Release Overview
TurboMCP v1.1.0 represents the most significant security and architectural advancement in the library's history. This release introduces RFC 9449 Demonstration of Proof-of-Possession (DPoP) - a cutting-edge OAuth 2.0 security enhancement that cryptographically binds access tokens to client keys, preventing token theft and replay attacks.
Additionally, we're introducing revolutionary type-state capability builders with const-generic validation that makes impossible configurations unrepresentable in the type system - achieving zero-cost abstractions with compile-time safety guarantees.
Security First
Complete RFC 9449 DPoP implementation with multi-store support, HSM integration, and enterprise-grade key management.
Type Safety
Revolutionary const-generic builders that prevent impossible states at compile time with zero runtime overhead.
RFC 9449 DPoP Security Suite
The new turbomcp-dpop crate provides a complete implementation of RFC 9449 Demonstration of Proof-of-Possession. This security enhancement addresses one of OAuth 2.0's fundamental vulnerabilities: bearer token theft.
Security Problem: Bearer Token Vulnerability
Traditional OAuth 2.0 bearer tokens can be stolen and reused by attackers. If an attacker intercepts your access token, they can make API calls as if they were you.
DPoP Solution: Tokens are cryptographically bound to client keys, making stolen tokens useless without the corresponding private key.
use turbomcp_dpop::prelude::*;
use turbomcp::prelude::*;
#[derive(Clone)]
struct SecureAPIServer {
dpop_store: Arc<RwLock<DpopTokenStore>>,
}
#[server(
name = "secure-api-server",
version = "1.0.0",
description = "API server with RFC 9449 DPoP security"
)]
impl SecureAPIServer {
#[tool("Access protected resource with DPoP")]
async fn protected_operation(
&self,
ctx: Context,
resource_url: String
) -> McpResult<String> {
// Generate DPoP proof for the resource
let dpop_proof = dpop_token!(
ctx,
&resource_url,
"GET",
Some("additional-claims")
).await?;
ctx_info!(ctx, "DPoP proof generated for: {}", resource_url);
Ok(format!("Secure access granted with DPoP proof: {}", dpop_proof))
}
#[tool("Configure DPoP security level")]
async fn configure_security(
&self,
level: SecurityLevel
) -> McpResult<String> {
match level {
SecurityLevel::Memory => Ok("Using in-memory token store".to_string()),
SecurityLevel::Redis => Ok("Using Redis distributed store".to_string()),
SecurityLevel::HSM => Ok("Using Hardware Security Module".to_string()),
}
}
}Multi-Store Architecture
TurboMCP's DPoP implementation supports multiple storage backends to meet different security requirements:
Memory Store
- • Development & testing
- • Zero configuration
- • Fast performance
- • No persistence
Redis Store
- • Distributed systems
- • High availability
- • Automatic cleanup
- • Scalable storage
HSM Store
- • Enterprise security
- • Hardware protection
- • FIPS compliance
- • Audit trails
Hardware Security Module Integration
For the highest security requirements, TurboMCP supports integration with Hardware Security Modules (HSMs) including YubiHSM2 and PKCS#11 devices:
use turbomcp_dpop::hsm::*;
// YubiHSM2 integration
let hsm_config = HSMConfig::yubihsm2()
.with_connector("yhsm://localhost:12345")
.with_auth_key_id(1)
.with_wrap_key_id(2)
.build();
// PKCS#11 integration
let pkcs11_config = HSMConfig::pkcs11()
.with_library("/usr/lib/libpkcs11.so")
.with_slot_id(0)
.with_pin("1234")
.build();
// Automatic key rotation
let rotation_policy = KeyRotationPolicy::new()
.rotate_every(Duration::from_secs(3600)) // 1 hour
.backup_keys(5)
.with_hsm_backup()
.build();Type-State Capability Builders
TurboMCP v1.1.0 introduces revolutionary type-state builders that use const-generics to provide compile-time validation of capability configurations. These builders make impossible states unrepresentable in the type system.
Revolutionary Features
- Impossible configurations prevented at compile time
- Zero-cost abstractions - all validation happens at compile time
- SIMD optimization hints for performance-critical paths
- Enterprise security modes with automatic compliance
use turbomcp::builders::*;
// Compile-time safe capability configuration
let capabilities = CapabilityBuilder::new()
.with_tools(true)
.with_resources(true)
.with_prompts(true)
.with_simd_optimization_hints()
.enterprise_security_mode()
.build_const(); // ← Zero runtime overhead!
