Update stacklok/toolhive to v0.28.0

[renovate]

This PR contains the following updates:

Package	Update	Change
stacklok/toolhive	minor	v0.27.2 → v0.28.0

After this PR opens, .github/workflows/upstream-release-docs.yml adds source-verified content edits for the new release. For stacklok/toolhive, the same workflow also syncs reference assets (CLI help, Swagger) and regenerates the CRD MDX pages.

---

Release Notes

stacklok/toolhive (stacklok/toolhive)

v0.28.0

Compare Source

What's Changed

• Update module github.com/modelcontextprotocol/registry to v1.7.7 [SECURITY] by @​renovate[bot] in #​5230
• Add TOOLHIVE_SKIP_UPDATE_CHECK env var to disable update checks by @​lujunsan in #​5264
• Add RFC 7523 JWT Bearer grant package by @​jhrozek in #​5262
• Extract DCR resolver into pkg/auth/dcr by @​tgrunnagle in #​5198
• Wire identityFromToken into the OAuth2 upstream provider by @​jhrozek in #​5222
• Add API endpoint to refresh the registry cache by @​rdimitrov in #​5268
• Retry OAuth token refresh on infrastructure 4xx by @​gkatz2 in #​5170
• docs: remove stale chart version bump guidance from check-contribution skill by @​wucm667 in #​5211
• Configure rate limits on VirtualMCPServer PR A by @​Sanskarzz in #​5079
• Migrate CLI OAuth flow to pkg/auth/dcr resolver by @​tgrunnagle in #​5250
• Drop legacy registry schema from release artifacts by @​rdimitrov in #​5273
• Watch authz ConfigMaps from VirtualMCPServer by @​blkt in #​5271
• Split api-workloads E2E suite into parallel entries by @​jhrozek in #​5275
• Update module github.com/stacklok/toolhive-catalog to v0.20260513.0 by @​renovate[bot] in #​5274
• Add identityFromToken to MCPExternalAuthConfig CRD by @​jhrozek in #​5269
• Reset RunWorkload retry counter after stable run by @​gkatz2 in #​5172
• Drop per-component CRD and controller gating from operator install by @​ChrisJBurns in #​5281
• Fix wrapper name in api-compat workflow comments by @​ChrisJBurns in #​5282
• Pin helm-crd-wrapper to v0.0.1 by @​ChrisJBurns in #​5283
• Fix operator RBAC for event recording by @​pl4nty in #​5243
• Add GitHub Copilot CLI as a supported MCP client by @​danbarr in #​5287
• Wire identityFromToken through authserver config and runtime by @​jhrozek in #​5285
• References printcolumn shows raw JSON instead of useful summary by @​Sanskarzz in #​5267
• Fix audit events logged as INFO+2 instead of AUDIT by @​kimjune01 in #​5256
• Update github/codeql-action digest to 9e0d7b8 by @​renovate[bot] in #​5295
• Update module github.com/cedar-policy/cedar-go to v1.6.1 by @​renovate[bot] in #​5307
• Update golang.org/x/exp/jsonrpc2 digest to 74f9aab by @​renovate[bot] in #​5296
• Update module github.com/google/cel-go to v0.28.1 by @​renovate[bot] in #​5309
• Deep-copy shared fixtures in mapMCPServerToWebhookConfig subtests by @​jhrozek in #​5310
• Add --session-ttl flag and fix three session timeout bugs by @​JAORMX in #​5117
• Update module github.com/charmbracelet/x/ansi to v0.11.7 by @​renovate[bot] in #​5308
• Deflake transientRefresher singleflight test by @​jhrozek in #​5312
• Move HeaderForward helpers to pkg/vmcp/headerforward by @​lorr1 in #​5302
• Update anthropics/claude-code-action digest to 51ea8ea by @​renovate[bot] in #​5294
• Update module github.com/stacklok/toolhive-catalog to v0.20260518.0 by @​renovate[bot] in #​5313
• Bump toolhive-core on release day via Renovate by @​reyortiz3 in #​5315
• Drop empty PULLS column from registry list and search output by @​danbarr in #​5314
• fix(operator): add startup probe to proxyrunner deployment by @​gabrielcosi in #​5300
• Bump toolhive-core to v0.0.20 by @​reyortiz3 in #​5316
• Wire HeaderForward into vMCP per-session HTTP client by @​lorr1 in #​5301
• Bump toolhive-core to v0.0.21 and use shared redis client by @​reyortiz3 in #​5318
• Release v0.28.0 by @​toolhive-release-app[bot] in #​5322

