freshcontext-mcp 0.3.19 → 0.3.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (75) hide show
  1. package/FRESHCONTEXT_SPEC.md +317 -0
  2. package/METHODOLOGY.md +381 -0
  3. package/README.md +55 -5
  4. package/SECURITY.md +9 -7
  5. package/dist/adapters/arxiv.d.ts +15 -0
  6. package/dist/adapters/arxiv.js +3 -2
  7. package/dist/adapters/changelog.d.ts +2 -0
  8. package/dist/adapters/changelog.js +4 -2
  9. package/dist/adapters/finance.d.ts +2 -0
  10. package/dist/adapters/finance.js +1 -1
  11. package/dist/adapters/gdelt.d.ts +2 -0
  12. package/dist/adapters/gdelt.js +1 -1
  13. package/dist/adapters/gebiz.d.ts +2 -0
  14. package/dist/adapters/gebiz.js +1 -1
  15. package/dist/adapters/github.d.ts +2 -0
  16. package/dist/adapters/govcontracts.d.ts +2 -0
  17. package/dist/adapters/hackernews.d.ts +2 -0
  18. package/dist/adapters/jobs.d.ts +2 -0
  19. package/dist/adapters/jobs.js +6 -6
  20. package/dist/adapters/packageTrends.d.ts +2 -0
  21. package/dist/adapters/productHunt.d.ts +2 -0
  22. package/dist/adapters/reddit.d.ts +8 -0
  23. package/dist/adapters/reddit.js +12 -5
  24. package/dist/adapters/registry.d.ts +19 -0
  25. package/dist/adapters/repoSearch.d.ts +2 -0
  26. package/dist/adapters/repoSearch.js +1 -1
  27. package/dist/adapters/scholar.d.ts +2 -0
  28. package/dist/adapters/secFilings.d.ts +2 -0
  29. package/dist/adapters/secFilings.js +1 -1
  30. package/dist/adapters/yc.d.ts +2 -0
  31. package/dist/core/decay.d.ts +5 -0
  32. package/dist/core/decision.d.ts +3 -0
  33. package/dist/core/decision.js +1 -3
  34. package/dist/core/envelope.d.ts +5 -0
  35. package/dist/core/envelope.js +9 -1
  36. package/dist/core/explain.d.ts +12 -0
  37. package/dist/core/guards.d.ts +1 -0
  38. package/dist/core/index.d.ts +14 -0
  39. package/dist/core/index.js +2 -0
  40. package/dist/core/pipeline.d.ts +3 -0
  41. package/dist/core/pipeline.js +8 -0
  42. package/dist/core/provenance.d.ts +5 -0
  43. package/dist/core/provenanceReadiness.d.ts +2 -0
  44. package/dist/core/provenanceReadiness.js +220 -0
  45. package/dist/core/rank.d.ts +4 -0
  46. package/dist/core/readable.d.ts +2 -0
  47. package/dist/core/readable.js +75 -0
  48. package/dist/core/signal.d.ts +3 -0
  49. package/dist/core/sourceProfiles.d.ts +4 -0
  50. package/dist/core/types.d.ts +239 -0
  51. package/dist/core/utility.d.ts +2 -0
  52. package/dist/rest/handler.d.ts +1 -0
  53. package/dist/security.d.ts +15 -0
  54. package/dist/security.js +3 -1
  55. package/dist/server.d.ts +2 -0
  56. package/dist/server.js +2 -2
  57. package/dist/tools/evaluateContext.d.ts +21 -0
  58. package/dist/tools/evaluateContext.js +22 -1
  59. package/dist/tools/freshnessStamp.d.ts +1 -0
  60. package/dist/types.d.ts +1 -0
  61. package/docs/API_DESIGN.md +28 -1
  62. package/docs/CLIENT_SETUP.md +166 -0
  63. package/docs/CODEX_MCP_USAGE.md +4 -4
  64. package/docs/CORE_API.md +69 -5
  65. package/docs/CORE_MCP_BOUNDARY.md +13 -4
  66. package/docs/FUTURE_LANES.md +26 -3
  67. package/docs/HA_PRI_V2_DESIGN.md +7 -1
  68. package/docs/HA_PRI_V2_PRODUCTION_ENFORCEMENT_PLAN.md +414 -0
  69. package/docs/HUMAN_READABLE_OUTPUT_CONTRACT.md +293 -0
  70. package/docs/RELEASE_INTEGRITY.md +1 -1
  71. package/docs/RELEASE_NOTES.md +33 -5
  72. package/docs/SIGNAL_CONTRACT.md +200 -2
  73. package/package-script-guard.mjs +59 -3
  74. package/package.json +33 -13
  75. package/server.json +2 -2
package/METHODOLOGY.md ADDED
@@ -0,0 +1,381 @@
1
+ # FreshContext Data Intelligence Methodology
2
+ **Version 1.2 — May 2026**
3
+ *Authored by Immanuel Gabriel (Prince Gabriel) — Grootfontein, Namibia*
4
+
5
+ ---
6
+
7
+ ## What This Document Is
8
+
9
+ This document formally describes the data collection, scoring, ranking, storage, and provenance methodology underlying FreshContext.
