This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: Updates PRs in this release, https://github.com/logly/mureo/issues/149, and configure across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | Adds "Plugin credentials" section to `mureo configure` UI for per-account credential input. | — |
| Feature | Medium | Introduces HTTP route `GET /api/credentials/plugins` returning plugin credential metadata. | — |
| Feature | Medium | Introduces HTTP route `POST /api/credentials/plugins/save` for persisting plugin credential values. | — |
| Feature | Medium | Adds Python module `mureo.web.plugin_credentials` exposing credential operations programmatically. | — |
| Bugfix | Low | Removes need for operators to manually edit `claude_desktop_config.json` env vars for plugin API keys. | — |

Source for all entries: llm_adapter@2026-05-27. Confidence: high.
Full changelog
mureo configure registers installed-plugin per-account credentials
Closes #149 Part 2 (Part 1 — the secret: bool flag on AccountCredentialField — shipped in v0.9.12).
Added — Plugin credentials in the configure UI
mureo configure gains a "Plugin credentials" section under the Setup tab. For every installed provider (built-in or third-party) that declares non-empty account_credential_fields, the section renders one collapsible form. Each declared field becomes an input:
- `secret=True` → `<input type="password" autocomplete="new-password">` with a "leave blank to keep current value" placeholder. Secret inputs are cleared on successful save so the next view never holds the plaintext.
- `secret=False` → plain text input with the declared placeholder.
- `required=True` shown with `*` after the label.
Submitting persists the values to ~/.mureo/credentials.json at {<provider_name>: {<field_key>: <value>}} — the same JSON shape built-in Google Ads / Meta Ads adapters already read via FilesystemSecretStore.load(), so plugins pick up the values without additional wiring. Operators no longer need to hand-edit env vars in claude_desktop_config.json to deliver an API key to a plugin.
New HTTP routes
Two new endpoints under the existing CSRF + Host-header gate:
- `GET /api/credentials/plugins` — returns `{plugins: [{provider_name, display_name, fields: [...]}]}`, sorted by `provider_name`, filtered to providers with non-empty `account_credential_fields`.
- `POST /api/credentials/plugins/save` — writes one provider's values. Response envelope is `{status: "ok", provider_name, accepted_keys}` where `accepted_keys` is the subset this call actually changed (blank-secret-skipped entries are absent).
Save policy:
| Condition | Result |
|---|---|
| Unknown provider | 400 unknown_provider |
| Non-string value | 400 invalid_field_value |
| required=True field with no value to persist | 400 required_field_missing |
| Unknown field key in body | Silently dropped (stale-UI defence) |
| Blank secret=True value with existing stored value | Keep existing |
| Blank secret=True value with no existing stored value, required=True | 400 required_field_missing |
| Blank secret=False value, required=True | 400 required_field_missing |
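
The save policy table applied to one POST body, as an added example that is not mureo's own code. `Field`, `SaveError` and `save_plugin_credentials` are hypothetical names; treating an absent key as blank, reporting every written key in `accepted_keys`, and leaving a blank optional field untouched are assumptions the page does not settle.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:  # hypothetical stand-in for AccountCredentialField
    key: str
    secret: bool = False
    required: bool = False


class SaveError(Exception):
    """Maps to an HTTP 400 with the error code from the policy table."""
    def __init__(self, code):
        super().__init__(code)
        self.status, self.code = 400, code


def save_plugin_credentials(declared, store, provider_name, values):
    """Validate one provider's values; write to `store` only if all pass."""
    if provider_name not in declared:
        raise SaveError("unknown_provider")
    existing = store.get(provider_name, {})
    merged, accepted = dict(existing), []
    for field in declared[provider_name]:
        value = values.get(field.key, "")  # assumption: absent key == blank
        if not isinstance(value, str):
            raise SaveError("invalid_field_value")
        if value == "":
            if field.secret and existing.get(field.key):
                continue  # blank secret keeps the stored value
            if field.required:
                raise SaveError("required_field_missing")
            continue  # assumption: blank optional field is left untouched
        merged[field.key] = value
        accepted.append(field.key)
    # Keys in `values` that no field declares are never read: silently dropped.
    store[provider_name] = merged  # single commit point, after validation
    return {"status": "ok", "provider_name": provider_name,
            "accepted_keys": accepted}  # key names only, safe to log


if __name__ == "__main__":
    # Constructed sample data: "acme_ads" is a made-up provider.
    declared = {"acme_ads": [Field("api_key", secret=True, required=True),
                             Field("account_id", required=True)]}
    store = {}
    print(save_plugin_credentials(declared, store, "acme_ads",
          {"api_key": "k1", "account_id": "42", "stale_field": "x"}))
    print(save_plugin_credentials(declared, store, "acme_ads",
          {"api_key": "", "account_id": "43"}))
```

Because the store is only assigned after the loop completes, a request that fails on its last field leaves earlier fields unwritten, so a rejected save never produces a half-updated provider entry.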
New module mureo.web.plugin_credentials
The same two operations are exposed as a Python API for programmatic callers — useful for plugin test harnesses and alternate configure UIs. Secret values never appear in mureo's log output; only the list of accepted keys is logged for auditability.
PRs in this release
- #150 — feat(configure): register installed-plugin per-account credentials via the UI
Upgrade
pip install --upgrade mureo
No code changes required for callers or existing plugins. Plugin authors whose authentication model includes a per-account API key (or any other per-account secret) can now declare AccountCredentialField(secret=True, required=True, ...) on their provider and operators will register the value through the configure UI, no env-var hand-editing required.
About logly/mureo
Framework for AI agents (Claude Code, Cursor, Codex, Gemini) to operate Google Ads, Meta Ads, and Search Console. Grounded in a local STRATEGY.md — not metric-chasing. Defense-in-depth security, local-first. Apache 2.0.