logly/mureo

v0.7.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1mo AI Agents & Assistants

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

advertising agentic-ai ai-agents claude-code cli codex

+11 more

cursor facebook-ads gemini-cli google-ads marketing marketing-automation mcp meta-ads model-context-protocol python search-console

Affected surfaces

auth

Summary

AI summary

Currency‑agnostic Meta Ads spend column added and BYOD Google Ads zero‑impressions regression fixed.

Full changelog

PyPI re-publish of v0.7.0 with the post-#54 fixes folded in. The original 0.7.0 was uploaded to PyPI by the GitHub Release workflow when PR #54 merged (2026-04-29 05:26 UTC) and predates these patches. PyPI's file-name reuse policy does not allow re-uploading the same version, so the consolidated fix set ships as 0.7.1.

What's new since 0.7.0

Added

Currency-agnostic Meta Ads spend column — Meta exports the spend header as Amount spent (XXX) where XXX is the account's ISO currency code (JPY / USD / EUR / GBP / KRW / INR / etc.). The previous JPY-only path rejected non-JPY accounts; the new _resolve_spend_idx strips the suffix and _to_float strips a leading currency symbol from cell values. Cost values are stored raw in the account's own currency. (#58)

Fixed

Meta Ads adapter alias corrections for de_DE / es_ES / fr_FR — 7 mismatched header strings replaced with strings observed in real Ads Manager exports across 9 locales. (#56)
BYOD Google Ads zero-impressions/zero-clicks regression — _to_int in mureo/byod/clients.py now tolerates float-formatted strings like "98.0" (what the bundled Apps Script writes), so /daily-check and /search-term-cleanup see real impressions/clicks instead of zeros. (#60)
BYOD Meta get_performance_report now surfaces result_indicator — the per-campaign output dict gained a result_indicator field so the agent can detect CV-definition mismatches (e.g. a link_click-optimized campaign masquerading as a high-CV-rate winner against a true lead-optimized sibling). (#61)

Changed

All bundled command skills now name the specific MCP tools to call — fixes a reproducible BYOD failure mode where the agent looked for raw CSVs in the project directory and aborted because BYOD data lives under ~/.mureo/byod/. (#62)
Japanese BYOD walkthrough (docs/byod.ja.md) added — native Japanese counterpart of docs/byod.md, restructured for Japanese readability rather than direct translation. README.ja.md deep links repointed to the Japanese doc. (#57, #59)

Security

Resolved 8 CodeQL Code Scanning alerts in OAuth + GAQL paths: response-splitting via Location header, clear-text logging of OAuth URL / GAQL query content, and incomplete URL substring sanitization in tests. OAuth-URL validation now runs before any wizard session mutation. (#64)

Install

pip install --upgrade mureo

Full changelog: CHANGELOG.md → 0.7.1

Security Fixes

Resolved CodeQL alerts: prevented response‑splitting via `Location` header, removed clear‑text logging of OAuth URL/GAQL query content, and fixed incomplete URL substring sanitization in tests (OAuth validation now runs pre‑mutation).

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track logly/mureo

Get notified when new releases ship.

About logly/mureo

Framework for AI agents (Claude Code, Cursor, Codex, Gemini) to operate Google Ads, Meta Ads, and Search Console. Grounded in a local STRATEGY.md — not metric-chasing. Defense-in-depth security, local-first. Apache 2.0.

All releases →