10
+
11
+ It exists for four audiences:
12
+
13
+ 1. **Technical integrators** — teams embedding FreshContext into their agent infrastructure who need to understand what the data represents and how it is scored.
14
+ 2. **Agent/retrieval system builders** — teams designing retrieval pipelines that need temporal relevance instead of undated context.
15
+ 3. **Auditors and reviewers** — people verifying that timestamped AI context is represented honestly and reproducibly.
16
+ 4. **Future licensing or platform partners** — entities evaluating FreshContext as infrastructure, who need to audit the methodology that makes the data defensible.
17
+
18
+ ---
19
+
20
+ ## Section 1: Core Methodology and Source Collection
21
+
22
+ ### 1.1 Architecture
23
+
24
+ FreshContext Core methodology describes the signal contract and temporal scoring primitives that can be used by MCP servers, APIs, CLIs, dashboards, agents, or internal retrieval systems.
25
+
26
+ The Core methodology covers:
27
+
28
+ - **Signal schema** — source, content, timestamps, confidence, adapter identity
29
+ - **Source/provenance** — where the observation came from and how it was retrieved
30
+ - **Published/content date** — when the source claims the content became true or available
31
+ - **Retrieved timestamp** — when FreshContext observed the content
32
+ - **Confidence** — how reliable the timestamp extraction is
33
+ - **Decay-Adjusted Relevancy (DAR)** — temporal utility after source-specific decay
34
+ - **Failure honesty** — failed adapters must not be promoted as fresh successful context
35
+ - **Ranking/explain primitives** — fields that let agents and systems explain why a signal ranked where it did
36
+
37
+ FreshContext also supports a Store/Ledger methodology for systems that persist recurring signals over time. The production Worker implementation uses Cloudflare runtime pieces for MCP transport, KV cache policy, rate limiting, D1 persistence, feeds, cron collection, and deployment concerns. Those runtime concerns are implementation layers, not requirements for every FreshContext-compatible system.
38
+
39
+ ### 1.2 Store / Ledger Collection Layer
40
+
41
+ The Store/Ledger methodology describes a continuous data collection pipeline that can run on Cloudflare's global edge infrastructure. A deployment may execute scheduled collection via cron and query watched definitions stored in D1 or another durable store.
42
+
43
+ Each watched query specifies:
44
+ - **Adapter** — the data source to query (e.g., `hackernews`, `jobs`, `reposearch`)
45
+ - **Query** — the search term or URL
46
+ - **User ID** — the profile this query serves
47
+ - **Filters** — optional parameters (location, exclusion terms, etc.)
48
+
49
+ This D1 cron ledger is one implementation layer and future Store direction. It is not required for every FreshContext-compatible envelope implementation.
50
+
51
+ ### 1.3 Example Adapter / Source Classes
52
+
53
+ FreshContext currently has:
54
+
55
+ - A reference MCP implementation with `evaluate_context` and 21 read-only reference adapters
56
+ - Separate feed products such as Fresh HN Feed and Fresh Jobs Feed
57
+ - A Store/Ledger methodology for systems that collect recurring signals over time
58
+
59
+ The following table describes example source classes used by FreshContext implementations. Not every source class is necessarily collected by every cron/feed deployment.
60
+
61
+ | Adapter class | Source | Auth Required | Typical Update Frequency |
62
+ |---|---|---|---|
63
+ | `hackernews` | Hacker News Algolia API | None | Real-time |
64
+ | `jobs` | Remotive API | None | Continuous |
65
+ | `reposearch` | GitHub Search API | Optional (rate limit) | Real-time |
66
+ | `github` | GitHub Repository API | Optional | Real-time |
67
+ | `reddit` | Reddit JSON API | None | Real-time |
68
+ | `yc` | YC Open Source API | None | Per batch cycle |
69
+ | `packagetrends` | npm Registry + npm Downloads API | None | Per publish |
70
+ | `finance` | Stooq quote API | None | Market hours / quote feed cadence |
71
+ | `producthunt` | Product Hunt launch data | Token when API-backed | Launch cadence |
72
+ | `changelog` | GitHub Releases / npm package metadata | Optional | Per release |
73
+ | `arxiv` / `scholar` | Academic sources | None | Publication cadence |
74
+ | `gdelt` | GDELT global news | None | 15-minute feed cadence |
75
+ | `govcontracts` / `gebiz` | Government procurement datasets | None | Dataset cadence |
76
+ | `sec_filings` | SEC EDGAR filings | None | Filing cadence |
77
+
78
+ FreshContext adapters operate on publicly accessible or publicly documented data sources. Most reference adapters require no credentials. Some APIs may optionally use tokens for rate limits or official API access, but FreshContext-compatible adapters should not require private user data unless explicitly documented by the implementation. All fetch requests include a `User-Agent` header identifying the FreshContext crawler where the runtime/source supports it.
