Skip to content

CHANGELOG.md

Latest commit

 

History

History
240 lines (162 loc) · 11.3 KB

CHANGELOG.md

File metadata and controls

240 lines (162 loc) · 11.3 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Added

  • connect command now auto-generates session name when @session is omitted (e.g., mcpc connect mcp.apify.com creates @apify). If a session for the same server already exists with matching auth settings, it is reused instead of creating a duplicate.
  • --max-chars <n> global option to truncate output to a given number of characters (ignored in --json mode)
  • tools-call <tool> --help shows tool parameter schema (shortcut for tools-get)
  • "Did you mean?" suggestions for unknown commands, including reversed names (e.g., list-toolstools-list)
  • --json output documentation in --help for all commands, describing the MCP object shape returned
  • tools-get now shows an example tools-call command with placeholder arguments based on the tool's schema

Changed

  • JSON output for session info (mcpc @session --json and mcpc connect --json) now returns toolNames (array of tool name strings) instead of full tools objects, keeping it concise and consistent with the human-readable output
  • --schema and --schema-mode options moved from global scope to tools-get and tools-call only (removed from prompts-get)

Fixed

  • connect now verifies the server responds before reporting success; shows a warning with the actual error when the server is unreachable
  • HTTP 404 during initial connect no longer misclassified as "session expired"; error messages now include the actual HTTP error and server URL
  • build:readme script failing on macOS due to sed -i platform difference

0.2.4 - 2026-04-07

Security

  • Fixed XSS vulnerability in OAuth callback server: error messages from query parameters are now HTML-escaped before rendering
  • Replaced exec() with execFile() in browser opening to prevent potential shell injection via crafted OAuth authorization URLs
  • Added Host header validation to OAuth callback server to mitigate DNS rebinding attacks
  • Set restrictive directory permissions (0o700) on ~/.mcpc/ and subdirectories to prevent local privilege escalation on shared systems

Fixed

  • Bridge ignores stored OAuth access token when no refresh token is provided; servers that don't issue refresh tokens now work correctly by using the access token as a static Bearer header
  • Session incorrectly marked as unauthorized when access token expires but refresh token is still valid; bridge now attempts token refresh before giving up
  • "ESC to detach" hint now shows immediately in the spinner when using --task, instead of waiting for the server to return a task ID

0.2.3 - 2026-03-31

0.2.2 - 2026-03-31

0.2.1 - 2026-03-30

Added

  • Secure x402 wallet storage using OS keychain integration with fallback to wallets.json for compatibility
  • QR code display for wallet address in x402 init, x402 import, and x402 info commands, allowing users to scan and fund the wallet directly from the terminal

Changed

  • Auto-reconnect crashed and unauthorized bridge processes in the background when enumerating sessions (mcpc or mcpc grep), with a 10-second cooldown between reconnection attempts. Unauthorized sessions benefit from OAuth tokens refreshed by other sessions sharing the same profile.

Fixed

  • Fixed expired sessions falsely showing as live after auto-reconnect — the bridge now detects when the server did not resume the original MCP session (including when no session ID is returned) and marks the session as expired
  • Bridge sends first keepalive ping 5 seconds after startup (instead of waiting the full 30-second interval) to detect stale sessions earlier

0.2.0 - 2026-03-24

Added

  • New mcpc grep <pattern> command to search tools, resources, prompts, and instructions across all active sessions, with regex, type filters, and single-session search support
  • New tasks-list, tasks-get, tasks-cancel commands for managing async tasks on the server
  • --task flag for tools-call to opt-in to task execution with progress spinner; --detach to start a task and return the task ID immediately; press ESC during --task to detach on the fly
  • --insecure global option to skip TLS certificate verification
  • --client-id and --client-secret options for mcpc login, for servers that don't support dynamic client registration
  • --no-profile option for connect to skip OAuth profile auto-detection
  • mcpc login now falls back to accepting a pasted callback URL when the browser cannot be opened (e.g. headless servers, containers)
  • tools-list now shows inline parameter signatures (e.g. read_file(path: string, +4 optional)) for quick scanning without --full
  • mcpc @session now shows available tools list from bridge cache (no extra server call)

Changed

  • Breaking: CLI syntax redesigned to command-first style. All commands now start with a verb; MCP operations require a named session.

