@oomkapwn/enquire-mcp 3.9.0-rc.31 → 3.9.0-rc.32
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +22 -0
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,28 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented here. The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
4
4
|
|
|
5
|
+
## [3.9.0-rc.32] — 2026-05-30
|
|
6
|
+
|
|
7
|
+
> **TL;DR:** **Automate MCP Registry publishing + drift backstop (closes the registry-staleness class).** A promotion-channel check found the canonical MCP Registry stuck at **3.8.4** while npm `@latest` is **3.8.8** (~7 versions behind) — and because Glama / mcp.so / smithery **auto-sync from the registry**, that stale entry was silently propagating an outdated "current version" across the whole directory ecosystem. Root cause: the registry was published *manually* (`mcp-publisher publish` after each stable), so it drifted whenever that step was skipped. **Fixed structurally:** `release.yml` now auto-publishes **stable releases** to the registry via GitHub Actions **OIDC** (no secret — the existing `id-token: write` is all it needs), and new **OIA Check 11** is a state-driven advisory that surfaces registry-vs-npm drift on every audit run. **Workflow + audit-script + docs only; 1020 tests unchanged.**
|
|
8
|
+
|
|
9
|
+
**Patch — supply-chain / discoverability automation.**
|
|
10
|
+
|
|
11
|
+
### Added
|
|
12
|
+
|
|
13
|
+
- **Automated MCP Registry publish (OIDC) in `release.yml`** — after the npm publish + GitHub Release steps, a new `Publish to MCP Registry (stable only)` step downloads the official `mcp-publisher`, authenticates via `mcp-publisher login github-oidc` (GitHub Actions OIDC — trusts the repo's identity for the `io.github.oomkapwn/*` namespace; **no dedicated secret**), and runs `mcp-publisher publish`. **Gated to `dist_tag == 'latest'`** so the registry's `isLatest` always reflects what `npm install` gives by default — RCs publish to npm under `@rc` but are deliberately NOT pushed to the registry (else the canonical listing, and every directory that syncs from it, would advertise an `-rc.N` as current). Defensively re-syncs `server.json`'s `version` (+ each `packages[].version`) from `package.json` before publishing.
|
|
14
|
+
- **OIA Check 11 — `MCP-REGISTRY-VERSION-DRIFT`** (`scripts/oia-walk.mjs`, network, `--skip-network`-respecting) — compares the registry's `isLatest` version to npm's `latest` dist-tag and prints a visible **ADVISORY** when they differ. **Non-fatal by design**: remediation (re-publish) is maintainer-gated (runs on a stable tag or a manual login), so a PR author can't fix registry state inside their PR — hard-failing the `oia` gate on it would block unrelated work (same principle as the SLSA network check skipping on infra it doesn't control). Detection-power verified: it flags the live 3.8.4-vs-3.8.8 drift today. OIA canonical count 10 → 11 (header + AGENTS ×2 + ROADMAP, gated by `docs-consistency.test.ts`).
|
|
15
|
+
|
|
16
|
+
### Method note
|
|
17
|
+
|
|
18
|
+
This is the registry analogue of the rc.31 repo-About fix: a promotion surface that lives **outside the repo's files** (here, the canonical registry; there, GitHub metadata) drifted because the publish path was manual and no state-driven check watched it. The durable fix is the same shape — **automate the publish** (OIDC step) **+ add a state-driven drift detector** (OIA Check 11). The advisory will keep flagging 3.8.4-vs-3.8.8 until the next **stable** release runs the new OIDC step (or a maintainer re-publishes manually); on an RC line there is no stable tag to trigger it, so the reconciliation lands with the v3.9.0 → `@latest` promotion.
|
|
19
|
+
|
|
20
|
+
### Files changed
|
|
21
|
+
|
|
22
|
+
- `.github/workflows/release.yml` (registry-publish OIDC step, stable-gated), `scripts/oia-walk.mjs` (Check 11 + canonical count 11), `AGENTS.md` ×2 + `ROADMAP.md` (OIA count 10 → 11; ROADMAP test count 1002 → 1020 stale-fix).