79
+
80
+ ### 1.4 Content Hash Deduplication
81
+
82
+ Before any signal is stored, the platform computes a 32-bit rolling hash of the raw content. If the most recent stored result for a given watched query carries an identical hash, the current result is discarded. This prevents storing unchanged content across cron cycles.
83
+
84
+ ### 1.5 Semantic Deduplication
85
+
86
+ Beyond exact-match deduplication, FreshContext implements semantic deduplication to prevent the same underlying story appearing as multiple signals because it was covered by multiple sources (e.g., the same GitHub release appearing in both HN and Reddit).
87
+
88
+ The semantic fingerprint is computed as follows:
89
+
90
+ 1. Extract the first canonical URL from the raw content
91
+ 2. Extract the first ISO 8601 publication date from the raw content
92
+ 3. Extract and normalise the first substantive line (title) — lowercased, punctuation stripped, truncated to 80 characters
93
+ 4. Concatenate: `normalised_title|canonical_url|publication_date`
94
+ 5. Compute SHA-256 of the concatenated string
95
+ 6. Retain the first 16 hex characters as the fingerprint
96
+
97
+ If any signal stored within the preceding 48 hours carries an identical fingerprint, the new result is discarded. The 48-hour window is configurable.
98
+
99
+ ---
100
+
101
+ ## Section 2: Temporal Scoring — The DAR Engine
102
+
103
+ ### 2.1 Overview
104
+
105
+ The Decay-Adjusted Relevancy (DAR) engine scores every collected signal on two axes:
106
+
107
+ - **R_0 (Base Score)** — semantic relevancy of the content against the user's profile, independent of time
108
+ - **R_t (Decay-Adjusted Score)** — R_0 adjusted for how much time has elapsed since the content was published
109
+
110
+ The final stored `rt_score` is what drives signal ranking in briefings and the intelligence feed.
111
+
112
+ FreshContext measures temporal utility, not truth. A source can be valid and still have low utility for the current query if it is stale. A source can be fresh but low-confidence if its timestamp is missing, malformed, inferred, or contradicted.
113
+
114
+ ### 2.2 Base Score Calculation (R_0)
115
+
116
+ R_0 is the starting relevance or utility before temporal decay. In the Store/Feed implementation, R_0 is computed by matching content against the user profile:
117
+
118
+ ```
119
+ R_0 = baseline (40)
120
+ + vital_keyword_matches × 15 [capped at +35]
121
+ + skill_keyword_matches × 3 [capped at +15]
122
+ + location_accessibility_bonus [+8 if remote/accessible]
123
+ - error_penalty [−40 if content is empty/error]
124
+ ```
125
+
126
+ Vital keywords are drawn from the `targets` field of the user profile — job titles, company names, and technology domains the user is specifically tracking.
127
+
128
+ Skill keywords are drawn from the `skills` field — the user's technical competencies. A match here adds relevancy signal but at lower weight than a direct target match.
129
+
130
+ The location accessibility bonus is applied when the content explicitly mentions "remote", "worldwide", "anywhere", or the user's stated location. This is not a geographic filter — it is a signal boost for content that is accessible to the user regardless of their physical location.
131
+
132
+ **Hard exclusions:** If any term from the `exclusion_terms` list appears in the content, R_0 is forced to zero. The result is still stored (for audit purposes) but marked `is_relevant = 0`.
133
+
134
+ This profile formula is a Store/Feed implementation example, not the only possible way to produce base relevance. For Core/MCP envelope scoring, R_0 may be normalised to 100. For feed/ranking systems, R_0 may come from semantic relevance, profile relevance, adapter-specific relevance, or another documented scoring layer.
135
+
136
+ ### 2.3 Context-Conditioned Utility
137
+
138
+ FreshContext scoring is context-conditioned. The same signal can have different utility depending on the user, query, agent, platform, or workflow requesting it.
139
+
140
+ In the Store/Feed implementation, this context is represented by `R_0`, the base relevance or utility score before temporal decay. `R_0` may be computed from profile targets, query terms, semantic relevance, adapter-specific relevance, or another documented scoring layer.
141
+
142
+ The DAR function then applies temporal pressure:
143
+
144
+ ```
145
+ R_t = R_0 · e^(-λt)
146
+ ```
147
+
148
+ This means FreshContext does not treat freshness as a standalone ranking signal. A fresh but irrelevant signal should not outrank an older but highly relevant signal unless the source policy and use case justify it.
149
+
150
+ FreshContext Core exposes a pure context utility primitive for this direction:
151
+
152
+ ```
153
+ U(q, s, t) = R(q, s) · e^(-λt) · C_date · C_status
154
+ ```
155
+
156
+ Where:
157
+ - `q` is the requester context: user, query, agent, platform, or workflow
158
+ - `s` is the signal or database record
159
+ - `R(q, s)` is contextual relevance between the request and the signal
160
+ - `λ` is the source-specific decay constant
161
+ - `t` is signal age
162
+ - `C_date` is a timestamp-confidence factor
163
+ - `C_status` is a failure/partial/success factor
164
+
165
+ This is an extension of the DAR methodology, not a replacement for it. The purpose is to support systems where FreshContext runs over databases, feeds, retrieved documents, or agent memory and ranks information by both relevance and temporal utility. It does not imply vector search, multi-agent orchestration, or a hosted context store.
