@boomstream/mcp 0.2.1 → 0.2.2

package/CHANGELOG.md

@@ -6,6 +6,16 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 
 ## [Unreleased]
 
+## [0.2.2] - 2026-06-01
+
+### Fixed
+
+- **Public docs hygiene.** Removed internal issue-tracker references from
+  the public-facing CHANGELOG and README, corrected stale version mentions
+  in the README, and replaced the broken relative `CHANGELOG.md` link
+  (which 404'd on npmjs.com) with inline prose pointing at the bundled
+  file.
+
 ## [0.2.1] - 2026-06-01
 
 ### Fixed
@@ -20,17 +30,16 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 ### Added
 
 - **CHANGELOG.md** added to the repository, documenting versions 0.1.0–0.1.2
-  with full entries. CI tarball now includes CHANGELOG. ([BOO-64])
+  with full entries. CI tarball now includes CHANGELOG.
 
 ### Changed
 
 - **api-client: switched to POST + `Content-Type: application/json` for all
   tools.** Previously the api-client used GET with query-string parameters for
   most methods and POST for a small subset. The Boomstream API supports
-  `POST + JSON body` universally («Режим 2»). All tools now use POST; the GET
-  branch and `URLSearchParams` are removed entirely. Closes root cause of
-  [BOO-52] / [BOO-56] (the `RequestURI` redaction is retained as
-  defence-in-depth). ([BOO-67])
+  `POST + JSON body` universally. All tools now use POST; the GET branch and
+  `URLSearchParams` are removed entirely. Closes the apikey-in-URL leak surface
+  at its root (the `RequestURI` redaction is retained as defence-in-depth).
 - **apikey removed from URL.** `apikey` is now sent in the JSON request body
   rather than the URL query string, eliminating it from proxy access-logs,
   browser history, and server `RequestURI` echo fields.
@@ -42,8 +51,8 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
   format from the `Content-Type` header.
 - **`httpMethod` removed from `schemas/boomstream.json`.** The field was used
   only by the GET/POST dispatch logic, which no longer exists.
-- **README: `BOOMSTREAM_TEST_API_KEY` wording clarified** and `hwdmedia.documents`
-  database reference removed from docs. ([BOO-50])
+- **README: `BOOMSTREAM_TEST_API_KEY` wording clarified** and internal
+  database-source reference removed from docs.
 
 ## [0.1.2] - 2026-05-31
 
@@ -54,7 +63,7 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
   responses. The MCP client previously surfaced this field verbatim in tool
   results. The api-client now drops `RequestURI` from parsed responses and
   redacts `apikey`/`token`/`signature` from any error message before it reaches
-  the model. ([BOO-52], [BOO-56])
+  the model.
 - **Tool-result content redaction.** A defence-in-depth pass also scrubs
   `apikey`, `token`, and `signature` query parameters from any string the
   server returns to the client — even if the upstream API surfaces them in a
@@ -71,71 +80,47 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
 ### Added
 
 - **CI auto-publish on `v*` tags.** Pushing a tag matching `v\d+.\d+.\d+(-…)?`
-  to `boomstream-ai/boomstream-mcp` now triggers the `npm-publish` GitLab CI
-  job, which builds and runs `pnpm publish --access public` against the npm
-  registry using a protected, masked `NPM_TOKEN`. Tag-pattern `v*` is a
-  protected tag (Maintainer+ push only). ([BOO-23])
-- **Self-hosted GitLab runner** registered for `boomstream-ai/boomstream-mcp`
-  so the publish job can reach the npm registry. ([BOO-41])
+  now triggers the `npm-publish` GitLab CI job, which builds and runs
+  `pnpm publish --access public` against the npm registry using a protected,
+  masked `NPM_TOKEN`. Tag-pattern `v*` is a protected tag (Maintainer+ push
+  only).
+- **Self-hosted CI runner** registered so the publish job can reach the npm
+  registry.
 - README expanded with Available-tools table generator (`pnpm
   build-readme-tools`), `claude_desktop_config.json` example, and end-to-end
-  smoke cycle for `media → ppv` flows. ([BOO-18])
+  smoke cycle for `media → ppv` flows.
 
