npm - @socialneuron/mcp-server - Versions diffs - 1.3.1 → 1.4.0 - Mend

@socialneuron/mcp-server 1.3.1 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,22 @@
 All notable changes to `@socialneuron/mcp-server` will be documented in this file.
+## [1.4.0] - 2026-03-13
+### Changed
+- **Telemetry is now opt-IN**: No data is sent unless `SOCIALNEURON_TELEMETRY=1` is explicitly set. Previously telemetry was opt-out.
+- **PostHog moved to optionalDependencies**: `posthog-node` is no longer a required runtime dependency. The package works fully without it installed. This reduces supply chain surface and resolves socket.dev security flags.
+- **Dynamic import**: PostHog is loaded via `import()` at runtime, silently skipped if unavailable.
+- `DO_NOT_TRACK=1` continues to override and disable telemetry in all cases.
+## [1.3.2] - 2026-03-13
+### Fixed
+- **TypeScript strict mode**: Added `@types/express`, fixed `AuthenticatedRequest` type to extend express `Request`, corrected `StreamableHTTPServerTransport` constructor usage
+- **Optional dependency stubs**: Added ambient declarations for `playwright`, `@remotion/bundler`, `@remotion/renderer` (dynamically imported, not required at runtime)
+- **Removed unused directive**: Cleaned up stale `@ts-expect-error` in REPL module
+- **Release CI**: Typecheck now passes in GitHub Actions release workflow
 ## [1.3.1] - 2026-03-13
 ### Fixed

package/README.md CHANGED Viewed

@@ -250,17 +250,26 @@ Each iteration produces smarter content as performance data feeds back into the
 - SSRF protection on all URL parameters with DNS rebinding prevention
 - Rate limiting per user with per-tool limits for expensive operations
 - Agent loop detection prevents runaway automation
-- Set `DO_NOT_TRACK=1` to disable anonymous usage telemetry
+- Telemetry is off by default — opt in with `SOCIALNEURON_TELEMETRY=1`
 See [SECURITY.md](./SECURITY.md) for our vulnerability disclosure policy and credential safety details.
 ## Telemetry
-This package collects anonymous usage metrics (tool name, duration, success/failure) to improve the product. Your user ID is hashed before transmission.
+Telemetry is **off by default**. No data is collected unless you explicitly opt in.
-**To disable**: Set `DO_NOT_TRACK=1` or `SOCIALNEURON_NO_TELEMETRY=1` in your environment.
+**To enable**: Set `SOCIALNEURON_TELEMETRY=1` in your environment.
-No personal content, API keys, or request payloads are ever collected.
+**To disable**: `DO_NOT_TRACK=1` or `SOCIALNEURON_NO_TELEMETRY=1` always disables telemetry, even if `SOCIALNEURON_TELEMETRY=1` is set.
+When enabled, the following anonymous metrics are collected via PostHog:
+- Tool name invoked
+- Success or failure status
+- Invocation duration (ms)
+No personal content, API keys, or request payloads are ever collected. Your user ID is hashed (SHA-256) before transmission.
+`posthog-node` is an optional dependency — if it is not installed, telemetry is a silent no-op regardless of environment variables.
 ## Examples

