
Releases: thaleslaray/meta-ads-claude-starter

v1.1.0 — Adversarial audit hardening

28 Apr 18:28

Security & compliance hardening release

Result of 2 adversarial audits (/pesquisa Level 3 + manual sweep).

Fixes (9 consolidated commits)

Setup & secrets

  • setup.sh: tokens read with read -s (silent), which does not leak into bash history
  • .env.example: warning against sharing APP_ID/SECRET among students (Cas Smith case, Nov 2025)
  • 3 hardcoded ad account IDs replaced with placeholders

Dependencies

  • fastmcp[code-mode]>=3.2.4 (CVE-2026-32871 SSRF patched)
  • Removed streamlit, fastapi, uvicorn from the MCP core deps (~100MB)
  • pip-audit clean: 0 known vulns in 71 packages

Bugs

  • audit.py:get_write_count_today() now filters kind == "write" (previously it inflated the counter with reads and blocked legitimate writes)

Supply chain

  • .github/workflows/audit.yml: pip-audit weekly + on PRs that touch deps
  • actions/checkout pinned by SHA (defense vs tag-rewrite, TeamPCP March 2026)

Documentation

  • SECURITY.md: threat model + CVE inventory + reporting channel
  • README.md: requires Claude Code ≥2.0.65 (CVE-2025-59536 RCE, CVE-2026-21852 env override)
  • docs/auditoria-adversarial-2026-04-28.md: full audit report

CVEs covered in the stack

| CVE | Component | Patched |
| --- | --- | --- |
| CVE-2026-32871 | FastMCP < 3.2.0 | ≥ 3.2.4 ✓ |
| CVE-2025-59536 | Claude Code < 1.0.111 | ≥ 2.0.65 documented ✓ |
| CVE-2026-21852 | Claude Code env override | ≥ 2.0.65 documented ✓ |
| CVE-2025-69196 | FastMCP OAuth | covered by the pin ✓ |

Smoke test

uvx --from ./mcp-server meta-ads-mcp --help — green

v1.0.1 — Demo-only repositioning

28 Apr 14:26

Patch release clarifying the scope of this repo.

Changes

  • Dashboard is now explicitly DEMO ONLY. Not for daily operations. After App Review approval, real operation happens via Claude Code + MCP `meta-ads-mcp`. You can disable the Vercel deployment after approval.
  • Skill `meta-app-review-approval` is now self-sufficient. Added a Phase 0 with the dashboard blueprint (5 minimum requirements + reference implementation pattern). Anyone reading just the skill can replicate the approval process — they don't need to clone this repo.
  • 5 anti-ban rules added inline to the skill (cross-referenced to `meta-ads-compliance` for full details).
  • docs/04-operacao.md rewritten to remove dashboard from the operational flow.

Migration from v1.0.0

No code changes needed. Just re-read the docs to understand the new positioning:

  • Dashboard = App Review demo (1-time use, then dispose)
  • Operation = Claude Code + MCP (continuous)

v1.0.0 — Initial Release

28 Apr 14:10

First stable release of the Meta Ads + Claude Code starter.

What's included

  • Dashboard (Next.js 15 + FastAPI on Vercel) — genericized, driven by env vars, ready to use as App Review demo
  • 3 skills for Claude Code:
    • meta-ads-compliance — anti-ban rules, error codes, business hours warnings
    • meta-ads-warmup — accumulate API calls while waiting for App Review
    • meta-app-review-approval — full submission workflow with screencast captions
  • MCP meta-ads-mcp pre-configured
  • Docs — 5 markdown files covering setup → deploy → App Review → operation → troubleshooting
  • Templates — App Review description + analyst instructions in pt-BR
  • Scripts — interactive setup.sh, post-approval verify-tier.sh, warmup.py

Quickstart

git clone https://github.com/thaleslaray/meta-ads-claude-starter
cd meta-ads-claude-starter
./scripts/setup.sh
cd dashboard && vercel deploy --prod

Then run claude from the repo root to start using it.

Battle-tested

This formula was approved by Meta App Review in 2 hours on the first try for meta.escoladeautomacao.com.br (Apr 24, 2026).

Requirements

  • Meta Business Manager (verified)
  • App created at developers.facebook.com
  • Node.js 20+
  • Python 3.11+
  • Vercel account (free tier OK)
  • Claude Code installed