Update stacklok/toolhive to v0.33.0 #1005

Merged
JAORMX merged 5 commits into main from renovate/stacklok-toolhive-0.x
Jul 2, 2026

@renovate renovate Bot commented Jul 1, 2026

This PR contains the following updates:

Package Update Change
stacklok/toolhive minor v0.32.0 → v0.33.0

After this PR opens, .github/workflows/upstream-release-docs.yml adds source-verified content edits for the new release. For stacklok/toolhive, the same workflow also syncs reference assets (CLI help, Swagger) and regenerates the CRD MDX pages.


Release Notes

stacklok/toolhive (stacklok/toolhive)

v0.33.0

Compare Source

What's Changed

Full Changelog: stacklok/toolhive@v0.32.0...v0.33.0


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


Docs update for toolhive v0.33.0

At a glance

Upstream stacklok/toolhive v0.32.0 → v0.33.0
Hand-written changes 2 commit(s)
Reference assets refreshed (separate commit)
Gaps 0
Release contributors 3 auto-assigned (see sidebar)
Action required Spot-check skill-authored prose for accuracy

Summary of changes

  • Added "Cross-application access (XAA)" outgoing-auth section in docs/toolhive/guides-vmcp/authentication.mdx, marked experimental, covering the ID-JAG two-step exchange (stacklok/toolhive#5691).
  • Updated docs/toolhive/guides-k8s/rate-limiting.mdx to note that per-tool vMCP rate limits key on the resolved backend tool name when the optimizer is enabled (stacklok/toolhive#5522).

Run cost

Session Turns Cost (USD)
Generation 62 $5.1589
Editorial review 37 $2.7035
Total 99 $7.8624

How this PR was built

Two Claude Opus sessions run per release: a generation pass (upstream-release-docs skill, 6 phases) followed by a fresh-context editorial pass (docs-review). Prettier/ESLint auto-fixes are applied after.

Auto-synced paths — do not hand-edit these in review:

  • static/api-specs/
  • docs/toolhive/reference/cli/ (toolhive only)
  • docs/toolhive/reference/crds/

If a "Gaps needing human context" section is present above, each entry includes a paste-ready Helper prompt for local Claude a reviewer can use to resolve the gap.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

vercel Bot commented Jul 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-website Ready Ready Preview, Comment Jul 1, 2026 9:31pm

@renovate renovate Bot added the autogen-docs Pull requests generated by automated release workflows label Jul 1, 2026
@github-actions github-actions Bot marked this pull request as draft July 1, 2026 19:54

claude Bot commented Jul 1, 2026

Claude finished @renovate[bot]'s task in 5m 16s


Upstream release docs — ToolHive v0.33.0

Done. Committed source-verified edits for the two doc-relevant PRs in this release.

  • Discover changes in v0.32.0 → v0.33.0
  • Deep-dive verification against upstream source
  • Audit existing docs for impact
  • Implement source-verified doc updates
  • Run prettier + eslint
  • Commit & push

What changed

  • docs/toolhive/guides-vmcp/authentication.mdx — Added a new "Cross-application access (XAA)" outgoing-auth section (marked experimental), covering the two-step ID-JAG exchange: Step A (RFC 8693) at the IdP, Step B (RFC 7523) at the target AS. Documents required and optional fields, secret refs, and when to reach for xaa versus tokenExchange / upstreamInject. Sourced from stacklok/toolhive#5691 and verified against cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go and pkg/vmcp/auth/strategies/xaa.go at the v0.33.0 tag.
  • docs/toolhive/guides-k8s/rate-limiting.mdx — Added an info admonition explaining that when the optimizer is enabled, per-tool vMCP rate limit buckets key on the resolved backend tool name (not the call_tool meta-tool). Sourced from stacklok/toolhive#5522 and verified against pkg/vmcp/ratelimit/decorator.go and pkg/vmcp/server/serve_optimizer.go.

Skipped / notes

  • stacklok/toolhive#5693 (E2E test fix) and stacklok/toolhive#5520 (dep bump) — internal, no docs impact.
  • CRD schema descriptions changed IDP → IdP across many fields; those live in auto-generated static/api-specs/toolhive-crds/*.schema.json and are refreshed by the workflow, not hand-edited.
  • subjectTokenType was also added to the tokenExchange object on the vMCP schema, but as a passthrough / future-proofing knob (currently accepts only the ID-token URN). No prose change needed until additional URNs are supported.
  • Local npm run build fails on this branch because the MCP metadata plugin can't reach its external data source from the sandbox, unrelated to these edits.
    · Branch: renovate/stacklok-toolhive-0.x

Cover new v0.33.0 features:
- Add "Cross-application access (XAA)" section to the vMCP
  authentication guide, marked experimental, covering the
  two-step ID-JAG exchange added in stacklok/toolhive#5691.
- Note in the rate limiting guide that per-tool vMCP buckets
  now key on the resolved backend tool name when the optimizer
  is enabled (stacklok/toolhive#5522).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude Bot commented Jul 1, 2026

Claude finished @renovate[bot]'s task in 5m 23s


Editorial review — ToolHive v0.33.0 docs

Editorial pass complete. Pushed 4e70ad7 with two clarity fixes to the new XAA section in docs/toolhive/guides-vmcp/authentication.mdx.

  • Read the changed files (authentication.mdx, rate-limiting.mdx)
  • Cross-check against upstream pkg/vmcp/auth/strategies/xaa.go and pkg/vmcp/ratelimit/decorator.go at v0.33.0
  • Identify actionable fixes
  • Apply edits
  • Run prettier + eslint (no changes needed)
  • Commit & push

Fixes applied

  1. authentication.mdx:421-422 — "The IdP and target authorization server credentials are stored in Kubernetes Secrets" implied the whole IdP/target-AS config was Secret-backed. Only the client secrets are; URLs and client IDs live in the CR spec as plaintext. Rewrote as "Store the IdP and target authorization server client secrets in Kubernetes Secrets".

  2. authentication.mdx:447 — YAML comment on targetAudience read "identifies the target resource AS for the ID-JAG audience claim". Because the sibling targetResource field is the RFC 8707 resource indicator, calling targetAudience the "resource AS" invited confusion between the two. Rewrote as "URL of the target authorization server, used as the ID-JAG audience claim".

Deliberately skipped

  • "log a warning at startup" — the warning actually fires during per-backend Validate() (wire-up), but "startup" is a fine user-facing simplification.
  • "Omitting targetClientId and targetClientSecretRef" — upstream check is targetClientID == "" only, but users almost always set both together; ambiguity is negligible.
  • "Both token URLs must be HTTPS" — omits the localhost HTTP exception, but that's a deliberate simplification that matches the security posture the section is trying to communicate.
  • rate-limiting.mdx:237-246 info admonition — verified against pkg/vmcp/ratelimit/decorator.go:20,47-48; the "resolved backend tool name" claim and the actionable takeaway ("configure per-tool overrides using the backend tool names") match the source comments exactly. No changes needed.
    · Branch: renovate/stacklok-toolhive-0.x

Clarify two spots in the new XAA outgoing-auth prose:

- "credentials are stored in Kubernetes Secrets" implied the whole
  IdP/target-AS config was Secret-backed. Only the client secrets are;
  URLs and client IDs live in the CR spec.
- YAML comment on targetAudience called it the "target resource AS",
  which collides with the sibling targetResource field (RFC 8707 resource
  indicator). Rewrite as "URL of the target authorization server".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
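
The two-step ID-JAG exchange described in the comments above (Step A per RFC 8693 at the IdP, Step B per RFC 7523 at the target AS), together with the HTTPS rule and its localhost exception for token URLs, as an added Go example that is not ToolHive's code. The function names, the loopback check and the `example.test` URLs are assumptions; the `id-jag` token-type URN comes from the ID-JAG draft, and client authentication is left out.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// CheckTokenURL accepts https, plus plain http for loopback hosts only (assumed rule).
func CheckTokenURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("invalid token URL %q", raw)
	}
	ip := net.ParseIP(u.Hostname())
	loopback := u.Hostname() == "localhost" || (ip != nil && ip.IsLoopback())
	if u.Scheme == "https" || (u.Scheme == "http" && loopback) {
		return nil
	}
	return fmt.Errorf("token URL %q must use https", raw)
}

// StepA is the form posted to the IdP token endpoint: ID token in, ID-JAG out.
func StepA(idToken, targetAudience, targetResource string) url.Values {
	v := url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"}, // RFC 8693
		"requested_token_type": {"urn:ietf:params:oauth:token-type:id-jag"},         // ID-JAG draft
		"subject_token":        {idToken},
		"subject_token_type":   {"urn:ietf:params:oauth:token-type:id_token"},
		"audience":             {targetAudience}, // URL of the target authorization server
	}
	if targetResource != "" {
		v.Set("resource", targetResource) // RFC 8707 resource indicator
	}
	return v
}

// StepB is the form posted to the target AS: the ID-JAG as an RFC 7523 assertion.
func StepB(idJAG string) url.Values {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {idJAG}}
}

func main() {
	// Constructed sample values, not taken from the ToolHive docs.
	fmt.Println(CheckTokenURL("http://idp.example.test/token"))
	fmt.Println(StepA("<id-token>", "https://as.example.test", "").Encode())
	fmt.Println(StepB("<id-jag>").Encode())
}
```
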
@github-actions github-actions Bot requested review from jhrozek and reyortiz3 July 1, 2026 20:06
@github-actions github-actions Bot marked this pull request as ready for review July 1, 2026 20:06
jerm-dro previously approved these changes Jul 1, 2026

@jerm-dro jerm-dro left a comment

Optimizer / Rate Limit changes LGTM

reyortiz3 previously approved these changes Jul 1, 2026
Comment thread docs/toolhive/guides-vmcp/authentication.mdx Outdated
Comment thread docs/toolhive/guides-vmcp/authentication.mdx
Comment thread docs/toolhive/guides-vmcp/authentication.mdx
Comment thread docs/toolhive/guides-vmcp/authentication.mdx Outdated
Comment thread docs/toolhive/guides-vmcp/authentication.mdx Outdated
Switch the reference example to the validated source: discovered
pattern, clarify subjectProviderName and idpClientId recommendations,
and fix HTTPS enforcement and ID-JAG audience wording.

@jhrozek jhrozek left a comment

lgtm with the XAA fixups

@JAORMX JAORMX merged commit 0734b7b into main Jul 2, 2026
15 checks passed
@JAORMX JAORMX deleted the renovate/stacklok-toolhive-0.x branch July 2, 2026 03:13