Update stacklok/toolhive to v0.28.3 #912

Open: renovate[bot] wants to merge 5 commits into main from renovate/stacklok-toolhive-0.x


@renovate renovate Bot commented Jun 2, 2026

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| stacklok/toolhive | patch | v0.28.2 → v0.28.3 |

After this PR opens, .github/workflows/upstream-release-docs.yml adds source-verified content edits for the new release. For stacklok/toolhive, the same workflow also syncs reference assets (CLI help, Swagger) and regenerates the CRD MDX pages.


Release Notes

stacklok/toolhive (stacklok/toolhive)

v0.28.3

What's Changed

Full Changelog: stacklok/toolhive@v0.28.2...v0.28.3


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


Docs update for toolhive v0.28.3

At a glance

| Item | Value |
| --- | --- |
| Upstream | stacklok/toolhive v0.28.2 → v0.28.3 |
| Hand-written changes | 2 commit(s) |
| Reference assets | refreshed (separate commit) |
| Gaps | 0 |
| Release contributors | 4 auto-assigned (see sidebar) |
| Action required | Spot-check skill-authored prose for accuracy |

Summary of changes

  • Added primaryUpstreamProvider documentation (new
    spec.authServerConfig.primaryUpstreamProvider field on VirtualMCPServer)
    in docs/toolhive/guides-vmcp/authentication.mdx, including the deprecation
    notice for the previous spec.incomingAuth.authzConfig.inline.primaryUpstreamProvider
    location (Resolve authz ConfigMap for VirtualMCPServer toolhive#5290).
  • Added the group_entity_type (Kubernetes groupEntityType) Cedar config
    field with a worked transitive-policy example in
    docs/toolhive/concepts/cedar-policies.mdx and
    docs/toolhive/reference/authz-policy-reference.mdx. Documents the enterprise
    ClaimGroup in PlatformRole pattern that motivated Resolve authz ConfigMap for VirtualMCPServer toolhive#5290.
  • Updated entities_json description in docs/toolhive/concepts/cedar-policies.mdx
    to call out the "[]" default and its role for transitive policies.
  • Added a Kubernetes-troubleshooting note for AuthzConfigMapNotFound and
    AuthzConfigMapInvalid condition reasons on the AuthConfigured condition
    in docs/toolhive/guides-k8s/auth-k8s.mdx.
  • Added a troubleshooting note for ExternalAuthConfigValidated=False mirrored
    onto consumer CRs (MCPServer/MCPRemoteProxy/VirtualMCPServer) from the
    source MCPExternalAuthConfig in docs/toolhive/guides-k8s/auth-k8s.mdx
    (Mirror MCPExternalAuthConfig Valid=False onto consumer CR conditions toolhive#5354).

Run cost

| Session | Turns | Cost (USD) |
| --- | --- | --- |
| Generation | 112 | $6.4996 |
| Editorial review | 38 | $2.8291 |
| Total | 150 | $9.3287 |

How this PR was built

Two Claude Opus sessions run per release: a generation pass (upstream-release-docs skill, 6 phases) followed by a fresh-context editorial pass (docs-review). Prettier/ESLint auto-fixes are applied after.

Auto-synced paths — do not hand-edit these in review:

  • docs/toolhive/reference/cli/
  • docs/toolhive/reference/crds/
  • static/api-specs/

If a "Gaps needing human context" section is present above, each entry includes a paste-ready Helper prompt for local Claude a reviewer can use to resolve the gap.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot added the autogen-docs label (Pull requests generated by automated release workflows) Jun 2, 2026

vercel Bot commented Jun 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs-website | Ready | Preview, Comment | Jun 2, 2026 11:50pm |

@github-actions github-actions Bot marked this pull request as draft June 2, 2026 23:35

claude Bot commented Jun 2, 2026

Claude finished @renovate[bot]'s task in 8m 25s —— View job


Upstream release docs: toolhive v0.28.3

Pushed source-verified docs edits for v0.28.3 in 715b8d5.

Doc-relevant PRs (verified against v0.28.3 source)

Summary of doc edits

  • vMCP authentication (docs/toolhive/guides-vmcp/authentication.mdx): documented the new spec.authServerConfig.primaryUpstreamProvider field with the multi-upstream selection use case, plus a deprecation note for the previous spec.incomingAuth.authzConfig.inline.primaryUpstreamProvider location and the AuthzPrimaryUpstreamProviderDeprecated Warning event.
  • Cedar concepts (docs/toolhive/concepts/cedar-policies.mdx): added the group_entity_type field to the configuration list, refreshed the entities_json description, and added a worked transitive-policy example (ClaimGroup in PlatformRole) that motivates the new field.
  • Authz policy reference (docs/toolhive/reference/authz-policy-reference.mdx): added a Customizing the group entity type subsection with a YAML example and an explanation of why mismatched entity types silently deny.
  • K8s auth troubleshooting (docs/toolhive/guides-k8s/auth-k8s.mdx): added entries for AuthzConfigMapNotFound / AuthzConfigMapInvalid (new condition reasons on AuthConfigured) and the ExternalAuthConfigValidated=False mirror behavior.

