UPinar/contrastapi

v1.32.7 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 20d MCP Security & Auth

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

ai-agents ai-security api claude cve security

+13 more

domain-recon email-security email-validation llm-tools mcp mitre-atlas mitre-d3fend model-context-protocol osint sigma-rules threat-intelligence vulnerability-management web-intel

Summary

AI summary

Added support for Smithery's proprietary ai.smithery/events/list JSON‑RPC method.

Changes in this release

Type	Severity	Summary	CVE
Feature	Medium	Added `ai.smithery/events/list` method to MCP fast-path for Smithery scoring probe. Added `ai.smithery/events/list` method to MCP fast-path for Smithery scoring probe. Source: llm_adapter@2026-05-21 Confidence: high	—
Dependency	Medium	No dependency changes; only internal method mapping adjustments. No dependency changes; only internal method mapping adjustments. Source: llm_adapter@2026-05-21 Confidence: low	—
Performance	Medium	Increased TEST_COUNT from 2402 to 2404 to include events/list envelope and cost-guard tests. Increased TEST_COUNT from 2402 to 2404 to include events/list envelope and cost-guard tests. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Removed temporary debug log added in v1.32.6 after diagnostic purpose completed. Removed temporary debug log added in v1.32.6 after diagnostic purpose completed. Source: llm_adapter@2026-05-21 Confidence: low	—
Refactor	Medium	Refactored v1.32.5 triggers/list fast-path into `_SMITHERY_PROBE_RESULT` method table. Refactored v1.32.5 triggers/list fast-path into `_SMITHERY_PROBE_RESULT` method table. Source: llm_adapter@2026-05-21 Confidence: low	—
Refactor	Low	Refactored fast-path into `_SMITHERY_PROBE_RESULT` dict in `app/core/mcp_proxy.py`. Refactored fast-path into `_SMITHERY_PROBE_RESULT` dict in `app/core/mcp_proxy.py`. Source: granite4.1:30b@2026-05-22-audit Confidence: low	—

Full changelog

TL;DR

v1.32.5 shipped a triggers/list fast-path based on Smithery's user-facing "Failed to list triggers" inspector text. Smithery's inspector kept showing the same warning post-deploy. v1.32.6 added a temp debug log to the /mcp/ middleware, captured one Smithery probe, and revealed the actual JSON-RPC method:

ai.smithery/events/list — Smithery's proprietary namespace, not a standard MCP method.

v1.32.7 ships the real fix.

What changed

app/core/mcp_proxy.py — refactored the v1.32.5 fast-path into a _SMITHERY_PROBE_RESULT: dict[str, bytes] method table:
- triggers/list → {"triggers":[]} (kept for MCP draft-spec forward compat)
- ai.smithery/events/list → {"events":[]} (Smithery's actual scoring probe)
Removed the v1.32.6 temp debug log (single-shot diagnostic, served its purpose).
TEST_COUNT 2402 → 2404 (+2 events/list envelope + cost-guard tests).

Debug trail (S241, 15 May)

v1.32.5 ship: triggers/list fast-path verified via curl, but Smithery inspector still showed -32602.
Multi-variant curl tests (different params, IDs, headers): all returned {"triggers": []} correctly — fast-path works.
v1.32.6 ship: 22-line logger.warning for any method matching /trigger/i OR UA matching /smithery/i.
Smithery inspector re-triggered (~15 min later). One log line captured: method='ai.smithery/events/list' input_value='ai.smithery/events/list' from FastMCP's 28-Pydantic-arm validation error.
v1.32.7 ship: real method added to fast-path. Smithery inspector confirms Capabilities found: 52 tools, 3 prompts, 3 resources with no warning (vs. previous "Failed to list triggers").

Verification

Live curl (post-deploy):
- ai.smithery/events/list id=8888 → {"result": {"events": []}} ✅
- triggers/list id=42 → {"result": {"triggers": []}} ✅ (still works)
- tools/list → 52 tools (no regression) ✅
Smithery inspector: worked ✅
Pytest: 2404 passed, ruff clean.

What did NOT change

MCP_TOOL_COUNT, MCP_RESOURCE_COUNT, MCP_PROMPT_COUNT unchanged.
No tier/pricing/rate-limit changes.
No schema or REST endpoint change.

Expected catalog impact

Smithery rolling-window scoring expected to regenerate 85 → 99 over 7-14 days as the failed-probe history rolls off.

Hotfix on top of v1.32.5. v1.32.6 was a single-purpose diagnostic ship — intentionally not tagged or released.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track UPinar/contrastapi

Get notified when new releases ship.

About UPinar/contrastapi

Security intelligence API with 31 MCP tools for CVE/EPSS/KEV lookup, domain recon (DNS/WHOIS/SSL/subdomains/CT logs), IOC/threat intel, OSINT (email/phone/username), and code security scanning (secrets, injection). Free 100 req/hr.

All releases →

Related context

Related tools

Earlier breaking changes

v1.33.11 `bulk_sigma_rule_lookup` now costs 1 credit per `rule_id`, changing from flat 1 credit/call.