This release adds 1 notable feature for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal
Release v1.32.3 pre‑serializes the `tools/list` JSON‑RPC result at startup, serving matching POSTs via byte‑template concat and reducing warm‑path TTFB from 117 ms to 78 ms.
Why it matters: Performance improvement: warm‑path Time‑to‑First‑Byte drops 33% (117 ms → 78 ms). Plan monitoring for the rollout; expect the Smithery p50 to move from ~558 ms toward ~450 ms once the cold portion expires.
Summary
AI summary: Pre‑serializing the tools/list JSON‑RPC result reduces TTFB from 117 ms to 78 ms.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | Exception logging sterilized to avoid CWE-200 Pydantic version disclosure via ValidationError docs URL. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Dependency | Medium | No schema migration or cache invalidation required; MCP_TOOL_COUNT unchanged at 52. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Performance | Medium | Pre‑serializes FastMCP tools/list JSON‑RPC result at startup for warm POSTs. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Performance | Medium | Serves matching POSTs via byte‑template concat in ASGI middleware, short‑circuiting per‑request Pydantic→JSON. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Performance | Medium | Observed warm‑path TTFB reduced from 117ms to 78ms (-33%). Source: llm_adapter@2026-05-21. Confidence: low | — |
| Performance | Medium | Expected Smithery 30d p50 latency drops from ~558ms toward ~450ms after cold portion. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Performance | Medium | Reduces warm-path server TTFB from 117 ms to 78 ms (-33%). Source: granite4.1:30b@2026-05-22-audit. Confidence: low | — |
| Refactor | Medium | Adds `_tools_list_result_bytes` module global and `build_and_set_tools_list_cache()` helper in core/mcp_proxy.py. Source: llm_adapter@2026-05-21. Confidence: high | — |
| Refactor | Medium | Calls cache builder after sigma corpus load in core/lifespan.py, adding ~10‑50ms startup overhead. Source: llm_adapter@2026-05-21. Confidence: low | — |
| Other | Medium | Adds 8 new tests in TestToolsListCache, increasing test count from 2376 to 2384. Source: llm_adapter@2026-05-21. Confidence: low | — |
Full changelog
Performance optimization — MCP tools/list fast-path
Pre-serialize the FastMCP tools/list JSON-RPC result at lifespan startup;
serve matching POSTs via a byte-template concat in the ASGI middleware
(envelope + cached result + per-request id splice), short-circuiting
FastMCP's per-request Pydantic→JSON path.
Observed impact (warm-path curl, post-deploy)
- Server TTFB 117ms → 78ms (-33%) on warm probes
- Smithery 30d p50 expected to drop from 558ms toward Anthropic-reference tier (~450ms after the TCP/TLS-dominated cold portion); 24-48h to settle as probe distribution rolls over
Implementation
- `core/mcp_proxy.py`: `_tools_list_result_bytes` module global + async `build_and_set_tools_list_cache()` helper + fast-path short-circuit in `_MCPIPForwardMiddleware.__call__()`
- `core/lifespan.py`: await cache build after sigma corpus load (one-shot at startup, ~10-50ms overhead)
JSON-RPC 2.0 §5.3 spec compliance
Fast-path is skipped when the request has no id key (notification).
FastMCP slow path handles notifications per spec — no spurious id:null
response from the fast-path.
Hardening (round 1 + round 2 /review fold-ins)
- Exception logging sterilized: only `type(e).__name__` is logged in both the startup cache builder and the fast-path handler (avoids CWE-200 Pydantic version disclosure via ValidationError docs URL)
- Sentinel byte-match tests prove the fast-path is actually taken (vs silently falling through to FastMCP)
- Cache `None` → graceful fallback to slow path (never broken, only degraded latency)
Test count
2376 → 2384 (+8 new tests in TestToolsListCache)
Surface compatibility
- Wire shape identical to FastMCP slow-path output (byte-equal for valid requests)
- `MCP_TOOL_COUNT` unchanged (52)
- No schema migration, no cache invalidation needed
- MCP Registry republish skipped (no schema/tool change)
Rollback: `git checkout v1.32.2` + rolling restart. Pre-serialize is
purely additive; reverting falls back to the existing FastMCP path.
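
The fast path, notification skip, `None` fallback and type-name-only logging described in the changelog, as an added sketch that is not contrastapi's code. The function names, the envelope key order, and the rule that requests carrying params or a non-scalar id go to the slow path are assumptions of this example.

```python
import json
import logging

log = logging.getLogger("fastpath_example")

# Envelope pieces (assumed key order); the per-request id goes between them.
_PREFIX = b'{"jsonrpc":"2.0","id":'
_MID = b',"result":'
_SUFFIX = b'}'
_result_bytes = None  # stays None if the startup build fails -> slow path


def build_cache(tools):
    """Serialize the tools/list result once at startup."""
    global _result_bytes
    try:
        _result_bytes = json.dumps({"tools": tools}, separators=(",", ":")).encode()
    except Exception as e:
        _result_bytes = None
        # Log the exception class only; str(e) can carry library details.
        log.warning("tools/list cache build failed: %s", type(e).__name__)


def fast_path(body):
    """Return response bytes, or None to hand the request to the slow path."""
    if _result_bytes is None:
        return None
    try:
        req = json.loads(body)
    except Exception as e:
        log.warning("fast-path parse failed: %s", type(e).__name__)
        return None
    if not isinstance(req, dict) or req.get("method") != "tools/list":
        return None
    # No "id" key means a notification (no response); params may change the result.
    if "id" not in req or req.get("params"):
        return None
    rid = req["id"]
    # Serve only string, integer or null ids here; bool is an int subclass.
    if isinstance(rid, bool) or not isinstance(rid, (str, int, type(None))):
        return None
    # Re-encode the parsed id; never copy the client's raw bytes into the reply.
    return _PREFIX + json.dumps(rid).encode() + _MID + _result_bytes + _SUFFIX
```

Re-encoding the parsed id with `json.dumps` is what keeps a client-chosen string id from breaking out of the envelope when it is spliced next to the cached bytes.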
About UPinar/contrastapi
Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.
Earlier breaking changes
- v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.