Commit graph

598 commits

Author SHA1 Message Date
Evan Tahler
57d5d314e0
Run all tests with dependabot (#727)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Removes the dependabot exclusion so secret-backed toolkit tests run on
any non-fork PR.
> 
> - **CI (GitHub Actions)**
> - Update `if` condition in `/.github/workflows/test-toolkits.yml` for
"Test stand-alone toolkits (with secrets)":
> - Remove `github.actor != 'dependabot[bot]'`, leaving only
`!github.event.pull_request.head.repo.fork` to allow tests with secrets
on non-fork PRs (including dependabot).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fab42ac63abe305cc5f5344ab6bcb8386c541fb6. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-12 17:35:15 -08:00
dependabot[bot]
324a148b5b
Bump authlib from 1.3.0 to 1.6.5 (#724)
Bumps [authlib](https://github.com/authlib/authlib) from 1.3.0 to 1.6.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/authlib/authlib/releases">authlib's
releases</a>.</em></p>
<blockquote>
<h2>v1.6.5</h2>
<h2>What's Changed</h2>
<ul>
<li>Add a <code>request</code> param to RFC7591
<code>generate_client_info</code> and
<code>generate_client_secret</code> methods by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/825">authlib/authlib#825</a></li>
<li>feat: support list params in prepare_grant_uri by <a
href="https://github.com/lisongmin"><code>@​lisongmin</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/827">authlib/authlib#827</a></li>
<li>chore(deps): bump SonarSource/sonarqube-scan-action from 5 to 6 in
/.github/workflows by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/authlib/authlib/pull/828">authlib/authlib#828</a></li>
<li>fix(jose): add max size for JWE zip=DEF decompression by <a
href="https://github.com/lepture"><code>@​lepture</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/830">authlib/authlib#830</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/lisongmin"><code>@​lisongmin</code></a>
made their first contribution in <a
href="https://redirect.github.com/authlib/authlib/pull/827">authlib/authlib#827</a></li>
<li><a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
made their first contribution in <a
href="https://redirect.github.com/authlib/authlib/pull/828">authlib/authlib#828</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/authlib/authlib/compare/v1.6.4...v1.6.5">https://github.com/authlib/authlib/compare/v1.6.4...v1.6.5</a></p>
<h2>v1.6.4</h2>
<h2>What's Changed</h2>
<ul>
<li>fix(jose): prevent public/unprotected header overwriting protected
header by <a
href="https://github.com/lepture"><code>@​lepture</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/809">authlib/authlib#809</a></li>
<li>Fix <code>InsecureTransportError</code> raising by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/810">authlib/authlib#810</a></li>
<li>Add conventional-commits pre-commit hook by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/811">authlib/authlib#811</a></li>
<li>Fix response_mode=form_post with Starlette client by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/812">authlib/authlib#812</a></li>
<li>Specify README.md as project long description by <a
href="https://github.com/EpicWink"><code>@​EpicWink</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/817">authlib/authlib#817</a></li>
<li>Migrate tests to pytest paradigm by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/813">authlib/authlib#813</a></li>
<li>jose/jws: Reject unprotected ‘crit’ and enforce type; add tests by
<a href="https://github.com/AL-Cybision"><code>@​AL-Cybision</code></a>
in <a
href="https://redirect.github.com/authlib/authlib/pull/823">authlib/authlib#823</a></li>
<li>Use explicit *.test urls in unit tests by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/824">authlib/authlib#824</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/EpicWink"><code>@​EpicWink</code></a>
made their first contribution in <a
href="https://redirect.github.com/authlib/authlib/pull/817">authlib/authlib#817</a></li>
<li><a
href="https://github.com/AL-Cybision"><code>@​AL-Cybision</code></a>
made their first contribution in <a
href="https://redirect.github.com/authlib/authlib/pull/823">authlib/authlib#823</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/authlib/authlib/compare/v1.6.3...v1.6.4">https://github.com/authlib/authlib/compare/v1.6.3...v1.6.4</a></p>
<h2>Version 1.6.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Add diff-cover check in GHA by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/803">authlib/authlib#803</a></li>
<li>Run GHA unit tests with uv by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/805">authlib/authlib#805</a></li>
<li>Move from pre-commit to prek by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/804">authlib/authlib#804</a></li>
<li>Sign OIDC id_token according to
<code>id_token_signed_response_alg</code> client metadata by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/802">authlib/authlib#802</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/authlib/authlib/compare/v1.6.2...v1.6.3">https://github.com/authlib/authlib/compare/v1.6.2...v1.6.3</a></p>
<h2>Version 1.6.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Allow insecure transport for 127.0.0.1 for debugging by <a
href="https://github.com/geigerzaehler"><code>@​geigerzaehler</code></a>
in <a
href="https://redirect.github.com/authlib/authlib/pull/788">authlib/authlib#788</a></li>
<li>Raise a MissingCodeError when code parameter is missing by <a
href="https://github.com/lepture"><code>@​lepture</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/786">authlib/authlib#786</a></li>
<li>Temporarily restore OAuth2Request body parameter by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/791">authlib/authlib#791</a></li>
<li>Raise MissingCodeException when code parameter is missing by <a
href="https://github.com/lepture"><code>@​lepture</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/794">authlib/authlib#794</a></li>
<li>Fix id_token generation with EdDSA alg by <a
href="https://github.com/azmeuk"><code>@​azmeuk</code></a> in <a
href="https://redirect.github.com/authlib/authlib/pull/800">authlib/authlib#800</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/authlib/authlib/compare/v1.6.1...v1.6.2">https://github.com/authlib/authlib/compare/v1.6.1...v1.6.2</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/authlib/authlib/blob/main/docs/changelog.rst">authlib's
changelog</a>.</em></p>
<blockquote>
<h2>Version 1.6.5</h2>
<p><strong>Released on Oct 2, 2025</strong></p>
<ul>
<li>RFC7591 <code>generate_client_info</code> and
<code>generate_client_secret</code> take a <code>request</code>
parameter.</li>
<li>Add size limitation when decode JWS/JWE to prevent DoS.</li>
<li>Add size limitation for <code>DEF</code> JWE zip algorithm.</li>
</ul>
<h2>Version 1.6.4</h2>
<p><strong>Released on Sep 17, 2025</strong></p>
<ul>
<li>Fix <code>InsecureTransportError</code> error raising.
:issue:<code>795</code></li>
<li>Fix <code>response_mode=form_post</code> with Starlette client.
:issue:<code>793</code></li>
<li>Validate <code>crit</code> header value, reject unprotected header
in <code>crit</code> header.</li>
</ul>
<h2>Version 1.6.3</h2>
<p><strong>Released on Aug 26, 2025</strong></p>
<ul>
<li>OIDC <code>id_token</code> are signed according to
<code>id_token_signed_response_alg</code>
client metadata. :issue:<code>755</code></li>
</ul>
<h2>Version 1.6.2</h2>
<p><strong>Released on Aug 23, 2025</strong></p>
<ul>
<li>Temporarily restore <code>OAuth2Request</code> <code>body</code>
parameter. :issue:<code>781</code> :pr:<code>791</code></li>
<li>Allow <code>127.0.0.1</code> in insecure transport mode.
:pr:<code>788</code></li>
<li>Raise <code>MissingCodeException</code> when the <code>code</code>
parameter is missing. :issue:<code>793</code> :pr:<code>794</code></li>
<li>Fix <code>id_token</code> generation with <code>EdDSA</code> algs.
:issue:<code>799</code> :pr:<code>800</code></li>
</ul>
<h2>Version 1.6.1</h2>
<p><strong>Released on Jul 20, 2025</strong></p>
<ul>
<li>Filter key set with additional &quot;alg&quot; and &quot;use&quot;
parameters.</li>
<li>Restore and deprecate <code>OAuth2Request</code> <code>body</code>
parameter. :issue:<code>781</code></li>
</ul>
<h2>Version 1.6.0</h2>
<p><strong>Released on May 22, 2025</strong></p>
<ul>
<li>Fix issue when :rfc:<code>RFC9207 &lt;9207&gt;</code> is enabled and
the authorization endpoint response is not a redirection.
:pr:<code>733</code></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9ec42561cd"><code>9ec4256</code></a>
chore: release 1.6.5</li>
<li><a
href="b62b5b2757"><code>b62b5b2</code></a>
Merge branch 'fix-GHSA-pq5p-34cr-23v9'</li>
<li><a
href="e0863d5129"><code>e0863d5</code></a>
Merge pull request <a
href="https://redirect.github.com/authlib/authlib/issues/830">#830</a>
from authlib/fix-GHSA-g7f3-828f-7h7m</li>
<li><a
href="867e3f87b0"><code>867e3f8</code></a>
fix(jose): add size limitation to prevent DoS</li>
<li><a
href="75ad6d4d62"><code>75ad6d4</code></a>
Merge pull request <a
href="https://redirect.github.com/authlib/authlib/issues/828">#828</a>
from authlib/dependabot/github_actions/dot-github/wor...</li>
<li><a
href="68b982352d"><code>68b9823</code></a>
chore(deps): bump SonarSource/sonarqube-scan-action</li>
<li><a
href="5bdfc4bfff"><code>5bdfc4b</code></a>
Merge pull request <a
href="https://redirect.github.com/authlib/authlib/issues/827">#827</a>
from lisongmin/support-list-params-in-prepare-grant-uri</li>
<li><a
href="30ea3c5f85"><code>30ea3c5</code></a>
feat: support list params in prepare_grant_uri</li>
<li><a
href="4b5b570339"><code>4b5b570</code></a>
fix(jose): add max size for JWE zip=DEF decompression</li>
<li><a
href="6e35a02ecf"><code>6e35a02</code></a>
Merge pull request <a
href="https://redirect.github.com/authlib/authlib/issues/825">#825</a>
from azmeuk/request-params</li>
<li>Additional commits viewable in <a
href="https://github.com/authlib/authlib/compare/v1.3.0...v1.6.5">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=authlib&package-manager=pip&previous-version=1.3.0&new-version=1.6.5)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/ArcadeAI/arcade-mcp/network/alerts).

