memory-journal-mcp 6.1.0 → 6.1.2

package/.github/workflows/docker-publish.yml

@@ -32,8 +32,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.workflow_run.head_sha }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
@@ -93,8 +91,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.workflow_run.head_sha }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
@@ -175,8 +171,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.workflow_run.head_sha }}
 
       - name: Download digests
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1

package/CHANGELOG.md

@@ -5,7 +5,28 @@ All notable changes to Memory Journal MCP will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/neverinfamous/memory-journal-mcp/compare/v6.1.0...HEAD)
+## [Unreleased](https://github.com/neverinfamous/memory-journal-mcp/compare/v6.1.2...HEAD)
+
+## [6.1.2](https://github.com/neverinfamous/memory-journal-mcp/releases/tag/v6.1.2) - 2026-03-22
+
+### Security
+
+- **Docker Workflow** — Removed `ref: ${{ github.event.workflow_run.head_sha }}` from `docker-publish.yml` checkout steps; CodeQL does not accept `persist-credentials: false` as mitigation for untrusted-checkout alerts (#145, #146, #161).
+
+### Fixed
+
+- **Unused Import** — Removed orphaned `jose` import from `entries-auth-branches.test.ts` (#162), cascading from v6.1.1 `err` variable removal.
+
+## [6.1.1](https://github.com/neverinfamous/memory-journal-mcp/releases/tag/v6.1.1) - 2026-03-22
+
+### Security
+
+- **Docker Workflow Hardening** — Removed explicit `ref: ${{ github.event.workflow_run.head_sha }}` from `docker-publish.yml` checkout steps to resolve CodeQL "untrusted checkout in trusted context" alerts (#145, #146, #147). The workflow only triggers on completed `Lint and Test` runs on main, so the default checkout is safe.
+
+### Fixed
+
+- **Useless Assignment** — Removed dead initial assignment `= 'unknown'` on `status` variable in `github-section.ts` (#148).
+- **Unused Variables** — Removed 12 unused variables, imports, and constants across test files flagged by CodeQL (#149–#160).
 
 ## [6.1.0](https://github.com/neverinfamous/memory-journal-mcp/releases/tag/v6.1.0) - 2026-03-22
 

package/DOCKER_README.md

@@ -8,7 +8,7 @@
 [![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](https://github.com/neverinfamous/memory-journal-mcp/blob/main/SECURITY.md)
 [![GitHub Stars](https://img.shields.io/github/stars/neverinfamous/memory-journal-mcp?style=social)](https://github.com/neverinfamous/memory-journal-mcp)
 [![TypeScript](https://img.shields.io/badge/TypeScript-Strict-blue.svg)](https://github.com/neverinfamous/memory-journal-mcp)
-![Coverage](https://img.shields.io/badge/Coverage-96.21%25-brightgreen.svg)
+![Coverage](https://img.shields.io/badge/Coverage-96.1%25-brightgreen.svg)
 ![Tests](https://img.shields.io/badge/Tests-1679_passed-brightgreen.svg)
 ![E2E Tests](https://img.shields.io/badge/E2E_Tests-247_passed-brightgreen.svg)
 

package/README.md

@@ -10,7 +10,7 @@
 [![MCP Registry](https://img.shields.io/badge/MCP_Registry-Published-green)](https://registry.modelcontextprotocol.io/v0/servers?search=io.github.neverinfamous/memory-journal-mcp)
 [![Security](https://img.shields.io/badge/Security-Enhanced-green.svg)](SECURITY.md)
 [![TypeScript](https://img.shields.io/badge/TypeScript-Strict-blue.svg)](https://github.com/neverinfamous/memory-journal-mcp)
-![Coverage](https://img.shields.io/badge/Coverage-96.21%25-brightgreen.svg)
+![Coverage](https://img.shields.io/badge/Coverage-96.1%25-brightgreen.svg)
 ![Tests](https://img.shields.io/badge/Tests-1679_passed-brightgreen.svg)
 ![E2E Tests](https://img.shields.io/badge/E2E_Tests-247_passed-brightgreen.svg)
 

