changelogs for 1.5.6

[akshaydeo]

Summary

This PR releases core v1.5.14, framework v1.3.14, transports v1.5.6, and bumps all dependent plugins to their respective .14 patch versions. It delivers a broad set of new capabilities across MCP authentication, key rotation, OTel metrics, Bedrock/Anthropic compatibility, and UI improvements, alongside a number of targeted bug fixes and refactors.

Changes

• Direct API Key Header — Providers can now receive an API key passed directly via a request header (feat: direct api key header #3817)
• MCP Per-User Auth — Introduced MCPCredentialStore abstraction, per-user MCP credential reconciliation, and a new per-user header auth type with lazy-auth submission flow (refactor: introduce MCPCredentialStore abstraction in MCP credential resolution #3656, refactor: centralize mcp connection lifecycle into AcquireClientConn and decouple credentials from plugin gate #3702, feat: add mcp per-user headers auth type with credential storage and submission flow #3703, feat: add mcp per-user headers auth flow ui wiring #3704, feat: reconcile per-user MCP credentials on VK and MCP client changes #3705)
• MCP TLS Configuration — Added configurable TLS (insecureSkipVerify, caCertPem) for HTTP/SSE MCP client connections (feat: add TLS configuration support for MCP HTTP/SSE client connections #3779, feat: add tlsConfig (insecureSkipVerify, caCertPem) for HTTP/SSE MCP client connections in Bifrost Helm chart #3783)
• MCP Sessions Management — Filter, search, and pagination on the MCP sessions list API and table, plus a can_reauth identity gate (feat: add can_reauth identity gate for user-mode MCP session rows #3823, feat: add filter/search/pagination to MCP sessions list API #3824, feat: add filtering and pagination to MCP sessions table #3825)
• Key Rotation — Keys now rotate on 401/402/403 responses; returns 502 upstream_credentials_exhausted when all keys are permanently exhausted. Added triggered_rotation to KeyAttemptRecord and tightened bifrost_key_rotation_events_total semantics (feat: add triggered_rotation to KeyAttemptRecord and tighten bifrost_key_rotation_events_total semantics #3430, feat: rotate keys on 401/402/403 and return 502 upstream_credentials_exhausted when all keys are permanently dead #3491)
• OTel Metrics — Added OTel spec-compatible metrics (backward compatible) with provider cache and semantic cache attributes in metrics export (adds otel spec compatible metrics (backward compatible) #3865, feat: adds provider cache and semantic cache attributes in metrics export #3816)
• Opus 4.8 Support — System message handling and general compatibility for Opus 4.8 (fix: opus 4.8 compatibility #3868, feat: system messages handling for opus 4.8 #3878)
• Dimension Rankings — New GetDimensionRankings API and dashboard tabs for team, customer, BU, and user rankings (feat: add GetDimensionRankings API and dashboard tabs for team, customer, BU, and user rankings #3766)
• Model Pricing Attributes — additional_attributes field on model pricing rows with management API and UI editor (feat: add additional_attributes to model pricing rows with management API and UI editor #3829)
• Prompt Cache Retention — Added prompt cache retention parameter on responses requests (fix: add prompt cache retention parameter on responses request #3810)
• Tool Call Execution UI — Inline tool-call execution, stop streaming, bulk execute/submit, and a redesigned tool-call UI (feat: add tool call execution, stop streaming, and redesign tool call UI #3837, feat: add bulk execute/submit support for multiple pending tool calls #3843)
• Sheet Navigation — Prev/next keyboard navigation and URL state across virtual key, MCP client, and routing rule sheets (feat: add useSheetNavigation hook and SheetNavigationButtons component #3739, feat: add keyboard navigation and URL state for virtual key detail sheet #3740, feat: add prev/next navigation to MCPClientSheet #3744, feat: add prev/next navigation to RoutingRuleInfoSheet #3745)
• Bedrock Tool Name Truncation — Truncate Bedrock function/tool names to the provider length limit
• Bedrock Guardrails — Set guardrail config in Bedrock requests built from responses (fix: set guardrail config in bedrock request from responses #3862)
• Anthropic Tool Use — Default tool_use input to {} when arguments are absent (fix: default Anthropic tool_use input to {} when arguments are absent #3880)
• Responses Streaming — Fixed responses stream events (fix: responses stream events #3838)
• Compat Flow — Fixed missing parameter parsing on the compat flow (fixes missing parameter parsing on compat flow #3881)
• Passthrough API Version — Set a default API version in passthrough requests as a fallback (fix: set default api version in passthrough requests as a fallback #3853)
• Virtual Key Updates — Avoid overriding optional fields during virtual key update (avoid overriding optional fields in virtual key update #3855)
• User-Mode Flows — Gate user-mode flows on caller user_id, skip temp token mint, and unify flow/credential kind filtering for pending flows (fix: gate user-mode flows on caller user_id and skip temp token mint #3841, fix: unify flow/credential kind filtering so pending flows follow their auth kind #3859)
• Partial Tool Calls — Handle partial tool call execution failures and return successful results (fix: handle partial tool call execution failures and return successful results #3849)
• URL Query Escaping — Support escaped characters in URL query parameters (fix: URI-encode search query params to prevent special characters breaking navigation #3826)
• MCP Auth Errors — Inline banner and retry support for MCP auth-required errors (feat: add MCP auth required error handling with inline banner and retry support #3856)
• Renamed Resolvers — staticHeadersResolver/serverOAuthResolver renamed to sharedHeadersResolver/sharedOAuthResolver (refactor: rename staticHeadersResolver/serverOAuthResolver to sharedHeadersResolver/sharedOAuthResolver #3840)
• Starlark Nested Tool Calls — Exposed RunWithPluginPipeline on ClientManager and routed Starlark nested tool calls through the canonical plugin gate (refactor: expose RunWithPluginPipeline on ClientManager and route Starlark nested tool calls through canonical plugin gate #3794)
• Deferred-Fill OAuth Removed — Removed deferred-fill user-mode OAuth flow support (refactor: remove deferred-fill user-mode OAuth flow support #3839)
• Go 1.26.3 — Upgraded toolchain to Go 1.26.3 (go 1.26.3 upgrade #3782)

