Skip to content

Release v0.3.7

Choose a tag to compare

View all tags
@github-actions github-actions released this 11 Jun 18:49
· 8 commits to main since this release
v0.3.7
a7276c8
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Security hardening, pagination params, compact tool responses, and a major test-coverage expansion from a four-domain code review — plus this is the first release cut entirely by automation and published to npm via OIDC trusted publishing with SLSA provenance attestation. Tool-param additions are additive; no breaking API surface changes.

Security

  • Sanitize the caller-supplied MCP-Protocol-Version header before echoing it in HTTP error responses — truncated to 64 chars and restricted to [A-Za-z0-9._-], closing an unvalidated-input reflection path.
  • Remove Redis configuration details from the unauthenticated /auth/info response to reduce infrastructure fingerprinting.
  • Send Strict-Transport-Security only when TLS is enabled, instead of emitting HSTS on plain-HTTP responses.
  • Emit a startup warning when ALLOWED_ORIGINS=* is combined with MCP_AUTH_MODE=none.
  • Hash service-cache map keys with SHA-256 so plaintext API keys are never used as in-process cache identifiers.
  • Route health checks through BaseService so they receive the same SSRF URL validation and structured error parsing as every other upstream call.
  • create_api_key description now warns that the key secret is returned exactly once and will appear in MCP transcripts and LLM context.

Added

  • Pagination params on six list toolslist_virtual_keys, list_configs, list_all_users, list_user_invites, list_mcp_server_capabilities, and list_mcp_server_user_access now accept optional current_page/page_size inputs; the two MCP-server lists also surface has_more.
  • Cross-field validation for create_api_key — the workspace key type now requires workspace_id at the Zod schema layer.
  • 140 new tests (suite: 114 → 269) covering 13 previously untested tool modules, Clerk JWT auth mode, DELETE /mcp and SSE GET /mcp session endpoints, abort/timeout and upstream-error propagation paths, and contract schemas with live-recorded fixtures for workspaces and users.

Changed

  • Compact JSON tool responses (~157 call sites) — tool responses no longer pretty-print, reducing response token usage on every tool call.
  • Lazy Redis import — the redis client loads only when the Redis event store is actually constructed.
  • create_integration/update_integration preserve empty strings instead of silently dropping them.
  • migrate_prompt/promote_prompt internal lookups request a small page instead of a full listing.
  • PORTKEY_BASE_URL validated once per service container, failing fast with a single clear error.
  • HTTP transport repositioned as proof of concept — there is no hosted version; stdio via npx is the supported transport.

Release automation (new in this cycle)

Merging a version bump to main now cuts the whole release: auto-tag → full CI against the tag → npm publish via OIDC trusted publishing (no stored tokens, provenance attested) → GitHub Release → MCP Registry. See docs/RELEASE.md.

What's Changed

  • v0.3.7: review-driven hardening, pagination, test coverage, release automation by @scttbnsn in #13

Full Changelog: v0.3.6...v0.3.7

Contributors

scttbnsn
Assets 2
Loading