@yawlabs/mcph 0.28.1 → 0.29.0

package/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes to `@yawlabs/mcph` are documented here. This project uses [semantic versioning](https://semver.org) and a CI-gated release flow: pushing a `vX.Y.Z` tag triggers `.github/workflows/release.yml`, which publishes to npm.
 
+## 0.29.0 — 2026-04-18
+
+- **Compliance-aware routing (`MCPH_MIN_COMPLIANCE`)** — Phase 3 item. Set the env var to `A`, `B`, `C`, `D`, or `F` and `mcp_connect_activate` refuses to load any installed server whose reported `complianceGrade` is below the floor, with an error that names the grade and the env var to unset. `mcp_connect_discover` annotates below-grade servers in place (so the model knows they exist and why they won't auto-activate) and emits a "Compliance filter active" header. Forward-compatible schema: the optional `complianceGrade` field on `UpstreamServerConfig` rides the existing `/api/connect/config` response — the feature kicks in automatically once the backend starts populating grades. Ungraded servers always pass (don't punish unknown).
+
 ## 0.28.1 — 2026-04-18
 
 Docs-only release.

package/README.md

@@ -286,6 +286,7 @@ Rotate a credential in one place (the dashboard), every machine picks up the new
 | `MCPH_PRUNE_RESPONSES` | No | Conservative response pruning (redact large file blobs etc. before returning to the client). Set to `0` or `false` to disable. Default: enabled. |
 | `MCPH_DISABLE_PERSISTENCE` | No | Set to `1` or `true` to keep learning + pack-history scoped to the current process — nothing loaded at start, nothing written on shutdown. Intended for ephemeral / shared environments (CI, containers). Default: cross-session persistence enabled at `~/.mcph/state.json`. |
 | `MCPH_AUTO_LOAD` | No | Set to `1` or `true` to pre-activate the top recurring pack (from persisted pack-history) on startup — no LLM round-trip required. Skips silently when history is empty or no pack's namespaces are all installed. Default: off. Requires persistence to be enabled. |
+| `MCPH_MIN_COMPLIANCE` | No | Minimum compliance grade (`A`, `B`, `C`, `D`, or `F`, case-insensitive) an installed server must report before `mcp_connect_activate` will load it. Ungraded servers always pass (don't punish unknown). `discover()` annotates below-grade servers in place and shows a "Compliance filter active" header when set. Invalid values log a warning and disable the filter. Default: unset (no filter). |
 | `MCP_CONNECT_TIMEOUT` | No | Connection timeout in ms for upstream servers (default: `15000`) |
 | `MCP_CONNECT_IDLE_THRESHOLD` | No | Baseline for idle auto-unload (default: `10`). The per-namespace adaptive cap is `[5, 50]` — bursty namespaces extend past the baseline, long-idle ones unload at it. |
 

package/dist/index.js

@@ -946,7 +946,7 @@ function errorMessage(err) {
 }
 
 // src/doctor-cmd.ts
-var VERSION = true ? "0.28.1" : "dev";
+var VERSION = true ? "0.29.0" : "dev";
 async function runDoctor(opts = {}) {
   const lines = [];
   const write = opts.out ?? ((s) => process.stdout.write(s));
@@ -1825,6 +1825,42 @@ function bundleActivateHint(bundle) {
   return `mcp_connect_activate({ namespaces: ${JSON.stringify(bundle.namespaces)} })`;
 }
 
