You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Critical: Bearer-auth middleware was never actually enforced on the
HTTP/SSE MCP transport.ELESYNC_TOKEN could be set and the server would
behave as if it were protected, but every request was silently let through
unauthenticated. Root cause: FastMCP does not cache a Starlette app on self.app/self._app — streamable_http_app()/sse_app() each build a
fresh instance on every call, and the previous code tried to attach
middleware to an app object that never existed. Fixed by wrapping the
app-builder methods themselves so the middleware attaches to whichever
instance is actually served, for both streamable-http and sse
transports. If you run EleSync's HTTP/SSE transport with a token
configured, upgrade immediately — prior versions provided no enforcement
regardless of configuration.
Regression tests added (tests/test_mcp_auth.py) that build the real
Starlette app and assert unauthenticated/wrong-token requests get 401 and
correctly-authenticated requests do not — covering the exact gap that let
the original bug ship silently.
Restored an unconditional import in mcp_server.py that a prior lint pass
had removed as a seeming duplicate, which left a NameError latent on the
direct-token code path.
Removed a stale [[tool.mypy.overrides]] section referencing numpy,
which isn't a dependency anywhere in the codebase.
Removed a dead label parameter in elesync/usb.py.
index.html: use <code> instead of <span> for the install command
(semantics/accessibility).
Strengthened test_empty_query_returns_recent to use explicit
out-of-order timestamps, so the test can no longer pass by accident
regardless of whether ORDER BY actually works.
Renamed test_recall_hides_unscoped_client_nothing to test_unrestricted_client_sees_all — the old name inverted its own
meaning.