Commit graph

654 commits

Author SHA1 Message Date
Eric Gustin
3204201360
fix: TypedDict total=False output breaks validation (#816)
When a tool’s output TypedDict uses total=False, MCP clients reject the
response with:
```
MCP error -32602: Structured content does not match the tool's output schema
```
Note that the bug also exists for the Engine transport
(/worker/tools/execute), but since the engine doesn't validate the
output schema, the bug never surfaced. This PR addresses the problem
holistically (MCP and Engine) in preparation for a future where the
Engine transport validates output schemas.

Two bugs combined to cause this:
1. Schema: The outputSchema had no required array and declared all
fields as strict types (e.g. "type": "string"), making every field look
mandatory and non-null.
2. Serialization: model_dump() on TypedDict-derived Pydantic models
emitted None for absent optional fields. A tool returning {"name":
"hello"} produced {"name": "hello", "optional_field": null} which is a
value the schema forbids.


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Adjusts core schema generation and MCP JSON Schema conversion for
TypedDicts, affecting how tool input/output contracts are emitted and
validated across clients; mistakes could break compatibility or
validation behavior.
> 
> **Overview**
> Fixes MCP/engine validation failures for `TypedDict(total=False)`
outputs by ensuring absent optional keys are **omitted from serialized
output** and that emitted schemas correctly describe **required vs
optional** keys.
> 
> `arcade-core` now tracks `required_keys`/`inner_required_keys` and
per-field `nullable` in `ValueSchema`, derives required sets from
TypedDict `__required_keys__`, and unwraps `Optional[T]` to support
optional nested TypedDicts; TypedDict-derived Pydantic models now
`model_dump(exclude_unset=True)` to avoid leaking missing fields as
`null`.
> 
> `arcade-mcp-server` JSON Schema conversion now emits `required` arrays
(including for arrays of objects), supports `nullable` by generating
`type: [<type>, "null"]` (and `enum` including `None`), and treats
nullable top-level objects as valid unwrapped output schemas. Adds
focused unit/end-to-end tests plus an expanded example server
demonstrating total-false, mixed required/optional, nullable, and
optional-nested TypedDict outputs, and bumps package
versions/dependencies accordingly.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
53fe8365f613053599130520b75f30b614b465ca. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-04-09 17:47:57 -07:00
Eric Gustin
5075b6d40e
Update CLAUDE.md (#815)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Documentation-only changes that clarify protocols, CLI usage, and
environment/configuration conventions; no runtime behavior or
dependencies are modified.
> 
> **Overview**
> **Updates `CLAUDE.md` from a brief repo note to a comprehensive
developer guide.** It now documents the dual-protocol HTTP server model
(MCP + Arcade Worker), key runtime components (`MCPApp`, transports,
context, middleware), and how tool discovery, auth/secrets, and error
handling are intended to work.
> 
> Also refreshes contributor workflow guidance: updated `make`/`uv`
commands, CLI command overview, key environment variables, test/fixture
locations, and stricter notes about avoiding stdout/stderr pollution in
stdio transport paths.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
2e08a62e22f02d4531fdcf6a73837aa8dd38607f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-04-08 16:49:58 -07:00
Eric Gustin
317b9900ba
Remove big binary (#813)
A 35 MB binary was accidentally merged in
https://github.com/ArcadeAI/arcade-mcp/pull/729

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: this PR only deletes a committed binary artifact and does
not change application code or runtime behavior.
> 
> **Overview**
> Removes the previously committed large binary file (about 35 MB) that
was accidentally merged, reducing repository size and avoiding shipping
build artifacts in source control.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
bab409ccd2466e229a22a613f062b66a24daf3dc. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-04-08 13:10:26 -07:00
Eric Gustin
987a4eaef9
Add [tool.uv] exclude-newer config to arcade new's full template (#809)
templates the changes in https://github.com/ArcadeAI/monorepo/pull/765 


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: adds `uv` configuration to generated templates and bumps the
package version, with no runtime logic changes.
> 
> **Overview**
> Updates the `arcade new` **full** template `pyproject.toml` to include
a new `[tool.uv]` section that pins resolver behavior via `exclude-newer
= "1 week"` while exempting key `arcade-*` packages.
> 
> Bumps the root project version from `1.12.2` to `1.12.3`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fd47343d52ee51700affad5c3f1701b3e143002f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-04-08 11:54:12 -07:00
Eric Gustin
59011e9c83
Add state github bot (#812)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Low risk GitHub Actions-only change that affects PR triage by
automatically labeling and closing inactive PRs; no runtime code paths
are modified.
> 
> **Overview**
> Adds a new GitHub Actions workflow (`.github/workflows/stale.yml`) to
automatically mark pull requests as `stale` after 14 days of inactivity
and close them after an additional 14 days.
> 
> The workflow runs daily (and can be manually triggered), exempts PRs
labeled `pinned` or `security`, and explicitly disables
staleness/closure for issues.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
cdac08e3f3a40ccee7a8f79f4962adcdbb2e79c0. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-04-07 17:48:06 -07:00
Eric Gustin
9f904a4ad6
Suppress 500 during deployment warm-up period (#810) 2026-04-07 11:51:40 -07:00
Eric Gustin
82d6661dd9
Better error message (#789)
We should be checking if the entrypoint file is in the current directory
before we validate that it's a valid python file. Otherwise, the error
message will be "invalid name for python file" when someone provides a
path to a valid python file.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: only adjusts input validation/error messaging for `arcade
configure` stdio entrypoints and bumps the package patch version.
> 
> **Overview**
> Improves `arcade configure` stdio entrypoint validation by **rejecting
path-like values** (e.g., containing `/` or `\\`) before checking
filename format, producing a clearer error when users pass a path
instead of a file in the current directory.
> 
> Bumps the project version from `1.13.0` to `1.13.1`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
4d02ee947740f839fd46d9faf62cfa766d5dae47. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-04-02 16:27:23 -07:00
Eric Gustin
d31a81ef3f
Add background update check & notification for arcade CLI (#800)
## Summary
- On every CLI command invocation (except `update`/`upgrade`/`mcp`), a
detached subprocess checks PyPI for newer versions (throttled to once
per 4 hours) and caches the result at `~/.arcade/update_cache.json`
- On the next invocation, if a newer version is known, a yellow
one-liner notification is printed suggesting `arcade update`
- Respects `ARCADE_DISABLE_AUTOUPDATE=1` environment variable to opt out
entirely


