memory-journal-mcp 3.0.0

package/README.md

@@ -0,0 +1,461 @@
+# Memory Journal MCP Server
+
+Last Updated December 28, 2025 - v3.0.0
+
+<!-- mcp-name: io.github.neverinfamous/memory-journal-mcp -->
+
+[![GitHub](https://img.shields.io/badge/GitHub-neverinfamous/memory--journal--mcp-blue?logo=github)](https://github.com/neverinfamous/memory-journal-mcp)
+[![npm](https://img.shields.io/npm/v/memory-journal-mcp)](https://www.npmjs.com/package/memory-journal-mcp)
+[![Docker Pulls](https://img.shields.io/docker/pulls/writenotenow/memory-journal-mcp)](https://hub.docker.com/r/writenotenow/memory-journal-mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+![Version](https://img.shields.io/badge/version-v3.0.0-green)
+![Status](https://img.shields.io/badge/status-Production%2FStable-brightgreen)
+[![MCP Registry](https://img.shields.io/badge/MCP_Registry-Published-green)](https://registry.modelcontextprotocol.io/v0/servers?search=io.github.neverinfamous/memory-journal-mcp)
+[![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](SECURITY.md)
+[![TypeScript](https://img.shields.io/badge/TypeScript-Strict-blue.svg)](https://github.com/neverinfamous/memory-journal-mcp)
+
+*Project context management for AI-assisted development - Bridge the gap between fragmented AI threads with persistent knowledge graphs and intelligent context recall*
+
+**🎯 Solve the AI Context Problem:** When working with AI across multiple threads and sessions, context is lost. Memory Journal maintains a persistent, searchable record of your project work, decisions, and progress - making every AI conversation informed by your complete project history.
+
+**[GitHub](https://github.com/neverinfamous/memory-journal-mcp)** • **[Wiki](https://github.com/neverinfamous/memory-journal-mcp/wiki)** • **[Changelog](https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG)** • **[Release Article](https://adamic.tech/articles/memory-journal-mcp-server)**
+
+**🚀 Quick Deploy:**
+- **[npm Package](https://www.npmjs.com/package/memory-journal-mcp)** - `npm install -g memory-journal-mcp`
+- **[Docker Hub](https://hub.docker.com/r/writenotenow/memory-journal-mcp)** - Alpine-based with full semantic search
+
+---
+
+## ✨ What's New in v3.0.0 (December 28, 2025)
+
+### 🚀 **Complete TypeScript Rewrite**
+
+Memory Journal v3.0 is a ground-up rewrite in TypeScript, delivering:
+
+- **Pure JS Stack** - No native compilation required (`sql.js` + `vectra` + `@xenova/transformers`)
+- **Cross-Platform Portability** - Works on Windows, macOS, Linux without binary dependencies
+- **Strict Type Safety** - Zero TypeScript errors, 100% strict mode compliance
+- **Faster Startup** - Lazy ML loading with instant cold starts
+- **MCP 2025-11-25 Compliance** - Full spec compliance with behavioral annotations
+
+### 🗄️ **New: Backup & Restore Tools**
+
+Never lose your journal data again:
+
+| Tool | Description |
+|------|-------------|
+| `backup_journal` | Create timestamped database backups |
+| `list_backups` | List all available backup files |
+| `restore_backup` | Restore from any backup (with auto-backup before restore) |
+
+```javascript
+// Create a backup before major changes
+backup_journal({ name: "before_migration" })
+// → { success: true, filename: "before_migration.db", sizeBytes: 524288 }
+
+// List available backups
+list_backups()
+// → { backups: [...], total: 3, backupsDirectory: "~/.memory-journal/backups" }
+
+// Restore from backup (requires confirmation)
+restore_backup({ filename: "before_migration.db", confirm: true })
+// → { success: true, previousEntryCount: 50, newEntryCount: 42 }
+```
+
+### 📊 **New: Server Health Resource**
+
+Get comprehensive server diagnostics via `memory://health`:
+
+```json
+{
+  "database": {
+    "path": "~/.memory-journal/memory_journal.db",
