v0.21.1

This release fixes a critical startup crash caused by an upstream dependency break and ships a few community-contributed features that landed on main since v0.21.0.

🐛 Fixed

Server / Transport

• Startup crash on fresh uvx installs: fakeredis 2.35.0 renamed FakeConnection without a backward-compatible alias, breaking pydocket's runtime import and making FastMCP's lifespan fail with ImportError: cannot import name 'FakeConnection' from 'fakeredis.aioredis'. Pinned fakeredis>=2.32.1,<2.35.0 as a downstream constraint until upstream ships a fix. Users no longer need the --with fakeredis==2.34.1 workaround (#1250, fixes #1248).

Confluence

• include_content test coverage and descriptions: Follow-up hardening for the new include_content option (#1099).

✨ Features

Confluence

• include_content on create/update: confluence_create_page and confluence_update_page now accept an include_content flag so callers can skip echoing full page bodies back in responses (#1098).
• confluence_get_space_page_tree: New tool for discovering a space's page hierarchy in a single call (#1090).

Deployment

• Helm: OAuth proxy + client storage configuration: Helm chart now exposes FastMCP auth's OAuth proxy and client storage settings so operators can configure them declaratively (#1084).

Contributors

Thanks to @kimoto, @Poggen, and @Troubladore!

Full Changelog: v0.21.0...v0.21.1

v0.21.0

This release adds 4 new tools (sprint management, page moves, page diffs, comment replies), OAuth proxy support, markdown table rendering, and multiple content processing fixes.

✨ Features

Jira

• Sprint Management: Move issues between sprints with the new jira_add_issues_to_sprint tool (#1078)
• Cloud Search Pagination: jira_search now returns next_page_token for cursor-based pagination on Cloud (#1079)
• Field Options Filtering: jira_get_field_options supports contains, return_limit, and values_only params for targeted lookups (#1074)
• Markdown Tables: Markdown tables in descriptions and comments are now converted to native ADF table nodes on Cloud (#1089)

Confluence

• Move Pages: Relocate pages between parents or spaces with the new confluence_move_page tool (#1080)
• Page Version Diff: Compare two page versions with the new confluence_get_page_diff tool (#1083)
• Comment Replies: Reply to existing comments with the new confluence_reply_to_comment tool (#1070)
• Page Width Layout: Library-level support for controlling page width (default / full-width) on Cloud. Available via the Confluence fetcher API; MCP tool integration planned for a future release (#1091)
• Server/DC User Search: confluence_search_user now supports Server/DC via group member fallback (#1081)

Authentication

• OAuth Proxy: Opt-in OAuth 2.0 proxy with Dynamic Client Registration (DCR), PKCE, consent flow, and grant type hardening (#1054)
• Header Auth Bypass: New IGNORE_HEADER_AUTH env var to ignore proxy-injected Authorization headers and use server-configured credentials (#1073)

🐛 Fixed

Jira

• Code Block Corruption: {code} and {noformat} blocks in Server/DC wiki markup are now protected from markup conversion corruption (#1059)
• Custom Field Preservation: Complex custom field values (nested objects, arrays) are no longer silently converted to strings (#1058)
• Panel Block Handling: {panel} blocks and bare URLs in wiki markup are now correctly converted to markdown (#1055)
• Field Name Matching: fixVersions, issuetype, and other API field names are now correctly recognized in should_include_field checks, fixing field exclusion when users request specific fields (#1076)

Preprocessing

• Code Span Truncation: Inline code spans (<code>) are no longer broken by HTML content truncation (#1094)

🔒 Security

• URL Validation Bypass: Prevented SSRF allowlist bypass where evil-atlassian.net could match the atlassian.net domain check — now uses strict .{domain} suffix matching (#1087)

Contributors

Thanks to @Poggen, @Troubladore, @djb2c, @Lama9, @iiiokojiadbi, @Arbuzov, @solganik, @johnny, @pibylick, @nulvox, @yliu, and @reneleonhardt!

Full Changelog: v0.20.1...v0.21.0

v0.20.1

This release fixes error handling for the ServiceDesk comment API on non-JSM projects.

🐛 Fixed

Jira

• ServiceDesk 403 handling: Non-JSM projects return 403 Forbidden (not 404) from the ServiceDesk API when using the public parameter for internal/external comments. The error message now clearly indicates the issue is not a JSM service desk project or the user lacks permission (#1051)

Full Changelog: v0.20.0...v0.20.1

v0.20.0

This release adds JSM internal comment support, a Kubernetes Helm chart, and fixes for worklog ADF handling and tool parameter naming.

