Closed
Labels: automation, cookie, dependencies
Description
Two CLI/tool versions have been updated in `pkg/constants/constants.go` and workflow lock files regenerated via `make recompile`.
Summary
| Tool | Previous | New | Released |
|---|---|---|---|
| MCP Gateway (gh-aw-mcpg) | v0.2.6 | v0.2.7 | 2026-03-27 |
| APM (Agent Package Manager) | v0.8.5 | v0.8.6 | 2026-03-27 |
No changes required for: Claude Code (latest), Copilot CLI (latest), Codex (latest), GitHub MCP Server (v0.32.0 current=latest), Playwright MCP (0.0.68 current=latest), Playwright Browser (v1.58.2 current=latest).
Update MCP Gateway v0.2.6 → v0.2.7
Release Date: 2026-03-27
Features
- GHEC Tenant Support (feat: GHEC tenant support for proxy and guard URL parsing gh-aw-mcpg#2481, fix: port-safe GHEC detection in deriveAPIFromServerURL gh-aw-mcpg#2484): MCP Gateway now correctly handles GitHub Enterprise Cloud tenants in both proxy routing and guard URL parsing, including port-safe GHEC detection in API URL derivation. Configure via `GITHUB_SERVER_URL` or `GITHUB_API_URL`.
- Trusted Users in AllowOnly Guard (feat: add trusted-users list to AllowOnly guard policy for user integrity elevation gh-aw-mcpg#2584): The `allow-only` guard policy now supports a `trusted-users` list, enabling fine-grained control over who can perform sensitive operations.
Bug Fixes & Improvements
- Transparent Session Reconnection (fix: reconnect expired MCP backend sessions transparently, extend server session timeout gh-aw-mcpg#2597): Expired MCP backend sessions are reconnected automatically with extended session timeout.
- HTTP Backend Compatibility (Fix HTTP 400 on tools/list for HTTP backends with custom auth headers (Atlassian MCP) gh-aw-mcpg#2608): Fixed HTTP 400 errors on `tools/list` for HTTP backends with custom auth headers (e.g., Atlassian MCP).
- Guard Write Classification (fix(guard): pre-emptive write classification for set_variable, upload_release_asset, sync_fork gh-aw-mcpg#2613): Pre-emptive write classification for `set_variable`, `upload_release_asset`, and `sync_fork` tools.
- Schema Fetch Reliability (fix: add retry with exponential backoff to schema fetch for transient HTTP errors gh-aw-mcpg#2582): Retry logic with exponential backoff for transient HTTP errors on startup.
- Accurate DIFC Filter Notices (fix: distinguish secrecy vs integrity in filtered notice gh-aw-mcpg#2518): Filter notices now correctly distinguish secrecy vs. integrity violations.
- Trusted Bot Elevation Fix (rust-guard: fix configured trusted bot elevation in apply_tool_labels + deduplicate item collection gh-aw-mcpg#2574): Corrected trusted-bot elevation in `apply_tool_labels`.
View All Merged PRs
- fix: port-safe GHEC detection in deriveAPIFromServerURL gh-aw-mcpg#2484 — fix: port-safe GHEC detection in deriveAPIFromServerURL
- feat: GHEC tenant support for proxy and guard URL parsing gh-aw-mcpg#2481 — feat: GHEC tenant support for proxy and guard URL parsing
- fix: distinguish secrecy vs integrity in filtered notice gh-aw-mcpg#2518 — fix: distinguish secrecy vs integrity in filtered notice
- docs: add proxy mode env vars to ENVIRONMENT_VARIABLES.md and link gateway compatibility reference from README gh-aw-mcpg#2541 — docs: add proxy mode env vars to ENVIRONMENT_VARIABLES.md
- rust-guard: fix configured trusted bot elevation in apply_tool_labels + deduplicate item collection gh-aw-mcpg#2574 — rust-guard: fix configured trusted bot elevation in apply_tool_labels
- fix: add retry with exponential backoff to schema fetch for transient HTTP errors gh-aw-mcpg#2582 — fix: add retry with exponential backoff to schema fetch
- feat: add trusted-users list to AllowOnly guard policy for user integrity elevation gh-aw-mcpg#2584 — feat: add trusted-users list to AllowOnly guard policy
- fix: reconnect expired MCP backend sessions transparently, extend server session timeout gh-aw-mcpg#2597 — fix: reconnect expired MCP backend sessions transparently