+    "sizeBytes": 524288,
+    "entryCount": 150,
+    "deletedEntryCount": 5,
+    "relationshipCount": 42,
+    "tagCount": 28
+  },
+  "backups": {
+    "directory": "~/.memory-journal/backups",
+    "count": 3,
+    "lastBackup": { "filename": "...", "createdAt": "...", "sizeBytes": 524288 }
+  },
+  "vectorIndex": {
+    "available": true,
+    "indexedEntries": 150,
+    "modelName": "all-MiniLM-L6-v2"
+  },
+  "toolFilter": {
+    "active": false,
+    "enabledCount": 27,
+    "totalCount": 27
+  },
+  "timestamp": "2025-12-28T05:47:00Z"
+}
+```
+
+### 📈 **Current Capabilities**
+
+- **27 MCP tools** - Complete development workflow + backup/restore
+- **14 workflow prompts** - Standups, retrospectives, PR workflows, CI/CD failure analysis
+- **14 MCP resources** - Including new `memory://health` diagnostics
+- **GitHub Integration** - Projects, Issues, Pull Requests, Actions with auto-linking
+- **8 tool groups** - `core`, `search`, `analytics`, `relationships`, `export`, `admin`, `github`, `backup`
+- **Knowledge graphs** - 5 relationship types, Mermaid visualization
+- **Semantic search** - AI-powered conceptual search via `@xenova/transformers`
+
+---
+
+## 🎯 Why Memory Journal?
+
+### **The Fragmented AI Context Problem**
+
+When managing large projects with AI assistance, you face a critical challenge:
+
+- **Thread Amnesia** - Each new AI conversation starts from zero, unaware of previous work
+- **Lost Context** - Decisions, implementations, and learnings scattered across disconnected threads  
+- **Repeated Work** - AI suggests solutions you've already tried or abandoned
+- **Context Overload** - Manually copying project history into every new conversation
+
+### **The Solution: Persistent Project Memory**
+
+Memory Journal acts as your project's **long-term memory**, bridging the gap between fragmented AI threads:
+
+**For Developers:**
+- 📝 **Automatic Context Capture** - Git commits, branches, GitHub issues, PRs, and project state captured with every entry
+- 🔗 **Knowledge Graph** - Link related work (specs → implementations → tests → PRs) to build a connected history
+- 🔍 **Intelligent Search** - Find past decisions, solutions, and context across your entire project timeline
+- 📊 **Project Analytics** - Track progress from issues through PRs, generate reports for standups/retrospectives
+
+**For AI-Assisted Work:**
+- 💡 AI can query your **complete project history** in any conversation
+- 🧠 **Semantic search** finds conceptually related work, even without exact keywords
+- 📖 **Context bundles** provide AI with comprehensive project state instantly
+- 🔗 **Relationship visualization** shows how different pieces of work connect
+
+---
+
+## 🚀 Quick Start
+
+### Option 1: npm (Recommended)
+
+**Step 1: Install the package**
+
+```bash
+npm install -g memory-journal-mcp
+```
+
+**Step 2: Add to ~/.cursor/mcp.json**
+
+```json
+{
+  "mcpServers": {
+    "memory-journal-mcp": {
+      "command": "memory-journal-mcp"
+    }
+  }
+}
+```
+
+**Step 3: Restart Cursor**
+
+Restart Cursor or your MCP client, then start journaling!
+
+### Option 2: npx (No Installation)
+
+```json
+{
+  "mcpServers": {
+    "memory-journal-mcp": {
+      "command": "npx",
+      "args": ["-y", "memory-journal-mcp"]
+    }
+  }
+}
+```
+
+### Option 3: From Source
+
+```bash
+git clone https://github.com/neverinfamous/memory-journal-mcp.git
+cd memory-journal-mcp
+npm install
+npm run build
+```
+
+```json
+{
+  "mcpServers": {
+    "memory-journal-mcp": {
+      "command": "node",
+      "args": ["dist/cli.js"]
+    }
+  }
+}
+```
+
+### GitHub Integration Configuration
+
+The GitHub tools (`get_github_issues`, `get_github_prs`, etc.) can auto-detect the repository from your git context. However, MCP clients may run the server from a different directory than your project.
