Skip to content

EleSync v1.9.1

Latest

Choose a tag to compare

@Alphanymous Alphanymous released this 06 Jul 15:04

Fixed

  • Critical: Bearer-auth middleware was never actually enforced on the
    HTTP/SSE MCP transport.
    ELESYNC_TOKEN could be set and the server would
    behave as if it were protected, but every request was silently let through
    unauthenticated. Root cause: FastMCP does not cache a Starlette app on
    self.app/self._app — streamable_http_app()/sse_app() each build a
    fresh instance on every call, and the previous code tried to attach
    middleware to an app object that never existed. Fixed by wrapping the
    app-builder methods themselves so the middleware attaches to whichever
    instance is actually served, for both streamable-http and sse
    transports. If you run EleSync's HTTP/SSE transport with a token
    configured, upgrade immediately
    — prior versions provided no enforcement
    regardless of configuration.
  • Regression tests added (tests/test_mcp_auth.py) that build the real
    Starlette app and assert unauthenticated/wrong-token requests get 401 and
    correctly-authenticated requests do not — covering the exact gap that let
    the original bug ship silently.
  • Restored an unconditional import in mcp_server.py that a prior lint pass
    had removed as a seeming duplicate, which left a NameError latent on the
    direct-token code path.
  • Removed a stale [[tool.mypy.overrides]] section referencing numpy,
    which isn't a dependency anywhere in the codebase.
  • Removed a dead label parameter in elesync/usb.py.
  • index.html: use <code> instead of <span> for the install command
    (semantics/accessibility).
  • Strengthened test_empty_query_returns_recent to use explicit
    out-of-order timestamps, so the test can no longer pass by accident
    regardless of whether ORDER BY actually works.
  • Renamed test_recall_hides_unscoped_client_nothing to
    test_unrestricted_client_sees_all — the old name inverted its own
    meaning.