
buildepicshit/Wick

v0.5.0 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 1mo MCP Developer Tools
✓ No known CVEs patched

Topics

ai-tools c# debugging diagnostics .net exception-handling
game-development godot godot-engine godot4 mcp mcp-server model-context-protocol roslyn

Affected surfaces

rce_ssrf breaking_upgrade

Summary

AI summary

Schema-honesty breaking change: SceneTools and GodotTools now throw McpException on errors instead of returning fake nodes or string envelopes.

Full changelog

First tagged release following the phase-3 engineering-excellence + OSS launch audit.

32/32 audit issues closed across 9 PRs (#43–#52). Highlights:

  • Honesty-of-surface: removed `sharp-peak` DAP leak, hardcoded `EditorConnected: false`, stub `SceneContext`, dead `BridgeExceptionSource`, and `TestResultParser` phantom capability. Tool catalog now matches what the MCP SDK actually registers (guarded by a drift-detection test).
  • Schema honesty (wire-breaking): `SceneTools` + `GodotTools` throw `McpException` on errors instead of returning fake "(error)" nodes or `{error:"..."}` string envelopes.
  • Security sprint: bounded stdout/stderr in `DotNetCli` (no OOM via malicious csproj), subprocess args migrated to `ProcessStartInfo.ArgumentList`, scene path + extra-args validation rejects `--script`-style RCE paths, `scene_load_resource` validates `res://` prefix, bridge handler error messages scrubbed.
  • Type design: `BridgeResponse` is a sealed discriminated union; `BuildSeverity`/`BuildTarget`/`WickBridgeErrorCode` are real enums; analyzer DTOs expose only `IReadOnlyList` / `IReadOnlyDictionary<,>`.
  • Lifecycle & logging: narrowed bare catches across the transport layer, `ILogger` replaces `Console.Error.WriteLine` in the bridge plumbing, LSP/DAP clients dispose on process exit.
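
The security-sprint item above combines three defenses: argv-based launch through `ProcessStartInfo.ArgumentList`, validation of the scene path and extra arguments, and bounded capture of child output. The C# below is an added example, not Wick's own code; the `GodotLaunch` class, the allowlist contents, the `..` check, the 1 Mi-character cap and the launch shape (`--path <dir>`, then the scene as the last argument) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Threading.Tasks;

static class GodotLaunch // hypothetical helper, not a Wick type
{
    // Assumed allowlist; the release notes name only --script-style values as rejected.
    static readonly HashSet<string> AllowedExtraArgs = new(StringComparer.Ordinal) { "--headless", "--verbose" };
    const int MaxCapturedChars = 1 << 20; // assumed cap per stream

    public static void ValidateScenePath(string scenePath)
    {
        // Requiring the res:// prefix also rejects values starting with '-', which the
        // engine would parse as options. The ".." check is an added assumption.
        if (scenePath is null || !scenePath.StartsWith("res://", StringComparison.Ordinal) || scenePath.Contains(".."))
            throw new ArgumentException("scene path must be a res:// path inside the project", nameof(scenePath));
    }

    public static ProcessStartInfo BuildStartInfo(string godotExe, string projectDir, string scenePath, IEnumerable<string> extraArgs)
    {
        ValidateScenePath(scenePath);
        var psi = new ProcessStartInfo(godotExe) { RedirectStandardOutput = true, RedirectStandardError = true, UseShellExecute = false };
        // Each ArgumentList entry becomes exactly one argv element; nothing is re-split on spaces or quotes.
        psi.ArgumentList.Add("--path");
        psi.ArgumentList.Add(projectDir);
        foreach (var arg in extraArgs)
        {
            if (!AllowedExtraArgs.Contains(arg))
                throw new ArgumentException("extra argument is not on the allowlist", nameof(extraArgs));
            psi.ArgumentList.Add(arg);
        }
        psi.ArgumentList.Add(scenePath);
        return psi;
    }

    // Keeps at most MaxCapturedChars but drains to EOF so the child never blocks on a full pipe.
    public static async Task<string> ReadBoundedAsync(StreamReader reader)
    {
        var sb = new StringBuilder();
        var buf = new char[4096];
        int n;
        while ((n = await reader.ReadAsync(buf, 0, buf.Length)) > 0)
            if (sb.Length < MaxCapturedChars)
                sb.Append(buf, 0, Math.Min(n, MaxCapturedChars - sb.Length));
        return sb.ToString();
    }
}
```

Call `ReadBoundedAsync` on `StandardOutput` and `StandardError` concurrently (for example with `Task.WhenAll`) so neither pipe fills while the other is being read.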

Full triage: `docs/planning/2026-04-16-phase-3-audit-findings.md`.

Tests: 220/220 green (208 unit + 12 integration), 0 warnings, 0 errors.

Version: sourced from `Directory.Build.props`; MCP server reads it from the assembly at startup.

Versioning note

This release supersedes a briefly-pushed `v0.4.0` tag that was removed when we caught a version-conflation error — the pre-existing CHANGELOG `[0.4.0]` entry was for Phase 1 feature completeness (2026-04-12); this audit introduces wire-breaking schema-honesty changes and warrants the minor bump.

Carried forward for v1.0 prep

  • `SymbolKind` enum (audit #34 secondary — spans 3 distinct closed-set domains)
  • Full wire-shape discriminated unions for the four MCP-facing result types (`SceneModifyResult`, `LaunchGameResult`, `StopGameResult`, `RuntimeQueryResult`) — intentional wire-break deferred to v1.0

Breaking Changes

  • SceneTools and GodotTools throw McpException on errors instead of returning fake '(error)' nodes or '{error:"..."}' string envelopes.


About buildepicshit/Wick

Native C# MCP server for Godot Engine — 53 tools across 5 pillars: Roslyn-enriched exception telemetry, scene tree inspection, C# symbol navigation, MSBuild orchestration, and GDScript analysis. .NET 10, TCP JSON-RPC bridge, 219 tests.
