From 692a1e50170c0399d060f4ad073cc8aa3e07f03d Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 13 Mar 2026 10:23:39 +0000
Subject: [PATCH] Update ToolHive reference docs for v0.12.0

---
 docs/toolhive/reference/crd-spec.md | 23 ++++++++++++++++++++++-
 static/api-specs/toolhive-api.yaml  | 16 ++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/docs/toolhive/reference/crd-spec.md b/docs/toolhive/reference/crd-spec.md
index e1efbe16..61dfbb3e 100644
--- a/docs/toolhive/reference/crd-spec.md
+++ b/docs/toolhive/reference/crd-spec.md
@@ -389,7 +389,7 @@ _Appears in:_
 | `logLevel` _string_ | LogLevel sets the logging level for the Virtual MCP server.<br />The only valid value is "debug" to enable debug logging.<br />When omitted or empty, the server uses info level logging. |  | Enum: [debug] <br />Optional: \{\} <br /> |
 | `timeouts` _[vmcp.config.TimeoutConfig](#vmcpconfigtimeoutconfig)_ | Timeouts configures timeout settings. |  | Optional: \{\} <br /> |
 | `failureHandling` _[vmcp.config.FailureHandlingConfig](#vmcpconfigfailurehandlingconfig)_ | FailureHandling configures failure handling behavior. |  | Optional: \{\} <br /> |
-| `sessionManagementV2` _boolean_ | SessionManagementV2 enables session-scoped backend client lifecycle.<br />When true, vMCP creates real backend connections per session via MultiSessionFactory<br />and routes tool calls directly through the session rather than the global router.<br />Defaults to false; existing behaviour is completely unchanged when disabled. |  | Optional: \{\} <br /> |
+| `sessionManagementV2` _boolean_ | SessionManagementV2 enables session-scoped backend client lifecycle.<br />When true, vMCP creates real backend connections per session via MultiSessionFactory<br />and routes tool calls directly through the session rather than the global router.<br />Defaults to true. Set explicitly to false to opt out. | true | Optional: \{\} <br /> |
 
 
 #### vmcp.config.OptimizerConfig
@@ -2450,6 +2450,26 @@ _Appears in:_
 | `dialTimeout` _string_ | DialTimeout is the timeout for establishing connections.<br />Format: Go duration string (e.g., "5s", "1m"). | 5s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$` <br />Optional: \{\} <br /> |
 | `readTimeout` _string_ | ReadTimeout is the timeout for socket reads.<br />Format: Go duration string (e.g., "3s", "1m"). | 3s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$` <br />Optional: \{\} <br /> |
 | `writeTimeout` _string_ | WriteTimeout is the timeout for socket writes.<br />Format: Go duration string (e.g., "3s", "1m"). | 3s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$` <br />Optional: \{\} <br /> |
+| `tls` _[api.v1alpha1.RedisTLSConfig](#apiv1alpha1redistlsconfig)_ | TLS configures TLS for connections to the Redis/Valkey master.<br />Presence of this field enables TLS. Omit to use plaintext. |  | Optional: \{\} <br /> |
+| `sentinelTls` _[api.v1alpha1.RedisTLSConfig](#apiv1alpha1redistlsconfig)_ | SentinelTLS configures TLS for connections to Sentinel instances.<br />Presence of this field enables TLS. Omit to use plaintext.<br />When omitted, sentinel connections use plaintext (no fallback to TLS config). |  | Optional: \{\} <br /> |
+
+
+#### api.v1alpha1.RedisTLSConfig
+
+
+
+RedisTLSConfig configures TLS for Redis connections.
+Presence of this struct on a connection type enables TLS for that connection.
+
+
+
+_Appears in:_
+- [api.v1alpha1.RedisStorageConfig](#apiv1alpha1redisstorageconfig)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `insecureSkipVerify` _boolean_ | InsecureSkipVerify skips TLS certificate verification.<br />Use when connecting to services with self-signed certificates. |  | Optional: \{\} <br /> |
+| `caCertSecretRef` _[api.v1alpha1.SecretKeyRef](#apiv1alpha1secretkeyref)_ | CACertSecretRef references a Secret containing a PEM-encoded CA certificate<br />for verifying the server. When not specified, system root CAs are used. |  | Optional: \{\} <br /> |
 
 
 #### api.v1alpha1.RegistryFilter
@@ -2583,6 +2603,7 @@ _Appears in:_
 - [api.v1alpha1.OAuth2UpstreamConfig](#apiv1alpha1oauth2upstreamconfig)
 - [api.v1alpha1.OIDCUpstreamConfig](#apiv1alpha1oidcupstreamconfig)
 - [api.v1alpha1.RedisACLUserConfig](#apiv1alpha1redisacluserconfig)
+- [api.v1alpha1.RedisTLSConfig](#apiv1alpha1redistlsconfig)
 - [api.v1alpha1.TokenExchangeConfig](#apiv1alpha1tokenexchangeconfig)
 
 | Field | Description | Default | Validation |
diff --git a/static/api-specs/toolhive-api.yaml b/static/api-specs/toolhive-api.yaml
index ca3f44c4..4977b816 100644
--- a/static/api-specs/toolhive-api.yaml
+++ b/static/api-specs/toolhive-api.yaml
@@ -1103,10 +1103,26 @@ components:
           type: string
         sentinel_config:
           $ref: '#/components/schemas/storage.SentinelRunConfig'
+        sentinel_tls:
+          $ref: '#/components/schemas/storage.RedisTLSRunConfig'
+        tls:
+          $ref: '#/components/schemas/storage.RedisTLSRunConfig'
         write_timeout:
           description: WriteTimeout is the timeout for write operations (e.g., "3s").
           type: string
       type: object
+    storage.RedisTLSRunConfig:
+      description: |-
+        SentinelTLS configures TLS for Sentinel connections.
+        Falls back to TLS config when nil.
+      properties:
+        ca_cert_file:
+          description: CACertFile is the path to a PEM-encoded CA certificate file.
+          type: string
+        insecure_skip_verify:
+          description: InsecureSkipVerify skips certificate verification.
+          type: boolean
+      type: object
     storage.RunConfig:
       description: |-
         Storage configures the storage backend for the auth server.