fix(deps): update module github.com/stacklok/toolhive to v0.8.2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/stacklok/toolhive	v0.7.2 → v0.8.2

---

Release Notes

stacklok/toolhive (github.com/stacklok/toolhive)

v0.8.2

Compare Source

What's Changed

• Make healthchecks for remote workloads optional by @​dmjb in #​3462
• Bump Helm chart to 0.5.28 for ToolHive v0.8.1 release by @​jerm-dro in #​3467

Full Changelog: stacklok/toolhive@v0.8.1...v0.8.2

v0.8.1

Compare Source

What's Changed

• Skip token injection when token exchange active by @​jhrozek in #​3385
• Make private IP error message context-agnostic by @​yrobla in #​3403
• Map thvCABundle to OIDCConfig.CACertPath by @​jhrozek in #​3391
• Add authorization and callback handlers for authserver by @​jhrozek in #​3370
• Return 404 for not-found errors in workload API endpoints by @​dmjb in #​3409
• feat(auth): persist OAuth tokens across workload restarts by @​flfeurmou-indeed in #​3382
• add bearerToken type to MCPExternalAuthConfig CRD by @​amirejaz in #​3224
• Update registry from toolhive-registry release v2026.01.23 by @​github-actions[bot] in #​3416
• Add StatusReporter abstraction for vMCP runtime by @​4t8dd in #​3159
• bump version of yardstick to 1.1.1 by @​yrobla in #​3420
• Bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 by @​dependabot[bot] in #​3412
• Bump github.com/sigstore/sigstore from 1.10.0 to 1.10.4 by @​dependabot[bot] in #​3414
• Update toolhive images to v0.8.0 by @​renovate[bot] in #​3404
• Fix authorization bypass for unknown MCP methods by @​yrobla in #​3406
• Update anthropics/claude-code-action digest to 8341a56 by @​renovate[bot] in #​3415
• Bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 by @​dependabot[bot] in #​3379
• Fix race condition when deleting workload just after creation by @​dmjb in #​3422
• Add bug-triage Claude agent for issue management by @​JAORMX in #​3405
• fix(#​3411) - waitForStatefulSet waits for the latest generation by @​jerm-dro in #​3413
• Add header forward middleware for remote MCP servers by @​jhrozek in #​3423
• Add E2E tests for group endpoints by @​dmjb in #​3402
• authserver DCR hardening: Add grant_types and response_types allowlis… by @​jhrozek in #​3425
• Refactor RBAC management to eliminate code duplication by @​yrobla in #​3368
• Add token endpoint handler by @​jhrozek in #​3408
• Add KeyManager for signing key lifecycle to authserver by @​jhrozek in #​3407
• Add EmbeddingServer CRD for deploying HuggingFace embedding models by @​ptelang in #​3323
• Update the registry format converters to support a few missing properties by @​rdimitrov in #​3426
• Update registry from toolhive-registry release v2026.01.24 by @​github-actions[bot] in #​3432
• Update registry from toolhive-registry release v2026.01.24 by @​github-actions[bot] in #​3434
• Update registry from toolhive-registry release v2026.01.26 by @​github-actions[bot] in #​3435
• Update anthropics/claude-code-action digest to f642197 by @​renovate[bot] in #​3431
• Preserve _meta fields in vMCP backend responses by @​yrobla in #​3354
• Use very high port numbers in unit tests by @​dmjb in #​3441
• Return 400 for bad clients instead of 500s by @​dmjb in #​3438
• E2E tests for client API endpoints by @​dmjb in #​3442
• Add header forward configuration and wire middleware in runner by @​jhrozek in #​3427
• Add E2E scenarios for registry tests by @​dmjb in #​3444
• Add writeup on CLI implementation best practices by @​dmjb in #​3445
• fix(#​3448) - vMCP operator deterministically orders servers by @​jerm-dro in #​3450
• Update registry from toolhive-registry release v2026.01.27 by @​github-actions[bot] in #​3454
• Update workload commands to comply with logging guidelines by @​eleftherias in #​3443
• Update anthropics/claude-code-action digest to 231bd75 by @​renovate[bot] in #​3455
• Fix concurrency bug with groups by @​dmjb in #​3447
• Add e2e test for version endpoint by @​dmjb in #​3446
• Bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1 by @​dependabot[bot] in #​3453
• Implement tests for missing workload API endpoints by @​dmjb in #​3449
• Update helm/kind-action digest to ef37e7f by @​renovate[bot] in #​3437
• Add K8sReporter implementation and status reporting documentation by @​yrobla in #​3456
• Dedupe redirect URL validation for authserver + allow app-specific redirect URLs by @​jhrozek in #​3451
• Add CLI flags for header forward configuration by @​jhrozek in #​3452
• fix: improve stability of remote MCP server connections by @​flfeurmou-indeed in #​3417
• Add POST /oauth/register handler for dynamic client registration by @​jhrozek in #​3428