    Before After
    mcpc <server> tools-list mcpc connect <server> @name then mcpc @name tools-list
    mcpc <server> connect @name mcpc connect <server> @name
    mcpc <server> login mcpc login <server>
    mcpc <server> logout mcpc logout <server>
    mcpc --clean=sessions mcpc clean sessions
    mcpc --config file.json entry connect @name mcpc connect file.json:entry @name

    Direct one-shot URL access (e.g. mcpc mcp.apify.com tools-list) is removed; create a session first with mcpc connect.

  • Revised session states: unauthorized (401/403), disconnected (bridge alive but server unreachable >2min), and expired (session ID rejected), each with actionable guidance

  • When --profile is not specified, only the default profile is used; non-default profiles require an explicit --profile flag

  • @napi-rs/keyring native addon is now loaded lazily; falls back to ~/.mcpc/credentials.json when unavailable

  • --header / -H option is now specific to the connect command instead of being a global option

  • Tools cache now fetches all pages on startup and on tools/list_changed notifications

Fixed

  • HTTP proxy support (HTTP_PROXY/HTTPS_PROXY) now works for MCP server connections, OAuth token refresh, and x402 payment signing
  • Explicit --header "Authorization: ..." now takes precedence over auto-detected OAuth profiles
  • Fixed auth loss when reconnecting an unauthorized session via mcpc connect
  • Session restart now auto-detects the default OAuth profile created after the session was established
  • --timeout flag now correctly propagates to MCP requests via session bridge
  • --task and --detach tool calls now correctly send task creation parameters to the server
  • Bridge now forwards logging/message notifications to connected clients
  • IPC buffer between CLI and bridge process is now capped at 10 MB, preventing unbounded memory growth
  • Fixed mcpc help <command> showing truncated usage line

0.1.10 - 2026-03-01

Added

  • Support for HTTPS_PROXY, HTTP_PROXY, and NO_PROXY / lowercase variants env vars for outbound connections
  • CI/CD automated test pipeline

Changed

  • Replaced deprecated keytar package with @napi-rs/keyring for OS keychain integration
  • Temp files now written to ~/.mcpc/ instead of /tmp/ to avoid cross-device rename errors on Linux
  • Improved error messages for invalid server hostnames and mistyped commands (e.g. mcpc login)
  • Added prettier formatting check to lint step

Fixed

  • Fixed ExperimentalWarning: Importing JSON modules is an experimental feature on Node.js 22+
  • Fixed OAuth token refresh for servers with root-based discovery (.well-known at /)
  • Fixed OAuth errors incorrectly expiring the session instead of failing gracefully

0.1.9 - 2026-02-02

Added

  • Added CHANGELOG.md for tracking changes
  • Automated GitHub release creation in publish script

Changed

  • tools-list now shows a compact summary by default to support dynamic tool discovery
  • Added --full flag to tools-list for detailed tool information
  • Publish script now automatically updates CHANGELOG.md version on release

0.1.8 - 2026-01-21

Changed

  • Session is now marked as expired (not auto-reconnected) when server rejects MCP session ID
  • Users must explicitly run mcpc @session restart to recover from expired sessions

Fixed

  • Fixed incorrect flagging of expired sessions as crashed
  • Fixed session expiration detection for various error message formats
  • Fixed help command output

0.1.7 - 2026-01-03

Changed

  • Documentation improvements and updates
  • Various cosmetic improvements to CLI output

Fixed

  • Minor bug fixes

0.1.6 - 2026-01-02

Added

  • Session notifications with timestamps for tracking list changes (tools/list_changed, resources/list_changed, prompts/list_changed)

Changed

  • Renamed _meta to _mcpc in JSON output for MCP spec conformance
  • Improved formatting of prompts output
  • Various cosmetic improvements

Fixed

  • Fixed proxy server issues
  • Fixed screenshot URL in README

0.1.5 - 2026-01-01

Added

  • Implemented --proxy option for exposing sessions as local MCP servers
  • Added mcpc @session restart command

Changed

  • Renamed session command to connect for clarity
  • Renamed "dead" session status to "crashed" for clarity

Fixed

  • Fixed --timeout option handling

0.1.4 - 2025-12-31

Added

  • Implemented --schema and --schema-mode options for tools
  • Added mcpc @session restart command

Changed

  • Renamed tools-schema command to tools-get
  • Improved formatting for prompts and tools output
  • Security review and improvements

0.1.3 - 2025-12-29

Added

  • Initial public release
  • Support for Streamable HTTP and stdio transports
  • Session management with persistent bridge processes
  • OAuth 2.1 authentication with PKCE
  • Full MCP protocol support: tools, resources, prompts
  • Interactive shell mode
  • JSON output mode for scripting