v1.12.0

🐛 Bug Fixes

Clipboard Tools Routing Fix

• Fixed "Tool not found" error for clipboard MCP tools
• Added 6 clipboard tools to the static tools routing array in CallTool handler:
  • pluggedin_clipboard_set
  • pluggedin_clipboard_get
  • pluggedin_clipboard_delete
  • pluggedin_clipboard_list
  • pluggedin_clipboard_push
  • pluggedin_clipboard_pop
• Previously, clipboard tools were registered in ListTools but NOT routed in CallTool

📦 Full Changelog

v1.11.0...v1.12.0

v1.11.0: MCP Protocol Compliance & Security Hardening

🚀 Release v1.11.0: MCP Protocol Compliance & Security Hardening

This release brings full MCP protocol compliance, critical security improvements, and Smithery Cloud deployment support to the Plugged.in MCP Hub.

🎯 Highlights

🔒 Critical Security Fixes

• Timing Attack Prevention: API key comparison now uses constant-time crypto.timingSafeEqual() to prevent timing side-channel attacks
• Memory Exhaustion Protection: Session management with TTL (30 min), max sessions limit (10,000), and LRU eviction
• Error Information Disclosure: Production mode no longer exposes stack traces, file paths, or internal details
• Session Cleanup: Periodic cleanup (every 60s) prevents unbounded memory growth

📡 Full MCP Protocol Compliance

• Protocol Version Validation: Validates Mcp-Protocol-Version header (2024-11-05)
• Standardized Headers: Uses title-case headers per MCP spec (Mcp-Session-Id, Mcp-Protocol-Version)
• JSON-RPC 2.0 Compliance: Proper error codes for all error scenarios
• CORS Headers: Exposes custom MCP headers to clients with documented security rationale
• Accept Header Normalization: Ensures both application/json and text/event-stream are acceptable

☁️ Smithery Cloud Deployment

• .well-known Discovery: Serves /.well-known/mcp-config and /.well-known/mcp.json for Smithery scanner
• Container Deployment: Updated Dockerfile with pnpm support and proper port configuration
• Configuration Schema: Auto-generated UI from exported schema
• Dual Path Support: Serves MCP endpoints at both /mcp and / for compatibility

---

🔐 Security Improvements

P0 (Critical)

• Timing-Safe API Key Comparison (src/middleware.ts:126-129)

  const isValid = apiKey && apiKey.length === expectedKey.length &&
    timingSafeEqual(Buffer.from(apiKey), Buffer.from(expectedKey));

  Prevents brute-force attacks via timing measurements

• Session Management with Limits (src/constants.ts, src/streamable-http.ts)

  • TTL: 30 minutes per session
  • Max sessions: 10,000 concurrent
  • Cleanup interval: 60 seconds
  • LRU eviction when limit reached

High Priority

• Error Disclosure Prevention (src/streamable-http.ts:196-209)
  • Production: Generic error messages only
  • Development: Full stack traces for debugging
  • No sensitive information leakage

Medium Priority

• CORS Configuration Documented (src/middleware.ts:25-39)
  • Comprehensive security note explaining wildcard usage
  • Guidance for production deployments with reverse proxy

---

✨ New Features

MCP Protocol Enhancements

• Protocol Version Middleware: Validates client protocol version
• Session ID Management: Proper session tracking with UUID generation
• Health Endpoint: /health returns session count and transport info
• Multiple Endpoints: Discovery endpoints under both / and /mcp paths

Smithery Integration

• Discovery Files:
  • /.well-known/mcp-config - Server configuration schema
  • /.well-known/mcp.json - Metadata for Smithery scanner
• Configuration UI: Auto-generated from exported Zod schema
• Environment Variables:
  • PLUGGEDIN_API_KEY - API key for authenticated operations
  • PLUGGEDIN_API_BASE_URL - Base URL (default: https://plugged.in)
  • REQUIRE_API_AUTH - Enable API authentication (default: false)
  • PORT - HTTP server port (default: 8081 for Smithery)

