memory-journal-mcp 6.1.2 → 6.2.1

package/.github/workflows/docs-drift-detector.md

@@ -1,115 +0,0 @@
----
-description: 'Audit README and DOCKER_README for consistency and accuracy on every code PR'
-private: true
-labels: [documentation, automation]
-
-on:
-  pull_request:
-    types: [opened, ready_for_review]
-    paths: ['src/**', 'package.json', 'Dockerfile', 'tsconfig*.json', 'scripts/**']
-
-engine:
-  id: copilot
-  model: claude-opus-4-20250514
-
-network:
-  allowed:
-    - defaults
-
-permissions: read-all
-
-safe-outputs:
-  add-comment:
-    max: 3
-    discussions: false
-  noop:
-    max: 1
-
-timeout-minutes: 15
-concurrency: docs-drift-detector
----
-
-# Documentation Drift Detector
-
-You are auditing documentation for the **memory-journal-mcp** project — a TypeScript MCP server for project context management. Your job is to check if documentation is accurate and consistent with each other and with recent changes.
-
-## Important Rules
-
-- **You are read-only.** Never modify files. Only post comments.
-- **Be specific.** Quote the exact section and line that needs updating.
-- **Don't nitpick.** Focus on factual accuracy and consistency, not style or wording preferences.
-- **If everything looks good, say so.** Post a short ✅ confirmation via noop, don't create noise.
-
-## Step 1: Understand Recent Changes
-
-1. Read the PR diff to understand what code changed.
-2. Read the `UNRELEASED.md` file. **Never read the full `CHANGELOG.md`** — it is very long and only the unreleased section is relevant.
-3. Read the latest release notes file from `releases/` (the one with the highest version number).
-
-## Step 2: Audit README.md
-
-Check the following against the PR diff and unreleased changes:
-
-- **Feature list and tool counts** — are all features described still accurate? Were tools added or removed? Does the tool count match?
-- **Version references** — version badges. Are they stale?
-- **Environment variables** — are all documented env vars still used in the code? Any new ones missing from docs?
-- **Install/usage instructions** — do Docker commands, CLI args, and config examples match the current codebase?
-- **Architecture/stack** — does the described tech stack match `package.json` dependencies?
-- **Error handling** — does the described error handling pattern (ErrorResponse with category, suggestion, recoverable) match the actual implementation?
-
-## Step 3: Audit DOCKER_README.md
-
-Same checks as Step 2, plus:
-
-- **Available Tags table** — does it list the correct latest version?
-- **Docker Compose examples** — are port mappings, volume mounts, and env vars current?
-- **Security notes** — do they match the Dockerfile's actual patches and security measures?
-- **Multi-arch support** — is the platform support list accurate?
-
-## Step 4: Audit CONTRIBUTING.md
-
-- **Directory tree** — does it match the actual `src/` directory structure?
-- **Error handling patterns** — do code examples match the current error hierarchy?
-- **Test instructions** — are test commands and patterns current?
-- **Module organization** — does it accurately describe the barrel export pattern?
-
-## Step 5: Cross-Document Consistency
-
-Compare all documentation files for sections that should match:
-
-- Feature descriptions and tool counts across README.md, DOCKER_README.md
-- Error handling descriptions
-- Environment variable documentation
-- Version numbers
-- Server instructions preamble vs actual `server-instructions.ts`
-
-## Step 6: Report Findings
-
-### If drift is found:
-
-Use the `add-comment` tool to post a PR conversation comment with your findings organized as:
-
-```
-## 📋 Documentation Drift Report
-
-### ⚠️ Drift Detected
-
-**README.md**
-- Line X: [description of issue and suggested fix]
-
-**DOCKER_README.md**
-- Line Y: [description of issue and suggested fix]
-
-**CONTRIBUTING.md**
-- Line Z: [description of issue and suggested fix]
-
-### 🔄 Cross-Document Inconsistencies
-- [description of what doesn't match between docs]
-
-### ✅ Verified Sections
-- [list of sections that are accurate]
-```
-
-### If no drift is found:
-
-Use the noop tool with: "✅ Documentation audit complete — all docs are consistent and accurate with current codebase."

