From fdb38363028033150ef3d91f4656616b0b6e5bd1 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sat, 13 Jun 2026 15:19:58 -0500
Subject: [PATCH 1/3] py(deps) Bump fastmcp 3.4.0 -> 3.4.2
why: 3.4.1 floors starlette>=1.0.1 (CVE-2026-48710), previously only constrained transitively through mcp; 3.4.2 carries that floor. The 3-day uv dependency cooldown that held our floor at 3.4.0 has cleared.
what:
- pyproject: fastmcp floor >=3.4.0 -> >=3.4.2
- uv.lock: fastmcp resolves to 3.4.2 (starlette to 1.2.1)
---
 pyproject.toml | 2 +-
 uv.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index b8afe6a..66ca24b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -41,7 +41,7 @@ include = [
 dependencies = [
 "libtmux>=0.58.0,<1.0",
- "fastmcp>=3.4.0,<4.0.0",
+ "fastmcp>=3.4.2,<4.0.0",
 ]
 [project.urls]
diff --git a/uv.lock b/uv.lock
index e32e1b1..d09597b 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1242,7 +1242,7 @@ testing = [
 [package.metadata]
 requires-dist = [
- { name = "fastmcp", specifier = ">=3.4.0,<4.0.0" },
+ { name = "fastmcp", specifier = ">=3.4.2,<4.0.0" },
 { name = "libtmux", specifier = ">=0.58.0,<1.0" },
 ]
From c34fcb179cf1a37f4fadd8e3a267109d0806cfe0 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sat, 13 Jun 2026 15:21:29 -0500
Subject: [PATCH 2/3] mcp(docs[CHANGES]): Note fastmcp 3.4.2 minimum
why: the fastmcp floor bump needs a Dependencies entry so the starlette CVE-2026-48710 fix it pulls in is recorded for downstream installs.
what:
- Add a Dependencies entry for the fastmcp >=3.4.2 minimum
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGES b/CHANGES
index d292e11..0dcf0e1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ _Notes on upcoming releases will be added here_
+### Dependencies
+
+**Minimum `fastmcp>=3.4.2`** (was `>=3.4.0`). Picks up fastmcp 3.4.1's explicit `starlette>=1.0.1` floor, so installs can no longer resolve to a Starlette version affected by CVE-2026-48710 — previously this was constrained only transitively through `mcp`.
+
 ### What's new
 **One-call command completion with {tooliconl}`run-command`**
From d4168f983558ad6db7b1f197c442a6d870c17bb7 Mon Sep 17 00:00:00 2001
From: Tony Narlock
Date: Sat, 13 Jun 2026 15:27:44 -0500
Subject: [PATCH 3/3] mcp(docs[CHANGES]): Reference PR in fastmcp dependency note
why: the Dependencies entry is this branch's only changelog line, so it should carry the PR reference like the other unreleased entries.
what:
- Add the PR reference to the fastmcp 3.4.2 Dependencies entry
---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 0dcf0e1..a070bfe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,7 +8,7 @@ _Notes on upcoming releases will be added here_
 ### Dependencies
-**Minimum `fastmcp>=3.4.2`** (was `>=3.4.0`). Picks up fastmcp 3.4.1's explicit `starlette>=1.0.1` floor, so installs can no longer resolve to a Starlette version affected by CVE-2026-48710 — previously this was constrained only transitively through `mcp`.
+**Minimum `fastmcp>=3.4.2`** (was `>=3.4.0`). Picks up fastmcp 3.4.1's explicit `starlette>=1.0.1` floor, so installs can no longer resolve to a Starlette version affected by CVE-2026-48710 — previously this was constrained only transitively through `mcp`. (#77)
 ### What's new