buildepicshit/Wick

v1.0.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1mo MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

ai-tools c# debugging diagnostics .net exception-handling
game-development godot godot-engine godot4 mcp mcp-server model-context-protocol roslyn

Affected surfaces

auth

Summary

AI summary

First stable release of Wick with a new in-process bridge auth requiring a shared-secret token.

Full changelog

First stable release. Wick.Runtime is now on NuGet: https://www.nuget.org/packages/Wick.Runtime/1.0.0

dotnet add package Wick.Runtime

Closes the post-v0.5 external engineering audit (canonical report at analysis/reports/Wick-analysis.md). 1 P0 + every P1 + most P2/P3 resolved in PR #54 + #55. 240/240 tests passing on ubuntu/windows/macos. 0 warnings.

Highlights

New

  • Wick.Runtime 1.0.0 on nuget.org — the in-process companion that catches AppDomain.UnhandledException + TaskScheduler.UnobservedTaskException and exposes live scene state to the MCP server. dotnet add package Wick.Runtime.
  • In-process bridge auth: WickBridgeServer now requires a 256-bit shared-secret token on every request (constant-time compare, env-propagated to spawned games via WICK_BRIDGE_TOKEN). WICK_BRIDGE_AUTH_DISABLED=1 for migration.
  • Cross-OS CI: ubuntu-latest, windows-latest, macos-latest matrix with NuGet cache + TRX artifact upload.
  • Tag-driven NuGet release pipeline — push a vX.Y.Z tag, package ships.

Fixed

  • GodotBridgeManager.GetSceneContext() was hardcoded to return null, breaking the headline demo claim. Now async, queries editor_scene_tree with a 1.5s bounded timeout.
  • runtime_launch_game previously silent-failed when WICK_GODOT_BIN was unset; now preflights and surfaces a structured godot_binary_not_found response. runtime_status exposes the resolved binary path.
  • docs/tools-reference.md was advertising ~70% wrong tool names — fully regenerated from DefaultToolGroups.cs.
  • docs/getting-started.md documented WickRuntime.Initialize() (does not exist) and omitted the required Tick() call. Replaced with the canonical example.
  • Verbose JSON-RPC tracing (every frame including file contents) was always-on to stderr; now defaults off, opt-in via WICK_RPC_TRACE.
  • Content-Length capped at 16 MiB in CSharpLspClient + GodotDapClient (was unbounded → OOM-by-peer).
  • Windows-CI flake in ExceptionPipelineTests (fixed Task.Delay replaced with poll-until-ready).

Removed

  • Legacy Wick.sln (only registered 2 of 6 source projects).

Security

  • New explicit threat model in SECURITY.md — in-scope vs out-of-scope, with the in-process bridge auth in scope and GDScript-side editor / runtime bridges (ports 6505 / 7777) on the v1.x roadmap.

Full changelog

See CHANGELOG.md.

Compatibility

  • Wick.Runtime targets net8.0 (Godot 4.6.1 mono runtime constraint).
  • Wick MCP server targets net10.0.

Breaking Changes

  • Legacy `Wick.sln` removed
  • `WickBridgeServer` now requires a 256‑bit shared‑secret token (`WICK_BRIDGE_TOKEN`) on every request; disable with `WICK_BRIDGE_AUTH_DISABLED=1` during migration

Security Fixes

  • In‑process bridge auth now uses constant‑time comparison of a 256‑bit shared‑secret token (`WICK_BRIDGE_TOKEN`), mitigating authentication bypass (explicitly scoped in updated SECURITY.md)
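
The shared-secret check described above, sketched as an added example that is not Wick's own code. Only the environment variable names `WICK_BRIDGE_TOKEN` and `WICK_BRIDGE_AUTH_DISABLED` come from the release notes; the `BridgeAuth` class, its method names and the hex encoding of the token are assumptions.

```csharp
// Added illustration, not Wick's source. BridgeAuth, its methods and the hex
// token encoding are hypothetical; only the two env var names are from the page.
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Text;

public static class BridgeAuth
{
    public const string TokenVar = "WICK_BRIDGE_TOKEN";
    public const string DisableVar = "WICK_BRIDGE_AUTH_DISABLED";

    // 32 bytes from the OS CSPRNG = 256 bits, hex-encoded so it fits in an env var.
    public static string NewToken() => Convert.ToHexString(RandomNumberGenerator.GetBytes(32));

    // Pass the token to the spawned game through its environment,
    // keeping it off the command line.
    public static ProcessStartInfo WithToken(ProcessStartInfo psi, string token)
    {
        psi.UseShellExecute = false; // per-process environment needs direct process creation
        psi.Environment[TokenVar] = token;
        return psi;
    }

    // Fail closed: a missing or empty expected token rejects every request
    // unless the migration switch is explicitly "1".
    public static bool IsAuthorized(string? presented, string? expected, string? disableFlag)
    {
        if (disableFlag == "1") return true;
        if (string.IsNullOrEmpty(expected) || presented is null) return false;
        // Hash both sides so the compared buffers are always 32 bytes, then compare
        // without early exit so timing does not reveal how many leading bytes matched.
        byte[] a = SHA256.HashData(Encoding.UTF8.GetBytes(presented));
        byte[] b = SHA256.HashData(Encoding.UTF8.GetBytes(expected));
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}

public static class Demo
{
    public static void Main()
    {
        string token = BridgeAuth.NewToken(); // constructed sample token
        string? off = Environment.GetEnvironmentVariable(BridgeAuth.DisableVar);
        Console.WriteLine(BridgeAuth.IsAuthorized(token, token, off));   // matching token
        Console.WriteLine(BridgeAuth.IsAuthorized("guess", token, off)); // wrong token
        Console.WriteLine(BridgeAuth.IsAuthorized(token, "", off));      // server has no token
    }
}
```

With `WICK_BRIDGE_AUTH_DISABLED=1` set, every call in this sketch returns true, which is why the switch belongs only in a migration window.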

About buildepicshit/Wick

Native C# MCP server for Godot Engine — 53 tools across 5 pillars: Roslyn-enriched exception telemetry, scene tree inspection, C# symbol navigation, MSBuild orchestration, and GDScript analysis. .NET 10, TCP JSON-RPC bridge, 219 tests.