package/dist/http.js CHANGED Viewed

@@ -10,16 +10,24 @@ var __export = (target, all) => {
 // src/lib/posthog.ts
 import { createHash } from "node:crypto";
-import { PostHog } from "posthog-node";
 function hashUserId(userId) {
   return createHash("sha256").update(`${POSTHOG_SALT}:${userId}`).digest("hex").substring(0, 32);
 }
+function isTelemetryOptedIn() {
+  if (process.env.DO_NOT_TRACK === "1" || process.env.DO_NOT_TRACK === "true" || process.env.SOCIALNEURON_NO_TELEMETRY === "1") {
+    return false;
+  }
+  return process.env.SOCIALNEURON_TELEMETRY === "1";
+}
 function initPostHog() {
-  if (isTelemetryDisabled()) return;
+  if (!isTelemetryOptedIn()) return;
   const key = process.env.POSTHOG_KEY || process.env.VITE_POSTHOG_KEY;
   const host = process.env.POSTHOG_HOST || process.env.VITE_POSTHOG_HOST || "https://eu.i.posthog.com";
   if (!key) return;
-  client = new PostHog(key, { host, flushAt: 5, flushInterval: 1e4 });
+  import("posthog-node").then(({ PostHog }) => {
+    client = new PostHog(key, { host, flushAt: 5, flushInterval: 1e4 });
+  }).catch(() => {
+  });
 }
 async function captureToolEvent(args) {
   if (!client) return;
@@ -6215,7 +6223,7 @@ init_supabase();
 import { z as z14 } from "zod";
 // src/lib/version.ts
-var MCP_VERSION = "1.3.1";
+var MCP_VERSION = "1.4.0";
 // src/tools/usage.ts
 function asEnvelope10(data) {
@@ -8613,7 +8621,15 @@ app.post("/mcp", authenticateRequest, async (req, res) => {
     applyScopeEnforcement(server, () => getRequestScopes() ?? auth.scopes);
     registerAllTools(server, { skipScreenshots: true });
     const transport = new StreamableHTTPServerTransport({
-      sessionIdGenerator: () => randomUUID3()
+      sessionIdGenerator: () => randomUUID3(),
+      onsessioninitialized: (sessionId) => {
+        sessions.set(sessionId, {
+          transport,
+          server,
+          lastActivity: Date.now(),
+          userId: auth.userId
+        });
+      }
     });
     transport.onclose = () => {
       if (transport.sessionId) {
@@ -8621,16 +8637,6 @@ app.post("/mcp", authenticateRequest, async (req, res) => {
       }
     };
     await server.connect(transport);
-    const originalOnSessionInit = transport.onsessioninitialized;
-    transport.onsessioninitialized = async (sessionId) => {
-      if (originalOnSessionInit) await originalOnSessionInit(sessionId);
-      sessions.set(sessionId, {
-        transport,
-        server,
-        lastActivity: Date.now(),
-        userId: auth.userId
-      });
-    };
     await requestContext.run(
       { userId: auth.userId, scopes: auth.scopes, creditsUsed: 0, assetsGenerated: 0 },
       () => transport.handleRequest(req, res, req.body)

package/dist/index.js CHANGED Viewed

@@ -14,22 +14,30 @@ var MCP_VERSION;
 var init_version = __esm({
   "src/lib/version.ts"() {
     "use strict";
-    MCP_VERSION = "1.3.1";
+    MCP_VERSION = "1.4.0";
   }
 });
 // src/lib/posthog.ts
 import { createHash } from "node:crypto";
-import { PostHog } from "posthog-node";
 function hashUserId(userId) {
   return createHash("sha256").update(`${POSTHOG_SALT}:${userId}`).digest("hex").substring(0, 32);
 }
+function isTelemetryOptedIn() {
+  if (process.env.DO_NOT_TRACK === "1" || process.env.DO_NOT_TRACK === "true" || process.env.SOCIALNEURON_NO_TELEMETRY === "1") {
+    return false;
+  }
+  return process.env.SOCIALNEURON_TELEMETRY === "1";
+}
 function initPostHog() {
-  if (isTelemetryDisabled()) return;
+  if (!isTelemetryOptedIn()) return;
   const key = process.env.POSTHOG_KEY || process.env.VITE_POSTHOG_KEY;
   const host = process.env.POSTHOG_HOST || process.env.VITE_POSTHOG_HOST || "https://eu.i.posthog.com";
   if (!key) return;
-  client = new PostHog(key, { host, flushAt: 5, flushInterval: 1e4 });
+  import("posthog-node").then(({ PostHog }) => {
+    client = new PostHog(key, { host, flushAt: 5, flushInterval: 1e4 });
+  }).catch(() => {
+  });
 }
 async function captureToolEvent(args) {
   if (!client) return;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@socialneuron/mcp-server",
-  "version": "1.3.1",
+  "version": "1.4.0",
   "description": "MCP server for Social Neuron - AI content creation platform",
   "type": "module",
   "main": "dist/index.js",
@@ -65,10 +65,13 @@
     "express": "^5.1.0",
     "jose": "^6.2.1",
     "open": "10.0.0",
-    "posthog-node": "^5.28.0",
     "zod": "^4.0.0"
   },
+  "optionalDependencies": {
+    "posthog-node": "^5.28.0"
+  },
   "devDependencies": {
+    "@types/express": "^5.0.6",
     "@types/node": "^25.3.5",
     "esbuild": "^0.27.3",
     "typescript": "^5.9.3",