</details>

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Skip GHA secret-backed toolkit tests for dependabot, add Dockerized
Postgres test setup and default to postgres user, and bump authlib to
1.6.5.
> 
> - **CI**:
> - Update `Test stand-alone toolkits (with secrets)` condition to also
exclude `github.actor == 'dependabot[bot]'`.
>   - Execute optional `tests/test_setup.sh` before pytest when present.
> - **Postgres toolkit tests**:
> - Default `POSTGRES_DATABASE_CONNECTION_STRING` user changed to
`postgres` in `toolkits/postgres/tests/test_postgres.py`.
> - Add `toolkits/postgres/tests/test_setup.sh` to spin up a Docker
`postgres` and wait until ready.
> - **Dependencies**:
>   - Upgrade `authlib` to `1.6.5` in `pyproject.toml`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
f3600e7536a409ecd8e645f473d747b9ba363765. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: evan <evan@arcade.dev>
2025-12-12 17:16:14 -08:00
Sterling Dreyer
069ce70fb2
Instrumentation for outbound requests (#726)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Adds OpenTelemetry instrumentation for outbound HTTP (httpx, aiohttp,
requests), guards span environment attribute, and updates
package/version deps.
> 
> - **Telemetry**:
> - Instrument outbound HTTP clients with OpenTelemetry: `httpx`,
`aiohttp-client`, and `requests`.
>   - Tighten excluded span types using `Literal`.
> - **Core**:
> - Guard setting `environment` span attribute in `CallToolComponent`
only if present on `worker`.
> - **Packaging**:
>   - Bump `arcade-serve` to `3.2.1`.
> - Add new dependencies for HTTP client instrumentation and `aiohttp`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
9ab57f3c33d6033ff9ec4c6a40445a85328b169a. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-12 15:30:11 -08:00
Eric Gustin
4d54b28926
Bump some verisons (#723)
`arcade-mcp-server` version was not bumped in
https://github.com/ArcadeAI/arcade-mcp/pull/717, so this PR bumps
`arcade-mcp-server`, and then update's `arcade-mcp`'s dependency on
`arcade-mcp-server` by increasing the minimum version

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Bumps arcade-mcp-server to 1.13.0, updates arcade-mcp to 1.6.2, and
raises related dependency minimums (including example auth server).
> 
> - **Versions**:
> - Bump `libs/arcade-mcp-server` project version from `1.12.0` to
`1.13.0`.
>   - Bump `arcade-mcp` package version from `1.6.1` to `1.6.2`.
> - **Dependencies**:
> - Raise `arcade-mcp` dependency on `arcade-mcp-server` to `>=1.13.0`
in `pyproject.toml` (including `all` extra).
> - Increase example server
`examples/mcp_servers/authorization/pyproject.toml` minimum
`arcade-mcp-server` to `>=1.12.0`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
8a4f606bd8d0b48dd50e3e8e836d31bb679c6eba. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-11 14:09:23 -08:00
Nate Barbettini
592c3f73c0
fix: Don't double-include template files (#722)
Fixes broken publishing action:
https://github.com/ArcadeAI/arcade-mcp/actions/runs/20147239181

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Removes template force-include to avoid duplicate files and adds CI
wheel-duplicate validation; bumps version to 1.6.1.
> 
> - **Packaging**:
> - Bump `arcade-mcp` version from `1.6.0` to `1.6.1` in
`pyproject.toml`.
> - Remove `[tool.hatch.build.targets.wheel.force-include]` for
`arcade_cli/templates` to prevent double-including template files.
> - **CI/CD**:
> - In `.github/workflows/release-on-version-change.yml`, add a
post-build Python step to validate built wheels for duplicate filenames
before publishing.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
3a15e08772b2b4851b185b04c763f3f5898bdbd5. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-11 13:55:31 -08:00
Nate Barbettini
aae9b3a49c
feat: Support multiple orgs & projects in Arcade CLI (#717)
Fixes [PLT-720: Refactor CLI to support multiple orgs +
projects](https://linear.app/arcadedev/issue/PLT-720/refactor-cli-to-support-multiple-orgs-projects)

This PR removes the legacy login flow (login to get an API key) from
Arcade CLI. Believe it or not, this flow predates the ability to get an
API key from the Dashboard, or even the Dashboard itself!

Notable changes:

**Legacy handling** - When a user with an existing `credentials.yaml`
updates the CLI, they will get instructions on fixing their old
credentials:
<img width="978" height="146" alt="Screenshot 2025-12-08 at 10 10 37"
src="https://github.com/user-attachments/assets/5aeaef2c-bef7-4642-a2f7-f917b257c94b"
/>

Any commands that require login (non-public commands) will be blocked
with the above message until `arcade logout / arcade login` is performed
again.

**New login flow**

```sh
arcade login
Opening a browser to log you in...

 Logged in as nate@arcade.dev.

Active project: Nate Barbettini's organization / Default project
Run 'arcade org list' or 'arcade project list' to see available options.
```

**List and set the active organization**
```sh
arcade org list
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━┓
┃ Name                           ┃ ID                                   ┃ Default ┃ Active ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━┩
│ Nate Barbettini's organization │ 1c64968e-fdc5-4c55-8612-2ce46cd7881b │ ✓       │ ✓      │
│ Sergio 743                     │ 1f1f6184-58dc-4bac-bdde-b9184e43fdf3 │         │        │
└────────────────────────────────┴──────────────────────────────────────┴─────────┴────────┘

Use 'arcade org set <org_id>' to switch organizations.
```
```sh
arcade org set 1c64968e-fdc5-4c55-8612-2ce46cd7881b 

✓ Switched to organization: Nate Barbettini's organization
  Active project: Default project
```

**List and set the active project**
```sh
arcade project list

Active organization: Nate Barbettini's organization
Use 'arcade org list' and 'arcade org set <org_id>' to switch organizations.

┏━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━┓
┃ Name            ┃ ID                                   ┃ Default ┃ Active ┃
┡━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━┩
│ Default project │ 35166bf3-6e68-481e-bf16-f747fadc6c22 │ ✓       │ ✓      │
│ Second project  │ 62963205-31ea-4fda-9fc4-af10db89c06f │         │        │
└─────────────────┴──────────────────────────────────────┴─────────┴────────┘

Use 'arcade project set <project_id>' to switch projects.
```
```sh
arcade project set 35166bf3-6e68-481e-bf16-f747fadc6c22
✓ Switched to project: Default project
```

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Migrates CLI to OAuth2 (PKCE) with saved org/project context, adds
org/project commands, rewrites Engine calls to org-scoped endpoints, and
bumps core packages.
> 
> - **Auth & Config**
> - Implement OAuth2 Authorization Code + PKCE (`arcade_cli/authn.py`)
with local callback server and Jinja templates.
> - Persist tokens and active `context` (org/project) in
`credentials.yaml` via updated config models
(`arcade_core/config_model.py`).
> - Add token refresh and CLI config fetch utilities
(`arcade_core/auth_tokens.py`).
> - Detect legacy API-key credentials and block protected commands until
re-login; add `whoami` command.
> - **Org/Project Management**
> - New subcommands: `arcade org list|set`, `arcade project list|set`
(fetch via Coordinator).
> - **Engine API usage (org-scoped)**
> - Introduce org/project URL rewriting transports
(`arcade_core/network/org_transport.py`) and helpers
(`get_org_scoped_url`, `get_arcade_client`, `get_auth_headers`).
> - Update `deploy`, `server`, and `secret` commands to use Bearer
tokens and org-scoped paths; adjust log streaming/status, secrets CRUD,
and deployment workflows.
> - **CLI UX**
> - Replace legacy login URLs/constants; add success/failure HTML
templates for browser callback.
>   - Tweak `dashboard` to health-check without credentials.
>   - Usage tracking now includes `org_id`/`project_id` properties.
> - **Tests**
> - Update tests for dashboard, secrets, utils, and usage identity
(OAuth `/whoami`).
> - **Dependencies & Versions**
> - Bump packages: `arcade-core@4.0.0`, `arcade-mcp-server@1.12.0`,
`arcade-serve@3.2.0`, `arcade-tdk@3.3.0`; add `authlib`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
49702c2f74b9db15bb286d3ec71179b4e74a9134. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-11 12:58:55 -08:00
Eric Gustin
98fd13c4ed
Front-Door Auth (#696)
# Valuable references for the reviewer:
- Docs PR: https://github.com/ArcadeAI/docs/pull/583
- Implements Phase 1 of the following planning doc:
https://linear.app/arcadedev/project/arcade-mcp-supports-mcp-auth-front-door-auth-7cbaa20cb054/overview


