permissions for git workflows

.github/workflows/check-maintainer-edits.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, edited]
 
+permissions:
+  pull-requests: read
+  issues: write
+
 jobs:
   check-maintainer-edits:
     runs-on: ubuntu-latest

.github/workflows/docker-publish.yml

@@ -11,6 +11,8 @@ on:
       - main
   workflow_dispatch:
 
+permissions: {}
+
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}

.github/workflows/publish-mcp-registry.yml

@@ -6,6 +6,8 @@ on:
       - "v*"
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   publish:
     runs-on: ubuntu-latest

core/server.py

@@ -348,7 +348,7 @@ def configure_server_for_http():
                     )
             elif use_disk:
                 try:
-                    from key_value.aio.stores.disk import DiskStore
+                    from key_value.aio.stores.filetree import FileTreeStore
 
                     disk_directory = os.getenv(
                         "WORKSPACE_MCP_OAUTH_PROXY_DISK_DIRECTORY", ""
@@ -363,7 +363,7 @@ def configure_server_for_http():
                                 "~/.fastmcp/oauth-proxy"
                             )
 
-                    client_storage = DiskStore(directory=disk_directory)
+                    client_storage = FileTreeStore(data_directory=disk_directory)
 
                     jwt_signing_key = validate_and_derive_jwt_key(
                         jwt_signing_key_override, config.client_secret
@@ -379,7 +379,7 @@ def configure_server_for_http():
                         fernet=Fernet(key=storage_encryption_key),
                     )
                     logger.info(
-                        "OAuth 2.1: Using DiskStore for FastMCP OAuth proxy client_storage (directory=%s)",
+                        "OAuth 2.1: Using FileTreeStore for FastMCP OAuth proxy client_storage (directory=%s)",
                         disk_directory,
                     )
                 except ImportError as exc:

pyproject.toml

@@ -59,7 +59,7 @@ workspace-mcp = "main:main"
 
 [project.optional-dependencies]
 disk = [
-    "py-key-value-aio[disk]>=0.3.0",
+    "py-key-value-aio[filetree]>=0.3.0",
 ]
 valkey = [
     "py-key-value-aio[valkey]>=0.3.0",
@@ -84,7 +84,7 @@ dev = [
 
 [dependency-groups]
 disk = [
-    "py-key-value-aio[disk]>=0.3.0",
+    "py-key-value-aio[filetree]>=0.3.0",
 ]
 valkey = [
     "py-key-value-aio[valkey]>=0.3.0",

tests/gchat/test_chat_tools.py

@@ -3,6 +3,8 @@ Unit tests for Google Chat MCP tools — attachment support
 """
 
 import base64
+from urllib.parse import urlparse
+
 import pytest
 from unittest.mock import AsyncMock, Mock, patch
 import sys
@@ -271,10 +273,12 @@ async def test_download_uses_api_media_endpoint():
     # Verify we used the API endpoint with attachmentDataRef.resourceName
     call_args = mock_client.get.call_args
     url_used = call_args.args[0]
-    assert "chat.googleapis.com" in url_used
+    parsed = urlparse(url_used)
+    assert parsed.scheme == "https"
+    assert parsed.hostname == "chat.googleapis.com"
     assert "alt=media" in url_used
-    assert "spaces/S/attachments/A" in url_used
+    assert "spaces/S/attachments/A" in parsed.path
-    assert "/messages/" not in url_used
+    assert "/messages/" not in parsed.path
 
     # Verify Bearer token
     assert call_args.kwargs["headers"]["Authorization"] == "Bearer fake-access-token"

uv.lock

@@ -423,15 +423,6 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/07/6c/aa3f2f849e01cb6a001cd8554a88d4c77c5c1a31c95bdf1cf9301e6d9ef4/defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61", size = 25604 },
 ]
 
