This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+14 more
Affected surfaces
Summary
AI summaryUpdates Schema & migration, Engine improvements, and New across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | High |
Sorare Fantasy Football adapter with 18 tools and bcrypt-salted login, JWT caching ~30 days. Sorare Fantasy Football adapter with 18 tools and bcrypt-salted login, JWT caching ~30 days. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high |
— |
| Feature | High |
New LOGIN_TOKEN AuthType for declarative bcrypt-style sign-in handshakes. New LOGIN_TOKEN AuthType for declarative bcrypt-style sign-in handshakes. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high |
— |
| Feature | High |
GraphQL schema-slicing proxy automatically added to every GraphQL connector. GraphQL schema-slicing proxy automatically added to every GraphQL connector. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high |
— |
| Feature | High |
Adds Sorare Fantasy Football adapter with 18 tools, bcrypt‑salted login, JWT cached ~30 days. Adds Sorare Fantasy Football adapter with 18 tools, bcrypt‑salted login, JWT cached ~30 days. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Feature | High |
Introduces LOGIN_TOKEN AuthType for declarative bcrypt‑style sign‑in handshakes. Introduces LOGIN_TOKEN AuthType for declarative bcrypt‑style sign‑in handshakes. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Feature | High |
Automatically adds GraphQL schema‑slicing proxy to every GRAPHQL connector, providing five helper tools. Automatically adds GraphQL schema‑slicing proxy to every GRAPHQL connector, providing five helper tools. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Feature | Low |
Provides five multilingual MDX guides for Sorare integration on the marketing site and corresponding Markdown guides in docs/guides/ for discoverability. Provides five multilingual MDX guides for Sorare integration on the marketing site and corresponding Markdown guides in docs/guides/ for discoverability. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Dependency | Low |
McpServerModule now includes LoginTokenService as a provider to fix cloud downtime issue. McpServerModule now includes LoginTokenService as a provider to fix cloud downtime issue. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: low |
— |
| Performance | Low |
GraphqlEngine learns static and schema methods for improved handling of GraphQL operations. GraphqlEngine learns static and schema methods for improved handling of GraphQL operations. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high |
— |
| Performance | Low |
GraphqlEngine gains static and schema methods for more efficient GraphQL operation handling. GraphqlEngine gains static and schema methods for more efficient GraphQL operation handling. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Bugfix | Medium |
Fixed sale-offer prices showing zero by querying receiverSide.amounts instead of senderSide.amounts. Fixed sale-offer prices showing zero by querying receiverSide.amounts instead of senderSide.amounts. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high |
— |
| Bugfix | Medium |
Corrected several Sorare query field names against the production SDL. Corrected several Sorare query field names against the production SDL. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high |
— |
| Bugfix | Medium |
Fixes sale‑offer prices showing zero by querying receiverSide.amounts instead of senderSide.amounts in sorare_live_sale_offers and sorare_get_card_by_slug. Fixes sale‑offer prices showing zero by querying receiverSide.amounts instead of senderSide.amounts in sorare_live_sale_offers and sorare_get_card_by_slug. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Bugfix | Medium |
Corrects several Sorare query field names to match the production SDL. Corrects several Sorare query field names to match the production SDL. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Bugfix | Medium |
Ensures McpServerModule registers LoginTokenService as a provider, resolving cloud downtime after PR #199. Ensures McpServerModule registers LoginTokenService as a provider, resolving cloud downtime after PR #199. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Refactor | Low |
AuthType enum gains LOGIN_TOKEN; new ConnectorAuthCache model added in Prisma migration. AuthType enum gains LOGIN_TOKEN; new ConnectorAuthCache model added in Prisma migration. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: high |
— |
| Refactor | Low |
Adds LOGIN_TOKEN enum value to AuthType and introduces ConnectorAuthCache model via Prisma migration. Adds LOGIN_TOKEN enum value to AuthType and introduces ConnectorAuthCache model via Prisma migration. Source: granite4.1:30b@2026-05-19-audit Confidence: high |
— |
| Other | Low |
Added five Sorare integration guides and login-token-auth documentation. Added five Sorare integration guides and login-token-auth documentation. Source: granite4.1:8b-q6_K@2026-05-19 Confidence: low |
— |
Full changelog
First release that ships a full GraphQL story end-to-end. The Sorare Fantasy Football adapter lands, the new `LOGIN_TOKEN` AuthType lets adapters describe any bcrypt-style sign-in handshake declaratively, and every GraphQL connector — catalog or user-created — now gets a server-side schema-slicing proxy baked in so agents can drive APIs whose introspection is disabled or whose SDL is too large for the context window.
New: Sorare Fantasy Football adapter (18 tools)
Built-in adapter for Sorare's GraphQL API. Bcrypt-salted login, JWT cached for ~30 days, automatic re-issue 24 h before expiry and on any 401. Featured on the homepage with `priority: 100`.
