ProxmoxMCP-Plus v0.4.8

This release hardens production behavior for persistent jobs, OpenAPI job controls, inventory reads, metrics cardinality, and release quality gates.

What Changed

Hardened the SQLite-backed JobStore with WAL mode, busy timeout, schema migration tracking, indexes, SQL-side filtering/limits, and explicit connection close lifecycle.
Added policy checks to high-risk job retry paths in both MCP and OpenAPI, including approval-token enforcement.
Fixed VM guest-agent command execution to poll exec-status until the command exits and to report non-zero exits as failures.
Reduced large-cluster list overhead by using cluster resource inventory for VM and LXC list defaults, with expensive stats now opt-in for containers.
Changed OpenAPI Prometheus request labels to use route templates instead of raw request paths, avoiding high-cardinality /jobs/{uuid} series.
Registered clone_vm with the persistent job store, including a persisted vm.clone retry recipe and plain-text task/job output.
Widened Paramiko runtime support to paramiko>=4.0.0,<5.0.0 so patched 4.x releases can be adopted without another upper-bound change.
Added a tracked temporary pip-audit exception for CVE-2026-44405 while PyPI has no fixed Paramiko release.
Aligned CI and documentation around full ruff check ., mypy src --ignore-missing-imports, pip-audit, and a 60% coverage gate.

get_containers now defaults include_stats=false; pass include_stats=true when per-container status/config/RRD detail is required.
clone_vm responses now include a stable Job ID in addition to the raw Proxmox task ID.
CI intentionally ignores only CVE-2026-44405 until a fixed Paramiko release is available. Remove the exception once pip-audit -r requirements.txt passes cleanly.

python -m pytest -q --cov=proxmox_mcp --cov-report=term-missing --cov-fail-under=60
python -m ruff check .
python -m mypy src --ignore-missing-imports
python -m pip_audit -r requirements.txt --ignore-vuln CVE-2026-44405
python -m build
python -m twine check dist\*