chore: prepare v1.52.0 release (#339)

erraggy · claude · github-actions[bot] · web-flow · commit d5a1bf18b01d · 2026-02-20T22:44:42.000-08:00
* fix: address code review findings before v1.52.0 release

- Add package prefix to RejectSymlinkOutput error messages
- Document intentional race trade-off in pattern cache eviction
- Narrow MCP sanitizeError regex to filesystem paths only
- Change WithMaxFileSize signature from int64 to int for API consistency
- Use allowlist sanitization for discriminator JSON names

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* chore: bump plugin version to 1.52.0

* chore: add benchmark results for v1.52.0

Generated by CI benchmark workflow on chore/v1.52.0-release-prep

🤖 Generated automatically

---------

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json
@@ -10,7 +10,7 @@
     {
       "name": "oastools",
       "description": "15 MCP tools and 5 guided skills for working with OpenAPI specs — validate, fix, convert, diff, join, overlay, generate, and walk operations/schemas/parameters/responses/security/paths",
-      "version": "1.51.6",
+      "version": "1.52.0",
       "author": {
         "name": "erraggy",
         "url": "https://github.com/erraggy"
diff --git a/benchmarks/benchmark-v1.52.0.txt b/benchmarks/benchmark-v1.52.0.txt
diff --git a/cmd/oastools/commands/common.go b/cmd/oastools/commands/common.go
@@ -134,10 +134,10 @@ func RejectSymlinkOutput(cleanedPath string) error {
 		return nil
 	}
 	if err != nil {
-		return fmt.Errorf("checking output path: %w", err)
+		return fmt.Errorf("commands: checking output path: %w", err)
 	}
 	if info.Mode()&os.ModeSymlink != 0 {
-		return fmt.Errorf("refusing to write to symlink: %s", cleanedPath)
+		return fmt.Errorf("commands: refusing to write to symlink: %s", cleanedPath)
 	}
 	return nil
 }
diff --git a/generator/template_builders.go b/generator/template_builders.go
@@ -444,10 +444,14 @@ func (cg *oas3CodeGenerator) buildOneOfTypeDefinition(typeName, originalName str
 	if schema.Discriminator != nil && schema.Discriminator.PropertyName != "" {
 		oneOfData.Discriminator = schema.Discriminator.PropertyName
 		oneOfData.DiscriminatorField = toFieldName(schema.Discriminator.PropertyName)
-		// Sanitize the discriminator property name to prevent injection in generated code
-		jsonName := schema.Discriminator.PropertyName
-		jsonName = strings.ReplaceAll(jsonName, `"`, "")
-		jsonName = strings.ReplaceAll(jsonName, "`", "")
+		// Sanitize the discriminator property name to prevent injection in generated code.
+		// Only allow alphanumeric, underscore, hyphen, and dot — safe for JSON struct tags.
+		jsonName := strings.Map(func(r rune) rune {
+			if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == '_' || r == '-' || r == '.' {
+				return r
+			}
+			return -1 // drop unsafe characters
+		}, schema.Discriminator.PropertyName)
 		oneOfData.DiscriminatorJSONName = jsonName
 		oneOfData.HasUnmarshal = true
 
diff --git a/httpvalidator/schema.go b/httpvalidator/schema.go
@@ -531,6 +531,9 @@ func (v *SchemaValidator) matchPattern(pattern, s string) (bool, error) {
 
 	// Size cap: if cache exceeds limit, clear and start fresh.
 	// This prevents unbounded growth from specs with many unique patterns.
+	// NOTE: The count check and clear are not atomic — under high concurrency,
+	// multiple goroutines may clear simultaneously. This is acceptable because
+	// the cache is a performance optimization; worst case is extra recompilation.
 	if v.patternCount.Add(1) > maxPatternCacheSize {
 		v.patternCache.Range(func(key, _ any) bool {
 			v.patternCache.Delete(key)
diff --git a/internal/mcpserver/server.go b/internal/mcpserver/server.go
@@ -175,7 +175,7 @@ func makeSlice[T any](n int) []T {
 