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Adds a background PyPI version check that spawns detached subprocesses
and may print update notifications on most CLI invocations; mistakes
could impact CLI reliability or corrupt MCP stdio output (mitigated by
explicit command exclusions).
> 
> **Overview**
> Adds `arcade update` (and hidden `arcade upgrade` alias) to
self-upgrade the `arcade-mcp` CLI by detecting the original install
method (`uv tool`, `pipx`, `uv pip`, or `pip`) and running the
appropriate upgrade command.
> 
> Introduces a **throttled background update check** on most CLI
invocations: a detached subprocess queries PyPI, writes
`~/.arcade/update_cache.json`, and on subsequent runs prints a one-line
notification when a newer version is cached; this is disabled via
`ARCADE_DISABLE_AUTOUPDATE=1` and explicitly skipped for
`update`/`upgrade`/`mcp` to avoid MCP stdio output corruption.
> 
> Bumps the package version to `1.13.0`, adds a `packaging` dependency,
and includes comprehensive tests covering PyPI/yanked/prerelease
handling, install-method detection, caching, and callback integration.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2d9646ecc2211e8cfecd6e4901d14b1f5b7bb306. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-02 11:30:55 -07:00
Eric Gustin
7ce7d6892f
Add 'PRODUCT_ANALYTICS' to SericeDomain enum (#806)
We will be adding some product analytics toolkits in the near future

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: adds a new `ServiceDomain` enum value and bumps the package
version, with minimal behavioral impact beyond any downstream enum
matching/serialization expectations.
> 
> **Overview**
> Adds `ServiceDomain.PRODUCT_ANALYTICS` (`"product_analytics"`) to tool
metadata classification to support upcoming product analytics
integrations.
> 
> Bumps `arcade-core` version from `4.5.0` to `4.6.0`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
84666eaf997401559f8025dbe43563fdd03acd49. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-03-27 17:12:23 -07:00
Eric Gustin
9eec003c72
Add full support for MCP Resources (#803)
Resolves
https://linear.app/arcadedev/issue/TOO-590/add-resources-support-to-server-framework


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Adds new resource registration/reading semantics (including URI
templates and duplicate/multiple-match policies) and changes JSON Schema
generation for tool I/O, which may affect MCP client compatibility and
runtime behavior across servers.
> 
> **Overview**
> **Adds first-class MCP Resources support across `arcade-mcp-server`.**
`MCPApp` can now register resources at build time via
`add_resource`/`@resource` plus convenience `add_text_resource` and
`add_file_resource`, and passes these through to `MCPServer` for startup
loading (including `ResourceTemplate` URIs with `{param}` and `{param*}`
matching).
> 
> **Extends `ResourceManager` behavior.** Resource reads now coerce
handler return types (including raw `bytes` to base64
`BlobResourceContents`), support template matching with
overlap/multiple-match detection, and introduce configurable duplicate
handling policies.
> 
> **Improves tool schema + MCP Apps linking.** Tool input/output JSON
Schema generation is refactored to recursively expand nested `json`
schemas and ensure `outputSchema` is always an object (wrapping
non-object returns in a `result` property); `MCPApp` also supports
attaching arbitrary tool `_meta` extensions (e.g., `ui.resourceUri`)
applied at server start.
> 
> Adds two new example servers (`resources`, `tools_with_output_schema`)
and broad test coverage for resource templates, static/file resources,
meta extensions, and schema wrapping/recursion.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
e785bee79d74110727519b00b81dcad6e9b74212. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-27 15:27:57 -07:00
Eric Gustin
bbba7aec90
Update arcade new --full (#805)
Monorepo has new linting and formatting preferences. Updated the
`--full` to reflect that.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: changes only affect the generated `--full` project template
and CLI help surface (flag is now hidden), plus a patch version bump.
> 
> **Overview**
> Updates `arcade new --full` to be *internal-only* by hiding the flag
and revises the full template to match monorepo conventions
(Ruff/pre-commit versions and hook IDs, `.ruff.toml` now extends the
repo config, `pyproject.toml` formatting/booleans, adds `pytest`
`asyncio_mode`, and removes `pre-commit install` from the template
`Makefile`).
> 
> Adds a regression test ensuring generated full-template files match
these conventions, and bumps the root package version to `1.12.2`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2c1a285752d67dc4dd1aa8e0b6f25ca2f0a33fa2. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-03-27 14:22:32 -07:00
Sankara R. Avula
78c8e6fb99
feat: Add TelemetryPassbackMiddleware for serverExecutionTelemetry capability (#797)
**Implements**: [SEP-2448: server execution telemetry]
(https://github.com/modelcontextprotocol/modelcontextprotocol/pull/2448)



**Description:**

**The Observability Gap (The Problem)**

MCP clients propagate trace context to servers, but server-side
execution remains a black box. The client sees a single tools/call or
resources/read span; everything the server does (auth checks, policy
evaluation, API calls, sub-tool invocations) is invisible. In
cross-organization deployments, clients and servers use separate
observability backends with no shared collector access, making
traditional span export useless.

<img width="1015" height="450" alt="Screenshot 2026-03-23 at 3 43 21 PM"
src="https://github.com/user-attachments/assets/58c817b5-fee6-46a3-9877-d523a25368ad"
/>


**Server Execution Telemetry (The Solution)**

Servers advertise serverExecutionTelemetry and return a curated slice of
their execution spans directly in _meta.otel of the response. Clients
ingest these verbatim OTLP spans into their own collector, stitching
server-side execution into their distributed trace; no shared
infrastructure required. The black box becomes transparent.

<img width="945" height="574" alt="Screenshot 2026-03-23 at 3 43 44 PM"
src="https://github.com/user-attachments/assets/38d97c94-aa73-4e62-9b4e-3264600e5ed0"
/>

.
**Summary:**

Implement MCP serverExecutionTelemetry capability that enables
cross-organization distributed tracing by returning server-side
OpenTelemetry spans to clients inline via _meta.otel.traces.

