Upgrade FastMCP to patched 3.x and remove deprecated/vulnerable JWT auth path usage #294

Merged: rdmueller merged 4 commits into main from copilot/migrate-authlib-to-joserfc on Apr 21, 2026
Copilot AI commented Apr 21, 2026

This PR resolves the authlib.jose deprecation fallout and addresses newly reported FastMCP security advisories affecting <3.2.0. It moves the project to a patched FastMCP line while preserving MCP behavior and test coverage.

  • Dependency/security updates

    • Upgraded FastMCP constraint from >=2.14.7,<3 to >=3.2.0,<4 (locked to 3.2.4).
    • Updated lockfile to align transitive dependencies required by FastMCP 3.x.
    • Bumped project version to 0.4.38 in package metadata.
  • MCP test compatibility with FastMCP 3 API

    • Replaced test access to removed private internals (mcp._tool_manager._tools) with FastMCP’s public async tool lookup API (mcp.get_tool(...)).
    • Applied this change only in tests that introspect MCP-registered tools (insert/update/validate/dependencies/elements/negative-parameter tests).
  • Regression guard for deprecated auth path warning

    • Kept the focused setup test that asserts importing FastMCP JWT provider does not emit the authlib.jose deprecation warning.
```python
# old (private, brittle)
for tool in mcp._tool_manager._tools.values():
    if tool.name == "insert_content":
        insert_tool = tool

# new (public API)
insert_tool = asyncio.run(mcp.get_tool("insert_content"))
```
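
The regression guard described above (an import that must not emit the authlib.jose deprecation warning) has to run in a fresh interpreter, because import-time warnings fire only on the first import in a process. The following is an added example, not the project's test code; the helper names, the modules `legacy_provider` and `patched_provider`, and the warning text are constructed stand-ins.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path


def emits_deprecation(module: str, needle: str, search_path: str = "") -> bool:
    """Import `module` in a new interpreter; True if a DeprecationWarning naming `needle` is printed."""
    env = dict(os.environ)
    if search_path:
        env["PYTHONPATH"] = os.pathsep.join(filter(None, [search_path, env.get("PYTHONPATH")]))
    proc = subprocess.run(
        # -W always: DeprecationWarning is hidden by default outside __main__.
        # `module` is a trusted, hard-coded test constant; never pass user input here.
        [sys.executable, "-W", "always::DeprecationWarning", "-c", f"import {module}"],
        capture_output=True, text=True, env=env, timeout=60,
    )
    if proc.returncode != 0:  # a broken import must not pass as "no warning"
        raise RuntimeError(f"import {module} failed:\n{proc.stderr}")
    return any("DeprecationWarning" in ln and needle in ln for ln in proc.stderr.splitlines())


def demo() -> tuple[bool, bool]:
    """Run the check against two constructed stand-in modules (not FastMCP code)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for a provider that still imports the deprecated path.
        Path(tmp, "legacy_provider.py").write_text(
            "import warnings\n"
            "warnings.warn('authlib.jose is deprecated (constructed message)', DeprecationWarning)\n"
        )
        # Stand-in for the patched provider: imports cleanly.
        Path(tmp, "patched_provider.py").write_text("VERIFIER = 'joserfc-backed stand-in'\n")
        return (
            emits_deprecation("legacy_provider", "authlib.jose", tmp),
            emits_deprecation("patched_provider", "authlib.jose", tmp),
        )


if __name__ == "__main__":
    print(demo())
```

Raising on a non-zero exit code matters here: without it, an import that crashes before reaching the deprecated module would be reported as warning-free.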

Copilot AI changed the title from "[WIP] Migrate from deprecated authlib.jose to joserfc in fastmcp" to "Upgrade FastMCP to patched 3.x and remove deprecated/vulnerable JWT auth path usage" Apr 21, 2026
Copilot AI requested a review from rdmueller April 21, 2026 19:43
rdmueller marked this pull request as ready for review April 21, 2026 19:45
Copilot AI review requested due to automatic review settings April 21, 2026 19:45
rdmueller merged commit 3accf30 into main Apr 21, 2026
6 of 7 checks passed

Copilot AI left a comment

Pull request overview

Upgrades the project to FastMCP 3.2.x (patched line) and updates the test suite to use FastMCP’s public tool lookup API, while bumping dacli’s version metadata.

Changes:

  • Bump FastMCP dependency to >=3.2.0,<4 (lock to 3.2.4) and refresh uv.lock for new transitive deps.
  • Update MCP-related tests to replace private _tool_manager._tools introspection with asyncio.run(mcp.get_tool(...)).
  • Add a regression test ensuring importing FastMCP’s JWT provider does not emit the authlib.jose deprecation warning; bump project version to 0.4.38.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| uv.lock | Locks FastMCP 3.2.4 and updates transitive dependencies accordingly. |
| pyproject.toml | Updates declared dependency constraints (FastMCP 3.x; pydocket range) and bumps project version. |
| src/dacli/__init__.py | Bumps __version__ to 0.4.38. |
| tests/test_project_setup.py | Adds subprocess-based import test to guard against authlib.jose deprecation warning. |
| tests/test_mcp_negative_params_220.py | Uses mcp.get_tool(...) public API for tool retrieval in negative-param tests. |
| tests/test_mcp_insert_blank_lines_232.py | Migrates tool lookup to mcp.get_tool(...) for blank-line insertion tests. |
| tests/test_mcp_insert_after_229.py | Migrates tool lookup to mcp.get_tool(...) for insert-after behavior tests. |
| tests/test_manipulation_bugs_244_245.py | Updates helper to retrieve insert_content via mcp.get_tool(...). |
| tests/test_get_dependencies_67.py | Updates tool existence check to use mcp.get_tool(...). |
| tests/test_elements_help_types_259.py | Updates tool lookup to use mcp.get_tool(...) for docstring assertions. |
| tests/test_circular_include_validation_251.py | Updates validate tool lookup to use mcp.get_tool(...). |

Comments suppressed due to low confidence (1)

tests/test_mcp_insert_after_229.py:82

  • This test calls insert_tool.fn(...) without first asserting that mcp.get_tool("insert_content") returned a tool. Add an explicit assertion/guard (consistent with the other test in this file) so failures are clearer if tool registration changes.
        insert_tool = asyncio.run(mcp.get_tool("insert_content"))

        # Insert after "Child Section" (no children)
        result = insert_tool.fn(
            path="test:parent-section.child-section",

Comment on lines +72 to 75
insert_tool = asyncio.run(mcp.get_tool("insert_content"))

# Insert content after Section 1
result = insert_tool.fn(
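Review bot: at `insert_tool = asyncio.run(mcp.get_tool("insert_content"))`, every lookup starts and closes its own event loop, and asyncio.run raises RuntimeError when a loop is already running, so this line breaks if the test is later made async or placed under an async fixture. Consider awaiting `mcp.get_tool(...)` in an async test, or doing the lookup once in a shared fixture that also asserts the tool was found before `.fn(` is called.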
Comment thread pyproject.toml
"fastmcp>=3.2.0,<4",
"pathspec>=1.0.3",
"pydocket<0.17", # Pin to avoid breaking change in 0.17 (fastmcp compatibility)
"pydocket>=0.17.2,<0.19", # Required by fastmcp 2.14.7
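Review bot: the trailing comment on the `pydocket>=0.17.2,<0.19` line still reads "Required by fastmcp 2.14.7", while the constraint shown above it is now `fastmcp>=3.2.0,<4`; update the comment to name the FastMCP release that actually needs this range. The excerpt also shows `pydocket<0.17` next to it, and the two ranges cannot both be satisfied, so confirm that only one of these entries remains in the dependency list after the change.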
Comment on lines +68 to +69
validate_tool = asyncio.run(mcp.get_tool("validate_structure"))
result = validate_tool.fn()
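Review bot: this lookup followed by `validate_tool.fn()` appears unchanged at +86, +104 and +119 as well as here at +68, and none of the four copies checks the lookup result before calling `.fn()`. Move it into one fixture or helper that fetches `validate_structure`, asserts it is present and returns the tool, so a registration change fails once with a clear message instead of inside each test.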
Comment on lines +86 to +87
validate_tool = asyncio.run(mcp.get_tool("validate_structure"))
result = validate_tool.fn()
Comment on lines +104 to +105
validate_tool = asyncio.run(mcp.get_tool("validate_structure"))
result = validate_tool.fn()
Comment on lines +119 to +120
validate_tool = asyncio.run(mcp.get_tool("validate_structure"))
result = validate_tool.fn()
Comment on lines +43 to 46
insert_tool = asyncio.run(mcp.get_tool("insert_content"))

# Insert content before Section 2
result = insert_tool.fn(
Development

Successfully merging this pull request may close these issues.

Migrate from deprecated authlib.jose to joserfc in fastmcp