Conversation
- 🐛 fix: stop reflecting unsanitized MCP-Protocol-Version header in error responses
- 🐛 fix: strip redis details from unauthenticated /auth/info
- 🐛 fix: warn at startup when CORS wildcard is combined with auth mode none
- 🐛 fix: only send HSTS when TLS is enabled
- 🔄 refactor: extract getMcpProtocolVersion helper and shared isRecord type guard
- 🔄 refactor: lazy-load redis client to cut serverless cold-start weight

- …vice
- 🐛 fix: store SHA-256 digests instead of plaintext API keys in service-cache map keys
- 🐛 fix: route health checks through BaseService (restores SSRF validation + error parsing)
- 🔄 refactor: drop redundant shared HealthService cache
- 🔄 refactor: validate PORTKEY_BASE_URL once instead of per-subclass
- ✨ feat: pagination params on virtual-key/config/user/invite list services
- 🔄 refactor: cap internal prompt lookups with page_size in migrate/promote

- ✨ feat: current_page/page_size on virtual-key, config, user, invite, and MCP-server list tools
- ✨ feat: surface has_more on MCP-server capability/user-access lists
- 🐛 fix: schema-level validation for create_api_key workspace requirement
- 🐛 fix: integration config builder no longer drops empty-string values
- 📝 docs: warn that create_api_key secret lands in MCP transcripts
- 🔄 refactor: dedupe formatFullName and analytics schemas, drop dead guards and casts
- 📝 docs: explain SDK overload probing in tool registration internals

- 🔄 refactor: drop 2-space pretty-printing across ~157 tool response sites (~15-25% fewer response tokens)

- 🧪 test: unit coverage for 13 previously untested tool modules
- 🧪 test: clerk auth mode, DELETE /mcp and SSE GET /mcp branches
- 🧪 test: abort/timeout, upstream-error propagation, query-string and pagination edges
- 🧪 test: workspaces/users contract schemas and fixtures
- 🔧 config: guard smoke tests against CI, stale-build check for e2e

- 📝 docs: pagination params and response changes in README/ENDPOINTS
- 📝 docs: security posture updates and audit follow-up
- 📝 docs: changelog entry for review-driven changes

- 📝 docs: README marks HTTP transport as PoC with no hosted version
- 📝 docs: Vercel guide framed as self-deploy reference, hosting not a goal

- 🔧 config: bump version to 0.3.7 in package.json, lockfile, server.json
- 📝 docs(changelog): correct inaccurate 0.3.7 entries (HSTS direction, pagination tool list, integration empty-string fix) and date the release

- ✨ feat: auto-tag workflow tags vX.Y.Z when package.json version lands on main
- ✨ feat: publish-npm job via OIDC trusted publishing with provenance (no stored token)
- 🔧 config: registry publish now runs after npm publish, removing the wait
- 📝 docs: rewrite RELEASE.md for the automated flow + one-time npm setup
Summary
Full four-domain code review (security / performance / quality / testing) of the MCP server, with every actionable finding fixed, plus automated release infrastructure.
Security
- MCP-Protocol-Version header in error responses
- /auth/info
- BaseService (restores SSRF validation + error parsing)

Features
- current_page/page_size on six previously unpaginated list tools; has_more surfaced on MCP-server lists
- create_api_key + secret-exposure warning in its description

Performance
- redis import (cold-start weight)

Tests
- DELETE /mcp + SSE GET /mcp, abort/error-propagation paths, contract schemas + live fixtures for workspaces/users
- list_all_users param crash)

Release automation
- auto-tag.yml: tags vX.Y.Z automatically when a version bump lands on main and dispatches the Release workflow
- publish-npm job: OIDC trusted publishing with provenance — no stored npm token (trusted publisher already configured on npmjs.com)
- npm run ci

Docs

Verification
- npm run ci green on final HEAD (lint, knip, typecheck, 253 tests, build, 16 e2e, README tool inventory)
- .env confirmed never committed

Merging this PR auto-cuts the v0.3.7 release (tag → CI → npm publish with provenance → GitHub Release → MCP Registry).