  Server-side (middleware):
  - TelemetryPassbackMiddleware intercepts tools/call and resources/read
- ContextVarSpanCollector isolates span collection per-request via
ContextVar
- Propagates traceparent from client request for distributed trace
stitching
- Serializes collected spans to verbatim OTLP JSON (resourceSpans
format), directly POSTable to /v1/traces
- Top-level span filtering by default; full span tree via detailed
opt-in
- Middleware advertises capabilities via get_capabilities() on the
Middleware base class
  - Provisional API: FutureWarning emitted until SEP-2448 is ratified

  Client-side (reference agent):
- LangChain ReAct agent connects to MCP server via
streamable_http_client with OAuth 2.1
  - Detects serverExecutionTelemetry capability at initialization
- Dynamically wraps discovered MCP tools with traceparent propagation
and _meta.otel span request
- Ingests returned server spans into Jaeger (OTLP JSON) and Galileo
(OTLP protobuf)
- Two-act demo: --no-passback (black box) vs default (full server-side
visibility)

  Dependencies:
  - opentelemetry-api and opentelemetry-sdk added to arcade-mcp-server

  Bump arcade-mcp-server version to 1.18.0.
2026-03-25 15:57:50 -07:00
Eric Gustin
9bbdbe2b46
Fix outputSchema to conform to MCP spec's object type requirement (#799)
When a stdio server had a tool that didn't return a dict, then:
```
  {
    "code": "invalid_value",
    "values": [
      "object"
    ],
    "path": [
      "tools",
      2,
      "outputSchema",
      "type"
    ],
    "message": "Invalid input: expected \"object\""
  }
```

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes the generated `outputSchema` shape for all non-`json` return
types by wrapping them under a `result` property, which may affect
clients/tests expecting primitive/array schemas despite being
spec-correct.
> 
> **Overview**
> Adjusts MCP tool `outputSchema` generation to **always** emit an
object schema, per the MCP spec that `structuredContent` must be a JSON
object.
> 
> `json` outputs remain a direct object schema, while primitive/array
outputs are now wrapped as `{ "type": "object", "properties": {
"result": <inner> } }` (preserving `enum`/`items`), and tests are
expanded to cover these cases. Bumps `arcade-mcp-server` version to
`1.18.0`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
7dd13bd33d6fdf6ebb778e1a3d9167ca89806f55. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-03-20 15:50:54 -07:00
Eric Gustin
3c7d1e1ee1
Bump authlib dep (#795)
Updated authlib==1.6.6 to authlib==1.6.9 in the CLI's pyproject.toml.
The breaking changes in 1.6.7–1.6.9 are all in the JWT/JOSE/OIDC
modules, which the CLI doesn't use. The only authlib import is
OAuth2Client from authlib.integrations.httpx_client (in
libs/arcade-cli/arcade_cli/authn.py), used for OAuth 2.0 + PKCE. That
module is unaffected.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk dependency/version bump; only affects the CLI’s OAuth2
`OAuth2Client` usage and does not change runtime code paths beyond
pulling in the newer library.
> 
> **Overview**
> Bumps the package version from `1.12.0` to `1.12.1` and upgrades the
pinned `authlib` dependency from `1.6.6` to `1.6.9` in `pyproject.toml`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
f55973deb75f6388b286eca0ca7c16948518e64f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-03-16 17:50:29 -07:00
jottakka
9c47f73602
[TOO-518] Enforce semver for MCPApp Versioning (#793)
Here's the PR summary:

---

## Enforce semver validation for `MCPApp` versioning

### Problem

`MCPApp.__init__` accepted any string as `version` with no validation.
Invalid versions like `"1.0.0dev"` or `"latest"` silently propagated to
the Engine, where `compareToolVersions` fell back to lexicographic
`strings.Compare` instead of `semver.Compare` — causing incorrect
ordering (e.g. `1.10.0 < 1.9.0`).

### Solution

Validate and normalize `version` at `MCPApp` instantiation time using
the same acceptance rules as Go's `golang.org/x/mod/semver v0.31.0` (the
exact version used by the Engine).

### Changes

**`arcade_mcp_server/_validation.py`** (new file)
- Shared regex constants: `SEMVER_PATTERN` (semver.org spec),
`SHORT_VERSION_PATTERN`, `MAJOR_ONLY_PATTERN`

**`arcade_mcp_server/mcp_app.py`**
- Added `_validate_version()` mirroring the existing `_validate_name()`
pattern
- Added `version` property + setter (validates on mutation too)
- `__init__` now stores `self._version` via `_validate_version()`

**`arcade_mcp_server/settings.py`**
- Added `@field_validator("version")` on `ServerSettings` — covers the
`MCP_SERVER_VERSION` env var path
- Fixed default from `"0.1.0dev"` → `"0.1.0"` (the old default was
itself invalid)

**`pyproject.toml`** — bumped `arcade-mcp-server` `1.17.4` → `1.17.5`

### Normalization pipeline

All inputs are normalized to canonical `MAJOR.MINOR.PATCH` before
storage:

| Input | Stored as |
|-------|-----------|
| `v1.0.0` | `1.0.0` |
| `1.0` / `v1.0` | `1.0.0` |
| `1` / `v1` | `1.0.0` |

### Verification

Validated against `golang.org/x/mod/semver v0.31.0` (Engine's exact
pinned version) — 40/40 accept/reject cases match. The Engine's own
`store_test.go` uses `"1.0"` and `"1.1"` as `ToolkitVersion` values,
confirming short forms are intentionally supported.

### Breaking change

Any user currently passing a non-semver version string (e.g.
`"1.0.0dev"`, `"latest"`) will get a `ValueError` on upgrade. This is
intentional — those versions were silently causing incorrect tool
ordering in the Engine.

Closes TOO-518

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Introduces stricter version validation/normalization that will raise
errors for previously-accepted non-semver inputs (including via env
vars), which may break existing consumers depending on lax version
strings.
> 
> **Overview**
> **Enforces semver for server versioning** across both `MCPApp` and
`ServerSettings`, rejecting invalid strings and normalizing accepted
inputs (e.g., stripping leading `v`, expanding `1`/`1.2` to
`1.0.0`/`1.2.0`).
> 
> Adds shared `normalize_version` logic in
`arcade_mcp_server/_validation.py`, updates `MCPApp` to validate on init
and via a new `version` property/setter, and adds a Pydantic `version`
validator so `MCP_SERVER_VERSION` is checked. Defaults are updated from
`0.1.0dev` to `0.1.0`, tests are expanded to cover accept/reject cases,
and the package version is bumped to `1.17.5`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2ceabacb25372e67eef9720b901c1ee2b214868f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Eric Gustin <34000337+EricGustin@users.noreply.github.com>
2026-03-16 16:06:25 -07:00
jottakka
bf6bfa83f1
[TOO-522] Supress chardet noizy versioning warning (#792)
Use this PR summary:

---

## [TOO-522] Suppress chardet warning and fix OpenTelemetry telemetry

### Summary
Reduces noisy chardet/urllib3 warnings in telemetry and updates the
OpenTelemetry logger API to match the current SDK.

