v0.3.0

Security hardening (breaking).

• Breaking: mounting /mcp without dependencies raises RuntimeError unless allow_unauthenticated=True (CWE-306)
• Outer Authorization/Cookie and client address forwarded into inner dispatch (CWE-285)
• Sensitive inner-response headers stripped from tool results (CWE-200)
• cache_ttl_seconds refreshes the tool catalog to avoid stale routes (CWE-672)
• cookie params excluded from generated tool input schemas (CWE-522)

v0.2.0 — security hardening

Full OWASP review fixes. See CHANGELOG.md for details.

v0.1.0

Initial release.

• mount_mcp(app, path="/mcp", ...) — adds JSON-RPC endpoint that exposes every HawkAPI route as an MCP tool.
• MCPServer — transport-agnostic core (initialize / ping / tools/list / tools/call / notifications).
• OpenAPI 3.1 → tool conversion. Path / query / header / body merged into a single input schema with namespaced keys.
• include_only / exclude filters.
• Batch JSON-RPC requests supported.
• Internal ASGI dispatch — tool calls run against the same app, so all middleware / auth / DI apply.
• 28 tests, ruff + pyright strict clean.
• Python 3.12 / 3.13, hawkapi>=0.1.7.