Dicklesworthstone/mcp_agent_mail v0.2.1

on GitHub

Highlights

🐍 Python 3.14 Cancellation Safety

• In Python 3.14, asyncio.CancelledError is now a BaseException rather than Exception
• All async cleanup operations now use asyncio.shield() to ensure completion
• Affected: session close, engine dispose, AsyncFileLock, archive_write_lock

🔒 Security Hardening

• Thread ID Validation: New validate_thread_id_format() prevents malicious thread IDs
• Path Traversal Prevention: _resolve_archive_relative_path() blocks directory traversal in attachment paths
• Defense-in-depth with Path.resolve().relative_to() against symlink escapes

⚡ Concurrency Robustness

• ensure_project() handles IntegrityError for truly idempotent concurrent creation
• _get_or_create_agent() uses retry loop with collision handling
• File reservations correctly reported as advisory (conflicts returned alongside grants)

📁 Resource Management

• SQLite now uses NullPool to prevent FD exhaustion on macOS
• PostgreSQL and other backends retain standard pooling configuration

Commits

• feat(utils): add thread_id format validation
• fix(db): Python 3.14 cancellation safety and FD exhaustion prevention
• fix(storage): security hardening and Python 3.14 cancellation safety
• fix(app): concurrency robustness, security, and cancellation safety
• test: update tests for advisory file reservations and concurrent registration

Installation

```bash
uv pip install mcp-agent-mail==0.2.1
```

Full Changelog: v0.2.0...v0.2.1