Session Management

• Stateful Mode (default):
  • Session-based transport management
  • Efficient connection pooling
  • Lower CPU usage
• Stateless Mode (optional):
  • New transport per request
  • No session tracking
  • Suitable for serverless environments

---

🐛 Bug Fixes

• JSON-RPC Error Codes: Standardized to match specification

  • -32600: Invalid Request (malformed, unsupported protocol)
  • -32601: Method Not Found (HTTP method not allowed)
  • -32603: Internal Error (server exception)
  • -32001: Unauthorized (auth failure)
  • -32000: Application Error (session not found)

• DELETE Method Support: Proper session termination handling

• Header Case Sensitivity: Fixed header casing to match MCP spec

• CORS Exposure: Custom headers now properly exposed to clients

---

🧪 Testing

• 88 Total Tests (84 original + 4 new security tests)
• New Security Tests:
  • Timing-safe comparison with correct key
  • Timing-safe comparison with incorrect key
  • Timing-safe comparison with length mismatch
  • Timing-safe comparison with missing key
• Updated Tests: Health endpoint format and error code assertions

---

📚 Documentation

New Documentation

• PROTOCOL_COMPLIANCE.md - Complete MCP protocol compliance documentation (338 lines)
• docs/SMITHERY_DEPLOYMENT.md - Comprehensive Smithery Cloud deployment guide (195 lines)
• Updated README.md with:
  • Hub pillars (Knowledge · Memory · Tools · Proxy)
  • Smithery deployment quickstart
  • Autonomous agents preview
  • Deployment modes comparison

Updated Files

• smithery.yaml - Container-based deployment configuration
• Dockerfile - pnpm support, proper port exposure, entrypoint updates
• .well-known/mcp-config - Discovery endpoint configuration
• .well-known/mcp.json - Metadata for Smithery scanner

---

🏗️ Technical Details

Files Modified (14 total)

• src/middleware.ts (261 lines, NEW) - Reusable middleware functions
• src/constants.ts (50 lines, NEW) - MCP protocol constants
• src/streamable-http.ts (168 additions, 114 deletions) - Enhanced server
• tests/streamable-http.test.ts (428 additions, 11 deletions) - Security tests
• src/server.ts (87 additions) - Smithery entry point
• package.json (3 additions, 1 deletion) - Exports and dependencies
• Dockerfile (9 additions, 4 deletions) - Container improvements
• README.md (56 additions, 2 deletions) - Documentation
• And 6 more files...

Dependencies Updated

• @modelcontextprotocol/sdk: Upgraded to ^1.21.1

Performance Impact

• Session cleanup: O(n) every 60s where n = active sessions
• LRU eviction: O(n) when max reached (rare)
• Timing-safe comparison: <0.1ms overhead per auth check
• Overall: Negligible impact with significant security improvements

---

🚀 Deployment Recommendations

Production Checklist

1. Set environment to production:

   NODE_ENV=production  # Disables error disclosure

2. Generate strong API keys:

   PLUGGEDIN_API_KEY=$(openssl rand -base64 32)  # 256-bit entropy

3. Enable authentication for public deployments:

   REQUIRE_API_AUTH=true

4. Optional: Stricter CORS via reverse proxy:

   add_header Access-Control-Allow-Origin "https://yourapp.com";

Smithery Cloud

1. Visit smithery.ai
2. Connect GitHub repository
3. Configure API key in UI
4. Deploy with one click

---

🔄 Breaking Changes

None - This release is fully backward compatible.

All existing configurations and integrations continue to work without modification.