✨ Features

Jira

• JSM Internal Comments: New public parameter on add_comment tool for Jira Service Management issues. Set public=true for customer-visible comments or public=false for internal agent-only comments. Routes through the ServiceDesk API with plain text body (#1049, fixes #867)

Deployment

• Kubernetes Helm Chart: Deploy mcp-atlassian on Kubernetes with a full-featured Helm chart supporting all auth modes, transport types (stdio/SSE/streamable-HTTP), HPA, ingress, PVC for OAuth tokens, and RBAC (#737, #1048)

🐛 Fixed

Jira

• Worklog ADF Comments on Cloud: Worklog comments were silently dropped on Cloud because ADF dicts from _markdown_to_jira() were posted to the v2 API which ignores them. Now routes through v3 API when the comment is ADF, matching the existing pattern in comments (#1047, fixes #1045)

Server

• Tool Parameter Naming: Aligned MCP tool parameter names with their response field names for consistency — comment_body → body, issue_description → description, etc. (#1044)
• Descriptive Error Messages: Tool handlers now return specific error descriptions instead of generic messages (#1010)

📚 Documentation

• Updated parameter names in documentation to match the tool renames (#1046)

Contributors

Thanks to @antweiss, @baumgold, and @hteichmann-strato!

Full Changelog: v0.19.0...v0.20.0

v0.19.0

This release adds toolset-based tool filtering for granular control over which tools are exposed, OS native trust store support for enterprise SSL environments, and Jira issue watcher tools.

✨ Features

Server

• Toolset-Based Tool Filtering: New TOOLSETS env var groups 68 tools into 21 named toolsets (15 Jira, 6 Confluence) for granular control. Supports all, default, and comma-separated names. All toolsets enabled by default — in v0.22.0 the default will change to 6 core toolsets only (#1041, #1043)

Jira

• Issue Watcher Tools: New jira_get_issue_watchers, jira_add_watcher, and jira_remove_watcher tools for managing issue watchers. Write operations respect READ_ONLY_MODE (#1039, fixes #1032)

Authentication

• OS Native Trust Store: SSL connections now verify certificates against the OS trust store (Windows Certificate Store, macOS Keychain, Linux system CAs) via truststore, enabling enterprise environments with internal CAs to connect without disabling SSL verification. Opt out with MCP_ATLASSIAN_USE_SYSTEM_TRUSTSTORE=false (#976)

🐛 Fixed

Jira

• JiraUser Username/Key Fields: JiraUser.from_api_response() was mapping displayName to both display_name and name, discarding the login username needed for Server/DC [~username] mentions. Now preserves username and user_key fields separately (#1038, fixes #1031)
• Underscore in Project Keys: Issue key patterns like D_DEV-123 were not recognized in both server tools and preprocessing due to missing _ in regex character classes (#1030, #1035)
• Windows Timestamp Overflow: Jira DC sentinel dates (year 9999) caused OverflowError/OSError on Windows. parse_date now catches these and returns None gracefully (#1037, fixes #1033)

Authentication

• Truststore Env Var Parsing: Fixed AttributeError when .env contains a bare key (no = sign) — dotenv_values() returns None which broke .lower() at import time (#1036)

Server / Transport

• Allowlisted Domains Bypass DNS: Domains in ALLOWED_DOMAINS now bypass DNS resolution checks, fixing false rejections for internal hostnames (#1005)

🧪 Testing

• Test Reclassification: Mock-based integration tests moved to unit tests, model tests split to match source structure, Cloud/Server pairs parametrized (#1015, #1016, #1021)

📚 Documentation

• Auto-Generated Tool Reference: Full reference pages for all 68 MCP tools with parameters, examples, and toolset tags (#1017)
• New Guides: JQL/CQL query guides, workflow recipes, SLA metrics, Docker deployment, and expanded troubleshooting (#1018, #1019)

Contributors

Thanks to @tsondergaard, @fatherlinux, @alvaroEset, and @bbkmike!

Full Changelog: v0.18.0...v0.19.0

v0.18.1

This release fixes allowlisted domains being incorrectly blocked by the SSRF DNS resolution check.

🐛 Fixed

Server / Transport

• Allowlisted domains bypass DNS resolution check: When MCP_ALLOWED_URL_DOMAINS was set, internal hosts resolving to private IPs (e.g. 10.x.x.x) were still blocked by the DNS check. Allowlisted domains now return early before DNS resolution, while hard-blocked hostnames (localhost, metadata.google.internal) and IP literal checks remain enforced (#1005, fixes #1002)

Contributors

Thanks to @autumnjava for reporting!