-[[package]]
-name = "diskcache"
-version = "5.6.3"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/3f/21/1c1ffc1a039ddcc459db43cc108658f32c57d271d7289a2794e401d0fdb6/diskcache-5.6.3.tar.gz", hash = "sha256:2c3a3fa2743d8535d832ec61c2054a1641f41775aa7c556758a109941e33e4fc", size = 67916 }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/3f/27/4570e78fc0bf5ea0ca45eb1de3818a23787af9b390c0b0a0033a1b8236f9/diskcache-5.6.3-py3-none-any.whl", hash = "sha256:5e31b2d5fbad117cc363ebaf6b689474db18a1f6438bc82358b024abd4c2ca19", size = 45550 },
-]
-
 [[package]]
 name = "dnspython"
 version = "2.8.0"
@@ -970,15 +961,6 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/7d/eb/b6260b31b1a96386c0a880edebe26f89669098acea8e0318bff6adb378fd/pathable-0.4.4-py3-none-any.whl", hash = "sha256:5ae9e94793b6ef5a4cbe0a7ce9dbbefc1eec38df253763fd0aeeacf2762dbbc2", size = 9592 },
 ]
 
-[[package]]
-name = "pathvalidate"
-version = "3.3.1"
-source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/fa/2a/52a8da6fe965dea6192eb716b357558e103aea0a1e9a8352ad575a8406ca/pathvalidate-3.3.1.tar.gz", hash = "sha256:b18c07212bfead624345bb8e1d6141cdcf15a39736994ea0b94035ad2b1ba177", size = 63262 }
-wheels = [
-    { url = "https://files.pythonhosted.org/packages/9a/70/875f4a23bfc4731703a5835487d0d2fb999031bd415e7d17c0ae615c18b7/pathvalidate-3.3.1-py3-none-any.whl", hash = "sha256:5263baab691f8e1af96092fa5137ee17df5bdfbd6cff1fcac4d6ef4bc2e1735f", size = 24305 },
-]
-
 [[package]]
 name = "platformdirs"
 version = "4.5.1"
@@ -1038,10 +1020,6 @@ wheels = [
 ]
 
 [package.optional-dependencies]
-disk = [
-    { name = "diskcache" },
-    { name = "pathvalidate" },
-]
 filetree = [
     { name = "aiofile" },
     { name = "anyio" },
@@ -2116,7 +2094,7 @@ dev = [
     { name = "twine" },
 ]
 disk = [
-    { name = "py-key-value-aio", extra = ["disk"] },
+    { name = "py-key-value-aio", extra = ["filetree"] },
 ]
 release = [
     { name = "tomlkit" },
@@ -2141,7 +2119,7 @@ dev = [
     { name = "twine" },
 ]
 disk = [
-    { name = "py-key-value-aio", extra = ["disk"] },
+    { name = "py-key-value-aio", extra = ["filetree"] },
 ]
 release = [
     { name = "tomlkit" },
@@ -2167,7 +2145,7 @@ requires-dist = [
     { name = "google-auth-oauthlib", specifier = ">=1.2.2" },
     { name = "httpx", specifier = ">=0.28.1" },
     { name = "py-key-value-aio", specifier = ">=0.3.0" },
-    { name = "py-key-value-aio", extras = ["disk"], marker = "extra == 'disk'", specifier = ">=0.3.0" },
+    { name = "py-key-value-aio", extras = ["filetree"], marker = "extra == 'disk'", specifier = ">=0.3.0" },
     { name = "py-key-value-aio", extras = ["valkey"], marker = "extra == 'valkey'", specifier = ">=0.3.0" },
     { name = "pyjwt", specifier = ">=2.12.0" },
     { name = "pytest", marker = "extra == 'dev'", specifier = ">=8.3.0" },
@@ -2195,7 +2173,7 @@ dev = [
     { name = "tomlkit", specifier = ">=0.13.3" },
     { name = "twine", specifier = ">=5.0.0" },
 ]
-disk = [{ name = "py-key-value-aio", extras = ["disk"], specifier = ">=0.3.0" }]
+disk = [{ name = "py-key-value-aio", extras = ["filetree"], specifier = ">=0.3.0" }]
 release = [
     { name = "tomlkit", specifier = ">=0.13.3" },
     { name = "twine", specifier = ">=5.0.0" },