npm - @oomkapwn/enquire-mcp - Versions diffs - 3.5.1 → 3.5.3 - Mend

@oomkapwn/enquire-mcp 3.5.1 → 3.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,37 @@
 All notable changes to this project will be documented here. The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.5.3] — 2026-05-09
+**Patch — CHANGELOG cleanup.** No code or config changes. Removes references to internal operational notes from the v3.5.1 / v3.5.2 entries that are not relevant to consumers of the package. Repository-level admin items are tracked privately, not in the public CHANGELOG.
+## [3.5.2] — 2026-05-09
+**Patch — README marketing boost + SECURITY.md PVR mention.** Companion to v3.5.1. No code changes.
+### Changed — README leads with a punchier value claim
+- Hero callout (`> First and only Obsidian-MCP that ships hybrid retrieval, cross-encoder reranking, HNSW, int8 quantization, late-chunking, HyDE, GraphRAG-light, standalone .base, PDFs + OCR, and stateful remote MCP — together. In one binary. Under MIT. SLSA-3 signed.`) replaces the prior generic `What it is` lead. The factual claims are individually defensible from the v3.0 competitive audit + each subsequent sprint's CHANGELOG.
+- Comparison table preamble: `Six features no other Obsidian-MCP has at all (GraphRAG-light, standalone .base execution, HyDE, int8 quantization, late-chunking, built-in eval harness). Plus the entire modern IR stack...` — quantifies the lead instead of generic superlatives.
+- New comparison rows: **Standalone `.base` query execution** (✅ only here), **HyDE retrieval + sub-question decomposition** (✅ only here). These two were already in the feature inventory but weren't called out in the comparison table.
+- Added npm-downloads badge for live discoverability signal.
+### Changed — SECURITY.md leads with GitHub Private Vulnerability Reporting
+Reporting a vulnerability now offers two channels: **GitHub PVR (preferred)** with a direct link to the advisory submission flow, plus the existing email fallback. Aligns with the GitHub Code Security recommendation for public repos.
+### Tests
+664 unit tests pass (unchanged from v3.5.1). Marketing-copy + security-doc changes don't affect the CI surface.
+### Migration
+**No-op for default users.** No CLI / response shape / schema changes.
+### Repo About + topics
+Repo About description synced to current v3.x feature set; topics rotated for discovery (high-signal additions: `obsidian-mcp`, `mcp-server`, `claude-desktop`, `chatgpt`, `rag`, `vector-search`, `hnsw`, `pdf`, `ocr`).
 ## [3.5.1] — 2026-05-09
 **Patch — audit-driven public-claim sync.** No behavior changes. External audit identified drift between README, STABILITY.md, CONTRIBUTING.md, CLI help, and `package.json` numeric claims (tools, tests, gates, write tools, prompts, dependencies). Production-grade projects can't ship inconsistent public surfaces — this release fixes that and pins it under CI.
@@ -54,7 +85,7 @@ The audit also flagged three structural issues that need their own focused work,
 1. **`src/index.ts` is 3,673 lines + excluded from coverage.** Splitting it into `cli.ts` / `server.ts` / `tool-registry.ts` / `prompts.ts` / `options.ts` is a multi-day refactor. Tracking for v3.6+.
 2. **Machine-readable tool registry** (`tools.json` or similar) as single source of truth for README + docs/api.md + STABILITY.md + CLI help generation. Would replace the current invariant-tests-as-defense pattern with generation. Tracking for v3.6+.
-3. **Admin GitHub settings** (private vulnerability reporting, CodeQL default-setup confirmation, branch protection ruleset audit) require maintainer admin access — provided as a checklist in the v3.5.1 PR description, not code-shippable.
+3. **Repo-level configuration items** that require maintainer admin access (separate from code changes — handled out-of-band).
 ## [3.5.0] — 2026-05-09