Full Changelog: v0.18.0...v0.18.1

v0.18.0

This release adds inline image rendering for both Jira and Confluence, ADF write support for Jira Cloud, and fixes several bugs including stateless HTTP mode and Server/DC user lookup.

✨ Features

Jira

• Inline Image Rendering: New jira_get_issue_images tool returns issue image attachments as base64 ImageContent for direct LLM vision processing. Shared MIME detection extracted to utils/media.py (#1001)
• ADF Write Support: Markdown descriptions and comments are now converted to Atlassian Document Format on Jira Cloud, enabling rich text formatting (bold, italic, lists, code blocks, headings, links, blockquotes) via the v3 REST API (#994)

Confluence

• Inline Image Rendering: New confluence_get_page_images tool returns page image attachments as base64 ImageContent with two-tier MIME detection and 50MB size limit (#992)
• ac:image Markdown Conversion: Confluence <ac:image> XML tags are now converted to standard markdown image syntax during page preprocessing, with support for both attachment references and external URLs (#991)

🐛 Fixed

Jira

• ADF Payloads Routed Through v3 API: atlassian-python-api sends to /rest/api/2/ by default, which rejects ADF dict payloads. Added _post_api3()/_put_api3() helpers to route create/update/comment operations through /rest/api/3/ when the payload contains ADF (#1003, fixes #994)
• Server/DC User Lookup by Email: Replaced fragile key/username heuristic that misclassified usernames like j-smith2 as Jira keys. Email identifiers now resolve via /rest/api/2/user/search before profile fetch (#999, #998)
• Checklist Array Passthrough: Server/DC checklist fields with schema.type: "array" are now passed through unchanged instead of being incorrectly formatted as strings (#993)
• Attachment Size Limit: Added 50MB size guard to Jira attachment downloads to prevent OOM, matching existing Confluence behavior (#990)

Confluence

• In-Memory Attachment Downloads: Added fetch_attachment_content() to Confluence, eliminating duplicated inline download logic in server tools (#989)

Server / Transport

• Stateless HTTP Mode: stateless_http was broken since v0.13.1 because the global settings mutation happened after FastMCP.__init__() had already snapshotted them. Now passed explicitly via run_kwargs (#1000, fixes #997)

🧪 Testing

• 24 New E2E Tests: Image tools (DC+Cloud), ADF write round-trip (Cloud), user email resolution (DC), and ac:image conversion (#1004)

Contributors

Thanks to @kalabj, @TerminalGravity, @sigismund, @miwamoto, and @gudim!

Full Changelog: v0.17.0...v0.18.0

v0.17.0

This release fixes two security vulnerabilities, adds new Jira features, and includes multiple bug fixes and hardening improvements.

🔒 Security

• Path Traversal Guard: Confluence attachment downloads now validate paths against directory traversal attacks via validate_safe_path() with symlink resolution. Jira guards refactored to use the same shared utility. Fixes GHSA-xjgw-4wvw-rgm4 (#987)
• SSRF Protection: Header-based URLs (X-Atlassian-*-Url) are now validated against SSRF — blocks private IPs, DNS rebinding, and redirect-based attacks. Optional domain allowlist via MCP_ALLOWED_URL_DOMAINS. Fixes GHSA-7r34-79r5-rcc9 (#986)
• Credential Logging Removal: Removed OAuth token/secret logging from token exchange and response flows (#949)

✨ Features

Jira

• Service Desk Queue Support: New jira_get_service_desk_queues, jira_get_queue_issues, and jira_get_queue_details tools for Server/DC (#979)
• Project Components Tool: New jira_get_project_components tool to retrieve project components (#873)

🐛 Fixed

Jira

• Epic Link Aliases: epicKey, epic_link, epicLink, and "Epic Link" now resolve correctly in create/update operations (#970)
• JQL Reserved Words: Project keys matching JQL reserved words (e.g., IF, AND) are now auto-quoted (#967)
• update_issue Fields Parameter: Accepts JSON string input (not just dict), consistent with other tools after schema compatibility changes (#973)

Confluence

• Double /wiki Prefix: Fixed URL construction in analytics and v2 adapter that prepended /wiki twice on Cloud (#964)

Dependencies

• Python & Dependency Upgrades: Upgraded Python version in Docker and ran uv lock --upgrade to resolve Trivy scan vulnerabilities (#977)
• markdown-to-confluence Minimum: Bumped to >=0.3.4 to prevent ModuleNotFoundError on md2conf.metadata (#980)

🧪 Testing

• E2E Test Suites: Added DC (61 tests) and Cloud (48 tests) end-to-end test suites with auth matrix coverage (#963)
• Security Regression Tests: Path traversal and JQL sanitization regression tests (#983)

Contributors

Thanks to @elisa-tfager, @hteichmann-strato, @JakubAnderwald, @legard, @ilgaur, and @yotampe-pluto!

