We’re excited to announce the release of Obot MCP Gateway v0.12.0! This release brings powerful new roles, expanded audit capabilities, and a wide range of UI, backend, and integration improvements.
✨ Big Updates
- Auditor & Owner Roles: New roles separate system management from sensitive data access — only Auditors can view all server and chat details, while only Owners can assign the Auditor role. Admins can no longer see these sensitive details unless they’re also assigned as Auditors.
- Admin Dashboard Upgrades: New "Deployments and Connections" dashboard for easily visualizing and operating on MCP servers in bulk.
- Okta Group Support for Access Control Rules: You can now use Okta groups when configuring Access Control Rules, making it easier to manage permissions with your existing identity provider.
- Customizable Remote MCP Connections: Authors can now configure Remote MCP entries with user-supplied or static HTTP headers, and inject user-supplied values into templated URLs.
- Expanded Power User Capabilities: Power Users and Power User Plus now have access to usage stats and audit log metadata (excluding sensitive data) for their MCP servers.
- Kubernetes & Helm Enhancements: Helm charts now support affinity, tolerations, nodeSelector, and Kubernetes-recommended labels for smoother deployment and upgrade of Obot.
🛠 Other Notable Improvements
- UI/UX Polish: Refined navigation, dynamic chevrons, improved table columns, and enhanced project sharing styling.
- Sensitive Data Handling: Better masked value display and multi-line support in sensitive fields.
- Database & Logging: Improved DB logging and clarified requirements.
- Bug Fixes: Numerous fixes for table filtering, sorting, admin tools, and Safari-specific UI issues.
- Documentation: Expanded guides, including improved Entra setup walkthroughs.
⚠️ Important Upgrade Notes
Please review the following before upgrading:
Transition to Owner Role
The new Owner role now sits above the Admin role as the most privileged role in the system. To leverage its ability to assign the Auditor role, you must assign one or more initial Owners via the OBOT_SERVER_AUTH_OWNER_EMAILS environment variable. This has the same semantics as the OBOT_SERVER_AUTH_ADMIN_EMAILS environment variable.
Embedded DB no longer the default for Helm installs
For Helm installs, Obot no longer defaults to a built-in Postgres database. An external database is required for production setups, but the embedded database remains available for evaluation. You must either provide a database connection string via config.OBOT_SERVER_DSN, or explicitly opt into the embedded database for testing by setting dev.useEmbeddedDb to true.
If you are upgrading and were previously using the embedded database, you must set dev.useEmbeddedDb to true when you upgrade.
Okta users have to update their issuer URL
For Okta users, after updating to this release, you will need to modify the Issuer URL in the Okta auth provider configuration. This is due to our new support for Okta groups.
You must set it to https://.okta.com with no path in the URL.
See https://docs.obot.ai/configuration/auth-providers#okta-enterprise-only for more information, as there are some settings you must tweak in your Okta workspace in order for Obot to work with the groups in your directory.
If you find that you are unable to log in to adjust this setting, restart Obot with the environment variable OBOT_SERVER_FORCE_ENABLE_BOOTSTRAP=true so that you can log in as the bootstrap user again in order to change the setting.
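The three upgrade notes above can be checked before rolling out the new version. The following preflight script is an added example, not part of the Obot project: the function names are hypothetical, the values are passed in as arguments rather than read from a Helm values file, and it assumes that a trailing slash on the Okta issuer counts as a path.

```shell
#!/bin/sh
# Added example: preflight for the v0.12.0 upgrade notes. Function names are
# hypothetical; the setting names are the ones the release notes give.

# Okta issuer must be https://<subdomain>.okta.com with nothing after the host.
# Assumption: a trailing "/" counts as a path and is rejected.
check_okta_issuer() {
    case "$1" in
        https://*.okta.com)
            host=${1#https://}
            sub=${host%.okta.com}
            # Empty subdomain, or "/", ":", "@", "?" hidden before the suffix.
            case "$sub" in
                ""|*[!A-Za-z0-9.-]*) return 1 ;;
            esac
            return 0 ;;
    esac
    return 1
}

# $1 = config.OBOT_SERVER_DSN, $2 = dev.useEmbeddedDb (Helm values).
# One of the two must be set; the embedded DB is an explicit opt-in.
check_database() {
    if [ -n "$1" ] || [ "$2" = "true" ]; then return 0; fi
    return 1
}

# $1 = OBOT_SERVER_AUTH_OWNER_EMAILS, $2 = DSN, $3 = useEmbeddedDb,
# $4 = Okta issuer URL ("" when Okta is not the auth provider).
# Prints one line per problem and returns the number of problems.
preflight() {
    failures=0
    if [ -z "$1" ]; then
        echo "OBOT_SERVER_AUTH_OWNER_EMAILS is empty: no initial Owner to assign Auditors"
        failures=$((failures + 1))
    fi
    if ! check_database "$2" "$3"; then
        echo "set config.OBOT_SERVER_DSN, or dev.useEmbeddedDb=true for evaluation"
        failures=$((failures + 1))
    fi
    if [ -n "$4" ] && ! check_okta_issuer "$4"; then
        echo "Okta issuer '$4' must be https://<subdomain>.okta.com with no path"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample: no DSN, no embedded-DB opt-in, issuer with a path.
preflight "owner@example.com" "" "" "https://example.okta.com/oauth2/default" \
    || echo "$? problem(s) to fix before upgrading"
```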
📜 Full changelog
- Fix: don't bypass admin user to view user-owned mcp server by @StrongMonkey in #4368
- enhance: always pull MCP images in docker backend by @thedadams in #4381
- fix: dynamically show/hide nav chevrons by @ryu-man in #4365
- fix: improve audit logs timeline ticks by @ryu-man in #4362
- fix: multiple config prompt sequence by @njhale in #4391
- Fix: don't show user, user profile and mcp publisher when auth is disabled by @StrongMonkey in #4380
- fix: ignore templates for connect URL slug by @thedadams in #4400
- Fix: fix admin ACR to view entries and servers by @StrongMonkey in #4389
- fix: add support for server-to-client MCP requests by @thedadams in #4395
- feat: add new auditor and owner roles by @thedadams in #4319
- Update user email by @thedadams in #4412
- fix: prefer explicit owner over admin by @thedadams in #4413
- fix: remove 'Skip Step' button from access control rules dialog by @ryu-man in #4393
- fix: remove Groups from admin users page by @ivyjeong13 in #4414
- fix: ensure x axis ticks are rendered as integers by @ryu-man in #4398
- Enhance: Add regenerate tool preview button by @StrongMonkey in #4405
- fix: use right api call for workspace audit logs filters by @ivyjeong13 in #4415
- fix: swap power user roles in UI by @thedadams in #4423
- fix: improve performance when listing all servers in workspaces by @g-linville in #4424
- fix: use one if-else block to render the chat layout by @ryu-man in #4392
- fix: add admin authorization for MCP servers by @thedadams in #4429
- fix: put bootstrap user in basic user group by @thedadams in #4439
- fix: give auditor access to server details and logs by @thedadams in #4441
- fix: stop giving bootstrap user power user groups by @thedadams in #4442
- fix: revert broken events operation by @thedadams in #4443
- enhance: add table columns to applicable admin pages by @ivyjeong13 in #4431
- fix: entra user display names by @njhale in #4445
- fix: update optionHighlightIndex initialization and improve hover, highlight style by @ryu-man in #4401
- fix: do not show sensitive info automatically by @ryu-man in #4403
- Fix: Don't update url for mcp server that use url template by @StrongMonkey in #4419
- fix: list users for auditors by @thedadams in #4470
- feat: static header values by @g-linville in #4446
- fix: show access control to power user plus by @thedadams in #4471
- Fix user role display to show correct roles instead of just Admin/User by @Copilot in #4472
- Fix: revert regenerate tool preview by @StrongMonkey in #4448
- fix: list server instance with correct userID by @thedadams in #4465
- feat: give PUs and PUPs metadata audit access by @g-linville in #4476
- fix: give auditor access to read all by @thedadams in #4462
- fix: give power user plusses access to details by @thedadams in #4464
- Fix: delete all ACR when depromoted to power user by @StrongMonkey in #4483
- fix: ensure system tokens have basic group by @thedadams in #4518
- fix: allow PUPs to update servers created from their catalog entries by @g-linville in #4410
- fix: delete unauthorized MCPServers created from catalog entries in PUWs by @g-linville in #4411
- fix: strip Docker log header from output by @thedadams in #4523
- fix: do not create needless ACR for power users by @g-linville in #4519
- chore: separate catalog and workspace cleanup by @thedadams in #4520
- fix: adjust task chat width and submit btn height and position by @ryu-man in #4481
- fix: conditionally render output toggle button based on readOnly state by @ryu-man in #4480
- fix: handle when line is less than 8 bytes by @thedadams in #4528
- fix: correct user role migration by @thedadams in #4548
- feat(helm): affinity, tolerations and nodeSelector by @nlamirault in #4535
- feat: [Helm] Kubernetes recommended labels by @nlamirault in #4533
- refactor: make sensitive textarea feels more native by @ryu-man in #4477
- fix: prevent loading users and groups in creation mode by @ryu-man in #4450
- fix: set created=true when creating a new identity by @g-linville in #4554
- fix: list everything in the admin dashboard, bypassing ACR checks by @g-linville in #4529
- chore: require a db dsn to be set unless a special dev value is enabled by @drpebcak in #4562
- chore: create custom image for base with postgres-17 installed by @drpebcak in #4565
- feat: deployed servers admin tab for MCP Servers by @ivyjeong13 in #4553
- fix: improve user and group loading logic by @ryu-man in #4559
- feat: add Audit Logs page with layout and content components by @ryu-man in #4531
- fix: enhance JSON diff highlighting functionality by @ryu-man in #4447
- enhance: static or user supplied header options for remote servers by @ivyjeong13 in #4574
- Fix: fix typo for template permission by @StrongMonkey in #4557
- Add DB logging and clarify DB requirements by @cjellick in #4198
- fix: conditionally render input if header is required by @ivyjeong13 in #4593
- fix: task & task run related admin fixes by @ivyjeong13 in #4589
- fix: skip mcp server in bulk update if it doesn't need update by @ivyjeong13 in #4597
- enhance: ui share project styling by @ivyjeong13 in #4596
- fix: properly report session not found errors by @thedadams in #4549
- enhance: support Okta groups by @g-linville in #4587
- Fix: properly cleaning up old server when upgrading by @StrongMonkey in #4578
- Fix: add upgrade-from-template to permission by @StrongMonkey in #4595
- fix: remove / from MCP server names for nanobot by @thedadams in #4610
- fix: filter/sort table related fixes by @ivyjeong13 in #4608
- Fix: fix two more places we could be orphaning mcp servers by @StrongMonkey in #4591
- fix: improve multilines ux for sensitive textarea component by @ryu-man in #4614
- docs: improve entra setup walkthrough by @njhale in #4645
- Fix: Don't call update-url when mcp is remote and use fixedUrl by @StrongMonkey in #4639
- fix: admin/deployment view related bugfixes by @ivyjeong13 in #4613
- fix: show only ACR servers count in user registry by @ryu-man in #4638
- enhance: filter github group list when an org restriction is configured by @njhale in #4646
- Fix: drop photo permission, use letter avatar for group picture by @StrongMonkey in #4650
- fix: create PUWs for owners on startup by @g-linville in #4657
- Fix: add proper powerWorkspaceID and userID by @StrongMonkey in #4658
- fix: improve count calculation for access control rules based on registry type by @ryu-man in #4661
- fix: use proper task property to filter table data by @ryu-man in #4653
- Fix: don't check for server.command by @StrongMonkey in #4660
- fix: reword required text to contain less domain knowledge by @drpebcak in #4668
- Fix: Rename everyone to 'All Obot Users' by @cjellick in #4666
- fix: include entries in server count calculation for users ACRs by @ryu-man in #4665
- enhance: ui: show URL template option for remote servers by @g-linville in #4671
- Fix: Don't show two dollar signs on placeholder by @cjellick in #4673
- fix: navigate properly and preserve searchparams when navigate back by @ryu-man in #4664
- fix audit logging by @cjellick in #4676
- fix: improve masked value display in SensitiveInput component by @ryu-man in #4675
- chore: ui: remove cline references by @g-linville in #4678
- fix: eliminate potential nil deref in authz by @g-linville in #4681
- fix: safari scroll fix and table columns overlap fix by @ivyjeong13 in #4684
- Fix: when using embedded db option, set strategy to Recreate by @StrongMonkey in #4685
Full Changelog: v0.11.0...v0.12.0
🚀 Getting Started
- Try the live demo: chat.obot.ai
- Install on Docker:
docker run -d --name obot -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/obot-platform/obot:latest
- For more, see our Documentation
🙌 Thanks to Our Contributors
Finally, a special welcome and thank you to @nlamirault for their first contribution to this release!