+// src/compliance.ts
+var GRADE_ORDER = {
+  A: 4,
+  B: 3,
+  C: 2,
+  D: 1,
+  F: 0
+};
+function gradeRank(grade) {
+  if (!grade) return -1;
+  const up = grade.toUpperCase();
+  if (up in GRADE_ORDER) return GRADE_ORDER[up];
+  return -1;
+}
+var invalidWarned = false;
+function parseMinCompliance(raw) {
+  if (raw === void 0) return null;
+  const trimmed = raw.trim();
+  if (trimmed === "") return null;
+  const up = trimmed.toUpperCase();
+  if (up === "A" || up === "B" || up === "C" || up === "D" || up === "F") {
+    return up;
+  }
+  if (!invalidWarned) {
+    invalidWarned = true;
+    log("warn", "Invalid MCPH_MIN_COMPLIANCE; filter disabled", { value: raw });
+  }
+  return null;
+}
+function passesMinCompliance(serverGrade, min) {
+  if (min === null) return true;
+  const serverRank = gradeRank(serverGrade);
+  if (serverRank < 0) return true;
+  return serverRank >= gradeRank(min);
+}
+
 // src/cost-estimate.ts
 var BYTES_PER_TOKEN = 4;
 var CACHED_TOOL_SCHEMA_PAD_BYTES = 200;
@@ -2319,7 +2355,7 @@ var META_TOOLS = {
   },
   activate: {
     name: "mcp_connect_activate",
-    description: 'Load one or more installed MCP servers\' tools into the current session by namespace. Each server adds its tools to your context, so load only what the current task needs. When you move on, unload servers you\'re done with via `mcp_connect_deactivate` before loading new ones. Tools are prefixed by namespace (e.g., "gh_create_issue"). Pass "server" for one or "servers" for multiple. Optionally pass `tools: [...]` to expose only those tools by name \u2014 the rest stay proxyable via mcp_connect_dispatch.',
+    description: 'Load one or more installed MCP servers\' tools into the current session by namespace. Each server adds its tools to your context, so load only what the current task needs. When you move on, unload servers you\'re done with via `mcp_connect_deactivate` before loading new ones. Tools are prefixed by namespace (e.g., "gh_create_issue"). Pass "server" for one or "servers" for multiple. Optionally pass `tools: [...]` to expose only those tools by name \u2014 the rest stay proxyable via mcp_connect_dispatch. If `MCPH_MIN_COMPLIANCE` is set, activation refuses servers whose reported grade is below the floor (ungraded servers always pass); the refusal message names the grade and the env var to unset.',
     inputSchema: {
       type: "object",
       properties: {
@@ -3791,7 +3827,7 @@ function categorizeSpawnError(err) {
 }
 async function connectToUpstream(config, onDisconnect, onListChanged) {
   const client = new Client(
-    { name: "mcph", version: true ? "0.28.1" : "dev" },
+    { name: "mcph", version: true ? "0.29.0" : "dev" },
     { capabilities: {} }
   );
   let transport;
@@ -4242,6 +4278,9 @@ function isPersistenceDisabled() {
   if (raw === void 0 || raw === "") return false;
   return raw === "1" || raw.toLowerCase() === "true";
 }
+function resolveMinCompliance() {
+  return parseMinCompliance(process.env.MCPH_MIN_COMPLIANCE);
+}
 function isAutoLoadEnabled() {
   const raw = process.env.MCPH_AUTO_LOAD;
   if (raw === void 0 || raw === "") return false;
@@ -4305,7 +4344,7 @@ var ConnectServer = class _ConnectServer {
     this.apiUrl = apiUrl6;
     this.token = token6;
     this.server = new Server(
-      { name: "mcph", version: true ? "0.28.1" : "dev" },
+      { name: "mcph", version: true ? "0.29.0" : "dev" },
       {
         capabilities: {
           tools: { listChanged: true },
@@ -5100,6 +5139,11 @@ var ConnectServer = class _ConnectServer {
     const lines = [context ? "Servers ranked by relevance:\n" : "Installed MCP servers:\n"];
     if (autoWarmed && sorted.length > 0) {
       lines.push(`Auto-loaded "${sorted[0].namespace}" \u2014 top match for your query.
+`);
+    }
+    const minCompliance = resolveMinCompliance();
+    if (minCompliance !== null) {
+      lines.push(`Compliance filter active: MCPH_MIN_COMPLIANCE=${minCompliance}
 `);
     }
     if (context) {
@@ -5160,7 +5204,17 @@ var ConnectServer = class _ConnectServer {
           costLabel = ` \u2014 ${formatCostLabel(estimateFromToolCache(cached))}`;
         }
       }
-      lines.push(`  ${server.namespace} \u2014 ${server.name} [${status}] (${server.type})${relevance}${costLabel}`);
+      let complianceLabel = "";
+      if (minCompliance !== null && server.complianceGrade) {
+        if (passesMinCompliance(server.complianceGrade, minCompliance)) {
+          complianceLabel = ` [${server.complianceGrade}]`;
+        } else {
+          complianceLabel = ` (grade ${server.complianceGrade} \u2014 below MCPH_MIN_COMPLIANCE=${minCompliance}, won't auto-activate)`;
+        }
+      }
+      lines.push(
+        `  ${server.namespace} \u2014 ${server.name} [${status}] (${server.type})${relevance}${costLabel}${complianceLabel}`
+      );
       const shadow = formatShadowLine(server);
       if (shadow) lines.push(`    ${shadow}`);
       const warning = formatHealthWarning(connection?.health, this.activationFailures.get(server.namespace));
@@ -5418,10 +5472,21 @@ ${activeCount} loaded in this session, ${totalTools} tools in context${tokenSumm
     const results = [];
     let anyChanged = false;
     let anyError = false;
+    const minCompliance = resolveMinCompliance();
     const total = namespaces.length;
     let i = 0;
     for (const namespace of namespaces) {
       i += 1;
+      if (minCompliance !== null) {
+        const cfg = this.config?.servers.find((s) => s.namespace === namespace);
+        if (cfg && !passesMinCompliance(cfg.complianceGrade, minCompliance)) {
+          const grade = cfg.complianceGrade ?? "unknown";
+          const message = `Refused to load "${namespace}": compliance grade ${grade} is below MCPH_MIN_COMPLIANCE=${minCompliance}. Unset MCPH_MIN_COMPLIANCE (or lower it) to override.`;
+          results.push(message);
+          anyError = true;
+          continue;
+        }
+      }
       progress?.(`Loading ${namespace} (${i}/${total})`, i - 1, total);
       const r = await this.activateOne(namespace, progress);
       results.push(r.message);
@@ -6340,7 +6405,7 @@ ${installBlock}
   );
   process.exit(0);
 } else if (subcommand === "--version" || subcommand === "-V") {
-  process.stdout.write(`mcph ${true ? "0.28.1" : "dev"}
+  process.stdout.write(`mcph ${true ? "0.29.0" : "dev"}
 `);
   process.exit(0);
 } else {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/mcph",
-  "version": "0.28.1",
+  "version": "0.29.0",
   "description": "mcp.hosting — one install, all your MCP servers, managed from the cloud",
   "license": "UNLICENSED",
   "author": "Yaw Labs <contact@yaw.sh> (https://yaw.sh)",