---

📝 Upgrade Guide

From v1.10.x

No changes required! Simply update your package:

npm install @pluggedin/pluggedin-mcp-proxy@latest

Or for npx users:

npx -y @pluggedin/pluggedin-mcp-proxy@latest

Optional: Enable New Security Features

To take advantage of the new security hardening:

# Enable API authentication
REQUIRE_API_AUTH=true

# Set production mode
NODE_ENV=production

# Restart your server

---

🙏 Credits

This release includes contributions from:

• Protocol compliance implementation
• Security audit and fixes
• Smithery Cloud integration
• Comprehensive testing suite

Special thanks to the MCP community for feedback and the Smithery team for deployment platform support.

---

📦 Installation

NPM

npm install @pluggedin/pluggedin-mcp-proxy@1.11.0

NPX (Recommended)

npx -y @pluggedin/pluggedin-mcp-proxy@latest

Docker

docker pull ghcr.io/veriteknik/pluggedin-mcp:v1.11.0

---

📖 Resources

• Documentation: README.md
• Protocol Compliance: PROTOCOL_COMPLIANCE.md
• Smithery Guide: SMITHERY_DEPLOYMENT.md
• Issues: GitHub Issues
• Discussions: GitHub Discussions

---

🔜 What's Next

Coming in future releases:

• Enhanced memory management tools
• Advanced agent orchestration
• Additional transport protocols
• Performance monitoring dashboard

---

Full Changelog: v1.10.5...v1.11.0

v1.10.3 - Enhanced RAG Tool with Metadata Support

What's New

Enhanced RAG Tool with Metadata Support

• Added optional includeMetadata parameter for pluggedin_ask_knowledge_base tool
• Returns document sources and IDs when metadata requested
• Formatted response with source attribution
• Maintains full backward compatibility with plain text responses

Improvements

• Better formatting of source documents in responses
• Enhanced error handling for RAG queries
• Updated schema with optional metadata parameter

This release works in conjunction with pluggedin-app v2.11.1 to provide document source attribution in AI responses.

See the CHANGELOG for detailed information.

v1.8.0 - RAG v2 MCP Tools for AI Document Exchange

Release Notes: v1.8.0 - RAG v2 MCP Tools for AI Document Exchange

🚀 New MCP Tools for AI Document Management

This release introduces 5 new MCP tools that enable AI models to create, manage, and collaborate on documents through the Plugged.in platform.

🎯 New Tools

1. pluggedin_create_document

Create AI-generated documents with rich metadata:

• Formats: Markdown, plain text, JSON, HTML
• Metadata: Model info, context, visibility settings
• Features: Automatic tagging, categorization, content validation

2. pluggedin_list_documents

Browse and filter documents with advanced options:

• Filters: Source (upload/AI/API), model, date range, tags, category
• Sorting: Date, title, size, relevance
• Pagination: Efficient handling of large document sets

3. pluggedin_search_documents

Semantic search powered by RAG:

• Query-based: Natural language search across all documents
• Filters: Model, date range, tags for refined results
• Relevance: AI-powered relevance scoring

4. pluggedin_get_document

Retrieve documents with optional details:

• Content: Optional inclusion of document content
• History: View version history and model contributions
• Metadata: Complete attribution and context

5. pluggedin_update_document

Update existing documents with version tracking:

• Operations: Replace, append, or prepend content
• Attribution: Track which model made updates
• Versioning: Automatic version history maintenance

🔧 Technical Implementation

Tool Schemas

• Comprehensive Zod validation for all inputs
• Clear parameter descriptions and examples
• Proper error handling with informative messages

API Integration

• Secure communication with pluggedin-app backend
• Bearer token authentication
• Rate limiting compliance
• Async operations for better performance

Activity Logging

• All tool usage tracked for analytics
• Non-blocking notification system
• Performance metrics collection

📊 Performance Optimizations

• Lightweight implementation for Docker deployments
• Minimal dependencies for reduced bundle size
• Efficient error handling and retries
• Optimized for container environments

