Releases · CodesWhat/portkey-admin-mcp

18 Jun 16:38

github-actions

v0.3.8

3832669

Release v0.3.8 Latest

Latest

Marketplace validation release for LobeHub and other MCP catalogs. No Portkey Admin API surface changes.

Added

Register a built-in plan_portkey_admin_workflow MCP prompt so clients and catalogs can discover an invokable prompt; the prompt validates argument lengths, embeds the workflow guide as an MCP resource, and reminds clients to treat user task text as lower-priority context.
Register a static portkey-admin://docs/workflow-guide MCP resource with safe usage guidance and assistant-priority annotations for discovery-first Portkey Admin workflows.
Add MCP e2e coverage for prompt/resource capabilities, listing, prompt rendering, resource reading, and no-key catalog inspection.

Changed

Allow the shared MCP service factory to initialize without PORTKEY_API_KEY so marketplaces can inspect server capabilities before users provide secrets. Direct PortkeyService construction and actual Admin API calls still require real credentials.
GitHub Releases now use the matching CHANGELOG.md version section as the release body (with the auto-generated PR list appended), instead of auto-generated notes alone.

Fixed

Use LobeHub's lowercase codeswhat-portkey-admin-mcp badge slug so owner-claim scans match the marketplace page exactly.

What's Changed

🔧 config(release): use CHANGELOG section as GitHub Release notes by @scttbnsn in #14

Full Changelog: v0.3.7...v0.3.8

Contributors

scttbnsn

Assets 2

11 Jun 18:49

github-actions

v0.3.7

a7276c8

Release v0.3.7

Security hardening, pagination params, compact tool responses, and a major test-coverage expansion from a four-domain code review — plus this is the first release cut entirely by automation and published to npm via OIDC trusted publishing with SLSA provenance attestation. Tool-param additions are additive; no breaking API surface changes.

Security

Sanitize the caller-supplied MCP-Protocol-Version header before echoing it in HTTP error responses — truncated to 64 chars and restricted to [A-Za-z0-9._-], closing an unvalidated-input reflection path.
Remove Redis configuration details from the unauthenticated /auth/info response to reduce infrastructure fingerprinting.
Send Strict-Transport-Security only when TLS is enabled, instead of emitting HSTS on plain-HTTP responses.
Emit a startup warning when ALLOWED_ORIGINS=* is combined with MCP_AUTH_MODE=none.
Hash service-cache map keys with SHA-256 so plaintext API keys are never used as in-process cache identifiers.
Route health checks through BaseService so they receive the same SSRF URL validation and structured error parsing as every other upstream call.
create_api_key description now warns that the key secret is returned exactly once and will appear in MCP transcripts and LLM context.

Added

Pagination params on six list tools — list_virtual_keys, list_configs, list_all_users, list_user_invites, list_mcp_server_capabilities, and list_mcp_server_user_access now accept optional current_page/page_size inputs; the two MCP-server lists also surface has_more.
Cross-field validation for create_api_key — the workspace key type now requires workspace_id at the Zod schema layer.
140 new tests (suite: 114 → 269) covering 13 previously untested tool modules, Clerk JWT auth mode, DELETE /mcp and SSE GET /mcp session endpoints, abort/timeout and upstream-error propagation paths, and contract schemas with live-recorded fixtures for workspaces and users.

Changed

Compact JSON tool responses (~157 call sites) — tool responses no longer pretty-print, reducing response token usage on every tool call.
Lazy Redis import — the redis client loads only when the Redis event store is actually constructed.
create_integration/update_integration preserve empty strings instead of silently dropping them.
migrate_prompt/promote_prompt internal lookups request a small page instead of a full listing.
PORTKEY_BASE_URL validated once per service container, failing fast with a single clear error.
HTTP transport repositioned as proof of concept — there is no hosted version; stdio via npx is the supported transport.

Release automation (new in this cycle)

Merging a version bump to main now cuts the whole release: auto-tag → full CI against the tag → npm publish via OIDC trusted publishing (no stored tokens, provenance attested) → GitHub Release → MCP Registry. See docs/RELEASE.md.