Skip to content

Release/v0.2.0#5

Closed
Miggets7 wants to merge 17 commits into
mainfrom
release/v0.2.0
Closed

Release/v0.2.0#5
Miggets7 wants to merge 17 commits into
mainfrom
release/v0.2.0

Conversation

@Miggets7

Copy link
Copy Markdown
Contributor

No description provided.

Miggets7 added 17 commits May 15, 2026 20:31
…t_current_user

Remove tool families that are either security liabilities or low-value for an
LLM-driven workflow:

- users-sessions.ts (both tools): disconnect_user_session uses HTTP GET to
  mutate state, easy for an LLM to fire by accident and log real users out.
  get_user_sessions had marginal debug value on its own.
- update_password / update_current_password: plaintext password flows through
  the LLM context (transcripts, provider logs, cache). Email-only reset flow
  (request_password_reset, request_current_password_reset) stays.
- reset_user_secret: regenerating a service user's OAuth secret can lock out
  integrations and, worst case, the MCP server's own auth.
- get_current_user: returns the service-user identity that the server already
  runs as; marginal value to downstream prompts.

Net: 24 -> 17 user tools. PUT-replace semantics on update_user and the
update_*_roles tools kept as-is (description warnings already present).
Drop the users-sessions import and registerUserSessionTools() call, and
remove the trimmed tool names from the LLM-facing instructions block.
README capability table: tool count 49 -> 43; rows for get_current_user,
update_password, update_current_password, reset_user_secret,
get_user_sessions, disconnect_user_session removed.

CLAUDE.md: add project guidance file; scope-boundaries paragraph documents
that sessions and direct-credential mutation are deferred (footgun +
LLM-context credential leakage); conventions paragraph lists the active
users-* split sub-files.
list_accessible_realms is the non-admin variant, so the "(admin)"
qualifier on the realms instructions heading was inaccurate.
…sthrough

Review findings (PR #1):
- update_realm: the backend requires the realm id in the body and 500s
  without it. Extract a shared base schema, add a required id to the
  update variant, and document that a get_realm-first read is mandatory
  for every update, not only partial ones.
- update_user_client_roles: document that roles are name strings, not the
  role objects get_client_roles returns.
- request_password_reset / request_current_password_reset: note that a
  configured mail server is required; the backend returns a 500 otherwise.
- Remove update_current_user and update_current_user_locale: both are dead
  under service-account auth (405 and no-op). Drops registration, the
  users-self files, and updates README and scope notes.

Cleanup:
- Replace deprecated ZodObject.passthrough() with z.looseObject() / .loose()
  (Zod 4.4.3); behavior unchanged.
Remove request_current_password_reset: like the other self-service
endpoints it is useless under service-account auth (it emails the
service account's nonexistent inbox). Inline the remaining
request_password_reset into users-crud.ts and delete the now
single-tool users-passwords.ts; absorb its tests. Note the exclusion
in the scope boundaries.

Fix syslog enum drift against @openremote/model: drop the invalid
DEBUG level and MANAGER category, add the missing ALARM category.
The model ships these as ambient const enums, so deriving them via
Object.values hits TS2475 under tsc; keep corrected literals in sync
on model bumps instead.
@Miggets7
Miggets7 requested a review from Ekhorn July 15, 2026 10:15
@Ekhorn

Ekhorn commented Jul 15, 2026

Copy link
Copy Markdown

@Miggets7 this was already merged right? See #1

@Miggets7

Copy link
Copy Markdown
Contributor Author

@Ekhorn I believe so, but it also shows 17 commits ahead?
I will delete it, because it's seems weird

@Miggets7 Miggets7 closed this Jul 15, 2026
@Miggets7
Miggets7 deleted the release/v0.2.0 branch July 15, 2026 11:33
@Ekhorn

Ekhorn commented Jul 15, 2026

Copy link
Copy Markdown

but it also shows 17 commits ahead?

@Miggets7 probably because it was squash merged (a single commit)

Asked Dennis to enable auto delete branches once they are merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants