Skip to content

Maintenant

v1.2.15 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 6h Monitoring & Metrics
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

alerting container-monitoring devops docker go heartbeat
+12 more
self-hosted kubernetes monitoring network-security observability server-sent-events sqlite ssl-monitoring status-page uptime-kuma-alternative uptime-monitoring vue

Affected surfaces

auth

Summary

AI summary

Updates Upgrade notes, Tests, and https://docs.maintenant.dev/features/mcp/ across a mixed release.

Changes in this release

Feature Low

Added first OAuth test suite (`internal/mcp/oauth/server_test.go`) covering exact‑match acceptance, origin‑only rejection, and loopback allow‑listing.

Added first OAuth test suite (`internal/mcp/oauth/server_test.go`) covering exact‑match acceptance, origin‑only rejection, and loopback allow‑listing.

Source: llm_adapter@2026-06-04

Confidence: high
Bugfix Medium

Service worker no longer shadows backend OAuth routes, fixing blank SPA screen on redirect.

Service worker no longer shadows backend OAuth routes, fixing blank SPA screen on redirect.

Source: llm_adapter@2026-06-04

Confidence: low
Bugfix Medium

OAuth authorize endpoint now matches `redirect_uri` exactly instead of by origin only.

OAuth authorize endpoint now matches `redirect_uri` exactly instead of by origin only.

Source: llm_adapter@2026-06-04

Confidence: low
Bugfix Low

Documentation updated to clarify full‑URI matching and automatic loopback acceptance for `MAINTENANT_MCP_ALLOWED_REDIRECT_URIS`.

Documentation updated to clarify full‑URI matching and automatic loopback acceptance for `MAINTENANT_MCP_ALLOWED_REDIRECT_URIS`.

Source: llm_adapter@2026-06-04

Confidence: low
Full changelog

This release fixes two distinct bugs that broke the Claude MCP OAuth connection flow, each surfacing the same confusing symptom: a blank SPA screen instead of the authorization prompt. After this release, connecting Claude (web, Desktop, or Code) to a maintenant MCP server works without hard reloads or manual config workarounds.

Fixes

  • Service worker no longer shadows backend OAuth routes. The PWA service worker served the precached app shell for navigations to /oauth/authorize, so Claude's OAuth redirect was intercepted and rendered a blank SPA screen until a hard reload bypassed the worker. /oauth/, /.well-known/, and /mcp are now added to navigateFallbackDenylist, so the service worker never shadows backend-served routes. autoUpdate plus skipWaiting/clientsClaim roll the fix out to existing clients on their next visit ? no manual cache clear needed.

  • redirect_uri is now matched exactly, not by origin. The authorize endpoint compared only the redirect_uri origin (scheme://host), but the docs instruct configuring the full callback URI. A configured value like https://claude.ai/api/mcp/auth_callback never matched, so authorization failed with invalid redirect_uri ? which also surfaced as a blank SPA screen when the proxy served index.html on the 400 response. The endpoint now compares the full redirect_uri with simple string comparison (RFC 6749 �3.1.2.3). Loopback callbacks (localhost / 127.0.0.1 / ::1, any port or path) stay always-allowed for local clients, so Claude Desktop and Claude Code keep working out of the box.

Tests

  • First OAuth test suite added (internal/mcp/oauth/server_test.go) covering exact-match acceptance, origin-only rejection, and loopback allow-listing.

Upgrade notes

  1. No new environment variables and no migration. The fixes are picked up automatically: the frontend fix ships in the new build, and the service worker updates itself on the next visit.
  2. If you had previously worked around the redirect_uri mismatch by listing the origin (https://claude.ai) in MAINTENANT_MCP_ALLOWED_REDIRECT_URIS, change it to the full callback URI (https://claude.ai/api/mcp/auth_callback). Loopback callbacks no longer need to be listed at all.

Documentation

  • Updated: MCP ? clarifies exact full-URI matching and automatic loopback acceptance for MAINTENANT_MCP_ALLOWED_REDIRECT_URIS.
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Maintenant

Get notified when new releases ship.

Sign up free

About Maintenant

Monitor everything with a single container

All releases →

Related context

Beta — feedback welcome: [email protected]