Full Changelog: v0.16.1...v0.17.0

v0.16.1

This release fixes Confluence Cloud URL construction, adds AI platform schema compatibility, and patches a ReDoS vulnerability.

🐛 Fixed

Confluence

• Double /wiki Prefix in Cloud URLs: base_url already includes /wiki for Cloud instances (auto-appended by atlassian-python-api), but five URL constructions in v2_adapter.py and analytics.py were prepending it again — producing 404s for analytics views, page attachments, and attachment CRUD operations (#964, fixes #962)

Jira

• ReDoS in Citation Regex: Citation regex in jira_get_issue used overlapping alternation that caused catastrophic backtracking on unmatched ?? markers — replaced with non-overlapping linear-time pattern (#948)

Server

• AI Platform Schema Compatibility: Add server-level anyOf flattening to fix JSON Schema incompatibilities with Vertex AI / Google ADK, Gemini, LiteLLM, and other AI platforms — 314 compatibility tests validate all tool schemas (d57b7fd, fixes #640, #733, #541, #484)

🧪 Testing

• E2E Test Suites: DC E2E (61 tests) and Cloud E2E (48 tests) covering auth matrix, service-specific operations, and MCP tool-level tests via FastMCPTransport (#963)

📚 Documentation

• AI Platform Compatibility Page: Platform matrix with schema compatibility details and setup notes for GitHub Copilot, Vertex AI / Google ADK, and ChatGPT (e0beb97, a00fa4e)

Contributors

Thanks to @johnny, @wallacekabum, @XinyueZ, @CatsMiaow, and @stephen-galea-weavr!

Full Changelog: v0.16.0...v0.16.1

v0.16.0

This release adds OAuth 2.0 for Atlassian Data Center, Basic Auth multi-user support for MCP gateways, and several auth reliability fixes.

✨ Features

Authentication

• OAuth 2.0 for Data Center: Extend OAuth support to Atlassian Server/Data Center instances with service-specific env vars (JIRA_OAUTH_CLIENT_ID, CONFLUENCE_OAUTH_CLIENT_ID), DC-specific token/authorize URLs, and keyring key namespacing (#952, fixes #527)
• Basic Auth Multi-User: Parse Authorization: Basic <base64(email:api_token)> headers in middleware for multi-user MCP gateway scenarios, creating per-request fetchers with individual Atlassian Cloud credentials (#955, fixes #380)
• BYOT OAuth Without URLs: ATLASSIAN_OAUTH_ENABLE=true now works as a fallback when no service URL is configured, enabling Bring Your Own Token mode where users provide OAuth tokens via per-request headers (#956, fixes #698)
• Configurable HTTP Timeout: New JIRA_TIMEOUT and CONFLUENCE_TIMEOUT env vars (default 75s) propagated to atlassian-python-api client constructors (#950, fixes #891)

🐛 Fixed

Authentication

• Bearer Token Disambiguation: Server/DC users sending Bearer-prefixed PATs no longer trigger OAuth flow errors — the dependency layer now resolves Bearer tokens as OAuth or PAT based on global config context (#953, fixes #892)
• .netrc Credential Override: Explicit PAT/OAuth credentials are no longer silently overridden by ~/.netrc entries — trust_env=False is set when explicit auth is provided (#951, fixes #860)

Jira

• Server/DC Createmeta Endpoint: Switch to new paginated createmeta endpoints (/issue/createmeta/{project}/issuetypes) for Jira 9.x+, fixing jira_get_field_options, get_required_fields, and get_project_issue_types returning empty results on modern Server/DC (#958)

🧪 Testing

• OAuth Refresh Failure: Regression tests for the OAuth refresh token failure when PAT/Bearer tokens are sent to a server with ATLASSIAN_OAUTH_ENABLE=true (#954, fixes #858)

📚 Documentation

• Auth Documentation: Updated AGENTS.md, CLI help text, and .env.example for DC OAuth, Basic Auth multi-user, BYOT mode, service-specific OAuth env vars, and HTTP timeouts (#957)

Contributors

Thanks to @blackalegator, @kangis89, @nealedj, @ckaytev, @hteichmann-strato, and @sergiobank!

Full Changelog: v0.15.0...v0.16.0