MCP/mcaxl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
mcaxl/docs/query-patterns
History
Ryan Malloy 0691ba8c46 2026.04.27.1: same-day post-release PII scrub 
The original 2026.04.27 was published-then-deleted from PyPI within
hours after a stricter audit (against the unpacked sdist, not just
curated source paths) found cluster-fingerprint content that the
pre-publish grep had missed. This release supersedes the deleted one;
no functional differences.

Issues found in 2026.04.27 that this fixes:

1. docs/query-patterns/sip-trunk-report.md — "Live result snapshot"
   section (38 lines) contained the live cluster's actual SIP trunk
   inventory: real hostnames (exp-c-p.binghammemorial.org), real
   internal IPs (172.20.6.99, .104, .105, .114, .120, .222, plus
   172.20.2.22, 172.20.14.105, 172.24.10.10), real trunk-name +
   description rows. Section removed entirely. The query-pattern doc
   itself still ships — schema/SQL guidance is generic and useful.
   One inline FQDN example (`exp-c-p.binghammemorial.org`) replaced
   with `exp-c-p.example.com`. Status line that named the specific
   maintenance release (`Validated against CUCM 15.0.1.12900-234 on
   2026-04-25.`) genericized to `Validated against CUCM 15.`

2. .mcp.json shipping in sdist with `/home/rpm/bingham/axl` as the
   `--directory` argument. Local filesystem path = hostname leak.
   Added to `[tool.hatch.build.targets.sdist] exclude`. File stays
   in the source repo for development; no longer ships.

3. pyproject.toml comment about the audit workflow ironically
   contained the literal word "bingham" as the example grep token.
   Rewritten to use "site-specific tokens" generically.

Audit verification (against the unpacked sdist this time):
  tar -xzf dist/mcaxl-2026.4.27.1.tar.gz -C /tmp/sdist-inspect
  grep -rnEi 'bingham|binghammemorial|10\.[0-9]+\.[0-9]+\.[0-9]+|
              172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+|
              192\.168\.[0-9]+\.[0-9]+|SupportedSystems|CCX-AXL|
              CER-AXL|CUC-AXL|TabSync|variphy|15\.0\.1\.12900|
              production cluster|/home/rpm|cucm-pub\.bingham'
       /tmp/sdist-inspect/
  → returns empty (verified)

Tests still 155/155.

Lesson encoded for next time: the pre-publish audit MUST run against
the unpacked sdist, not just the four explicitly-named paths in the
python.md rule (src/, tests/, README.md, pyproject.toml, .env.example).
The sdist also pulls in docs/, top-level dotfiles, and uv.lock.
CHANGELOG.md spells this out in the post-release note for next time.
2026-04-27 13:07:38 -06:00
..
sip-trunk-report.md
2026.04.27.1: same-day post-release PII scrub
2026-04-27 13:07:38 -06:00