🔄 Upgrading

From v1.7.x

1. Pull latest changes:

   git pull origin main
   git checkout v1.8.0

2. Install dependencies:

   npm install

3. Build:

   npm run build

4. Restart MCP proxy:

   sudo systemctl restart pluggedin-mcp

Docker Users

docker pull ghcr.io/veriteknik/pluggedin-mcp:v1.8.0
docker-compose restart mcp

🐛 Bug Fixes

• Improved error messages for better debugging
• Fixed schema validation edge cases
• Enhanced connection retry logic
• Better handling of large documents

🌟 Usage Examples

Creating a Document

await pluggedin_create_document({
  title: "Analysis Results",
  content: "# Key Findings\n\n...",
  format: "md",
  tags: ["research", "analysis"],
  metadata: {
    model: { name: "Claude", provider: "Anthropic" },
    context: "Research analysis for project X"
  }
});

Searching Documents

await pluggedin_search_documents({
  query: "machine learning insights",
  filters: {
    modelName: "Claude",
    dateFrom: "2025-01-01"
  }
});

🙏 Acknowledgments

Thanks to the MCP community for their continued support and feedback in shaping these tools.

---

For detailed documentation and examples, visit the pluggedin-mcp repository.

v1.4.0 - Registry v2 Support & Enhanced OAuth Integration

Release Notes: v1.4.0 - Registry v2 Support & Enhanced OAuth Integration

🎉 Overview

We're excited to announce the release of plugged.in MCP Proxy v1.4.0! This release brings full support for the Registry v2 features from plugged.in App v2.7.0, including OAuth token management, bidirectional notifications, and trending analytics.

🚀 Major Features

1. OAuth Token Management

• Seamless Authentication: OAuth tokens are now automatically retrieved from plugged.in App v2.7.0
• No Client-Side Auth: No need for client-side authentication setup - all handled by the proxy
• Secure Token Storage: Tokens are securely stored and refreshed automatically
• State-of-the-Art Encryption: All OAuth tokens protected with AES-256-GCM encryption
• Multiple Provider Support: Works with GitHub, Linear, and custom OAuth providers

2. Enhanced Notification System

• Bidirectional Support: Send and receive notifications seamlessly
• Send Notifications: Push notifications to plugged.in App from MCP servers
• Receive Notifications: Get notifications from the app in real-time
• Mark as Read/Unread: Programmatically manage notification status
• Delete Notifications: Remove notifications through the proxy
• Email Integration: Optional email delivery for important notifications

3. Trending Analytics

• Real-time Activity Tracking: Every tool call is logged and tracked
• Trending Calculations: Contributes to trending server calculations in plugged.in App
• Usage Metrics: Detailed usage statistics and popularity insights
• Community Insights: Discover what tools and servers are popular
• Installation Tracking: Monitor server installations and usage patterns

4. Registry Integration

• Full Registry v2 Support: Complete integration with the new registry features
• Automatic Discovery: Servers are automatically discovered from the registry
• Installation Tracking: Track server installations and metrics
• Community Server Support: Access to community-contributed servers
• Server Claiming: Support for server ownership verification

🔧 Technical Improvements

OAuth Integration

• Automatic token retrieval from plugged.in App APIs
• Secure token storage with refresh mechanisms
• Error handling for token expiration and refresh failures
• Support for multiple OAuth providers simultaneously

Notification Architecture

• Bidirectional notification flow
• Real-time notification delivery
• Notification state management
• Email integration for critical notifications

Analytics & Tracking

• Tool call logging for trending calculations
• Usage metrics collection
• Performance monitoring
• Community engagement tracking

📊 Compatibility

plugged.in App Integration

This release is designed to work seamlessly with plugged.in App v2.7.0 and its Registry v2 features:

• OAuth token management
• Trending server calculations
• Bidirectional notifications
• Registry integration

MCP Client Support

Fully compatible with all MCP clients:

