Releases: HelpCode-ai/anythingmcp
Release list
v0.3.0 — Redesign (sidebar app shell), cloud onboarding/conversion & KG improvements
Highlights
Redesign — sidebar app shell
- New design system (Geist fonts, refreshed token palette) and shared UI primitives.
- Left sidebar navigation with grouped sections, org switcher and mobile drawer, replacing the top nav across the app.
- Two-column MCP server detail with a sticky "Connect your MCP client" panel and a dedicated GitHub Copilot quick-connect (VS Code, Visual Studio desktop, JetBrains…).
- Numerous UX fixes: sticky footer, header back-links, fixed-sidebar scroll bug, refreshed login/onboarding.
Cloud onboarding & trial→paid conversion (cloud-only)
- Deterministic, idempotent trial activation on email verification (removes the no-license signup race); self-healing license wall.
- Value-oriented end-of-trial emails (3-day / last-day / expired, with a build recap) and a value-aware trial banner.
- Knowledge graph & skills surfaced as the differentiator in onboarding and a live-count dashboard teaser.
Knowledge graph
- Opt-in auto-apply of high-confidence AI-suggested connections (mirrors skill auto-apply; no extra AI cost).
All cloud-only features are gated and inert in self-hosted; no new recurring AI cost. Builds on the recent Copilot-Studio MCP transport/OAuth compatibility work.
v0.2.6 — Copilot Studio Streamable MCP compatibility
Fixed
- Microsoft Copilot Studio could not finalize an MCP connection or list tools. Verified against a Copilot-compatible reference server (Microsoft Learn Docs MCP): the streamable endpoint must return SSE-framed responses (
Content-Type: text/event-stream) on POST and 405 on a bare GET. AnythingMCP returnedapplication/jsonand401respectively. Now: responses are SSE-framed by default (setMCP_STREAMABLE_JSON_RESPONSE=truefor the old behaviour) and a GET to the MCP endpoint returns the transport's 405 instead of an auth 401. Spec-compliant clients (e.g. Claude) are unaffected.
v0.2.5 — OAuth /authorize idempotency fix
Fixed
- OAuth /authorize 404 with some clients (e.g. Microsoft Copilot Studio). The login strategy distinguished initiate vs validate by the login cookie alone, so re-hitting
/authorizewhile the short-lived login cookie was set made passport fall through to a 404./authorizenow always redirects to login; the cookie is only consumed at/callback. Existing clients (Claude, DCR) are unaffected. - setup.sh: the generated Caddyfile now routes
/callbackand/revoketo the backend (the OAuth authorization code is issued at/callback).
v0.2.4 — MCP OAuth/OIDC discovery for third-party clients
Fixed
- MCP OAuth/OIDC discovery for third-party clients. Serve
/.well-known/openid-configurationand the per-serveroauth-authorization-server/oauth-protected-resourcemetadata (RFC 8414/9728). Clients that append the resource path during discovery — e.g. Microsoft Copilot Studio — can now complete the OAuth flow and connect. The401WWW-Authenticateheader now pointsresource_metadataat the per-server document. Additive only; existing clients (Dynamic Client Registration, e.g. Claude) are unaffected.
v0.2.3
Fixes
- connectors:
bitrix24_callnow sends the method's native arguments at the body root instead of nesting them under aparamskey. New reusable__spreadbodyMapping directive in the REST engine. Resolves the Bitrix24400errors observed in production (Could not find value for parameter {fields},Param #0 (taskId),Argument "entityid" is required).
Full changelog: v0.2.2...v0.2.3
v0.2.2
v0.2.2
Knowledge Graph + AI skills + usage analytics + security hardening, with the
observational-ingest stability fixes.
Features (since 0.1.x):
- Knowledge Graph (static + observational), served over MCP via
kg_how_to_obtain; visual editor; optional LLM enrichment (OpenAI/OpenRouter/Anthropic). - AI skills from captured intents, composed into MCP server instructions; search/tabs/pagination, auto-apply, AI consolidate.
- Usage & cost analytics (
/analytics,/api/audit/breakdowns). - Security: SSRF guard on the DatabaseEngine; RLS foundation (off by default); prototype-pollution guard on outputSchema inference.
Stability fixes (0.2.1 → 0.2.2):
- kg-discovery observational ingest streamed in pages with per-page flush + a JSON-walk node cap → bounded memory/CPU (peak ~1 GB, was ~3 GB → OOM).
start.shexits (→ container restart) if either process dies; backend V8 heap cap.
All migrations are additive and auto-applied on container start.
v0.2.0 — Knowledge Graph, AI skills, analytics & security hardening
v0.2.0 — Knowledge Graph, AI skills, usage analytics & security hardening
A "smart, AI-empowered gateway" release. All AI features are opt-in and inert by default.