+
+**To enable GitHub auto-detection**, add `GITHUB_REPO_PATH` to your config:
+
+```json
+{
+  "mcpServers": {
+    "memory-journal-mcp": {
+      "command": "memory-journal-mcp",
+      "env": {
+        "GITHUB_TOKEN": "ghp_your_token_here",
+        "GITHUB_REPO_PATH": "/path/to/your/git/repo"
+      }
+    }
+  }
+}
+```
+
+| Environment Variable | Description |
+|---------------------|-------------|
+| `GITHUB_TOKEN` | GitHub personal access token for API access |
+| `GITHUB_REPO_PATH` | Path to the git repository for auto-detecting owner/repo |
+
+**Without `GITHUB_REPO_PATH`**: You'll need to explicitly provide `owner` and `repo` parameters when calling GitHub tools.
+
+### Cursor Known Issues
+
+**Listing MCP Resources**: If the agent has trouble listing resources, instruct it to call `list_mcp_resources()` without specifying a server parameter. Using `server="memory-journal-mcp"` may return nothing (Cursor bug).
+
+---
+
+## 📋 Core Capabilities
+
+### 🛠️ **27 MCP Tools** (8 Groups)
+
+| Group | Tools | Description |
+|-------|-------|-------------|
+| `core` | 6 | Entry CRUD, tags, test |
+| `search` | 4 | Text search, date range, semantic, vector stats |
+| `analytics` | 2 | Statistics, cross-project insights |
+| `relationships` | 2 | Link entries, visualize graphs |
+| `export` | 1 | JSON/Markdown export |
+| `admin` | 4 | Update, delete, rebuild/add to vector index |
+| `github` | 5 | Issues, PRs, context integration |
+| `backup` | 3 | **NEW** Backup, list, restore |
+
+**[Complete tools reference →](https://github.com/neverinfamous/memory-journal-mcp/wiki/Tools)**
+
+### 🎯 **14 Workflow Prompts**
+
+- `find-related` - Discover connected entries via semantic similarity
+- `prepare-standup` - Daily standup summaries
+- `prepare-retro` - Sprint retrospectives
+- `weekly-digest` - Day-by-day weekly summaries
+- `analyze-period` - Deep period analysis with insights
+- `goal-tracker` - Milestone and achievement tracking
+- `get-context-bundle` - Project context with Git/GitHub
+- `pr-summary` - Pull request journal activity summary
+- `code-review-prep` - Comprehensive PR review preparation
+- `pr-retrospective` - Completed PR analysis with learnings
+- `actions-failure-digest` - CI/CD failure analysis
+
+**[Complete prompts guide →](https://github.com/neverinfamous/memory-journal-mcp/wiki/Prompts)**
+
+### 📡 **14 Resources**
+
+- `memory://recent` - 10 most recent entries
+- `memory://significant` - Significant milestones and breakthroughs
+- `memory://graph/recent` - Live Mermaid diagram of recent relationships
+- `memory://team/recent` - Recent team-shared entries
+- `memory://health` - **NEW** Server health & diagnostics
+- `memory://projects/{number}/timeline` - Project activity timeline
+- `memory://issues/{issue_number}/entries` - Entries linked to issue
+- `memory://prs/{pr_number}/entries` - Entries linked to PR
+- `memory://prs/{pr_number}/timeline` - Combined PR + journal timeline
+- `memory://graph/actions` - CI/CD narrative graph
+- `memory://actions/recent` - Recent workflow runs
+- `memory://tags` - All tags with usage counts
+- `memory://statistics` - Journal statistics
+
+---
+
+## 🔧 Configuration
+
+### GitHub Integration (Optional)
+
+```bash
+export GITHUB_TOKEN="your_token"              # For Projects/Issues/PRs
+export GITHUB_ORG_TOKEN="your_org_token"      # Optional: org projects
+export DEFAULT_ORG="your-org-name"            # Optional: default org
+```
+
+**Scopes:** `repo`, `project`, `read:org` (org only)
+
+### Tool Filtering (Optional)
+
+Control which tools are exposed using `MEMORY_JOURNAL_MCP_TOOL_FILTER`:
+
+```bash
+export MEMORY_JOURNAL_MCP_TOOL_FILTER="-analytics,-github"
+```
+
+**Filter Syntax:**
+- `-group` - Disable all tools in a group
+- `-tool` - Disable a specific tool