package/dist/{chunk-MVKEP3QZ.js → chunk-HCEWINSB.js}

@@ -3338,7 +3338,7 @@ async function fetchCiStatus(github, owner, repo, config) {
     const runs = await github.getWorkflowRuns(owner, repo, runLimit);
     if (runs.length === 0) return { status: "unknown" };
     const latestRun = runs[0];
-    let status = "unknown";
+    let status;
     if (!latestRun) {
       status = "unknown";
     } else if (latestRun.status !== "completed") {

package/dist/cli.js

@@ -1,4 +1,4 @@
-import { VERSION, createServer } from './chunk-MVKEP3QZ.js';
+import { VERSION, createServer } from './chunk-HCEWINSB.js';
 import { logger } from './chunk-X4SWFATC.js';
 import './chunk-OKOVZ5QE.js';
 import { Command } from 'commander';

package/dist/index.js

@@ -1,4 +1,4 @@
-export { META_GROUPS, TOOL_GROUPS, VERSION, calculateTokenSavings, createServer, filterTools, getAllToolNames, getFilterSummary, getToolFilterFromEnv, getToolGroup, isToolEnabled, parseToolFilter } from './chunk-MVKEP3QZ.js';
+export { META_GROUPS, TOOL_GROUPS, VERSION, calculateTokenSavings, createServer, filterTools, getAllToolNames, getFilterSummary, getToolFilterFromEnv, getToolGroup, isToolEnabled, parseToolFilter } from './chunk-HCEWINSB.js';
 export { logger } from './chunk-X4SWFATC.js';
 import './chunk-OKOVZ5QE.js';
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "memory-journal-mcp",
-    "version": "6.1.0",
+    "version": "6.1.2",
     "description": "Project context management for AI-assisted development - Persistent knowledge graphs and intelligent context recall across fragmented AI threads",
     "type": "module",
     "main": "dist/index.js",

package/releases/v6.1.1.md

@@ -0,0 +1,30 @@
+# v6.1.1 — CodeQL Security & Hygiene Patch
+
+Resolves 16 CodeQL alerts introduced with the v6.1.0 scan: 3 medium (Docker workflow), 1 warning (useless assignment), 12 notes (unused variables in tests).
+
+## Highlights
+
+- **Docker Workflow Hardening** — Removed explicit `ref: ${{ github.event.workflow_run.head_sha }}` from checkout steps to resolve "untrusted checkout in trusted context" alerts
+- **Dead Code Removal** — Cleaned up 12 unused variables, imports, and constants across test files
+- **Source Hygiene** — Removed useless initial assignment in `github-section.ts`
+
+## Security
+
+- Remove `ref:` from `docker-publish.yml` checkout steps (#145, #146, #147) — workflow only triggers on main via `workflow_run`, so default checkout is safe
+
+## Fixed
+
+- Remove dead `= 'unknown'` initializer on `status` in `github-section.ts` (#148)
+- Remove 12 unused variables/imports across test and utility files (#149–#160)
+
+---
+
+**Compare**: [`v6.1.0...v6.1.1`](https://github.com/neverinfamous/memory-journal-mcp/compare/v6.1.0...v6.1.1)
+
+```bash
+npm install -g memory-journal-mcp@6.1.1
+```
+
+```bash
+docker pull writenotenow/memory-journal-mcp:v6.1.1
+```

package/releases/v6.1.2.md

@@ -0,0 +1,23 @@
+# v6.1.2 — CodeQL Cleanup (Follow-up)
+
+Resolves 4 remaining CodeQL alerts from v6.1.1: 3 Docker workflow untrusted-checkout and 1 unused import.
+
+## Security
+
+- Remove `ref: ${{ github.event.workflow_run.head_sha }}` from `docker-publish.yml` checkout steps — CodeQL does not accept `persist-credentials: false` as mitigation (#145, #146, #161)
+
+## Fixed
+
+- Remove orphaned `jose` import from `entries-auth-branches.test.ts` (#162), cascading from v6.1.1 `err` variable removal
+
+---
+
+**Compare**: [`v6.1.1...v6.1.2`](https://github.com/neverinfamous/memory-journal-mcp/compare/v6.1.1...v6.1.2)
+
+```bash
+npm install -g memory-journal-mcp@6.1.2
+```
+
+```bash
+docker pull writenotenow/memory-journal-mcp:v6.1.2
+```

