This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
+13 more
ReleasePort's take
Light signalThe email_security_posture REST endpoint is now functional again and a new correct route has been added. The deprecated /security-posture/{domain} route has been removed.
Why it matters: Patch to v1.32.1 immediately to restore the email_security_posture API functionality and avoid 404/500 errors on affected routes.
Summary
AI summaryFixed two bugs that made the email_security_posture REST endpoint and MCP tool non‑functional since v1.32.0.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
Adds correct route path /v1/email/security-posture/{domain} for email_security_posture feature. Adds correct route path /v1/email/security-posture/{domain} for email_security_posture feature. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Restores functional email_security_posture REST endpoint previously returning 404. Restores functional email_security_posture REST endpoint previously returning 404. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Corrects PivotHint API mismatch causing HTTP 500 errors. Corrects PivotHint API mismatch causing HTTP 500 errors. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Bugfix | Medium |
Removes deprecated route /security-posture/{domain}, now returns 404. Removes deprecated route /security-posture/{domain}, now returns 404. Source: llm_adapter@2026-05-21 Confidence: low |
— |
Full changelog
Summary
Hotfix for two correlated bugs in the email_security_posture feature shipped in v1.32.0. Both REST endpoint and MCP tool were non-functional in production since the v1.32.0 ship — this release restores them.
Bugs fixed
1. Route path drift
The route decorator was registered at /security-posture/{domain} but catalogue, MCP tool definitions, README, tests, and the published manifest all advertised /v1/email/security-posture/{domain} (matching the sibling email_mx, email_disposable, email_verify pattern). External callers got 404; the MCP tool returned isError: false with a not_found error envelope inside the response.
2. PivotHint API mismatch
_email_posture_pivot_hints constructed PivotHint(tool=..., args={dict}, description=...) but the schema requires tool, input (string), reason. The wrong field names were silently accepted via extra=\"allow\", but the required input and reason fields were missing → ValidationError → HTTP 500 on every call to the (broken) registered path.
Verification (post-deploy)
GET /v1/email/security-posture/google.com→ 200 withposture_grade,posture_score, 3 well-formednext_callsGET /v1/security-posture/google.com→ 404 (correctly removed)- MCP
email_security_posturetool →isError: false+ valid posture data - 15 existing unit tests still pass; full suite 2374 passed; ruff clean
No catalogue / schema change
MCP_TOOL_COUNTstays at 52- Tool list, schema, and PivotHint Literal unchanged
- No MCP Registry republish required for indexers — they will see no surface change
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About UPinar/contrastapi
Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.
Related context
Related tools
Earlier breaking changes
- v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.
Beta — feedback welcome: [email protected]