package/.github/workflows/lint-and-test.yml

@@ -1,60 +0,0 @@
-name: Lint and Test
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-permissions:
-  contents: read
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [24.x, 25.x]
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run ESLint
-        run: npm run lint
-
-      - name: Run TypeScript check
-        run: npm run typecheck
-
-      - name: Build
-        run: npm run build
-
-      - name: Run unit tests
-        run: npm run test
-
-  security-scan:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-        with:
-          node-version: '24.x'
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run npm audit
-        run: npm audit --audit-level=moderate

package/.github/workflows/publish-npm.yml

@@ -1,85 +0,0 @@
-name: Publish to NPM
-
-# npm publish is gated behind Docker security checks:
-# - Triggered by docker-publish.yml after Docker Scout + image push succeeds
-# - Manual dispatch available as fallback
-on:
-  workflow_call:
-    secrets:
-      NPM_TOKEN:
-        required: true
-  workflow_dispatch:
-    inputs:
-      version:
-        description: 'Version to publish (must match package.json)'
-        required: false
-        default: ''
-
-permissions:
-  contents: read
-  id-token: write
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    environment:
-      name: npm
-      url: https://www.npmjs.com/package/memory-journal-mcp
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          ref: ${{ github.event.workflow_run.head_sha || github.ref }}
-
-      - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
-        with:
-          node-version: '24.x'
-          registry-url: 'https://registry.npmjs.org'
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Read version
-        id: version
-        run: |
-          VERSION=$(node -p "require('./package.json').version")
-          echo "version=$VERSION" >> $GITHUB_OUTPUT
-          echo "Detected version: $VERSION"
-
-      - name: Check if version already published
-        id: check
-        run: |
-          PKG_VERSION="${{ steps.version.outputs.version }}"
-          PUBLISHED=$(npm view memory-journal-mcp version 2>/dev/null || echo "none")
-          echo "published=$PUBLISHED" >> $GITHUB_OUTPUT
-          if [ "$PUBLISHED" = "$PKG_VERSION" ]; then
-            echo "Version $PKG_VERSION already published, skipping"
-            echo "skip=true" >> $GITHUB_OUTPUT
-          else
-            echo "Publishing version $PKG_VERSION (current published: $PUBLISHED)"
-            echo "skip=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Build package
-        if: steps.check.outputs.skip != 'true'
-        run: npm run build
-
-      - name: Publish to NPM
-        if: steps.check.outputs.skip != 'true'
-        run: npm publish --access public --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      - name: Verify publication
-        if: steps.check.outputs.skip != 'true'
-        run: |
-          sleep 10
-          PUBLISHED=$(npm view memory-journal-mcp version)
-          EXPECTED="${{ steps.version.outputs.version }}"
-          echo "Published: $PUBLISHED | Expected: $EXPECTED"
-          if [ "$PUBLISHED" != "$EXPECTED" ]; then
-            echo "::warning::Version mismatch after publish"
-          fi

package/.github/workflows/secrets-scanning.yml

@@ -1,32 +0,0 @@
-name: Secret Scanning
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-permissions:
-  contents: read
-
-jobs:
-  secrets:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: TruffleHog Secret Scanning
-        uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3.93.8
-        with:
-          path: ./
-          base: ${{ github.event.before || 'HEAD~1' }}
-          head: HEAD
-          extra_args: --only-verified
-
-      - name: GITLEAKS Secret Scanning
-        uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/.github/workflows/security-update.yml

@@ -1,127 +0,0 @@
-name: Security Update Check
-
-on:
-  schedule:
-    # Run weekly on Sundays at 2 AM UTC
-    - cron: '0 2 * * 0'
-  push:
-    branches: [main]
-    paths:
-      - 'Dockerfile'
-      - 'package.json'
-      - 'package-lock.json'
-      - '.trivyignore'
-  pull_request:
-    branches: [main]
-    paths:
-      - 'Dockerfile'
-      - 'package.json'
-      - 'package-lock.json'
-  workflow_dispatch:
-
-permissions:
-  contents: write
-  pull-requests: write
-  security-events: write
-  issues: write
-
-jobs:
-  security-scan:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Build image for scanning
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
-        with:
-          context: .
-          file: Dockerfile
-          tags: security-test:latest
-          load: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      # Run SARIF scan first (non-blocking) to always generate the file
-      - name: Run Trivy scanner for SARIF output
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
-        with:
-          image-ref: security-test:latest
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          exit-code: '0'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH,MEDIUM'
-          trivyignores: '.trivyignore'
-          skip-dirs: '/usr/local/lib/node_modules/npm'
-
-      - name: Upload Trivy scan results
-        uses: github/codeql-action/upload-sarif@f0213c31c702f929cf06ddb900ac315d246a8997 # v4.33.0
-        if: always() && hashFiles('trivy-results.sarif') != ''
-        with:
-          sarif_file: 'trivy-results.sarif'
-
-      # Run table scan (blocking) after SARIF is uploaded
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
-        with:
-          image-ref: security-test:latest
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH,MEDIUM'
-          trivyignores: '.trivyignore'
-          skip-dirs: '/usr/local/lib/node_modules/npm'
-
-      - name: Create security issue if vulnerabilities found
-        if: failure()
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        with:
-          script: |
-            const title = '🚨 Security vulnerabilities detected in Docker images'
-
-            // Check for existing open issue with same title to avoid duplicates
-            const { data: existing } = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'security,vulnerability,docker',
-              per_page: 10,
-            })
-            if (existing.some(issue => issue.title === title)) {
-              console.log('Open security issue already exists — skipping creation')
-              return
-            }
-
-            github.rest.issues.create({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              title,
-              body: `
-              ## Security Alert
-
-              Trivy has detected security vulnerabilities in our Docker images.
-
-              **Action Required:**
-              1. Review the security scan results in the Actions tab
-              2. Update base images and dependencies
-              3. Test the fixes
-              4. Deploy updated images
-
-              **Scan Details:**
-              - Workflow run: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-              - Triggered by: Weekly security scan
-              - Scan Date: ${{ github.event.schedule || 'Manual trigger' }}
-
-              **Next Steps:**
-              - [ ] Review vulnerability details
-              - [ ] Update Dockerfiles
-              - [ ] Test changes
-              - [ ] Deploy fixes
-              `,
-              labels: ['security', 'vulnerability', 'docker']
-            })

