release: v0.18.2

[cmeans-claude-dev]

Patch release stamping six PRs merged to main since v0.18.1 on 2026-04-20.

Summary

Two-file diff:

• pyproject.toml — version bump 0.18.1 → 0.18.2
• CHANGELOG.md — [Unreleased] renamed to [0.18.2] - 2026-04-21; new empty [Unreleased] section seeded; comparison-link footer updated

Why patch

• No new MCP tools, no changed tool signatures, no resource changes.
• No breaking config, no migration, no data-format change.
• requires-python = ">=3.10" floor unchanged in pyproject.toml.
• Dockerfile base bump (3.12 → 3.13) is runtime-transparent to image consumers; CI matrix widening (3.13, 3.14) is pure infra.
• OAuth log-redaction is security-hardening with no behavior change on the happy path.
• docker-compose host-port parameterization is backward-compatible — default behavior unchanged.

Textbook patch bump for a 0.x project.

Included PRs

PR	Title	Kind
#351	ci: cascade env-routing to pr-labels.yml + workflow permissions	Security
#352	fix(oauth): redact URLs in log output (CodeQL #5-#9)	Security
#350	ci: add docker-smoke workflow — build + import smoke on Dockerfile PRs	Added
#353	chore(compose): parameterize host port in docker-compose.yaml	Changed
#354	ci: extend Python test matrix to include 3.13 and 3.14	Added
#355	chore(docker): bump base image from python:3.12-slim to 3.13-slim	Changed

All six merged via their own QA-Approved cycles — nothing in this release bypasses the standard pipeline.

What's unchanged

• docker-compose.yaml — uses :latest, no version bump needed
• README.md — tool count (32) and text-mode content unchanged; no update needed
• uv.lock — no dep changes in any of the six PRs

QA

Lightweight per project convention — all substantive code was tested in its own PR. Review-only checks:

1. • pyproject.toml version is 0.18.2. Verify line 3: version = "0.18.2".
2. • CHANGELOG — [0.18.2] - 2026-04-21 heading exists; the six rolled-up entries sit beneath it in their original order (Changed → Added → Changed → Security → Security → Added); empty [Unreleased] seeded above.
3. • Comparison links — [0.18.2]: …v0.18.1...v0.18.2 added; [Unreleased] now points at v0.18.2...HEAD.
4. • Scope — git diff --stat origin/main shows exactly CHANGELOG.md (+4, -1) and pyproject.toml (+1, -1). Nothing else.
5. • No accidental content drift in rolled-up entries — diff between this branch's [0.18.2] section and what was in [Unreleased] on main before this PR should be zero beyond the heading/anchor move.

Acceptance

• ✅ CI green
• ☐ Merge + tag (Dev authorization, executed post-merge)

Merge + tag (Dev post-merge action)

After merge, Dev runs:

```
git checkout main && git pull --ff-only origin main
git tag -a v0.18.2 -m "v0.18.2 — CI matrix widening (3.13/3.14), Dockerfile to python:3.13-slim, docker-smoke workflow, compose host-port parameterization, OAuth log redaction, workflow permission hardening"
git push origin v0.18.2
```

The tag triggers `docker-publish.yml` to build and publish the `:v0.18.2` + `:latest` images.

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cmeans]

QA review — PR #356 (release v0.18.2)

Lightweight per project convention — feature code for all six rolled-up PRs was QA'd in its own cycle.

Verification performed

Step	Result
pyproject.toml version	✅ Line 3 reads version = "0.18.2".
CHANGELOG header placement	✅ ## [0.18.2] - 2026-04-21 sits below an empty ## [Unreleased] — correct Keep-a-Changelog shape.
Rolled-up entries (6)	✅ All present under [0.18.2] in original order (Changed #355 → Added #354 → Changed #353 → Security #352 → Security #351 → Added #350). Order matches PR body claim.
Content drift in rolled-up entries	✅ None possible — the diff only inserts the ## [0.18.2] - 2026-04-21 header + blank line and updates the footer; body of each entry is unchanged from what lived under [Unreleased] on main.
Comparison links	✅ [Unreleased]: …/compare/v0.18.2...HEAD and [0.18.2]: …/compare/v0.18.1...v0.18.2 — both correct.
Scope	⚠️ See finding #1.
Tag-command rollup coverage	✅ Post-merge tag message names all six rolled-up areas (3.13/3.14 matrix, Dockerfile bump, docker-smoke, compose port, OAuth redaction, permission hardening).
CI rollup	✅ docker-smoke, lint, typecheck, test (3.10–3.14), codecov/patch, CodeQL, license/cla — all green.

Findings

1. [substantive] PR body scope claim is off by one on CHANGELOG.md. Both the Summary and the acceptance checkbox #4 assert CHANGELOG.md (+3, -1). Actual:

   $ git diff --shortstat origin/main..origin/release/v0.18.2 -- CHANGELOG.md
    1 file changed, 4 insertions(+), 1 deletion(-)
   

   The [0.18.2] - 2026-04-21 header hunk inserts a header line and the blank line between [Unreleased] and [0.18.2] (+2); the footer hunk adds the new [Unreleased] link and the new [0.18.2] link while removing the old [Unreleased] link (+2, -1). Net (+4, -1), not (+3, -1).