+- `+tool` - Re-enable after group disable
+- Meta-groups: `starter`, `essential`, `full`, `readonly`
+
+**Example Configurations:**
+
+```json
+{
+  "mcpServers": {
+    "memory-journal-mcp": {
+      "command": "memory-journal-mcp",
+      "env": {
+        "MEMORY_JOURNAL_MCP_TOOL_FILTER": "starter",
+        "GITHUB_TOKEN": "your_token"
+      }
+    }
+  }
+}
+```
+
+| Configuration | Filter String | Tools |
+|---------------|---------------|-------|
+| Starter | `starter` | ~10 |
+| Essential | `essential` | ~6 |
+| Full (default) | `full` | 27 |
+| Read-only | `readonly` | ~20 |
+
+**[Complete tool filtering guide →](https://github.com/neverinfamous/memory-journal-mcp/wiki/Tool-Filtering)**
+
+---
+
+## 📖 Usage Examples
+
+### Create an Entry with GitHub Context
+
+```javascript
+create_entry({
+  content: "Completed Phase 1 of GitHub Projects integration!",
+  entry_type: "technical_achievement",
+  tags: ["github-projects", "milestone"],
+  project_number: 1,
+  significance_type: "technical_breakthrough"
+})
+```
+
+### Create and Manage Backups
+
+```javascript
+// Before major refactoring
+backup_journal({ name: "pre_refactor" })
+
+// Check available backups
+list_backups()
+
+// Restore if needed (creates auto-backup first)
+restore_backup({ filename: "pre_refactor.db", confirm: true })
+```
+
+### Check Server Health
+
+```javascript
+// Fetch the health resource
+// Returns: database stats, backup info, vector index status, tool filter config
+```
+
+### Search and Analyze
+
+```javascript
+// Full-text search
+search_entries({ query: "performance optimization", limit: 5 })
+
+// Semantic search for concepts
+semantic_search({ query: "startup time improvements", limit: 3 })
+
+// Get analytics
+get_statistics({ group_by: "week" })
+```
+
+### Generate Visual Maps
+
+```javascript
+// Visualize entry relationships
+visualize_relationships({
+  entry_id: 55,
+  depth: 2
+})
+```
+
+---
+
+## 🏗️ Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ MCP Server Layer (TypeScript)                               │
+│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────┐  │
+│  │ Tools (27)      │  │ Resources (14)  │  │ Prompts (14)│  │
+│  │ with Annotations│  │ with Annotations│  │             │  │
+│  └─────────────────┘  └─────────────────┘  └─────────────┘  │
+├─────────────────────────────────────────────────────────────┤
+│ Pure JS Stack (No Native Dependencies)                      │
+│  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────┐  │
+│  │ sql.js          │  │ vectra          │  │ transformers│  │
+│  │ (SQLite)        │  │ (Vector Index)  │  │ (Embeddings)│  │
+│  └─────────────────┘  └─────────────────┘  └─────────────┘  │
+├─────────────────────────────────────────────────────────────┤
+│ SQLite Database with Hybrid Search                          │
+│  ┌─────────────────────────────────────────────────────────┐│
+│  │ entries + tags + relationships + embeddings + backups   ││
+│  └─────────────────────────────────────────────────────────┘│
+└─────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## 🔧 Technical Highlights
+
+### Performance & Portability
+- **TypeScript + Pure JS Stack** - No native compilation, works everywhere
+- **sql.js** - SQLite in pure JavaScript with disk sync
+- **vectra** - Vector similarity search without native dependencies
+- **@xenova/transformers** - ML embeddings in JavaScript
+- **Lazy loading** - ML models load on first use, not startup
+
+### Security
+- **Local-first** - All data stored locally, no external API calls (except optional GitHub)
+- **Input validation** - Zod schemas, content size limits, SQL injection prevention
+- **Path traversal protection** - Backup filenames validated
+- **MCP 2025-11-25 annotations** - Behavioral hints (`readOnlyHint`, `destructiveHint`, etc.)
