memory-journal-mcp 6.1.2 → 6.2.1

package/.github/workflows/dependency-maintenance.md

@@ -1,147 +0,0 @@
----
-description: 'Automated dependency maintenance — npm, Docker transitive deps, Alpine packages, and validation (no version bump)'
-private: true
-labels: [dependencies, automation, maintenance]
-
-on:
-  schedule:
-    - cron: '0 14 * * 1' # Every Monday at 14:00 UTC
-  workflow_dispatch:
-
-engine:
-  id: copilot
-  model: claude-opus-4-20250514
-
-runtimes:
-  node:
-    version: '24'
-
-network:
-  allowed:
-    - defaults
-    - node
-
-permissions: read-all
-
-safe-outputs:
-  create-pull-request:
-    title-prefix: '[deps] '
-    labels: [dependencies, automated]
-    reviewers: [neverinfamous]
-    draft: false
-    max: 1
-    expires: 14
-    fallback-as-issue: true
-    if-no-changes: 'ignore'
-
-timeout-minutes: 30
-concurrency: dependency-maintenance
----
-
-# Dependency Maintenance Agent
-
-You are maintaining the **memory-journal-mcp** project — a TypeScript MCP server for project context management with SQLite, semantic search, and GitHub integration. Built with Node.js 24. Your job is to batch-update all dependencies across npm, Docker, and system layers, run validation, and create a single PR with all changes.
-
-**This workflow does NOT bump versions or create releases.** It only updates dependencies and validates the build. Version bumps and releases are handled separately by the maintainer.
-
-## Important Rules
-
-- **Only act on actual command output.** Never guess package versions.
-- **If nothing is outdated and no Dockerfile patches are needed, exit cleanly.** Do not create a PR with no changes.
-- **Dockerfile `npm pack` patches must stay within the same major version line** as npm's bundled dependencies (e.g., diff@8.x, tar@7.x, minimatch@10.x).
-- **Keep `package.json` overrides in sync with Dockerfile `npm pack` versions** — use **exact version pins** (e.g., `"10.2.4"` not `"^10.2.4"`) to prevent lockfile drift.
-
-## Step 1: Check for Outdated Packages
-
-Run `npm outdated --json` to see what's available. If nothing is outdated, note this and proceed to check Dockerfile patches (Step 3). Do not stop here — Dockerfile transitive deps may still need attention.
-
-## Step 2: Update npm Packages
-
-1. Run `npm update` to update packages within their semver ranges.
-2. For packages where `wanted` equals `current` but `latest` is newer (beyond the caret range), install them explicitly: `npm install <package>@latest` for each.
-3. **`0.x` caret-range edge case**: `npm update` respects semver but **will not cross minor boundaries for `0.x` packages** (e.g., `^0.12.3` won't resolve `0.13.0`). Update the version range in `package.json` and run `npm install`.
-4. **Skip intentionally pinned packages** where "Latest" on npm is actually a downgrade or incompatible:
-   - Pre-release/canary pins
-   - Exact-version pins where `Current` equals `Wanted` but differs from `Latest`
-5. Run `npm audit`. If vulnerabilities are found, run `npm audit fix`. If unfixable via audit, check if `overrides` in `package.json` can pin transitive deps to patched versions.
-
-After excluding intentional pins, `npm outdated` should show only expected pins (or nothing).
-
-## Step 3: Audit Dockerfile Transitive Dependencies
-
-> **This is the critical step that prevents Docker Scout blocks at deploy time.**
-
-Parse the project's `Dockerfile` for all `npm pack <package>@<version>` lines. These are manually patched npm-bundled packages (the P111 lifecycle pattern). For each package found:
-
-1. Determine the major version line being used (e.g., `tar@7.5.11` → major line 7).
-2. Check the latest version in that major line: `npm view <package>@<major> version`.
-3. If a newer patch/minor version exists in the same major line, update **all of**:
-   - The `npm pack <package>@<new_version>` lines in **both** Dockerfile stages (builder + runtime)
-   - The corresponding `overrides` entry in `package.json` (use exact version pins)
-   - The CVE/GHSA comment above each `RUN` block
-4. After updating overrides, run `npm install --package-lock-only` to sync the lockfile.
