Release/v0.2.0#5
Closed
Miggets7 wants to merge 17 commits into
Closed
Conversation
…t_current_user Remove tool families that are either security liabilities or low-value for an LLM-driven workflow: - users-sessions.ts (both tools): disconnect_user_session uses HTTP GET to mutate state, easy for an LLM to fire by accident and log real users out. get_user_sessions had marginal debug value on its own. - update_password / update_current_password: plaintext password flows through the LLM context (transcripts, provider logs, cache). Email-only reset flow (request_password_reset, request_current_password_reset) stays. - reset_user_secret: regenerating a service user's OAuth secret can lock out integrations and, worst case, the MCP server's own auth. - get_current_user: returns the service-user identity that the server already runs as; marginal value to downstream prompts. Net: 24 -> 17 user tools. PUT-replace semantics on update_user and the update_*_roles tools kept as-is (description warnings already present).
Drop the users-sessions import and registerUserSessionTools() call, and remove the trimmed tool names from the LLM-facing instructions block.
README capability table: tool count 49 -> 43; rows for get_current_user, update_password, update_current_password, reset_user_secret, get_user_sessions, disconnect_user_session removed. CLAUDE.md: add project guidance file; scope-boundaries paragraph documents that sessions and direct-credential mutation are deferred (footgun + LLM-context credential leakage); conventions paragraph lists the active users-* split sub-files.
list_accessible_realms is the non-admin variant, so the "(admin)" qualifier on the realms instructions heading was inaccurate.
…sthrough Review findings (PR #1): - update_realm: the backend requires the realm id in the body and 500s without it. Extract a shared base schema, add a required id to the update variant, and document that a get_realm-first read is mandatory for every update, not only partial ones. - update_user_client_roles: document that roles are name strings, not the role objects get_client_roles returns. - request_password_reset / request_current_password_reset: note that a configured mail server is required; the backend returns a 500 otherwise. - Remove update_current_user and update_current_user_locale: both are dead under service-account auth (405 and no-op). Drops registration, the users-self files, and updates README and scope notes. Cleanup: - Replace deprecated ZodObject.passthrough() with z.looseObject() / .loose() (Zod 4.4.3); behavior unchanged.
Remove request_current_password_reset: like the other self-service endpoints it is useless under service-account auth (it emails the service account's nonexistent inbox). Inline the remaining request_password_reset into users-crud.ts and delete the now single-tool users-passwords.ts; absorb its tests. Note the exclusion in the scope boundaries. Fix syslog enum drift against @openremote/model: drop the invalid DEBUG level and MANAGER category, add the missing ALARM category. The model ships these as ambient const enums, so deriving them via Object.values hits TS2475 under tsc; keep corrected literals in sync on model bumps instead.
Contributor
Author
|
@Ekhorn I believe so, but it also shows 17 commits ahead? |
@Miggets7 probably because it was squash merged (a single commit) Asked Dennis to enable auto delete branches once they are merged. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.