chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.10.5#8
Open
github-actions[bot] wants to merge 26 commits into
Open
chore(deps): update ghcr.io/astral-sh/uv docker tag to v0.10.5#8github-actions[bot] wants to merge 26 commits into
github-actions[bot] wants to merge 26 commits into
Conversation
Adds a FastMCP 3.0 Middleware that compresses tool descriptions in tools/list and enforces mandatory documentation delivery on first tool use per session. Tools cannot execute until the LLM has received their full documentation. Tools with short descriptions (<500 chars) are exempt and execute immediately. - New: FirstCallDocsMiddleware using on_list_tools / on_call_tool hooks - New: ENABLE_FIRST_CALL_DOCS config toggle (default: true) - Session tracking via Context.session_id with stdio fallback - Estimated ~42K token reduction in idle context (97 tools → 25 exempt) - Unit tests (22 tests) and E2E tests (5 tests) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ion eviction
The docs ToolResult now sets meta={} which causes to_mcp_result() to
return a CallToolResult, bypassing jsonschema validation in the MCP
low-level server. Without this, tools with return type annotations
rejected the docs payload as schema-invalid.
Also addresses Gemini code review feedback:
- Session tracking uses OrderedDict with LRU eviction (cap: 1000)
to prevent unbounded memory growth in long-running HTTP servers
- Tool name validated against allow-list (only tools captured during
on_list_tools can be gated, preventing prompt injection via
unknown tool names)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Existing E2E tests expect tools to execute immediately on first call. The first-call docs middleware was intercepting these calls and returning documentation instead of results, causing widespread failures. - Set ENABLE_FIRST_CALL_DOCS=false in tests/.env.test - Dedicated first-call-docs E2E tests use their own fixture that temporarily enables the middleware with env override + settings reset Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Proxied/tunneled connections (e.g., Cloudflare tunnel) can assign a new session_id to each HTTP request. This caused the docs gate to re-trigger on every call, creating an infinite loop where tools never executed. Add a global _docs_ever_delivered set that tracks which tools have had documentation delivered to ANY session. Once docs are delivered once, subsequent calls execute immediately regardless of session_id. Resets on server restart (correct — fresh context should re-deliver).
Proxied/tunneled connections (e.g., Cloudflare tunnel) can assign a new session_id to each HTTP request. This caused the docs gate to re-trigger on every call, creating an infinite loop where tools never executed. Add _docs_ever_delivered global set: once docs are delivered for a tool to any session, subsequent calls from any session execute immediately. Resets on server restart (correct behavior). Update test to reflect the new global fallback behavior and add test verifying fresh middleware instances deliver docs independently.
Replace global fallback with token-based acknowledgment. When docs are delivered, the response includes a short ack token. The LLM echoes it back via `_docs_ack` argument to prove it received the docs. The middleware strips `_docs_ack` before forwarding. This handles proxied/tunneled connections (e.g., Cloudflare) where each request gets a new session_id, while preserving per-session independence for stable transports. Two paths to execution: 1. Session-based: same session calls again → execute (no token needed) 2. Token-based: different session includes valid _docs_ack → execute
- Ack tokens now expire after 4 hours (TTL stored via time.monotonic) - Expired tokens are pruned on generation and rejected on validation - Fixed E2E test asserting old "Do not call a different tool" text - Added unit test for expired token rejection Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Clients with additionalProperties: false reject unknown parameters, preventing the LLM from sending the ack token back. Now the middleware injects _docs_ack as an optional string parameter into each gated tool's JSON schema during tools/list. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
MCP transports/clients may strip unknown fields from structured_content. Now the ack token is embedded directly in the documentation text field which always survives transport. Removed separate _docs_ack and message fields from structured_content. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Transports may enforce schema validation and reject the _docs_ack parameter when additionalProperties is false. Setting it to true allows clients to pass the ack token back through any transport. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove all session tracking, ack token generation/validation, and schema injection (_docs_ack parameter, additionalProperties). These mechanisms don't survive Claude Code's strict schema enforcement. Replace with simple time-based expiry: docs are delivered on the first call to a gated tool, and the entry expires after a configurable timeout (default 10 min, set to 2 min for testing). New conversations after the timeout get fresh docs; calls within the window execute normally. Add FIRST_CALL_DOCS_EXPIRY config setting to control the timeout. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove unused `typing.Any` import (ruff F401) - Rewrite unit tests: remove ack token, session tracking, and LRU eviction tests. Add time-based expiry, per-tool independent tracking, and zero-expiry edge case tests. - Fix E2E test: assert ACTION REQUIRED instead of _docs_ack in response Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove unused imports (time, patch) and fix import sorting - Access ToolResult.content[0].text instead of .content (which is a list of TextContent objects, not a string) - Clean up schema test assertions to not reference old approach Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Too important to gate — diagnostics/bug reporting should execute immediately without requiring a docs pre-call. