security: Upgrade fastmcp 3.1.1 → 3.2.0 (CVE-2026-32871)

[williajm]

Summary

• Upgrades fastmcp from 3.1.1 to 3.2.0 to resolve CVE-2026-32871 / GHSA-vv7q-7jx5-f767 (SSRF & Path Traversal in OpenAPI Provider)
• This repo doesn't use the vulnerable OpenAPIProvider feature, but 3.2.0 includes a broader security hardening pass (restricted $ref resolution, path traversal prevention in skill downloads, JWT algorithm fixes, PyJWT upgrade for CVE-2026-32597)

Test plan

• CI passes
• Verify MCP server starts and tools register correctly

🤖 Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

🧪 Test Results for a5f643c

Summary

✅ All tests passed!

Test Suite	Status	Passed	Failed	Skipped	Duration
Unit Tests - Python 3.11	✅	966	0	0	14s
Unit Tests - Python 3.14	✅	966	0	0	15s
Unit Tests - Python 3.13	✅	966	0	0	15s
Unit Tests - Python 3.12	✅	966	0	0	15s
Integration	✅	5	0	0	0s
E2E	✅	29	0	0	38s

| Total | ✅ | 3898 | 0 | 0 | - |

📊 Coverage

Coverage reports are available in the workflow artifacts.

📦 Download Reports

• Coverage HTML Report (Python 3.11)
• Coverage HTML Report (Python 3.12)
• Coverage HTML Report (Python 3.13)
• Coverage HTML Report (Python 3.14)
• Test Results (JUnit XML)

---

📊 View Full Report |
📝 All Checks