memory-journal-mcp 3.0.0 → 3.1.3

package/.github/dependabot.yml

@@ -1,10 +1,11 @@
 # Dependabot configuration for Memory Journal MCP Server
-# Manages 72+ dependencies including ML libraries and NVIDIA CUDA packages
+# v3.0.0+ is a TypeScript/Node.js project (npm dependencies)
+# The Python codebase is deprecated and archived in archive/python-v2
 
 version: 2
 updates:
-  # Python dependencies (pip)
-  - package-ecosystem: "pip"
+  # NPM dependencies (TypeScript/Node.js - v3.0.0+)
+  - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
@@ -16,61 +17,45 @@ updates:
       - "neverinfamous"
     labels:
       - "dependencies"
-      - "python"
-    # Group ML/AI related packages to reduce PR noise
+      - "npm"
     groups:
+      mcp-core:
+        patterns:
+          - "@modelcontextprotocol/*"
+          - "zod*"
+        update-types:
+          - "minor"
+          - "patch"
       ml-packages:
         patterns:
-          - "torch*"
-          - "nvidia-*"
-          - "transformers*"
-          - "sentence-transformers*"
-          - "huggingface-*"
-          - "scikit-learn*"
-          - "scipy*"
-          - "numpy*"
-          - "faiss-*"
-          - "pillow*"
-          - "tokenizers*"
-          - "safetensors*"
+          - "@xenova/*"
+          - "vectra*"
         update-types:
           - "minor"
           - "patch"
-      mcp-core:
+      database:
         patterns:
-          - "mcp*"
-          - "pydantic*"
-          - "httpx*"
-          - "starlette*"
-          - "uvicorn*"
+          - "sql.js*"
+          - "better-sqlite3*"
         update-types:
           - "minor"
           - "patch"
-      utilities:
+      build-tools:
         patterns:
-          - "tqdm*"
-          - "click*"
-          - "pyyaml*"
-          - "requests*"
-          - "urllib3*"
-          - "certifi*"
-          - "charset-normalizer*"
-          - "idna*"
-          - "filelock*"
-          - "packaging*"
-          - "attrs*"
+          - "typescript*"
+          - "tsup*"
+          - "@types/*"
         update-types:
+          - "minor"
+          - "patch"
+      linting:
+        patterns:
+          - "eslint*"
+          - "@eslint/*"
+          - "typescript-eslint*"
+        update-types:
+          - "minor"
           - "patch"
-    # Ignore specific packages that might cause compatibility issues
-    ignore:
-      # NVIDIA CUDA packages - only update for security fixes
-      - dependency-name: "nvidia-*"
-        update-types: ["version-update:semver-minor"]
-      # PyTorch - be conservative with updates
-      - dependency-name: "torch"
-        update-types: ["version-update:semver-major"]
-      - dependency-name: "triton"
-        update-types: ["version-update:semver-major"]
 
   # GitHub Actions
   - package-ecosystem: "github-actions"
@@ -94,7 +79,7 @@ updates:
           - "minor"
           - "patch"
 
-  # Docker dependencies (if using Docker Compose)
+  # Docker dependencies
   - package-ecosystem: "docker"
     directory: "/"
     schedule:

package/.github/workflows/codeql.yml

@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4

package/.github/workflows/docker-publish.yml

@@ -23,10 +23,41 @@ permissions:
   attestations: write
 
 jobs:
+  # Gate check: For tag pushes, run lint/typecheck/build first
+  preflight-check:
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22.x'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run ESLint
+        run: npm run lint
+
+      - name: Run TypeScript check
+        run: npm run typecheck
+
+      - name: Build
+        run: npm run build
+
   # Build each platform on native architecture (avoids QEMU emulation issues)
   build-platform:
-    # Only run if lint-and-test succeeded OR if this is a tag push
-    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'push' }}
+    # For workflow_run: only run if lint-and-test succeeded
+    # For tag push: only run after preflight-check succeeds
+    needs: [preflight-check]
+    if: |
+      always() && 
+      (github.event.workflow_run.conclusion == 'success' || 
+       (github.event_name == 'push' && needs.preflight-check.result == 'success'))
     strategy:
       fail-fast: false
       matrix:
@@ -48,7 +79,7 @@ jobs:
     
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
@@ -112,7 +143,7 @@ jobs:
 
     - name: Upload digest
       if: github.event_name != 'pull_request'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v6
       with:
         name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
         path: /tmp/digests/*
@@ -130,7 +161,7 @@ jobs:
     