+
+### Data & Privacy
+- **Single SQLite file** - You own your data
+- **Portable** - Move your `.db` file anywhere
+- **Soft delete** - Entries can be recovered
+- **Auto-backup on restore** - Never lose data accidentally
+
+---
+
+## 📚 Documentation & Resources
+
+- **[GitHub Wiki](https://github.com/neverinfamous/memory-journal-mcp/wiki)** - Complete documentation
+- **[Docker Hub](https://hub.docker.com/r/writenotenow/memory-journal-mcp)** - Container images
+- **[npm Package](https://www.npmjs.com/package/memory-journal-mcp)** - Node.js distribution
+- **[Issues](https://github.com/neverinfamous/memory-journal-mcp/issues)** - Bug reports & feature requests
+
+---
+
+## 📄 License
+
+MIT License - See [LICENSE](LICENSE) file for details.
+
+## 🤝 Contributing
+
+Built by developers, for developers. PRs welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+---
+
+*Migrating from v2.x?* Your existing database is fully compatible. The TypeScript version uses the same schema and data format.

package/SECURITY.md

@@ -0,0 +1,200 @@
+# 🔒 Security Guide
+
+The Memory Journal MCP server implements comprehensive security measures to protect your personal journal data.
+
+## 🛡️ **Database Security**
+
+### **WAL Mode Enabled**
+- ✅ **Write-Ahead Logging (WAL)** enabled for better concurrency and crash recovery
+- ✅ **Atomic transactions** ensure data consistency
+- ✅ **Better performance** with concurrent read/write operations
+
+### **Optimized PRAGMA Settings**
+```sql
+PRAGMA foreign_keys = ON          -- Enforce referential integrity
+PRAGMA journal_mode = WAL         -- Enable WAL mode
+PRAGMA synchronous = NORMAL       -- Balance safety and performance
+PRAGMA cache_size = -64000        -- 64MB cache for better performance
+PRAGMA mmap_size = 268435456      -- 256MB memory-mapped I/O
+PRAGMA temp_store = MEMORY        -- Store temp tables in memory
+PRAGMA busy_timeout = 30000       -- 30-second timeout for busy database
+```
+
+### **File Permissions**
+- ✅ **Database files**: `600` (read/write for owner only)
+- ✅ **Data directory**: `700` (full access for owner only)
+- ✅ **Automatic permission setting** on database creation
+
+## 🔐 **Input Validation**
+
+### **Content Limits**
+- **Journal entries**: 50,000 characters maximum
+- **Tags**: 100 characters maximum
+- **Entry types**: 50 characters maximum
+- **Significance types**: 50 characters maximum
+
+### **Character Filtering**
+Dangerous characters are blocked in tags:
+- `<` `>` `"` `'` `&` `\x00`
+
+### **SQL Injection Prevention**
+- ✅ **Parameterized queries** used throughout
+- ✅ **Input validation** before database operations
+- ✅ **Warning system** for potentially dangerous content patterns
+
+## 🐳 **Docker Security**
+
+### **Non-Root User**
+- ✅ **Dedicated user**: `appuser` with minimal privileges
+- ✅ **No shell access**: `/bin/false` shell for security
+- ✅ **Restricted home directory**: `/app/user`
+
+### **File System Security**
+- ✅ **Minimal base image**: `python:3.11-slim`
+- ✅ **Restricted data directory**: `700` permissions
+- ✅ **Volume mounting**: Data persists outside container
+
+### **Container Isolation**
+- ✅ **Process isolation** from host system
+- ✅ **Network isolation** (no external network access needed)
+- ✅ **Resource limits** can be applied via Docker
+
+## 🔍 **Data Privacy**
+
+### **Local-First Architecture**
+- ✅ **No external services**: All processing happens locally
+- ✅ **No telemetry**: No data sent to external servers