-
-Common packages to check: `diff`, `tar`, `minimatch`, `brace-expansion`.
-
-## Step 4: Check Alpine System Packages
-
-If the Dockerfile uses `--repository=https://dl-cdn.alpinelinux.org/alpine/edge/main` for specific packages (e.g., `curl`, `libexpat`, `zlib`), verify these are still the latest by checking Alpine edge package versions.
-
-## Step 5: Validate
-
-Run all validation gates. **All must pass before proceeding:**
-
-```bash
-npm run lint
-npm run typecheck
-npm test
-npx prettier --write .
-```
-
-If lint or typecheck fails, attempt to fix the issues. If unfixable, report the errors in the PR description and create the PR anyway (as draft).
-
-## Step 6: npm Audit Report
-
-Run `npm audit` one final time and capture the output. Include the result (clean or vulnerability count) in the PR description.
-
-## Step 7: Patch Version Bump
-
-Read the current version from `package.json`. Bump the **patch** version only (e.g., `5.1.1` → `5.1.2`). Dependency-only updates are always patch bumps. **Never bump minor or major versions** — those are reserved for the maintainer.
-
-Update version references in:
-
-- `package.json` (`"version"` field)
-- Run `npm install --package-lock-only` to sync `package-lock.json`
-- `README.md` (version badge if present)
-- `DOCKER_README.md` (version badge if present, Available Tags table)
-- `Dockerfile` (`LABEL version=` line)
-- `server.json` (top-level `version`, package `version`, and OCI `identifier` tag if present)
-
-**Verify no version references were missed.** Search for the OLD version number across the project (excluding `node_modules`, `CHANGELOG.md`, `releases/`, and `package-lock.json`). If any matches appear, update them.
-
-## Step 8: Update Unreleased Log and Create Release Notes
-
-1. Add dependency updates to `UNRELEASED.md`:
-   - Under `### Security` for CVE/advisory fixes
-   - Under `### Changed` → `**Dependency Updates**` for routine version bumps
-   - **Do NOT create duplicate section headers** — check if sections already exist first
-2. Run `node scripts/compile-changelog.js` to automatically compile `UNRELEASED.md` into `CHANGELOG.md`.
-3. Create `releases/vX.Y.Z.md` with condensed highlights:
-   - Highlights (top 3-5 bullet points)
-   - Categorized sections (Security, Changed)
-   - Footer with compare link and install commands (`npm install memory-journal-mcp@X.Y.Z`)
-
-## Step 9: Commit and Create PR
-
-1. Stage all changes: `git add -A`
-2. Commit with message: `vX.Y.Z - Dependency updates and security patches`
-3. Create the PR via safe-output with a description that includes:
-   - The new version number
-   - A **summary table** of all version changes (package | from | to)
-   - Which Dockerfile patches were updated (if any)
-   - Alpine package status
-   - `npm audit` results
-   - Validation results (lint, typecheck, test, prettier)
-   - CHANGELOG entries added
-
-The PR will be reviewed by Copilot and CI checks. After merge, a separate `auto-release.yml` workflow creates the git tag and GitHub release, which triggers npm publish and Docker image build.

package/.github/workflows/docker-publish.yml

@@ -1,254 +0,0 @@
-name: Build and Push Docker Images
-
-on:
-  # Only run after lint-and-test completes successfully
-  workflow_run:
-    workflows: ['Lint and Test']
-    types: [completed]
-    branches: [main]
-
-env:
-  REGISTRY: docker.io
-  IMAGE_NAME: writenotenow/memory-journal-mcp
-
-permissions:
-  contents: read
-  packages: write
-  security-events: write
-  pull-requests: write
-  id-token: write
-  attestations: write
-
-jobs:
-  # Security scan BEFORE any images are pushed
-  # This ensures no vulnerable images reach Docker Hub
-  security-scan:
-    if: github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      security-events: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Build image for scanning (local only)
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
-        with:
-          context: .