   Fix: update the PR body's Summary paragraph and checkbox #4 to read CHANGELOG.md (+4, -1). Nothing code-side changes.

What's good

• Proper two-file scope; no surprise edits.
• ## [Unreleased] section correctly preserved as an empty shell above ## [0.18.2] (Keep-a-Changelog convention).
• Rolled-up entries untouched; the release PR does exactly what a release PR should and nothing else.
• All six included PRs have matching CHANGELOG entries with original wording intact.
• Post-merge tag plan is tight and covers every rolled-up area.

Verdict

QA Failed — one substantive finding (scope-count drift in PR body). Trivial body-edit fix, no code change needed.

All feature-level code testing was completed in the individual PRs (#350, #351, #352, #353, #354, #355). This review confirms the release-mechanics shape only.

[cmeans]

QA audit — transitioning label to QA Failed.

Release-mechanics review complete:

• pyproject.toml version = 0.18.2 ✓
• [0.18.2] - 2026-04-21 heading in correct position below empty [Unreleased] ✓
• All six rolled-up entries present in original order (Changed chore(docker): bump base image from python:3.12-slim to 3.13-slim #355 → Added ci: extend Python test matrix to include 3.13 and 3.14 (#349) #354 → Changed chore(compose): parameterize host port in docker-compose.yaml (#344) #353 → Security fix(oauth): redact URLs in log output — close CodeQL clear-text-logging flags (#5/#6/#7/#8) #352 → Security ci: cascade env-routing to pr-labels.yml + add permissions to ci.yml (#334) #351 → Added ci: add docker-smoke workflow — build + import smoke on Dockerfile PRs (#348) #350) ✓
• Comparison links updated ([Unreleased] retargeted to v0.18.2...HEAD, [0.18.2] footer added) ✓
• No content drift in rolled-up entries — diff only touches header + footer ✓
• Post-merge tag command covers all six rolled-up areas ✓
• All CI green (docker-smoke, lint, typecheck, test 3.10–3.14, codecov, CodeQL, license/cla)

One substantive finding — PR body's scope claim is off by one on CHANGELOG.md. See review for detail. Fix is a PR-body edit: (+3, -1) → (+4, -1). No code change.

[cmeans-claude-dev]

Dev response to QA finding

Finding 1 — CHANGELOG.md scope count off by one

Fixed in PR body. Changed CHANGELOG.md (+3, -1) → CHANGELOG.md (+4, -1) on the Scope checkbox (#4). Verified against git diff --shortstat origin/main..origin/release/v0.18.2 -- CHANGELOG.md → 1 file changed, 4 insertions(+), 1 deletion(-).

My miscount was in the header hunk: the new ## [0.18.2] - 2026-04-21 line plus the blank trailing line is +2, not +1. Combined with the footer's +2/-1 (new [Unreleased] link + new [0.18.2] link, old [Unreleased] link removed), that totals +4/-1.

No code change

Only the PR-body markup was touched. pyproject.toml and CHANGELOG.md branch content are unchanged — the release artifact is the same one QA already audited and signed off on for mechanics. No re-push, no CI re-run required.

Labels

Transitioning QA Failed → Ready for QA for signoff.

[cmeans]

QA review — PR #356 (round 2)

Head: eb5c7270 (unchanged — body-only edit). CI rollup carries over from round 1: all green.

Round-1 finding resolution

Finding	Resolution
PR body scope claim CHANGELOG.md (+3, -1) vs actual (+4, -1)	✅ Checkbox #4 updated to CHANGELOG.md (+4, -1) and pyproject.toml (+1, -1). My round-1 mention of "Summary paragraph" was incorrect — the Summary uses a narrative description, not explicit line counts, so the checkbox was the only place that needed editing. Fix is complete.

Re-verification

Step	Result
PR body diff vs round 1	✅ Only line 47 (checkbox #4) changed. All other body content identical.
Actual git diff --shortstat origin/main..origin/release/v0.18.2 -- CHANGELOG.md	✅ 1 file changed, 4 insertions(+), 1 deletion(-) — now matches the body.
Head SHA unchanged	✅ eb5c7270 — no code change, so CI results carry forward as valid.
CI rollup	✅ All checks still green (same run as round 1).

Findings

None.

Verdict

Ready for QA Signoff — round-1 finding resolved, no new issues, release-mechanics shape verified.

Awaiting maintainer to apply QA Approved.

[cmeans]

QA audit — round 2. Transitioning label to Ready for QA Signoff.

Round-1 finding (PR body scope-count off-by-one) resolved — checkbox #4 now reads CHANGELOG.md (+4, -1) and pyproject.toml (+1, -1), matching reality. Head SHA unchanged (eb5c7270); CI results carry forward from round 1 (all green).

Zero findings this round. Awaiting maintainer to apply QA Approved.

[cmeans]

LGTM