Skip to content

Commit f9a6ae0

Browse files
authored
Merge branch 'main' into renovate/mcp-clickhouse-0.x
2 parents b07b59d + 8ded2f0 commit f9a6ae0

100 files changed

Lines changed: 575 additions & 158 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/build-containers.yml

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -206,7 +206,7 @@ jobs:
206206
python-version: '3.13'
207207

208208
- name: Set up uv
209-
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
209+
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
210210
with:
211211
enable-cache: true
212212

@@ -261,6 +261,10 @@ jobs:
261261
MCP_SCANNER_ENABLE_LLM: ${{ vars.MCP_SCANNER_ENABLE_LLM || 'false' }}
262262
MCP_SCANNER_LLM_API_KEY: ${{ secrets.MCP_SCANNER_LLM_API_KEY }}
263263
MCP_SCANNER_LLM_MODEL: ${{ vars.MCP_SCANNER_LLM_MODEL || '' }}
264+
# Severity threshold for blocking. Findings below this severity are
265+
# surfaced as warnings but do not fail the job. One of: INFO, LOW,
266+
# MEDIUM, HIGH, CRITICAL. Tune via PR.
267+
MCP_SCANNER_BLOCK_SEVERITY: HIGH
264268
SERVER_NAME: ${{ steps.meta.outputs.server_name }}
265269
PROTOCOL: ${{ steps.meta.outputs.protocol }}
266270
CONFIG_FILE: ${{ matrix.config }}
@@ -353,7 +357,7 @@ jobs:
353357
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
354358

355359
- name: Install Cosign
356-
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
360+
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
357361

358362
- name: Install yq
359363
uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2

.github/workflows/build-skills.yml

Lines changed: 16 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -162,7 +162,7 @@ jobs:
162162
python-version: '3.13'
163163

164164
- name: Set up uv
165-
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
165+
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
166166
with:
167167
enable-cache: true
168168

@@ -218,8 +218,20 @@ jobs:
218218
- name: Run skill security scan
219219
id: scan
220220
env:
221-
SKILL_SCANNER_USE_LLM: ${{ vars.SKILL_SCANNER_USE_LLM || 'false' }}
222-
SKILL_SCANNER_LLM_API_KEY: ${{ secrets.SKILL_SCANNER_LLM_API_KEY }}
221+
# LLM analyzer (LiteLLM-driven). Reuses the same provider key as the
222+
# MCP scanner — single secret across both pipelines, single rotation.
223+
# Toggle via repo variable SKILL_SCANNER_USE_LLM=false to disable in a pinch.
224+
SKILL_SCANNER_USE_LLM: ${{ vars.SKILL_SCANNER_USE_LLM || 'true' }}
225+
SKILL_SCANNER_LLM_API_KEY: ${{ secrets.MCP_SCANNER_LLM_API_KEY }}
226+
# Dedicated model knob — set to e.g. anthropic/claude-sonnet-4. If unset,
227+
# skill-scanner falls back to its built-in default (claude-3-5-sonnet-...).
228+
SKILL_SCANNER_LLM_MODEL: ${{ vars.SKILL_SCANNER_LLM_MODEL }}
229+
# Optional consensus voting — N>1 multiplies LLM cost per scan.
230+
SKILL_SCANNER_LLM_CONSENSUS_RUNS: ${{ vars.SKILL_SCANNER_LLM_CONSENSUS_RUNS }}
231+
# Severity threshold for blocking. Findings below this severity are
232+
# surfaced as warnings but do not fail the job. One of: INFO, LOW,
233+
# MEDIUM, HIGH, CRITICAL. Tune via PR.
234+
SKILL_SCANNER_BLOCK_SEVERITY: HIGH
223235
SKILL_NAME: ${{ steps.meta.outputs.skill_name }}
224236
SOURCE_DIR: ${{ steps.skill-src.outputs.source_dir }}
225237
CONFIG_FILE: ${{ matrix.config }}
@@ -285,7 +297,7 @@ jobs:
285297

286298
- name: Install Cosign
287299
if: github.event_name != 'pull_request'
288-
uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
300+
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
289301

290302
- name: Install yq
291303
uses: mikefarah/yq@751d8ad57b84f1794661bc70c0afb92a22ad7b3c # v4.53.2

go.mod

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ go 1.26.1
55
require (
66
github.com/sigstore/sigstore-go v1.1.4
77
github.com/spf13/cobra v1.10.2
8-
github.com/stacklok/toolhive v0.22.0
8+
github.com/stacklok/toolhive v0.24.1
99
github.com/stacklok/toolhive-core v0.0.16
1010
gopkg.in/yaml.v3 v3.0.1
1111
)
@@ -137,7 +137,7 @@ require (
137137
github.com/lestrrat-go/jwx/v3 v3.0.13 // indirect
138138
github.com/lestrrat-go/option/v2 v2.0.0 // indirect
139139
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
140-
github.com/mark3labs/mcp-go v0.48.0 // indirect
140+
github.com/mark3labs/mcp-go v0.49.0 // indirect
141141
github.com/mattn/go-isatty v0.0.20 // indirect
142142
github.com/mattn/goveralls v0.0.12 // indirect
143143
github.com/mitchellh/go-homedir v1.1.0 // indirect

