@jaypie/mcp 0.7.22 → 0.7.23

package/dist/suites/docs/index.js

@@ -9,7 +9,7 @@ import { gt } from 'semver';
 /**
  * Docs Suite - Documentation services (skill, version, release_notes)
  */
-const BUILD_VERSION_STRING = "@jaypie/mcp@0.7.22#e20270cd"
+const BUILD_VERSION_STRING = "@jaypie/mcp@0.7.23#49c71f6f"
     ;
 const __filename$1 = fileURLToPath(import.meta.url);
 const __dirname$1 = path.dirname(__filename$1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jaypie/mcp",
-  "version": "0.7.22",
+  "version": "0.7.23",
   "description": "Jaypie MCP",
   "repository": {
     "type": "git",

package/release-notes/constructs/1.2.31.md

@@ -0,0 +1,11 @@
+---
+version: 1.2.31
+date: 2026-02-18
+summary: Add Cache-Control and Cross-Origin-Embedder-Policy security headers to JaypieDistribution
+---
+
+# @jaypie/constructs 1.2.31
+
+## Fixes
+
+- **JaypieDistribution**: Added `Cache-Control` (`no-store, no-cache, must-revalidate, proxy-revalidate`) and `Cross-Origin-Embedder-Policy` (`unsafe-none`) to the default security response headers, resolving ZAP baseline scan warnings [90004], [10015], and [10049].

package/skills/cdk.md

@@ -173,12 +173,14 @@ new JaypieNextJs(this, "App", {
 
 `JaypieDistribution` ships with default security response headers via a `ResponseHeadersPolicy` (analogous to `helmet` for Express):
 
+- Cache-Control (no-store, no-cache, must-revalidate, proxy-revalidate)
 - HSTS (2-year max-age, includeSubDomains, preload)
 - X-Content-Type-Options (nosniff)
 - X-Frame-Options (DENY)
 - Referrer-Policy (strict-origin-when-cross-origin)
 - Content-Security-Policy (conservative defaults)
 - Permissions-Policy (camera, microphone, geolocation, payment disabled)
+- Cross-Origin-Embedder-Policy (unsafe-none)
 - Cross-Origin-Opener-Policy (same-origin)
 - Cross-Origin-Resource-Policy (same-origin)
 - Server header removed