+- ✅ **Full data ownership**: SQLite database stays on your machine
+
+### **Context Bundle Security**
+- ✅ **Git context**: Only reads local repository information
+- ✅ **No sensitive data**: Doesn't access private keys or credentials
+- ✅ **Optional GitHub integration**: Only if explicitly configured
+
+## 🚨 **Security Best Practices**
+
+### **For Users**
+1. **Keep Docker updated**: Regularly update Docker and base images
+2. **Secure host system**: Ensure your host machine is secure
+3. **Regular backups**: Back up your `data/` directory
+4. **Monitor logs**: Check container logs for any unusual activity
+5. **Limit access**: Don't expose the container to external networks
+
+### **For Developers**
+1. **Regular updates**: Keep Python and dependencies updated
+2. **Security scanning**: Regularly scan Docker images for vulnerabilities
+3. **Code review**: All database operations use parameterized queries
+4. **Input validation**: All user inputs are validated before processing
+
+## 🔧 **Security Configuration**
+
+### **Environment Variables**
+```bash
+# Database location (should be on secure volume)
+DB_PATH=/app/data/memory_journal.db
+
+# Python path for module resolution
+PYTHONPATH=/app
+```
+
+### **Volume Mounting Security**
+```bash
+# Secure volume mounting
+docker run -v ./data:/app/data:rw,noexec,nosuid,nodev memory-journal-mcp
+```
+
+### **Resource Limits**
+```bash
+# Apply resource limits
+docker run --memory=1g --cpus=1 memory-journal-mcp
+```
+
+## 📋 **Security Checklist**
+
+- [x] WAL mode enabled for database consistency
+- [x] Proper file permissions (600/700)
+- [x] Input validation and length limits
+- [x] Parameterized SQL queries
+- [x] Non-root Docker user
+- [x] Minimal container attack surface
+- [x] Local-first data architecture
+- [x] No external network dependencies
+- [x] Comprehensive error handling
+- [x] Security documentation
+
+## 🚨 **Reporting Security Issues**
+
+If you discover a security vulnerability, please:
+
+1. **Do not** open a public GitHub issue
+2. **Contact** the maintainers privately
+3. **Provide** detailed information about the vulnerability
+4. **Allow** time for the issue to be addressed before public disclosure
+
+## 🔄 **Security Updates**
+
+- **Database maintenance**: Run `ANALYZE` and `PRAGMA optimize` regularly
+- **Container updates**: Rebuild Docker images when base images are updated
+- **Dependency updates**: Keep Python packages updated
+- **Security patches**: Apply host system security updates
+
+### **Recent Security Fixes**
+
+#### **CodeQL #110, #111: URL Substring Sanitization Vulnerability** (Fixed: October 26, 2025)
+- **Issue**: Incomplete URL substring sanitization in GitHub remote URL parsing
+- **Severity**: MEDIUM
+- **Affected Code**: `_extract_repo_owner_from_remote()` function in server.py
+- **Vulnerability Details**:
+  - Used unsafe substring checks: `'github.com' in remote_url` and `'github.com/' in remote_url`
+  - Could allow malicious URLs to bypass hostname validation
+  - Example bypasses: `http://evil.com/github.com/fake/repo` or `http://github.com.evil.com/fake/repo`
+- **Mitigation**:
+  - ✅ **Proper URL Parsing**: Implemented `urllib.parse.urlparse()` for HTTPS/HTTP URLs
+  - ✅ **Exact Hostname Matching**: Validates `parsed.hostname == 'github.com'` (not substring or endswith)
+  - ✅ **SSH URL Validation**: Explicit `startswith('git@github.com:')` check for SSH format
+  - ✅ **Defense in Depth**: Returns `None` for any non-GitHub URLs instead of attempting to parse
