
Published 1 month ago (MCP Developer Tools)

Topics

anthropic, claude, go, mcp, mcp-server, model-context-protocol, okr, product-management, productplan, roadmap

Summary

Sanitize non‑JSON response bodies before reaching MCP caller, preventing unbounded HTML or stack traces.

Full changelog

Security

  • Sanitize non-JSON response bodies before reaching MCP caller (HG-2). pkg/productplan/errors.go previously stuffed raw response bodies into APIError.Details, which then rendered into Error() and surfaced verbatim to the MCP caller via internal/api/client.go:161. Multi-line HTML error pages and stack traces could flow through unbounded. New sanitizeBodyForCaller truncates at first newline and caps at 200 chars; full body remains available to operators via server-side request logging. Surfaced by the 4-axis portfolio audit.
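An added Go example of the sanitization path this entry describes (example code, not the project's own pkg/productplan/errors.go): a sanitizeBodyForCaller that cuts at the first newline and caps at 200 characters, an APIError whose Error() only ever carries the sanitized line, and a constructor that is the single place raw bodies enter the error path and logs the full body server-side for operators. The APIError field layout, the newAPIError constructor and its logger parameter, the whitespace trimming, rune-based counting and the sample HTML body are assumptions of this example.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// maxDetailLen caps the number of characters of a response body echoed to the MCP caller.
const maxDetailLen = 200

// sanitizeBodyForCaller reduces an arbitrary (possibly HTML or stack-trace) response body
// to a single line of at most maxDetailLen characters: cut at the first newline, then cap.
// Trimming surrounding whitespace (including a trailing CR) and counting in runes rather
// than bytes are assumptions of this example, not something the changelog states.
func sanitizeBodyForCaller(body string) string {
	if i := strings.IndexByte(body, '\n'); i >= 0 {
		body = body[:i]
	}
	body = strings.TrimSpace(body)
	if r := []rune(body); len(r) > maxDetailLen {
		body = string(r[:maxDetailLen])
	}
	return body
}

// APIError is the error type handed back to the MCP caller. Details holds only the
// sanitized single line, never the raw body. (Hypothetical layout for this example.)
type APIError struct {
	StatusCode int
	Details    string
}

func (e *APIError) Error() string {
	if e.Details == "" {
		return fmt.Sprintf("productplan API error: status %d", e.StatusCode)
	}
	return fmt.Sprintf("productplan API error: status %d: %s", e.StatusCode, e.Details)
}

// newAPIError is the single place raw bodies enter the error path: the full body goes to
// the server-side log (for operators), only the sanitized line goes into the error.
func newAPIError(status int, rawBody string, logf func(format string, args ...any)) *APIError {
	logf("productplan upstream response status=%d body=%q", status, rawBody)
	return &APIError{StatusCode: status, Details: sanitizeBodyForCaller(rawBody)}
}

func main() {
	// Constructed sample: a multi-line HTML error page standing in for a non-JSON upstream reply.
	page := "<html>\n<head><title>502 Bad Gateway</title></head>\n<body>stack trace...</body>\n</html>"
	err := newAPIError(502, page, log.Printf)
	fmt.Println(err.Error()) // only "<html>" reaches the caller; the full page is in the log
}
```

The design point is that the cap is applied where the error is constructed, so no later code path (Error(), a handler's default error branch, a wrapping fmt.Errorf) can reintroduce the raw body; operators who need the whole page read it from the request log rather than from what the MCP client sees.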

Fixed

  • Handler default error path, stale test count, and return-value descriptions
  • Remove stale tool references, add enum constraints, resolve lint findings

Changed

  • Internal refactor: typedHandler generic eliminates parse/validate boilerplate across handlers (no behavior change)

Infrastructure

  • make check regression target wired into CI
  • go.sum integrity check + govulncheck (advisory) on every CI run
  • CODEOWNERS protects workflow files from drive-by PRs
  • Auto-dispatch mcp-registry.yml from release workflow
  • Dependabot groups Go dependency updates (less PR noise)
  • Beads issue tracking initialized; .gitattributes declares the beads merge driver
  • Deslop baseline committed for cloud-routine regression detection

Dependencies

  • actions/github-script 8 → 9
  • softprops/action-gh-release 2 → 3
  • Multiple Docker actions (login, setup-buildx, metadata, build-push) on latest majors

What's Changed

  • ci: bump actions/checkout from 4 to 6 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/12
  • ci: bump actions/github-script from 7 to 8 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/13
  • ci: bump actions/setup-go from 5 to 6 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/14
  • ci: bump actions/download-artifact from 7 to 8 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/15
  • ci: bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/16
  • ci: bump docker/login-action from 3 to 4 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/17
  • ci: bump docker/build-push-action from 6 to 7 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/18
  • ci: bump docker/setup-buildx-action from 3 to 4 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/19
  • ci: bump docker/metadata-action from 5 to 6 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/20
  • ci: bump softprops/action-gh-release from 2 to 3 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/22
  • ci: bump actions/github-script from 8 to 9 by @dependabot[bot] in https://github.com/olgasafonova/productplan-mcp-server/pull/23
  • ci: auto-dispatch mcp-registry.yml from release workflow by @olgasafonova in https://github.com/olgasafonova/productplan-mcp-server/pull/24
  • deslop: add baseline by @olgasafonova in https://github.com/olgasafonova/productplan-mcp-server/pull/25

New Contributors

  • @olgasafonova made their first contribution in https://github.com/olgasafonova/productplan-mcp-server/pull/24

Full Changelog: https://github.com/olgasafonova/productplan-mcp-server/compare/v5.0.0...v5.0.1

Security Fixes

  • Sanitize non‑JSON response bodies before reaching MCP caller (HG-2): truncates at first newline and caps at 200 chars, preventing unbounded HTML or stack traces from being exposed.


About olgasafonova/productplan-mcp-server

Query ProductPlan roadmaps. Access OKRs, ideas, launches, and timeline data.
