TL;DR
- Control-plane RBAC, stricter JWT validation, and secret redaction boost security.
- Extensive new LLM and MCP mock builders across all clients.
- LLM optimisation report and realistic AI agent testing features added.
Key Changes
MockServer 7.2.0 brings significant updates, focusing on security and advanced AI/LLM testing capabilities.
Security Enhancements:
- Control-plane Role-Based Authorization (RBAC): Now available (off by default), allowing granular access control to MockServer’s control plane operations based on roles (
admin,mutate,read). This integrates with OIDC authentication for secure environments. - JWT Validation: The
JWTValidatornow exclusively accepts asymmetric algorithms (RS*, ES*, PS*, EdDSA), rejecting HMAC algorithms to prevent algorithm-confusion forgery. - Secret Redaction: An opt-in feature (
redactSecretsInLog) masks sensitive header values (e.g.,Authorization,Cookie) and configured JSON body fields in logs and the dashboard, improving data privacy. - DOMPurify Update: Pinned
dompurifyto3.4.11to address multiple security advisories.
- Control-plane Role-Based Authorization (RBAC): Now available (off by default), allowing granular access control to MockServer’s control plane operations based on roles (
AI, LLM & Agent Protocols:
- LLM & MCP Mock Builders: Idiomatic builders for LLM-mocking (completions, tool calls, streaming, multi-turn conversations) and MCP-server-mocking are now available in all eight clients (Java, Node, Python, Ruby, Go, Rust, .NET, PHP).
- LLM Optimisation Export: Proxy LLM calls through MockServer to generate a one-click optimisation brief (Markdown) or structured JSON report. This report identifies inefficiencies like repeated system prompts, low cache-hit rates, and model overspend, providing estimated savings and fix guidance. A dashboard verdict (A–F grade) and new KPIs (cache-hit rate, one-shot rate) are included.
- Enhanced Embedding & Rerank Mocking:
httpLlmResponseembeddings now support Gemini, Ollama, and Bedrock. A new rerank action mocks Cohere and Voyage endpoints. - A2A Mock Builder: Supports streaming (
withStreaming()) and push notifications (withPushNotifications(webhookUrl)) for realistic agent-to-agent interaction testing. - Strict Structured-Output Enforcement: The
enforceOutputSchemaoption ensures mocked completions conform to theiroutputSchema, failing loudly with a502if not, mimicking real provider behavior. - Provider-Correct LLM Chaos Error Bodies: Error injection now emits realistic error shapes for various providers (Anthropic, OpenAI, Gemini, Ollama), allowing for accurate testing of SDK retry/backoff logic.
Impact for QA Teams
These updates significantly enhance MockServer’s utility for QA. Teams can now establish more secure testing environments with fine-grained access control and better protect sensitive data in logs. The extensive AI/LLM mocking features enable realistic testing of complex AI integrations, allowing for performance optimization, cost analysis, and robust error handling validation for LLM-powered applications.
