github RekklesNA/ProxmoxMCP-Plus v0.5.0

2 hours ago

This release changes the OpenAPI security baseline. OpenAPI mode now refuses to start without PROXMOX_API_KEY unless PROXMOX_ALLOW_NO_AUTH=true is explicitly set for local unauthenticated development. HTTP clients must send Authorization: Bearer <PROXMOX_API_KEY>.

Highlights

  • OpenAPI auth is enforced by a project-owned middleware using constant-time API key comparison.
  • Auth failures now pass through the rate limiter, so repeated 401/403 responses can be throttled.
  • /livez provides unauthenticated process liveness, while /readyz and /health remain authenticated readiness endpoints.
  • Live E2E OpenAPI checks now set PROXMOX_API_KEY and send Bearer auth to /health and /openapi.json.
  • OpenAPI examples now include Authorization headers.
  • scripts/start_openapi.sh now launches the proxy with .venv/bin/python and checks mcpo in that virtual environment.
  • Paramiko is upgraded to >=5.0.0,<6.0.0, removing the temporary CVE-2026-44405 audit exception.

Upgrade Notes

  • Set PROXMOX_API_KEY before starting OpenAPI mode through Docker, Compose, or python -m proxmox_mcp.openapi_proxy.
  • Update HTTP/OpenAPI clients to include Authorization: Bearer <PROXMOX_API_KEY>.
  • Use /livez for unauthenticated container or orchestrator liveness checks.
  • Use /readyz or /health with auth when you need MCP backend readiness details.
  • Only set PROXMOX_ALLOW_NO_AUTH=true for local development where unauthenticated access is intentional.
  • Paramiko 5 removes legacy RSA/SHA-1 signatures, SHA-1 key exchange algorithms, and GSSAPI support. Update old SSH endpoints before upgrading if they depend on those algorithms.
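
The auth behaviour described in the Highlights and Upgrade Notes (fail-closed startup, constant-time Bearer check, unauthenticated /livez, throttling of repeated auth failures), as an added stdlib-only sketch that is not the project's middleware. The names BearerAuth, load_api_key, backend and probe, the per-IP failure counter and its limits are assumptions made for this example.

```python
import asyncio, hmac, json, os, time
from collections import defaultdict

PUBLIC_PATHS = {"/livez"}  # liveness only; /readyz and /health stay authenticated

def load_api_key(env=os.environ):
    """Fail closed: refuse to start without a key unless the dev override is set."""
    key = env.get("PROXMOX_API_KEY", "")
    if not key and env.get("PROXMOX_ALLOW_NO_AUTH") != "true":
        raise RuntimeError("PROXMOX_API_KEY is required in OpenAPI mode")
    return key or None  # None = explicit unauthenticated local development

class BearerAuth:  # hypothetical name; pure-ASGI middleware, stdlib only
    def __init__(self, app, api_key, max_failures=3, window=60.0):
        self.app, self.key, self.failures = app, api_key, defaultdict(list)
        self.max_failures, self.window = max_failures, window  # assumed limits

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or self.key is None or scope["path"] in PUBLIC_PATHS:
            return await self.app(scope, receive, send)
        ip = (scope.get("client") or ("unknown", 0))[0]
        now = time.monotonic()
        recent = self.failures[ip] = [t for t in self.failures[ip] if now - t < self.window]
        if len(recent) >= self.max_failures:  # throttle before checking the key
            return await self._reply(send, 429, "too many failed auth attempts")
        header = dict(scope["headers"]).get(b"authorization", b"")
        scheme, _, token = header.partition(b" ")  # token is compared in constant time
        if scheme.lower() != b"bearer" or not hmac.compare_digest(token, self.key.encode()):
            recent.append(now)  # failed attempts count toward the limiter
            return await self._reply(send, 401, "invalid or missing bearer token")
        await self.app(scope, receive, send)

    async def _reply(self, send, status, detail):
        await send({"type": "http.response.start", "status": status,
                    "headers": [(b"content-type", b"application/json")]})
        await send({"type": "http.response.body", "body": json.dumps({"detail": detail}).encode()})

async def backend(scope, receive, send):  # constructed stand-in for the proxied app
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def probe(app, path, token=None):
    """Send one constructed request through the ASGI app and return its status."""
    sent = []
    headers = [(b"authorization", b"Bearer " + token.encode())] if token else []
    scope = {"type": "http", "path": path, "headers": headers, "client": ("127.0.0.1", 0)}
    async def send(msg): sent.append(msg)
    asyncio.run(app(scope, None, send))
    return sent[0]["status"]
```

Because the limiter is consulted before the key is checked, a client that has exhausted its failure budget gets 429 even for a correct key until the window expires, which is what keeps the throttle meaningful against guessing.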

Validation

  • pytest -q --cov=proxmox_mcp --cov-report=term-missing --cov-fail-under=60
  • ruff check .
  • mypy src --ignore-missing-imports
  • pip-audit -r requirements.txt
  • python -m build
