@oomkapwn/enquire-mcp 3.5.12 → 3.5.14

package/CHANGELOG.md CHANGED
@@ -2,8 +2,74 @@
2
2
 
3
3
  All notable changes to this project will be documented here. The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
4
4
 
5
+ ## [3.5.14] — 2026-05-14
6
+
7
+ > **TL;DR:** External audit #5 (MiniMax, 4.7/5.0). Surface-only cleanup: added TL;DR headers to v3.5.9..v3.5.13 entries for skimability + documented the rejected L-2 finding (deps dual-listing is needed, not cosmetic). No code changes.
8
+
9
+ **Patch — external audit #5 followup (MiniMax, v3.5.13).**
10
+
11
+ Third independent audit in 4 days. Verdict: **4.7/5.0**, production-ready, only major concern is the monolith files already in v3.6 roadmap. Two reviewer recommendations actioned this release, one rejected with documented reasoning.
12
+
13
+ ### Added — TL;DR headers on recent CHANGELOG entries (audit M-1, partial)
14
+
15
+ Auditor recommended simplifying the CHANGELOG (~1000 lines on 13 patches felt overweight). Full simplification rejected — the detail is **audit trail**, not noise: v3.5.10's coverage-stats drift was only catchable BECAUSE we had the original (wrong) numbers vs the (right) retroactive correction in the same file. Compromise: every recent entry now has a one-blockquote **TL;DR** at the top so skim-readers can grok scope in 1 second, while the full detail stays available for the next maintainer / next audit.
16
+
17
+ Pattern applied to v3.5.9, v3.5.10, v3.5.11, v3.5.12, v3.5.13 — plus this entry. Future patches will follow the same convention.
18
+
19
+ ### Rejected — auditor L-2 (`@huggingface/transformers` deps dual-listing)
20
+
21
+ Auditor flagged `@huggingface/transformers ^4.2.0` appearing in BOTH `devDependencies` and `optionalDependencies` as "cosmetic". **Tested the removal locally: 13 test failures** (cold-import timeouts in `pdf.test.ts` + `ocr.test.ts` + flake spreading across the test matrix when 31 test files run in parallel and each one's setup.ts cold-imports the 100MB transformers package).
22
+
23
+ The dual-listing isn't cosmetic — it's the v3.5.6 root-cause fix for cold-import flakes. `optionalDependencies` alone is enough for npm to install the package, but listing in `devDependencies` ensures the dependency resolver hoists / caches it more aggressively, which keeps `tests/setup.ts`'s `Promise.allSettled([...])` warm-load reliable under the parallel test matrix. Empirical: with dual-listing 712/712 pass; without it 699/712 pass (4 test files fail with timeouts).
24
+
25
+ Documented inline (this CHANGELOG entry) so future audits see the prior-art rejection and don't re-flag.
26
+
27
+ ### Deferred — auditor M-2 (JSDoc for public API)
28
+
29
+ Adding TSDoc to 44 tools + 19 prompts is ~1300 lines of doc-comments. Worth doing but doesn't fit a patch — folded into the v3.6 sprint along with the monolith refactor.
30
+
31
+ ### Tests
32
+
33
+ 712 unit tests pass · branches 75.29% · lines 89.54% · statements 86.07% · functions 82.15% (verified via `npm run test:coverage`). Lint clean · tsc clean · version-consistency green at `3.5.14` across 5 surfaces.
34
+
35
+ ### Migration
36
+
37
+ **No-op.** Documentation-only patch.
38
+
39
+ ### Method note
40
+
41
+ This is a deliberate "no-op patch" against auditor findings: only the cheap actionable items get applied, the recommendations that turn out to be wrong on closer inspection get **documented rejections** in the CHANGELOG (not silently ignored). The next audit cycle sees the rejection trail and either accepts it or escalates with a stronger argument — avoiding the cycle of "auditor flags X → maintainer dismisses → next auditor flags X again".
42
+
43
+ ## [3.5.13] — 2026-05-13
44
+
45
+ > **TL;DR:** README badges + `#trust` table stale CI claims (8→7 required gates, Node 22/24 matrix, branches ≥74%).
46
+
47
+ **Patch — README badges + stale CI claims.** Surface-only cleanup. No code changes.
48
+
49
+ ### Fixed
50
+
51
+ - **npm badge label**: `npm @latest` → `npm`. The `@latest` suffix could be misread as the npm dist-tag (which is implicit when you query the latest version), so the badge was double-labeling. Plus the URL-encoded `%20%40` made the link ugly in raw markdown.
52
+ - **`stable` badge version pointer**: `v3.0-stable` → `v3.5.x-stable`. Was last updated when v3.0.0 shipped (2026-05-09); 12 patch releases later it still pointed at v3.0.
53
+ - **CI gate count + Node matrix in `#trust`** (README line 162): `**8 required** … test ×3 [Node 20/22/24]` → `**7 required** … test ×2 [Node 22/24]`. v3.5.11 dropped Node 20 from CI (EOL'd 2026-04, pdfjs v5 needs ≥22.13); this table was missed in that patch. Inline note added to explain the change.
54
+ - **CI gate count in trust table** (line 92): `8 required + 4 advisory` → `7 required + 4 advisory`. Same drift class as above.
55
+ - **Coverage row**: `branches ≥73% (gated)` → `branches ≥74% (gated)`. v3.5.10 raised the threshold from 72→74 after the coverage uplift work but missed this surface.
56
+
57
+ ### Tests
58
+
59
+ 712 unit tests pass · lint clean · tsc clean · version-consistency green at `3.5.13` across 5 surfaces.
60
+
61
+ ### Migration
62
+
63
+ **No-op.** Documentation-only patch.
64
+
65
+ ### Method note
66
+
67
+ This is exactly the class of drift the v3.5.9 docs-consistency invariants were designed to catch — the per-tool/prompt/test-count surfaces. But CI-config-claim drift (number of required checks, Node matrix in the trust table) is a NEW surface those invariants don't cover. Adding an invariant for "README claims about CI gates must match `.github/workflows/ci.yml` reality" would be the right class fix. Left as future work for the next audit cycle to flag — if it does, we know the class is worth chasing. Same applies to the `branches threshold` claim in the trust table vs `vitest.config.ts`.
68
+
5
69
  ## [3.5.12] — 2026-05-13
6
70
 
71
+ > **TL;DR:** Audit #4 followup — class fixes for `serve`/`serve-http` help drift (shared `cli-help.ts` module) + CHANGELOG coverage stat drift (new gate script in CI). 4 instance fixes (broken link, retroactive coverage numbers, biome schema bump, cosmetic version).
72
+
7
73
  **Patch — external audit #4 followup.** External re-audit measured v3.5.10 on disk and surfaced 5 LOW/INFO/COSMETIC findings (§3 of [REAUDIT_REPORT_v3.5.10]). Closes all 5 + applies root-cause-sweep methodology so the next audit doesn't find the same drift class again.
8
74
 
9
75
  ### Added — `src/cli-help.ts` (class fix for §3.1)
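Review bot: The L-2 rejection in the 3.5.14 entry rests on one local comparison (712/712 with the dual-listing, 699/712 without), and the failures it cites are cold-import timeouts under a parallel test matrix, which is the same symptom an unrelated flake would produce. The mechanism given, that listing the package in `devDependencies` makes the resolver hoist or cache it "more aggressively", is asserted rather than shown. Record the exact command, the number of runs on each side, and whether each run started from a clean install, so the next auditor can reproduce the result instead of re-arguing it.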
@@ -62,6 +128,8 @@ This closes the second class of bug the methodology was designed to prevent: num
62
128
 
63
129
  ## [3.5.11] — 2026-05-13
64
130
 
131
+ > **TL;DR:** `pdfjs-dist` upgraded v4 → v5 (closes dependabot #54 that hung 2 days on CI red). 3 breaking API changes patched. CI matrix drops Node 20 (pdfjs v5 needs ≥22.13, Node 20 EOL'd 2026-04). Engines `>=20` UNCHANGED for non-PDF users on prebuilt dist.
132
+
65
133
  **Patch — pdfjs-dist v4 → v5 migration + CI Node 20 drop.** Dependabot PR #54 had been hanging since 2026-05-11 with CI red across every job. The bump itself was 1 line in `package.json`, but pdfjs v5 has 3 breaking API changes that needed code-side fixes, AND v5.7+ requires `engines: >=22.13.0`. This release ships the bump + migration + CI matrix update together.
66
134
 
67
135
  ### Changed
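Review bot: The added 3.5.11 TL;DR says engines `>=20` is unchanged, while the paragraph under it says pdfjs v5.7+ requires `engines: >=22.13.0` and the release drops Node 20 from the CI matrix. That leaves Node 20 declared as supported but untested and below a dependency's stated minimum. Either state in the entry what a Node 20 user gets when a PDF tool is called, or raise the `engines` floor to match what CI exercises.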
@@ -99,6 +167,8 @@ This closes the second class of bug the methodology was designed to prevent: num
99
167
 
100
168
  ## [3.5.10] — 2026-05-13
101
169
 
170
+ > **TL;DR:** Audit #3 §3-5 followup — new `docs/COMPARISON.md` (honest matrix vs 4 alternatives) + `docs/QUICKSTART.md` (5-min happy path) + 14 missing tool sections in `docs/api.md` (now 44/44 documented) + branch coverage uplift 72.94% → 75.29% via 40 targeted tests.
171
+
102
172
  **Patch — external audit #3 followup.** v3.5.9 closed §2 of the audit (docs drift class fix). This release tackles §3-4: onboarding clarity, alternative comparison, api.md completeness, and the v3.6 commitment from v3.5.9 to lift branch coverage back above 75%.
103
173
 
104
174
  ### Added
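Review bot: The added 3.5.10 TL;DR labels the release "Audit #3 §3-5 followup", but the paragraph directly under it says "This release tackles §3-4". Make the two section ranges agree, or name in the body what §5 covers, since the TL;DR is what skim-readers will take as the scope.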
@@ -128,6 +198,8 @@ v3.5.9 fixed §2 of audit #3 in one release. This release fixes §3-4 in one rel
128
198
 
129
199
  ## [3.5.9] — 2026-05-13
130
200
 
201
+ > **TL;DR:** Audit #3 §2 class fix — 5 new docs-consistency invariants (README test count, package.json description, social-preview.svg, api.md tool counts, write-tool count word) + 6 instance drift fixes (D1-D6). Class fix, not symptom fix: next audit can't find the same bug class in 0 new surfaces.
202
+
131
203
  **Patch — external audit #3: class fix for numeric/feature drift across 8 surfaces.** v3.5.1 invariants caught drift in README + STABILITY.md tool counts. The same drift recurred in **6 OTHER surfaces** the invariants didn't cover. This release closes the class, not just the instances.
132
204
 
133
205
  ### Fixed — 6 instance drift cases (D1-D6 from external audit)
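Review bot: The last sentence of the added 3.5.9 TL;DR, "next audit can't find the same bug class in 0 new surfaces", does not parse into a claim a reader can check. Reword it to say which surfaces the 5 new invariants cover, so a later audit can tell a covered surface from an uncovered one.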
package/README.md CHANGED
@@ -9,10 +9,10 @@
9
9
  **Every modern IR primitive. In one tool. For free.**
10
10
 
11
11
  [![CI](https://github.com/oomkapwn/enquire-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/oomkapwn/enquire-mcp/actions/workflows/ci.yml)
12
- [![npm](https://img.shields.io/npm/v/@oomkapwn/enquire-mcp/latest.svg?label=npm%20%40latest&color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
12
+ [![npm](https://img.shields.io/npm/v/@oomkapwn/enquire-mcp.svg?label=npm&color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
13
13
  [![downloads](https://img.shields.io/npm/dm/@oomkapwn/enquire-mcp.svg?color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
14
14
  [![tests](https://img.shields.io/badge/tests-712%20passing-brightgreen.svg)](#trust)
15
- [![stable](https://img.shields.io/badge/v3.0-stable-brightgreen.svg)](./STABILITY.md)
15
+ [![stable](https://img.shields.io/badge/v3.5.x-stable-brightgreen.svg)](./STABILITY.md)
16
16
  [![SLSA-3](https://img.shields.io/badge/SLSA-3-blue.svg)](https://slsa.dev/spec/v1.0/levels#build-l3)
17
17
  [![MCP](https://img.shields.io/badge/MCP-1.29-8A2BE2.svg)](https://modelcontextprotocol.io/)
18
18
  [![License](https://img.shields.io/badge/license-MIT-yellow.svg)](./LICENSE)
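Review bot: The `stable` badge swaps one hard-coded series (`v3.0`) for another (`v3.5.x`), so it goes stale again at the next minor release; the `tests` badge on the line above it likewise carries a literal `712`. Use a dynamic badge, or add these badge strings to the version-consistency check so a release cannot ship with a stale one.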
@@ -89,7 +89,7 @@ enquire-mcp doctor --vault <path> # color-coded ✓/⚠/✗ health check
89
89
  | **GraphRAG-light** (wikilink community detection via Louvain modularity) | ✅ **only here** | ❌ | ❌ |
90
90
  | **Standalone `.base` query execution** (works without Obsidian running) | ✅ **only here** | ❌ | ❌ delegates to Obsidian |
91
91
  | **HyDE retrieval** (Gao et al 2023) + sub-question decomposition | ✅ **only here** | ❌ | ❌ |
92
- | **712 unit tests · 8 required + 4 advisory CI gates per PR** | ✅ | n/a | rare |
92
+ | **712 unit tests · 7 required + 4 advisory CI gates per PR** | ✅ | n/a | rare |
93
93
  | **SLSA-3 build provenance** | ✅ | n/a | ❌ |
94
94
  | **Semver-bound public surface** ([STABILITY.md](./STABILITY.md)) | ✅ | n/a | ❌ |
95
95
  | Standalone (no Obsidian plugin needed) | ✅ | ❌ requires Obsidian | varies |
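Review bot: The gate count in this comparison row ("7 required + 4 advisory") is a hand-typed copy of the count in the `#trust` CI row, and this diff has to correct both by hand. Keep the number in one place, for example by linking this row to `#trust` and dropping the count here, so the two cannot drift apart again.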
@@ -159,8 +159,8 @@ Plus 3 MCP resources (`obsidian://vault/info`, `obsidian://note/{path}`, `obsidi
159
159
  | **HTTP transport** | Bearer auth (constant-time SHA-256 + `timingSafeEqual`), per-token rate-limit, strict CORS |
160
160
  | **Frontmatter** | `gray-matter` (`js-yaml` safeLoad) — no code execution |
161
161
  | **Cache + index files** | chmod 0600, parent dir 0700 |
162
- | **CI** | **8 required** branch-protection gates (lint · test ×3 [Node 20/22/24] · smoke · audit · coverage · version-consistency) + **4 advisory** (test-macos · CodeQL ×2 · Analyze actions). Release workflow re-verifies all 8 required passed on tagged SHA before npm publish. |
163
- | **Coverage** | Lines ≥86% · statements ≥82% · functions ≥75% · branches ≥73% (gated) |
162
+ | **CI** | **7 required** branch-protection gates (lint · test ×2 [Node 22/24] · smoke · audit · coverage · version-consistency) + **4 advisory** (test-macos · CodeQL ×2 · Analyze actions). Release workflow re-verifies all 7 required passed on tagged SHA before npm publish. _v3.5.11 — Node 20 dropped (EOL'd 2026-04, pdfjs v5 requires ≥22.13)._ |
163
+ | **Coverage** | Lines ≥86% · statements ≥82% · functions ≥75% · branches ≥74% (gated) |
164
164
  | **Releases** | npm + GitHub release per tag · semver · **SLSA-3** build provenance |
165
165
  | **Stability** | v3.0+ semver-bound — every CLI flag, tool name, MCP resource, prompt, exported symbol is contract |
166
166
 
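Review bot: The CI row now states that the release workflow "re-verifies all 7 required passed on tagged SHA before npm publish", but this diff changes only the README text, so nothing here shows that the workflow's own list of required checks went from 8 to 7. Confirm that the release workflow and branch protection name the same 7 checks before relying on this row as a trust claim. The italic v3.5.11 note is changelog material and would read better outside the table cell.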
package/dist/index.js CHANGED
@@ -13,7 +13,7 @@ import { chunkContent, defaultIndexFile, FtsIndex } from "./fts5.js";
13
13
  import { appendToNote, archiveNote, chatThreadAppend, chatThreadRead, contextPack, createNote, dataviewQuery, embeddingsSearch, findPath, findSimilar, frontmatterGet, frontmatterSearch, frontmatterSet, getBacklinks, getNoteNeighbors, getOpenQuestions, getOutboundLinks, getRecentEdits, getUnresolvedWikilinks, getVaultStats, lintWiki, listCanvases, listNotes, listPdfs, listTags, ocrPdf, openInUi, paperAudit, readCanvas, readNote, readPdf, renameNote, replaceInNotes, resolveWikilink, searchHybrid, searchText, semanticSearch, validateNoteProposal } from "./tools.js";
14
14
  import { Vault } from "./vault.js";
15
15
  import { VaultWatcher } from "./watcher.js";
16
- const VERSION = "3.5.12";
16
+ const VERSION = "3.5.14";
17
17
  /** Default location for the persistent embedding index, alongside .fts5.db. */
18
18
  function embedDbPath(vaultRoot) {
19
19
  // Match the FTS5 location convention by stripping the .fts5.db extension
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "$schema": "https://json.schemastore.org/package.json",
3
3
  "name": "@oomkapwn/enquire-mcp",
4
- "version": "3.5.12",
4
+ "version": "3.5.14",
5
5
  "description": "The most advanced MCP server for Obsidian vaults. Hybrid retrieval (BM25 + TF-IDF + multilingual ML embeddings, RRF-fused) with BGE cross-encoder reranking, HNSW vector index, int8 quantization, late-chunking, HyDE-augmented retrieval, sub-question decomposition, PDFs (with OCR), Bases (.base query execution, standalone — no Obsidian needed), GraphRAG-light (Louvain wikilink community detection), wikilinks, backlinks, Dataview, frontmatter, canvas. 44 tools, 19 MCP prompts, 5 cross-encoder reranker models, 712 tests, SLSA-3, semver-bound. Works with Claude Code, Claude Desktop, Cursor, ChatGPT custom GPT, Codex, and any MCP client.",
6
6
  "type": "module",
7
7
  "bin": {