166
+
167
+ ### 2.4 Decay Function (R_t)
168
+
169
+ ```
170
+ R_t = R_0 · e^(-λt)
171
+ ```
172
+
173
+ Where:
174
+ - `λ` = source-specific decay constant (per hour)
175
+ - `t` = hours elapsed since `published_at` / `content_date`
176
+ - `R_t` = current temporal utility score
177
+
178
+ If `published_at` / `content_date` cannot be extracted, the system must not pretend the signal is fresh. Core-compatible envelope scoring SHOULD use `freshness_score: null` and low confidence. Store/feed systems MAY apply a conservative fallback assumption, such as one source half-life, but must mark confidence low and explain the assumption.
179
+
180
+ ### 2.5 Source Decay Constants (λ)
181
+
182
+ These constants are reference/default calibration values for how quickly signals from each source class lose temporal utility:
183
+
184
+ | Source | λ (per hour) | Half-life |
185
+ |---|---|---|
186
+ | Hacker News | 0.050 | ~14 hours |
187
+ | Reddit | 0.010 | ~3 days |
188
+ | Product Hunt | 0.010 | ~3 days |
189
+ | Job listings | 0.005 | ~6 days |
190
+ | Financial data | 0.001 | ~29 days |
191
+ | YC companies | 0.001 | ~29 days |
192
+ | Package trends | 0.0005 | ~58 days |
193
+ | GitHub repositories | 0.0002 | ~5 months |
194
+ | Academic papers | 0.00005 | ~1.6 years |
195
+
196
+ These constants are reference defaults used by the FreshContext methodology and may be tuned by implementation. Hosted or private deployments may use calibrated variants per source, query type, or user profile. The calibration process and production tuning may be proprietary, even when public reference defaults are documented.
197
+
198
+ ### 2.6 Entropy Classification
199
+
200
+ Each signal is classified into one of three entropy states based on its position on the decay curve:
201
+
202
+ | State | Condition | Interpretation |
203
+ |---|---|---|
204
+ | `low` | `t < half_life / 2` | Signal near peak value — act now |
205
+ | `stable` | `t < 1.5 × half_life` | Usable signal — monitor |
206
+ | `high` | `t ≥ 1.5 × half_life` | Significantly degraded — verify before acting |
207
+
208
+ Entropy labels describe signal decay state, not confidence level. A high-entropy signal may still be factually accurate, but it has lost temporal utility for current retrieval unless reinforced by newer evidence.
209
+
210
+ ### 2.7 Relevancy Threshold
211
+
212
+ Signals with `rt_score < 35` are stored with `is_relevant = 0`. They remain in the database for audit and historical analysis but are excluded from briefings and the intelligence feed by default. The threshold is configurable per profile.
213
+
214
+ ### 2.8 Failure Honesty
215
+
216
+ Failed adapters must not be promoted by freshness scoring. Empty, blocked, timeout, malformed, rate-limited, access-denied, or error-only outputs reduce R_0 or mark the signal status as failed/unknown.
217
+
218
+ A failed result should not receive high confidence. A failed result should not produce `Score: 100/100`. Partial composites should preserve successful upstream results while marking failures explicitly.
219
+
220
+ ---
221
+
222
+ ## Section 3: FreshContext Store / Ledger Methodology
223
+
224
+ ### 3.1 The Ha-Pri Audit Signature
225
+
226
+ Every signal stored in a FreshContext Store/Ledger deployment carries a `ha_pri_sig` — a SHA-256 audit signature computed as:
227
+
228
+ ```
229
+ SHA-256( result_id + ":" + content_hash + ":" + "FRESHCONTEXT_DAR_V1" )
230
+ ```
231
+
232
+ In Ha-Pri v1, this signature is a provenance stamp and audit reference for stored signals. It binds the result ID, the current content hash, and the engine version. It is not yet a full tamper-enforcement system: the current `content_hash` source is the existing rolling `result_hash`, and signatures are not recomputed on read to reject modified rows.
233
+
234
+ Ha-Pri v1 serves three purposes:
235
+
236
+ 1. **Provenance reference** — the signature binds the result ID, current rolling content hash, and engine/version marker so the stored signal can be audited against the v1 formula.
237
+ 2. **Scoring lineage** — the signature records the scoring/signature formula used when the row was written.
238
+ 3. **Licensing / audit reference** — when FreshContext data is provided to a third party under licence, the `ha_pri_sig` column gives a stable reference for what was stored and delivered.
239
+
240
+ Ha-Pri v1 is not hard tamper enforcement. It is not recomputed on read, it signs the existing rolling result_hash (`result_hash`) rather than canonical content SHA-256, and it does not reject rows. Ha-Pri v2 is the planned/additive path for stronger verification.
241
+
242
+ Future Ha-Pri v2 may add canonical content SHA-256, stronger canonicalization, and explicit verification/rejection on read. That hardening is separate from the current v1 provenance stamp.
