You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Each SSE session stores its own Allure token (map[sessionID]token)
- X-Allure-Token header read on SSE connect, stored per-session automatically
- JWT cache keyed by API token — concurrent users never share JWTs
- sync.Mutex added to allure client JWT fields (fixes data race)
- internal/session package for context-based session ID propagation
- registry.go split into domain files (launches, results, testcases, etc.)
- GetSessionToken callback now context-aware
- resultToJSON error path fixed (was producing invalid JSON)
- crypto/rand failure now panics instead of falling back to predictable ID
- Dockerfile: alpine:3.21 pinned, Linux binary renamed from .exe
- HTTP server ReadTimeout and IdleTimeout added
- Build-time version via ldflags
- Docs: remote server config corrected to url+headers, Authorization marked optional
Copy file name to clipboardExpand all lines: CHANGELOG.md
+24Lines changed: 24 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,6 +7,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7
7
8
8
## [Unreleased]
9
9
10
+
## [1.5.0] - Security & Architecture Hardening
11
+
12
+
### Added
13
+
-**Per-session Allure token isolation** — Each SSE session stores its own token; concurrent users on a shared server never mix credentials
14
+
-**`X-Allure-Token` header support** — Users pass their personal Allure token from Claude Desktop config via HTTP header; no need to call `configure_allure_token` manually
15
+
-**Token-keyed JWT cache** — JWT tokens cached per API key, not globally; separate users get separate JWTs
16
+
-**`internal/session` package** — Shared context helpers for session ID propagation across packages
17
+
-**Server startup warning** — Logged when HTTP mode runs without `MCP_AUTH_TOKEN`
18
+
-**Build-time version injection** — Server version set via `-ldflags` instead of hardcoded `"1.0.0"`
Replace `your-server.com:3000` with the server address and `your-personal-token-here` with your personal Allure API token (so your actions are done from your account).
59
+
-**`url`** — address of the shared MCP server (ask your team lead).
60
+
-**`Authorization`***(optional)* — the `MCP_AUTH_TOKEN` set on the server. Omit if the server has no `MCP_AUTH_TOKEN` configured.
61
+
-**`X-Allure-Token`** — your personal Allure API token. All actions in Allure will be done under your account.
59
62
60
63
### 3. Restart Claude Desktop
61
64
Close and reopen Claude.
@@ -186,21 +189,25 @@ Each team member adds to their Claude Desktop config (**Settings → Developer
0 commit comments