This release adds 2 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+13 more
Summary
AI summarytriggers/list now returns an empty list and null-id JSON‑RPC calls are correctly interpreted as notifications.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium |
`app/core/mcp_proxy.py` short-circuits `/mcp/` triggers/list, returning empty triggers. `app/core/mcp_proxy.py` short-circuits `/mcp/` triggers/list, returning empty triggers. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Feature | Medium |
JSON-RPC §5.3 null-id guard skips notifications with `id: null`. JSON-RPC §5.3 null-id guard skips notifications with `id: null`. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Performance | Medium |
Short-circuiting `triggers/list` reduces unnecessary processing overhead. Short-circuiting `triggers/list` reduces unnecessary processing overhead. Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
`triggers/list` now returns empty triggers, removing Smithery penalty from server score. `triggers/list` now returns empty triggers, removing Smithery penalty from server score. Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Refactor | Medium |
Added TODO comment for future spec removal of stub handler. Added TODO comment for future spec removal of stub handler. Source: llm_adapter@2026-05-21 Confidence: low |
— |
Full changelog
Why this release
Smithery (and other catalog indexers) probe triggers/list as a scoring criterion. The MCP SDK does not implement that method, so FastMCP returns -32601/-32602 for every probe — Smithery treats it as a missing-feature penalty and decays the server score under a rolling window (observed 99 → 85 over ~5 days before this fix).
What changed
app/core/mcp_proxy.py—/mcp/ASGI middleware short-circuitstriggers/listbefore thetools/callgate, returning{"triggers": []}("supported, none exposed"). Forward-compatible with the eventual MCP spec adoption.- JSON-RPC §5.3 null-id guard —
"id" in _rpc and _rpc["id"] is not Nonefalls through for{"id": null}(notification interpretation), matching thetools/listfast-path contract. - TODO comment for post-spec removal so the stub doesn't silently mask a future real handler.
What did NOT change
- No new MCP tool / resource / prompt —
MCP_TOOL_COUNTstays 52. - No tier / pricing / rate-limit changes.
- No schema or REST endpoint change.
Verification
- 3 new tests in
test_mcp_rate_limit_gate.py— envelope shape, no-credit guard, null-id skip. - TEST_COUNT: 2399 → 2402.
- Live smoke (post-deploy):
triggers/listid=42 →{"result": {"triggers": []}}✅triggers/listid=null → HTTP 202 fall-through ✅tools/list→ 52 tools (no regression) ✅
Migration / agent guidance
None. Existing clients see no contract change. Catalog indexers (Smithery, Glama, mcp.so, PulseMCP) gain a successful triggers/list response on next probe.
Score regenerate window: ~7-14 days under Smithery's rolling penalty.
Hotfix on top of v1.32.4 (Plan A variable-cost MCP gate). Next planned release: v1.33.0 (tech_stack_cve_audit MCP-only composite — staged on backup-v1.33.0-uncommitted branch).
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About UPinar/contrastapi
Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.
Related context
Related tools
Earlier breaking changes
- v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.
Beta — feedback welcome: [email protected]