243
+
244
+ Ha-Pri v1 is the provenance layer and the foundation for a stronger integrity layer, while DAR and context-conditioned utility are the ranking/scoring layer.
245
+
246
+ ### 3.2 D1 Historical Ledger
247
+
248
+ The `scrape_results` table functions as a **Contextual Ledger** — not merely a cache, but a time-series record of intelligence signals with full provenance.
249
+
250
+ This Store/Ledger methodology is not required for basic FreshContext-compatible envelope implementations. It is the methodology for systems that persist recurring signals and want auditability over time.
251
+
252
+ Key properties of the ledger:
253
+ - Scored signal material is treated as immutable once written; consumption metadata such as `is_new` may be updated
254
+ - Every row carries a `scraped_at` timestamp with second precision
255
+ - Every row carries a `published_at` date extracted from content (where available)
256
+ - The ledger accumulates continuously at 6-hour intervals regardless of active user sessions
257
+ - The ledger enables time-travel queries: "what was the intelligence landscape for topic X at date Y?"
258
+
259
+ ### 3.3 Schema Reference
260
+
261
+ ```sql
262
+ scrape_results (
263
+ id TEXT PRIMARY KEY, -- sr_{timestamp}_{random}
264
+ watched_query_id TEXT, -- FK → watched_queries.id
265
+ adapter TEXT, -- source adapter name
266
+ query TEXT, -- the search term used
267
+ raw_content TEXT, -- scraped content (max 8000 chars)
268
+ result_hash TEXT, -- 32-bit rolling hash of raw_content
269
+ semantic_fingerprint TEXT, -- 16-char SHA-256 of normalised title|url|date
270
+ is_new INTEGER, -- 1 until consumed by briefing
271
+ scraped_at TEXT, -- ISO 8601 UTC timestamp
272
+ published_at TEXT, -- extracted content publication date
273
+ relevancy_score INTEGER, -- = round(rt_score), 0-100
274
+ is_relevant INTEGER, -- 1 if rt_score >= 35, else 0
275
+ base_score INTEGER, -- R_0 semantic score, 0-100
276
+ rt_score REAL, -- R_t decay-adjusted score, 0-100
277
+ ha_pri_sig TEXT, -- SHA-256 audit signature (64 hex chars)
278
+ entropy_level TEXT -- 'low' | 'stable' | 'high'
279
+ )
280
+ ```
281
+
282
+ ---
283
+
284
+ ## Section 4: The Intelligence Feed
285
+
286
+ ### 4.1 Endpoint
287
+
288
+ ```
289
+ GET /v1/intel/feed/{profile_id}
290
+ ```
291
+
292
+ Optional parameters:
293
+ - `limit` — maximum signals to return (default: 20)
294
+ - `min_rt` — minimum rt_score filter (default: 0)
295
+
296
+ ### 4.2 Response Structure
297
+
298
+ ```json
299
+ {
300
+ "feed_metadata": {
301
+ "profile_id": "default",
302
+ "generated_at": "2026-04-14T09:00:00Z",
303
+ "signal_count": 18,
304
+ "version": "freshcontext-1.2"
305
+ },
306
+ "signals": [
307
+ {
308
+ "signal_id": "sr_1744628412_a3f7b",
309
+ "source": "hackernews",
310
+ "label": "HN: MCP Servers",
311
+ "content": {
312
+ "preview": "...",
313
+ "url": "mcp server 2026"
314
+ },
315
+ "intelligence_stamps": {
316
+ "scraped_at": "2026-04-14T08:12:00Z",
317
+ "published_at": "2026-04-14",
318
+ "base_score": 78,
319
+ "rt_score": 61.4,
320
+ "entropy_level": "stable",
321
+ "ha_pri_sig": "a3f7b2c1d4e5f6a7b8c9d0e1f2a3b4c5..."
322
+ }
323
+ }
324
+ ]
325
+ }
326
+ ```
327
+
328
+ ### 4.3 LLM Integration
329
+
330
+ The intelligence feed is designed to be consumed directly by any language model or AI agent without modification. The `intelligence_stamps` block gives the agent everything it needs to reason about data freshness:
331
+
332
+ - `rt_score` — a single number representing current signal value
333
+ - `entropy_level` — human-readable decay state
334
+ - `published_at` — the actual content date (not the retrieval date)
335
+ - `ha_pri_sig` — provenance reference the agent can cite
336
+
337
+ This is the core value proposition: **AI agents get grounded, timestamped, scored intelligence rather than undated web content of unknown age.**
338
+
339
+ MCP is one interface over this methodology, not the whole system. The same scoring, timestamp, confidence, and provenance primitives can support APIs, CLIs, npm packages, dashboards, agents, and internal services.
340
+
341
+ ---
342
+
343
+ ## Section 5: Asset Summary
344
+
345
+ For technical integrators, auditors, and future platform partners:
346
+
347
+ **What FreshContext owns:**
348
+
349
+ 1. **The FreshContext Specification v1.2** (MIT licence, open standard) — defines the envelope format, confidence levels, structured JSON form, freshness score behavior, and failure-honesty requirements. Timestamped in the public GitHub repository.