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Testing complete, switching from 2-minute test value to the production default of 600 seconds (10 minutes). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Exclude ha_report_issue from docs gate - Expiry default changed to 10 minutes (600s) - All source files synced from root src/ Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Restore start.py, pyproject.toml, uv.lock, and fix Dockerfile path (COPY start.py / instead of homeassistant-addon/start.py). These were lost when addon-repo was reset to feat/first-call-docs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Documents the addon-repo workflow, critical build steps after git reset --hard, and why specific files must be restored. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Added dual src/ directories section (the #1 gotcha) - FORK-DEV.md itself is backed up to ~/.ha-mcp-fork-dev.md - Deploy workflow now includes restoring FORK-DEV.md after reset Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
kingpanther13
force-pushed
the
addon-repo
branch
2 times, most recently
from
8e18f2b to
59dcf76
Compare
kingpanther13
force-pushed
the
addon-repo
branch
17 times, most recently
from
ddd9435 to
9882d4b
Compare
kingpanther13
force-pushed
the
addon-repo
branch
11 times, most recently
from
6c1247a to
c0a3b86
Compare
kingpanther13
force-pushed
the
addon-repo
branch
from
c0a3b86 to
1b76565
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.9.30-python3.13-trixie-slim→0.10.5-python3.13-trixie-slimRelease Notes
astral-sh/uv (ghcr.io/astral-sh/uv)
v0.10.5Compare Source
Released on 2026-02-23.
Enhancements
uv lock --frozen(#17859)pylock.tomlwheels by tags andrequires-python(#18081)uv publish(#17783)exclude-newerinvalidates the lock file (#18100)Performance
Bug fixes
--no-emit-workspacewith--all-packageson single-member workspaces (#18098)UV_NO_DEFAULT_GROUPSrejecting truthy values like1(#18057)Documentation
uv exportformats (#17900)v0.10.4Compare Source
Released on 2026-02-17.
Enhancements
uv pythonerrors (#18008)Bug fixes
uv init / --name foo) (#17983)wheelandsdistfiles produced by theuv_buildbuild backend (#18020)v0.10.3Compare Source
Released on 2026-02-16.
Python
Enhancements
Preview features
exclude-newerinuv format(#17651)target-workspace-discoveryis enabled (#17965)uv format(#17977)Bug fixes
cpython-3.1is specified (#17972)--allow-existingwith minor version links on Windows (#17978)u64::MAXin version segments to prevent overflow (#17985)Documentation
v0.10.2Compare Source
Released on 2026-02-10.
Enhancements
Bug fixes
cargo-installfailing due to missinguv-testdependency (#17954)v0.10.1Compare Source
Released on 2026-02-10.
Enhancements
sdist-vX/.gitif it already exists (#17825)Documentation
uv python update-shelloveruv tool update-shellin Python docs (#17941)v0.10.0Compare Source
Since we released uv 0.9.0 in October of 2025, we've accumulated various changes that improve correctness and user experience, but could break some workflows. This release contains those changes; many have been marked as breaking out of an abundance of caution. We expect most users to be able to upgrade without making changes.
This release also includes the stabilization of preview features. Python upgrades are now stable, including the
uv python upgradecommand,uv python install --upgrade, and automatically upgrading Python patch versions in virtual environments when a new version is installed. Theadd-boundsandextra-build-dependenciessettings are now stable. Finally, theuv workspace diranduv workspace listutilities for writing scripts against workspace members are now stable.There are no breaking changes to
uv_build. If you have an upper bound in your[build-system]table, you should update it, e.g., from<0.10.0to<0.11.0.Breaking changes
Require
--clearto remove existing virtual environments inuv venv(#17757)Previously,
uv venvwould prompt for confirmation before removing an existing virtual environment in interactive contexts, and remove it without confirmation in non-interactive contexts. Now,uv venvrequires the--clearflag to remove an existing virtual environment. A warning for this change was added in uv 0.8.You can opt out of this behavior by passing the
--clearflag or settingUV_VENV_CLEAR=1.Error if multiple indexes include
default = true(#17011)Previously, uv would silently accept multiple indexes with
default = trueand use the first one. Now, uv will error if multiple indexes are marked as the default.You cannot opt out of this behavior. Remove
default = truefrom all but one index.Error when an
explicitindex is unnamed (#17777)Explicit indexes can only be used via the
[tool.uv.sources]table, which requires referencing the index by name. Previously, uv would silently accept unnamed explicit indexes, which could never be referenced. Now, uv will error if an explicit index does not have a name.You cannot opt out of this behavior. Add a
nameto the explicit index or remove the entry.Install alternative Python executables using their implementation name (#17756, #17760)
Previously,
uv python installwould install PyPy, GraalPy, and Pyodide executables with names likepython3.10into the bin directory. Now, these executables will be named using their implementation name, e.g.,pypy3.10,graalpy3.10, andpyodide3.12, to avoid conflicting with CPython installations.You cannot opt out of this behavior.
