v2.2.0: LLM Proxy, Self-Service Signup, Skills System

STOA Team
The STOA Platform Team

The biggest STOA release yet — 1,091 commits, 297 features, and a fundamental shift toward AI-native API management.

Highlights

LLM Proxy & Cost Management

  • Multi-provider LLM routing (OpenAI, Azure OpenAI, Mistral) with subscription-aware namespace selection
  • Per-tenant budget tracking with enforcement and circuit breakers
  • Anthropic cache token tracking for cost optimization
  • Dedicated LLM token tracking Grafana dashboard

Self-Service Signup

  • End-to-end tenant provisioning flow: portal signup page, API provisioning endpoint, trial limits enforcement
  • Demo tenant automation for onboarding
  • Seed data for Chat Completions API with 2 subscription plans

MCP Protocol 2025-11-25

  • Upgraded protocol with resources, prompts, and completion REST endpoints
  • Lazy MCP discovery with cache-first pattern
  • Tool schema validation at registration time
  • MCP spec compliance methods

OAuth 2.1 Hardening

  • DPoP proof-of-possession binding (sender-constraint middleware)
  • RFC 7592 DCR management endpoints
  • Proxy hardening with circuit breaker + retry for OAuth and Control Plane calls

Skills System

  • Gateway-native skills CRUD with circuit breaker health tracking
  • Lazy MCP discovery integration
  • Tool schema validation at registration

UAC (Universal API Contract)

  • JSON Schema v1.0 validator library
  • OpenAPI reverse transform with round-trip conversion tests
  • LLM contract types for UAC binding

Gateway (Rust)

| Capability | Description |
|---|---|
| LLM Proxy | Multi-provider routing (OpenAI, Azure, Mistral) with cost tracking and circuit breaker |
| Skills System | CRUD operations with circuit breaker health tracking |
| MCP 2025-11-25 | Resources, prompts, completion endpoints, lazy discovery |
| DPoP | Sender-constraint middleware for token binding |
| DCR Management | RFC 7592 endpoints |
| W3C Traceparent | Propagation through proxy hops |
| Arena Enterprise | 20-dimension benchmark across 4 categories |

Control Plane API (Python/FastAPI)

12 new endpoints:

| Method | Path | Description |
|---|---|---|
| POST | /v1/tenants/provision | Self-service tenant provisioning |
| POST | /v1/tenants/export | Tenant export for disaster recovery |
| POST | /v1/tenants/import | Tenant import/restore |
| GET/POST | /v1/billing/budgets | LLM budget service + provider config |
| GET/POST | /v1/billing/consumers | Billing consumer CRUD |
| GET/POST | /v1/billing/models | Billing models + budget check |
| GET/POST | /v1/contracts | Contract lifecycle management |
| GET/POST | /v1/data-governance | Data governance endpoints |
| GET/POST | /v1/pii | PII masking middleware + admin endpoints |
| GET | /v1/security/posture | Security posture scanner |
| GET | /v1/system/info | System info with edition/licensing |
| POST | /v1/signup | Self-service signup |

Additional improvements:

  • UAC v1.0 JSON Schema validator with OpenAPI reverse transform
  • SCIM-to-Gateway reconciliation service
  • PG audit trail with dual-write pattern
  • Usage metering pipeline

Console UI (React/TypeScript)

  • Permission gates with PermissionGate component + Proxy Owner dashboard
  • LLM Cost Management dashboard with per-tenant budget visualization
  • Access Review dashboard for compliance workflows
  • Security Posture dashboard with token binding status
  • Live deployment dashboard with SSE logs and step progress
  • i18n framework with react-i18next (39+ strings extracted)
  • Floating AI assistant chat widget

Developer Portal (React/TypeScript)

  • Self-service signup page
  • Chat Completions API enrichment panel with subscription flow
  • Unified Marketplace page
  • Execution taxonomy filters with 4-persona test coverage
  • MCP Developer Self-Service with tenant-scoped servers
  • Guided onboarding wizard
  • RBAC-aware widget visibility

Gateway Adapters

New adapter support:

  • AWS API Gateway — API Proxy CRUD, Product quotas, Developer App management
  • Azure APIM — ARM REST API integration with XML policy support

Existing adapters enhanced:

  • Apigee X — Application support, idempotent developer creation
  • Kong — DB-less declarative config improvements
  • Gravitee — V4 API lifecycle support

Helm Chart

New values:

| Key | Default | Description |
|---|---|---|
| stoaGateway.llmProxy.enabled | false | Enable LLM proxy routing |
| stoaGateway.llmProxy.providers | [] | LLM provider configurations |
| stoaGateway.skills.enabled | false | Enable skills system |
| arena.enterprise.enabled | false | Enable enterprise arena CronJob |

Infrastructure

  • Gateway Arena Enterprise Layer — 20-dimension benchmark with CI95 confidence intervals
  • Platform Continuous Verification (L2) — 3 CUJs every 15 minutes
  • Keycloak 26.5.3 upgrade
  • SCIM protocol mapper + DCR onboarding API

Security

  • DPoP proof-of-possession (RFC 9449)
  • PII masking middleware with admin endpoints
  • Security posture scanner service
  • Data governance endpoints

Breaking Changes

None. All new features are opt-in via Helm values or API configuration.

Known Issues

  • Gateway Shadow Mode not yet implemented (planned Q4 2026)
  • Terraform Provider in planning phase

Upgrade Guide

# Helm upgrade
helm repo update stoa
helm upgrade stoa-platform stoa/stoa-platform -n stoa-system

# Verify
kubectl get pods -n stoa-system
curl https://api.<YOUR_DOMAIN>/health

For detailed upgrade verification, see the upgrade verification script.

What's Next

See our Roadmap for upcoming plans:

  • Gateway Sidecar Mode — coexist with Kong, Envoy, and existing gateways
  • GitOps Reconciliation Operator (replacing AWX)
  • stoactl CLI tool (Go/Cobra)
  • Gateway Proxy Mode and Shadow Mode


The STOA Team