Tools (live-audited against api.sorare.com with real credentials, 17/19 happy-path pass, the two remaining are deliberate NOT_FOUND probes against fake IDs):
- Identity & wallet: `sorare_current_user`, `sorare_wallet_balance`, `sorare_my_trophies_summary`, `sorare_user_by_slug`
- Cards & inventory: `sorare_list_my_cards`, `sorare_get_card_by_slug`, `sorare_list_player_cards`
- Players & form: `sorare_search_player`, `sorare_player_recent_scores`, `sorare_player_floor_price`
- Market & auctions: `sorare_live_sale_offers`, `sorare_token_prices`, `sorare_get_auction`, `sorare_get_lineup`
- Generic GraphQL escape hatch (auto-injected for every GraphQL connector): `sorare_graphql_schema_url`, `sorare_graphql_schema`, `sorare_graphql_query`, `sorare_graphql_mutation`, `sorare_graphql_subscription`
Five multilingual MDX guides for the marketing site (en/de/it × ChatGPT/Claude/OpenClaw/generic MCP) plus five SEO-targeted Markdown guides under `docs/guides/` so GitHub Search surfaces `sorare-to-mcp`, `connect-sorare-to-claude`, `connect-sorare-to-chatgpt`, `connect-sorare-to-openclaw`, `connect-sorare-to-cloud`.
New: `LOGIN_TOKEN` AuthType
A declarative spec for APIs that POST credentials → receive a long-lived bearer, optionally with client-side bcrypt against a salt fetched from the upstream. Adapter authors describe the entire flow in JSON; no per-provider code.
The shared `LoginTokenService` handles salt fetch → bcrypt → `signIn` → token cache (in-memory + AES-256-GCM-encrypted DB row in the new `connector_auth_cache` table) → proactive refresh ≥ 24 h before expiry → forced re-login on 401, all behind a per-key mutex.
Wired into both the REST and GraphQL engines (`injectAuth` + 401-retry path). Field-by-field reference: `docs/connectors/login-token-auth.md`.
New: GraphQL schema-slicing proxy — every GraphQL connector, automatically
Every connector of type `GRAPHQL` — both catalog adapters and user-created connectors — automatically receives five generic helper tools at creation time:
| Tool | What it does |
|---|---|
| `_graphql_schema_url` | Returns the URL of the SDL. |
| `_graphql_schema` | Proxy + filter the SDL through the MCP server. Default = compact summary (~20–30 KB), `type: "X"` = one type's full definition (~1–5 KB), `search: "keyword"` = matching type blocks, `full: true` = entire SDL. Solves both "introspection is disabled in production" and "the SDL is 200 K tokens". |
| `_graphql_query` / `_mutation` / `_subscription` | Execute arbitrary GraphQL operations; the document and variables are tool params. |
Catalog adapters get them via `adapters/catalog.ts.withGraphqlBuiltins`; user-created connectors get them via `connectors.controller.ts`, parallel to the existing DATABASE auto-tools logic.
The `GraphqlSchemaService` caches the SDL per URL for 24 h and parses block boundaries with a tiny line-based scanner — no full GraphQL parser dependency.
Engine improvements
- `GraphqlEngine` learns `method: "static"` (return `endpointMapping.path` verbatim, no HTTP call) and `method: "schema"` (delegate to `GraphqlSchemaService`).
- A new `path: "$paramName" + variablesFromParam` form lets generic tools take the GraphQL document and the variables map from tool params at runtime (used by the three op-builtins).
- `AdapterMeta` gains optional `featured?: boolean` and `priority?: number` so the marketing site can rank adapters in the home rail without a code change there.
Schema & migration
- Prisma schema: `AuthType` enum gains `LOGIN_TOKEN`; new `ConnectorAuthCache` model. Migration `20260518000000_add_login_token_auth` ships in this release.
Documentation
- New: `docs/guides/sorare-to-mcp.md`, `connect-sorare-to-claude.md`, `connect-sorare-to-chatgpt.md`, `connect-sorare-to-openclaw.md`, `connect-sorare-to-cloud.md`.
- New: `docs/connectors/login-token-auth.md`.
- `docs/tool-definition.md` gets a LOGIN_TOKEN authConfig section and a GraphQL section covering `method: "static"`, `method: "schema"`, and the `$param + variablesFromParam` pattern.
- README: new 🎮 Gaming & Web3 — featured rail putting Sorare in front, plus a Featured adapter walkthroughs sub-section under Connector guides linking the five Sorare guides for in-repo discoverability.
Fixes
- Sale-offer prices came back as zero because the query read `senderSide.amounts` — for a sale offer the sender is the seller, not the buyer. Switched `sorare_live_sale_offers` and `sorare_get_card_by_slug` to `receiverSide.amounts` so prices actually show up.
- Several Sorare query field names were wrong against the real schema (`football.players(search:…)`, `currentUser.football.myCards`, `Player.cards`, `So5AppearanceBonusInterface.name`). All rewritten against the production SDL.
- The cloud went down briefly after #199 because `McpServerModule` registers its own copy of `RestEngine` / `GraphqlEngine` and didn't have `LoginTokenService` as a provider — fixed in #201.
Tests
746 backend tests pass (up from 694 at v0.1.24). New coverage:
- `LoginTokenService` unit specs (login flow, cache hit, force-relogin, fallback TTL, missing token error).
- `GraphqlSchemaService` unit specs (full / type slice / search / summary / cache).
- `GraphqlEngine` specs for the new `static` / `schema` / `$param` paths.
- `graphql-builtins` unit specs (slugify edge cases + five-tool shape).
- Catalog parametrised tests now assert every GRAPHQL adapter exposes the five builtins.
Pull requests in this release
#199 #201 #204 #205 #206 #207 #208 #209 #210 #211
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About AnythingMCP
All releases →Related context
Beta — feedback welcome: [email protected]