go.sum

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -513,8 +513,8 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2
513513
github.com/luna-duclos/instrumentedsql v1.1.3/go.mod h1:9J1njvFds+zN7y85EDhN9XNQLANWwZt2ULeIC8yMNYs=
514514
github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
515515
github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
516-
github.com/mark3labs/mcp-go v0.48.0 h1:o+MXuGW/HCeR2ny5LcAcZQn2bo6I2xaZMEHnpRG+dtw=
517-
github.com/mark3labs/mcp-go v0.48.0/go.mod h1:JKTC7R2LLVagkEWK7Kwu7DbmA6iIvnNAod6yrHiQMag=
516+
github.com/mark3labs/mcp-go v0.49.0 h1:7Ssx4d7/T86qnWoJIdye7wEEvUzv39UIbnZb/FqUZMY=
517+
github.com/mark3labs/mcp-go v0.49.0/go.mod h1:BflTAZAzXlrTpiO44gmjMu89n2FO56rJ9m31fp4zd5k=
518518
github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
519519
github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
520520
github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
@@ -721,8 +721,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
721721
github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
722722
github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
723723
github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
724-
github.com/stacklok/toolhive v0.22.0 h1:iUJ2JWDx+ZJU6xCFTr59PXAOKXDJ42iWPcZTxgvxook=
725-
github.com/stacklok/toolhive v0.22.0/go.mod h1:xThyeOmXAn16v3XmDbe5ONZR35zENw8CVJh10Tl49mg=
724+
github.com/stacklok/toolhive v0.24.1 h1:KztXdMtedNZIQkXGNCT4A0gxVNl7PBf2TOow4EgnCQo=
725+
github.com/stacklok/toolhive v0.24.1/go.mod h1:4axQeiCK+IOFz/gs01XhbDFlgMM1QjiH9ZJriqsTiD0=
726726
github.com/stacklok/toolhive-core v0.0.16 h1:Td/o/zrO3Pbr6tkx4r0k8Bqn9DySlwgah2vknE8tj5A=
727727
github.com/stacklok/toolhive-core v0.0.16/go.mod h1:iHp39rCHZxXzU5FmXKK9aoH48NE+K0ob+MtdTS9CvAk=
728728
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

npx/chrome-devtools-mcp/spec.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ metadata:
1111

1212
spec:
1313
package: "chrome-devtools-mcp"
14-
version: "0.22.0"
14+
version: "0.23.0"
1515

1616
provenance:
1717
repository_uri: "https://github.com/ChromeDevTools/chrome-devtools-mcp"

npx/context7/spec.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ metadata:
1111

1212
spec:
1313
package: "@upstash/context7-mcp" # NPM package name
14-
version: "2.1.8" # Specific version to install
14+
version: "2.2.0" # Specific version to install
1515

1616
provenance:
1717
# Note: This package does not have npm provenance attestations (Sigstore signatures)

npx/heroku-mcp-server/spec.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ metadata:
1111

1212
spec:
1313
package: "@heroku/mcp-server"
14-
version: "1.2.1"
14+
version: "1.2.2"
1515

1616
provenance:
1717
repository_uri: "https://github.com/heroku/heroku-mcp-server"

npx/phoenix-mcp/spec.yaml

Lines changed: 13 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ metadata:
1111

1212
spec:
1313
package: "@arizeai/phoenix-mcp"
14-
version: "4.0.6"
14+
version: "4.0.7"
1515

1616
provenance:
1717
repository_uri: "https://github.com/Arize-ai/phoenix"
@@ -23,4 +23,15 @@ provenance:
2323
security:
2424
# Server requires PHOENIX_API_KEY and PHOENIX_BASE_URL to start - cannot be scanned in CI
2525
insecure_ignore: true
26-
allowed_issues: []
26+
allowed_issues:
27+
- code: "AITech-1.1"
28+
tool: "add-dataset-examples"
29+
reason: |
30+
False positive - LLM analyzer flagged the description for instructing
31+
the agent to "check existing examples using the get-dataset-examples
32+
tool ... to ensure that you are not adding duplicate examples". This is
33+
legitimate workflow guidance for chained tool usage (avoid duplicate
34+
rows on append) and the recommended pattern for MCP tools that mutate
35+
state. It does not override system instructions or attempt to redirect
36+
agent behavior outside this tool's scope. Verified in v4.0.7
37+
(datasetTools.ts ADD_DATASET_EXAMPLES_DESCRIPTION).

npx/pinecone-mcp/spec.yaml

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
# Pinecone MCP Server Configuration
2+
# Package: https://www.npmjs.com/package/@pinecone-database/mcp
3+
# Repository: https://github.com/pinecone-io/pinecone-mcp
4+
# Will build as: ghcr.io/stacklok/dockyard/npx/pinecone-mcp:0.2.1
5+
6+
metadata:
7+
name: pinecone-mcp
8+
description: "Pinecone MCP server — enables AI assistants to interact with Pinecone indexes (list, describe, create-for-model, upsert, search, cascading-search, rerank) and query Pinecone documentation"
9+
protocol: npx
10+
11+
spec:
12+
package: "@pinecone-database/mcp"
13+
version: "0.2.1"
14+
15+
provenance:
16+
repository_uri: "https://github.com/pinecone-io/pinecone-mcp"
17+
repository_ref: "refs/tags/v0.2.1"
18+
19+
security:
20+
# Mock env vars allow security scanning of auth-gated tools without real credentials.
21+
# Without PINECONE_API_KEY the server exposes only `search-docs`; with a valid-shape key
22+
# it also exposes list/describe/create/upsert/search/rerank tools (9 total).
23+
mock_env:
24+
- name: PINECONE_API_KEY
25+
value: "pcsk_mock-pinecone-api-key-for-scanning"
26+
description: "Pinecone API key — mock value for security scanning"

npx/sentry-mcp-server/spec.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ metadata:
1111

1212
spec:
1313
package: "@sentry/mcp-server"
14-
version: "0.32.0"
14+
version: "0.33.0"
1515

1616
provenance:
1717
repository_uri: "https://github.com/getsentry/sentry-mcp"

0 commit comments

Comments
 (0)