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
@@ -153,27 +184,33 @@ jobs:
         docker images local-scan:latest
         echo "🔍 Running Docker Scout security scan for local-scan:latest"
         
+        # Define CVEs to ignore (upstream issues with NO fix available)
+        # CVE-2026-22184: Alpine zlib - no fix version released yet
+        # CVE-2019-10790: protobufjs taffydb - unmaintained/abandoned package
+        IGNORE_CVES="CVE-2026-22184|CVE-2019-10790"
+        
         echo "⏱️ Running Docker Scout scan (max 8 minutes)..."
         if timeout 480 docker scout cves local-scan:latest > scout_output.txt 2>&1; then
           echo "📊 Scan completed successfully"
           cat scout_output.txt
           
-          # Check if critical or high vulnerabilities are present in the output
-          # Look for non-zero counts in CRITICAL or HIGH columns (format: "1C" or "2H")
-          if grep -E "^\s+[1-9][0-9]*C\s+" scout_output.txt > /dev/null; then
-            echo "❌ Critical severity vulnerabilities detected"
+          # Filter out ignored CVEs and check remaining for critical/high
+          # First, check for any critical CVEs that are NOT in our ignore list
+          if grep -E "^[A-Z]" scout_output.txt | grep -vE "$IGNORE_CVES" | grep -q "CRITICAL"; then
+            echo "❌ Critical severity vulnerability detected (not in allowlist)"
             echo "🚨 Build blocked due to unacceptable security risk"
             exit 1
           fi
           
-          if grep -E "^\s+0C\s+[1-9][0-9]*H\s+" scout_output.txt > /dev/null; then
-            echo "❌ High severity vulnerabilities detected"
+          # Check for any high CVEs that are NOT in our ignore list
+          if grep -E "^CVE-" scout_output.txt | grep -vE "$IGNORE_CVES" | grep -q "HIGH"; then
+            echo "❌ High severity vulnerability detected (not in allowlist)"
             echo "🚨 Build blocked due to unacceptable security risk"
             exit 1
-          else
-            echo "✅ Security scan passed - no critical/high severity vulnerabilities"
-            echo "ℹ️ Low/medium severity vulnerabilities are acceptable"
           fi
+          
+          echo "✅ Security scan passed"
+          echo "ℹ️ Any flagged CVEs are either allowlisted (upstream) or low/medium severity"
         else
           echo "⚠️ Docker Scout scan timed out or failed"
           echo "🔄 Continuing build - scan timeout is not a security failure"
@@ -198,10 +235,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Download digests
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v7
       with:
         path: /tmp/digests
         pattern: digests-*

package/.github/workflows/lint-and-test.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v6
@@ -42,7 +42,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v6

package/.github/workflows/publish-npm.yml

@@ -22,7 +22,7 @@ jobs:
     
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v6

package/.github/workflows/secrets-scanning.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

package/.github/workflows/security-update.yml

@@ -18,7 +18,7 @@ jobs:
     
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3

package/.scout-ignore

@@ -0,0 +1,12 @@
+# Docker Scout CVE Ignore File
+# See: https://docs.docker.com/scout/explore/cve-ignorelist/
+#
+# Only include CVEs with NO upstream fix available
+
+# Alpine zlib - Critical severity, but NO FIX VERSION RELEASED by Alpine yet
+# We run `apk upgrade --no-cache` but there's nothing to upgrade to
+CVE-2026-22184
+
+# protobufjs bundled taffydb - 6+ year old unmaintained package
+# No fix version exists - package is abandoned
+CVE-2019-10790

package/.trivyignore

@@ -1,18 +1,19 @@
 # Trivy Ignore File
 # See: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/
 
-# CVE-2025-64756: glob command injection in npm CLI (HIGH)
-# This is in the Node.js base image's npm installation (/usr/local/lib/node_modules/npm)
-# We don't use glob CLI directly and cannot patch base image npm
-# Will be fixed when Node.js releases updated base images
-CVE-2025-64756
+# ============================================================================
+# Alpine Base Image - No upstream fix available
+# ============================================================================
 
-# CVE-2025-5889: brace-expansion ReDoS (LOW)
-# Bundled in protobufjs/cli/node_modules - can't override with npm
-# LOW severity, attack complexity is high, exploitation is difficult
-CVE-2025-5889
+# CVE-2026-22184: zlib vulnerability (CRITICAL)
+# No fix version released by Alpine yet - `apk upgrade` has nothing to update to
+CVE-2026-22184
 