• Claude Desktop
• Cline
• Cursor
• Any MCP-compatible client

🔄 Migration Guide

Upgrading from v1.3.x

1. Update the package:

   npx -y @pluggedin/mcp-proxy@1.4.0 --pluggedin-api-key YOUR_API_KEY

2. Update your Claude Desktop configuration:

   {
     "mcpServers": {
       "pluggedin": {
         "command": "npx",
         "args": ["-y", "@pluggedin/mcp-proxy@1.4.0"],
         "env": {
           "PLUGGEDIN_API_KEY": "YOUR_API_KEY"
         }
       }
     }
   }

3. No configuration changes needed: OAuth and notifications work automatically!

New Features Available Immediately

• OAuth authentication for Streamable HTTP servers
• Enhanced notification system
• Trending analytics tracking
• Registry integration

🆕 New Tools & Capabilities

Enhanced Built-in Tools

• pluggedin_send_notification: Now supports bidirectional notifications
• pluggedin_discover_tools: Enhanced with registry integration
• pluggedin_rag_query: Improved with trending data

OAuth-Enabled Servers

• Automatic OAuth token management for compatible servers
• No manual token configuration required
• Seamless authentication flow

🔐 Security Enhancements

OAuth Security

• Secure token storage with encryption
• Automatic token refresh mechanisms
• Protection against token exposure
• Secure communication with OAuth providers

Notification Security

• Validated notification payloads
• Secure notification delivery
• Protection against notification spam
• Authenticated notification sources

📈 Performance Improvements

OAuth Performance

• Optimized token retrieval and storage
• Efficient refresh mechanisms
• Reduced authentication overhead
• Better error handling

Notification Performance

• Fast notification delivery
• Efficient bidirectional communication
• Optimized message queuing
• Reduced latency

Analytics Performance

• Efficient activity tracking
• Optimized data collection
• Minimal performance impact
• Real-time processing

🐛 Bug Fixes

• Improved OAuth token handling edge cases
• Enhanced notification delivery reliability
• Better error handling for registry integration
• Fixed compatibility issues with various MCP clients

🌟 What's Next

We're already working on exciting features for future releases:

• Advanced analytics dashboard
• Custom notification templates
• Enhanced OAuth provider support
• Improved caching mechanisms

🙏 Get Involved

If you find the plugged.in MCP Proxy useful:

• ⭐ Star our repository on GitHub
• 🐛 Report issues or suggest features
• 🤝 Contribute to the project
• 📢 Share with the MCP community

📝 Links & Resources

• plugged.in App v2.7.0 Release
• MCP Specification
• Claude Desktop Documentation
• Project GitHub Repository

---

Thank you for being part of the plugged.in ecosystem! This release represents a significant step forward in making MCP servers more accessible and powerful for developers worldwide.

For detailed technical information, see the CHANGELOG.md and README.md.

v1.2.0 - Enhanced Security & Production Optimizations

🎉 Release v1.2.0

🔒 Security Enhancements

• URL Validation: Comprehensive SSRF protection blocking private IPs, localhost, and dangerous ports
• Command Allowlisting: Only approved commands (node, npx, python, python3, uv, uvx, uvenv) for STDIO servers
• Header Validation: RFC 7230 compliant validation with injection prevention
• Lazy Authentication: Tool discovery without API keys for better Smithery compatibility

🚀 Performance & Production

• Optimized Docker Builds: Multi-stage builds for minimal container footprint
• Lightweight Images: Excluded test files and dev dependencies from production
• Resource Efficiency: Designed for deployment in resource-constrained environments

🐛 Bug Fixes & Improvements

• Improved session management and cleanup in Streamable HTTP mode
• Better error handling for transport lifecycle events
• Fixed memory management issues in long-running sessions
• Enhanced TypeScript types for security validators

📚 Documentation

• Updated README with comprehensive security best practices
• Refined Smithery configuration for HTTP transport mode
• Added detailed CHANGELOG entries

🔧 Breaking Changes

None - This release maintains backward compatibility

📦 Installation

# Via npx
npx -y @pluggedin/pluggedin-mcp-proxy@1.2.0

# Via Docker
docker pull ghcr.io/veriteknik/pluggedin-mcp:1.2.0

See CHANGELOG.md for complete details.

plugged.in MCP Proxy v1.0.0 🚀

plugged.in MCP Proxy v1.0.0 🚀

What's New

🔔 Real-Time Notifications

Track all MCP activities in real-time with comprehensive notification support. Monitor tool calls, resource reads, and prompt executions through the plugged.in App notification center.