package/server.json

@@ -3,12 +3,12 @@
     "name": "io.github.neverinfamous/memory-journal-mcp",
     "title": "Memory Journal MCP",
     "description": "Persistent knowledge graphs and intelligent context recall across AI threads",
-    "version": "6.1.0",
+    "version": "6.1.2",
     "packages": [
         {
             "registryType": "oci",
-            "identifier": "docker.io/writenotenow/memory-journal-mcp:v6.1.0",
-            "version": "6.1.0",
+            "identifier": "docker.io/writenotenow/memory-journal-mcp:v6.1.2",
+            "version": "6.1.2",
             "transport": {
                 "type": "stdio"
             }

package/src/handlers/resources/core/briefing/github-section.ts

@@ -128,7 +128,7 @@ async function fetchCiStatus(
         if (runs.length === 0) return { status: 'unknown' }
 
         const latestRun = runs[0]
-        let status: CiResult['status'] = 'unknown'
+        let status: CiResult['status']
         if (!latestRun) {
             status = 'unknown'
         } else if (latestRun.status !== 'completed') {

package/test-server/test-tool-annotations.mjs

@@ -1,5 +1,4 @@
 import { spawn } from 'child_process'
-import { join } from 'path'
 
 const projectDir = 'C:\\Users\\chris\\Desktop\\memory-journal-mcp'
 const proc = spawn('node', ['dist/cli.js', '--instruction-level', 'essential'], {

package/tests/database/entries-auth-branches.test.ts

@@ -9,7 +9,6 @@
  */
 
 import { describe, it, expect, vi, beforeEach } from 'vitest'
-import * as jose from 'jose'
 import Database from 'better-sqlite3'
 
 vi.mock('../../src/utils/logger.js', () => ({
@@ -129,7 +128,6 @@ describe('TokenValidator — branch coverage', () => {
         })
 
         it('should handle JWTExpired', async () => {
-            const err = new jose.errors.JWTExpired('expired')
             // Access private handleValidationError via validate path
             const result = await validator.validate('invalid.token.here')
             expect(result.valid).toBe(false)

package/tests/e2e/helpers.ts

@@ -15,8 +15,6 @@ import { type ChildProcess, spawn } from 'node:child_process'
 import { setTimeout as delay } from 'node:timers/promises'
 import { join } from 'node:path'
 
-const BASE_URL = 'http://localhost:3100/mcp'
-
 /**
  * Create and connect a Streamable HTTP MCP client.
  * Caller is responsible for calling client.close() in afterAll.

package/tests/e2e/session-advanced.spec.ts

@@ -19,8 +19,6 @@ test.describe('Advanced Session Management', () => {
             { capabilities: {} }
         )
 
-        let sseSessionId: string | undefined
-
         try {
             await sseClient.connect(sseTransport)
 

package/tests/filtering/tool-filter.test.ts

@@ -4,7 +4,7 @@
  * Tests the tool filtering system: groups, meta-groups, parsing, filtering.
  */
 
-import { describe, it, expect, vi, afterEach } from 'vitest'
+import { describe, it, expect, afterEach } from 'vitest'
 import {
     TOOL_GROUPS,
     META_GROUPS,

package/tests/handlers/error-path-coverage.test.ts

@@ -9,7 +9,7 @@
  * - admin.ts: error catches
  */
 
-import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest'
+import { describe, it, expect, beforeAll, afterAll } from 'vitest'
 import { callTool } from '../../src/handlers/tools/index.js'
 import { DatabaseAdapter } from '../../src/database/sqlite-adapter/index.js'
 

package/tests/handlers/resource-handlers.test.ts

@@ -28,7 +28,7 @@ describe('Resource Handlers', () => {
             projectNumber: 42,
             issueNumber: 7,
         })
-        const e3 = db.createEntry({
+        db.createEntry({
             content: 'Resource test entry gamma',
             prNumber: 15,
         })

package/tests/security/sql-injection.test.ts

@@ -48,18 +48,6 @@ const INJECTION_PAYLOADS = [
     "'; load_extension('malicious.so'); --",
 ]
 
