muster release v0.3.12
Changed
- Release binaries now include darwin/amd64, darwin/arm64, windows/amd64, and windows/arm64 alongside the existing linux targets. Windows binaries are named muster-windows-<arch>.exe.
Fixed
- Update mcp-oauth to v0.2.199: JWT access tokens issued for grants without an RFC 8707 resource parameter now carry an aud claim defaulting to the server’s resource identifier (RFC 9068 §2.2), instead of an empty audience that JWT-validating gateways (e.g. agentgateway) reject with 401 InvalidAudience. Existing grants self-heal on their next token refresh.
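
To confirm whether a given access token still has the empty audience described above, the following sketch decodes the JWT payload and applies the audience check a validating gateway performs. It is an added example, not code from muster, mcp-oauth or agentgateway; the resource identifier and sample tokens are constructed, and signature verification is deliberately left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// CheckAudience decodes a compact JWT payload WITHOUT verifying the signature
// (diagnostic only) and requires want to be among its non-empty audiences.
func CheckAudience(token, want string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var claims struct {
		Aud any `json:"aud"` // RFC 7519: a string or an array of strings
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return err
	}
	auds, isList := claims.Aud.([]any)
	if !isList {
		auds = []any{claims.Aud} // single string, or nil when the claim is absent
	}
	for _, a := range auds {
		if s, ok := a.(string); ok && s != "" && s == want {
			return nil
		}
	}
	return fmt.Errorf("InvalidAudience: aud=%v, want %q", claims.Aud, want)
}

// constructedToken wraps a payload in an unsigned sample token (demo input only).
func constructedToken(payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(payload)) + ".sig"
}

func main() {
	const res = "https://muster.example.test/mcp" // constructed resource identifier
	for _, p := range []string{`{"sub":"u"}`, `{"aud":[]}`, `{"aud":"` + res + `"}`} {
		fmt.Println(p, "->", CheckAudience(constructedToken(p), res))
	}
}
```

A token minted before the fix fails this check until its grant has gone through a token refresh.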
Added
- AllowedClaims in TrustedIssuer, drop KubernetesSATrusts, fix JWT signing key wiring (#772) (04b5bd2)
- muster.oauth.server.dex.allowPrivateIPOIDC: allows Dex OIDC discovery to reach issuer URLs that resolve to private/loopback IPs (e.g. Azure internal load balancers). Requires mcp-oauth#427. Emits a CWE-918 (server-side request forgery) startup warning.
Fixed
- deps: update module github.com/giantswarm/mcp-oauth to v0.2.186 (ca46984)
- deps: update module github.com/giantswarm/mcp-toolkit to v0.2.5 (#780) (bcce33a)
- CiliumNetworkPolicy egress now reaches an OIDC issuer (Dex) / HTTP MCP server fronted by a Cilium-managed ingress gateway VIP (LB-IPAM / L2, typical on-prem). New networkPolicy.cilium.ingressGateway rule allows egress to the gateway backend endpoints on their target ports (default: 10080/10443, selector: app.kubernetes.io/name=envoy in envoy-gateway-system).
Changed
- attach release binaries to GitHub releases (#785) (77dbb0f)
- deps: update go toolchain directive to v1.26.4 (#783) (ba9c3fd)