-          file: Dockerfile
-          platforms: linux/amd64
-          push: false
-          load: true
-          tags: local-scan:latest
-          cache-from: type=gha,scope=linux/amd64
-          cache-to: type=gha,scope=linux/amd64,mode=max
-
-      - name: Log in to Docker Hub (for Scout)
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Docker Scout security scan
-        uses: docker/scout-action@1128f02d1e60f339af7306e0e62b9fdc13d9fab9 # v1.20.2
-        timeout-minutes: 10
-        with:
-          command: cves
-          image: local-scan:latest
-          only-fixed: true
-          only-severities: critical,high
-          exit-code: true
-
-  # Build each platform on native architecture (only runs if security scan passes)
-  build-platform:
-    needs: [security-scan]
-    if: always() && needs.security-scan.result == 'success' && github.event_name != 'pull_request'
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-
-    runs-on: ${{ matrix.runner }}
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-
-    outputs:
-      version: ${{ steps.version.outputs.version }}
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Read version from package.json
-        id: version
-        run: |
-          VERSION=$(grep -oP '"version":\s*"\K[0-9.]+' package.json | head -1)
-          if [ -z "$VERSION" ]; then
-            VERSION="1.0.0"
-          fi
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "Detected version: $VERSION"
-
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          flavor: |
-            latest=false
-            suffix=-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
-          tags: |
-            type=sha,prefix=sha-,format=short
-
-      - name: Build and push platform image
-        id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
-        with:
-          context: .
-          file: Dockerfile
-          platforms: ${{ matrix.platform }}
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha,scope=${{ matrix.platform }}
-          cache-to: type=gha,scope=${{ matrix.platform }},mode=max
-          provenance: mode=max
-          sbom: true
-
-      - name: Export digest
-        run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
-        with:
-          name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  # Merge platform images into multi-arch manifest
-  merge-and-push:
-    runs-on: ubuntu-latest
-    needs: [build-platform]
-    if: always() && needs.build-platform.result == 'success' && github.event_name != 'pull_request'
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-      deployments: write
-
-    environment:
-      name: ${{ github.ref == 'refs/heads/main' && 'production' || '' }}
-      url: https://hub.docker.com/r/writenotenow/memory-journal-mcp
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          path: /tmp/digests
-          pattern: digests-*
-          merge-multiple: true
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Read version
-        id: version
-        run: |
-          VERSION=$(grep -oP '"version":\s*"\K[0-9.]+' package.json | head -1)
-          if [ -z "$VERSION" ]; then
-            VERSION="1.0.0"
-          fi
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-
-      - name: Extract metadata for manifest
-        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          flavor: |
-            latest=false
-          tags: |
-            type=raw,value=v${{ steps.version.outputs.version }},enable=${{ github.event.workflow_run.head_branch == 'main' }}
-            type=raw,value=latest,enable=${{ github.event.workflow_run.head_branch == 'main' }}
-            type=sha,prefix=sha-,format=short
-
-      - name: Create and push manifest
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
-
-      - name: Inspect manifest
-        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
-
-      # Update Docker Hub description
-      - name: Update Docker Hub Description
-        if: github.ref == 'refs/heads/main'
-        uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5
-        continue-on-error: true
-        timeout-minutes: 5
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-          repository: ${{ env.IMAGE_NAME }}
-          readme-filepath: ./DOCKER_README.md
-          short-description: 'MCP Server — Persistent AI Project Memory with GitHub Integration, Knowledge Graphs & Search.'
-
-      - name: Deployment Summary
-        if: github.ref == 'refs/heads/main'
-        run: |
-          echo "✅ Successfully published Docker images to production"
-          echo "🐳 Registry: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
-          echo "🏷️ Tags: ${{ steps.meta.outputs.tags }}"
-          echo "📝 Commit: ${{ github.sha }}"
-          echo "👤 Published by: ${{ github.actor }}"
-
-  # Publish to npm AFTER Docker images are successfully pushed
-  # This ensures npm and Docker releases are always in sync:
-  # - If Docker Scout blocks → npm doesn't publish → no burned version
-  # - If Lint/Test fails → nothing publishes
-  npm-publish:
-    needs: [merge-and-push]
-    if: always() && needs.merge-and-push.result == 'success' && github.event.workflow_run.head_branch == 'main'
-    uses: ./.github/workflows/publish-npm.yml
-    secrets:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}