 // sanitizeError strips absolute filesystem paths from error messages
 // to prevent leaking internal directory structure to MCP clients.
-var pathPattern = regexp.MustCompile(`(?:/[a-zA-Z0-9._-]+){2,}`)
+var pathPattern = regexp.MustCompile(`(?:/(?:home|tmp|var|Users|etc|opt|usr|private|root|mnt|srv|run|snap|nix)[a-zA-Z0-9._/-]*)`)
 
 func sanitizeError(err error) string {
 	if err == nil {
diff --git a/parser/parser_options.go b/parser/parser_options.go
@@ -294,12 +294,12 @@ func WithMaxCachedDocuments(count int) Option {
 // This prevents resource exhaustion from loading arbitrarily large files.
 // A value of 0 means use the default (10MB).
 // Returns an error if size is negative.
-func WithMaxFileSize(size int64) Option {
+func WithMaxFileSize(size int) Option {
 	return func(cfg *parseConfig) error {
 		if size < 0 {
 			return fmt.Errorf("parser: maxFileSize cannot be negative")
 		}
-		cfg.maxFileSize = size
+		cfg.maxFileSize = int64(size)
 		return nil
 	}
 }
diff --git a/plugin/.claude-plugin/plugin.json b/plugin/.claude-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
   "name": "oastools",
   "description": "OpenAPI Specification tools — validate, fix, convert, diff, walk, and generate from OAS 2.0-3.2 documents",
-  "version": "1.51.6",
+  "version": "1.52.0",
   "author": {
     "name": "erraggy",
     "url": "https://github.com/erraggy"

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`{`
`11`	`11`	`"name": "oastools",`
`12`	`12`	`"description": "15 MCP tools and 5 guided skills for working with OpenAPI specs — validate, fix, convert, diff, join, overlay, generate, and walk operations/schemas/parameters/responses/security/paths",`
`13`		`- "version": "1.51.6",`
	`13`	`+ "version": "1.52.0",`
`14`	`14`	`"author": {`
`15`	`15`	`"name": "erraggy",`
`16`	`16`	`"url": "https://github.com/erraggy"`
Original file line number	Diff line number	Diff line change
`@@ -134,10 +134,10 @@ func RejectSymlinkOutput(cleanedPath string) error {`
`134`	`134`	`return nil`
`135`	`135`	`}`
`136`	`136`	`if err != nil {`
`137`		`- return fmt.Errorf("checking output path: %w", err)`
	`137`	`+ return fmt.Errorf("commands: checking output path: %w", err)`
`138`	`138`	`}`
`139`	`139`	`if info.Mode()&os.ModeSymlink != 0 {`
`140`		`- return fmt.Errorf("refusing to write to symlink: %s", cleanedPath)`
	`140`	`+ return fmt.Errorf("commands: refusing to write to symlink: %s", cleanedPath)`
`141`	`141`	`}`
`142`	`142`	`return nil`
`143`	`143`	`}`
Original file line number	Diff line number	Diff line change
`@@ -294,12 +294,12 @@ func WithMaxCachedDocuments(count int) Option {`
`294`	`294`	`// This prevents resource exhaustion from loading arbitrarily large files.`
`295`	`295`	`// A value of 0 means use the default (10MB).`
`296`	`296`	`// Returns an error if size is negative.`
`297`		`-func WithMaxFileSize(size int64) Option {`
	`297`	`+func WithMaxFileSize(size int) Option {`
`298`	`298`	`return func(cfg *parseConfig) error {`
`299`	`299`	`if size < 0 {`
`300`	`300`	`return fmt.Errorf("parser: maxFileSize cannot be negative")`
`301`	`301`	`}`
`302`		`- cfg.maxFileSize = size`
	`302`	`+ cfg.maxFileSize = int64(size)`
`303`	`303`	`return nil`
`304`	`304`	`}`
`305`	`305`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "oastools",`
`3`	`3`	`"description": "OpenAPI Specification tools — validate, fix, convert, diff, walk, and generate from OAS 2.0-3.2 documents",`
`4`		`- "version": "1.51.6",`
	`4`	`+ "version": "1.52.0",`
`5`	`5`	`"author": {`
`6`	`6`	`"name": "erraggy",`
`7`	`7`	`"url": "https://github.com/erraggy"`