MCP tool annotations on all 56 tools: readOnlyHint: true on read-only
tools, destructiveHint: true on destructive ones (user deletion, password
reset, shutdown/restart, stopping sessions, resume-state clears, Quick
Connect authorization), so MCP clients can route destructive calls to human
approval. The confirm: true gate remains as a second layer.
Fixed
Strip the draft-07 $schema the MCP SDK stamps on tool schemas; Anthropic
rejects it when the full tool set is sent (e.g. on subagent spawns).
JELLYFIN_TIMEOUT is validated: non-numeric, zero, or negative values now
warn on stderr and fall back to the 30s default instead of producing a NaN
that aborted every request after ~1ms.
Server name and version are derived from package.json instead of
duplicated literals, so the advertised MCP version can no longer drift from
the published package version.
Security
JELLYFIN_VERIFY_SSL=false now relaxes TLS certificate validation for the
Jellyfin connection only, via a per-request undici dispatcher, instead of
the process-global NODE_TLS_REJECT_UNAUTHORIZED which disabled validation
for every outbound TLS connection.
Upstream Jellyfin error response bodies are no longer returned to the MCP
client; results carry the status summary only and the full body is logged
to stderr for operators.
jellyfin_set_user_password now warns (tool description and README) that
the plaintext password transits the LLM conversation and provider logs.
Changed
CI: the test step no longer uses continue-on-error, so test failures fail
the build and gate the publish job.