### Changes

**`libs/arcade-serve/arcade_serve/fastapi/telemetry.py`**
- Add `warnings.filterwarnings` to ignore `RequestsDependencyWarning`
when chardet≥6 is present (requests uses charset-normalizer regardless)
- Replace `_logs.set_logger_provider` with `set_logger_provider` from
`opentelemetry._logs` (API change in OpenTelemetry 1.15+)

**`.ruff.toml`**
- Add per-file ignore for E402 on `telemetry.py` because
`warnings.filterwarnings` must run before the opentelemetry imports that
pull in requests

**`libs/arcade-serve/pyproject.toml`**
- Bump version 3.2.1 → 3.2.2

---
Closes TOO-522

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: changes are limited to telemetry initialization (warning
filtering and OpenTelemetry logger-provider wiring) plus a patch version
bump, with minimal impact outside observability.
> 
> **Overview**
> Reduces telemetry startup noise by filtering `requests`
`chardet`-related warnings before OpenTelemetry imports, and updates
logging initialization to use `opentelemetry._logs.set_logger_provider`
instead of the deprecated `_logs.set_logger_provider` call.
> 
> Adds a targeted Ruff `E402` per-file ignore for `telemetry.py` to
allow the early warning filter, and bumps `arcade-serve` version from
`3.2.1` to `3.2.2`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5166c51be7cdfb05f86df18490a0c98b44f771c2. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-03-13 15:56:15 -07:00
jottakka
3ed66e663c
Removing Flanky tests (#790)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Test-only change, but it removes coverage for concurrent tool
execution over HTTP, which could let concurrency regressions slip
through unnoticed.
> 
> **Overview**
> Removes three async end-to-end integration tests in
`test_end_to_end.py` that asserted **parallel/concurrent tool
execution** timing across the HTTP `POST /mcp` JSON-RPC route, the `POST
/worker/tools/invoke` route, and a mixed MCP+Worker scenario.
> 
> No production code changes; remaining HTTP and stdio E2E coverage
stays in place, but the suite no longer validates HTTP concurrency
behavior.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
3846363488c935771e79e0bb9b946b98137fdc55. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-03-06 16:03:49 -03:00
Renato Byrro
3e9ffb6bd9
Fix deploy timeout and improve error messages (#770)
- update_deployment() was using httpx default timeout (5s) instead of
the 360s used by deploy_server_to_engine(), causing "The write operation
timed out" errors on larger packages
- Catch httpx.TimeoutException in both deploy paths with an actionable
error message that points to package size as the likely cause
- Add proper error handling (ConnectError, HTTPStatusError) and
client.close() to update_deployment(), matching
deploy_server_to_engine()
- Add unit tests covering timeout handling and timeout constant usage
2026-03-06 10:03:48 -03:00
Eric Gustin
4d48bb765d
arcade new <name> --full generates an MCPApp (#787)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Moderate risk because it changes the default `arcade new --full`
scaffolding (dependencies, entry points, Makefile workflow, licensing)
and removes interactive prompts, which could break existing expectations
for generated projects.
> 
> **Overview**
> `arcade new --full` scaffolding is simplified to be non-interactive
and always generate an `arcade_<name>` package, with derived name
variants (title/hyphenated) and updated next-step instructions (`make
install/dev/test/lint`).
> 
> The full template is updated to produce a runnable `arcade-mcp-server`
`MCPApp` (`__main__.py` + `project.scripts`), switch sample
code/tests/evals to a new async Reddit example tool (auth + metadata)
using `httpx`, and refresh dev tooling (new `Makefile`, ruff config
tweaks, added pytest `conftest.py`).
> 
> Template licensing/metadata is standardized to Arcade proprietary
(removes community/official conditionals and the templated README), and
the repo version is bumped to `1.12.0`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fd39c9ed9beba068fe85cf96979f04a31a40daa4. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-03-05 17:50:10 -08:00
Eric Gustin
830480de83
Remove toolkits (#784) 2026-02-26 09:09:46 -08:00
jottakka
bcee0f556f
Left over fixes for Windows Papercut PR (#781)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Mostly CI/test and CLI output tweaks, plus a small refactor to reuse
existing subprocess termination logic; low risk with minor potential for
CI environment/version compatibility issues.
> 
> **Overview**
> Expands CI coverage by adding Python `3.13` and `3.14` to the GitHub
Actions matrices (main tests, install test, and no-auth CLI
integration), and removes a redundant editable install step in the
no-auth workflow.
> 
> Cleans up Windows subprocess handling by dropping
`arcade_cli.deploy._graceful_terminate` and calling the shared
`arcade_core.subprocess_utils.graceful_terminate_process` directly, with
corresponding test updates.
> 
> Improves `arcade new` scaffolding guidance by printing numbered “Next
steps” with explicit stdio/HTTP run options, and adds/updates CLI tests
to assert this output. Also bumps package version to `1.11.2` and
tightens pre-commit `ruff` excludes (no longer excluding `_scratch`).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
55c2ae106f13e5657acdbebf63e00d74c171181f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-26 13:24:15 -03:00
Eric Gustin
4a737b9710
Improve .env discovery (#737)
Resolves TOO-201

Documentation PR for this is here:
https://github.com/ArcadeAI/docs/pull/626


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes how environment variables/secrets are discovered and loaded,
which can subtly alter runtime behavior depending on directory structure
and existing env vars; bounded traversal and added tests reduce but
don’t eliminate this risk.
> 
> **Overview**
> **Improves `.env` discovery across the MCP server and CLI.** Adds
`find_env_file()` (bounded by the nearest `pyproject.toml` by default)
and switches settings loading, `arcade deploy`, `arcade configure` stdio
env injection, and provider API-key resolution to use it.
> 
> Updates dev reload to also watch the discovered `.env` even when it
lives outside the current working directory, adjusts `deploy --secrets
all` to only run when a `.env` was found, and moves the minimal
scaffold’s `.env.example` to the project root with updated
tests/integration checks. Version bumps align examples and top-level
deps with `arcade-mcp-server` `1.17.4` and `arcade-mcp` `1.11.2`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
40cff1738c14674ce01f09fd325ece9c874cd072. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-25 23:20:28 -08:00
Eric Gustin
c50699d5e6
Migrate OSS toolkits to MCPApp (#782)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Touches multiple toolkits’ runtime entrypoints and context/error/auth
plumbing, so breakage risk is mainly around invocation/packaging and
tool execution wiring rather than business logic.
> 
> **Overview**
> Migrates the BrightData, ClickHouse, LinkedIn, Math, MongoDB,
Postgres, and Zendesk OSS toolkits from `arcade-tdk` to
`arcade-mcp-server` APIs by updating tool decorators, `Context` types,
auth classes, and exception imports.
> 
> Adds per-toolkit `__main__.py` files that construct an `MCPApp`,
register module tools, and run via configurable transport/host/port;
corresponding `pyproject.toml` updates bump versions, drop
`arcade-tdk`/`arcade-serve` deps, and add `project.scripts` console
entrypoints.
> 
> Updates tests and eval suites to use `arcade_mcp_server.Context`
(mocked) and switches eval `ToolCatalog` imports to `arcade_core`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
9b3e31acb4b35e1d72efd47e2d279c5b19e3ecb0. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-25 14:29:18 -08:00
Eric Gustin
36584942f7
Fix runtime warning (#771)
When `python -m arcade_mcp_server` was executed, we would get the
following Runtime Warning:

```
<frozen runpy>:128: RuntimeWarning: 'arcade_mcp_server.__main__' found in sys.modules after import of package 'arcade_mcp_server', but prior to execution of 'arcade_mcp_server.__main__'; this may result in unpredictable behaviour
```

