Fork Sync Branch develop#2
Open
btl-bot wants to merge 38 commits into
When REDMINE_OAUTH_TEST_TOKEN is stale, introspection returns an empty scope, which made test_scope_advertising_subset_of_sandbox_scopes fail with a misleading 'name drift' message. Assert the token is active first so the real cause (re-mint the bearer) is surfaced.
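The ordering the commit above describes, as an added example that is not the project's own test code: an RFC 7662 introspection response for a dead token carries only `active: false` and no `scope`, so the `active` check has to run before any scope comparison or the failure is reported as scope drift. The function name, the exception class and the two sample introspection responses are constructed for illustration.

```python
"""Added example (not the project's test): check RFC 7662 `active` before comparing scopes."""
from typing import Any, Mapping


class InactiveToken(AssertionError):
    """The bearer behind REDMINE_OAUTH_TEST_TOKEN is stale; re-mint it."""


def advertised_scopes_subset(introspection: Mapping[str, Any], sandbox_scopes: set[str]) -> set[str]:
    """Return the introspected scope set, or raise with the real cause.

    RFC 7662 only guarantees `scope` on an active token; an inactive one may be
    just {"active": false}, which would otherwise read as an empty scope set.
    """
    if not introspection.get("active", False):
        raise InactiveToken("REDMINE_OAUTH_TEST_TOKEN is not active: re-mint the bearer")
    scopes = set(introspection.get("scope", "").split())
    drift = scopes - sandbox_scopes
    if drift:
        raise AssertionError(f"scope name drift: {sorted(drift)} not in sandbox scopes")
    return scopes


# Constructed sample responses (not captured from a real Redmine/OAuth server).
STALE_INTROSPECTION = {"active": False}
FRESH_INTROSPECTION = {"active": True, "scope": "issues:read projects:read"}
SANDBOX_SCOPES = {"issues:read", "issues:write", "projects:read"}

if __name__ == "__main__":
    print(sorted(advertised_scopes_subset(FRESH_INTROSPECTION, SANDBOX_SCOPES)))
    try:
        advertised_scopes_subset(STALE_INTROSPECTION, SANDBOX_SCOPES)
    except InactiveToken as exc:
        print("stale:", exc)
```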
joserfc 1.3.4 through 1.6.5 fails to apply JWSRegistry.max_payload_length to RFC 7797 unencoded (b64=false) JWS payloads (CWE-400, uncontrolled resource consumption); fixed upstream in 1.6.6. joserfc is transitive via authlib and fastmcp, so add a direct >=1.6.7,<2 floor to pyproject.toml so the fix reaches PyPI installs, not only the lockfile. Lock resolves 1.7.1.
Reflect the v2.4.0 release (2026-06-27): current version, empty Unreleased queue, and a Latest release recap covering the demo page, journal field-change details fix, joserfc CVE floor, and extended prompt-injection wrapping. Recast the MCP Prompts (workflow layer) item from a planned differentiator to parked: no evidence of user demand, thin value-add over a plain-English request to a strong client model, and only internal motives. Revisit via a single validation prompt and only if the MCP Apps track needs workflow definitions.
Drop the duplicated empty-Unreleased clause from Project Status, rename Next Release to Latest Release and lead with the v2.4.0 recap. Add a dated gate status to the 2026-07-28 spec track: as of 2026-06-27 the gate is still closed (FastMCP v3.4.1 carries no 2026-07-28 support; official Python SDK targets beta 2026-06-30, stable 2026-07-27).
Move interactive UI (MCP Apps) out of the vague v3.1+ post-spec list into its own section. Apps shipped in Jan 2026 and is not gated on the 2026-07-28 spec, so it can proceed in parallel. Capture the reference-adopter direction, the demand validation in flight (discussion #168 with five view mockups), and the planned read-only triage-board first slice with its transport and app-callback auth unknowns. View breadth stays gated on the #168 signal. Fix cross-references in the gate-status and parked-Prompts notes.
Add opt-in legacy-per-user auth mode: per-request Redmine API key via X-Redmine-API-Key header for instances too old for OAuth. Fail-closed startup attestation, fingerprint-only logging, reachability-only health probe, optional identity audit.
Replace the four mode write-ups with a decision table plus collapsed details for the advanced modes, keeping legacy mode visible by default. Move the OAuth endpoint reference (including POST /revoke) into the OAuth2 setup guide so nothing removed from the README is left undocumented, and note the X-Redmine-API-Key requirement for legacy-per-user clients in the MCP Client Configuration section.
Add an SVG showing the reverse-proxy passthrough flow for legacy-per-user mode (client sends X-Redmine-API-Key over HTTPS, proxy terminates TLS and forwards over loopback, the server fail-closes on a missing or invalid key and runs each request as the user's own Redmine identity) and embed it under the 'What it is' section.
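The fail-closed request path behind the legacy-per-user mode and the proxy flow above, as an added example that is not the project's own code: the client's X-Redmine-API-Key header is required, validated before Redmine is contacted, and only a SHA-256 fingerprint of it ever reaches a log line. The header name comes from the commit messages; the 40-hex-character key format, the loopback-only startup rule, the `FAKE_KEYS` store standing in for Redmine's key lookup, and every function name here are assumptions for illustration.

```python
"""Added example (not the project's code): fail-closed per-request auth for a
legacy-per-user mode, with fingerprint-only logging and a startup attestation."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

HEADER = "x-redmine-api-key"            # header name from the commit message, matched case-insensitively
KEY_RE = re.compile(r"[0-9a-f]{40}")    # assumption: Redmine API keys are 40 lowercase hex characters


class AuthError(Exception):
    """Any missing, malformed or rejected key; the request must not proceed."""


@dataclass(frozen=True)
class Identity:
    login: str          # the Redmine user this request runs as
    fingerprint: str    # log-safe key identifier; the raw key is never stored or logged


def fingerprint(key: str) -> str:
    """First 12 hex chars of SHA-256(key): enough to correlate log lines, useless for replay."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


# Constructed key store standing in for Redmine (in production this would be a
# call to Redmine with the presented key, e.g. GET /users/current.json).
FAKE_KEYS = {
    "a" * 40: "alice",
    "0123456789abcdef0123456789abcdef01234567": "bob",
}


def verify_key_offline(key: str) -> Optional[str]:
    """Constant-time comparison so a rejected key does not leak how much of it matched."""
    for stored, login in FAKE_KEYS.items():
        if hmac.compare_digest(stored.encode(), key.encode()):
            return login
    return None


def authenticate(headers: Mapping[str, str], verify: Callable[[str], Optional[str]]) -> Identity:
    """Fail closed: every path other than 'present, well-formed and accepted' raises."""
    key = next((v.strip() for k, v in headers.items() if k.lower() == HEADER), None)
    if not key:
        raise AuthError("missing X-Redmine-API-Key")
    if not KEY_RE.fullmatch(key):
        # Reject before contacting Redmine; the message carries only the fingerprint.
        raise AuthError(f"malformed X-Redmine-API-Key fp={fingerprint(key)}")
    login = verify(key)
    if login is None:
        raise AuthError(f"rejected X-Redmine-API-Key fp={fingerprint(key)}")
    return Identity(login=login, fingerprint=fingerprint(key))


def startup_allowed(mode: str, bind_host: str) -> bool:
    """Assumed attestation rule: legacy-per-user mode only starts bound to loopback,
    because the key travels in a plain header and TLS is the reverse proxy's job."""
    if mode != "legacy-per-user":
        return True
    return bind_host in ("127.0.0.1", "::1", "localhost")


if __name__ == "__main__":
    assert startup_allowed("legacy-per-user", "127.0.0.1"), "refusing to start on a non-loopback bind"
    who = authenticate({"X-Redmine-API-Key": "a" * 40}, verify_key_offline)
    print(f"request runs as {who.login} (key fp={who.fingerprint})")
    for bad in ({}, {"X-Redmine-API-Key": "not-a-key"}, {"X-Redmine-API-Key": "b" * 40}):
        try:
            authenticate(bad, verify_key_offline)
        except AuthError as exc:
            print("denied:", exc)
```

The fingerprint is the only key-derived value that leaves `authenticate`, so an identity audit can still correlate requests from the same key without the log becoming a credential store.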
Adds three features surfaced while reviewing downstream forks:
- tracker field in issue serialization (_issue_to_dict and the selective field path) and as a selectable value in the fields parameter of the issue listing and search tools; returned by default.
- list_project_trackers: project-scoped tracker discovery, complementing the existing instance-wide list_redmine_trackers.
- create_checklist_item (RedmineUP Checklists, gated by REDMINE_CHECKLISTS_ENABLED and blocked in read-only mode) and is_section exposure in get_checklist output.
The time entry report tool from one fork was evaluated and dropped: Redmine's TimelogController#report serves only HTML and CSV, so /time_entries/report.json returns 406 rather than JSON.
Bumps [joserfc](https://github.com/authlib/joserfc) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.7.1...1.7.2)
---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
chore(deps): bump joserfc from 1.7.1 to 1.7.2
sireko approved these changes on Jul 2, 2026
No description provided.