This release includes 4 security fixes for security teams reviewing exposed deployments.
Summary
AI summary: HTTP/SSE transport, card persistence with `cardId`, and compound workflow tools are introduced.
Full changelog
What's New in v2.1.0
Major Features
- HTTP/SSE Transport — Deploy as an HTTP server for M365 Copilot, Copilot Studio, and ChatGPT (`TRANSPORT=sse`)
- Card Persistence — Session-scoped card store with `cardId` references. Tools return `cardId` and accept it as input, reducing token overhead in multi-step workflows
- Compound Workflow Tools — `generate_and_validate` and `card_workflow` for multi-step pipelines in a single call
- MCP Prompts — 3 guided prompts: `create-adaptive-card`, `review-adaptive-card`, `convert-data-to-card`
- MCP Resource Templates — Parameterized URIs: `ac://hosts/{hostName}`, `ac://examples/{intent}`
- Designer Preview — Card-producing tools now include a link to preview at https://adaptivecards.microsoft.com/designer
Security & Enterprise
- Auth Middleware — API key and bearer token authentication for HTTP transport (`MCP_API_KEY`, `MCP_AUTH_MODE=bearer`)
- Input Size Guards — Configurable limits on card complexity, data rows, and input size (DoS prevention)
- Rate Limiting — Token bucket per tool with integer-precision tracking (`MCP_RATE_LIMIT=true`)
- API Error Sanitization — Redacts API keys, passwords, and base64 secrets from error messages
- Secret Scanning — GitHub secret scanning + push protection enabled on this repo
- Branch Protection — PRs required with approval, status checks enforced, force push blocked
LLM Providers
- Azure OpenAI — `AZURE_OPENAI_API_KEY` + `AZURE_OPENAI_ENDPOINT`
- Ollama — Local model support via `OLLAMA_BASE_URL`
- Fetch Timeouts — 60s timeout on all LLM calls (120s for Ollama)
- Response Validation — All providers validate response structure before parsing
Observability
- Debug Logging — Structured JSON logging to stderr (`DEBUG=adaptive-cards-mcp`)
- Telemetry — Opt-in tool-call metrics with duration and output size tracking (`MCP_TELEMETRY=true`)
- Suggested Fixes — Validation errors now include `suggestedFix` with descriptions and JSON patches
- Structured Error Logging — Stack traces captured for post-mortem debugging
Developer Experience
- ESLint + Prettier — Code style enforcement configuration
- Coverage Reporting — vitest coverage with V8 provider and threshold enforcement
- Graceful Shutdown — SIGINT/SIGTERM handlers with proper close ordering
- CONTRIBUTING.md — Developer guide with architecture overview and PR checklist
- CHANGELOG.md — Full release history
Stats
- 9 MCP tools (up from 7): added `generate_and_validate`, `card_workflow`
- 3 MCP prompts (new)
- 2 resource templates (new)
- 909 tests passing across 19 test files (up from 862/12)
- 2 production dependencies (removed unused `zod`)
Breaking Changes
None. All existing tools and APIs are backward-compatible.
Installation
# Claude Code
claude mcp add adaptive-cards-mcp -- npx adaptive-cards-mcp
# HTTP/SSE (for M365 Copilot, Copilot Studio)
TRANSPORT=sse PORT=3001 npx adaptive-cards-mcp
# npm library
npm install adaptive-cards-mcp
npm: https://www.npmjs.com/package/adaptive-cards-mcp
Security Fixes
- API error sanitization redacts API keys, passwords, and base64 secrets from error messages
- Input size guards add configurable limits to prevent DoS attacks
- Rate limiting per tool via token bucket (`MCP_RATE_LIMIT=true`)
- Auth middleware adds API key and bearer token authentication for HTTP transport
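
A sketch of what a per-tool token bucket with integer-precision tracking can look like. This is an added example, not code from the adaptive-cards-mcp repository: the `ToolRateLimiter` class, the `SCALE` constant, the capacity and refill values, and the injected clock are all assumptions; only the tool names come from the release notes.

```javascript
// Added example; names, limits and the injected clock are illustrative assumptions.
const SCALE = 1000; // 1 token = 1000 milli-tokens, so all accounting stays in integers

class ToolRateLimiter {
  // capacity: burst size in tokens; refillPerSec: whole tokens added per second
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    for (const [k, v] of Object.entries({ capacity, refillPerSec })) {
      if (!Number.isInteger(v) || v < 1) throw new RangeError(`${k} must be a positive integer`);
    }
    this.max = capacity * SCALE;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // tool name -> { level (milli-tokens), last (ms) }
  }

  // Charge one call against `tool`; returns { allowed, retryAfterMs }.
  take(tool) {
    const t = Math.floor(this.now());
    let b = this.buckets.get(tool);
    if (!b) {
      b = { level: this.max, last: t };
      this.buckets.set(tool, b);
    }
    // A clock that steps backwards must not mint tokens: clamp elapsed time at zero.
    const elapsed = Math.max(0, t - b.last);
    // elapsed ms * tokens/s = milli-tokens, so the refill is exact with no float drift.
    b.level = Math.min(this.max, b.level + elapsed * this.refillPerSec);
    b.last = t;
    if (b.level >= SCALE) {
      b.level -= SCALE;
      return { allowed: true, retryAfterMs: 0 };
    }
    return { allowed: false, retryAfterMs: Math.ceil((SCALE - b.level) / this.refillPerSec) };
  }
}

// Constructed scenario: a burst of four calls to one tool, then one call 500 ms later.
function demo() {
  let clock = 0;
  const rl = new ToolRateLimiter({ capacity: 3, refillPerSec: 2, now: () => clock });
  const burst = [1, 2, 3, 4].map(() => rl.take("generate_and_validate"));
  const other = rl.take("card_workflow"); // separate bucket, unaffected by the burst
  clock = 500; // 500 ms * 2 tokens/s = 1000 milli-tokens, exactly one token
  const later = rl.take("generate_and_validate");
  return { burst, other, later };
}
```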
About VikrantSingh01/adaptive-cards-mcp
AI-powered Adaptive Card generation for Teams, Outlook, Copilot, and ChatGPT. 9 MCP tools for generating, validating, optimizing, templating, and transforming cards with accessibility scoring and host compatibility checks.