350
+
351
+ 2. **The DAR Engine** — the exponential decay scoring methodology with source-specific λ reference defaults and calibrated production tuning.
352
+
353
+ 3. **The Semantic Fingerprinting Method** — the three-field normalisation and SHA-256 fingerprinting approach for cross-adapter deduplication.
354
+
355
+ 4. **The Ha-Pri Audit Signature scheme** — the provenance stamp and audit reference that binds stored row material to the current v1 formula; stronger tamper-evidence is the future additive v2 path.
356
+
357
+ 5. **The Store / Ledger design** — support for recurring watched queries, historical signal accumulation, D1-backed storage, and time-series auditability.
358
+
359
+ 6. **The Reference Implementation** — `freshcontext-mcp@0.3.19`, the `evaluate_context` MCP interface, and 21 read-only reference adapters, listed on npm and the MCP Registry. The hosted Worker endpoint is a separate deployment surface.
360
+
361
+ ---
362
+
363
+ ## Changelog
364
+
365
+ ### Version 1.2 — May 2026
366
+ - Clarified Core methodology vs Store/Ledger methodology.
367
+ - Preserved DAR as the mathematical scoring backbone.
368
+ - Updated reference implementation language for `evaluate_context` plus 21 MCP reference adapters.
369
+ - Reframed source decay constants as reference defaults/calibration values.
370
+ - Added failure-honesty methodology.
371
+ - Added context-conditioned utility as a Core scoring primitive.
372
+ - Clarified missing timestamp behavior.
373
+ - Clarified MCP as one interface, not the whole system.
374
+
375
+ ### Version 1.1 — April 2026
376
+ - Existing methodology version.
377
+
378
+ ---
379
+
380
+ *"The work isn't gone. It's just waiting to be continued."*
381
+ *— Prince Gabriel, Grootfontein, Namibia*
package/README.md CHANGED
@@ -87,6 +87,22 @@ The production Cloudflare Worker now uses Core-backed envelope generation. Worke
87
87
 
88
88
  See [Core / MCP Boundary](./docs/CORE_MCP_BOUNDARY.md) for the current package boundary and the staged path toward a future standalone Core package.
89
89
 
90
+ ### Core import path
91
+
92
+ FreshContext Core is also available directly from the current MCP package:
93
+
94
+ ```ts
95
+ import {
96
+ evaluateSignals,
97
+ interpretEvaluations,
98
+ getSourceProfile,
99
+ normalizeSignal,
100
+ calculateHaPriV2,
101
+ } from "freshcontext-mcp/core";
102
+ ```
103
+
104
+ This is a Core subpath export inside `freshcontext-mcp`, not a standalone `freshcontext-core` package yet. The root package and `freshcontext-mcp` binary remain the MCP reference host.
105
+
90
106
  ---
91
107
 
92
108
  ## Primary MCP interface
@@ -126,9 +142,39 @@ FreshContext returns decision-first output:
126
142
  - Confidence
127
143
  - Why
128
144
 
145
+ Structured results also include a `readable` object for humans:
146
+
147
+ ```json
148
+ {
149
+ "decision": "cite_as_primary",
150
+ "label": "Cite as primary",
151
+ "readable": {
152
+ "label": "Primary source",
153
+ "summary": "This source is strong enough to use as main evidence.",
154
+ "why": [
155
+ "Strong semantic match and current freshness for arxiv.",
156
+ "source profile academic_research uses lenient date policy",
157
+ "intent profile citation_check selected"
158
+ ],
159
+ "action": "Use this as main evidence while preserving citation and provenance.",
160
+ "warnings": [
161
+ "FreshContext judges citation readiness and context usefulness; it does not certify truth."
162
+ ]
163
+ }
164
+ }
165
+ ```
166
+
167
+ The readable object translates Core decisions into user-facing language. It does not change ranking, decision labels, utility scoring, or source intake. Utility helps explain usefulness for the current question; it remains explanatory and does not control default decision labels or ranking.
168
+
169
+ FreshContext does not certify truth. It records why context was used, supported, questioned, refreshed, watched, or excluded before it reaches a model.
170
+
129
171
  `evaluate_context` does not fetch URLs, crawl, scrape, browse, read folders, or call adapters. It only evaluates candidate context the caller provides.
130
172
 
131
- Current boundary: `evaluate_context` is part of the published npm/local stdio MCP server. The hosted Cloudflare Worker endpoint is a separate deployment surface and may lag npm package interfaces until a dedicated Worker sync pass.
173
+ Current boundary: `evaluate_context` is part of the npm/local stdio MCP server prepared for `0.3.21`. The hosted Cloudflare Worker MCP endpoint was last verified separately at `0.3.20 / 22 tools`. The Worker remains a separate deployment surface, so future package interfaces should be re-verified remotely before being claimed live.
174
+
175
+ ### Network Boundary
176
+
177
+ FreshContext's primary `evaluate_context` path does not fetch, crawl, scrape, browse, read folders, or call adapters. The MCP package also includes read-only reference adapters that use network access only when those adapter tools are invoked. Supply-chain scanners may therefore report package network access; that applies to the optional adapter surface, not to caller-provided context evaluation.