package/README.md CHANGED Viewed

@@ -6,11 +6,12 @@
 ### The most advanced Obsidian MCP server. Period.
-**Hybrid retrieval. Cross-encoder reranking. HNSW. int8 quantization. PDFs. OCR. Multilingual. Remote MCP. SLSA-3. Free.**
+**Every modern IR primitive. In one tool. For free.**
 [![CI](https://github.com/oomkapwn/enquire-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/oomkapwn/enquire-mcp/actions/workflows/ci.yml)
 [![npm](https://img.shields.io/npm/v/@oomkapwn/enquire-mcp/latest.svg?label=npm%20%40latest&color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
-[![tests](https://img.shields.io/badge/tests-606%20passing-brightgreen.svg)](#trust)
+[![downloads](https://img.shields.io/npm/dm/@oomkapwn/enquire-mcp.svg?color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
+[![tests](https://img.shields.io/badge/tests-664%20passing-brightgreen.svg)](#trust)
 [![stable](https://img.shields.io/badge/v3.0-stable-brightgreen.svg)](./STABILITY.md)
 [![SLSA-3](https://img.shields.io/badge/SLSA-3-blue.svg)](https://slsa.dev/spec/v1.0/levels#build-l3)
 [![MCP](https://img.shields.io/badge/MCP-1.29-8A2BE2.svg)](https://modelcontextprotocol.io/)
@@ -20,11 +21,13 @@
 ---
+> **First and only Obsidian-MCP that ships hybrid retrieval, cross-encoder reranking, HNSW, int8 quantization, late-chunking, HyDE, GraphRAG-light community detection, standalone `.base` query execution, PDFs + OCR, and stateful remote MCP — together. In one binary. Under MIT. SLSA-3 signed.**
 ## What it is
-A **production-ready MCP server** that gives any AI agent — Claude Code, Claude Desktop, Cursor, ChatGPT custom GPT, Codex, mobile MCP clients — structured access to your Obsidian vault. The umbrella `obsidian_search` tool fuses **BM25 + TF-IDF + multilingual ML embeddings** via Reciprocal Rank Fusion, reranks with a **BGE cross-encoder**, scales to millions of chunks via **HNSW**, and returns blended markdown + PDF hits with `[page: N]` citations.
+A **production-ready MCP server** that gives any AI agent — Claude Code, Claude Desktop, Cursor, ChatGPT custom GPT, Codex, mobile MCP clients — structured access to your Obsidian vault. The umbrella `obsidian_search` tool fuses **BM25 + TF-IDF + multilingual ML embeddings** via Reciprocal Rank Fusion (Cormack et al, 2009), reranks with a **BGE cross-encoder** (5 model options), scales to millions of chunks via **HNSW with int8 quantization**, and returns blended markdown + PDF hits with `[page: N]` citations.
-**44 tools · 19 MCP prompts · 664 unit tests · v3.5 · semver-bound · MIT · SLSA-3.**
+**44 tools · 19 MCP prompts · 664 unit tests · 50+ languages · v3.5 · semver-bound · MIT · SLSA-3.**
 ---
@@ -62,7 +65,7 @@ enquire-mcp doctor --vault <path>    # color-coded ✓/⚠/✗ health check
 ## 🏆 Why it's the best
-The **leading Obsidian-MCP server — the only one shipping all of these capabilities together:**
+**Six features no other Obsidian-MCP has at all** (GraphRAG-light, standalone `.base` execution, HyDE, int8 quantization, late-chunking, built-in eval harness). **Plus the entire modern IR stack** (BM25 + ML embeddings + cross-encoder reranking + HNSW) that competitors ship at most one or two of. Side-by-side:
 | Capability | enquire-mcp | Smart Connections | Other Obsidian-MCPs |
 |---|:---:|:---:|:---:|
@@ -82,6 +85,8 @@ The **leading Obsidian-MCP server — the only one shipping all of these capabil
 | **Privacy filter** verified at every search + write path | ✅ | n/a | ❌ |
 | **44 production tools** (33 always-on read tools + 4 opt-in + 7 gated writes) | ✅ | n/a | varies |
 | **GraphRAG-light** (wikilink community detection via Louvain modularity) | ✅ **only here** | ❌ | ❌ |
+| **Standalone `.base` query execution** (works without Obsidian running) | ✅ **only here** | ❌ | ❌ delegates to Obsidian |
+| **HyDE retrieval** (Gao et al 2023) + sub-question decomposition | ✅ **only here** | ❌ | ❌ |
 | **664 unit tests · 8 required + 4 advisory CI gates per PR** | ✅ | n/a | rare |
 | **SLSA-3 build provenance** | ✅ | n/a | ❌ |
 | **Semver-bound public surface** ([STABILITY.md](./STABILITY.md)) | ✅ | n/a | ❌ |

