TL;DR

  • Control-plane RBAC, stricter JWT validation, and secret redaction boost security.
  • Extensive new LLM and MCP mock builders across all clients.
  • LLM optimisation report and realistic AI agent testing features added.

Key Changes

MockServer 7.2.0 brings significant updates, focusing on security and advanced AI/LLM testing capabilities.

  • Security Enhancements:

    • Control-plane Role-Based Authorization (RBAC): Now available (off by default), allowing granular access control to MockServer’s control plane operations based on roles (admin, mutate, read). This integrates with OIDC authentication for secure environments.
    • JWT Validation: The JWTValidator now exclusively accepts asymmetric algorithms (RS*, ES*, PS*, EdDSA), rejecting HMAC algorithms to prevent algorithm-confusion forgery.
    • Secret Redaction: An opt-in feature (redactSecretsInLog) masks sensitive header values (e.g., Authorization, Cookie) and configured JSON body fields in logs and the dashboard, improving data privacy.
    • DOMPurify Update: Pinned dompurify to 3.4.11 to address multiple security advisories.
  • AI, LLM & Agent Protocols:

    • LLM & MCP Mock Builders: Idiomatic builders for LLM-mocking (completions, tool calls, streaming, multi-turn conversations) and MCP-server-mocking are now available in all eight clients (Java, Node, Python, Ruby, Go, Rust, .NET, PHP).
    • LLM Optimisation Export: Proxy LLM calls through MockServer to generate a one-click optimisation brief (Markdown) or structured JSON report. This report identifies inefficiencies like repeated system prompts, low cache-hit rates, and model overspend, providing estimated savings and fix guidance. A dashboard verdict (A–F grade) and new KPIs (cache-hit rate, one-shot rate) are included.
    • Enhanced Embedding & Rerank Mocking: httpLlmResponse embeddings now support Gemini, Ollama, and Bedrock. A new rerank action mocks Cohere and Voyage endpoints.
    • A2A Mock Builder: Supports streaming (withStreaming()) and push notifications (withPushNotifications(webhookUrl)) for realistic agent-to-agent interaction testing.
    • Strict Structured-Output Enforcement: The enforceOutputSchema option ensures mocked completions conform to their outputSchema, failing loudly with a 502 if not, mimicking real provider behavior.
    • Provider-Correct LLM Chaos Error Bodies: Error injection now emits realistic error shapes for various providers (Anthropic, OpenAI, Gemini, Ollama), allowing for accurate testing of SDK retry/backoff logic.

Impact for QA Teams

These updates significantly enhance MockServer’s utility for QA. Teams can now establish more secure testing environments with fine-grained access control and better protect sensitive data in logs. The extensive AI/LLM mocking features enable realistic testing of complex AI integrations, allowing for performance optimization, cost analysis, and robust error handling validation for LLM-powered applications.