Release Notes

Bug Fixes

Windows Filename Compatibility (#774)

Fixes attachment handling on Windows systems. Gmail attachment filenames are now properly sanitized to remove invalid
characters (like :, *, ?, <, >, etc.) and Windows reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9). The
response now displays the actual sanitized filename that was saved to disk, providing clear confirmation of successful saves.
This ensures reliable cross-platform file storage for Gmail attachments.

Impact: Windows users can now save Gmail attachments without encountering "invalid filename" errors.

Calendar Date Handling Robustness (#794)

Adds defensive parsing to _correct_time_format_for_api to handle malformed date/time inputs from LLM clients. Some MCP
hosts (particularly those using certain gateway layers) double-encode JSON arguments, causing dates to arrive with literal
quote characters embedded (e.g., "\"2026-05-15T00:00:00Z\"") or literal "null" strings instead of absent parameters.
These malformed values previously caused 400 errors from the Google Calendar API.

The fix:

• Strips outer whitespace and surrounding quotes (single or double)
• Treats literal strings "null" and "none" (case-insensitive) as absent values
• Preserves correct behavior for well-formed inputs

Impact: Calendar queries now work reliably even when the MCP client serializes parameters incorrectly, eliminating
confusing "API error in get_events" failures.

New Features

OAuth Token Passthrough Mode (#756)

Enables running the MCP server without sharing the Google OAuth client secret by adding JWT signing key support to the
external OAuth 2.1 provider configuration.

With this mode, access tokens passed in the Authorization: Bearer header are validated against Google's userinfo API to
resolve the user's email, then forwarded directly to Google APIs—no client secret required on the server.

Configuration example:

MCP_ENABLE_OAUTH21=true
EXTERNAL_OAUTH21_PROVIDER=true
GOOGLE_OAUTH_CLIENT_ID=xyz.apps.googleusercontent.com
FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY=averysecretvalue

Impact: Improves security posture for deployments where client secrets cannot be safely stored on the server.

Extended Contact Fields (#773)

Adds comprehensive write support for four previously read-only contact fields: nicknames, urls, userDefined, and relations.
Each field supports merge, replace, and remove modes with intelligent deduplication.

New capabilities:

• Nicknames: Store alternative-script names for cross-language contact search (e.g., bilingual contacts)
• URLs: Manage social profiles, websites, and other links (useful for pruning defunct services)
• User-defined fields: Extract structured data from notes into queryable key-value pairs (government IDs, account numbers,
  custom dates)
• Relations: Define family/spouse relationships for voice assistant commands ("call my wife")

The implementation includes 77 new unit tests and mirrors the established pattern from PR #688. Also fixes a bug where
notes="" didn't clear biographies.

Impact: Full round-trip support for the People API's most commonly used personal contact fields.

OAuth Port Auto-Resolution (#768)

Solves multi-process OAuth conflicts by implementing late-bound port resolution with automatic fallback. Previously, when
multiple MCP processes started (common during app reloads, extension restarts, or multi-session usage), only one could claim
port 8000, causing "Port already in use" errors or silent OAuth state mismatches.

How it works:

• Probes a preferred port (default: 8000) plus a configurable fallback range (default: 4 additional ports)
• Binds the first available port and updates the OAuth redirect URI accordingly
• Each process gets its own callback listener—no cross-process state sharing needed

Configuration:
WORKSPACE_MCP_PORT=8000 # Preferred port (default)
WORKSPACE_MCP_PORT_FALLBACK_COUNT=4 # Fallback slots (5 ports total)

Compatibility:

• Desktop OAuth clients (most common): Works automatically—Google's loopback rule accepts any port on localhost
• Web OAuth clients (less common): Requires one-time registration of fallback ports in GCP Console

Impact: Eliminates OAuth failures in multi-process environments. Fixes issues #546, #667, and #754.

Enhancements

Richer File Permission Metadata (#783)

Enhances get_drive_file_permissions to return comprehensive file metadata alongside permission data:

New fields:

• Parents: Parent folder IDs (or None for root/orphaned files)
• Owners: Display name + email for each owner (handles both modern and legacy API response formats)
• Created: File creation timestamp
• Trashed: Boolean trash status
• Shared Drive ID: Conditionally included when the file resides in a shared drive

The formatted output now presents this metadata before the sharing-status block, providing complete file context at a glance.

Impact: Richer context for permission audits and file organization tasks.

Dependencies

Python Package Updates

• python-multipart: 0.0.26 → 0.0.27 (#778)
• authlib: 1.7.0 → 1.7.1 (#792)

Both updates are routine security and bug fix releases managed by Dependabot.

New Contributors

• @guifran001 made their first contribution in #756
• @oryband made their first contribution in #773
• @theparlor made their first contribution in #768
• @castigiova made their first contribution in #794

Full Changelog: v1.20.4...v1.21.0