Changelog
Release ontransports/v1.6.3. Introduces OAuth 2.1 gateway auth for /mcp, vault-sourced virtual keys with automatic secret rotation, extended audit log filtering, DAC-scoped OAuth2 session management, IdP JWT validation on the MCP path, and new DeepSeek and AWS Bedrock Mantle providers. Includes a large number of bug fixes across governance, streaming, billing, MCP, and provider integrations.✨ Features
- Audit Log Advanced Filtering - Audit logs now support advanced filtering via dedicated search/select APIs backed by materialized views, with an updated UI table layout.
- DAC-Scoped OAuth2 Session Management - OAuth2 sessions scoped to dynamic access control can now be listed, retrieved, and revoked. A new
EnterpriseOAuth2IdentityResolverbinds virtual keys to users via the governance store cache. - IdP JWT Validation on
/mcp- Incoming IdP-issued JWTs on/mcpare validated and stamped with user identity. Bifrost-issued MCP tokens that fail IdP validation pass through. User-mode OAuth2 grants are revoked on user delete, and user liveness is enforced on MCP request and refresh paths. - Vault-Sourced Virtual Keys - Virtual key values now use
SecretVar, enabling resolution from HashiCorp Vault. Vault-sourced keys reload on cache flush, automatic vault secret rotation is propagated and broadcast to the in-memory virtual key map, and the vault cache TTL was raised from 1 hour to 24 hours. - New Secret Var Format - Guardrails and SCIM configuration now accept the new
{type, ref}secret var format alongside the deprecated{from_env, env_var}form. - Bedrock Guardrails Provider-Side Redaction - Bedrock guardrails now support provider-side redaction of flagged content.
- Async Access Profile Propagation - Access profile propagation now runs as an async background job with progress tracking instead of blocking the request.
- SCIM Attributes Summary Card - The post-setup dashboard now shows a summary card of configured SCIM attributes.
🚀 From OSS transports/v1.6.3
- DeepSeek added as a first-class provider with dedicated request handling and thinking-mode gating.
bedrock_mantleadded as a first-class provider with SigV4 key configuration, native-Anthropic and OpenAI-compatible routing, DB migration, and UI support.- Full OAuth 2.1 authorization server for
/mcp: discovery endpoints, dynamic client registration, authorize/token with PKCE and refresh token rotation, consent page, JWT Bearer authentication, session listing/revocation with a sweep worker, an OAuth Grants UI, and themcp_server_auth_modeconfig field. - Virtual keys now carry an expiry field enforced by governance at request time.
- ClickHouse log store added in beta, including a hybrid store mode.
- IPv6 support added to the HTTP transport.
- Per-MCP-server tool execution timeout configuration added.
- OpenAI Responses lifecycle methods (retrieve, delete, cancel, list input items) added with per-verb governance flags.
- MCP clients paginated query now supports filtering by
connection_type,auth_type,state,virtual_key, and server/client ID, with a faceted filter sidebar. - Models are now marked
is_deprecatedin pricing and catalog APIs instead of being filtered out. - Logs list now shows user, team, customer, and business-unit name columns with multi-value attribution cells.
- Error responses now carry latency information.
- Connectors can now attach multiple teams, customers, and business units.
- Support added for externally resolved supplemental budgets not tracked against a virtual key.
- Cost recalculation now streams progress via SSE and processes in batches.
- Vendor-prefix pricing fallback extended to OpenAI, Google, and xAI models.
- Complexity analyzer now uses stemming alongside exact keyword match and falls back sensibly when no signal is present.
x-goog-api-keyadded as a supported virtual-key header on the MCP auth path.
🐞 Fixed
- Governance Reset Baselines - Reset timestamps are now synced with usage baselines in governance.
- Bedrock Region From ARN - Bedrock region is derived from the model ARN when not explicitly configured.
- Cached Token Billing -
cached_tokensnow reports reads only per the OpenAI spec, so cache writes are not billed as reads. - Streaming Retries After SSE Errors - Streaming retries and fallbacks work correctly after SSE-embedded provider errors.
- Tier Cost Evaluation - Tier costs are evaluated via input tokens instead of total tokens.
- Failed Stream Billing - Billing fixed on failed Responses stream requests for Anthropic and Bedrock, and for image generation and edit streaming.
- Redacted Thinking Round-Trip -
redacted_thinkingblocks round-trip on chat completions so tool-use turns with extended thinking replay correctly. - Bedrock ConverseStream Egress - Bedrock ConverseStream egress now emits
contentBlockStopevents. - MCP Empty Tool Set Registration - MCP clients no longer register as connected with an empty tool set when
ListToolsfails during startup. - Deterministic MCP Tool Ordering - MCP tool ordering is now deterministic for prompt cache stability.
- Trace Store Memory Leak - Orphaned deferred spans are swept in trace store TTL cleanup, fixing a memory leak.
- Content Logging Bypass - Raw request/response payloads no longer bypass
disable_content_loggingviaErrorDetailsParsed. - URL-Encoded Team IDs - URL-encoded team IDs are decoded in fetch, update, and delete governance endpoints.
- Semantic Cache Embedding Keys - Semantic cache internal embedding keys now resolve like external requests.
📀 Base OSS version
transports/v1.6.3
