Fork Sync Branch develop #2

Open

btl-bot wants to merge 38 commits into BTLzdravtech:develop from jztan:develop

Conversation

btl-bot commented Jul 2, 2026

No description provided.

jztan and others added 30 commits June 27, 2026 10:18
When REDMINE_OAUTH_TEST_TOKEN is stale, introspection returns an empty
scope, which made test_scope_advertising_subset_of_sandbox_scopes fail
with a misleading 'name drift' message. Assert the token is active first
so the real cause (re-mint the bearer) is surfaced.

joserfc 1.3.4 through 1.6.5 fails to apply JWSRegistry.max_payload_length
to RFC 7797 unencoded (b64=false) JWS payloads (CWE-400, uncontrolled
resource consumption); fixed upstream in 1.6.6. joserfc is transitive via
authlib and fastmcp, so add a direct >=1.6.7,<2 floor to pyproject.toml so
the fix reaches PyPI installs, not only the lockfile. Lock resolves 1.7.1.

Reflect the v2.4.0 release (2026-06-27): current version, empty
Unreleased queue, and a Latest release recap covering the demo page,
journal field-change details fix, joserfc CVE floor, and extended
prompt-injection wrapping.

Recast the MCP Prompts (workflow layer) item from a planned
differentiator to parked: no evidence of user demand, thin value-add
over a plain-English request to a strong client model, and only
internal motives. Revisit via a single validation prompt and only if
the MCP Apps track needs workflow definitions.
Drop the duplicated empty-Unreleased clause from Project Status, rename
Next Release to Latest Release and lead with the v2.4.0 recap.

Add a dated gate status to the 2026-07-28 spec track: as of 2026-06-27
the gate is still closed (FastMCP v3.4.1 carries no 2026-07-28 support;
official Python SDK targets beta 2026-06-30, stable 2026-07-27).

Move interactive UI (MCP Apps) out of the vague v3.1+ post-spec list
into its own section. Apps shipped in Jan 2026 and is not gated on the
2026-07-28 spec, so it can proceed in parallel.

Capture the reference-adopter direction, the demand validation in
flight (discussion #168 with five view mockups), and the planned
read-only triage-board first slice with its transport and
app-callback auth unknowns. View breadth stays gated on the #168
signal. Fix cross-references in the gate-status and parked-Prompts
notes.

Add opt-in legacy-per-user auth mode: per-request Redmine API key via
X-Redmine-API-Key header for instances too old for OAuth. Fail-closed
startup attestation, fingerprint-only logging, reachability-only health
probe, optional identity audit.

Replace the four mode write-ups with a decision table plus collapsed
details for the advanced modes, keeping legacy mode visible by default.

Move the OAuth endpoint reference (including POST /revoke) into the
OAuth2 setup guide so nothing removed from the README is left
undocumented, and note the X-Redmine-API-Key requirement for
legacy-per-user clients in the MCP Client Configuration section.

Add an SVG showing the reverse-proxy passthrough flow for
legacy-per-user mode (client sends X-Redmine-API-Key over HTTPS, proxy
terminates TLS and forwards over loopback, the server fail-closes on a
missing or invalid key and runs each request as the user's own Redmine
identity) and embed it under the 'What it is' section.

Adds three features surfaced while reviewing downstream forks:

- tracker field in issue serialization (_issue_to_dict and the selective
  field path) and as a selectable value in the fields parameter of the
  issue listing and search tools; returned by default.
- list_project_trackers: project-scoped tracker discovery, complementing
  the existing instance-wide list_redmine_trackers.
- create_checklist_item (RedmineUP Checklists, gated by
  REDMINE_CHECKLISTS_ENABLED and blocked in read-only mode) and is_section
  exposure in get_checklist output.

The time entry report tool from one fork was evaluated and dropped:
Redmine's TimelogController#report serves only HTML and CSV, so
/time_entries/report.json returns 406 rather than JSON.

Bumps [joserfc](https://github.com/authlib/joserfc) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/authlib/joserfc/releases)
- [Changelog](https://github.com/authlib/joserfc/blob/main/docs/changelog.rst)
- [Commits](authlib/joserfc@1.7.1...1.7.2)

---
updated-dependencies:
- dependency-name: joserfc
  dependency-version: 1.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
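The legacy-per-user commits above describe the server-side contract for that mode (a per-request `X-Redmine-API-Key` header, fail-closed on a missing or invalid key, fingerprint-only logging, and a reachability-only health probe). The following is an added illustration of that contract, written for this page and not code from the project: it checks the header, refuses the request unless the key is well-formed and a caller-supplied validator accepts it, and logs only a SHA-256 prefix of the key. The 40-hex-character key format, the `/health` path and the `validator` callback are assumptions for the example; the validator stands in for whatever check the real server performs against Redmine.

```python
import hashlib
import logging
import re
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

log = logging.getLogger("legacy_per_user_auth")

HEADER = "X-Redmine-API-Key"
# Assumption for this example: Redmine API keys are 40 lowercase hex characters.
KEY_RE = re.compile(r"[0-9a-f]{40}")
FINGERPRINT_LEN = 12


@dataclass(frozen=True)
class AuthResult:
    ok: bool            # True only when the request may proceed
    status: int         # HTTP status the caller should return on rejection
    fingerprint: Optional[str]  # short hash of the key; never the key itself
    reason: str         # human-readable outcome for the audit trail


def key_fingerprint(key: str) -> str:
    """Return a short SHA-256 prefix of the key for logs and audit records."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:FINGERPRINT_LEN]


def authenticate_request(
    headers: Mapping[str, str],
    path: str,
    validator: Callable[[str], bool],
    health_path: str = "/health",
) -> AuthResult:
    """Fail-closed per-request check for legacy-per-user mode.

    Every outcome other than "well-formed key accepted by the validator"
    is a rejection. The health probe is the one unauthenticated path and
    asserts reachability only; it never runs as any Redmine identity.
    """
    if path == health_path:
        return AuthResult(True, 200, None, "health probe: reachability only")

    # Header names are case-insensitive; normalize before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(HEADER.lower())
    if raw is None or not raw.strip():
        log.warning("legacy auth rejected: missing %s", HEADER)
        return AuthResult(False, 401, None, "missing key")

    key = raw.strip()
    fp = key_fingerprint(key)
    if not KEY_RE.fullmatch(key):
        # Log the fingerprint, not the value, so a mistyped secret is not persisted.
        log.warning("legacy auth rejected: malformed key fp=%s", fp)
        return AuthResult(False, 401, fp, "malformed key")

    if not validator(key):
        log.warning("legacy auth rejected: key not accepted fp=%s", fp)
        return AuthResult(False, 401, fp, "rejected by redmine")

    log.info("legacy auth accepted fp=%s", fp)
    return AuthResult(True, 200, fp, "accepted; run as the key owner's identity")


if __name__ == "__main__":
    # Constructed demo: a validator that knows exactly one constructed key.
    demo_key = "0123456789abcdef" * 2 + "01234567"  # 40 hex chars, constructed
    demo_validator = lambda k: k == demo_key
    for hdrs, path in [
        ({}, "/health"),
        ({}, "/mcp"),
        ({"x-redmine-api-key": "not-a-key"}, "/mcp"),
        ({HEADER: demo_key}, "/mcp"),
    ]:
        print(path, authenticate_request(hdrs, path, demo_validator))
```

Two design points worth keeping when adapting this: the fingerprint is computed once and reused for every log line, so an operator can correlate a rejection with a later acceptance of the same key without the key ever appearing in a log, and the health path returns no identity at all, which is what keeps a probe from being mistaken for an authenticated request.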

sireko left a comment

Auto approved

3 participants