|
|
23
|
+
- version bump 3.9.0-rc.31 → 3.9.0-rc.32; no `src/`, no test change (1020).
|
|
24
|
+
|
|
25
|
+
---
|
|
26
|
+
|
|
5
27
|
## [3.9.0-rc.31] — 2026-05-30
|
|
6
28
|
|
|
7
29
|
> **TL;DR:** **Repo-page SLSA overclaim fix + structural guard (residual of overclaim #15).** A state-driven check of the GitHub repo page found the **About description still said "SLSA-3"** — the unenforced claim that overclaim #15 (rc.7) downgraded to "SLSA L2" across README/package.json/llms.txt/COMPARISON/STABILITY, and that rc.18 fixed on the social card. The About string lives ONLY on GitHub (no file → outside OIA Check 4d's scope), so it survived ~23 RCs. **Fixed the live About** (`gh repo edit` → "SLSA L2") and added a structural guard so it can't drift back: `tests/github-metadata-invariant.test.ts` now asserts the About carries no SLSA-level-above-2 claim. **1019 → 1020 tests** (+1 source `it()`, positive + NEGATIVE controls); no `src/` change.
|
package/dist/index.d.ts
CHANGED
|
@@ -7,7 +7,7 @@
|
|
|
7
7
|
* + `McpServer({version})`) and `src/tool-registry.ts` (used in the
|
|
8
8
|
* `vault-info` resource payload).
|
|
9
9
|
*/
|
|
10
|
-
export declare const VERSION = "3.9.0-rc.
|
|
10
|
+
export declare const VERSION = "3.9.0-rc.32";
|
|
11
11
|
export { main } from "./cli.js";
|
|
12
12
|
export { buildEmbedText, buildMcpServer, formatReadyBanner, prepareServerDeps, type ServeOptions, type ServerDeps, startServer } from "./server.js";
|
|
13
13
|
export { parsePositiveInt, parseQuantizationMode } from "./tool-registry.js";
|
package/dist/index.js
CHANGED
|
@@ -40,7 +40,7 @@ import { main } from "./cli.js";
|
|
|
40
40
|
* + `McpServer({version})`) and `src/tool-registry.ts` (used in the
|
|
41
41
|
* `vault-info` resource payload).
|
|
42
42
|
*/
|
|
43
|
-
export const VERSION = "3.9.0-rc.
|
|
43
|
+
export const VERSION = "3.9.0-rc.32";
|
|
44
44
|
// Re-exports — preserve the v3.5.x public surface so http-transport.ts and
|
|
45
45
|
// tests don't need to know about the new module layout. The set below
|
|
46
46
|
// exactly matches the v3.5.x `export` declarations: `main`,
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "https://json.schemastore.org/package.json",
|
|
3
3
|
"name": "@oomkapwn/enquire-mcp",
|
|
4
|
-
"version": "3.9.0-rc.
|
|
4
|
+
"version": "3.9.0-rc.32",
|
|
5
5
|
"mcpName": "io.github.oomkapwn/enquire-mcp",
|
|
6
6
|
"description": "MCP server giving AI agents (Claude Code, Claude Desktop, Cursor, ChatGPT, Codex, OpenClaw) persistent long-term memory backed by your local Obsidian markdown vault. Hybrid retrieval (BM25 + ML embeddings + BGE reranker, RRF-fused), HNSW + int8 quantization, agentic RAG (HyDE + sub-question decomposition), GraphRAG-light (Louvain), standalone Obsidian Bases, PDFs + Tesseract OCR. Vendor-neutral memory layer for any MCP-compatible agent. 44 tools, 19 MCP prompts, 1020 tests, signed npm build provenance (SLSA L2), semver-bound, MIT, zero cloud calls during serve.",
|
|
7
7
|
"type": "module",
|