UPinar/contrastapi

v1.32.2 Feature

This release adds 1 notable feature for engineering teams evaluating rollout.

Published 22d MCP Security & Auth
✓ No known CVEs patched

Topics

ai-agents ai-security api claude cve security
domain-recon email-security email-validation llm-tools mcp mitre-atlas mitre-d3fend model-context-protocol osint sigma-rules threat-intelligence vulnerability-management web-intel

ReleasePort's take

Light signal
editorial:auto 13d

The mcp_tool_safe decorator now raises ToolError for AppException instead of returning ErrorResponse; truncation of AppException messages prevents ValidationError from escaping unhandled in the decorator.

Why it matters: Update MCP tools to v1.32.2 immediately to adopt the new error‑raising behavior and message truncation, which mitigates potential unhandled validation errors in production workloads.

Summary

AI summary

The mcp_tool_safe decorator now raises ToolError to set isError: true for error envelopes.

Changes in this release

Security Medium

Truncation of AppException message prevents ValidationError from escaping unhandled in decorator.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

mcp_tool_safe decorator now raises ToolError for AppException instead of returning ErrorResponse.

Source: llm_adapter@2026-05-21

Confidence: high

Refactor Medium

AppException.__init__ truncates self.message to 500 characters, matching ErrorDetail max_length.

Source: llm_adapter@2026-05-21

Confidence: high

Other Medium

Added test helper mcp_error_payload to extract JSON error envelope from new wire format.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Summary

Hotfix for a latent MCP spec violation in the mcp_tool_safe decorator that affected error envelopes from all 49 MCP tools. On AppException, the decorator returned an ErrorResponse body — which FastMCP wraps into result.structuredContent with isError: false — instead of raising ToolError, which sets isError: true on the wire as the spec requires.

Agent clients that switch on result.isError (the spec-conformant path) treated every error as success and parsed the error payload as data.

Bug fix

mcp_tool_safe decorator now raises ToolError

Before:

except AppException as e:
    return ErrorResponse(error=e.to_error_detail())  # isError=false, payload in structuredContent

After:

except AppException as e:
    payload = ErrorResponse(error=e.to_error_detail()).model_dump_json(exclude_none=True)
    raise ToolError(payload) from None  # isError=true, payload embedded in content[0].text

FastMCP catches ToolError, prepends "Error executing tool {name}: ", and emits the payload inside result.content[0].text with isError: true.

Test helper for the new error envelope shape

mcp_error_payload(response) extracts the JSON error envelope from the new wire format:

  • Asserts result.isError is True
  • Strips the FastMCP "Error executing tool {name}: " prefix
  • Returns parsed {"error": {...}} payload

11 error-path MCP tests migrated to this helper.
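
A client-side reader for the two envelope shapes described above, as an added example that is not the project's `mcp_error_payload` helper. The function name, the sample results and the assumption that tool names contain no whitespace or colon are ours; unlike the test helper, it returns `None` for a non-error result instead of asserting.

```python
import json
import re

# Prefix FastMCP prepends to a raised ToolError, as quoted in the release notes.
_PREFIX = re.compile(r"^Error executing tool [^\s:]+: ")


def parse_tool_error(result):
    """Return the {"error": {...}} envelope of a tools/call result.

    Returns None when the result is not flagged as an error, and raises
    ValueError when an isError result does not carry a well-formed envelope.
    """
    if result.get("isError") is not True:
        return None
    content = result.get("content") or []
    if not content or content[0].get("type") != "text":
        raise ValueError("isError result has no text content block")
    text, stripped = _PREFIX.subn("", content[0].get("text", ""), count=1)
    if stripped != 1:
        raise ValueError("expected 'Error executing tool <name>: ' prefix")
    payload = json.loads(text)  # json.JSONDecodeError subclasses ValueError
    if not isinstance(payload, dict) or not isinstance(payload.get("error"), dict):
        raise ValueError("payload is not an {'error': {...}} envelope")
    return payload


# Constructed sample results (not captured from the service).
ENVELOPE = {"error": {"code": "invalid_argument", "message": "constructed sample"}}
OLD_RESULT = {"isError": False, "structuredContent": ENVELOPE}  # pre-1.32.2 shape
NEW_RESULT = {
    "isError": True,
    "content": [{
        "type": "text",
        "text": "Error executing tool cve_lookup: " + json.dumps(ENVELOPE),
    }],
}

if __name__ == "__main__":
    print(parse_tool_error(OLD_RESULT))  # error is invisible to an isError check
    print(parse_tool_error(NEW_RESULT))
```

With the old shape the function reports no error even though the body is an error envelope, which is the misread the hotfix removes.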

Hardening fold-in

AppException.__init__ now truncates self.message to 500 chars, matching ErrorDetail.message Pydantic max_length=500. This eliminates a latent path where a long message would cause to_error_detail() itself to raise ValidationError inside the decorator's except AppException block (which would escape unhandled). Two regression tests added.
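
The escape path described above, reproduced with standard-library stand-ins as an added example (not the project's code). `DetailTooLong` stands in for Pydantic's `ValidationError`, `ToolErrorStandIn` for FastMCP's `ToolError`, and every class and function name here is hypothetical.

```python
import functools
import json

MAX_LEN = 500  # the release notes give ErrorDetail.message max_length=500


class DetailTooLong(ValueError):
    """Stand-in for Pydantic's ValidationError."""


class ToolErrorStandIn(Exception):
    """Stand-in for FastMCP's ToolError."""


def make_detail(code, message):
    # Behaves like a max_length field: rejects an over-long value, never trims it.
    if len(message) > MAX_LEN:
        raise DetailTooLong(f"message is {len(message)} chars, max {MAX_LEN}")
    return {"code": code, "message": message}


class AppErrorRaw(Exception):
    """Stores the message unmodified (the latent-bug variant)."""
    def __init__(self, code, message):
        super().__init__(message)
        self.code, self.message = code, message

    def to_error_detail(self):
        return make_detail(self.code, self.message)


class AppErrorTruncating(AppErrorRaw):
    """Truncates in __init__, so to_error_detail() cannot fail on length."""
    def __init__(self, code, message):
        super().__init__(code, message[:MAX_LEN])


def tool_safe(fn):
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        try:
            return fn(*args, **kwargs)
        except AppErrorRaw as e:
            # An exception raised inside this handler is not caught by it.
            payload = json.dumps({"error": e.to_error_detail()})
            raise ToolErrorStandIn(payload) from None
    return wrapper


def outcome(exc_cls, message):
    """Name of the exception type that leaves the decorated tool."""
    @tool_safe
    def tool():
        raise exc_cls("invalid_argument", message)
    try:
        tool()
    except Exception as e:
        return type(e).__name__
    return "no error"
```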

Production verification

  • cve_lookup with bad input → isError: true + code: invalid_argument
  • sigma_rule_lookup with bad UUID → isError: true + code: invalid_argument
  • domain_report with malformed domain → isError: true + code: invalid_argument
  • Full suite: 2376 passed (was 2374, +2 regression)
  • Ruff: clean

No catalogue / schema change

  • MCP_TOOL_COUNT stays at 52
  • Tool list, schema, and PivotHint Literal unchanged
  • No MCP Registry republish required (no contract surface change — only error envelope encoding)

About UPinar/contrastapi

Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.

Related context

Earlier breaking changes

  • v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.