+- **Technical Details**:
+  - Vulnerability: CWE-20 (Improper Input Validation)
+  - CodeQL Rule: `py/incomplete-url-substring-sanitization`
+  - Context: Limited impact as this only parses Git remote URLs from local repositories
+  - However, could be exploited if an attacker could manipulate Git config files
+- **Verification**: Review `_extract_repo_owner_from_remote()` function for proper urlparse usage
+- **Impact**: Prevents URL spoofing attacks in repository owner detection
+- **Reference**: [OWASP: SSRF](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) | [CWE-20](https://cwe.mitre.org/data/definitions/20.html)
+
+#### **CVE-2025-58050: PCRE2 Heap Buffer Overflow** (Fixed: October 26, 2025)
+- **Issue**: PCRE2 heap-buffer-overflow read in match_ref due to missing boundary restoration
+- **Severity**: CRITICAL
+- **Affected Package**: pcre2 <10.46-r0
+- **Mitigation**:
+  - ✅ **Alpine Package**: Explicitly upgraded to pcre2=10.46-r0 in Dockerfile
+  - ✅ **Early Installation**: Upgraded in first layer to ensure all subsequent packages use patched version
+  - ✅ **Docker Base Image**: Using Python 3.14-alpine with latest security patches
+- **Technical Details**: 
+  - Vulnerability could allow heap buffer overflow attacks during regex pattern matching
+  - Fixed version restores boundaries correctly in match_ref function
+  - PCRE2 is a system dependency used by various tools including git and grep
+- **Verification**: Run `apk info pcre2` in Alpine container to confirm version ≥10.46-r0
+- **Impact**: Prevents potential remote code execution via malformed regex patterns
+- **Reference**: [CVE-2025-58050](https://avd.aquasec.com/nvd/cve-2025-58050)
+
+#### **CVE-2025-8869: pip Symbolic Link Vulnerability** (Fixed: October 20, 2025)
+- **Issue**: pip missing checks on symbolic link extraction in fallback tar implementation (when Python doesn't implement PEP 706)
+- **Severity**: MEDIUM
+- **Affected Package**: pip <25.0 (with Python versions without PEP 706 support)
+- **Comprehensive Mitigations**:
+  - ✅ **Python Version**: Minimum requirement bumped to 3.10.12+ (all versions ≥3.10.12 implement PEP 706)
+  - ✅ **pip Upgrade**: Explicitly upgrading to pip>=25.0 in all build processes (CI, Docker, local)
+  - ✅ **Docker Base Image**: Using Python 3.14-alpine which fully implements PEP 706
+  - ✅ **CI/CD Pipelines**: Updated to test against minimum Python 3.10.12
+  - ✅ **pyproject.toml**: Enforced minimum Python version requirement
+- **Technical Details**: 
+  - PEP 706 provides secure tar extraction with symlink validation
+  - When Python implements PEP 706, pip uses the secure implementation
+  - Otherwise, pip falls back to its own implementation which had the vulnerability
+  - Our fix addresses both the pip version and underlying Python version
+- **Verification**: Run `pip --version` to confirm pip>=25.0
+- **Impact**: Prevents potential exploitation during package installation via tar extraction
+- **Reference**: [CVE-2025-8869](https://nvd.nist.gov/vuln/detail/CVE-2025-8869) | [PEP 706](https://peps.python.org/pep-0706/)
+
+The Memory Journal MCP server is designed with **security-first principles** to protect your personal journal data while maintaining excellent performance and usability.

package/VERSION

@@ -0,0 +1 @@
+3.0.0

package/dist/cli.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Memory Journal MCP Server - CLI Entry Point
+ */
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;GAEG"}