through MockServer, then export a one-click optimisation brief (Markdown) or structured JSON bundle (LlmOptimisationReport) from captured traffic. Nine deterministic signals detect repeated system prompts, low cache-hit rates, unused tool schema, model overspend, large resent context, deterministic tool calls, oversized tool results, output-token bloat and duplicate calls — each with token counts, estimated USD saving, and structured fix guidance (copy-paste config snippet or example expectation where applicable). An in-product verdict (A–F grade and "$X recoverable" headline computed via per-call MAX attribution so the total is always ≤ actual spend) and two new session KPIs (cache-hit rate and one-shot rate) appear in the dashboard and the Markdown brief. New LLM Optimise dashboard screen (with verdict banner, "Copy verdict" button, and updated hero cards), GET /mockserver/llm/optimisationReport endpoint, and export_optimisation_report MCP tool. Export-only and deterministic; secrets are redacted. The Anthropic codec now maps the top-level system field so cache and repeated-prompt signals fire on Anthropic traffic.
  • More embedding providers and rerank mocking. httpLlmResponse embeddings now cover Gemini, Ollama and Bedrock (Titan / Cohere-on-Bedrock) in addition to OpenAI/Azure, all deterministic and L2-normalised. A new rerank action mocks Cohere and Voyage rerank endpoints in the provider-correct envelope.
  • MockServer's MCP control plane gains prompts/list, prompts/get and sampling/createMessage over

... (truncated)

Commits
  • 64620f2 release: set version 7.2.0
  • b136b6f fix(site): strip heading <br/> from browser tab title and meta tags
  • 0cc34da docs(ui): regenerate dashboard screenshots for current UI
  • a0613d0 improve layout of page title
  • 58c6236 feat(llm): in-product optimisation verdict + cache/model/tool-schema signals
  • ebf7164 perf(ui): code-split Monaco editor out of the main dashboard bundle
  • 33be4c0 perf(ui): cap demo JVM heap and unmount collapsed log group children
  • 0687294 docs(ui): regenerate dashboard screenshots for current UI
  • d752e31 feat(ui): load-scenario codegen uses rich client builders + live incremental ...
  • 43b04c4 feat(ui): split Performance panel into Run & Monitor and Author sub-tabs
  • Additional commits viewable in compare view

Updates org.mock-server:mockserver-client-java from 7.1.0 to 7.2.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
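
Two of the fail-closed checks described in the Security notes above (asymmetric-only JWT algorithms and bearer-token enforcement), sketched in Python as an added example. This is not MockServer's code; the function names, the explicit algorithm list and the sample tokens are assumptions made for illustration.

```python
import base64
import hmac
import json

# Explicit expansion of the RS*/ES*/PS*/EdDSA families (assumed list, not MockServer's).
ASYMMETRIC_ALGS = frozenset(
    [f"{fam}{bits}" for fam in ("RS", "ES", "PS") for bits in (256, 384, 512)] + ["EdDSA"]
)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(header: dict) -> str:
    """Constructed, unsigned sample JWT: only the header matters for the alg check."""
    payload = {"sub": "sample-user"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(payload).encode()), "c2ln"])

def jwt_alg_allowed(token: str) -> bool:
    """Gate to run before signature verification against a public-key JWK set.

    An HS* token must never reach a verifier holding public keys, because the
    public key would then be used as the shared HMAC secret.
    """
    try:
        segment = token.split(".")[0]
        header = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON: reject
        return False
    # Allow-list, so "none", HS256/384/512 and unknown names all fail closed.
    alg = header.get("alg") if isinstance(header, dict) else None
    return isinstance(alg, str) and alg in ASYMMETRIC_ALGS

def bearer_token_ok(presented, expected, enforce: bool = True) -> bool:
    """Bearer-token check that fails closed when no expected token is configured."""
    if not enforce:
        return True
    if not expected or presented is None:
        return False  # enforcement on but nothing to compare against: reject
    # Constant-time comparison; bytes avoid compare_digest's ASCII-only str rule.
    return hmac.compare_digest(presented.encode(), expected.encode())
```
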

Bumps `mockserver.version` from 7.1.0 to 7.2.0.

Updates `org.mock-server:mockserver-netty` from 7.1.0 to 7.2.0

Updates `org.mock-server:mockserver-core` from 7.1.0 to 7.2.0
- [Release notes](https://github.com/mock-server/mockserver-monorepo/releases)
- [Changelog](https://github.com/mock-server/mockserver-monorepo/blob/master/changelog.md)
- [Commits](mock-server/mockserver-monorepo@mockserver-7.1.0...mockserver-7.2.0)

Updates `org.mock-server:mockserver-client-java` from 7.1.0 to 7.2.0

---
updated-dependencies:
- dependency-name: org.mock-server:mockserver-netty
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.mock-server:mockserver-core
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.mock-server:mockserver-client-java
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 23, 2026
@jbertram jbertram closed this Jun 23, 2026
dependabot Bot commented on behalf of github Jun 23, 2026

Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/maven/mockserver.version-7.2.0 branch June 23, 2026 15:24