package/SECURITY.md CHANGED Viewed

@@ -2,13 +2,12 @@
 ## Reporting a vulnerability
-If you've found a security issue in enquire, **please don't open a public GitHub issue**. Instead:
+If you've found a security issue in enquire, **please don't open a public GitHub issue**. You have two equally-valid private channels:
-1. Email the maintainer at `oomkapwn@gmail.com` with the subject `enquire security`.
-2. Include a reproducer if you have one — vault layout, exact CLI flags, the operation that triggered the issue.
-3. Expect an acknowledgement within 72 hours.
+1. **Preferred — GitHub Private Vulnerability Reporting.** Open a [private security advisory](https://github.com/oomkapwn/enquire-mcp/security/advisories/new) directly on the repo. GitHub keeps the report private until you and I jointly publish it; collaboration on the fix happens in the same advisory thread.
+2. **Fallback — email.** `oomkapwn@gmail.com` with subject `enquire security`. Include a reproducer if you have one — vault layout, exact CLI flags, the operation that triggered the issue.
-I'll work on a fix in private, cut a patch release, and then publicly disclose with credit (or anonymously, your call).
+Either channel: expect an acknowledgement within **72 hours**. I work on a fix in private, cut a patch release, and then publicly disclose with credit (or anonymously, your call).
 ## Scope

package/dist/index.js CHANGED Viewed

@@ -12,7 +12,7 @@ import { chunkContent, defaultIndexFile, FtsIndex } from "./fts5.js";
 import { appendToNote, archiveNote, chatThreadAppend, chatThreadRead, contextPack, createNote, dataviewQuery, embeddingsSearch, findPath, findSimilar, frontmatterGet, frontmatterSearch, frontmatterSet, getBacklinks, getNoteNeighbors, getOpenQuestions, getOutboundLinks, getRecentEdits, getUnresolvedWikilinks, getVaultStats, lintWiki, listCanvases, listNotes, listPdfs, listTags, ocrPdf, openInUi, paperAudit, readCanvas, readNote, readPdf, renameNote, replaceInNotes, resolveWikilink, searchHybrid, searchText, semanticSearch, validateNoteProposal } from "./tools.js";
 import { Vault } from "./vault.js";
 import { VaultWatcher } from "./watcher.js";
-const VERSION = "3.5.1";
+const VERSION = "3.5.3";
 /** Default location for the persistent embedding index, alongside .fts5.db. */
 function embedDbPath(vaultRoot) {
     // Match the FTS5 location convention by stripping the .fts5.db extension

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@oomkapwn/enquire-mcp",
-  "version": "3.5.1",
+  "version": "3.5.3",
   "description": "The most advanced MCP server for Obsidian vaults. Hybrid retrieval (BM25 + TF-IDF + multilingual ML embeddings, RRF-fused) with BGE cross-encoder reranking, HNSW vector index, int8 quantization, late-chunking, HyDE-augmented retrieval, sub-question decomposition, PDFs (with OCR), Bases (.base query execution, standalone — no Obsidian needed), GraphRAG-light (Louvain wikilink community detection), wikilinks, backlinks, Dataview, frontmatter, canvas. 44 tools, 19 MCP prompts, 5 cross-encoder reranker models, 664 tests, SLSA-3, semver-bound. Works with Claude Code, Claude Desktop, Cursor, ChatGPT custom GPT, Codex, and any MCP client.",
   "type": "module",
   "bin": {