https://github.com/user-attachments/assets/79ad43fd-f5e8-4793-a1dd-18b35acefdc3

# PR Description
Adds OAuth 2.1 Resource Server authentication to arcade-mcp-server,
enabling HTTP MCP servers to validate Bearer tokens on every request.
This unlocks tool-level authorization and secrets support for HTTP
servers.

- Multiple authorization server support
- Granular token validation options (verify_exp, verify_iat, verify_iss)
- Environment variable configuration
- OAuth discovery metadata endpoint
(/.well-known/oauth-protected-resource)
- Extracts sub claim from token as context.user_id
- Lifts transport restrictions for tools requiring auth/secrets on HTTP
when protected

```python
from arcade_mcp_server import MCPApp
from arcade_mcp_server.resource_server import ResourceServerAuth, AuthorizationServerEntry

resource_server_auth = ResourceServerAuth(
    canonical_url="http://127.0.0.1:8000/mcp",
    authorization_servers=[
        AuthorizationServerEntry(
            authorization_server_url="https://auth.example.com",
            issuer="https://auth.example.com",
            jwks_uri="https://auth.example.com/jwks",
        )
    ],
)

app = MCPApp(name="my_server", version="1.0.0", auth=resource_server_auth)
```

# Testing
Beyond the comprehensive unit tests, I also manually tested end-to-end
with WorkOS Authkit (DCR) and KeyCloak (non-DCR).

# Future Work
- CIMD support
- An `ArcadeResourceServer` to make adding front-door auth super easy
when using Arcade's Auth Server



<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds OAuth 2.1 front-door auth (JWKS validation + OAuth discovery) and
propagates user identity to tools, enabling auth/secret-requiring tools
over HTTP.
> 
> - **Authentication (Front-Door OAuth 2.1)**
> - New `resource_server` module with `ResourceServerAuth`
(multi-authorization-server, metadata) and `JWKSTokenValidator`
(JWKS-based JWT validation) plus granular validation options.
> - ASGI `ResourceServerMiddleware` validates Bearer tokens on every
HTTP request and injects `resource_owner`.
> - OAuth discovery endpoint via FastAPI router at
`/.well-known/oauth-protected-resource[/<path>]`.
> - **Integration**
> - `MCPApp`/`worker` accept `auth`/`resource_server_validator`, mount
middleware, expose discovery; logs accepted auth servers.
> - HTTP transport (`http_streamable`) carries `SessionMessage` with
`resource_owner` from request → session.
> - `Context`/`Session`/`Server` plumb `resource_owner`; `Server`
selects `user_id` preferring token `sub`.
> - **Behavior Changes**
> - HTTP transport restriction lifted for tools requiring
`authorization`/`secrets` when request is authenticated; otherwise
blocked with actionable error.
> - **Configuration**
> - Env-var based auth config via `MCP_RESOURCE_SERVER_*` in
`MCPSettings.ResourceServerSettings`; `.env` auto-load.
> - **Telemetry**
>   - Usage tracking records `resource_server_type` on server start.
> - **Examples**
> - New `examples/mcp_servers/authorization` sample server (HTTP auth,
secrets, Reddit tool) with Docker setup.
> - **Tests**
> - Extensive unit tests for validators, middleware, env config,
multi-AS, transport rules, and app integration.
> - **Version**
> - Bump `arcade-mcp-server` to `1.12.0`; minor docstring tweak in
`__init__.py`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d1116cdcafb0c7cb8f91e66682eb1fbae380da31. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->





Resolves TOO-152
2025-12-11 12:51:20 -08:00
Sterling Dreyer
99c22f0ebb
Ability to run multiple uvicorn workers (#721)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Adds --workers to HTTP mode with validation, refactors server
startup/discovery for multi-process uvicorn, and removes all
Docker-related files/configs.
> 
> - **MCP Server (HTTP mode)**
> - Add `--workers` arg to run multiple uvicorn workers; block `workers
> 1` with `stdio`, and `reload` with multiple workers.
> - Refactor startup: move tool discovery/config into
`create_arcade_mcp_factory()` driven by env vars; use `uvicorn.run(...,
workers=...)` for multi-worker/reload; retain `serve_with_force_quit()`
only for single-worker.
> - Adjust CLI to only discover tools in `stdio` path; HTTP path now
delegates discovery to the factory.
> - **MCPApp**
> - Minor run path cleanup; continue using `serve_with_force_quit()` for
single-worker HTTP.
> - **Ops/Packaging**
> - Remove `docker/` directory and all Dockerfiles, compose/configs, and
docs.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
c5700ac8855173c1e82c6f7e41b30ca173aaec14. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-10 11:06:24 -08:00
Evan Tahler
0fc9e21308
Improve error messages with fix instructions (#713)
Improve user-facing error messages to provide actionable fix
instructions, enhancing developer experience and reducing support
queries.