This PR resolves this. This PR is mainly just moving existing functions
to new locations; a refactor


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Primarily a module-organization refactor with minimal behavior change;
main risk is import-path regressions for internal callers and stdio/CLI
startup wiring.
> 
> **Overview**
> Fixes the `python -m arcade_mcp_server` runtime warning by refactoring
`arcade_mcp_server.__main__` to be a thin CLI entrypoint and moving its
reusable logic into import-safe modules.
> 
> Extracts stdio execution and tool discovery into a new
`arcade_mcp_server.stdio_runner` (`initialize_tool_catalog`,
`run_stdio_server`) and moves `setup_logging` into `logging_utils`,
updating `MCPApp`, the FastAPI `worker`, and tests to import from the
new locations. Bumps package version to `1.17.3`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
210475acea7c5df44fc66be2bde06f1f0c806c4e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-25 09:55:37 -08:00
Eric Gustin
25267ab6ee
JSON-safety validation for ToolMetadata.extras (#773)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Tightens validation on tool metadata, which may break existing tools
that relied on non-JSON-serializable `extras` values or keys; changes
are localized and well-covered by tests.
> 
> **Overview**
> Adds **JSON-safety enforcement** for `ToolMetadata.extras`: top-level
keys must be strings at model construction, and `validate_for_tool()`
now recursively rejects non-JSON-native values (including non-finite
floats) with path-rich `ToolDefinitionError` messages.
> 
> Expands tests to cover valid/invalid nested `extras` cases and
error-message quality, and bumps `arcade-core` version to `4.5.0`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2bab0db3c17f0ddb97868764d10494da543b39e5. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-25 09:48:04 -08:00
Eric Gustin
5228c75dc9
Add ToolMetadata to OSS toolkits (#776)
Resolves TOO-388


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Primarily metadata/dependency additions with no changes to core tool
execution paths; risk is limited to potential packaging/import issues
from the new `arcade-mcp-server` dependency.
> 
> **Overview**
> Adds `ToolMetadata` to tool decorators across the Bright Data,
ClickHouse, MongoDB, Postgres, LinkedIn, Zendesk, and Math toolkits,
specifying *behavior* (read-only/idempotency/destructive/open-world)
and, where applicable, *service domain* classification.
> 
> Updates each toolkit package to depend on `arcade-mcp-server` (plus
local `uv` source wiring) and bumps toolkit versions accordingly; minor
`__all__` ordering tweaks in Math/Zendesk are included.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
3bde3a061194e1d1b6a4e8a2ebd608b17984db4f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-25 09:41:41 -08:00
jottakka
fe8ddfd500
[TOO-326] Windows papercuts (#768)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Touches authentication/login flow, credentials-file permissions, and
subprocess lifecycle behavior across platforms; while mostly defensive,
regressions could impact login or process management on Windows/macOS
runners.
> 
> **Overview**
> Improves Windows/cross-platform reliability across the CLI and MCP
server: OAuth login now binds the callback server to `127.0.0.1`, avoids
slow loopback reverse-DNS, adds a configurable callback timeout
(`--timeout` + env default), and opens URLs via a Windows-friendly
`_open_browser` to avoid flashing console windows.
> 
> Centralizes CLI output via a shared `console` that forces UTF-8 on
Windows, standardizes UTF-8 file reads/writes throughout, tightens
credentials-file permissions on Windows using `icacls`, and adds shared
Windows subprocess helpers for **no-window** process creation and
graceful termination (used by `deploy`, MCP reload, and usage-tracking
worker).
> 
> Updates client configuration UX/robustness (Windows AppData resolution
via `platformdirs`, Cursor config path fallbacks + compatibility writes,
overwrite warnings, absolute `uv` path for GUI clients, safer path
display) and improves `deploy` child-process handling to avoid
pipe-buffer deadlocks while giving better debug-aware error messages.
> 
> Expands CI to run tests on Linux/Windows/macOS, adds a no-auth CLI
integration workflow, disables usage tracking in toolkits CI, and adds
extensive regression tests for Windows signals, subprocess cleanup,
UTF-8, and config-path edge cases; bumps `arcade-core` to `4.4.2` and
`arcade-mcp-server` to `1.17.2` (with updated dependency pin).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
0fabd8ca1cd647039ba6ddbdf3f7809c330bab9e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-25 13:18:16 -03:00
Mateo Torres
9baab7fc07
deleted crewai-arcade and contrib directory (#780)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Pure deletion of an already-deprecated contrib package; risk is
limited to any external or internal consumers still depending on it.
> 
> **Overview**
> Removes the deprecated `contrib/crewai` integration package from the
repository.
> 
> This deletes the associated packaging/config files (`pyproject.toml`,
`Makefile`), license/readme, and the `crewai_arcade` module that only
emitted a deprecation warning.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
10737eab971e568e8159e1303cfc1085935aa02f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-23 19:35:58 -03:00
Mateo Torres
cf282b5a32
actually deprecate the package (#779)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Small metadata/build tooling change limited to a deprecated contrib
package; no runtime or security-sensitive logic is modified.
> 
> **Overview**
> Marks the `crewai-arcade` contrib package as updated by bumping its
`pyproject.toml` version from `2.0.0` to `2.0.1` (with deprecation
messaging already in the project description).
> 
> Adds a minimal `Makefile` with an `install` target that runs `uv sync`
to simplify setting up the package’s environment.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
85d7c42ca2fee85f677194e32ddbc2474b507e78. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-21 22:01:14 -03:00
Mateo Torres
6f8db11129
deprecate crewai-langchain (#778) 2026-02-21 00:11:46 +00:00
Evan Tahler
4d783e0d31
Add CLAUDE.md with project guidance for Claude Code (#775)
## Summary
- Adds `CLAUDE.md` with project overview, common commands, library
dependency graph, versioning rules, key code patterns, project layout,
and code quality notes
- Documents that `uv` must always be used (never bare `pip`/`python`)
- Documents that all changes must have tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Documentation-only change with no runtime or build behavior
modifications.
> 
> **Overview**
> Adds a new `CLAUDE.md` developer guidance document for Claude Code,
summarizing repo purpose, common `make`/`uv` commands, library
dependency relationships, and an example `MCPApp` tool pattern.
> 
> Also documents contribution expectations (tests/TDD), versioning bump
rules, project layout, and code-quality tooling/CI conventions.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
cf0f2fc56f418882e8eeac8f7c0127b0673cef52. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Eric Gustin <34000337+EricGustin@users.noreply.github.com>
2026-02-20 12:33:35 -08:00
Evan Tahler
7a28e7f988
Remove secret hints from CLI (#774)
## Summary
- Removes the `Hint` column from `arcade secret list` table output —
secret hints were removed from the API in
[monorepo#322](https://github.com/ArcadeAI/monorepo/pull/322), causing a
`KeyError: 'hint'` crash
- Adds a test for `print_secret_table` with populated secrets (verifying
no hint column)
- Bumps version from 1.10.0 → 1.11.0

