- Config: Fixed `MAVERICS_DEBUG_MODE=true` being silently ignored when a `logger:` block was configured. Setting the env var now correctly forces DEBUG-level logging as documented.
What’s new
MCP
Significantly expanded MCP observability so operators can run at info and still get full session traceability and audit coverage — no more flipping to debug to reconstruct what happened.
- Every MCP request log now carries a hashed mcpSessionID, giving you end-to-end correlation across a client-to-Maverics session without exposing the raw Mcp-Session-Id credential.
- Proxy-path logs also carry an upstreamMCPSessionID, so you can follow a single interaction from the client, through Maverics, to the upstream MCP server on the same line.
- Every tool call emits a single tool call completed log at info with an outcome of success, tool_error, or failed — consistent across bridge and proxy modes.
- Every list-tools call emits a single list tools completed log at info with the outcome and tool count.
- Session register/unregister and upstream session established/terminated events are now surfaced at info.
- Raw session IDs never appear in logs or traces.
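
A sketch of how these fields can be used for triage, as an added example that is not Strata's code: it groups `tool call completed` events by `mcpSessionID` and lists the sessions with a non-success outcome. The JSON line layout and the `level`, `msg` and `tool` keys are assumptions, and the sample lines are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines. mcpSessionID, upstreamMCPSessionID, the
# "tool call completed" message and the three outcome values come from the
# release notes; the JSON layout and the "level", "msg" and "tool" keys are
# assumptions, so map them to your deployment's actual log schema.
SAMPLE_LOGS = [
    '{"level":"info","msg":"tool call completed","mcpSessionID":"a1f3","upstreamMCPSessionID":"9c0e","tool":"search","outcome":"success"}',
    '{"level":"info","msg":"tool call completed","mcpSessionID":"a1f3","upstreamMCPSessionID":"9c0e","tool":"export","outcome":"failed"}',
    '{"level":"info","msg":"list tools completed","mcpSessionID":"a1f3","outcome":"success"}',
    '{"level":"info","msg":"tool call completed","mcpSessionID":"b7d2","tool":"search","outcome":"tool_error"}',
    '{"level":"info","msg":"tool call completed","mcpSessionID":"c044","upstreamMCPSessionID":"51aa","tool":"search","outcome":"success"}',
    'not json: truncated line from the shipper',
]

KNOWN_OUTCOMES = {"success", "tool_error", "failed"}


def summarize_tool_calls(lines):
    """Group 'tool call completed' events by hashed session ID."""
    sessions = defaultdict(lambda: {"outcomes": Counter(), "upstream": set()})
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines that are not structured events
        if not isinstance(event, dict) or event.get("msg") != "tool call completed":
            continue
        session = sessions[event.get("mcpSessionID", "<missing>")]
        outcome = event.get("outcome")
        session["outcomes"][outcome if outcome in KNOWN_OUTCOMES else "unknown"] += 1
        if "upstreamMCPSessionID" in event:  # carried by proxy-path logs
            session["upstream"].add(event["upstreamMCPSessionID"])
    return dict(sessions)


def sessions_to_review(summary):
    """Sessions with any tool call that did not end in 'success'."""
    return sorted(
        sid for sid, data in summary.items()
        if sum(data["outcomes"].values()) > data["outcomes"]["success"]
    )


if __name__ == "__main__":
    summary = summarize_tool_calls(SAMPLE_LOGS)
    for sid in sessions_to_review(summary):
        print(sid, dict(summary[sid]["outcomes"]), sorted(summary[sid]["upstream"]))
```
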
Fixed
MCP Proxy
Fixed an issue where responses from upstream MCP servers using gzip compression could reach the client corrupted or unreadable. Compressed responses are now handled correctly.
Improvements
Logging
Audit and security events now log at info level. This makes them visible in standard log pipelines without needing to lower global log thresholds, so your SIEM and observability tooling will pick them up by default.
- Logout: Fix bug where logout redirect URLs containing pre-existing query parameters (e.g., Azure B2C custom policy endpoints with `?p=<policy>`) produced malformed URLs with duplicate `?` characters, causing downstream parameters like `id_token_hint` and `state` to be silently dropped
- MCP Proxy: Fix path parameter handling and improve tolerance for common schema quirks in MCP bridge apps built from OpenAPI specs
- OIDC Provider: Add token brokering (experimental) to the OIDC provider. Clients can exchange a Maverics access token for upstream service tokens using standard RFC 8693 token exchange. The initial release supports session passthrough mode, which returns a cached upstream token. Token brokering integrates with existing OPA token minting policies for authorization.
- Telemetry: Add W3C `traceparent` header propagation to maintain a stable traceID across the entire request lifecycle. When a request enters the Orchestrator, the traceID is preserved and forwarded to all downstream services — including identity providers and MCP endpoints — enabling true end-to-end distributed tracing with a single, consistent identifier. This is especially valuable when the Orchestrator acts as an auth provider to an AI Identity Gateway, where a single user prompt can trigger a chain of token exchanges, policy evaluations, and tool invocations across multiple services. With a stable traceID, operators can trace an AI gateway request from initial authentication through policy evaluation, token minting, and downstream MCP tool calls, correlating every hop in a single distributed trace.
- SAML Provider: Make NameID name qualifiers optional
- SAML Provider: Fix WS-Fed name claim incorrectly being included in SAML assertions
- SAML Provider: Correct XML namespacing across all SAML response types
- Telemetry: Add stable Secure Orchestrator ID (`soid`) to all log entries and OTel telemetry (`service.instance.id`) for deployment correlation
- OIDC Connector: Add configurable error handling for authentication callbacks
- OIDC Provider: Fix state parameter encoding in form post response mode
- Security: Resolved security issues
- MCP Proxy: Gracefully re-establish session with the upstream MCP server and retry the request when the session is terminated
- Proxy Apps: Allow service extensions to be reused across all application types by loosening namespace validation
- Connectors: HYPR connector now reads custom HTML files from the configuration bundle
- MCP Proxy: Gracefully re-establish sessions with upstream and retry requests when a session is terminated
- Proxy Apps: Allow service extensions to be reused across all app types
- Connectors: Support reading custom HTML files from the configuration bundle for Hypr integrations
- TLS: Add max version configuration for all TLS settings
- Session: Fixed an issue where empty sessions were persisted when the SLO endpoint terminated an unestablished session
- MCP Proxy: Add configurable scopes and token lifetimes for all MCP protocol operations
- Security: Resolved security issues
- Security: Resolved CVE-2026-2405
- MCP Proxy: Respect outbound authorization policy when making list tools requests
- SAML Apps: Enable claims mapping and the BuildClaims service extension to be used together
- MCP Proxy: Explicitly handle session termination errors that are returned from the upstream
- OIDC Connector: Add client assertion authentication mechanism (RFC 7523)
- OIDC Connector: Add support for JWT client assertion authentication as part of the token exchange grant
- OIDC Provider: Demonstrate JWT client authentication can be used with authcode, token-exchange grants
- OIDC Provider: Make openid scope and scope param optional
- SAML Provider: Ensure SAML Response elements are ordered correctly
- OIDC Provider: Add Subject and Actor token claims to token minting policy
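
The Logout fix listed above concerns a general bug class that is easy to check for in custom integrations. The following added example (not Strata's code) contrasts appending `?` unconditionally with merging into the existing query string; the endpoint host, policy name and token value are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed endpoint and values; "p" mirrors the policy parameter mentioned
# in the release note. Host, policy name and token are placeholders.
LOGOUT_ENDPOINT = "https://idp.example.com/oauth2/v2.0/logout?p=B2C_1_signin"
LOGOUT_PARAMS = {"id_token_hint": "eyJ.constructed.token", "state": "xyz123"}


def naive_logout_url(endpoint, params):
    """Illustrates the bug class: always appends '?', even if one exists."""
    return endpoint + "?" + urlencode(params)


def safe_logout_url(endpoint, params):
    """Merge params into whatever query string the endpoint already has."""
    parts = urlsplit(endpoint)
    query = "&".join(q for q in (parts.query, urlencode(params)) if q)
    return urlunsplit(parts._replace(query=query))


def received_params(url):
    """What a standards-following parser extracts from the URL's query."""
    return parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    bad = naive_logout_url(LOGOUT_ENDPOINT, LOGOUT_PARAMS)
    good = safe_logout_url(LOGOUT_ENDPOINT, LOGOUT_PARAMS)
    # In the malformed URL the second '?' is part of p's value, so at least
    # the first appended parameter never reaches the server as its own key.
    print("naive:", bad, received_params(bad))
    print("safe: ", good, received_params(good))
```
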