Auto-generated CRD schemas (static/api-specs/crds/*.schema.json) were already refreshed in this PR by the upstream workflow — not hand-edited.

Todo

  • Phase 1: Discovery & categorize PRs
  • Phase 2: Source-verify each PR
  • Phase 3: Audit docs / build impact map
  • Phase 4: Edit docs
  • Phase 5: Validate (ESLint clean, Prettier clean; npm run build failed only on the mcp-metadata-plugin network fetch, unrelated to these edits — CI will run the real build)
  • Phase 6: Push commit + write SUMMARY.md

Adds the new spec.authServerConfig.primaryUpstreamProvider on vMCP and
the deprecation of the previous inline location, the group_entity_type
Cedar config field with a transitive policy example, AuthzConfigMap
condition reasons, and MCPExternalAuthConfig Valid=False mirroring onto
consumer CRs.

claude Bot commented Jun 2, 2026

Claude finished @renovate[bot]'s task in 4m 16s —— View job


Editorial review: toolhive v0.28.3 docs

Pushed editorial pass on the v0.28.3 docs as db9b241.

Todo

  • Identify files changed in the previous commit
  • Run /docs-review over the changed docs files
  • Apply editorial fixes
  • Verify CRD field names and event reasons against static/api-specs/crds/*.schema.json
  • Run lint/format checks (prettier + eslint clean)
  • Commit and push

Editorial fixes applied

  • docs/toolhive/concepts/cedar-policies.mdx

    • entities_json description (config field list): changed "Required when transitive policies (for example, ...) need a static entity store" to "Required when policies use transitive in checks against a static entity store (for example, ClaimGroup in PlatformRole)." The original phrasing made "transitive policies" the grammatical subject of "need," which read as a general claim about policies rather than a condition on the user's own configuration.
    • group_entity_type description (config field list): dropped "your enterprise entity store" to plain "your entity store." Avoids inadvertent confusion with Stacklok Enterprise framing, which carries product-specific meaning elsewhere in the docs.
    • "Customizing the group entity type" intro paragraph: removed the ---bracketed parenthetical and reworded the ClaimGroup/PlatformRole example into a follow-on sentence. Per the style guide, / / -- separators should be rephrased (commas, split sentences, or restructured), reserving spaced hyphens for list-style contexts.
  • docs/toolhive/guides-vmcp/authentication.mdx

    • Deprecation note: "whenever it consumes it" → "whenever it reads the value" (less jargon-y for the controller-emits-event behavior). Split the trailing semicolon-joined clause into its own sentence and rephrased "planned for removal one release after the deprecation cycle" → "Removal of the deprecated location is planned for the release after the deprecation cycle," matching the upstream CRD description wording.

What I checked but did not change

  • Troubleshooting entries in docs/toolhive/guides-k8s/auth-k8s.mdx for AuthzConfigMapNotFound/AuthzConfigMapInvalid and the ExternalAuthConfigValidated=False mirror behavior read clearly and slot correctly into the existing bold-paragraph troubleshooting pattern inside the <details> blocks.
  • "Customizing the group entity type" section in docs/toolhive/reference/authz-policy-reference.mdx is appropriately differentiated from the cedar-policies.mdx version (the reference page carries the namespaced-names constraint; the concepts page motivates the use case).
  • CRD field names and event/condition reasons: primaryUpstreamProvider, groupEntityType, AuthzPrimaryUpstreamProviderDeprecated, AuthzConfigMapNotFound, AuthzConfigMapInvalid, and ExternalAuthConfigValidated all match the auto-refreshed schemas in static/api-specs/crds/.
  • Sidebar/IA placement: No new pages added; edits live on existing pages that already have the right inbound links and Next steps sections.

@github-actions github-actions Bot marked this pull request as ready for review June 2, 2026 23:49

@tgrunnagle tgrunnagle left a comment

authentication.mdx and auth-k8s.mdx changes around resource condition and primary upstream provider check out.

Authz sections make sense but I did not work on the related changes so would defer.