---
Linear Issue:
[TOO-199](https://linear.app/arcadedev/issue/TOO-199/audit-error-messages-for-actionable-fix-instructions)

<a
href="https://cursor.com/background-agent?bcId=bc-e764f9a0-3581-4ced-b34a-2c48f3df1021"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-cursor-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in
Cursor"
src="https://cursor.com/open-in-cursor.svg"></picture></a>&nbsp;<a
href="https://cursor.com/agents?id=bc-e764f9a0-3581-4ced-b34a-2c48f3df1021"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-web-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web"
src="https://cursor.com/open-in-web.svg"></picture></a>

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Enhances MCP server/session error responses with clear, actionable
guidance across JSON-RPC, tools, and resources; updates tests to assert
new messages.
> 
> - **Server (`arcade_mcp_server/server.py`)**
> - **Actionable JSON-RPC errors**: Rich messages for `Invalid request`,
`Not initialized`, `Method not found`, and internal errors with
troubleshooting steps.
>   - **Tools**:
> - `tools/list`/`tools/call`: Improved internal error messages;
user-facing guidance on failures.
>     - Unknown tool: returns detailed fix instructions.
> - Transport restrictions: explicit "Unsupported transport" guidance
for HTTP vs `stdio` with docs link.
> - Auth flow: messages for missing API key, pending authorization (with
`authorization_url`), and authorization errors; includes next steps.
> - Secrets: clear "Missing secret(s)" with `.env`/env-var setup
instructions.
>   - **Resources/Prompts**:
> - `resources/list`, `resources/templates/list`, `resources/read`,
`prompts/list`, `prompts/get`: Detailed failure and not-found messages
with guidance.
> - **Session (`arcade_mcp_server/session.py`)**
> - Enhanced internal error response formatting with troubleshooting
steps.
> - **Tests (`libs/tests/arcade_mcp_server/test_server.py`)**
> - Updated assertions to match new, descriptive messages (e.g.,
"Authorization required", "Missing Arcade API key", "Unsupported
transport").
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
97a6db4ec80a1ea9597f3364b6325d47948c94e0. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Eric Gustin <34000337+EricGustin@users.noreply.github.com>
2025-12-10 10:16:38 -08:00
Eric Gustin
489e01e149
Improve message when evals isn't installed (#687)
New and improved error message

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Enhances dependency checks to display uv/pip install commands and
updates evals command accordingly; bumps package version to 1.5.9.
> 
> - **CLI utils**:
> - Update `require_dependency` to accept `uv_install_command` and
`pip_install_command` and format error message with both install
options.
> - **Evals command (`arcade_cli/main.py`)**:
> - Update `require_dependency` calls for `arcade_evals` and
`arcade_tdk` to provide uv/pip install commands.
> - **Version**:
> - Bump `project.version` in `pyproject.toml` from `1.5.8` to `1.5.9`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
217a6a87686e27747ef59d66bc0db05a270b294a. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-09 15:41:15 -08:00
Eric Gustin
25dabbe75f
Inform type checkers that arcade_mcp_server has inline type annotations (#720)
Other packages that depend on `arcade_mcp_server` will now be able to
use the type information that `arcade_mcp_server` provides

Avoids mypy errors like the following:
`arcade_google_drive/tools/folders.py:12: error: Argument 1 to
"create_folder" becomes "Any" due to an unfollowed import
[no-any-unimported]`

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Add `arcade_mcp_server/py.typed` to expose inline type hints and bump
package version to 1.11.2.
> 
> - **Types**:
> - Add `arcade_mcp_server/py.typed` to publish inline type hints to
dependents.
> - **Packaging**:
> - Bump `version` in `libs/arcade-mcp-server/pyproject.toml` from
`1.11.1` to `1.11.2`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
f566b0acddc9174411896a01d03018cd34cf95cb. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-09 15:35:15 -08:00
Sterling Dreyer
73acc93414
Cursor versioning rules (#715)
Rules to update versions of libraries that were changed and any
dependencies if there are breaking changes

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds `.cursor/rules/versioning.mdc` with semver rules and dependency
graph for the arcade libraries.
> 
> - **Docs**:
>   - Add `.cursor/rules/versioning.mdc`:
> - Defines semver rules and when to bump library and dependency
versions.
> - Documents dependency graph for `arcade-core`, `arcade-tdk`,
`arcade-serve`, `arcade-mcp-server`, and `arcade-mcp`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
6974d4ffc6f238bd0a56d0f88fc8005560e00018. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Eric Gustin <34000337+EricGustin@users.noreply.github.com>
2025-12-09 11:31:15 -08:00
Eric Gustin
bdb7163313
Update ALL libs and their deps to most recent version of other libs (#716)
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Bumps versions across core libs and MCP packages, updates dependency
constraints accordingly, and refreshes CLI template defaults to the new
minimums.
> 
> - **Versions**:
>   - `arcade-core` → `3.4.0`
>   - `arcade-serve` → `3.1.5`
>   - `arcade-tdk` → `3.2.2`
>   - `arcade-mcp-server` → `1.11.1`
>   - Root `arcade-mcp` → `1.5.8`
> - **Dependency constraints**:
> - Raise minimums to `arcade-core>=3.4.0`, `arcade-serve>=3.1.5`,
`arcade-tdk>=3.2.2`, `arcade-mcp-server>=1.11.1` across affected
`pyproject.toml` files.
> - **CLI** (`libs/arcade-cli/arcade_cli/new.py`):
> - Update template minimums for `arcade-mcp` (`1.5.8`), `arcade-tdk`
(`3.2.2`), `arcade-serve` (`3.1.5`), and `arcade-mcp-server` (`1.11.1`).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
b1b43e4d04810b0b49d4de6c943c23e69c99aad4. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-05 14:57:10 -08:00
Evan Tahler
65acf41b11
Add startup warnings for missing secrets (#712)
Add startup warnings for missing tool secrets to provide faster feedback
on configuration issues.