-/**
- * Safe inputs that should be accepted
- */
-const SAFE_INPUTS = [
-    'Normal search query',
-    "It's a valid apostrophe",
-    'SELECT is just a word here',
-    'test@email.com',
-    '100% success rate',
-    'user_name with underscore',
-]
-
 // ============================================================================
 // Security Utility Tests
 // ============================================================================

package/tests/transports/http-legacy-sse.test.ts

@@ -10,7 +10,7 @@ import { describe, it, expect, vi, beforeEach } from 'vitest'
 // Hoisted mocks
 // ============================================================================
 
-const { MockSSEServerTransport, mockHandlePostMessage } = vi.hoisted(() => {
+const { MockSSEServerTransport } = vi.hoisted(() => {
     const handlePostMessage = vi.fn().mockResolvedValue(undefined)
 
     class SSEMock {

package/tests/transports/http-stateful.test.ts

@@ -11,36 +11,34 @@ import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
 // Hoisted mocks
 // ============================================================================
 
-const { mockHandleRequest, mockTransportClose, MockStreamableHTTPServerTransport } = vi.hoisted(
-    () => {
-        const handleRequest = vi.fn().mockResolvedValue(undefined)
-        const transportClose = vi.fn().mockResolvedValue(undefined)
-
-        class StreamableMock {
-            sessionId = 'test-session-id'
-            handleRequest = handleRequest
-            close = transportClose
-            onclose: (() => void) | null = null
-
-            constructor(opts?: {
-                sessionIdGenerator?: () => string
-                onsessioninitialized?: (sid: string) => void
-            }) {
-                this.sessionId = opts?.sessionIdGenerator?.() ?? 'test-session-id'
-                if (opts?.onsessioninitialized) {
-                    // Auto-fire after construction to simulate SDK behavior
-                    setTimeout(() => opts.onsessioninitialized?.(this.sessionId), 0)
-                }
+const { mockHandleRequest, MockStreamableHTTPServerTransport } = vi.hoisted(() => {
+    const handleRequest = vi.fn().mockResolvedValue(undefined)
+    const transportClose = vi.fn().mockResolvedValue(undefined)
+
+    class StreamableMock {
+        sessionId = 'test-session-id'
+        handleRequest = handleRequest
+        close = transportClose
+        onclose: (() => void) | null = null
+
+        constructor(opts?: {
+            sessionIdGenerator?: () => string
+            onsessioninitialized?: (sid: string) => void
+        }) {
+            this.sessionId = opts?.sessionIdGenerator?.() ?? 'test-session-id'
+            if (opts?.onsessioninitialized) {
+                // Auto-fire after construction to simulate SDK behavior
+                setTimeout(() => opts.onsessioninitialized?.(this.sessionId), 0)
             }
         }
+    }
 
-        return {
-            mockHandleRequest: handleRequest,
-            mockTransportClose: transportClose,
-            MockStreamableHTTPServerTransport: StreamableMock,
-        }
+    return {
+        mockHandleRequest: handleRequest,
+        mockTransportClose: transportClose,
+        MockStreamableHTTPServerTransport: StreamableMock,
     }
-)
+})
 
 vi.mock('@modelcontextprotocol/sdk/server/streamableHttp.js', () => ({
     StreamableHTTPServerTransport: MockStreamableHTTPServerTransport,

package/tests/transports/http-transport.test.ts

@@ -13,8 +13,6 @@ import { describe, it, expect, vi, beforeEach } from 'vitest'
 // ============================================================================
 
 const {
-    mockHandleRequest,
-    mockTransportClose,
     mockRoutes,
     mockMiddlewares,
     mockApp,