This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
+14 more
Affected surfaces
ReleasePort's take
Light signalOpenAPI 3.1 specifications now import cleanly with automatic downgrade to OpenAPI 3.0 equivalents, and parameter schemas coerce string arguments to correct types.
Why it matters: Upgrade to v0.1.24 immediately to benefit from seamless spec imports and reliable type coercion for connector parameters.
Summary
AI summaryOpenAPI 3.1 docs now import cleanly and param schemas coerce strings to numbers/booleans.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
SSRF allowlist editable from admin UI, merges with SSRF_ALLOWED_HOSTS env var SSRF allowlist editable from admin UI, merges with SSRF_ALLOWED_HOSTS env var Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
Public API DTOs expose complete schemas in /api/docs-json endpoint Public API DTOs expose complete schemas in /api/docs-json endpoint Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Connector health check endpoint auto-detected from imported OpenAPI specs Connector health check endpoint auto-detected from imported OpenAPI specs Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Health check test classifies responses with colored UI banners by status Health check test classifies responses with colored UI banners by status Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Tool test endpoint accepts MCP-standard arguments format with backward compatibility Tool test endpoint accepts MCP-standard arguments format with backward compatibility Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Medium |
Failed connector tests include suggested fix link to SSRF allowlist page Failed connector tests include suggested fix link to SSRF allowlist page Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Feature | Low |
Deprecated tools receive a deprecated badge instead of remaining as zombies Deprecated tools receive a deprecated badge instead of remaining as zombies Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Feature | Low |
Public API DTOs are decorated with @ApiProperty, exposing full schemas via /api/docs-json Public API DTOs are decorated with @ApiProperty, exposing full schemas via /api/docs-json Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
| Dependency | Medium |
Database migration adds connectors.healthcheck_path additive, nullable column Database migration adds connectors.healthcheck_path additive, nullable column Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Dependency | Medium |
Database migrations add mcp_tools.operation_id and deprecated_at columns Database migrations add mcp_tools.operation_id and deprecated_at columns Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Re-importing spec preserves operator customizations and full invocation history Re-importing spec preserves operator customizations and full invocation history Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
MCP tool parameter schemas coerce string arguments to correct types MCP tool parameter schemas coerce string arguments to correct types Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
OpenAPI 3.1 docs import cleanly with automatic downgrade to 3.0 equivalents OpenAPI 3.1 docs import cleanly with automatic downgrade to 3.0 equivalents Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
OpenAPI 3.1 documents now import cleanly after downgrading to 3.0 equivalents OpenAPI 3.1 documents now import cleanly after downgrading to 3.0 equivalents Source: granite4.1:30b@2026-05-23-audit Confidence: low |
— |
Full changelog
Six customer-driven fixes from the FastAPI / koch-filesystem-bridge integration:
Connector import / parsing
- #163 — OpenAPI 3.1 docs (FastAPI ≥ 0.100, NestJS modern, spring-doc 3.x, Hono) now import cleanly. Internal normalizer downgrades 3.1-only constructs (`type: [X,'null']`, `anyOf+null`, `const`, `examples` plural, `exclusiveMinimum:`) to their 3.0 equivalents and relabels the document to `3.0.3` so swagger-parser accepts it. `info.summary` stripped defensively.
- #168 — Re-importing a spec no longer wipes operator customisations. Tools are matched by `operationId` first, then `(method, path)`. Custom `responseMapping` and the operator's `isEnabled` toggle survive. Tools removed from upstream get a `deprecated` badge instead of staying as zombies; role assignments and invocation history preserved.
Tool runtime
- #169 — MCP tool param schemas use `z.coerce.*` for `integer` / `number` / `boolean` / `date-time`, so clients that serialize arguments as strings (`{"top_k": "5"}`) pass validation. Coercion still rejects non-coercible strings (`"abc"`).
Test / debug UX
- #165 — `Connector.healthcheckPath` auto-detected from imported OpenAPI specs (`/health`, `/healthz`, `/_health`, `/ping`, `/status`, or first GET with no required params). Editable from the connector detail page. Test response now classifies the result as `ok` / `auth_failed` (401–403) / `not_found` (404 + hint) / `unreachable` (DNS/SSRF/timeout) / `error`. UI banners coloured by kind.
- #162 — All public-API DTOs decorated with `@ApiProperty`. `/api/docs-json` now exposes proper schemas for everything (CreateConnectorDto, LoginDto, ImportToolsDto, …). Tool test endpoint accepts MCP-standard `{ arguments: {...} }` alongside legacy `{ params: {...} }`.
Security / on-prem
- #166 — SSRF allowlist editable from `/admin/settings#ssrf` (global, ADMIN-only). DB-backed list merges with `SSRF_ALLOWED_HOSTS` env var. Failing connector tests due to SSRF carry a `suggestedFix` link straight to the allowlist page.
DB migrations (both additive, nullable, no backfill)
- `connectors.healthcheck_path`
- `mcp_tools.operation_id`, `mcp_tools.deprecated_at`
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About AnythingMCP
All releases →Related context
Beta — feedback welcome: [email protected]