Skip to content

v0.7.0 — candidate-safety tools + rmcp 2.0 / quick-xml 0.41

Latest

Choose a tag to compare

@fastrevmd-lab fastrevmd-lab released this 04 Jul 03:06
b6ae5e5

First tagged rust-junosmcp release since v0.6.3. Tool surface 15 → 17.

Added

  • commit_check_config (#95) — non-destructive commit check: loads a candidate, returns {success, diff, error?}, then discards it. Never activates config. Own token scope (least-privilege). 15 → 16.
  • discard_candidate (#107) — discard uncommitted candidate changes (rollback 0) to recover a candidate left dirty ("configuration database modified"). Never changes the running config. Own token scope. 16 → 17.
  • junos_config_diff (#108) — when the on-box config won't parse for the current mode (e.g. after a chassis-cluster change), the raw parse error now carries an actionable hint instead of leaving the caller blind.

Security

  • rmcp 0.8.5 → 2.0.0, closing RUSTSEC-2026-0189 (DNS rebinding in the Streamable HTTP transport). The transport now enforces a Host allowlist (default: loopback only). New flags --allowed-host <HOST> (repeatable) and --disable-host-check. Off-loopback deployments MUST pass --allowed-host for their LAN authority or clients receive HTTP 403.
  • quick-xml 0.36 → 0.41 (+ rustez 0.12.1 / rustnetconf 0.12.3), closing RUSTSEC-2026-0194 / RUSTSEC-2026-0195 (quick-xml DoS). JTAC-bundle redaction now suppresses quick-xml 0.41 GeneralRef entity events inside redacted elements — a bare version bump would have leaked entity fragments of secrets.

Full changelog: https://github.com/fastrevmd-lab/RustJunosMCP/blob/main/CHANGELOG.md
Diff: v0.6.3...v0.7.0