Changelog

​

Features

• WorkOS Platform SSO: Migrated to WorkOS AuthKit for enterprise single sign-on, providing improved authentication reliability and expanded IdP compatibility
• Dynamic Security Mode: Configure security mode (monitor or block) directly from the Control Plane UI with real-time gateway updates—no restarts required
• Per-Gateway Data Exporters: Each gateway can now have its own exporter configuration, enabling flexible data routing to different destinations per environment
• Organization License Tiers: Support for free and licensed organization tiers with tier-specific feature availability
• Centralized Analytics Export: Analytics data is now exported through the Control Plane, providing unified observability across all gateways

​

Security

• Enhanced Redirect URI Validation: Improved validation to block dangerous URI schemes and enforce HTTPS for non-localhost callbacks, aligned with RFC 8252 security recommendations
• Improved OAuth Error Handling: Structured error codes and user-friendly notifications for Dynamic Client Registration (DCR) failures

​

Improvements

• Cursor-based pagination for security incidents page for better performance with large datasets
• Unified console logging format across all components
• Organization-scoped MCP server names allow different organizations to use the same server names

​

Bug Fixes

• Fixed RBAC policy inheritance to correctly apply organization-level access policies at runtime
• Fixed empty allowlist now correctly interpreted as “deny all” instead of “no policy”
• Fixed group intersection logic when multiple RBAC levels are configured
• Fixed monitor mode to allow sessions to continue while logging threats
• Fixed various authentication and invitation flow issues
• Fixed exporter configuration and analytics timing issues

​

Features

• Interactive Onboarding: New guided onboarding experience with step-by-step tour overlay, progress checklist, and replay functionality for new users
• Single Upstream Mode: Simplified configuration option for gateways with a single MCP server, including UI toggle, modals for enabling/disabling, and server swap functionality
• Multi-Architecture Builds: Docker images now support multiple CPU architectures for broader deployment compatibility

​

Security

• Enhanced PII Scrubbing: Fixed conflicts between entity detectors for more accurate PII detection
• API Key Detection: Added standard API key pattern recognition to the privacy scrubber
• Organization Isolation: Fixed cross-organization MCP server access issues and improved security for race conditions

​

Bug Fixes

• Fixed capability-level RBAC configuration propagation in centralized mode
• Fixed capability fetching for API key authenticated servers
• Resolved server name and URL validation issues in the UI
• Fixed bulk server assignment bypassing single upstream mode validation
• Fixed invitation system issues
• Corrected routing and mutation issues in single upstream mode
• Resolved stale cache issues affecting UI performance

​

Improvements

• Optimized session management and data loading for faster UI responsiveness

​

Features

• Microsoft Entra ID Support: Full Azure Active Directory integration for enterprise SSO with group synchronization and automatic role mapping
• Per-Organization Identity Providers: Each organization can now configure its own IdP, enabling true multi-tenant deployments with isolated authentication
• MCP Server Catalog: Browse and add from 20+ pre-configured MCP servers
• User Onboarding Flow: New guided onboarding experience with domain configuration and organization selection for first-time users

​

Security

• Encryption Key Rotation: Gateways now receive automatic key rotation notifications
• Service-to-Service Authentication: Added security key authentication between RBAC-admin and Golf API
• Exporter Access Control: Separate read-only and read-write configurations for audit log exporters
• Fixed Elasticsearch adapter resource leak

​

Bug Fixes

• Fixed organization switching and JIT role fetching issues
• Fixed Control Plane not updating IdPs/exporters correctly
• Fixed critical navigation and state issues in the UI
• Fixed circuit breaker issues when fetching roles
• Fixed user provisioning when logging into new organizations via Platform SSO
• Fixed OAuth resource indicator in single upstream mode

​

Breaking Changes

• Global admin roles removed in favor of organization-scoped administration

​

Features

• Multi-Organization Support: Manage multiple organizations from a single Control Plane with isolated analytics, policies, and configurations
• Cursor Integration: Connect Golf Gateway directly to Cursor IDE
• Simplified Gateway Setup: Streamlined “Add to Client” experience with auto-generated connection instructions

​

Security

• Enhanced credential encryption and token storage
• Improved isolation between organizations

​

Improvements

• Various stability and performance improvements

​

Features

• Mutual TLS: Secure communication between gateways and MCP servers
• Simplified Certificates: Easier deployments with automatic certificate generation

​

Improvements

• Improved API key authentication for third-party servers
• Various stability and deployment improvements

​

Features

• Gateway Visibility: See which gateways are assigned to each MCP server
• Server Capabilities: View MCP server capabilities and annotations directly in the portal
• Multi-Gateway Management: Improved admin experience for managing multiple gateways

​

Improvements

• Better display of gateway URLs across deployment modes
• Various UI polish and stability fixes

​

Initial Release

​

Notes

• GPU-accelerated builds available with -gpu suffix (e.g., v4.3.1-gpu)