132
178
 
133
179
  ---
134
180
 
@@ -195,6 +241,8 @@ The repo ships named reference adapters that demonstrate how different source cl
195
241
 
196
242
  ## Quick start
197
243
 
244
+ For Claude Desktop, Codex, `npx`, global npm, and source-checkout setup, see the concise [client setup guide](./docs/CLIENT_SETUP.md).
245
+
198
246
  ### Cloud (no install)
199
247
 
200
248
  Add to your Claude Desktop config and restart:
@@ -387,7 +435,7 @@ The reference implementation runs on Cloudflare's global edge:
387
435
  | `/` | GET | Service info + endpoint list |
388
436
  | `/health` | GET | Liveness check |
389
437
  | `/mcp` | POST | MCP JSON-RPC transport |
390
- | `/demo` | GET | Live before/after demo (no API key required) |
438
+ | `/demo` | GET | Live before/after demo (no auth token required) |
391
439
  | `/briefing` | GET | Latest stored briefing |
392
440
  | `/v1/intel/feed/:profile_id` | GET | DAR-scored intelligence feed |
393
441
  | `/watched-queries` | GET | List all watched queries |
@@ -405,17 +453,19 @@ Production: `https://freshcontext-mcp.gimmanuel73.workers.dev`
405
453
  ## Roadmap
406
454
 
407
455
  - [x] FreshContext Specification v1.2 published (MIT, open standard)
408
- - [x] DAR engine with proprietary λ constants (v0.3.19)
456
+ - [x] DAR engine with source-specific lambda constants
409
457
  - [x] Ha-Pri v1 provenance signatures on stored signals
410
458
  - [x] Semantic deduplication via fingerprinting
411
459
  - [x] Live before/after demo at `/demo`
412
- - [x] METHODOLOGY.md — formal IP and engineering documentation
460
+ - [x] METHODOLOGY.md — methodology and engineering documentation
413
461
  - [x] Named reference adapters across intelligence, competitive research, market data, and composites
414
462
  - [x] Generic MCP `evaluate_context` tool for caller-provided candidate context
415
463
  - [x] Core-backed envelope generation shared by npm/MCP and the Cloudflare Worker
416
464
  - [x] Cloudflare Workers deployment — global edge, KV cache, KV rate limiting
417
465
  - [x] Published on npm and listed for MCP usage; Apify/feed assets are separated from the normal MCP runtime package
418
- - [ ] Ha-Pri v2 hardened canonical content hash verification
466
+ - [x] Ha-Pri v2 Core helper and deterministic golden vectors
467
+ - [x] Ha-Pri v2 production-enforcement design document
468
+ - [ ] Ha-Pri v2 Worker/D1 production enforcement
419
469
  - [x] GitHub Actions release workflow — manual or `v*` tag-triggered npm publish path
420
470
  - [ ] Webhook triggers — push high-entropy signals on threshold
421
471
  - [ ] Dashboard — React frontend for the D1 intelligence pipeline
package/SECURITY.md CHANGED
@@ -25,10 +25,12 @@ For a useful report, include:
25
25
 
26
26
  Public GitHub issues are fine for non-sensitive bugs, documentation mistakes, stale claims, build failures, and feature requests.
27
27
 
28
- ## Scope Notes
29
-
30
- FreshContext does not currently offer a formal bug bounty program.
31
-
32
- Please do not send live production tokens, private Cloudflare logs, npm tokens, GitHub tokens, MCP registry tokens, customer data, or private account data. If a report requires sensitive evidence, describe the issue first by email so a safer exchange path can be agreed.
33
-
34
- This policy does not make claims of certification, compliance, guaranteed response time, or security warranty.
28
+ ## Scope Notes
29
+
30
+ FreshContext does not currently offer a formal bug bounty program.
31
+
32
+ Please do not send live production tokens, private Cloudflare logs, npm tokens, GitHub tokens, MCP registry tokens, customer data, or private account data. If a report requires sensitive evidence, describe the issue first by email so a safer exchange path can be agreed.
33
+
34
+ FreshContext's primary `evaluate_context` path evaluates caller-provided candidate context and does not fetch, crawl, browse, read folders, or call adapters. The published MCP package also includes read-only reference adapters that use network access only when those adapter tools are invoked.
35
+
36
+ This policy does not make claims of certification, compliance, guaranteed response time, or security warranty.
@@ -0,0 +1,15 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ import type { FreshContextSignalInput } from "../core/types.js";
3
+ export type ArxivSignalSearchInput = {
4
+ query: string;
5
+ maxResults?: number;
6
+ retrievedAt?: string;
7
+ semanticScore?: number;
8
+ };
9
+ /**
10
+ * arXiv adapter uses the official arXiv API.
11
+ * Accepts a search query or a direct arXiv API URL.