Closes TOO-444

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 08:31:18 -08:00
Eric Gustin
a918eef037
Add Tool Metadata (#766) 2026-02-17 14:31:45 -08:00
emmithood
b928f52445
Add Attio wellknown auth class (#769)
Add Attio to the wellknown OAuth2 provider classes so toolkits can use
Attio(scopes=[...]) instead of OAuth2(id=..., scopes=[...]).

---------

Co-authored-by: Eric Gustin <eric@arcade.dev>
2026-02-12 11:05:43 -08:00
jottakka
7472b18106
Fixing bug with multiple providers + stats for multiple runs (#752)
@EricGustin you can use this cli command:
```
uv run arcade evals mcp_building_evals_results/eval_toolkit_iteration_dict.py \
    -p openai:gpt-4o,gpt-4o-mini \
    -p anthropic:claude-sonnet-4-20250514 \
    -k openai:$OPENAI_API_KEY \
    -k anthropic:$ANTHROPIC_API_KEY \
    -d \
    --num-runs 3 \
    --seed random \
    --multi-run-pass-rule majority \
    --max-concurrent 6 \
    -o mcp_building_evals_results/results

```

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches core eval execution and all result formatters while adding new
CLI inputs and output schema (`run_stats`/`critic_stats` and capture
`runs`), so regressions could affect evaluation results and report
compatibility despite being additive and validated.
> 
> **Overview**
> Adds **multi-run evaluation support** to `arcade evals` via new flags
`--num-runs`, `--seed`, and `--multi-run-pass-rule`, with upfront
validation and plumbing through the CLI runner into eval/capture suite
execution.
> 
> Fixes provider selection UX/bug by making `--use-provider/-p`
**repeatable** (instead of a space-delimited string), updates
docs/examples accordingly, and extends capture mode to optionally record
**per-run tool calls** (`CapturedRun`) when `num_runs > 1`.
> 
> Enhances all output formatters (HTML/Markdown/Text/JSON) to
**propagate and display** per-case `run_stats` and `critic_stats`,
including new HTML UI for run tabs/cards and comparative tables showing
mean ± stddev when multi-run data is present.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2ee1654b7d1fbb9538373507355636164b16a066. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-09 14:25:28 -03:00
Eric Gustin
c408208f83
Fix deprecation warning (#765)
`[tool.uv]`'s `dev-dependencies` is deprecated. I got tired of seeing
the warning.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk build/CI tooling change, but it may affect environment setup
if `uv sync` extra resolution differs from the old `--dev` behavior.
> 
> **Overview**
> Removes the deprecated `dev-dependencies` config and instead defines
development requirements as a `dev` optional-dependency extra in
`pyproject.toml`.
> 
> Updates local/CI install paths (Makefile, composite action, and
install-test workflow) to install dev requirements via `uv sync --extra
all --extra dev` rather than `uv sync --dev`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
472ab6e5e498b69d88ac8f08ba8414e901272f26. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- BUGBOT_STATUS --><sup><a
href="https://cursor.com/dashboard?tab=bugbot">Cursor Bugbot</a> found 1
potential issue for commit <u>472ab6e</u></sup><!-- /BUGBOT_STATUS -->
2026-02-04 13:53:56 -08:00
Eric Gustin
35d4912e57
Delete contrib/langchain folder (#764)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Low risk because this only removes a deprecated `contrib/langchain`
package and related metadata, with no runtime logic changes elsewhere.
> 
> **Overview**
> Removes the deprecated `contrib/langchain` subtree entirely, including
its packaging metadata (`pyproject.toml`), module stub
(`langchain_arcade/__init__.py`), and project docs/build files
(`README.md`, `LICENSE`, `Makefile`, `.gitignore`).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
668861993ff5c6874aaa62cfe7e434d26de2591c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-03 16:46:21 -08:00
Eric Gustin
d3c775fb18
Actually deprecate langchain-arcade (#763)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Low risk packaging/dev tooling changes only: bumps the
`langchain-arcade` package version and adds a simple `make install`
helper, with no runtime logic changes.
> 
> **Overview**
> Updates the deprecated `langchain-arcade` package metadata by bumping
`pyproject.toml` version from `2.0.0` to `2.0.1`.
> 
> Adds a minimal `contrib/langchain/Makefile` with an `install` target
that runs `uv sync` to standardize dependency setup.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
823a66e1db9cd406a00ff0c3fe1b89b4f1b9f835. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-03 16:30:59 -08:00
Eric Gustin
859f2989be
ToolExecutionError description (#762)
we actually don't want to deprecate ToolExecutionError