---
Linear Issue:
[TOO-198](https://linear.app/arcadedev/issue/TOO-198/add-startup-warnings-for-missing-tool-secrets)

<a
href="https://cursor.com/background-agent?bcId=bc-203d1b6a-80a7-4933-b3ff-b3a9220b5809"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-cursor-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in
Cursor"
src="https://cursor.com/open-in-cursor.svg"></picture></a>&nbsp;<a
href="https://cursor.com/agents?id=bc-203d1b6a-80a7-4933-b3ff-b3a9220b5809"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-web-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web"
src="https://cursor.com/open-in-web.svg"></picture></a>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Eric Gustin <eric@arcade.dev>
2025-12-05 13:39:04 -08:00
Sterling Dreyer
f887877a8f
Fix arcade tdk and core version incompatibility (#714)
Update `arcade-core` and `arcade-tdk` dependency versions to resolve
`ImportError` caused by incompatible `Figma` auth provider imports.

The `Figma` OAuth2 provider was introduced in `arcade-core` 3.3.5.
`arcade-tdk` 3.2.0 and `arcade-mcp-server` 1.10.2 started importing
`Figma`, but their `pyproject.toml` dependency constraints were not
updated to require `arcade-core>=3.3.5`. This led to `ImportError` when
`arcade-tdk` or `arcade-mcp-server` were installed with an older
`arcade-core` version. This PR updates the minimum required versions in
`pyproject.toml` files across `arcade-tdk`, `arcade-mcp-server`, and the
root project to ensure compatibility.

---
Linear Issue:
[TOO-231](https://linear.app/arcadedev/issue/TOO-231/worker-fails-to-start-due-to-arcade-core-auth-import)

<a
href="https://cursor.com/background-agent?bcId=bc-4383bd24-eb8c-4d2e-bafe-c116a9d83e8b"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-cursor-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in
Cursor"
src="https://cursor.com/open-in-cursor.svg"></picture></a>&nbsp;<a
href="https://cursor.com/agents?id=bc-4383bd24-eb8c-4d2e-bafe-c116a9d83e8b"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-web-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web"
src="https://cursor.com/open-in-web.svg"></picture></a>

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Align dependency minimums to `arcade-core>=3.3.5` and
`arcade-tdk>=3.2.0` and bump package versions across projects.
> 
> - **Dependencies**:
> - Raise `arcade-core` minimum to `>=3.3.5,<4.0.0` in
`libs/arcade-mcp-server/pyproject.toml`,
`libs/arcade-tdk/pyproject.toml`, and root `pyproject.toml`.
> - Raise `arcade-tdk` minimum to `>=3.2.0,<4.0.0` in
`libs/arcade-mcp-server/pyproject.toml` and root `pyproject.toml`.
> - **Version bumps**:
>   - `libs/arcade-mcp-server` version `1.10.2` → `1.10.3`.
>   - `libs/arcade-tdk` version `3.2.0` → `3.2.1`.
>   - Root package `arcade-mcp` version `1.5.6` → `1.5.7`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
abec5dff0d18c9e9c1c5a0ceafa73c67b6af661a. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
2025-12-05 13:15:53 -08:00
jottakka
178c194ef2
[TOO-192] Update tdk to add figma typed oauth (#711)
Closes TOO-192

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds a Figma OAuth2 auth provider and wires it through TDK and MCP
server, with tests updated and package versions bumped.
> 
> - **Auth**:
> - Add `Figma` OAuth2 provider in
`libs/arcade-core/arcade_core/auth.py`.
> - **Exports**:
> - Expose `Figma` in
`libs/arcade-mcp-server/arcade_mcp_server/auth/__init__.py` and
`libs/arcade-tdk/arcade_tdk/auth/__init__.py` (`__all__`).
> - **Tests**:
> - Add Figma auth requirement test case in
`libs/tests/tool/test_create_tool_definition.py` and import `Figma`.
> - **Versioning**:
>   - Bump `arcade-mcp-server` to `1.10.2` and `arcade-tdk` to `3.2.0`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2bacfdc5695b3e7fc5e4532dbd360c3b2263130e. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Francisco Liberal <francisco@arcade.dev>
2025-12-05 16:38:12 -03:00
Renato Byrro
4118df073a
Remove all Starter MCP Servers migrated to the starter-tools repo (#710)
Servers added to the `starter-tools` repo in the [PR
#20](https://github.com/ArcadeAI/starter-tools/pull/20).

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Deletes `toolkits/asana_api/arcade_asana_api/moar/openapi.json` (the
large Asana OpenAPI spec) from the repo.
> 
> - **Toolkits**:
>   - **Asana API**:
> - Remove `toolkits/asana_api/arcade_asana_api/moar/openapi.json`
(entire OpenAPI spec JSON).
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
61530b254aaca17c2652a4ed2085981481dcf468. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-03 22:12:06 -03:00
Renato Byrro
f29886daa6
Remove servers migrated to the starter-tools repo (#706)
Servers migrated to the starter-tools repo in [PR
#18](https://github.com/ArcadeAI/starter-tools/pull/18).

These servers had tools generated with `dict` args and were revised.

The rest of the Starter servers in this repo will be migrated in a
subsequent PR.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Removes the Airtable API toolkit and adds a new Datadog API starter
toolkit with generated tools and supporting configs.
> 
> - **Removed**:
> - `toolkits/airtable_api/**` including all wrapper tools JSONs and the
Python package/configs.
> - **Added**:
> - `toolkits/datadog_api/**` with generated
`arcade_datadog_api/tools/__init__.py`, Makefile, LICENSE, pre-commit
and Ruff configs for the Datadog API starter toolkit.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
50354f0a19384bedd1ca2aa88cccc7f9cd4df6ae. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
2025-12-02 22:19:43 -03:00
Evan Tahler
e75eeb7e77
Handle client disconnect for large payloads (#701)
Catch `ClientDisconnect` in FastAPI worker to return HTTP 499 for large
payloads and reduce noisy error logs.

