chore(dependabot): ignore zod major bumps until v4 migration is scheduled #28
Merged
…uled
Adds an ``ignore`` rule to ``.github/dependabot.yml``'s npm ecosystem entry pinning zod to v3 majors. Minor + patch updates still flow through (and group via the existing ``npm-minor-patch`` rule).
Why now: PR #17 (chore(deps): bump zod 3.25.76 → 4.4.3) failed CI with ~20 TS errors across src/tools.ts (TS2554 + TS2345 + TS2322), src/http-entry.ts (line 459), and src/stdio-entry.ts (line 60). zod v4 (2025) reshapes the type hierarchy:
* ZodObject<...> is no longer assignable to ZodType<any, ZodTypeDef, any> (the entry-point types in http-entry.ts + stdio-entry.ts both depend on this conversion).
* Output types tightened from Record<string, primitive> to Record<string, unknown> — the tools.ts handlers feed into TextContent's Record<string, string|number|boolean|undefined> expectation.
* Several methods now require additional arguments (TS2554 Expected 2-3 arguments, but got 1).
Migrating to zod 4 is real work that needs to land alongside the @modelcontextprotocol/sdk's zod-4 readiness + zod-to-json-schema's zod-4 compat track — non-trivial, non-urgent. Until that's scheduled deliberately, Dependabot will keep opening + failing this PR every week, which adds queue noise without value.
PR #17 will be closed as superseded by this ignore rule. To pick up zod 4 later, remove the ignore entry and Dependabot will re-open the bump PR on its next scheduled run; do the migration in a dedicated commit alongside the SDK + zod-to-json-schema compat work.
Pattern matches what cueapi engineer used today on cueapi-core#51 (pytest-asyncio 1.x major-bump deferral).
Routed to CMA via cue-pm-pr-watcher per Mike's "get all PRs Argus-ready before review agent comes online" directive 2026-05-06 21:00 PT.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
govindkavaturi-art approved these changes May 6, 2026
Reasonable — zod v4 type-system reshape requires deliberate migration; pinning the major-bump ignore until that work is scheduled prevents weekly Dependabot churn. Comment block explains the why for the next reviewer. Approve.
mikemolinet added a commit that referenced this pull request May 9, 2026
Adds the agent-directory identity-layer surface to cueapi-mcp,
parallel to the cueapi-python ports for PR #630 (roster) and #662
(presence). Read-only on purpose — agents are typically managed by
humans via dashboard or CLI, not by automated MCP callers; adding
write-surface (create/update/delete) would create the wrong
abstraction.
- cueapi_list_agents — GET /v1/agents with status / online_only /
limit / offset filters. online_only takes precedence over status
when both are passed (server contract; pinned in tests).
- cueapi_get_agent — GET /v1/agents/{ref}. Accepts opaque agt_xxx
ID or slug-form 'agent_slug@user_slug'. Path-encoded so '@'
survives.
- cueapi_get_agent_presence — GET /v1/agents/{ref}/presence
(PR #662). Cheap-poll variant; lighter than get_agent. Used by
UIs/schedulers needing per-agent status refresh.
- cueapi_get_agent_roster — GET /v1/agents/roster (PR #630). Full
directory with presence blocks for every agent the calling key
owns. ETag-aware via if_none_match → If-None-Match header.
8 new tests under "agent directory tools — HTTP contract" pinning:
- list defaults (no filter)
- list online_only takes precedence over status (mutex contract)
- list passes status + limit/offset
- get encodes path correctly
- get url-encodes @ in slug-form ref
- presence path
- roster: no header by default
- roster: If-None-Match flows when if_none_match set
All 79 tests pass post-add (71 existing + 8 new).
Source: drift audit handoff/cueapi-package-drift-2026-05-06; Backlog
rows "Parity port: PR #630 → cueapi-mcp" + "PR #662 → cueapi-mcp"
(both p2). list_agents + get_agent fold in as the natural cueapi-cli
PR #28 + #40 parity at the same time.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mikemolinet added a commit that referenced this pull request May 10, 2026
…er) (#30)
* feat(agents): add 4 read-only directory tools (list/get/presence/roster)
Adds the agent-directory identity-layer surface to cueapi-mcp, parallel to the cueapi-python ports for PR #630 (roster) and #662 (presence). Read-only on purpose — agents are typically managed by humans via dashboard or CLI, not by automated MCP callers; adding write-surface (create/update/delete) would create the wrong abstraction.
- cueapi_list_agents — GET /v1/agents with status / online_only / limit / offset filters. online_only takes precedence over status when both are passed (server contract; pinned in tests).
- cueapi_get_agent — GET /v1/agents/{ref}. Accepts opaque agt_xxx ID or slug-form 'agent_slug@user_slug'. Path-encoded so '@' survives.
- cueapi_get_agent_presence — GET /v1/agents/{ref}/presence (PR #662). Cheap-poll variant; lighter than get_agent. Used by UIs/schedulers needing per-agent status refresh.
- cueapi_get_agent_roster — GET /v1/agents/roster (PR #630). Full directory with presence blocks for every agent the calling key owns. ETag-aware via if_none_match → If-None-Match header.
8 new tests under "agent directory tools — HTTP contract" pinning:
- list defaults (no filter)
- list online_only takes precedence over status (mutex contract)
- list passes status + limit/offset
- get encodes path correctly
- get url-encodes @ in slug-form ref
- presence path
- roster: no header by default
- roster: If-None-Match flows when if_none_match set
All 79 tests pass post-add (71 existing + 8 new).
Source: drift audit handoff/cueapi-package-drift-2026-05-06; Backlog rows "Parity port: PR #630 → cueapi-mcp" + "PR #662 → cueapi-mcp" (both p2). list_agents + get_agent fold in as the natural cueapi-cli PR #28 + #40 parity at the same time.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* test: cache-bust trailing comment to retrigger CI parser
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Adds an `ignore` rule to `.github/dependabot.yml`'s npm ecosystem entry pinning zod to v3 majors. Minor + patch updates still flow through (and group via the existing `npm-minor-patch` rule). Supersedes #17 — the `chore(deps): bump zod 3.25.76 → 4.4.3` Dependabot PR that failed CI with ~20 TS errors.
Context
Routed to CMA via `cue-pm-pr-watcher` per Mike's "get all PRs Argus-ready before review agent comes online" directive (2026-05-06 21:00 PT).
PR #17 surfaced real zod 4 breaking type changes:
- `src/http-entry.ts:459` + `src/stdio-entry.ts:60`: `ZodObject<...>` no longer assignable to `ZodType<any, ZodTypeDef, any>` (entry-point conversion type)
- `src/tools.ts` × ~14 lines: `Record<string, unknown>` tightening + new `TS2554 Expected 2-3 arguments, but got 1` on several handlers
These are zod v4's real type-system breaking changes (released 2025) — the migration is non-trivial because it needs to land alongside `@modelcontextprotocol/sdk`'s zod-4 readiness + `zod-to-json-schema`'s zod-4 compat track. Until that's deliberately scheduled, Dependabot will keep opening + failing this PR every week, adding queue noise without value.
Pattern
Mirrors what cueapi engineer used today on cueapi-core#51 (pytest-asyncio 1.x major-bump deferral) — same shape: add ignore rule to the dependabot config, close the failing major-bump PR as superseded.
Behavior after merge
npm-minor-patch)
Test plan
.github/dependabot.yml — the typecheck + tests should be green)
Related
🤖 Generated with Claude Code
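The ignore rule this PR describes, sketched as a Dependabot configuration. This is an added example, not the repository's actual `.github/dependabot.yml`: the `directory`, the `schedule`, and the body of the `npm-minor-patch` group are assumptions, and only the group name and the zod major-bump ignore come from the PR text.

```yaml
# Constructed example; not the repository's actual .github/dependabot.yml.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"              # assumed repository layout
    schedule:
      interval: "weekly"        # assumed; the PR mentions a weekly cadence
    groups:
      npm-minor-patch:          # group name from the PR; this definition is assumed
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Hold zod on the v3 line: skip major-version bumps only.
      # Minor and patch releases still arrive through the group above.
      # Remove this entry once the zod v4 migration is scheduled, and
      # Dependabot will propose the major bump again on its next run.
      - dependency-name: "zod"
        update-types:
          - "version-update:semver-major"
```

Scoping the entry with `update-types` is what keeps zod's minor and patch releases flowing; an `ignore` entry that names only `dependency-name` would skip every update for the package.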