DVARA 1.1.0 — Native MCP, SSO Presets, and Turnkey Kubernetes
DVARA 1.1.0 is generally available today. This release takes three capabilities that were technically possible in 1.0.x and makes them first-class: native MCP protocol support, drop-in SSO with verified Keycloak and Auth0 presets, and turnkey Kubernetes deployment validated end-to-end on GKE and DOKS.
Everything below ships in every install. There is no feature paywall — the same governance core, the same MCP Proxy, the same agentic controls. 1.1.0 is a drop-in upgrade from 1.0.x.
Native MCP — speak the protocol, keep the governance
In 1.0.0 the MCP Proxy governed tool calls over a REST surface. In 1.1.0 the gateway speaks native MCP (protocol revision 2025-06-18) on both sides, behind the same transport-agnostic governance filter chain.
Northbound, DVARA exposes a native /mcp Streamable-HTTP endpoint. Point Claude Desktop, Cursor, or any MCP-compatible agent straight at your gateway and it gets a per-tenant tools/list — namespaced as {serverId}__{tool}, scanned for tool poisoning — and a tools/call that runs through the full chain: policy evaluation, argument-level tool policies, human approval gates enforced at execution, PII scanning, and signed, chained audit. The client sees a standard MCP server; you get governance and a complete audit trail transparently, on call one.
A note on transports. The MCP spec defines two standard transports — stdio and Streamable HTTP, the latter having superseded the older HTTP+SSE transport. Northbound, DVARA's /mcp endpoint is Streamable HTTP by design — the one network-native transport that carries per-tenant auth and scales across pods; stdio- or SSE-only clients reach it through a local bridge such as mcp-remote. Southbound, DVARA reaches upstream MCP servers through a pooled native client, dispatched per server on its configured transport: Streamable HTTP, stdio, and the legacy HTTP+SSE transport for older servers — while DVARA's existing REST integration remains the default and is unchanged. Native is opt-in per upstream.
The agent governance you already had — loop detection with auto-kill, the unified LLM + MCP session timeline, approval queues — now extends across native MCP traffic without a protocol translation layer in the middle. See Native MCP Support in the docs for the full protocol surface — transports, namespacing, and the documented limits.
Drop-in SSO — Keycloak and Auth0 presets
Wiring an external identity provider into the DVARA Console used to mean hand-mapping OIDC claims. 1.1.0 ships verified configuration presets for Keycloak and Auth0 — tested against real IdPs, with step-by-step setup guides. Activate a preset with a Spring profile, point it at your realm or tenant, and SSO to the Console works, including Auth0's namespaced claim URIs out of the box. SAML 2.0 and generic OIDC remain supported for everything else.
Turnkey Kubernetes — verified GKE and DOKS
Running DVARA on managed Kubernetes is now a documented, validated path rather than an exercise. We brought the stack up end-to-end on two clouds and wrote the recipes down:
- GKE — Autopilot or Standard, Cloud SQL over private IP, Workload Identity for secrets, GCE Ingress with managed TLS.
- DigitalOcean Kubernetes (DOKS) — DO Managed PostgreSQL, a plain Kubernetes Secret, Traefik v3 ingress with Let's Encrypt.
The Helm chart now injects the signed license into every component from a single platform Secret, so all three services boot from one source of truth. Per-cloud guides are in the docs, with reference recipes you can adapt to your own cluster.
Usage visibility
Every token through the LLM gateway and every MCP call is metered per tenant, with a monthly usage report you can export — for cost attribution, chargeback, and capacity planning. Universal on every install, as it has been since 1.0.
Upgrade
1.1.0 is a drop-in upgrade. Pull the 1.1.0 images (or the oci://ghcr.io/dvarahq/charts/dvara:1.1.0 chart), keep your existing license and configuration, and roll. The Spring Boot 4.1.0 platform bump and a round of base-image and dependency CVE fixes come along for free.
If you are new to DVARA: it is self-managed, activated by a signed license key, with bring-your-own-key credentials so provider keys and request data never leave your perimeter. Start with a 30-day, all-features trial license — every feature unlocked, including native MCP and agentic governance, no credit card. Get the trial or, for production licensing or a managed deployment in your region, talk to us. The release is live now.