New Contributors

• @​pl4nty made their first contribution in #​5243
• @​kimjune01 made their first contribution in #​5256
• @​gabrielcosi made their first contribution in #​5300

Full Changelog: stacklok/toolhive@v0.27.2...v0.28.0

---

Configuration

📅 Schedule: (in timezone America/New_York)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Docs update for toolhive v0.28.0

At a glance

Upstream	stacklok/toolhive v0.27.2 → v0.28.0
Hand-written changes	2 commit(s)
Reference assets	refreshed (separate commit)
Gaps	0
Release contributors	16 auto-assigned (see sidebar)
Action required	Spot-check skill-authored prose for accuracy

Summary of changes

Summary of changes

• Added GitHub Copilot CLI to the supported clients table and a new
  "Configuration locations" section in docs/toolhive/reference/client-compatibility.mdx
  (stacklok/toolhive#5287).
• Added a new "Extract identity from the token response" section in
  docs/toolhive/guides-k8s/auth-k8s.mdx covering the identityFromToken
  OAuth 2.0 upstream field, with a cross-link tip in
  docs/toolhive/guides-vmcp/authentication.mdx (stacklok/toolhive#5269,
  stacklok/toolhive#5222, stacklok/toolhive#5285).
• Added a "Rate limit a VirtualMCPServer" section in
  docs/toolhive/guides-k8s/rate-limiting.mdx covering the new
  spec.config.rateLimiting field, with prerequisites for Redis session
  storage and OIDC incoming auth (stacklok/toolhive#5079).
• Documented the new --session-ttl flag in docs/toolhive/guides-cli/run-mcp-servers.mdx,
  the thv vmcp serve flag reference in docs/toolhive/guides-vmcp/local-cli.mdx,
  and the vMCP TTL discussion in
  docs/toolhive/guides-vmcp/scaling-and-performance.mdx
  (stacklok/toolhive#5117).
• Added a "How do I disable update checks?" FAQ entry covering the new
  TOOLHIVE_SKIP_UPDATE_CHECK environment variable in
  docs/toolhive/faq.mdx (stacklok/toolhive#5264).

Run cost

Session	Turns	Cost (USD)
Generation	161	$12.4569
Editorial review	103	$8.3143
Total	264	$20.7712

How this PR was built

Two Claude Opus sessions run per release: a generation pass
(upstream-release-docs skill, 6 phases) followed by a fresh-
context editorial pass (docs-review). Prettier/ESLint
auto-fixes are applied after.

Auto-synced paths — do not hand-edit these in review:

• docs/toolhive/reference/cli/
• docs/toolhive/reference/crds/
• static/api-specs/

If a "Gaps needing human context" section is present above,
each entry includes a paste-ready Helper prompt for local
Claude a reviewer can use to resolve the gap.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs-website	Ready	Preview, Comment	May 19, 2026 10:20pm

[claude]

Claude finished @renovate[bot]'s task in 15m 34s —— View job

---

Upstream release docs: toolhive v0.28.0

• Phase 1: Discovery
• Phase 2: Deep-dive into major features
• Phase 3: Docs impact map
• Phase 4: Source-verified implementation
• Phase 5: Self-check (prettier + eslint clean; build error is from MCP-metadata plugin needing network, unrelated to these edits)
• Phase 6: Commit + SUMMARY.md

Summary

Wrote source-verified hand-written docs for the user-facing changes in toolhive v0.28.0. Auto-generated CLI/CRD/API reference files were already refreshed by the workflow.

