@oomkapwn/enquire-mcp 3.5.1 → 3.5.2

package/CHANGELOG.md

@@ -2,6 +2,33 @@
 
 All notable changes to this project will be documented here. The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.5.2] — 2026-05-09
+
+**Patch — README marketing boost + SECURITY.md PVR mention.** Companion to v3.5.1. No code changes.
+
+### Changed — README leads with a punchier value claim
+
+- Hero callout (`> First and only Obsidian-MCP that ships hybrid retrieval, cross-encoder reranking, HNSW, int8 quantization, late-chunking, HyDE, GraphRAG-light, standalone .base, PDFs + OCR, and stateful remote MCP — together. In one binary. Under MIT. SLSA-3 signed.`) replaces the prior generic `What it is` lead. The factual claims are individually defensible from the v3.0 competitive audit + each subsequent sprint's CHANGELOG.
+- Comparison table preamble: `Six features no other Obsidian-MCP has at all (GraphRAG-light, standalone .base execution, HyDE, int8 quantization, late-chunking, built-in eval harness). Plus the entire modern IR stack...` — quantifies the lead instead of generic superlatives.
+- New comparison rows: **Standalone `.base` query execution** (✅ only here), **HyDE retrieval + sub-question decomposition** (✅ only here). These two were already in the feature inventory but weren't called out in the comparison table.
+- Added npm-downloads badge for live discoverability signal.
+
+### Changed — SECURITY.md leads with GitHub Private Vulnerability Reporting
+
+Reporting a vulnerability now offers two channels: **GitHub PVR (preferred)** with a direct link to the advisory submission flow, plus the existing email fallback. Aligns with the GitHub Code Security recommendation for public repos.
+
+### Tests
+
+664 unit tests pass (unchanged from v3.5.1). Marketing-copy + security-doc changes don't affect the CI surface.
+
+### Migration
+
+**No-op for default users.** No CLI / response shape / schema changes.
+
+### Repo About + topics + security settings (separate, admin-only)
+
+The matching repo-level admin actions (description sync, topic rotation, Dependabot/secret-scanning/PVR/branch-protection enablement) require maintainer admin access and were performed out-of-band where possible. See PR description for the remaining checklist of items the maintainer needs to confirm via GitHub Settings UI.
+
 ## [3.5.1] — 2026-05-09
 
 **Patch — audit-driven public-claim sync.** No behavior changes. External audit identified drift between README, STABILITY.md, CONTRIBUTING.md, CLI help, and `package.json` numeric claims (tools, tests, gates, write tools, prompts, dependencies). Production-grade projects can't ship inconsistent public surfaces — this release fixes that and pins it under CI.

package/README.md

@@ -6,11 +6,12 @@
 
 ### The most advanced Obsidian MCP server. Period.
 
-**Hybrid retrieval. Cross-encoder reranking. HNSW. int8 quantization. PDFs. OCR. Multilingual. Remote MCP. SLSA-3. Free.**
+**Every modern IR primitive. In one tool. For free.**
 
 [![CI](https://github.com/oomkapwn/enquire-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/oomkapwn/enquire-mcp/actions/workflows/ci.yml)
 [![npm](https://img.shields.io/npm/v/@oomkapwn/enquire-mcp/latest.svg?label=npm%20%40latest&color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
-[![tests](https://img.shields.io/badge/tests-606%20passing-brightgreen.svg)](#trust)
+[![downloads](https://img.shields.io/npm/dm/@oomkapwn/enquire-mcp.svg?color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
+[![tests](https://img.shields.io/badge/tests-664%20passing-brightgreen.svg)](#trust)
 [![stable](https://img.shields.io/badge/v3.0-stable-brightgreen.svg)](./STABILITY.md)
 [![SLSA-3](https://img.shields.io/badge/SLSA-3-blue.svg)](https://slsa.dev/spec/v1.0/levels#build-l3)
 [![MCP](https://img.shields.io/badge/MCP-1.29-8A2BE2.svg)](https://modelcontextprotocol.io/)
@@ -20,11 +21,13 @@
 
 ---
 
+> **First and only Obsidian-MCP that ships hybrid retrieval, cross-encoder reranking, HNSW, int8 quantization, late-chunking, HyDE, GraphRAG-light community detection, standalone `.base` query execution, PDFs + OCR, and stateful remote MCP — together. In one binary. Under MIT. SLSA-3 signed.**
+
 ## What it is
 
-A **production-ready MCP server** that gives any AI agent — Claude Code, Claude Desktop, Cursor, ChatGPT custom GPT, Codex, mobile MCP clients — structured access to your Obsidian vault. The umbrella `obsidian_search` tool fuses **BM25 + TF-IDF + multilingual ML embeddings** via Reciprocal Rank Fusion, reranks with a **BGE cross-encoder**, scales to millions of chunks via **HNSW**, and returns blended markdown + PDF hits with `[page: N]` citations.
+A **production-ready MCP server** that gives any AI agent — Claude Code, Claude Desktop, Cursor, ChatGPT custom GPT, Codex, mobile MCP clients — structured access to your Obsidian vault. The umbrella `obsidian_search` tool fuses **BM25 + TF-IDF + multilingual ML embeddings** via Reciprocal Rank Fusion (Cormack et al, 2009), reranks with a **BGE cross-encoder** (5 model options), scales to millions of chunks via **HNSW with int8 quantization**, and returns blended markdown + PDF hits with `[page: N]` citations.
 
