Changelog

All notable changes to this project are documented here. This project follows Semantic Versioning.

v1.1.0

Latest

Security

  • Response size cap (1 MB) now enforced during transfer via a streaming byte-counting reader — holds even when the server omits Content-Length
  • disconnect_spotify is now confirm-gated (requires confirm: "DISCONNECT") and carries a destructive annotation
  • Hardened 429/401 retry: re-acquires the token and honors a second Retry-After, still strictly bounded (no loops)
  • Pinned transitive dependencies via overrides — npm audit (production) reports 0 vulnerabilities; SECURITY.md documents the stdio-only, transport-unreachable posture
  • Removed a redundant decrypt/re-encrypt round trip (AES-256-GCM already authenticates the ciphertext and tag on final(), so a failed tag check throws there)
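The two controls above (the streaming size cap that does not rely on Content-Length, and the bounded 401/429 retry that honors a second Retry-After) are easier to reason about in code. The following is an added example, not the project's own implementation; it assumes a Node 18+ runtime (global ReadableStream, Headers and Buffer) and takes fetchImpl, getToken and sleep as injected dependencies so it can be exercised offline against constructed responses. MAX_ATTEMPTS, ByteCounter, classify and requestCapped are names chosen here, not from the project.

```javascript
// Added example (not the project's own code): a request helper combining a
// streaming 1 MB response cap with a strictly bounded 401/429 retry.
// Assumes Node 18+ globals (ReadableStream, Headers, Buffer). fetchImpl,
// getToken and sleep are injected so the logic runs offline in tests.

const MAX_RESPONSE_BYTES = 1024 * 1024; // 1 MB cap, as in the changelog entry
const MAX_ATTEMPTS = 3;                 // initial try + at most two retries

class ResponseTooLargeError extends Error {
  constructor(limit, seen) {
    super(`response exceeded ${limit} bytes (saw ${seen})`);
    this.name = 'ResponseTooLargeError';
  }
}

// Counts bytes as chunks arrive and throws the moment the cap is crossed.
// Pure and synchronous, so it is testable without any network.
class ByteCounter {
  constructor(limit = MAX_RESPONSE_BYTES) {
    this.limit = limit;
    this.seen = 0;
    this.chunks = [];
  }
  push(chunk) {
    this.seen += chunk.byteLength;
    if (this.seen > this.limit) throw new ResponseTooLargeError(this.limit, this.seen);
    this.chunks.push(chunk);
    return this.seen;
  }
  bytes() { return Buffer.concat(this.chunks); }
}

// Builds a web ReadableStream from constructed chunks (demo/test helper).
function streamOf(chunks) {
  return new ReadableStream({
    start(controller) {
      for (const c of chunks) controller.enqueue(c);
      controller.close();
    },
  });
}

// Reads a fetch Response.body under the cap. Content-Length is never consulted:
// bytes are counted as they are actually received, and the stream is cancelled
// on overflow so the connection is not left draining a huge body.
async function readCapped(stream, limit = MAX_RESPONSE_BYTES) {
  const counter = new ByteCounter(limit);
  const reader = stream.getReader();
  try {
    for (;;) {
      const { value, done } = await reader.read();
      if (done) break;
      counter.push(value);
    }
  } catch (err) {
    await reader.cancel().catch(() => {});
    throw err;
  }
  reader.releaseLock();
  return counter.bytes();
}

// Retry-After in seconds (the form Spotify sends) converted to milliseconds;
// a conservative fallback applies when the header is missing or malformed.
function retryAfterMs(headers, fallbackMs = 1000) {
  const raw = headers.get('retry-after');
  const secs = raw === null ? NaN : Number(raw);
  return Number.isFinite(secs) && secs >= 0 ? secs * 1000 : fallbackMs;
}

// Maps a status and attempt number to one action. The attempt bound is checked
// before anything else, so this can never request an unbounded retry.
function classify(status, attempt, maxAttempts = MAX_ATTEMPTS) {
  if (status < 400) return 'ok';
  if (attempt >= maxAttempts) return 'fail';
  if (status === 401) return 'refresh'; // token stale: re-acquire and retry
  if (status === 429) return 'wait';    // rate limited: honor Retry-After
  return 'fail';
}

async function requestCapped(url, { fetchImpl, getToken, sleep }, opts = {}) {
  const limit = opts.limit ?? MAX_RESPONSE_BYTES;
  const maxAttempts = opts.maxAttempts ?? MAX_ATTEMPTS;
  let forceRefresh = false;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const token = await getToken(forceRefresh);
    forceRefresh = false;
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
    const action = classify(res.status, attempt, maxAttempts);
    if (action === 'ok') {
      return { status: res.status, body: await readCapped(res.body, limit), attempts: attempt };
    }
    if (res.body) await res.body.cancel().catch(() => {}); // drop error bodies unread
    if (action === 'fail') throw new Error(`HTTP ${res.status} after ${attempt} attempt(s)`);
    if (action === 'refresh') forceRefresh = true;
    else await sleep(retryAfterMs(res.headers));
  }
  throw new Error('unreachable: attempt loop always returns or throws');
}
```

With MAX_ATTEMPTS set to 3, a 429 on the first try waits for Retry-After, a second 429 waits for the second Retry-After, and a third failure is reported rather than retried; a 401 triggers exactly one forced token re-acquisition on the next attempt. Because the byte count is taken from the chunks actually received, a server that omits or understates Content-Length cannot bypass the cap.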

Changed

  • remove_tracks_from_playlist now enforces the 100-URI cap in the API layer as well as the schema
  • Test suite expanded from 99 to 112 tests

v1.0.0

Added

  • Initial release
  • Tools: search_tracks, create_playlist, add_tracks_to_playlist, remove_tracks_from_playlist, get_playlist, get_my_playlists, disconnect_spotify
  • Prompts: create_mood_playlist, create_thematic_playlist, discover_similar, create_narrative_playlist, create_era_blend
  • Resources: spotify-profile, spotify-auth-status
  • OAuth 2.0 PKCE authentication flow (no client secret needed)
  • AES-256-GCM encrypted token storage at rest
  • Adaptive rate limiting with 429/Retry-After handling
  • Automatic token refresh on expiry
  • Comprehensive error handling with user-friendly MCP error messages
  • Full test suite — 99 tests across 9 test files
  • Feb 2026 Spotify API compliance (uses /items endpoints)
  • Cross-platform support: Windows, macOS, Linux
  • CI pipeline: Node 20, 22, 24 on Ubuntu, Windows, macOS