New Contributors

• @​ptelang made their first contribution in #​3323

Full Changelog: stacklok/toolhive@v0.8.0...v0.8.1

v0.8.0

Compare Source

What's Changed

• Fix keyctl password not re-prompted after incorrect entry by @​JAORMX in #​3334
• Update toolhive images to v0.7.2 by @​renovate[bot] in #​3336
• Update registry from toolhive-registry release v2026.01.19 by @​github-actions[bot] in #​3333
• Add thv status command for detailed workload info by @​carlos-gn in #​3161
• Call audit config validation in vMCP server by @​yrobla in #​3340
• Update anthropics/claude-code-action digest to a017b83 by @​renovate[bot] in #​3326
• Simplify redirect URI validation in autheserver upstream package to use fosite by @​jhrozek in #​3339
• Add contributor guidelines for issue claiming and expectations by @​JAORMX in #​3341
• Fix race condition in auth server tests by @​dmjb in #​3343
• Create E2E suite for ToolHive REST API by @​dmjb in #​3288
• Update module github.com/olekukonko/tablewriter to v1.1.3 by @​renovate[bot] in #​3324
• Update actions/cache digest to 8b402f5 by @​renovate[bot] in #​3322
• Add UserInfo fetching support to authserver's upstream OAuth2 provider by @​jhrozek in #​3344
• Fix 413 error conversion bug in request body middleware by @​dmjb in #​3350
• Add shared pkg/oauth for OAuth/OIDC types and constants by @​jhrozek in #​3349
• Update registry from toolhive-registry release v2026.01.20 by @​github-actions[bot] in #​3352
• Remove VMCP-specific env var from generic auth code by @​yrobla in #​3342
• Consolidate PKCE to use golang.org/x/oauth2 stdlib functions by @​jhrozek in #​3351
• Add OAuth handler infrastructure and discovery endpoints by @​jhrozek in #​3321
• Fix workload update API by using background context for async operation by @​amirejaz in #​3307
• Update maintainers by @​jhrozek in #​3355
• Add dynamic/static mode support to VirtualMCPServer operator by @​yrobla in #​3235
• Run the API E2E test server as a standalone process by @​dmjb in #​3356
• feat(vmcp): integrate a dummy optimizer by @​jerm-dro in #​3312
• Update alpine Docker tag to v3.23.2 by @​renovate[bot] in #​2895
• Add UserStorage interface to authserver for multi-IDP support by @​jhrozek in #​3358
• Bump MCP Inspector source image and add to Renovate by @​danbarr in #​3364
• Update registry from toolhive-registry release v2026.01.21 by @​github-actions[bot] in #​3365
• Add SPDX license headers to all Go files by @​JAORMX in #​3366
• Add validation in create workloads endpoint by @​dmjb in #​3367
• Add logging guidelines by @​eleftherias in #​3338
• fix: correct transport type reporting in workload list endpoint by @​Sanskarzz in #​3313
• Document SPDX license header requirements by @​JAORMX in #​3371
• Remove none secrets provider by @​JAORMX in #​3369
• fix(config): migrate another telemetry config by @​jerm-dro in #​3328
• Fix SSE response processor rewrite logic by @​blkt in #​3381
• Handle context cancellation in proxy logs by @​eleftherias in #​3378
• Add MCPRemoteProxy controller integration tests by @​ChrisJBurns in #​3376
• Update anchore/sbom-action action to v0.22.0 by @​renovate[bot] in #​3387
• Update registry from toolhive-registry release v2026.01.22 by @​github-actions[bot] in #​3392
• Update actions/setup-python digest to a309ff8 by @​renovate[bot] in #​3394
• Update anthropics/claude-code-action digest to 2316a9a by @​renovate[bot] in #​3390
• Migrate proposals to toolhive-rfcs repository by @​JAORMX in #​3395
• Update peter-evans/create-pull-request digest to c0f553f by @​renovate[bot] in #​3374
• First phase of API e2e tests by @​dmjb in #​3348

New Contributors

• @​Sanskarzz made their first contribution in #​3313

Full Changelog: stacklok/toolhive@v0.7.2...v0.8.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🔒 MCP Security Scan Results

✅ adb-mysql-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ agentql-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ arxiv-mcp-server

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ astra-db-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ aws-diagram

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ aws-documentation

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ blender-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ brightdata-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ browserbase-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ chroma-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

✅ chrome-devtools-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ context7

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ graphlit-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ heroku-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ ida-pro-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ launchdarkly-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ magic-mcp

• Status: Warning
• Message: Could not parse scan results (insecure_ignore is enabled): Expecting property name enclosed in double quotes: line 1 column 2 (char 1)

✅ mcp-clickhouse

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ mcp-neo4j-aura-manager

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ mcp-neo4j-cypher

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ mcp-neo4j-memory

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ mcp-server-box

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ mcp-server-circleci

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ mcp-server-neon

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ netbird

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ notion

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ onchain-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ pagerduty-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ phoenix-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

✅ playwright-mcp

• Status: Passed
• Tools scanned: 0
• Result: No security issues detected

⚠️ sentry-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ supabase-mcp-server

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

⚠️ tavily-mcp

• Status: Warning
• Message: No JSON output found in scan results (insecure_ignore is enabled)

---

Summary: Scanned 33 MCP server(s), all passed security checks. ✅

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 8 additional dependencies were updated

Details:

Package	Change
github.com/go-openapi/errors	v0.22.4 -> v0.22.6
github.com/secure-systems-lab/go-securesystemslib	v0.9.1 -> v0.10.0
github.com/sigstore/rekor	v1.4.3 -> v1.5.0
github.com/sigstore/sigstore	v1.10.0 -> v1.10.4
github.com/theupdateframework/go-tuf/v2	v2.3.0 -> v2.4.1
google.golang.org/genproto/googleapis/rpc	v0.0.0-20251202230838-ff82c1b0f217 -> v0.0.0-20251222181119-0a764e51fe1b
google.golang.org/grpc	v1.77.0 -> v1.78.0
google.golang.org/protobuf	v1.36.10 -> v1.36.11