---
Linear Issue:
[TOO-189](https://linear.app/arcadedev/issue/TOO-189/catch-clientdisconnect-and-return-499-for-large-payloads)

<a
href="https://cursor.com/background-agent?bcId=bc-f777f89b-d2bc-4c0c-bcb1-b76fcf601e05"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-cursor-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-cursor-light.svg"><img alt="Open in
Cursor"
src="https://cursor.com/open-in-cursor.svg"></picture></a>&nbsp;<a
href="https://cursor.com/agents?id=bc-f777f89b-d2bc-4c0c-bcb1-b76fcf601e05"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/open-in-web-dark.svg"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/open-in-web-light.svg"><img alt="Open in Web"
src="https://cursor.com/open-in-web.svg"></picture></a>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Eric Gustin <eric@arcade.dev>
2025-12-02 13:44:34 -08:00
Evan Tahler
83ec80c08f
Bumps critical JS dependency versions (#699)
Fixes a number of security issues with JS dependencies in our examples.
Does not upgrade to the latest versions of frameworks.
2025-12-01 18:38:22 -08:00
Eric Gustin
ceca2f0913
Bump arcade_mcp_server version (#700) 2025-12-01 11:51:56 -08:00
Eric Gustin
072fbb0436 Don't display tool names in catalog on arcade_mcp_server startup 2025-12-01 11:04:31 -08:00
jottakka
2389d89471
[TOO-145]GQL Error Adaptor (#692)
# 🎫
[TOO-145](https://linear.app/arcadedev/issue/TOO-145/adding-gql-error-interceptor-in-tdk)
- add GraphQL-specific error adapter, expose it, and slot it ahead of
HTTP fallback
- map gql query/transport errors (incl. rate-limit handoff) without
logging sensitive data
- cover adapter + tool chain behavior with new unit tests (pathload,
dedupe, edge cases)



closes TOO-145

---------

Co-authored-by: Francisco Liberal <francisco@arcade.dev>
2025-11-25 23:00:26 -03:00
Sterling Dreyer
6d8d71b9ac
Exclude send/receive spans (#698) 2025-11-25 14:38:16 -08:00
Sterling Dreyer
0af13aeab5
Exclude health span from telemetry (#697) 2025-11-25 13:03:13 -08:00
Evan Tahler
bc2b945511
Create SECURITY.md (#693) 2025-11-24 18:14:40 -08:00
Eric Gustin
4f2c6abe36
Update OTEL resource attributes (#695)
Co-authored-by: Wils Dawson <wils@arcade-ai.com>
2025-11-24 18:13:28 -08:00
Eric Gustin
7fb097f20f
Use monkeypatch for tests that use ARCADE_WORKER_SECRET (#694)
Reverts the updates to unit tests in
https://github.com/ArcadeAI/arcade-mcp/pull/691 and replaces with
monkeypatch. They inadvertently changed global process state during the
test run causing failure of post-merge and failure of PyPI publish. See
https://github.com/ArcadeAI/arcade-mcp/actions/runs/19651637906/job/56283833231
to see what failed
2025-11-24 17:22:17 -08:00
Eric Gustin
44660d18ce
Only serve worker endpoints if secret is set (#691)
Default to `ARCADE_WORKER_SECRET` being unset. This env var must be
explicitly set now. Once it is set, the `worker/` endpoints will be
served.
2025-11-24 14:39:14 -08:00
Evan Tahler
a921b76ce9
Add tool name and version to otel spans for worker (#690)
Knowing which tools we called seems important

<img width="1554" height="293" alt="Screenshot 2025-11-20 at 1 36 48 PM"
src="https://github.com/user-attachments/assets/1b3cf297-749f-4ea1-9d1c-606707540d5b"
/>

Closes PLT-748
2025-11-21 15:53:54 -08:00
Eric Gustin
5602578b2f
Worker Stability (#688)
This PR does three things:
1. Executes synchronous tool calls in thread pool allowing for up to 4 +
# of CPUs executions in parallel.
2. Makes force quitting via double SIGINT/SIGTERM possible and via
single SIGINT/SIGTERM + graceful shutdown timeout expiry possible, even
if there are active connections.
3. Sets `timeout_graceful_shutdown` to
`ARCADE_UVICORN_TIMEOUT_GRACEFUL_SHUTDOWN` env var if set, else defaults
to 15.
4. Disable the worker health check span to reduce noise

Tradeoffs:
Since this PR introduces executing synchronous tools via `await
asyncio.to_thread(func, **func_args)`, this means that there is no way
for the thread to be killed until it finishes. The ramifications of this
is that the force quitting logic that is also implemented in this PR has
to be very harsh `os._exit(1)` just in case there is a sync tool
actively executing. This means that `MCPApp` teardown logic will not
execute when force quitting is required. Although this was already the
case because we weren't previously able to force quit! This tradeoff is
justified for now since "parallel" tool executions will relieve us of
many worker timeouts that we are seeing in prod.

Future work:
Minimize/eliminate the need for `os._exit(1)` such that `MCPApp`
teardown logic will always execute, even when force quitting. The
solution will likely be moving away from `await asyncio.to_thread(func,
**func_args)` (while maintaining "parallelism" and then utilize the
`TaskTrackerMiddleware` introduced in this PR to cancel all of the
active HTTP requests.

Resolves PLT-713
2025-11-20 11:13:41 -08:00
jottakka
b4720c2988
Fixing 403 error always being RateLimiting (#685)
Reponse 403 was returning RateLimiting all the time, but it was due only
checking if rate limiting header exists, but it should be checked if it
is 0 also.