- Fix HTTP 400 on tools/list for HTTP backends with custom auth headers (Atlassian MCP) gh-aw-mcpg#2608 — Fix HTTP 400 on tools/list for HTTP backends with custom auth headers
- fix(guard): pre-emptive write classification for set_variable, upload_release_asset, sync_fork gh-aw-mcpg#2613 — fix(guard): pre-emptive write classification for set_variable, upload_release_asset, sync_fork
Full Changelog: github/gh-aw-mcpg@v0.2.6...v0.2.7
Impact Assessment
- Risk: Low–Medium
- Affects: MCP Gateway sandbox container, GHEC enterprise users, guard policy configuration
- Docker Image: `ghcr.io/github/gh-aw-mcpg:v0.2.7`
Package Links
- Repository: https://github.com/github/gh-aw-mcpg
- Release Notes: https://github.com/github/gh-aw-mcpg/releases/tag/v0.2.7
Update APM v0.8.5 → v0.8.6
Release Date: 2026-03-27
Bug Fixes
- Batch bug fixes (fix: batch bug fixes -- installer fallback, target registry, lockfile idempotency microsoft/apm#456): installer fallback, target registry, lockfile idempotency
- Windows antivirus file-lock errors (Fix Windows antivirus file-lock errors during apm install microsoft/apm#440): Fixed file-lock errors during `apm install` on Windows
- ADO spaces in repo names (fix: allow spaces in ADO repository names when parsing URLs microsoft/apm#437): Allow spaces in Azure DevOps repository names when parsing URLs
- Claude commands deployment gate (fix: gate .claude/commands/ deployment behind integrate_claude flag microsoft/apm#443): Gate `.claude/commands/` deployment behind `integrate_claude` flag
- Path traversal in SSH URLs (fix: reject path traversal in SSH URL parsing microsoft/apm#458): Reject path traversal in SSH URL parsing (security fix)
- Linux bundled OpenSSL (fix: exclude bundled OpenSSL libs from Linux binary microsoft/apm#466): Exclude bundled OpenSSL libs from Linux binary
- Deterministic Build IDs (fix: sort instruction discovery order for deterministic Build IDs across platforms microsoft/apm#468): Sort instruction discovery for deterministic Build IDs across platforms
- Auth popup deduplication (fix: share AuthResolver across install to prevent duplicate auth popups microsoft/apm#424): Share AuthResolver across install to prevent duplicate auth popups
View All Merged PRs
- fix: batch bug fixes -- installer fallback, target registry, lockfile idempotency microsoft/apm#456 — fix: batch bug fixes — installer fallback, target registry, lockfile idempotency
- Fix Windows antivirus file-lock errors during apm install microsoft/apm#440 — Fix Windows antivirus file-lock errors during apm install
- fix: allow spaces in ADO repository names when parsing URLs microsoft/apm#437 — fix: allow spaces in ADO repository names when parsing URLs
- fix: gate .claude/commands/ deployment behind integrate_claude flag microsoft/apm#443 — fix: gate .claude/commands/ deployment behind integrate_claude flag
- fix: reject path traversal in SSH URL parsing microsoft/apm#458 — fix: reject path traversal in SSH URL parsing
- fix: exclude bundled OpenSSL libs from Linux binary microsoft/apm#466 — fix: exclude bundled OpenSSL libs from Linux binary
- fix: sort instruction discovery order for deterministic Build IDs across platforms microsoft/apm#468 — fix: sort instruction discovery order for deterministic Build IDs
- fix: share AuthResolver across install to prevent duplicate auth popups microsoft/apm#424 — fix: share AuthResolver across install to prevent duplicate auth popups
Full Changelog: microsoft/apm@v0.8.5...v0.8.6
Impact Assessment
- Risk: Low
- Affects: APM CLI installation, Windows users, ADO repository support, SSH URL handling
- Security: Path traversal fix in SSH URL parsing
Package Links
- Repository: https://github.com/microsoft/APM
- Release Notes: https://github.com/microsoft/apm/releases/tag/v0.8.6
References:
Generated by CLI Version Checker · expires on Mar 30, 2026, 4:13 AM UTC