
Update module github.com/stacklok/toolhive to v0.29.3 #185

Merged
JAORMX merged 1 commit into main from renovate/github.com-stacklok-toolhive-0.x
Jun 12, 2026

Conversation


@renovate renovate Bot commented Jun 12, 2026

Contributor

This PR contains the following updates:

Package Change
github.com/stacklok/toolhive v0.29.1 -> v0.29.3

Release Notes

stacklok/toolhive (github.com/stacklok/toolhive)

v0.29.3

Compare Source

🚀 Toolhive v0.29.3 is live!

A small maintenance release that makes ToolHive's unauthenticated proxy default visible — surfacing it in logs and docs in response to GHSA-hfrv-94x5-85p2 — alongside internal release-tooling automation. No breaking changes and no behavioral changes to existing deployments.

🐛 Bug Fixes

  • An MCPServer, MCPRemoteProxy, standalone CLI, or vMCP running without OIDCConfigRef (or any other auth source) now emits a Warn-level log stating that every request is forwarded under a synthetic local-user identity with no credential check, and the README/CRD docs are corrected to describe identity enforcement as conditional on configuring an authentication source — the unauthenticated default itself is unchanged (#​5488)

🧹 Misc

  • Release notes generation and the Slack release announcement are now automated in CI when a release is published, keeping a maintainer in the loop via review-then-publish (#​5487)

📦 Dependencies

Module Version
github.com/stacklok/toolhive-catalog v0.20260610.0
Full commit log

What's Changed

Full Changelog: stacklok/toolhive@v0.29.2...v0.29.3

🔗 Full changelog: stacklok/toolhive@v0.29.2...v0.29.3


v0.29.2

Compare Source

🚀 Toolhive v0.29.2 is live!

A hardening-focused patch release: two security fixes, an operator-chart regression safety net via helm-unittest, an OTLP header delivery fix, an OAuth public-client TTL fix, continued vMCP New/Serve refactor scaffolding, and the deprecation of the MCPRegistry CRD.

🔄 Deprecations

  • MCPRegistry CRD deprecated in favour of the toolhive-registry-server Helm chart — the CRD remains fully functional but now emits a kubectl deprecation warning and an operator Warning event; it will be removed in a future release (#​5470)

🐛 Bug Fixes

  • OAuth/OIDC discovery endpoints (RFC 9728 protected-resource metadata, RFC 8414 authorization-server metadata, OIDC discovery, JWKS) now work for stdio-backed MCP servers with an embedded auth server, instead of returning 404 (#​5479)
  • Long-lived public OAuth clients registered via Dynamic Client Registration are no longer evicted after 30 days of active use — their TTL now refreshes on each successful token exchange, preventing spurious invalid_client failures (#​5469)
  • OTLP exporter headers supplied via OTEL_EXPORTER_OTLP_HEADERS are no longer silently dropped on the POST /api/v1/workloads path, so collectors requiring an auth header now receive telemetry (#​5474)
  • Overriding operator.serviceAccount.name in the operator Helm chart no longer breaks the deployment — every reference now routes through the same serviceAccountName helper (#​5476)
  • Prevented a path-traversal weakness in LocalStore.getFilePath so state-store file operations can no longer escape the base directory (#​5464, Fixes #​4736)
  • Added baseline X-Content-Type-Options: nosniff and Cross-Origin-Resource-Policy: same-origin security headers to every thv REST API response (#​5458)

🧹 Misc

  • vMCP refactor (epic #​5419): introduced a stateless, identity-explicit core VMCP constructor (#​5457), added the Serve transport skeleton and ServerConfig (#​5467), wired the Cedar admission seam into the core so list and call enforce one shared decision (#​5459), moved the SDK hooks and two-phase session creation under Serve (#​5471), and domain-typed the elicitation seam (#​5456) — all additive, with server.New behavior unchanged
  • Added helm-unittest regression coverage for the operator and operator-crds charts: CRD install/keep toggles (#​5468), a default-install baseline (#​5473), value-driven scenario suites (#​5475), and security-posture/naming suites (#​5477)
  • Documented the Redis Cluster slot invariant and filtered stray un-prefixed members in the auth-server token storage (#​5210)

📦 Dependencies

Module Version
github.com/stacklok/toolhive-core v0.0.24
golang.org/x/exp/jsonrpc2 055de63
github/codeql-action 8aad20d
anthropics/claude-code-action fbda2eb

What's Changed

🔗 Full changelog: stacklok/toolhive@v0.29.1...v0.29.2

New Contributors


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


renovate Bot commented Jun 12, 2026

Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
github.com/go-chi/chi/v5 v5.2.5 -> v5.3.0
golang.org/x/exp/jsonrpc2 v0.0.0-20260529124908-c761662dc8c9 -> v0.0.0-20260603202125-055de637280b

@renovate renovate Bot force-pushed the renovate/github.com-stacklok-toolhive-0.x branch from 99182de to c7e04fc Compare June 12, 2026 08:44
@JAORMX JAORMX merged commit 4f24a4d into main Jun 12, 2026
8 checks passed
@JAORMX JAORMX deleted the renovate/github.com-stacklok-toolhive-0.x branch June 12, 2026 08:49