---------

Co-authored-by: Francisco Liberal <francisco@arcade.dev>
2025-11-13 22:20:32 -03:00
Eric Gustin
bddb383034
Do not require entrypoint for arcade configure for HTTP server (#684) 2025-11-12 10:21:44 -08:00
Eric Gustin
99ffc03348
Rename example servers (#675)
We disallow spaces in the name
2025-11-12 10:21:25 -08:00
Renato Byrro
90c685c24a
Remove arcade engine api - moving to starter-tools repo (#686) 2025-11-11 15:49:38 -08:00
James Barney
4b77643513
Fix arcade configure claude to use correct path on Windows when runni… (#682)
…ng in WSL

When running `arcade configure claude` in WSL, the configuration file
was being written to the WSL filesystem
(~/.config/Claude/claude_desktop_config.json) instead of the Windows
AppData directory where Claude Desktop actually reads it.

This commit adds:
- WSL detection via WSL_DISTRO_NAME env var and /proc/version
- Windows username retrieval when running in WSL
- Updated config path functions to use Windows paths when in WSL
- Applied the same fix to Cursor and VS Code config paths for
consistency

The fix ensures that when running in WSL, the config file is written to:
/mnt/c/Users/{username}/AppData/Roaming/Claude/claude_desktop_config.json

This allows Claude Desktop on Windows to properly detect and use the MCP
server configuration.

Fixes #681

Co-authored-by: Claude <noreply@anthropic.com>
2025-11-07 17:04:20 -08:00
Eric Gustin
c15c07e12f
Better Handling of MCP-specific Context usage for managed servers (#679)
Since servers managed by Arcade use the `/worker` routes under the hood,
tools that use MCP-specific properties of `Context` will fail.

This PR helps reduce the 'blast radius' of the above fact. For
properties that were deemed 'non-critical' to the execution of a
deployed tool, we simply no-op. For properties that were deemed
'critical' to the execution of a deployed tool, we raise an error that
informs the caller that the feature is not supported for Arcade managed
servers.

- Non-critical property: A context property that returns None
- Critical property: A context property that may return something that
could be necessary for a tool execution to succeed.
2025-11-07 10:26:56 -08:00
Evan Tahler
57f2608dbe
Remove tools from the arcade wrapper toolkit that should not pass data through an LLM (#680)
Co-authored-by: Francisco Liberal <francisco@arcade.dev>
Co-authored-by: jottakka <fjlimal@gmail.com>
2025-11-06 18:55:52 -03:00
jottakka
e53a87bfaa
[MOAR][MAILCHIMP MKT] Mailchimp market toolkit (#670)
Co-authored-by: Francisco Liberal <francisco@arcade.dev>
2025-11-05 13:05:23 -03:00
Eric Gustin
0d30fdadf9
Better explain why arcade deploy may have failed (#677)
Another small one.

When you `arcade deploy`, you need to
1. Run the command from the root of your project, and
2. Specify the relative path to your entrypoint file if it is not
located at the root of your repository or if it is named something other
than `server.py`.
2025-11-04 17:44:16 -08:00
Eric Gustin
139cc2e54d
Fix race condition (#676)
Server start events were sometimes not being tracked because of a race
condition. Adding 150ms wait for now. Longer term solution:
https://app.clickup.com/t/86b7bm6kp

Other events do not suffer from this issue
2025-11-04 15:40:47 -08:00
Eric Gustin
a770edca4a
Consistent Server Description and Version (#674)
#672 was a quick fix. This PR makes it a long term fix.

Whether a tool is added via `MCPApp.add_tools_from_module`,
`MCPApp.add_tool`, or `@app.tool`, the server's version and description
will be the same.
2025-11-03 15:20:12 -08:00
Eric Gustin
f5b6d45aba
Bump arcade-mcp-server version (#673)
Forgot to bump in #672
2025-11-03 15:00:23 -08:00
Eric Gustin
630f7b8a26
Set server version for @app.tool and MCPApp.add_tool (#672) 2025-11-03 14:28:11 -08:00
Eric Gustin
3c6f1a69af
Update release-on-version-change.yml (#671)
An update to the server package that is used only for integration test
was triggering the workflow
2025-11-03 11:55:56 -08:00
Eric Gustin
d89b3a53d4
Fix: Skip currently executing file during tool discovery (#668)
### The Bug:
When an entrypoint file imports its parent package and
calls add_tools_from_module() on that package, and the same entrypoint
file also defines tools using @app.tool or @tool decorators, then the
server fails to start with an `AttributeError`. This is because the
tools would be discovered via AST parsing, but those tools weren't added
to the module's namespace yet because the file is still executing.

For example, this would fail on startup:
```py
#!/usr/bin/env python3
"""local_filesystem MCP server"""

import sys
from typing import Annotated

from arcade_mcp_server import MCPApp

import local_filesystem

app = MCPApp(name="eric_server", version="1.0.0", log_level="DEBUG")


app.add_tools_from_module(local_filesystem)


@app.tool
def eric(name: Annotated[str, "The name of the person to greet"]) -> str:
    """Greet a person by name."""
    return "return"


if __name__ == "__main__":
    transport = sys.argv[1] if len(sys.argv) > 1 else "stdio"

    app.run(transport="http", host="127.0.0.1", port=8074)
```

### The fix:
Skip the entrypoint file. This means that any tool defined inside of the
entrypoint file must be added via MCPApp.add_tool(...) or instead use
the recommended @app.tool.
2025-11-03 11:26:51 -08:00
Eric Gustin
4ca824cf8f
Improve arcade deploy CLI Command (#634)
Also fleshed out `arcade server` commands and MCPApp.name validation.

Example of output of `arcade deploy`:
<img width="2112" height="1320" alt="image"
src="https://github.com/user-attachments/assets/51fd3dd9-0ff1-442c-a9bb-1dbcd7337e7a"
/>
2025-11-03 11:19:04 -08:00
Renato Byrro
5f89497198
HubSpot Automation & CMS Starter tools (#669) 2025-10-31 20:13:18 -03:00
Renato Byrro
a979c4d6ee
Hubspot Marketing & CRM starter tools (#667) 2025-10-31 18:20:48 -03:00
jottakka
d0587def37
Francisco/moar/update toolkits (#666)
Co-authored-by: Francisco Liberal <francisco@arcade.dev>
2025-10-31 14:40:21 -03:00