// Impossible configurations are prevented at compile time
// This won't compile - you can't have sampling without tools:
// let invalid = CapabilityBuilder::new()
// .with_sampling(true) // ← Compiler error!
// .build_const();
// Pre-configured patterns for common use cases
let full_featured = CapabilityBuilder::full_featured()
.with_hsm_integration()
.build_const();
let minimal = CapabilityBuilder::minimal()
.with_stdio_only()
.build_const();
let sampling_focused = CapabilityBuilder::sampling_focused()
.with_enterprise_llm_providers()
.build_const();Compile-Time Safety Guarantees
The type-state builder system uses Rust's advanced type system to encode business rules as compile-time constraints:
✅ Valid Configurations
- • Tools + Resources + Prompts
- • Sampling + Tools (dependency)
- • Enterprise + HSM security
- • SIMD + Performance hints
❌ Prevented at Compile Time
- • Sampling without Tools
- • HSM without Enterprise mode
- • SIMD hints on non-SIMD targets
- • Invalid capability combinations
Performance & Quality Improvements
Beyond the major new features, v1.1.0 includes comprehensive performance optimizations and quality improvements:
Benchmark Modernization
- • Updated to
std::hint::black_box - • Eliminated deprecation warnings
- • More accurate performance measurements
- • Cross-platform benchmark consistency
WebSocket Enhancements
- • Updated tokio-tungstenite to v0.27.0
- • Optimized Message::Text API usage
- • Enhanced Redis AsyncIter safety
- • Improved connection reliability
Dependency & Security Updates
Comprehensive Updates
- • All workspace dependencies to latest stable versions
- • Security-focused dependency analysis
- • Eliminated deprecated API usage
- • Enhanced WebSocket example compatibility
- • Fixed all doctest compilation errors
- • Resolved import issues across crates
- • Comprehensive test suite improvements
- • Quality assurance validation
100% Backward Compatibility
Zero Breaking Changes Guarantee
TurboMCP v1.1.0 maintains 100% backward compatibility with all v1.0.x applications. All existing code continues to work unchanged.
- Optional Upgrades: New features are opt-in via feature flags or explicit usage
- Migration-Free: No code changes required for existing applications
- Protocol Compliance: Maintains complete MCP 2025-06-18 specification adherence
Getting Started with v1.1.0
Basic Installation
[dependencies]
turbomcp = "1.1"
# Or with specific features for DPoP security
turbomcp = { version = "1.1", features = ["dpop", "hsm"] }
# For type-state builders
turbomcp = { version = "1.1", features = ["type-state-builders"] }Quick Start with DPoP Security
use turbomcp::prelude::*;
use turbomcp_dpop::prelude::*;
#[derive(Clone)]
struct SecureServer;
#[server(
name = "secure-server",
version = "1.0.0",
description = "Server with DPoP security"
)]
impl SecureServer {
#[dpop_secured]
#[tool("Secure operation")]
async fn secure_operation(&self, ctx: Context) -> McpResult<String> {
ctx_info!(ctx, "Executing secure operation with DPoP proof");
Ok("Operation completed securely".to_string())
}
}
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let server = SecureServer;
server.run_stdio().await?;
Ok(())
}Enterprise Features
Advanced Security
- • RFC 9449 DPoP implementation
- • Hardware Security Module support
- • Multi-algorithm support (ES256, RS256)
- • Automatic key rotation policies
- • Enterprise audit trails
Type-Safe Architecture
- • Compile-time capability validation
- • Zero-cost abstraction guarantees
- • Impossible state prevention
- • Pre-configured enterprise patterns
- • SIMD optimization hints
Migration Guide
Effortless Migration
Upgrading from any v1.0.x version to v1.1.0 is straightforward - simply update your version number:
# In your Cargo.toml, change:
turbomcp = "1.0"
# to:
turbomcp = "1.1"That's it! All existing functionality continues to work exactly as before. New features like DPoP security and type-state builders are opt-in via explicit usage or feature flags.
What's Next
TurboMCP v1.1.0 establishes a new foundation for secure, type-safe MCP development. Our roadmap focuses on expanding these capabilities:
v1.2.0: Advanced Observability
OpenTelemetry integration, distributed tracing, and comprehensive security monitoring
v1.3.0: Extended DPoP Features
Additional HSM providers, zero-knowledge proofs, and advanced cryptographic protocols
v2.0.0: Cloud-Native Evolution
Kubernetes operators, service mesh integration, and enterprise deployment automation
Experience TurboMCP v1.1.0
Discover enterprise-grade security with RFC 9449 DPoP and revolutionary type-state builders.