 ### Changed
 
 - **pnpm pinned to 10.34.1** via `packageManager` in `package.json` to match
-  the Node 20 runtime used in CI and Docker. ([BOO-48])
+  the Node 20 runtime used in CI and Docker.
 - `.gitignore` now excludes `.npmrc` everywhere in the worktree to prevent
-  accidental token commits during local dev. ([BOO-22])
+  accidental token commits during local dev.
 - Polished `transports/stdio.ts` help text, CI rules guard against fork
-  pipelines, and added `CODEOWNERS` for security-sensitive files. ([BOO-17])
+  pipelines, and added `CODEOWNERS` for security-sensitive files.
 
 ## [0.1.0] - 2026-05-29
 
 ### Added
 
 - **Initial stdio release.** Manual `npm publish @boomstream/mcp@0.1.0`
-  performed by the Release Engineer following the CSO publish recipe
+  performed by the Release Engineer following the publish recipe
   (env-file-floor `.npmrc` via `NPM_CONFIG_USERCONFIG=$(mktemp)`,
-  `--access public`). ([BOO-16])
-- **101 tools auto-generated** from the Boomstream API documentation corpus
-  (`hwdmedia.documents`, RU `language_id=1`) covering 17 sections: media,
-  live, ppv, conference, folder, playlist, stats, chat, screenshot,
-  subtitles, timecodes, webhooks, project, record-live, live-ipcamera,
-  player-api, general. Tool naming follows
-  `boomstream_<section>_<method>` snake_case convention. ([BOO-9])
-- **MCP core (Slice 3).** `src/core/server.ts` implements `tools/list` and
+  `--access public`).
+- **101 tools auto-generated** from the Boomstream API documentation corpus,
+  covering 17 sections: media, live, ppv, conference, folder, playlist,
+  stats, chat, screenshot, subtitles, timecodes, webhooks, project,
+  record-live, live-ipcamera, player-api, general. Tool naming follows
+  `boomstream_<section>_<method>` snake_case convention.
+- **MCP core.** `src/core/server.ts` implements `tools/list` and
   `tools/call` handlers, `src/core/schema.ts` loads
   `schemas/boomstream.json` once at boot, `src/core/api-client.ts` is the
-  fetch wrapper (`format=json`, `ver=1.2` default, exponential-backoff retry
-  on 5xx, 30 s timeout), `src/core/auth.ts` reads
-  `BOOMSTREAM_API_KEY` from env (Phase A). `src/tools/registry.ts` is the
-  single generic handler that dispatches every tool through one
-  zod-validated path. ([BOO-11])
-- **stdio transport (Slice 4).** `src/transports/stdio.ts` is the
-  `boomstream-mcp` bin entry point, wired through
-  `StdioServerTransport`. The package ships as a public scoped npm package
-  with `bin: "dist/transports/stdio.js"`, a post-build shebang/chmod step,
-  and a CLI surface (`--help`, `--version`, `stdio` subcommand). ([BOO-12])
-
-[Unreleased]: https://gitlab.boomstream.com/boomstream-ai/boomstream-mcp/-/compare/v0.2.1...HEAD
-[0.2.1]: https://gitlab.boomstream.com/boomstream-ai/boomstream-mcp/-/compare/v0.2.0...v0.2.1
-[0.2.0]: https://gitlab.boomstream.com/boomstream-ai/boomstream-mcp/-/compare/v0.1.2...v0.2.0
-[0.1.2]: https://gitlab.boomstream.com/boomstream-ai/boomstream-mcp/-/compare/v0.1.1...v0.1.2
-[0.1.1]: https://gitlab.boomstream.com/boomstream-ai/boomstream-mcp/-/compare/v0.1.0...v0.1.1
-[0.1.0]: https://gitlab.boomstream.com/boomstream-ai/boomstream-mcp/-/tags/v0.1.0
-[BOO-9]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-11]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-12]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-16]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-17]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-18]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-22]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-23]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-41]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-48]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-50]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-52]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-56]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-64]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
-[BOO-67]: https://gitlab.boomstream.com/boomstream-ai/boomstream-paperclip/-/issues
+  fetch wrapper (`ver=1.2` default, exponential-backoff retry on 5xx, 30 s
+  timeout), `src/core/auth.ts` reads `BOOMSTREAM_API_KEY` from env (Phase
+  A). `src/tools/registry.ts` is the single generic handler that dispatches
+  every tool through one zod-validated path.
+- **stdio transport.** `src/transports/stdio.ts` is the `boomstream-mcp`
+  bin entry point, wired through `StdioServerTransport`. The package ships
+  as a public scoped npm package with `bin: "dist/transports/stdio.js"`, a
+  post-build shebang/chmod step, and a CLI surface (`--help`, `--version`,
+  `stdio` subcommand).