-# CVE-2025-54798: tmp symlink vulnerability (LOW)
-# Bundled in protobufjs/cli/node_modules - can't override with npm
-# LOW severity, only affects tmp file creation in CLI context
-CVE-2025-54798
+# ============================================================================
+# protobufjs Bundled CLI - in /app/node_modules/protobufjs/cli/node_modules/
+# taffydb is 6+ years unmaintained with no fix available
+# ============================================================================
+
+# CVE-2019-10790: taffydb prototype pollution (HIGH)
+# No fix version exists - package is abandoned
+CVE-2019-10790

package/DOCKER_README.md

@@ -1,11 +1,11 @@
 # Memory Journal MCP Server
 
-Last Updated December 28, 2025 - v3.0.0
+Last Updated January 11, 2026 - v3.1.3
 
 [![GitHub](https://img.shields.io/badge/GitHub-neverinfamous/memory--journal--mcp-blue?logo=github)](https://github.com/neverinfamous/memory-journal-mcp)
 [![Docker Pulls](https://img.shields.io/docker/pulls/writenotenow/memory-journal-mcp)](https://hub.docker.com/r/writenotenow/memory-journal-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-![Version](https://img.shields.io/badge/version-v3.0.0-green)
+![Version](https://img.shields.io/badge/version-v3.1.3-green)
 ![Status](https://img.shields.io/badge/status-Production%2FStable-brightgreen)
 [![npm](https://img.shields.io/npm/v/memory-journal-mcp)](https://www.npmjs.com/package/memory-journal-mcp)
 [![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](https://github.com/neverinfamous/memory-journal-mcp/blob/main/SECURITY.md)
@@ -36,6 +36,24 @@ Last Updated December 28, 2025 - v3.0.0
 - 📊 **Generate reports** (standups, retrospectives, PR summaries, status)
 - 🗄️ **Backup & restore** your journal data with one command
 
+```mermaid
+flowchart LR
+    subgraph Problem["❌ Without Memory Journal"]
+        direction TB
+        A1["Session 1<br/>Context Lost"] --> A2["Session 2<br/>Start Over"]
+    end
+    
+    subgraph Solution["✅ With Memory Journal"]
+        direction TB
+        B1["Session 1"] --> MJ[("📚 Memory<br/>Journal")]
+        B2["Session 2"] --> MJ
+        MJ --> |"Recall"| B1
+        MJ --> |"Search"| B2
+    end
+    
+    Problem -.->|"Solve with"| Solution
+```
+
 ---
 
 ## ✨ v3.0.0 Highlights (December 28, 2025)
@@ -54,8 +72,9 @@ Last Updated December 28, 2025 - v3.0.0
 ### **📊 New: Server Health Resource**
 - `memory://health` - Database stats, backup info, vector index status, tool filter config
 
-### **27 MCP Tools • 14 Workflow Prompts • 14 Resources**
+### **29 MCP Tools • 14 Workflow Prompts • 16 Resources**
 - **8 tool groups** - `core`, `search`, `analytics`, `relationships`, `export`, `admin`, `github`, `backup`
+- **GitHub Kanban** - View and manage GitHub Project boards directly
 - **Knowledge graphs** - 5 relationship types, Mermaid diagram visualization
 - **Semantic search** - AI-powered conceptual search via `@xenova/transformers`
 
@@ -184,7 +203,7 @@ docker pull writenotenow/memory-journal-mcp@sha256:<manifest-digest>
 
 ## ⚡ Core Features
 
-### 🛠️ 27 MCP Tools (8 Groups)
+### 🛠️ 29 MCP Tools (8 Groups)
 | Group | Tools | Description |
 |-------|-------|-------------|
 | `core` | 6 | Entry CRUD, tags, test |
@@ -193,8 +212,8 @@ docker pull writenotenow/memory-journal-mcp@sha256:<manifest-digest>
 | `relationships` | 2 | Link entries, visualize graphs |
 | `export` | 1 | JSON/Markdown export |
 | `admin` | 4 | Update, delete, vector index management |
-| `github` | 5 | Issues, PRs, context integration |
-| `backup` | 3 | **NEW** Backup, list, restore |
+| `github` | 7 | Issues, PRs, context, **Kanban board** |
+| `backup` | 3 | Backup, list, restore |
 
 **[Complete tools documentation →](https://github.com/neverinfamous/memory-journal-mcp/wiki/Tools)**
 
@@ -202,8 +221,8 @@ docker pull writenotenow/memory-journal-mcp@sha256:<manifest-digest>
 Standups • Retrospectives • Weekly digests • PR summaries • Code review prep • Goal tracking  
 **[Complete prompts guide →](https://github.com/neverinfamous/memory-journal-mcp/wiki/Prompts)**
 
