@oomkapwn/enquire-mcp 3.9.0-rc.30 → 3.9.0-rc.32

package/CHANGELOG.md CHANGED
@@ -2,6 +2,54 @@
2
2
 
3
3
  All notable changes to this project will be documented here. The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
4
4
 
5
+ ## [3.9.0-rc.32] — 2026-05-30
6
+
7
+ > **TL;DR:** **Automate MCP Registry publishing + drift backstop (closes the registry-staleness class).** A promotion-channel check found the canonical MCP Registry stuck at **3.8.4** while npm `@latest` is **3.8.8** (~7 versions behind) — and because Glama / mcp.so / smithery **auto-sync from the registry**, that stale entry was silently propagating an outdated "current version" across the whole directory ecosystem. Root cause: the registry was published *manually* (`mcp-publisher publish` after each stable), so it drifted whenever that step was skipped. **Fixed structurally:** `release.yml` now auto-publishes **stable releases** to the registry via GitHub Actions **OIDC** (no secret — the existing `id-token: write` is all it needs), and new **OIA Check 11** is a state-driven advisory that surfaces registry-vs-npm drift on every audit run. **Workflow + audit-script + docs only; 1020 tests unchanged.**
8
+
9
+ **Patch — supply-chain / discoverability automation.**
10
+
11
+ ### Added
12
+
13
+ - **Automated MCP Registry publish (OIDC) in `release.yml`** — after the npm publish + GitHub Release steps, a new `Publish to MCP Registry (stable only)` step downloads the official `mcp-publisher`, authenticates via `mcp-publisher login github-oidc` (GitHub Actions OIDC — trusts the repo's identity for the `io.github.oomkapwn/*` namespace; **no dedicated secret**), and runs `mcp-publisher publish`. **Gated to `dist_tag == 'latest'`** so the registry's `isLatest` always reflects what `npm install` gives by default — RCs publish to npm under `@rc` but are deliberately NOT pushed to the registry (else the canonical listing, and every directory that syncs from it, would advertise an `-rc.N` as current). Defensively re-syncs `server.json`'s `version` (+ each `packages[].version`) from `package.json` before publishing.
14
+ - **OIA Check 11 — `MCP-REGISTRY-VERSION-DRIFT`** (`scripts/oia-walk.mjs`, network, `--skip-network`-respecting) — compares the registry's `isLatest` version to npm's `latest` dist-tag and prints a visible **ADVISORY** when they differ. **Non-fatal by design**: remediation (re-publish) is maintainer-gated (runs on a stable tag or a manual login), so a PR author can't fix registry state inside their PR — hard-failing the `oia` gate on it would block unrelated work (same principle as the SLSA network check skipping on infra it doesn't control). Detection-power verified: it flags the live 3.8.4-vs-3.8.8 drift today. OIA canonical count 10 → 11 (header + AGENTS ×2 + ROADMAP, gated by `docs-consistency.test.ts`).
15
+
16
+ ### Method note
17
+
18
+ This is the registry analogue of the rc.31 repo-About fix: a promotion surface that lives **outside the repo's files** (here, the canonical registry; there, GitHub metadata) drifted because the publish path was manual and no state-driven check watched it. The durable fix is the same shape — **automate the publish** (OIDC step) **+ add a state-driven drift detector** (OIA Check 11). The advisory will keep flagging 3.8.4-vs-3.8.8 until the next **stable** release runs the new OIDC step (or a maintainer re-publishes manually); on an RC line there is no stable tag to trigger it, so the reconciliation lands with the v3.9.0 → `@latest` promotion.
19
+
20
+ ### Files changed
21
+
22
+ - `.github/workflows/release.yml` (registry-publish OIDC step, stable-gated), `scripts/oia-walk.mjs` (Check 11 + canonical count 11), `AGENTS.md` ×2 + `ROADMAP.md` (OIA count 10 → 11; ROADMAP test count 1002 → 1020 stale-fix).
23
+ - version bump 3.9.0-rc.31 → 3.9.0-rc.32; no `src/`, no test change (1020).
24
+
25
+ ---
26
+
27
+ ## [3.9.0-rc.31] — 2026-05-30
28
+
29
+ > **TL;DR:** **Repo-page SLSA overclaim fix + structural guard (residual of overclaim #15).** A state-driven check of the GitHub repo page found the **About description still said "SLSA-3"** — the unenforced claim that overclaim #15 (rc.7) downgraded to "SLSA L2" across README/package.json/llms.txt/COMPARISON/STABILITY, and that rc.18 fixed on the social card. The About string lives ONLY on GitHub (no file → outside OIA Check 4d's scope), so it survived ~23 RCs. **Fixed the live About** (`gh repo edit` → "SLSA L2") and added a structural guard so it can't drift back: `tests/github-metadata-invariant.test.ts` now asserts the About carries no SLSA-level-above-2 claim. **1019 → 1020 tests** (+1 source `it()`, positive + NEGATIVE controls); no `src/` change.
30
+
31
+ **Patch — brand-integrity (repo metadata + invariant). Tests + docs only.**
32
+
33
+ ### Fixed
34
+
35
+ - **Repo About "SLSA-3" → "SLSA L2"** (residual instance of overclaim #15). `release.yml` runs `npm publish --provenance` = **SLSA Build L2** (L3 requires the isolated `slsa-framework/slsa-github-generator`). The GitHub About description was the last surface still asserting the higher level — corrected via `gh repo edit`. (Topics verified correct: all `REQUIRED_TOPICS` present incl. `openclaw`; About lead-in "The most advanced Obsidian MCP" intact.)
36
+
37
+ ### Added
38
+
39
+ - **`findSlsaOverclaim` analyzer + live assertion** in `tests/github-metadata-invariant.test.ts` — the About-description test now fails if the description claims SLSA-3 / L3 / L4 (tolerant of `SLSA-3`, `SLSA 3`, `SLSA Build L3`, `SLSA Level 3`, `SLSA L3`); `SLSA L2` / `SLSA-2` pass. This is the structural class-closer for the gap that let the overclaim live on GitHub-only metadata: OIA Check 4d guards in-repo claim files + the social SVG, but the repo About string had no guard until now. Positive + NEGATIVE controls + a false-positive guard ("3 transports / L3 caching" must NOT trip).
40
+
41
+ ### Method note
42
+
43
+ The change-driven sweep of overclaim #15 (rc.7) fixed every *file*; OIA Check 4d (rc.8) structurally guarded every *file* + the social SVG (rc.18). But the GitHub About/Topics metadata is not a file in the repo — it's reachable only via `gh api` — so it fell outside both. Same root shape the project keeps hitting: **a defense scoped to one surface type misses a sibling surface of a different type**. The fix extends the existing `github-metadata-invariant` (which already pulls live About/Topics) with the SLSA check, so the repo page is now covered by the same fail-loud apparatus as the files.
44
+
45
+ ### Files changed
46
+
47
+ - `tests/github-metadata-invariant.test.ts` (+`findSlsaOverclaim` + live assertion + NEGATIVE control), test-count claims 1019 → 1020 (README ×4, package.json, llms.txt, AGENTS, COMPARISON).
48
+ - live GitHub repo About (out-of-band via `gh repo edit`; not a tracked file).
49
+ - version bump 3.9.0-rc.30 → 3.9.0-rc.31.
50
+
51
+ ---
52
+
5
53
  ## [3.9.0-rc.30] — 2026-05-30
6
54
 
7
55
  > **TL;DR:** **Correction patch — overclaim instance #18.** A state-driven post-ship audit (after the multi-hour sandbox outage that interrupted rc.29) caught that the rc.29 CHANGELOG + CLAUDE.md cited social-card asset sizes carried over from the **first design attempt the EPERM outage ate**, not the files actually shipped: SVG claimed "9.7 KB → 11.8 KB" (real **7.3 KB** — it shrank), PNG claimed "188 KB → **49.5 KB**" (real **205 KB** — the 2× density render grew it). No gate catches KB annotations in CHANGELOG prose, so only a state-driven read found it. Corrected to be **size-agnostic** (drop drift-prone KB; keep the verified `1280×640`, which the audit confirmed correct). **Docs-only — zero `src/`, zero asset change, 1019 tests unchanged.**
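Review bot: The rc.32 "Added" entry says the new `Publish to MCP Registry (stable only)` step "downloads the official `mcp-publisher`" in a workflow that holds `id-token: write`, but it does not say whether that download is pinned to a specific release and checksum-verified. A binary fetched at release time can request the OIDC token that the registry trusts for the `io.github.oomkapwn/*` namespace, so the entry should state the pinned version and how its integrity is checked, or the step should add both. Separately, the TL;DR describes 3.8.4 versus 3.8.8 as "~7 versions behind"; those two version numbers are four patch releases apart, so either say what is being counted or drop the figure.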
package/README.md CHANGED
@@ -13,7 +13,7 @@
13
13
  [![CI](https://github.com/oomkapwn/enquire-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/oomkapwn/enquire-mcp/actions/workflows/ci.yml)
14
14
  [![npm](https://img.shields.io/npm/v/@oomkapwn/enquire-mcp.svg?label=npm&color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
15
15
  [![downloads](https://img.shields.io/npm/dm/@oomkapwn/enquire-mcp.svg?color=cb3837)](https://www.npmjs.com/package/@oomkapwn/enquire-mcp)
16
- [![tests](https://img.shields.io/badge/tests-1019%20passing-brightgreen.svg)](#trust)
16
+ [![tests](https://img.shields.io/badge/tests-1020%20passing-brightgreen.svg)](#trust)
17
17
  [![stable](https://img.shields.io/badge/v3.8.x-stable-brightgreen.svg)](./STABILITY.md)
18
18
  [![build provenance](https://img.shields.io/badge/build_provenance-SLSA_L2-blue.svg)](https://slsa.dev/spec/v1.0/levels#build-l2)
19
19
  [![MCP](https://img.shields.io/badge/MCP-1.29-8A2BE2.svg)](https://modelcontextprotocol.io/)
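Review bot: The `tests` badge on line 16 is a static shields.io label, so "1020 passing" is a hand-edited string that stays green whatever the last CI run did, and it has to be bumped by hand whenever a test is added (this diff touches the same number in three more README hunks and in `package.json`). Either drop "passing" and let the adjacent CI badge carry the pass/fail signal, or generate the count from the test run so the claim cannot drift from the suite.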
@@ -46,7 +46,7 @@ Your Obsidian vault becomes **persistent, queryable long-term memory** for any M
46
46
  > 2. **Best-in-class retrieval.** Hybrid BM25 + multilingual embeddings + BGE cross-encoder reranker fused via RRF, scaled with HNSW + int8 quantization. The same IR stack a search startup would build — open-sourced, in one binary.
47
47
  > 3. **Zero cloud calls during serve.** Models cached locally (one-time download from HuggingFace). Your vault content never leaves your machine. Air-gap-safe by default.
48
48
 
49
- **44 tools · 19 MCP prompts · 1019 unit tests · 50+ languages · v3.8.x stable · semver-bound · MIT · npm build provenance (SLSA L2).**
49
+ **44 tools · 19 MCP prompts · 1020 unit tests · 50+ languages · v3.8.x stable · semver-bound · MIT · npm build provenance (SLSA L2).**
50
50
 
51
51
  ---
52
52
 
@@ -184,7 +184,7 @@ Auto-generated **[API reference at oomkapwn.github.io/enquire-mcp](https://oomka
184
184
  | **GraphRAG-light** (wikilink community detection via Louvain modularity) | ✅ **only here** | ❌ | ❌ |
185
185
  | **Standalone `.base` query execution** (works without Obsidian running) | ✅ **only here** | ❌ | ❌ delegates to Obsidian |
186
186
  | **HyDE retrieval** (Gao et al 2023) + sub-question decomposition | ✅ **only here** | ❌ | ❌ |
187
- | **1019 unit tests · 9 required + 4 advisory CI gates per PR** | ✅ | n/a | rare |
187
+ | **1020 unit tests · 9 required + 4 advisory CI gates per PR** | ✅ | n/a | rare |
188
188
  | **Signed build provenance** (npm + Sigstore, SLSA Build L2) | ✅ | n/a | ❌ |
189
189
  | **Semver-bound public surface** ([STABILITY.md](./STABILITY.md)) | ✅ | n/a | ❌ |
190
190
  | Standalone (no Obsidian plugin needed) | ✅ | ❌ requires Obsidian | varies |
@@ -294,7 +294,7 @@ Channel: `npm install @oomkapwn/enquire-mcp` → latest stable (`@latest` = v3.8
294
294
  ```bash
295
295
  git clone https://github.com/oomkapwn/enquire-mcp.git
296
296
  cd enquire-mcp && npm install
297
- npm test # full suite (1019 tests, ~12s)
297
+ npm test # full suite (1020 tests, ~12s)
298
298
  npm run lint # zero warnings
299
299
  npm run build # tsc → dist/
300
300
  ```
package/dist/index.d.ts CHANGED
@@ -7,7 +7,7 @@
7
7
  * + `McpServer({version})`) and `src/tool-registry.ts` (used in the
8
8
  * `vault-info` resource payload).
9
9
  */
10
- export declare const VERSION = "3.9.0-rc.30";
10
+ export declare const VERSION = "3.9.0-rc.32";
11
11
  export { main } from "./cli.js";
12
12
  export { buildEmbedText, buildMcpServer, formatReadyBanner, prepareServerDeps, type ServeOptions, type ServerDeps, startServer } from "./server.js";
13
13
  export { parsePositiveInt, parseQuantizationMode } from "./tool-registry.js";
package/dist/index.js CHANGED
@@ -40,7 +40,7 @@ import { main } from "./cli.js";
40
40
  * + `McpServer({version})`) and `src/tool-registry.ts` (used in the
41
41
  * `vault-info` resource payload).
42
42
  */
43
- export const VERSION = "3.9.0-rc.30";
43
+ export const VERSION = "3.9.0-rc.32";
44
44
  // Re-exports — preserve the v3.5.x public surface so http-transport.ts and
45
45
  // tests don't need to know about the new module layout. The set below
46
46
  // exactly matches the v3.5.x `export` declarations: `main`,
@@ -43,7 +43,7 @@ The four axes the external audit (#3, 2026-05) called out as decisive — **REST
43
43
  | Read open editor state, active note, etc. | **No** | **Yes** | Limited | No | No |
44
44
  | Zero outbound network calls in serve mode | **Yes** (default) | Local-only (REST)| Local-only (REST)| Yes | Yes |
45
45
  | Signed build provenance on releases (SLSA L2) | **Yes** | No | No | No | No |
46
- | Test count (public) | **1019** | (varies) | (varies) | (varies) | (varies) |
46
+ | Test count (public) | **1020** | (varies) | (varies) | (varies) | (varies) |
47
47
  | Tool count | 44 | ~25 | ~8 | ~10 | 3–5 |
48
48
  | MCP prompt count | 19 | 0 | 0 | 0 | 0 |
49
49
  | License | MIT | Apache-2.0 | MIT | MIT | (varies) |
package/package.json CHANGED
@@ -1,9 +1,9 @@
1
1
  {
2
2
  "$schema": "https://json.schemastore.org/package.json",
3
3
  "name": "@oomkapwn/enquire-mcp",
4
- "version": "3.9.0-rc.30",
4
+ "version": "3.9.0-rc.32",
5
5
  "mcpName": "io.github.oomkapwn/enquire-mcp",
6
- "description": "MCP server giving AI agents (Claude Code, Claude Desktop, Cursor, ChatGPT, Codex, OpenClaw) persistent long-term memory backed by your local Obsidian markdown vault. Hybrid retrieval (BM25 + ML embeddings + BGE reranker, RRF-fused), HNSW + int8 quantization, agentic RAG (HyDE + sub-question decomposition), GraphRAG-light (Louvain), standalone Obsidian Bases, PDFs + Tesseract OCR. Vendor-neutral memory layer for any MCP-compatible agent. 44 tools, 19 MCP prompts, 1019 tests, signed npm build provenance (SLSA L2), semver-bound, MIT, zero cloud calls during serve.",
6
+ "description": "MCP server giving AI agents (Claude Code, Claude Desktop, Cursor, ChatGPT, Codex, OpenClaw) persistent long-term memory backed by your local Obsidian markdown vault. Hybrid retrieval (BM25 + ML embeddings + BGE reranker, RRF-fused), HNSW + int8 quantization, agentic RAG (HyDE + sub-question decomposition), GraphRAG-light (Louvain), standalone Obsidian Bases, PDFs + Tesseract OCR. Vendor-neutral memory layer for any MCP-compatible agent. 44 tools, 19 MCP prompts, 1020 tests, signed npm build provenance (SLSA L2), semver-bound, MIT, zero cloud calls during serve.",
7
7
  "type": "module",
8
8
  "bin": {
9
9
  "enquire-mcp": "dist/index.js"
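Review bot: The only change to `description` on line 6 is "1019 tests" to "1020 tests", which means the published package metadata embeds a count that goes stale as soon as a test is added and cannot be corrected for an already-published version. The rc.30 entry in this same diff resolved an equivalent problem by making the claim size-agnostic; doing the same here (dropping the test count, and ideally the tool and prompt counts, from `description`) removes one of the surfaces the changelog lists as needing a manual bump.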