📚 RAG Integration

Seamlessly integrate document context into your AI interactions. The proxy now supports RAG-enhanced queries, automatically injecting relevant document context into system prompts.

🔒 Enhanced Security

• Industry-standard input validation and sanitization
• Improved URL validation to prevent SSRF attacks
• Secure environment variable handling
• Comprehensive audit logging

🔧 Developer Tools

• New inspector scripts for automated testing
• Improved error messages and debugging
• Health check endpoint with ping support
• Structured logging with proper stderr usage

Installation & Upgrade

New Users

npx -y @pluggedin/mcp-proxy@latest --pluggedin-api-key YOUR_API_KEY

Upgrading from Previous Versions

If you've been using a pre-release version, update your MCP client configuration:

{
  "mcpServers": {
    "pluggedin": {
      "command": "npx",
      "args": ["-y", "@pluggedin/mcp-proxy@1.0.0"],
      "env": {
        "PLUGGEDIN_API_KEY": "YOUR_API_KEY"
      }
    }
  }
}

Breaking Changes

None - This is the first stable release

Bug Fixes

• Fixed JSON-RPC protocol interference (stdout vs stderr)
• Resolved localhost URL validation for development
• Fixed API key handling in inspector scripts
• Improved connection stability and memory management

Contributors

Thanks to everyone who contributed to this release through code, bug reports, and feedback!

Related Updates

• pluggedin-app v2.1.0: Web app with notification center and document library
• See full changelog in RELEASE_NOTES_v1.0.0.md

Links

• 📖 Documentation
• 🐛 Report Issues
• 💬 Discussions

---

Full Changelog: v0.5.10...v1.0.0

pluggedin-mcp v0.6.0-rc1

pluggedin-mcp v0.6.0-rc1

🚀 Release Highlights

This release candidate introduces a completely redesigned architecture for the plugged.in MCP proxy server. We've implemented full compatibility with MCP prompts, custom instructions, tools, and resources according to official MCP specifications, while significantly simplifying the codebase for better performance and maintainability.

✨ Features

• API-Driven Proxy: Refactored proxy handlers to fetch aggregated capabilities from pluggedin-app API endpoints
• Capability Resolution: Implemented resolution logic to route requests to the correct downstream server
• Prefixed Tool Names: Implemented prefixed tool names (e.g., github_create_issue) for clarity and disambiguation
• Static Discovery Tool: Added a pluggedin_discover_tools tool to allow first-time users to trigger discovery
• Custom Instructions Integration: Integrated custom instructions into the proxy's prompts/list and prompts/get handlers

🐛 Bug Fixes

• ENOTEMPTY npm errors: Resolved npm-related errors during installation
• Session Handling: Improved session management for downstream server connections

⚡ Performance Improvements

• Simplified Architecture: Significantly simplified the codebase by removing dependency injection, caching, and complex logging
• Progressive Initialization: Implemented faster startup with deferred heavy operations

🔄 Other Changes

• Removed Components: Eliminated dependency injection container, caching mechanisms, complex logging system, and jest tests
• Tool Discovery Responsibility: Moved tool discovery responsibility to pluggedin-app

📋 Breaking Changes

This release introduces full compatibility with MCP prompts, custom instructions, tools, and resources according to official MCP specifications. Users upgrading from previous versions should update both pluggedin-app and pluggedin-mcp to ensure compatibility.

🔗 Related Repositories

• pluggedin-app: The companion web application for managing MCP servers