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

# Core/Transports
go version  # should report go1.26.3
go test ./...

# UI
cd ui
pnpm i || npm i
pnpm test || npm test
pnpm build || npm run build

• Validate MCP per-user auth by configuring a per-user header auth type and confirming credentials are stored and reconciled on virtual key and MCP client changes.
• Validate key rotation by triggering a 401/402/403 from an upstream provider and confirming rotation occurs; exhaust all keys and confirm a 502 upstream_credentials_exhausted is returned.
• Validate OTel metrics output includes provider_cache and semantic_cache attributes.
• Validate Bedrock requests with tool names exceeding the provider limit are truncated correctly.
• Validate Opus 4.8 system message handling by sending a request with a system message to an Opus 4.8 endpoint.

Breaking changes

• Yes
• No

The deferred-fill user-mode OAuth flow has been removed (#3839). Any integrations relying on that flow must migrate to the new per-user credential store approach. The staticHeadersResolver and serverOAuthResolver identifiers have been renamed to sharedHeadersResolver and sharedOAuthResolver respectively (#3840); any direct references must be updated.

Related issues

#3817, #3656, #3702, #3703, #3704, #3705, #3779, #3783, #3823, #3824, #3825, #3430, #3491, #3865, #3816, #3868, #3878, #3766, #3829, #3810, #3837, #3843, #3739, #3740, #3744, #3745, #3862, #3880, #3838, #3881, #3853, #3855, #3841, #3859, #3849, #3826, #3856, #3840, #3794, #3839, #3782, #3724, #3814, #3836, #3869, #3886

Security considerations

• MCP per-user credentials are stored via the new MCPCredentialStore abstraction; ensure the backing store is appropriately access-controlled and that credential values are encrypted at rest.
• The direct API key header feature passes provider secrets via HTTP headers; ensure TLS is enforced on all ingress paths and that headers are not logged in plaintext.
• User-mode flows are now gated on caller user_id and temp token minting is skipped where appropriate, reducing the surface for privilege escalation.
• TLS configuration for MCP HTTP/SSE connections supports insecureSkipVerify; this should only be enabled in controlled environments.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 06358a1a-2c13-46a1-b4f1-f1a1de9ac9bd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 05-29-changelogs_for_1.5.6

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[akshaydeo]

• changelogs for 1.5.6 #3892 👈 (View in Graphite)
• bedrock function toolname truncation #3890
• adds metadata to hybdrid store payload #3888
• dev

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Confidence Score: 5/5

This PR touches only changelog and version files; no production code paths are changed.

All 26 changed files are changelog entries and version number increments. There is nothing here that can introduce a runtime regression, data race, or behavior change. The only observations are a format inconsistency in transports/changelog.md and a missing issue reference in two changelog lines, neither of which affects correctness.

No files require special attention — all changes are documentation and version metadata.

Important Files Changed

Filename	Overview
transports/changelog.md	New changelog with emoji-formatted sections (✨ Features / 🐞 Fixed), different style from all other module changelogs which use plain bullet lists; no code changes.
core/changelog.md	New changelog with plain bullet list format; covers all major features and fixes included in core v1.5.14.
framework/changelog.md	New changelog with plain bullet list format; covers framework v1.3.14 features and fixes.
plugins/compat/version	Bumped from 0.1.12 to 0.1.13, following its own 0.1.x versioning scheme rather than the .14 patch suffix used by other plugins.
core/version	Bumped from 1.5.13 to 1.5.14; consistent with PR description.
transports/version	Bumped from 1.5.5 to 1.5.6; consistent with PR title and description.
plugins/governance/changelog.md	Changelog noting MCP per-user headers auth type support and dependency bump to core v1.5.14/framework v1.3.14.
plugins/telemetry/changelog.md	Changelog noting key rotation semantics tightening and provider/semantic cache attributes in metrics export.
plugins/logging/changelog.md	Changelog noting dimension rankings logging support and Starlark nested tool call routing refactor.
plugins/otel/changelog.md	Changelog noting provider and semantic cache attributes added to metrics export.

_{Reviews (3): Last reviewed commit: "changelogs for 1.5.6" | Re-trigger Greptile}

[akshaydeo]

Merge activity

• May 29, 4:25 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 29, 4:29 PM UTC: @akshaydeo merged this pull request with Graphite.