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: behavior change is limited to no longer emitting a
`DeprecationWarning` when `ToolExecutionError` is instantiated, plus a
patch version bump.
> 
> **Overview**
> `ToolExecutionError` is no longer treated as deprecated: the
`warnings` import and runtime `DeprecationWarning` emission were
removed, and the class docstring was updated to describe it as the base
exception for errors raised from within a tool body.
> 
> Bumps `arcade-core` version from `4.2.2` to `4.2.3`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
250d20e393a8a4d8dc20fad673a7faea1cba4797. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-03 16:04:52 -08:00
Eric Gustin
10fd728fcf
Deprecate langchain-arcade (#761)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> This is mostly a packaging/documentation change, but it is a breaking
change because the integration code and dependencies are removed, so any
consumers importing `ToolManager`/`AsyncToolManager` will fail at
runtime.
> 
> **Overview**
> Marks `langchain-arcade` as **deprecated/inactive** and strips it down
to a stub package.
> 
> The PR removes the LangChain/LangGraph integration implementation
(`manager.py`, `_utilities.py`), tests, and local dev tooling
(`Makefile`, `tox.ini`), and updates `README.md` to a deprecation notice
pointing users to `docs.arcade.dev`.
> 
> `pyproject.toml` is bumped to `2.0.0`, clears dependencies, and
updates metadata/URLs; importing `langchain_arcade` now only emits a
`DeprecationWarning` and exports nothing.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d3db1346f6399af90dcc516ffe3755bf26cb6f87. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-03 15:33:43 -08:00
Mateo Torres
44563fce5b
Revert "🪓 langchain-arcade" (#760)
Reverts ArcadeAI/arcade-mcp#759

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Adds a new LangChain/LangGraph integration layer that wraps and
executes Arcade tools, including authorization and error/interrupt
handling; bugs here could impact tool execution semantics for adopters.
Changes are mostly additive and scoped to `contrib/langchain`.
> 
> **Overview**
> Re-introduces a standalone `contrib/langchain` Python package
(`langchain-arcade`) to expose Arcade tools as LangChain
`StructuredTool`s.
> 
> Adds sync/async `ToolManager` implementations plus utilities to
generate Pydantic arg schemas from `ToolDefinition`, optionally rewrite
tool names (underscores vs dots), and handle authorization via LangGraph
`NodeInterrupt` or structured error responses.
> 
> Includes packaging/dev scaffolding (`pyproject.toml`, `tox.ini`,
`Makefile`, `.gitignore`, `LICENSE`, `README`) and a comprehensive test
suite covering manager behaviors and auth flows.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
abd23b6d954470cb1e7376158468c0e59cdc7d7a. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-02-02 18:31:26 -03:00
Mateo Torres
2dc810673d
🪓 langchain-arcade (#759) 2026-01-31 19:21:38 +00:00
Eric Gustin
d7d765343e
Fix multiple worker log level bug (#758)
When running `arcade_mcp_server` with `workers > 1`, uvicorn spawns
worker subprocesses that directly call `create_arcade_mcp_factory()`
without going through `main()`. Since `setup_logging()` is only called
in `main()`, these subprocesses have no logging configuration, causing:

1. Standard Python logging not intercepted by Loguru
    
2. DEBUG-level logs from libraries like urllib3 appearing when OTEL is
enabled
    
3. Inconsistent log formats between main process and workers

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches process-wide logging initialization for uvicorn worker
subprocesses, which can affect log levels/handlers and output across the
server. Functional impact is limited to observability but could change
verbosity when OTEL or libraries emit logs.
> 
> **Overview**
> Fixes multi-worker/reload mode logging by configuring Loguru inside
`create_arcade_mcp_factory()` (using `ARCADE_MCP_DEBUG` to set `INFO` vs
`DEBUG`) so uvicorn-spawned worker subprocesses get the same
logging/interception as `main()`.
> 
> Adds regression tests that assert the factory filters DEBUG logs by
default and enables them when `ARCADE_MCP_DEBUG=true`, and bumps
`arcade-mcp-server` to `1.15.2`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
0c262eb9716ecbd589f1524842243a7aed80666e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-01-30 15:37:52 -08:00
Eric Gustin
a4160dd9fe
Four bug fixes (#754)
1. Resolves
[TOO-363](https://linear.app/arcadedev/issue/TOO-363/arcade-deploy-fails-when-additional-deps-are-added-to-the-server).
2. Resolves
[TOO-364](https://linear.app/arcadedev/issue/TOO-364/arcade-cores-tool-skip-logic-is-missing-case-for-direct-execution).
3. Resolves
[TOO-358](https://linear.app/arcadedev/issue/TOO-358/missing-evals-error-message-shows-wrong-command).
4. Resolves
[TOO-365](https://linear.app/arcadedev/issue/TOO-365/arcade-evals-unit-tests-are-hanging).

