Commit 7f32a2d
feat(client)!: 2026-05-14 spec drift sweep + CVE bumps
Combined output of:
1. ``poe refresh-upstream-spec`` — fresh live-gateway OAS + README.io portal
spec.
2. Manual prose-drift audit (5 parallel sub-agents across all API areas)
comparing per-object README.io reference pages against the local spec.
The reference markdown corpus those agents read lives in PR #743; this
PR focuses on the spec edits that came out of the audit.
3. Live-API verification for fields that can't be confirmed from docs alone.
## Spec changes
### New schema fields (additive)
- ``Variant.abc_classification`` (enum ``A`` / ``B`` / ``C``, nullable). New
shared ``AbcClassification`` enum schema.
- ``SalesOrderRow.serial_number_transactions`` (array of
``{serial_number_id, quantity: 0|1}`` — Katana's audit trail of serial-number
add/remove actions).
- ``UpdateManufacturingOrderOperationRowRequest.manufacturing_order_id``
property added; ``manufacturing_order_id`` + ``status`` now required.
- ``UpdateProductRequest.configs.items.id`` optional integer (lets callers
rename a config by id instead of matching by name).
### Wire-format types: ``number`` → ``string`` on read schemas
Katana returns fixed-precision decimals as strings on the wire
(``"0.0300000000"``). Our generated client previously typed these as
``float``, which the pydantic client silently coerced (lossy precision) and
the attrs client passed through as ``str`` while claiming ``float`` (runtime
type lie). The read schemas now match what the wire delivers:
- ``SalesOrderRow.price_per_unit``, ``cogs_value``
- ``ManufacturingOrderRecipeRow.planned_quantity_per_unit``
- ``ManufacturingOrderOperationRow.planned_time_per_unit``,
``planned_time_parameter``, ``total_actual_time``,
``planned_cost_per_unit``, ``total_actual_cost``
Write-side DTOs (``Create*Request``, ``Update*Request``) keep ``number`` —
the API accepts numeric input on write.
### Removed schemas / new endpoints
- ``SalesOrderSearchRequest`` and ``SalesOrderSearchRequestFilter`` removed;
``POST /sales_orders/search`` now references the consolidated
``SearchFilterRequest``.
- New endpoint ``POST /sales_order_rows/search`` — LoopBack-style filter
envelope, returns ``SalesOrderRowListResponse``. Response shape verified
against live API (issue #733 closed).
- New ``SearchFilterRequest`` schema (shared by both search endpoints).
### Relaxed-required + renames
- ``CreatePurchaseOrderRequest.order_no`` and
``CreateSalesOrderRequest.order_no`` no longer required — Katana
auto-generates a sequential PO/SO number when omitted.
- ``CreateSalesOrderRowRequest.attributes.items.name`` → ``key`` (renamed
to match the read schema's ``SalesOrderRowAttribute``). Same change on
``UpdateSalesOrderRowRequest``.
### Other field-level corrections
- ``CreateVariantRequest.registered_barcode`` — removed ``minLength: 3``,
widened ``maxLength`` 40 → 120 to match Update + upstream.
- ``CreateSerialNumbersRequest`` — ``resource_type`` and ``serial_numbers``
added to ``required``.
- ``CreateStockTransferRequest.stock_transfer_number`` +
``CreateStockAdjustmentRequest.stock_adjustment_number`` — added
``minLength: 1``.
- ``Inventory.safety_stock_level`` — added to ``required`` (live API always
populates the field).
- ``DemandForecastPeriod.in_stock`` description fixed: "at the start" → "at
the end of the period".
- ``PurchaseOrderRow.price_per_unit`` description copy-paste typo fixed
("sales price… in sales order currency" → "purchase price… in purchase
order currency").
- ``Webhook.subscribed_events.items`` now ``$ref``'s the ``WebhookEvent``
enum (previously a free-form string); stale example event names removed.
- ``CreateSalesOrderFulfillmentRequest.tracking_number`` / ``tracking_url``
— added missing ``maxLength`` constraints (256 / 2048).
- Deprecation markers added to ``cost_per_hour`` /
``planned_time_per_unit`` across ``ManufacturingOrderOperationRow``, its
Create / Update siblings, and ``ProductOperationRow`` (upstream documents
these as superseded by ``cost_parameter`` / ``planned_time_parameter``).
## Supporting changes
- ``scripts/generate_pydantic_models.py`` — ``serial_number_transactions``
added to ``SalesOrderRow``'s ``json_columns`` so the cached SQLModel
serializes it via ``PydanticJSON``.
- ``katana_mcp_server/src/katana_mcp/tools/tool_result_utils.py`` — new
``float_or_none`` helper for coercing wire-format decimal strings at the
domain boundary.