package/README.md

@@ -2,7 +2,7 @@
 
 MCP server (Model Context Protocol) providing **Boomstream API as tools** for LLM agents: Claude Desktop, claude.ai, VS Code MCP extension, and any compatible client.
 
-> **Status:** stdio transport is live on npm (`@boomstream/mcp@latest`, currently `0.1.3`). SSE transport (remote hosting at `mcp.boomstream.com`) is the next stage; per-user OAuth comes after that. Release history → [CHANGELOG.md](CHANGELOG.md).
+> **Status:** stdio transport is live on npm (`@boomstream/mcp@latest`). SSE transport (remote hosting at `mcp.boomstream.com`) is the next stage; per-user OAuth comes after that. Release history is in the `CHANGELOG.md` file bundled with the npm package.
 
 ## What it does
 
@@ -25,7 +25,7 @@ npm install -g @boomstream/mcp@latest
 BOOMSTREAM_API_KEY=your-key boomstream-mcp
 ```
 
-`@latest` always resolves to the newest published version. Pin a specific version (e.g. `@boomstream/mcp@0.1.3`) if you need reproducible installs.
+`@latest` always resolves to the newest published version. Pin a specific version (e.g., `@boomstream/mcp@0.2.1`) if you need reproducible installs.
 
 ## Available tools
 
@@ -149,17 +149,12 @@ Verify your key in Boomstream project settings → API. Keys are project-scoped;
 
 ## Releases
 
-Full release notes are in [CHANGELOG.md](CHANGELOG.md). Latest highlights:
-
-- **0.1.3** — api-client switched to `POST + Content-Type: application/json`
-  for all tools; `apikey` now sent in the JSON body (never in the URL).
-  Array params sent as real JSON arrays. Closes BOO-52/56 root cause.
-- **0.1.2** — security fix: `apikey` is no longer echoed back through
-  `RequestURI` on error responses; tool-result content is additionally
-  scrubbed of `apikey`/`token`/`signature` query parameters.
-- **0.1.1** — CI auto-publish on `v*` tags, pnpm pinned to 10.34.1.
-- **0.1.0** — initial stdio release, 101 tools auto-generated from the
-  Boomstream API docs corpus.
+Full release notes are in the `CHANGELOG.md` file bundled with the npm
+package. Recent changes include POST+JSON transport (`apikey` sent in the
+request body, never in the URL), defence-in-depth scrubs for
+`apikey`/`token`/`signature` in tool-result content, and automated CI
+publish on `v*` tags. The full release timeline is available via
+`npm view @boomstream/mcp time --json`.
 
 GitLab CI publishes to npm automatically when a maintainer pushes a tag of
 the form `v\d+.\d+.\d+(-…)?` (protected tag, Maintainer+ only). The job

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@boomstream/mcp",
-  "version": "0.2.1",
+  "version": "0.2.2",
   "description": "MCP server providing Boomstream API as tools for LLM agents",
   "type": "module",
   "license": "MIT",