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Medium risk because it changes how `arcade deploy` spawns the server
process and adjusts toolkit discovery skip logic, which can affect
deployments and tool discovery; however, the changes are small and
covered by new unit/integration tests.
> 
> **Overview**
> `arcade deploy` now starts the validation server using the project’s
`.venv` interpreter (via `find_python_interpreter`) instead of the CLI’s
own `sys.executable`, preventing missing dependency failures when the
CLI is installed in an isolated env.
> 
> `arcade-core`’s `Toolkit.tools_from_directory` skip logic is hardened
to also skip the currently executing entrypoint by module name
(`__main__.__spec__.name`) when file paths don’t match (e.g., bundled
execution). CLI error printing now escapes plain messages to avoid rich
markup issues, and `arcade-evals` lock acquisition accepts an optional
timeout default.
> 
> Adds unit tests for the new toolkit skip behavior and an integration
test that boots the MCP server via direct Python invocation to mirror
deployment behavior, and bumps `arcade-core`, `arcade-mcp-server`, and
root dependency versions accordingly.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
e7785634c231c059f2e0bd1bc73a56bd7470a494. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-01-29 15:12:06 -08:00
Nate Barbettini
ab47565540
chore: Bump langchain-core version (#757)
Bumping `langchain-core` to get bugfixes from that project.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Updates dependency and package version for the LangChain integration.
> 
> - Bumps `langchain-core` requirement to `>=0.3.80,<0.4`
> - Increments `langchain-arcade` package version to `1.4.5` in
`pyproject.toml`
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
ede8c67dbe88061f39bfe5466f157b36ae21bb1b. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-01-28 17:36:44 -07:00
dependabot[bot]
da36cc793c
Bump authlib from 1.6.5 to 1.6.6 (#755)
Bumps [authlib](https://github.com/authlib/authlib) from 1.6.5 to 1.6.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/authlib/authlib/releases">authlib's
releases</a>.</em></p>
<blockquote>
<h2>v1.6.6</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(ClientAuth): fix incorrect signature when Content-Type is
x-www-form-urlencoded by <a
href="https://github.com/shc261392"><code>@​shc261392</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/778">authlib/authlib#778</a></li>
<li>Fix: Use <code>expires_in</code> when <code>expires_at</code> is
unparsable by <a
href="https://github.com/bendavis78"><code>@​bendavis78</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/842">authlib/authlib#842</a></li>
<li><code>get_jwt_config</code> takes a <code>client</code> parameter.
by <a href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/844">authlib/authlib#844</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/shc261392"><code>@​shc261392</code></a>
made their first contribution in <a
href="https://redirect.github.com/authlib/authlib/pull/778">authlib/authlib#778</a></li>
<li><a
href="https://github.com/bendavis78"><code>@​bendavis78</code></a> made
their first contribution in <a
href="https://redirect.github.com/authlib/authlib/pull/842">authlib/authlib#842</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/authlib/authlib/compare/v1.6.5...v1.6.6">https://github.com/authlib/authlib/compare/v1.6.5...v1.6.6</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/authlib/authlib/blob/main/docs/changelog.rst">authlib's
changelog</a>.</em></p>
<blockquote>
<h2>Version 1.6.6</h2>
<p><strong>Released on Dec 12, 2025</strong></p>
<ul>
<li><code>get_jwt_config</code> takes a <code>client</code> parameter,
:pr:<code>844</code>.</li>
<li>Fix incorrect signature when <code>Content-Type</code> is
x-www-form-urlencoded for OAuth 1.0 Client, :pr:<code>778</code>.</li>
<li>Use <code>expires_in</code> in <code>OAuth2Token</code> when
<code>expires_at</code> is unparsable, :pr:<code>842</code>.</li>
<li>Always track <code>state</code> in session for OAuth client
integrations.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="bb7a315bef"><code>bb7a315</code></a>
chore: release 1.6.6</li>
<li><a
href="0a423d4638"><code>0a423d4</code></a>
Merge pull request <a
href="https://redirect.github.com/authlib/authlib/issues/844">#844</a>
from azmeuk/806-get-jwt-config-client</li>
<li><a
href="2808378611"><code>2808378</code></a>
Merge commit from fork</li>
<li><a
href="714502a473"><code>714502a</code></a>
feat: get_jwt_config takes a client parameter</li>
<li><a
href="260d04edee"><code>260d04e</code></a>
Fix: Use <code>expires_in</code> when <code>expires_at</code> is
unparsable</li>
<li><a
href="eb37124bbb"><code>eb37124</code></a>
Merge pull request <a
href="https://redirect.github.com/authlib/authlib/issues/778">#778</a>
from shc261392/fix-httpx-oauth1-form-data-incorrect-s...</li>
<li><a
href="0ba9ec4fee"><code>0ba9ec4</code></a>
docs: fix guide on requests self signed certificate</li>
<li><a
href="a2e9943815"><code>a2e9943</code></a>
docs: indicate that <a
href="https://redirect.github.com/authlib/authlib/issues/743">#743</a>
needs a migration</li>
<li><a
href="06015d2065"><code>06015d2</code></a>
test: factorize the token fixture</li>
<li>See full diff in <a
href="https://github.com/authlib/authlib/compare/v1.6.5...v1.6.6">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=authlib&package-manager=pip&previous-version=1.6.5&new-version=1.6.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/ArcadeAI/arcade-mcp/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-28 16:25:42 -08:00
Mateo Torres
e5312bc860
remove examples to be absorved as templates (#753)
🪓 

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Removes legacy example projects to be replaced by templates.
> 
> - Deletes entire `contrib/examples/*` subtrees: `ai-sdk`, `crewai`,
`langchain`, `langchain-ts`, `langgraph-ts`, and `mastra`
> - Removes associated source files, READMEs, env samples, package/lock
files, and miscellaneous configs
> 
> No product code changed; docs/examples only.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
0efc4ecc3e5a9d60d8cf3e853fd0d9aecd1ed4a8. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2026-01-23 23:34:42 -03:00
Evan Tahler
b3a90889c6
Npm-form-data security vulnerability (#743)
Remediate CVE-2025-7783 critical vulnerability in the `form-data`
package across the repository.

The `form-data` package (versions >= 4.0.0 and < 4.0.4) used
`Math.random()` to generate boundary values, which is predictable and
could allow attackers to inject additional parameters into requests.
This PR updates the affected dependencies to a secure version (>= 4.0.4)
by running `npm audit fix` in `openai-agents-ts` and adding a pnpm
override in `langchain-ts`.

---
Linear Issue:
[TOO-333](https://linear.app/arcadedev/issue/TOO-333/vanta-remediate-critical-vulnerabilities-identified-in-packages-are)

<a
href="https://cursor.com/background-agent?bcId=bc-10abc1b2-8ec1-42cc-8ab9-6c7d1ff8a69d"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-cursor-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in
Cursor"
src="https://cursor.com/open-in-cursor.svg"></picture></a>&nbsp;<a
href="https://cursor.com/agents?id=bc-10abc1b2-8ec1-42cc-8ab9-6c7d1ff8a69d"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-web-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web"
src="https://cursor.com/open-in-web.svg"></picture></a>

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Security and dependency updates**
> 
> - Adds `pnpm` override in `contrib/examples/langchain-ts/package.json`
to force `form-data@>=4.0.4`
> - Refreshes `pnpm-lock.yaml` for `langchain-ts`, upgrading `form-data`
to `4.0.5` and bumping related transitive deps (e.g., `axios`,
`follow-redirects`, `ws`, `dotenv`, `jsonwebtoken`,
`zod-to-json-schema`)
> - Updates `contrib/examples/openai-agents-ts/package-lock.json`:
upgrades `@modelcontextprotocol/sdk` to `1.25.3` (adds optional
`@hono/node-server`, `hono`, `jose`, `json-schema-typed`) and bumps `qs`
to `6.14.1`
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
ae26b3d994d8fb0a6f4a88be34b7f17fb98cef6e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
2026-01-20 18:17:56 -08:00
Eric Gustin
28c1863ee3
Support Ed25519 Algorithm (#742)
Ed25519 is needed for Arcade AS. This required migrating from
`python-jose` to `joserfc`, because `python-jose` didn't seem to support
Ed25519
2026-01-16 15:55:05 -08:00
Eric Gustin
a941eb7ffe
Fix dateutil dependency issue (#741)
This is the quick fix for placing the dateutil as a required dep instead
of as an 'extra' dep.

This is the second time in one week that a missing dependency has bitten
us. I've created a ticket (TOO-317) to catch this class of bugs in our
CI pipeline.
2026-01-14 15:33:48 -08:00