- ``katana_mcp_server/src/katana_mcp/tools/foundation/sales_orders.py`` —
``SalesOrderRowInfo`` / ``SalesOrderRowDetail`` mappings now route
``price_per_unit`` / ``cogs_value`` through ``float_or_none`` so the
consumer-facing models stay numeric.
- Test factories (``katana_mcp_server/tests/factories.py``) accept
``float | str | None`` and stringify internally for caller convenience.
## CVE bumps
Pre-existing transitive vulnerabilities flagged by Trivy when this PR's
``uv.lock`` changes made them appear in the diff. Bumping in-place to the
fixed versions:
- ``gitpython`` 3.1.46 → 3.1.50 (CVE-2026-42215, -42284, -44243, -44244,
GHSA-mv93-w799-cj2w). Transitive via ``python-semantic-release``.
- ``python-multipart`` 0.0.24 → 0.0.28 (CVE-2026-42561). Transitive via the
MCP tooling chain.
- ``cryptography`` 46.0.6 → 48.0.0 (CVE-2026-39892). Transitive via
``pyjwt[crypto]``.
## Deferred work
Tier 2 findings from the audit that require live-API verification before
applying are tracked separately as #736 (items), #737 (customers/custom
fields/webhooks), #738 (inventory/stock), #739 (sales). The unverified
money-fields wire-format sweep continues in #735.
BREAKING CHANGE: Multiple field types narrowed from ``number`` to ``string``
on read schemas (``SalesOrderRow.price_per_unit`` / ``cogs_value``,
``ManufacturingOrderRecipeRow.planned_quantity_per_unit``,
``ManufacturingOrderOperationRow.planned_time_per_unit`` /
``planned_time_parameter`` / ``total_actual_time`` /
``planned_cost_per_unit`` / ``total_actual_cost``). Consumers doing
arithmetic on these need to parse them (e.g., ``float(row.price_per_unit)``
or ``decimal.Decimal(row.price_per_unit)``); pydantic clients in lax mode
will continue to auto-coerce. The ``SalesOrderSearchRequest`` /
``SalesOrderSearchRequestFilter`` classes are removed — callers of
``POST /sales_orders/search`` should switch to ``SearchFilterRequest``.
``SalesOrderRow``'s ``attributes.items`` request field is renamed
``name`` → ``key`` on Create / Update DTOs (matches the read shape).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent f93c838 commit 7f32a2d
49 files changed
Lines changed: 2296 additions & 432 deletions
File tree
- docs
- upstream-specs
- katana_mcp_server
- src/katana_mcp/tools
- foundation
- tests
- tools
- katana_public_api_client
- api
- manufacturing_order_operation
- sales_order_row
- sales_order
- variant
- models_pydantic
- _generated
- models
- scripts
- tests
Some content is hidden
Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Large diffs are not rendered by default.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1049 | 1049 | | |
1050 | 1050 | | |
1051 | 1051 | | |
1052 | | - | |
1053 | 1052 | | |
1054 | 1053 | | |
1055 | 1054 | | |
| |||
1284 | 1283 | | |
1285 | 1284 | | |
1286 | 1285 | | |
| 1286 | + | |
| 1287 | + | |
| 1288 | + | |
| 1289 | + | |
1287 | 1290 | | |
1288 | 1291 | | |
1289 | 1292 | | |
| |||
1338 | 1341 | | |
1339 | 1342 | | |
1340 | 1343 | | |
1341 | | - | |
1342 | 1344 | | |
1343 | 1345 | | |
1344 | 1346 | | |
| |||
1455 | 1457 | | |
1456 | 1458 | | |
1457 | 1459 | | |
| 1460 | + | |
| 1461 | + | |
| 1462 | + | |
| 1463 | + | |
1458 | 1464 | | |
1459 | 1465 | | |
1460 | 1466 | | |
| |||
3572 | 3578 | | |
3573 | 3579 | | |
3574 | 3580 | | |
| 3581 | + | |
| 3582 | + | |
| 3583 | + | |
| 3584 | + | |
3575 | 3585 | | |
3576 | 3586 | | |
3577 | 3587 | | |
| |||
7708 | 7718 | | |
7709 | 7719 | | |
7710 | 7720 | | |
| 7721 | + | |
| 7722 | + | |
| 7723 | + | |
| 7724 | + | |
| 7725 | + | |
| 7726 | + | |
| 7727 | + | |
| 7728 | + | |
| 7729 | + | |
| 7730 | + | |
| 7731 | + | |
| 7732 | + | |
| 7733 | + | |
| 7734 | + | |
| 7735 | + | |
| 7736 | + | |
7711 | 7737 | | |
7712 | 7738 | | |
7713 | 7739 | | |
| |||
0 commit comments