Note

Medium Risk
Changes the release/publish GitHub Actions workflow (Node/npm versions and npm publish flags), which could affect package publishing and tagging if the environment or provenance requirements are misconfigured.

Overview
Updates the Housekeeping GitHub Actions workflow to use newer action versions (actions/setup-node@v6 and actions/checkout@v6) and standardizes on Node.js 24.

Adjusts the publish job to install a pinned npm 11.12.1 and publishes the package with npm publish --provenance to attach build provenance during release.

^{Reviewed by Cursor Bugbot for commit e6f17bd. Bugbot is set up for automated code reviews on this repo. Configure here.}

Note

Low Risk
Low risk workflow-only change; publishing behavior is unchanged aside from relying on the npm version provided by actions/setup-node, which could affect CI if that npm version differs from latest.

Overview
Fixes the failing Housekeeping GitHub Action by removing the step that globally updates npm to npm@latest during the publish job.

The workflow now relies on the npm version bundled with actions/setup-node before running npm ci and the existing tag/publish logic.

^{Written by Cursor Bugbot for commit 414b7ce. This will update automatically on new commits. Configure here.}

Note

Medium Risk
Introduces a new destructive endpoint wrapper (delete) and surfaces backend errors to users; incorrect usage could lead to irreversible deletions, though the change is small and covered by tests.

Overview
Adds two new MCP tools for cost reports: get-cost-report (GET /v2/cost_reports/:token) and delete-cost-report (DELETE /v2/cost_reports/:token), both using pathEncode for token safety.

Both tools convert API failures into MCPUserError and include Vitest coverage for success/error responses; the tools are registered via the auto-generated src/tools/index.ts (with delete-cost-report marked destructive).

^{Written by Cursor Bugbot for commit b7637b8. This will update automatically on new commits. Configure here.}

Note

Medium Risk
Mostly additive tooling and tests, but the callApi change affects all API calls and could change behavior for any endpoint that legitimately returns 204 or previously failed JSON parsing on empty bodies.

Overview
Adds new Folder tools: get-folder, update-folder, and destructive delete-folder, each calling the /v2/folders/{token} endpoints and surfacing API failures as MCPUserError (with new Vitest coverage).

Updates the shared callApi helper to treat HTTP 204 No Content as a successful response returning data: undefined, and loosens the test harness API-call typing to allow undefined success data (needed for DELETE).

^{Written by Cursor Bugbot for commit 30ff369. This will update automatically on new commits. Configure here.}

Note

Low Risk
Adds isolated new tool endpoints with straightforward request/response plumbing and tests; minimal impact on existing behavior aside from tool registration.

Overview
Adds two new tools: get-anomaly (read-only) to fetch an anomaly alert by token via GET /v2/anomaly_alerts/:token, and update-anomaly to update an alert’s status (active/archived/ignored) with optional feedback via PUT /v2/anomaly_alerts/:token.

Registers both tools in the auto-generated src/tools/index.ts, and adds Vitest coverage that validates argument schemas and that non-ok API responses are surfaced as MCPUserError payloads.

^{Written by Cursor Bugbot for commit 48d1519. This will update automatically on new commits. Configure here.}