- Knowledge Graph: per-workspace PII-safe data-relationship graph served over MCP (
kg_how_to_obtain), visual editor + redesigned canvas, optional LLM enrichment (cost-capped, batched). - AI skills: rules captured from real tool-call intents, composed into MCP server instructions (not extra tools); search/tabs/pagination, auto-apply, AI consolidate.
- Usage & cost analytics:
/analytics+/api/audit/breakdownsper connector/server/user with proxy metering and a volume-based cost estimate. - Security hardening: SSRF guard on the DatabaseEngine; RLS foundation (off by default) with a real-DB isolation proof; prototype-pollution guard on outputSchema inference.
- Migrations: 10 additive, auto-applied on container start.
v0.1.34
Maintenance release: a server-stability fix plus self-hosting and packaging improvements.
Fixed
- MCP server no longer 500s on duplicate tool names. A connector that produced two tools with the same name could take down the
/mcpendpoint; tool names are now deduplicated. (#313)
Self-hosting
- Run multiple stacks on one host.
docker-compose.ymlnow derives the project, network, volume and container names fromCOMPOSE_PROJECT_NAME(defaultamcp, so existing setups are unchanged). Set it to isolate a second instance without name collisions. (#316) - Single source of truth for the Node version in the Dockerfile (
ARG NODE_VERSION), and an explicitengines.node >=22so the supported minimum is machine-readable. (#316) .env.exampledocumentsCOMPOSE_PROJECT_NAMEand the internal-PORTvs host-BACKEND_PORTdistinction.
Packaging / license
- AnythingMCP is now licensed under AGPL-3.0 (OSI-approved open source), with operator-only cloud features kept under a separate commercial license in
ee/directories. Self-hosting is unaffected. (#314, #315)
Upgrade
docker compose pull && docker compose up -dNo configuration changes required.
v0.1.33
Fixes
- auth: membership-based tenant isolation for
/mcp/:serverId— multi-org users can reach every workspace they belong to; cross-org access stays denied (#311) - auth: resolve OAuth org by id OR email — fixes a production 403 lockout where legitimate owners were denied their own MCP servers after OAuth login (#309)
- dashboard: Claude Desktop connection config now uses
type: "http"(was the invalid"url", which Claude Desktop silently skipped) (#310) - weclapp: fix filter 400s via a general
__rawqueryengine passthrough — weclappproperty-operatorfilters now work (#308)
Connectors
- 8 reverse-engineered read-only connectors live: Playtomic (+ public), OpenTable, Resy, Vinted, Untappd, Idealista, Trenitalia
- Etsy migrated to OAuth2 with automatic refresh-token rotation
Notes
No breaking changes. Tenant isolation remains fail-closed and was verified against production data.
v0.1.32 — Proxy / Web-Unblocker + Onboarding + Help Scout OAuth2
✨ Highlights
Proxy / Web-Unblocker (#280, #281, #282)
Route a tool's outbound request through a proxy or web-unblocker (e.g. Zyte API proxy mode) to reach anti-bot / geo / rate-limited APIs. Fixes the Deutsche Bahn connector that 403'd on Akamai-protected endpoints.
- Per-tool opt-in:
mcp_tools.use_proxy(seeded from the adapter spec'suseProxy), toggled via a per-tool UI checkbox shown only whenCONNECTOR_PROXY_URLis set. - Cloud rate limit:
PROXY_RATE_LIMIT_DEFAULT(default 100) proxy calls/hour per workspace; over-cap returns an explicit error. Overridable only by a service admin viaorganizations.proxy_rate_limit(no API). - Engine: REST + GraphQL attach an
HttpsProxyAgent. SOAP/DB/MCP ignore it. - Adapters shipped with
useProxy: true: Deutsche Bahn, Playtomic (+ public), Sorare, OpenTable, Resy, Vinted, Untappd, idealista, Trenitalia, ImmobilienScout24, Etsy, Mercado Libre. - Docs:
docs/connectors/proxy.md.
Onboarding (#272, #273, #276)
- In-app
/welcomewizard with a gate-aware redirect (respects LicenseWall + license-choice). - Email drip cron for users who registered but never created a connector.
Connectors
- Help Scout → OAuth2 client-credentials with auto-refresh (#277).
- Clockify → expanded to 18 tools (#279).
- Sendcloud →
to_countryrequired to avoid 14s "all carriers" calls (#274).
Fixes
- Audit: resolve
user_idfrom the JWT email so cloud analytics aren't always NULL (#275). - License wall: hide on logout + auth routes, clear stale block state (#278).