package/.gitleaks.toml

@@ -1,9 +0,0 @@
-# Gitleaks Configuration
-# https://github.com/gitleaks/gitleaks#configuration
-
-title = "memory-journal-mcp gitleaks config"
-
-# Allowlist for known false positives in test fixtures
-[allowlist]
-  description = "Test fixtures containing intentionally fake secrets"
-  paths = []

package/.prettierignore

@@ -1,21 +0,0 @@
-# Build output
-dist/
-build/
-
-# Dependencies
-node_modules/
-
-# Package manager files
-package-lock.json
-pnpm-lock.yaml
-
-# Logs
-*.log
-
-# Generated
-*.min.js
-*.min.css
-
-# Database files
-*.db
-*.sqlite

package/.prettierrc

@@ -1,33 +0,0 @@
-{
-    "semi": false,
-    "singleQuote": true,
-    "tabWidth": 4,
-    "useTabs": false,
-    "trailingComma": "es5",
-    "printWidth": 100,
-    "bracketSpacing": true,
-    "arrowParens": "always",
-    "endOfLine": "auto",
-    "proseWrap": "preserve",
-    "overrides": [
-        {
-            "files": ["*.json", "*.jsonc"],
-            "options": {
-                "tabWidth": 4
-            }
-        },
-        {
-            "files": ["*.yaml", "*.yml"],
-            "options": {
-                "tabWidth": 2
-            }
-        },
-        {
-            "files": ["*.md"],
-            "options": {
-                "tabWidth": 2,
-                "proseWrap": "preserve"
-            }
-        }
-    ]
-}

package/.scout-ignore

@@ -1,12 +0,0 @@
-# Docker Scout CVE Ignore File
-# See: https://docs.docker.com/scout/explore/cve-ignorelist/
-#
-# Only include CVEs with NO upstream fix available
-
-# Alpine zlib - Critical severity, but NO FIX VERSION RELEASED by Alpine yet
-# zlib 1.3.1.3 contains the fix but Alpine hasn't packaged it
-CVE-2026-22184
-
-# Alpine busybox - wget CRLF injection (MEDIUM)
-# Patch submitted to busybox upstream but not in a release yet
-CVE-2025-60876

package/.trivyignore

@@ -1,21 +0,0 @@
-# Trivy CVE Ignore List for memory-journal-mcp
-# Add CVEs here that are:
-# 1. False positives
-# 2. Upstream issues with no fix available
-# 3. Not applicable to our use case
-
-# Format: CVE-YYYY-NNNNN
-
-# libexpat — No attack surface. This project is TypeScript/Node.js and does not
-# parse untrusted XML/DTD content. libexpat is a transitive Alpine system dependency.
-
-# CRITICAL — Mislabeled/poisoned CVE (supply chain data corruption in advisory feed).
-# Description is a SiYuan Note application-level authorization bypass (Go web app)
-# that was incorrectly attributed to the libexpat package. Not a real libexpat vuln.
-CVE-2026-32767
-
-# MEDIUM — DoS via infinite loop in DTD content parsing. No XML attack surface.
-CVE-2026-32777
-
-# MEDIUM — DoS via NULL pointer dereference after OOM. No XML attack surface.
-CVE-2026-32778