build(deps): Bump mcp-contextforge-gateway from 1.0.0b2 to 1.0.0rc1 #26

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/mcp-contextforge-gateway-1.0.0rc1
@dependabot dependabot bot commented on behalf of github Feb 19, 2026

Bumps mcp-contextforge-gateway from 1.0.0b2 to 1.0.0rc1.

Release notes

Sourced from mcp-contextforge-gateway's releases.

v1.0.0-RC1 - Security Hardening, Enterprise Controls & Quality

This release delivers enterprise security hardening, comprehensive RBAC improvements, and production-quality enforcement with 189 issues resolved.

🏆 Major Achievements

Release 1.0.0-RC1 hardens ContextForge for enterprise production deployments:

  • 🔐 31 Features - Enterprise security controls, unified policy decision point (Cedar/OPA), tool circuit breakers, session affinity, zero-config TLS, elicitation support, unified search, self-service password reset, license compliance, encoded exfiltration detector, flexible UI sections
  • 🔧 106 Bug Fixes - Authentication flows, RBAC, Admin UI, MCP protocol, team management, multi-tenancy, pre-commit hooks, pagination, token handling, migration compatibility, SSO/OAuth, session affinity
  • 🛡️ 4 Security Hardening - ReDoS protection in validators and plugins, WebSocket token validation, encryption and secrets testing
  • ⚡ 9 Performance - Plugin regex precompilation, crypto threadpool offload, Cedar async, llm-guard optimization
  • 🧪 14 Testing - 80%+ code coverage gate, JMeter baseline, Playwright improvements, manual test plans, local load testing, edge-case boundary conditions, iFrame mode
  • 🔧 22 Chores - SonarQube cleanup, dependency updates, Helm improvements, linting fixes, CI/CD migration validation, template scaffolding
  • 📝 3 Documentation - Password reset guide, contributing guide fixes

Security Highlights: This release overhauls authentication defaults to be secure by default. JWT tokens now require JTI and expiration claims, basic auth is disabled for API endpoints, public registration is off by default, and admin lockout protection is enforced. Enterprise security controls add credential protection, SSRF prevention, and granular RBAC.


⚠️ Breaking Changes

🔐 Streamlined Authentication Model & Secure Defaults (#2555)

Action Required: Multiple authentication defaults have changed to secure-by-default values.

Token Validation Defaults

  • REQUIRE_JTI now defaults to true - JWT tokens must include a JTI claim for revocation support
  • REQUIRE_TOKEN_EXPIRATION now defaults to true - JWT tokens must include an expiration claim
  • PUBLIC_REGISTRATION_ENABLED now defaults to false - Self-registration disabled by default

Migration: Existing tokens without JTI or expiration claims will be rejected. Generate new tokens with python -m mcpgateway.utils.create_jwt_token which includes these claims by default.

AdminAuthMiddleware

  • Added API token authentication support for /admin/* routes
  • Added platform admin bootstrap support for initial setup scenarios
  • Unified authentication methods with main API authentication
  • Admin UI uses session-based email/password login

Basic Auth Configuration

  • API_ALLOW_BASIC_AUTH now defaults to false - Basic auth disabled for API endpoints by default
  • DOCS_ALLOW_BASIC_AUTH remains false by default
  • Gateway credentials scoped to local authentication only

Migration: If you use Basic auth for API access, either:

  1. (Recommended) Migrate to JWT tokens: export MCPGATEWAY_BEARER_TOKEN=$(python -m mcpgateway.utils.create_jwt_token ...)
  2. Set API_ALLOW_BASIC_AUTH=true to restore previous behavior

Note: Gateways without configured auth_value will send unauthenticated requests to remote servers. Configure per-gateway authentication for servers that require it.

... (truncated)

Commits
  • bc42bbb Fix links
  • 0c13cc9 update changelog (#3035)
  • 92bc704 Changelog (#3034)
  • fafd219 fix(auth): add jwks_uri column to SSOProvider and harden create_provider (#3026)
  • 8610dc9 fix: normalize empty string X_FRAME_OPTIONS to None for iframe embedding (#2958)
  • 1902707 chore: update all dependencies and align Containerfiles to UBI10 (#3020)
  • 6f3fd3a Fix stateful session context propagation and affinity forwarding for appropri...
  • ca07c47 fix(auth): prevent orphaned gateway records and isolate structured logger ses...
  • 731db22 fix: enhance OAuth callback handling for error responses and missing authoriz...
  • a235827 fix: update API token last_used and log usage stats (#2711)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels Feb 19, 2026
Bumps [mcp-contextforge-gateway](https://github.com/IBM/mcp-context-forge) from 1.0.0b2 to 1.0.0rc1.
- [Release notes](https://github.com/IBM/mcp-context-forge/releases)
- [Changelog](https://github.com/IBM/mcp-context-forge/blob/main/CHANGELOG.md)
- [Commits](IBM/mcp-context-forge@v1.0.0-BETA-2...v1.0.0-RC1)

---
updated-dependencies:
- dependency-name: mcp-contextforge-gateway
  dependency-version: 1.0.0rc1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/pip/mcp-contextforge-gateway-1.0.0rc1 branch from 617a5b4 to 1f8b07a Compare February 26, 2026 20:30