-### 📡 14 Resources
-Including new `memory://health` for server diagnostics  
+### 📡 16 Resources
+Including `memory://health` for diagnostics and `memory://kanban/{n}` for Kanban boards  
 **[Resources documentation →](https://github.com/neverinfamous/memory-journal-mcp/wiki/Resources)**
 
 ---
@@ -226,9 +245,16 @@ backup_journal({ name: "pre_refactor" })
 // Search entries
 search_entries({ query: "performance" })
 
+// View Kanban board
+get_kanban_board({ project_number: 5 })
+
+// Move item on Kanban
+move_kanban_item({ project_number: 5, item_id: "PVTI_...", target_status: "Done" })
+
 // Access MCP resources
 memory://recent                  // Recent entries
 memory://health                  // Server diagnostics
+memory://kanban/5                // Kanban board view
 memory://projects/1/timeline     // Project timeline
 ```
 
@@ -300,7 +326,7 @@ docker run -i --rm \
 | **ARM64** (Apple Silicon) | Complete: all tools, semantic search, Git context |
 
 **TypeScript v3.0 Image Benefits:**
-- **Node.js 22 on Alpine Linux** - Minimal footprint (~150MB compressed)
+- **Node.js 24 on Alpine Linux** - Minimal footprint (~150MB compressed)
 - **Pure JS Stack** - No native compilation, identical features on all platforms
 - **sql.js** - SQLite in pure JavaScript
 - **vectra** - Vector similarity search without native dependencies
@@ -316,7 +342,7 @@ docker run -i --rm \
 - 📋 **SBOM Available** - Complete software bill of materials
 
 **Available Tags:**
-- `3.0.0` - Specific version (recommended for production)
+- `3.1.3` - Specific version (recommended for production)
 - `3.0` - Latest patch in 3.0.x series
 - `3` - Latest minor in 3.x series
 - `latest` - Always the newest version

package/Dockerfile

@@ -1,18 +1,32 @@
 # Memory Journal MCP Server - TypeScript Version
 # Multi-stage build for optimized production image
-FROM node:22-alpine AS builder
+FROM node:24-alpine AS builder
 
 WORKDIR /app
 
-# Install build dependencies
-RUN apk add --no-cache python3 make g++
+# Install build dependencies and upgrade packages for security
+# Use Alpine edge for latest security patches (curl CVE-2025-14524, etc.)
+RUN apk add --no-cache python3 make g++ && \
+    apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main curl && \
+    apk upgrade --no-cache
+
+# Upgrade npm globally to get fixed versions of bundled packages
+# Fixes CVE-2025-64756 (glob) and CVE-2025-64118 (tar)
+RUN npm install -g npm@latest
 
 # Copy package files first for better layer caching
-COPY package*.json ./
+COPY package*.json .npmrc ./
 
 # Install all dependencies (including devDependencies for build)
+# The .npmrc has legacy-peer-deps=true to handle zod peer conflicts
 RUN npm ci
 
+# Clean protobufjs bundled cli dependencies and apply overrides
+# This ensures our brace-expansion and tmp overrides take effect
+RUN rm -rf node_modules/protobufjs/cli/node_modules/brace-expansion \
+           node_modules/protobufjs/cli/node_modules/tmp && \
+    npm dedupe
+
 # Copy source code
 COPY tsconfig.json ./
 COPY src/ ./src/
@@ -21,12 +35,15 @@ COPY src/ ./src/
 RUN npm run build
 
 # Production stage
-FROM node:22-alpine
+FROM node:24-alpine
 
 WORKDIR /app
 
-# Install runtime dependencies
-RUN apk add --no-cache git ca-certificates && apk upgrade --no-cache
+# Install runtime dependencies with security fixes
+# Use Alpine edge for curl with CVE fixes
+RUN apk add --no-cache git ca-certificates && \
+    apk add --no-cache --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main curl && \
+    apk upgrade --no-cache
 
 # Copy built artifacts and production dependencies
 COPY --from=builder /app/dist ./dist
@@ -59,6 +76,6 @@ CMD ["node", "dist/cli.js"]
 # Labels for Docker Hub
 LABEL maintainer="Adamic.tech"
 LABEL description="Memory Journal MCP Server - Project context management for AI-assisted development"
-LABEL version="3.0.0"
+LABEL version="3.1.3"
 LABEL org.opencontainers.image.source="https://github.com/neverinfamous/memory-journal-mcp"
 LABEL io.modelcontextprotocol.server.name="io.github.neverinfamous/memory-journal-mcp"