Respect global Python version pins in
uv tool runanduv tool install(#14112)Previously,
uv tool runanduv tool installdid not respect the global Python version pin (set viauv python pin --global). Now, these commands will use the global Python version when no explicit version is requested.For
uv tool install, if the tool is already installed, the Python version will not change unless--reinstallor--pythonis provided. If the tool was previously installed with an explicit--pythonflag, the global pin will not override it.You can opt out of this behavior by providing an explicit
--pythonflag.Remove Debian Bookworm, Alpine 3.21, and Python 3.8 Docker images (#17755)
The Debian Bookworm and Alpine 3.21 images were replaced by Debian Trixie and Alpine 3.22 as defaults in uv 0.9. These older images are now removed. Python 3.8 images are also removed, as Python 3.8 is no longer supported in the Trixie or Alpine base images.
The following image tags are no longer published:
uv:bookworm,uv:bookworm-slimuv:alpine3.21uv:python3.8-*Use
uv:debianoruv:trixieinstead ofuv:bookworm,uv:alpineoruv:alpine3.22instead ofuv:alpine3.21, and a newer Python version instead ofuv:python3.8-*.Drop PPC64 (big endian) builds (#17626)
uv no longer provides pre-built binaries for PPC64 (big endian). This platform appears to be largely unused and is only supported on a single manylinux version. PPC64LE (little endian) builds are unaffected.
Building uv from source is still supported for this platform.
Skip generating
activate.cshfor relocatable virtual environments (#17759)Previously,
uv venv --relocatablewould generate anactivate.cshscript that contained hardcoded paths, making it incompatible with relocation. Now, theactivate.cshscript is not generated for relocatable virtual environments.You cannot opt out of this behavior.
Require username when multiple credentials match a URL (#16983)
When using
uv auth loginto store credentials, you can register multiple username and password combinations for the same host. Previously, when uv needed to authenticate and multiple credentials matched the URL (e.g., when retrieving a token withuv auth token), uv would pick the first match. Now, uv will error instead.You cannot opt out of this behavior. Include the username in the request, e.g.,
uv auth token --username foo example.com.Avoid invalidating the lockfile versions after an
exclude-newerchange (#17721)Previously, changing the
exclude-newersetting would cause package versions to be upgraded, ignoring the lockfile entirely. Now, uv will only change package versions if they are no longer within theexclude-newerrange.You can restore the previous behavior by using
--upgradeor--upgrade-packageto opt-in to package version changes.Upgrade
uv formatto Ruff 0.15.0 (#17838)uv formatnow uses Ruff 0.15.0, which uses the 2026 style guide. See the blog post for details.The formatting of code is likely to change. You can opt out of this behavior by requesting an older Ruff version, e.g.,
uv format --version 0.14.14.Update uv crate test features to use
test-as a prefix (#17860)This change only affects redistributors of uv. The Cargo features used to gate test dependencies, e.g.,
pypi, have been renamed with atest-prefix for clarity, e.g.,test-pypi.Stabilizations
uv python upgradeanduv python install --upgrade(#17766)When installing Python versions, an intermediary directory without the patch version attached will be created, and virtual environments will be transparently upgraded to new patch versions.
See the Python version documentation for more details.
uv add --boundsand theadd-boundsconfiguration option (#17660)This does not come with any behavior changes. You will no longer see an experimental warning when using
uv add --boundsoradd-boundsin configuration.uv workspace listanduv workspace dir(#17768)This does not come with any behavior changes. You will no longer see an experimental warning when using these commands.
extra-build-dependencies(#17767)This does not come with any behavior changes. You will no longer see an experimental warning when using
extra-build-dependenciesin configuration.Enhancements
pyx.devas a target inuv authcommands despitePYX_API_URLdiffering (#17856)Bug fixes
Configuration
📅 Schedule: Branch creation - "after 3pm on tuesday" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.