Version:

This project is part of pgEdge Labs and is under active development. APIs and features may change without notice.

Changelog

All notable changes to the pgEdge MCP Bridge will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Customisable OAuth login page: Support for custom login page templates with configurable title, CSS stylesheet URL, and logo, or a fully custom HTML login page served from a user-specified path
MCP Streamable HTTP transport: Support for the Streamable HTTP transport protocol, where POST requests with Accept: text/event-stream receive SSE-wrapped responses
Configurable timeouts: New timeout settings for SSE keepalive (server.sse_keepalive_interval), MCP subprocess reads (server.mcp_server.read_timeout), OAuth HTTP requests (auth.oauth.http_timeout), and federated OAuth HTTP requests (oauth_server.federated.http_timeout), all defaulting to 30s

Security: Redirect URI validation now requires exact path matching for localhost URIs, preventing open redirect attacks
Security: RSA signature verification now uses the correct hash algorithm for RS384 and RS512 (previously always used SHA256)
Security: Bearer token validation now holds a read lock during concurrent access, preventing data races
Security: Cryptographic random number generation now panics on failure instead of silently producing zero values
Security: Registration endpoint request body is now limited to 64KB to prevent memory exhaustion
Security: JWT verification error details are no longer leaked to clients
Reliability: Authorization code and refresh token deletion errors are now logged instead of silently discarded
Reliability: Federated authorization handler cleanup goroutine now properly shuts down on Close()
TLS: A warning is now logged when insecure_skip_verify is enabled

RFC 9728 Protected Resource Metadata: New /.well-known/oauth-protected-resource endpoint for OAuth resource discovery, required by Claude's connection flow
Root-path MCP endpoint: MCP handlers now accept requests at / in addition to /mcp, for compatibility with clients that POST directly to the server URL
Root-level registration endpoint: Dynamic client registration now served at /register in addition to /oauth/register

Registration endpoint: Metadata document now advertises /register as the canonical registration endpoint
Auth middleware: Added /oauth/callback, /.well-known/oauth-protected-resource, and /register to auth skip paths

OAuth Authorization Server: Built-in OAuth 2.0 Authorization Server for direct Claude Desktop integration
Implements OAuth 2.0 Authorization Code flow with PKCE (RFC 7636)
Publishes OAuth metadata at /.well-known/oauth-authorization-server (RFC 8414)
JWKS endpoint at /oauth/jwks for token verification
Built-in mode with local user management and bcrypt password hashing
Federated mode for delegating authentication to upstream IdPs (Google, Okta, etc.)
Dynamic client registration support (RFC 7591)
JWT access tokens with RS256 or ES256 signing
Refresh token rotation for long-lived sessions
New Endpoints:
GET /ready - Readiness check endpoint (verifies MCP subprocess is running)
GET /.well-known/oauth-authorization-server - OAuth server metadata
GET /oauth/jwks - JSON Web Key Set
GET/POST /oauth/authorize - Authorization endpoint
POST /oauth/token - Token endpoint
POST /oauth/register - Dynamic client registration

Configuration: Updated config file search order to /etc/pgedge/config.yaml then executable directory
Documentation: Comprehensive updates to reflect OAuth server capabilities and correct configuration field names

Licence: Added The PostgreSQL License file and documentation page
Copyright Headers: Added standard pgEdge copyright headers to all Go source files

Bidirectional Transport Bridge: Bridge between HTTP/SSE and stdio transports for the Model Context Protocol (MCP)
Server Mode: Wrap local stdio-based MCP servers and expose them over HTTP
JSON-RPC 2.0 over HTTP POST for requests/responses
Server-Sent Events (SSE) for server-initiated notifications
Configurable base path for API endpoints
Health check endpoint
Client Mode: Connect to remote HTTP MCP servers and expose via stdio
Automatic SSE reconnection with configurable retry logic
Configurable timeouts and connection pooling
Authentication:
Bearer token authentication (static tokens or validation endpoint)
OAuth 2.0/OIDC support with JWKS validation
Token introspection support
TLS/HTTPS:
Server-side TLS with configurable certificates
Client-side TLS with CA certificate verification
Mutual TLS (mTLS) support for client certificate authentication
Session Management:
Stateful sessions with automatic timeout and cleanup
Configurable maximum concurrent sessions
Session affinity via Mcp-Session-Id header
Process Management:
Automatic subprocess restart on failure
Configurable restart delays and maximum attempts
Graceful shutdown handling
CORS Support: Configurable cross-origin resource sharing for browser clients
Logging: Structured logging with configurable levels and JSON output format
Configuration: YAML-based configuration with environment variable substitution