fix(deps): update module github.com/stacklok/toolhive to v0.3.11

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/stacklok/toolhive	v0.3.7 -> v0.3.11

---

Release Notes

stacklok/toolhive (github.com/stacklok/toolhive)

v0.3.11

Compare Source

What's Changed

• reverts cosign installer to 3.10.1 from 4 due to breaking change by @​ChrisJBurns in #​2248

Full Changelog: stacklok/toolhive@v0.3.10...v0.3.11

v0.3.10

Compare Source

🚀 Toolhive v0.3.10 is live!

This release focuses on improving code organization, OIDC flexibility, and OAuth security—plus some helpful updates to our developer experience.

Developer Experience & Documentation
• Developer guide now reflects Go 1.25 requirements
• Added CI validation to ensure consistent proposal naming

Architecture & Operator
• Cleaner operator code with runconfig ConfigMap logic now properly separated
• Improved controller helpers extracted for better code reusability
• Moved common authorization constants to shared helpers for easier maintenance

OIDC & Authentication
• OIDC resolver refactored with a more flexible generic interface for different config sources
• OAuth client secrets now support migration and backward compatibility—existing workloads continue to work seamlessly during upgrades

Infrastructure & Remote Proxy
• New MCPRemoteProxy CRD definition added, setting the foundation for remote proxy support
• Registry updated to latest toolhive-registry release (v2025.10.17)

Dependency Updates
• Bumped anchore/sbom-action → v0.20.8
• Bumped sigstore/cosign-installer → v4
• Dependabot configuration removed (now using Renovate for dependency management)

👋 Welcome to our newest contributor @​mohamedfawas! 🥳

🔗 Full changelog: stacklok/toolhive@v0.3.9...v0.3.10

v0.3.9

Compare Source

What's Changed

• Improves Running of ToolHive Operator Tests (unit/integration) by @​ChrisJBurns in #​2175
• exclude mocks from codecov by @​ChrisJBurns in #​2177
• fixes test assertion that fails intermittently if not exact order match by @​ChrisJBurns in #​2180
• renames transport mocks file for consistency by @​ChrisJBurns in #​2179
• Update registry from toolhive-registry release v2025.10.14 by @​github-actions[bot] in #​2183
• Fix already used OAuth callback port handling to prevent "Invalid redirect URI" errors by @​amirejaz in #​2121
• Remove pointer-to-interface anti-pattern in OAuthFlowResult by @​kofort9 in #​2182
• Add proposal for Remote MCP Server Proxy Support by @​JAORMX in #​2151
• Set a 2% threshold for codecov by @​rdimitrov in #​2187
• Enables RunConfig ConfigMap Operator Mode and Bumps toolHive ProxyRunner Images to 0.3.8 by @​ChrisJBurns in #​2191
• Refactor buildRunnerConfig to reduce cyclomatic complexity by @​JAORMX in #​2186
• Remove duplicate pull_request trigger from operator-ci workflow by @​JAORMX in #​2185
• Properly upgrade jsonschema library from v5 to v6 by @​JAORMX in #​2168
• Update Kubernetes test versions to latest supported releases by @​JAORMX in #​2194
• Support RFC 9728 well-known paths with resource components by @​jhrozek in #​2197
• Fix export and detail API inconsistencies for remote auth config by @​amirejaz in #​2198
• Remove registry-related labels from the example config by @​jhrozek in #​2199
• Update anthropics/claude-code-action digest to e8bad57 by @​renovate[bot] in #​2206
• Update registry from toolhive-registry release v2025.10.15 by @​github-actions[bot] in #​2205
• Adds Missing OIDC RunConfig for Operator by @​ChrisJBurns in #​2201
• Correctly construct resource_metadata per RFC 9728 Section 3.1 by @​jhrozek in #​2203
• Secure OAuth client secret storage and prevent API exposure by @​amirejaz in #​2204
• Forces use of runconfig via configmap for Operator and ProxyRunner by @​ChrisJBurns in #​2196
• Add MCPGroup CRD proposal for Kubernetes operator by @​JAORMX in #​2207
• Rename design docs to THV-####-name by @​blkt in #​2200
• removes unused flag driven code for podTemplateSpec patch and permission profiles in operator by @​ChrisJBurns in #​2219
• Removes oidc,authz,audit,toolsfilter and OTel flag driven config from Operator by @​ChrisJBurns in #​2220
• ToolHive Re-Attachment fix by @​therealnb in #​2118
• Log middleware names instead of numeric indices by @​JAORMX in #​2218
• Fixes race conditions in stdio transport tests by @​ChrisJBurns in #​2222
• Removes Old Unused Flag Driven OIDC Functions in Operator by @​ChrisJBurns in #​2221
• Update anchore/sbom-action action to v0.20.7 by @​renovate[bot] in #​2223
• Update registry from toolhive-registry release v2025.10.16 by @​github-actions[bot] in #​2225
• Add MCPExternalAuthConfig CRD and controller by @​JAORMX in #​2150
• Add seccomp profile to operator container security context by @​JAORMX in #​2209
• Update registry from toolhive-registry release v2025.10.16 by @​github-actions[bot] in #​2229

New Contributors

• @​kofort9 made their first contribution in #​2182
• @​therealnb made their first contribution in #​2118

Full Changelog: stacklok/toolhive@v0.3.8...v0.3.9

v0.3.8

Compare Source

🚀 ToolHive v0.3.8 is here!

This release focuses on expanding authentication capabilities, improving MCP support, and strengthening test coverage across the platform.

Authentication & Security

• OAuth 2.0 Token Exchange (RFC 8693) is now supported, enabling secure token acquisition for external authentication
• Token exchange middleware allows automatic swapping of downstream tickets for upstream credentials
• Client secrets for token exchange can now be configured via environment variables for better security practices

MCP (Model Context Protocol) Enhancements

• MCP parser updated to support the latest specification
• Secrets management is now available in the ToolHive MCP server for handling sensitive data
• MCPRegistry feature promoted to stable status with full documentation and e2e test coverage
• Telemetry failures no longer interfere with MCP responses, improving reliability

Session Management

• New pluggable storage backend system gives you flexibility in how sessions are stored and managed

Testing & Quality

• Integration tests added for the ToolHive Operator
• New e2e tests for MCPRegistry functionality
• Improved test isolation with dynamic port allocation in proxy tests

Documentation & Examples

• New Runtime Authoring Guide to help you build custom runtimes
• Updated middleware documentation with comprehensive coverage
• Kubernetes examples now use thv run consistently
• Removed deprecated permissionProfile from K8s examples

Infrastructure & Fixes

• Updated Podman socket path for macOS compatibility
• Corrected content length handling when mutating API calls
• Test utilities reorganized under test directory for better structure
• Upgraded to Go 1.25.2
• Multiple dependency updates (controller-runtime v0.22.3, golang.org/x/oauth2 v0.32.0, jsonschema v6, and more)

👋 Welcome to our newest contributor @​abhiii71! 🎉

🔗 Full changelog: stacklok/toolhive@v0.3.7...v0.3.8

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: module github.com/stacklok/[email protected] requires go >= 1.25.2; switching to go1.25.3
go: downloading go1.25.3 (linux/amd64)
go: download go1.25.3: golang.org/[email protected]: verifying module: checksum database disabled by GOSUMDB=off