-**44 tools · 19 MCP prompts · 664 unit tests · v3.5 · semver-bound · MIT · SLSA-3.**
+**44 tools · 19 MCP prompts · 664 unit tests · 50+ languages · v3.5 · semver-bound · MIT · SLSA-3.**
 
 ---
 
@@ -62,7 +65,7 @@ enquire-mcp doctor --vault <path>    # color-coded ✓/⚠/✗ health check
 
 ## 🏆 Why it's the best
 
-The **leading Obsidian-MCP server — the only one shipping all of these capabilities together:**
+**Six features no other Obsidian-MCP has at all** (GraphRAG-light, standalone `.base` execution, HyDE, int8 quantization, late-chunking, built-in eval harness). **Plus the entire modern IR stack** (BM25 + ML embeddings + cross-encoder reranking + HNSW) that competitors ship at most one or two of. Side-by-side:
 
 | Capability | enquire-mcp | Smart Connections | Other Obsidian-MCPs |
 |---|:---:|:---:|:---:|
@@ -82,6 +85,8 @@ The **leading Obsidian-MCP server — the only one shipping all of these capabil
 | **Privacy filter** verified at every search + write path | ✅ | n/a | ❌ |
 | **44 production tools** (33 always-on read tools + 4 opt-in + 7 gated writes) | ✅ | n/a | varies |
 | **GraphRAG-light** (wikilink community detection via Louvain modularity) | ✅ **only here** | ❌ | ❌ |
+| **Standalone `.base` query execution** (works without Obsidian running) | ✅ **only here** | ❌ | ❌ delegates to Obsidian |
+| **HyDE retrieval** (Gao et al 2023) + sub-question decomposition | ✅ **only here** | ❌ | ❌ |
 | **664 unit tests · 8 required + 4 advisory CI gates per PR** | ✅ | n/a | rare |
 | **SLSA-3 build provenance** | ✅ | n/a | ❌ |
 | **Semver-bound public surface** ([STABILITY.md](./STABILITY.md)) | ✅ | n/a | ❌ |

package/SECURITY.md

@@ -2,13 +2,12 @@
 
 ## Reporting a vulnerability
 
-If you've found a security issue in enquire, **please don't open a public GitHub issue**. Instead:
+If you've found a security issue in enquire, **please don't open a public GitHub issue**. You have two equally-valid private channels:
 
-1. Email the maintainer at `oomkapwn@gmail.com` with the subject `enquire security`.
-2. Include a reproducer if you have one — vault layout, exact CLI flags, the operation that triggered the issue.
-3. Expect an acknowledgement within 72 hours.
+1. **Preferred — GitHub Private Vulnerability Reporting.** Open a [private security advisory](https://github.com/oomkapwn/enquire-mcp/security/advisories/new) directly on the repo. GitHub keeps the report private until you and I jointly publish it; collaboration on the fix happens in the same advisory thread.
+2. **Fallback — email.** `oomkapwn@gmail.com` with subject `enquire security`. Include a reproducer if you have one — vault layout, exact CLI flags, the operation that triggered the issue.
 
-I'll work on a fix in private, cut a patch release, and then publicly disclose with credit (or anonymously, your call).
+Either channel: expect an acknowledgement within **72 hours**. I work on a fix in private, cut a patch release, and then publicly disclose with credit (or anonymously, your call).
 
 ## Scope
 

package/dist/index.js

@@ -12,7 +12,7 @@ import { chunkContent, defaultIndexFile, FtsIndex } from "./fts5.js";
 import { appendToNote, archiveNote, chatThreadAppend, chatThreadRead, contextPack, createNote, dataviewQuery, embeddingsSearch, findPath, findSimilar, frontmatterGet, frontmatterSearch, frontmatterSet, getBacklinks, getNoteNeighbors, getOpenQuestions, getOutboundLinks, getRecentEdits, getUnresolvedWikilinks, getVaultStats, lintWiki, listCanvases, listNotes, listPdfs, listTags, ocrPdf, openInUi, paperAudit, readCanvas, readNote, readPdf, renameNote, replaceInNotes, resolveWikilink, searchHybrid, searchText, semanticSearch, validateNoteProposal } from "./tools.js";
 import { Vault } from "./vault.js";
 import { VaultWatcher } from "./watcher.js";
-const VERSION = "3.5.1";
+const VERSION = "3.5.2";
 /** Default location for the persistent embedding index, alongside .fts5.db. */
 function embedDbPath(vaultRoot) {
     // Match the FTS5 location convention by stripping the .fts5.db extension

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oomkapwn/enquire-mcp",
-  "version": "3.5.1",
+  "version": "3.5.2",
   "description": "The most advanced MCP server for Obsidian vaults. Hybrid retrieval (BM25 + TF-IDF + multilingual ML embeddings, RRF-fused) with BGE cross-encoder reranking, HNSW vector index, int8 quantization, late-chunking, HyDE-augmented retrieval, sub-question decomposition, PDFs (with OCR), Bases (.base query execution, standalone — no Obsidian needed), GraphRAG-light (Louvain wikilink community detection), wikilinks, backlinks, Dataview, frontmatter, canvas. 44 tools, 19 MCP prompts, 5 cross-encoder reranker models, 664 tests, SLSA-3, semver-bound. Works with Claude Code, Claude Desktop, Cursor, ChatGPT custom GPT, Codex, and any MCP client.",
   "type": "module",
   "bin": {