@roadmapperai/mcp 0.9.0 → 0.9.1

package/README.md

@@ -126,6 +126,21 @@ This package follows semver. Breaking changes to tool shapes get a
 major-version bump and a deprecation window. Add `--package=@roadmapperai/mcp@0.x.y`
 to your `npx` invocation if you want to pin.
 
+Because the install is version-pinned (the dashboard hands you a config
+pinned to an exact version), the server checks the npm registry at boot
+and logs a one-line nudge to stderr if a newer version is published —
+re-copy the install command from **Settings → MCP** to upgrade. Disable
+the check with `ROADMAPPER_DISABLE_UPDATE_CHECK=1`.
+
+### Recent changes
+
+- **0.9.1** — the server now self-reports its real version (was a stale
+  hardcoded string in `serverInfo` and audit logs) and warns at boot
+  when a newer package is published.
+- **0.9.0** — entity reads on the customer path now route through the
+  broker, fixing an empty roadmap for every customer; new triage + gap
+  tools; light-by-default reads.
+
 ## Support
 
 - Bugs / feature requests: contact@roadmapperai.com

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@roadmapperai/mcp",
-  "version": "0.9.0",
+  "version": "0.9.1",
   "description": "Roadmapper AI MCP server — exposes a planning surface (themes, capabilities, tasks, sprints, PRs) to coding agents via stdio JSON-RPC. Pairs with the Roadmapper AI workspace at dashboard.roadmapperai.com.",
   "keywords": [
     "mcp",

package/server.mjs

@@ -95,7 +95,22 @@ const REPO_AGENTS_PATH = join(REPO, "AGENTS.md");
 
 const PROTOCOL_VERSION = "2024-11-05";
 const SERVER_NAME = "roadmapper";
-const SERVER_VERSION = "0.6.0";
+// Read the real version from the bundled package.json (it's in the npm
+// `files` allow-list) so SERVER_VERSION never drifts from the published
+// package. A hardcoded constant rotted to "0.6.0" while the package was
+// at 0.9.0 — which silently mis-stamped every audit-log row's
+// server_version. scripts/check-mcp-version.mjs guards the dashboard's
+// LATEST_MCP_VERSION against package.json; this closes the same gap on
+// the server side. Falls back to "0.0.0" only if the file is somehow
+// unreadable (never expected in a real install).
+const SERVER_VERSION = (() => {
+  try {
+    const pkg = JSON.parse(readFileSync(join(HERE, "package.json"), "utf-8"));
+    return typeof pkg.version === "string" ? pkg.version : "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+})();
 
 // Must match src/types.ts EFFORT_DAYS — AI-era calibration.
 // Fractional values (XS=0.25, S=0.5) get rounded up when used to
@@ -110,6 +125,69 @@ function log(...args) {
   console.error("[roadmapper-mcp]", ...args);
 }
 
+/**
+ * Compare two semver-ish strings ("1.2.3"). Returns 1 if a>b, -1 if
+ * a<b, 0 if equal. Compares the numeric major.minor.patch only — any
+ * prerelease/build suffix is ignored, which is fine for "is there a
+ * newer published release?" The probe below tolerates a 0 or negative
+ * result by staying silent, so an unexpected suffix never produces a
+ * false "upgrade available" nag.
+ */
+function compareVersions(a, b) {
+  const pa = String(a).split(".").map((n) => parseInt(n, 10) || 0);
+  const pb = String(b).split(".").map((n) => parseInt(n, 10) || 0);
+  for (let i = 0; i < 3; i++) {
+    const da = pa[i] ?? 0;
+    const db = pb[i] ?? 0;
+    if (da > db) return 1;
+    if (da < db) return -1;
+  }
+  return 0;
+}
+
+/**
+ * Best-effort startup staleness check. Fetches the `latest` dist-tag
+ * for @roadmapperai/mcp from the npm registry and, if the running
+ * version is behind, logs a one-line nudge to stderr. Entirely
+ * advisory — the server is pinned to a specific version in the
+ * client's MCP config (see the dashboard install snippets), so there
+ * is no auto-update; the user upgrades by re-copying the install
+ * command from Settings → MCP. This is the only signal a stranded,
+ * outdated install ever gets, so failures must stay silent (a flaky
+ * network or offline install must never spam the log or delay boot).
+ * Disable entirely with ROADMAPPER_DISABLE_UPDATE_CHECK=1.
+ */
+async function checkForUpdate() {
+  if (process.env.ROADMAPPER_DISABLE_UPDATE_CHECK === "1") return;
+  if (SERVER_VERSION === "0.0.0") return; // version unreadable; nothing to compare
+  try {
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), 2500);
+    let latest;
+    try {
+      const res = await fetch(
+        "https://registry.npmjs.org/@roadmapperai/mcp/latest",
+        { headers: { Accept: "application/json" }, signal: ctrl.signal }
+      );
+      if (!res.ok) return;
+      const body = await res.json();
+      latest = body && typeof body.version === "string" ? body.version : null;
+    } finally {
+      clearTimeout(timer);
+    }
+    if (!latest) return;
+    if (compareVersions(latest, SERVER_VERSION) > 0) {
+      log(
+        `update available: v${SERVER_VERSION} installed, v${latest} published. ` +
+          `This install is pinned — re-copy the install command from ` +
+          `Settings → MCP in the Roadmapper dashboard to upgrade.`
+      );
+    }
+  } catch {
+    // Offline, blocked, slow, or aborted — stay silent by design.
+  }
+}
+
 function send(message) {
   process.stdout.write(JSON.stringify(message) + "\n");
 }
@@ -5976,4 +6054,8 @@ if (process.argv.includes("--selftest")) {
     const snapTail = snap ? `, snapshot-workspace=${snap}` : "";
     log(`ready (mode=${mode}${tail}${snapTail})`);
   })();
+
+  // Advisory: nudge the operator if a newer package is published. Runs
+  // detached from boot — never blocks startup, never throws.
+  checkForUpdate();
 }