Releases: SepineTam/mcp-for-stata

V1.20.1

19 Jun 04:04

Stata-MCP v1.20.1

Release Date: June 19, 2026
Type: Security Fix

What's New

Resolves security alerts by hardening the Stata command guard against comment and frame-prefix bypasses.

Changes

  • Guard: Stripped Stata block comments (/* */) before security validation to prevent dangerous commands from being hidden inside comments
  • Guard: Stripped frame prefixes before command checks so dangerous commands cannot bypass detection via frame scoping
  • Dependencies: Updated locked dependencies to resolve security alerts
  • Tests: Added validator tests for block comment stripping and frame prefix stripping
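
The normalise-then-check order these guard changes describe, as an added sketch that is not the project's validator. It goes slightly beyond this release by also peeling the `quietly:`, `capture:` and `noisily:` prefixes named in the v1.17.3 notes. Assumptions: the denylist contents, all function names, and that Stata block comments nest.

```python
import re

# Assumed denylist: python, mata, java and plugin are named in the v1.17.3
# notes; shell is added here for illustration.
DANGEROUS = {"shell", "python", "mata", "java", "plugin"}
# "frame <name>:" plus the colon prefixes listed in the v1.17.3 notes.
PREFIX = re.compile(r"(?:frame\s+\w+\s*:|(?:quietly|capture|noisily)\s*:?)\s*")

def strip_block_comments(text, filler):
    """Drop /* ... */ spans, tracking nesting; an unclosed one eats the rest."""
    out, depth, i = [], 0, 0
    while i < len(text):
        pair = text[i:i + 2]
        if pair == "/*":
            depth, i = depth + 1, i + 2
        elif pair == "*/" and depth:
            depth, i = depth - 1, i + 2
            if depth == 0:
                out.append(filler)
        else:
            if depth == 0:
                out.append(text[i])
            i += 1
    return "".join(out)

def first_command(line):
    """Peel known prefixes off one line and return the command word."""
    line = line.strip()
    while (m := PREFIX.match(line)):
        line = line[m.end():].lstrip()
    m = re.match(r"[A-Za-z_]\w*", line)
    return m.group(0) if m else ""

def violations(code):
    """Denylisted commands left once comments and prefixes are removed."""
    found = set()
    # Read each comment both as a separator and as nothing, so the verdict
    # does not depend on how the interpreter tokenises around it.
    for filler in (" ", ""):
        for line in strip_block_comments(code, filler).splitlines():
            found.add(first_command(line))
    return sorted(found & DANGEROUS)

# Constructed sample inputs, not taken from the project's test suite.
SAMPLES = [
    "/* note */ shell echo hi",
    "frame results: python: print(1)",
    "quietly: frame results: summarize price",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} -> {violations(s) or 'ok'}")
```

Command abbreviations and `#delimit ;` handling are outside this sketch; the v1.17.3 notes say the project rejects `#delimit ;` outright in guard mode.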

V1.20.0

14 Jun 07:53

Stata-MCP v1.20.0

Release Date: June 14, 2026
Type: Bug Fix

What's New

Fixes summary crash for string columns containing numeric values and adds cross-format test coverage.

Changes

  • Data Info: Fixed crash when summarizing string columns containing numeric values across DTA, CSV, and XLSX formats
  • Tests: Added cross-format tests for string-numeric column handling and base type detection

V1.19.0

09 Jun 05:50

Stata-MCP v1.19.0

Release Date: June 9, 2026
Type: Security

What's New

Multi-layer security hardening across ado installation, Stata help, and Stata do execution, plus optional timeout support for do-file runs.

Changes

  • Security (Ado Install): Moved ado_package_install behind the unsafe MCP server profile; the tool is no longer available in core or all profiles, requiring explicit opt-in via --unsafe
  • Security (Ado Install): Added entry-point approval layer so stata-mcp install must explicitly approve ado installation capability before the tool becomes usable
  • Security (Ado Install): Enforced alphanumeric package name validation to prevent command injection through malformed package names
  • Security (Ado Install): Closed multiple security bypasses in the ado installation flow, including direct loader validation and centralized Stata command input validation
  • Security (Stata Help): Hardened Stata help lookup with direct loader validation and refreshed help cache behavior to prevent unauthorized command execution paths
  • Stata Do: Added optional timeout parameter for stata_do execution to prevent runaway Stata processes
  • Stata Do: Use Stata return codes for install status detection instead of string parsing
  • Dependencies: Bump starlette from 1.0.0 to 1.0.1

V1.18.2

04 Jun 08:50
ede0944

Stata-MCP v1.18.2

Release Date: June 4, 2026
Type: Feature

What's New

Brings ANSI-colored output to the install subcommand, matching the visual standard already used by verify. Status lines now print in green/yellow/red/cyan depending on their [TAG] prefix.

Changes

  • Installer: New output.py module ships ColorStream and colored_stdout(); handle_install wraps each install call with the context manager and prefixes its own prints with [ERROR] / [DONE] / [WARN]
  • Verifier: _paint now reuses the shared _should_color(stream) and _wrap(code, text) helpers from output.py, so the NO_COLOR and TTY gate is defined exactly once
  • Tests: 13 new tests in tests/test_color_stream.py for ColorStream; tests/test_install.py adds an end-to-end test asserting ANSI escapes for all four tags

V1.18.1

03 Jun 11:30
57175bf

Stata-MCP v1.18.1

Release Date: June 3, 2026
Type: Refactor

What's New

Renames the Installer package to lowercase installer for PEP 8 conformance, and consolidates the Verifier module into the installer package since verification is conceptually part of the install workflow.

Changes

  • Refactor: Rename src/stata_mcp/utils/Installer/ to src/stata_mcp/utils/installer/ (PEP 8 lowercase)
  • Refactor: Move src/stata_mcp/utils/Verifier/verifier.py to src/stata_mcp/utils/installer/verifier.py
  • Refactor: Update __init__.py to re-export Verifier, VerifyOutcome, VerifyResult, and color helpers from the unified installer package
  • Refactor: Update internal imports in cli/_handlers.py and three test files to use the new module paths

V1.18.0

03 Jun 10:34

Stata-MCP v1.18.0

Release Date: June 3, 2026
Type: Feature

What's New

Adds a read-only verify subcommand for diagnosing whether MCP-for-Stata is registered in a target client, and rebrands the project to MCP-for-Stata per StataCorp request.

Changes

  • Verify: Add stata-mcp verify to read-only check whether MCP-for-Stata is registered in a built-in MCP client or a custom JSON/TOML config file
  • Verify: Flags suspicious stdio commands (localhost, http://) as warnings, with separate exit codes for file/key/parse/schema failures
  • Installer: Add find_config_path and find_default_index read-only helpers, mirroring install_to_* path discovery
  • Tests: Add 58 tests in tests/test_verify.py covering success, parse, schema, warnings, and CLI routing
  • Rebrand: Rename project to MCP-for-Stata per StataCorp request (pyproject, CITATION, README across en/zh/es/fr)
  • Build: Fix AGPL-3.0 SPDX classifier spelling in pyproject.toml that blocked uv sync

V1.17.3

19 May 16:50

Stata-MCP v1.17.3

Release Date: May 20, 2026
Type: Security Fix

What's New

This release patches 8 security vulnerabilities discovered during a comprehensive security audit, including a critical command injection via log_file_name parameter (issue #74).

Changes

  • Security: Fix critical log_file_name injection vulnerability that allowed arbitrary Stata command execution via crafted log file names (closes #74).
  • Security: Add dofile_path control character validation to prevent quote and backtick injection in Stata do commands.
  • Security: Add log path traversal protection using resolve() and is_relative_to() checks.
  • Security: Harden guard validator against colon-prefix bypasses (quietly:, capture:, noisily:).
  • Security: Reject #delimit ; syntax in guard mode to prevent delimiter-based command smuggling.
  • Security: Enhance macro expansion detection to catch local/global macro bypasses with arguments and compound quotes.
  • Security: Add python, mata, java, and plugin commands to the dangerous commands blacklist.
  • Tests: Add comprehensive regression tests for all 8 security fixes.
  • Docs: Add Codex installation instructions to README and Chinese translation.
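
One way to combine the log file name validation with the `resolve()` / `is_relative_to()` containment check listed above, as an added example that is not the project's code. The allowed-character policy, the `.log` suffix and the names `safe_log_path` and `screen` are assumptions.

```python
import re
from pathlib import Path

# Assumed policy: a bare name of letters, digits, dot, dash and underscore.
# Quotes, backticks, control characters and path separators never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def safe_log_path(log_dir, log_file_name):
    """Return the resolved log path under log_dir, or raise ValueError."""
    # fullmatch() rather than match() with "$": a trailing newline is rejected.
    if not SAFE_NAME.fullmatch(log_file_name):
        raise ValueError(f"rejected log file name: {log_file_name!r}")
    base = Path(log_dir).resolve()
    candidate = (base / f"{log_file_name}.log").resolve()
    # resolve() collapses ".." and follows symlinks; is_relative_to() then
    # confirms the final location is still inside the log directory.
    if not candidate.is_relative_to(base):
        raise ValueError(f"log path escapes {base}: {candidate}")
    return candidate


def screen(log_dir, names):
    """Map each candidate name to the accepted path or the rejection reason."""
    verdicts = {}
    for name in names:
        try:
            verdicts[name] = str(safe_log_path(log_dir, name))
        except ValueError as exc:
            verdicts[name] = f"REJECTED ({exc})"
    return verdicts


# Constructed sample names, not taken from issue #74.
SAMPLES = ["run_01", "../outside", 'a" b', "tick`name", "line\nbreak"]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, verdict in screen(tmp, SAMPLES).items():
            print(f"{name!r:16} {verdict}")
```

With the name pattern this strict, the containment check mainly catches a symlink inside the log directory that points elsewhere, which the character filter alone cannot see.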

V1.17.2

19 May 09:33

Stata-MCP v1.17.2

Release Date: May 19, 2026
Type: Fix

What's New

Fixed stata-mcp update failing when installed via uv tool install by correcting the installation method detection logic.

Changes

  • Update: Fix uv-tool installation detection by using sys.prefix instead of sys.executable.resolve() to avoid false pip detection caused by Python interpreter symlinks (closes #69).

V1.17.1

18 May 11:00

Stata-MCP v1.17.1

Release Date: May 18, 2026
Type: Feature

What's New

Installer now backs up config files before editing to prevent accidental data loss.

Changes

  • Install: Backup config before edits with timestamped naming, abort on failure

V1.17.0

16 May 09:48

Stata-MCP v1.17.0

Release Date: May 16, 2026
Type: Feature

What's New

Overhaul the install system with custom config paths, nested key support, CLI-first installation, and Hermes Agent support.

Changes

  • Install: Add --json-file and --json-index for custom config paths and nested keys; bare stata-mcp install now defaults to --all; add CLI-first fallback (claude mcp add, codex mcp add, openclaw mcp set, hermes mcp add) before writing config files directly.
  • Agents: Officially support Hermes Agent as an MCP client with YAML config generation.
  • Config: stata-mcp config show now supports Section.Key notation.
  • CLI: Flatten config subcommand structure into show, set, and cli set.