12
+ * Docs: https://arxiv.org/help/api/user-manual
13
+ */
14
+ export declare function arxivAdapter(options: ExtractOptions): Promise<AdapterResult>;
15
+ export declare function searchArxivSignals(input: ArxivSignalSearchInput): Promise<FreshContextSignalInput[]>;
@@ -1,4 +1,5 @@
1
- const USER_AGENT = "freshcontext-mcp/0.1.7 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)";
1
+ import { validateUrl } from "../security.js";
2
+ const USER_AGENT = "freshcontext-mcp/0.3.21 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)";
2
3
  const DEFAULT_ARXIV_SIGNAL_SCORE = 0.8;
3
4
  function buildArxivApiUrl(input, maxResults = 10) {
4
5
  const trimmed = input.trim();
@@ -6,7 +7,7 @@ function buildArxivApiUrl(input, maxResults = 10) {
6
7
  ? Math.max(1, Math.min(Math.trunc(maxResults), 50))
7
8
  : 10;
8
9
  return trimmed.startsWith("http")
9
- ? trimmed
10
+ ? validateUrl(trimmed, "arxiv")
10
11
  : `https://export.arxiv.org/api/query?search_query=all:${encodeURIComponent(trimmed)}&start=0&max_results=${safeMaxResults}&sortBy=relevance&sortOrder=descending`;
11
12
  }
12
13
  async function fetchArxivXml(apiUrl) {
@@ -0,0 +1,2 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ export declare function changelogAdapter(options: ExtractOptions): Promise<AdapterResult>;
@@ -1,3 +1,4 @@
1
+ import { validateUrl } from "../security.js";
1
2
  /**
2
3
  * Changelog adapter — extracts update history from any product or repo.
3
4
  *
@@ -193,7 +194,8 @@ export async function changelogAdapter(options) {
193
194
  return fetchNpmChangelog(input, maxLength);
194
195
  }
195
196
  // GitHub repo URL → use releases API
196
- const ghMatch = input.match(/github\.com\/([^/]+)\/([^/?\s]+)/);
197
+ const safeInput = validateUrl(input, "changelog");
198
+ const ghMatch = safeInput.match(/github\.com\/([^/]+)\/([^/?\s]+)/);
197
199
  if (ghMatch) {
198
200
  try {
199
201
  return await fetchGitHubReleases(ghMatch[1], ghMatch[2], maxLength);
@@ -203,5 +205,5 @@ export async function changelogAdapter(options) {
203
205
  }
204
206
  }
205
207
  // Any other URL → discover changelog
206
- return discoverChangelog(input, maxLength);
208
+ return discoverChangelog(safeInput, maxLength);
207
209
  }
@@ -0,0 +1,2 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ export declare function financeAdapter(options: ExtractOptions): Promise<AdapterResult>;
@@ -30,7 +30,7 @@ async function fetchStooqQuote(ticker) {
30
30
  const url = `https://stooq.com/q/l/?s=${encodeURIComponent(stooqSymbol.toLowerCase())}&f=sd2t2ohlcv&h&e=json`;
31
31
  const res = await fetch(url, {
32
32
  headers: {
33
- "User-Agent": "freshcontext-mcp/0.3.17",
33
+ "User-Agent": "freshcontext-mcp/0.3.21",
34
34
  "Accept": "application/json",
35
35
  },
36
36
  });
@@ -0,0 +1,2 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ export declare function gdeltAdapter(options: ExtractOptions): Promise<AdapterResult>;
@@ -11,7 +11,7 @@
11
11
  */
12
12
  const HEADERS = {
13
13
  "Accept": "application/json",
14
- "User-Agent": "freshcontext-mcp/0.3.17 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)",
14
+ "User-Agent": "freshcontext-mcp/0.3.21 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)",
15
15
  };
16
16
  function parseGdeltDate(raw) {
17
17
  if (!raw)
@@ -0,0 +1,2 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ export declare function gebizAdapter(options: ExtractOptions): Promise<AdapterResult>;
@@ -20,7 +20,7 @@ const DATASET_ID = "d_acde1106003906a75c3fa052592f2fcb";
20
20
  const BASE_URL = "https://data.gov.sg/api/action/datastore_search";
21
21
  const HEADERS = {
22
22
  "Accept": "application/json",
23
- "User-Agent": "freshcontext-mcp/0.3.17 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)",
23
+ "User-Agent": "freshcontext-mcp/0.3.21 (https://github.com/PrinceGabriel-lgtm/freshcontext-mcp)",
24
24
  };
25
25
  function formatDate(raw) {
26
26
  if (!raw)
@@ -0,0 +1,2 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ export declare function githubAdapter(options: ExtractOptions): Promise<AdapterResult>;
@@ -0,0 +1,2 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ export declare function govContractsAdapter(options: ExtractOptions): Promise<AdapterResult>;
@@ -0,0 +1,2 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ export declare function hackerNewsAdapter(options: ExtractOptions): Promise<AdapterResult>;
@@ -0,0 +1,2 @@
1
+ import { AdapterResult, ExtractOptions } from "../types.js";
2
+ export declare function jobsAdapter(options: ExtractOptions): Promise<AdapterResult>;