Files changed (hand-written):

• docs/toolhive/reference/client-compatibility.mdx - Added GitHub Copilot CLI row and a Configuration locations section (stacklok/toolhive#5287).
• docs/toolhive/guides-k8s/auth-k8s.mdx - Added an "Extract identity from the token response" subsection covering identityFromToken, updated synthesis-mode wording (stacklok/toolhive#5269, stacklok/toolhive#5222, stacklok/toolhive#5285).
• docs/toolhive/guides-vmcp/authentication.mdx - Added a cross-link tip for identityFromToken next to the existing tokenResponseMapping tip.
• docs/toolhive/guides-k8s/rate-limiting.mdx - Added a "Rate limit a VirtualMCPServer" section with the new spec.config.rateLimiting field, Redis + OIDC prerequisites, and a worked example (stacklok/toolhive#5079).
• docs/toolhive/guides-cli/run-mcp-servers.mdx - Added an "Override the session timeout" section for the new --session-ttl flag (stacklok/toolhive#5117).
• docs/toolhive/guides-vmcp/local-cli.mdx - Added --session-ttl to the thv vmcp serve flag reference table.
• docs/toolhive/guides-vmcp/scaling-and-performance.mdx - Noted that the 30-minute TTL is now overridable via --session-ttl.
• docs/toolhive/faq.mdx - Added a "How do I disable update checks?" Q&A covering TOOLHIVE_SKIP_UPDATE_CHECK and its coupling to usage metrics (stacklok/toolhive#5264).

Verification:

• All claims (env var name + semantics, Copilot CLI config path/format, identityFromToken paths and validation rules, rate-limiting CEL rules, --session-ttl flag defaults) verified against stacklok/toolhive source at the v0.28.0 tag via gh api.
• Prettier and ESLint pass clean on the changed files.
• Local npm run build fails inside the action sandbox because the MCP-metadata plugin can't reach external server endpoints; the Vercel preview build (already green on this PR) covers the production path.
• branch

[claude]

Claude finished @renovate[bot]'s task in 9m 31s —— View job

---

Docs review: toolhive v0.28.0 release docs

• Read all changed docs files (8 hand-written)
• Cross-check claims against upstream v0.28.0 source
• Apply editorial fixes
• Run prettier + eslint (skipped locally - npm restricted in sandbox; CI will validate)
• Commit and push (ac1238b)

Summary

Verified the previous commit's source-verified docs against upstream v0.28.0 (via gh api) and applied two editorial fixes to docs/toolhive/guides-k8s/auth-k8s.mdx:

1. Clarity (line 799): "resolves identity from gjson dot-notation paths into the token response body" had awkward "from X into Y" grammar. Reworded to "extracts identity from the token response body using gjson dot-notation paths."
2. Accuracy (lines 822-824): "identityFromToken and userInfo can both be set, but only one is used at runtime" was ambiguous about which wins. Source code (pkg/authserver/upstream/oauth2.go) confirms identityFromToken takes precedence and the userinfo HTTP call is skipped entirely. Made this explicit.

Cross-checks that passed

• TOOLHIVE_SKIP_UPDATE_CHECK env var name and gating behavior (pkg/updates/client.go)
• thv run --session-ttl 2h default + thv vmcp serve --session-ttl 30m default
• identityFromToken paths (1-256 char validation), @upstreamjwt modifier semantics, tk- synthesized-subject prefix
• VirtualMCPServer rateLimiting CEL rules (Redis required, incomingAuth.type=oidc required for per-user)
• GitHub Copilot CLI config path (~/.copilot/mcp-config.json) and schema

No content was added beyond refinement of what the prior commit wrote. SUMMARY.md and auto-generated reference assets were left untouched per workflow protocol.

branch ·

[jhrozek]

I pushed a fixup for the identityFromToken examples, now the changes do look good to me

[danbarr]

Updates specifically related to my client addition (Copilot CLI) are good to go.