memory-journal-mcp 6.1.2 → 6.2.1

package/releases/v4.3.1.md

@@ -1,69 +0,0 @@
-# v4.3.1 - OutputSchema Fix & CVE Remediations
-
-Released: February 5, 2026
-
-## Highlights
-
-- **OutputSchema Fix** — Fixed `get_cross_project_insights` validation error on empty results
-- **Security Patches** — Remediated 3 CVEs in Docker image (libexpat CRITICAL, tar HIGH)
-- **Dependency Updates** — MCP SDK 1.26.0 and other updates
-
----
-
-## Fixed
-
-### `get_cross_project_insights` OutputSchema Validation
-
-When no projects met the minimum entry threshold, the tool returned only `message` and `projects` fields, failing outputSchema validation.
-
-**Now returns all required fields:**
-
-- `project_count: 0`
-- `total_entries: 0`
-- `inactive_projects: []`
-- `time_distribution: []`
-- `message` (with explanation)
-- `projects: []`
-
----
-
-## Security
-
-### CVE-2026-24515 (libexpat) — CRITICAL
-
-Null pointer dereference vulnerability. Fixed by explicitly installing libexpat from Alpine edge repositories in Dockerfile.
-
-### CVE-2026-25210 (libexpat) — MEDIUM
-
-Integer overflow leading to information disclosure. Same fix as CVE-2026-24515.
-
-### CVE-2026-24842 (tar) — HIGH
-
-Path traversal vulnerability in npm's bundled tar package. Updated from 7.5.4 → 7.5.7 in Dockerfile.
-
----
-
-## Changed
-
-### Dependency Updates
-
-| Package                     | From    | To     |
-| --------------------------- | ------- | ------ |
-| `@modelcontextprotocol/sdk` | 1.25.3  | 1.26.0 |
-| `@types/node`               | 25.0.10 | 25.2.0 |
-| `commander`                 | 14.0.2  | 14.0.3 |
-| `globals`                   | 17.1.0  | 17.3.0 |
-
----
-
-## Upgrade
-
-```bash
-# npm
-npm update -g memory-journal-mcp
-
-# Docker
-docker pull writenotenow/memory-journal-mcp:v4.3.1
-```
-
-**Full Changelog**: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

package/releases/v4.4.0.md

@@ -1,120 +0,0 @@
-# v4.4.0 - Milestones, Insights, Security Hardening & Performance
-
-Released: February 27, 2026
-
-## Highlights
-
-- **GitHub Milestones Integration** — Full CRUD support with 5 new tools, 2 new resources, and briefing/status integration
-- **Repository Insights/Traffic Tool** — New `get_repo_insights` tool and `memory://github/insights` resource for monitoring stars, forks, clones, views, referrers, and popular paths (14-day rolling data)
-- **HTTP Transport Security Hardening** — Configurable CORS, request body size limits, security headers, session timeout, and error log token scrubbing
-- **Performance Improvements** — Debounced database save, paginated vector rebuild, parallel batch embedding, GitHub API TTL cache, and startup deduplication
-- **15+ Bug Fixes** — Including `memory://significant` sort correctness, `delete_entry` permanent delete, JournalEntry GitHub metadata exposure, and `list_tags` zero-count filtering
-
----
-
-## Added
-
-### GitHub Milestones Integration
-
-Full lifecycle management for GitHub Milestones:
-
-- **5 new tools**: `get_github_milestones`, `get_github_milestone`, `create_github_milestone`, `update_github_milestone`, `delete_github_milestone`
-- **2 new resources**: `memory://github/milestones` (list) and `memory://milestones/{number}` (detail)
-- Briefing and status resources now include milestone progress data
-- `create_github_issue_with_entry` accepts optional `milestone_number` parameter
-
-### Repository Insights/Traffic
-
-- **New tool**: `get_repo_insights` with token-efficient `sections` parameter
-- **New resource**: `memory://github/insights` — compact summary (~150 tokens)
-- Surfaces stars, forks, watchers, clones, views, top referrers, and popular pages
-- Extended 10-minute cache TTL for slowly-changing traffic data
-
-### Server Host Bind Parameter
-
-- New `--server-host` CLI option and `MCP_HOST` / `HOST` environment variables
-- Defaults to `localhost`; set to `0.0.0.0` for container deployments
-
-### Performance Benchmarking Suite
-
-- New `npm run bench` script using `vitest bench` for baseline performance measurement
-
----
-
-## Improved
-
-- **`get_entry_by_id` Importance Scoring Breakdown** — Returns weighted component contributions
-- **`get_cross_project_insights` Inactive Threshold Visibility** — Self-documenting `inactiveThresholdDays` field
-- **Database I/O — Debounced Save** — 500ms debounce batches rapid writes into single disk flush
-- **Vector Index Rebuild** — Paginated fetching (200 per page) + parallel batch embedding (5 at a time) + sequential insertion
-- **Server Startup — `getTools()` Deduplication** — Eliminated duplicate call during startup
-- **GitHub API — TTL Response Cache** — 5-minute cache for read methods with automatic invalidation on mutations
-
----
-
-## Fixed
-
-- **`memory://significant` Importance Sort** — Fixed resource returning timestamp-sorted instead of importance-sorted entries when >20 entries exist
-- **`memory://instructions` Active Tool Count** — Fixed hardcoded 3-tool fallback; now uses `getAllToolNames()`
-- **`memory://health` Tool Count** — Dynamic computation from `TOOL_GROUPS` instead of hardcoded value
-- **`delete_entry` Permanent Delete** — Now works on previously soft-deleted entries via `getEntryByIdIncludeDeleted()`
-- **`delete_entry` Existence Check (P154)** — Pre-checks entry existence before mutation
-- **`link_entries` Existence Check (P154)** — Pre-checks both source and target entry existence
-- **`visualize_relationships` Disambiguation (P154)** — Clear "Entry not found" message for nonexistent entries
-- **`list_tags` Zero-Count Filtering** — No longer returns orphan tags with zero usage
-- **`get_github_issue` Missing Milestone Field** — Now maps `issue.milestone` from API response
-- **`JournalEntry` GitHub Metadata** — 10 GitHub fields now included in all tool responses
-- **`delete_github_milestone` Structured Error** — Returns proper `DeleteMilestoneOutputSchema` on failure
-- **`ServerInstructions.ts` Entry Types** — Updated from 7 stale types to full 13-type union
-- **Docker Hub Short Description** — Corrected "HTTPS" → "HTTP/SSE"
-
----
-
-## Security
-
-- **HTTP Transport Hardening** — Configurable CORS (`--cors-origin`), 1MB request body limit, `X-Content-Type-Options: nosniff` + `X-Frame-Options: DENY`, 30-min session timeout
-- **Error Log Token Scrubbing** — Automatic sanitization of GitHub tokens and Authorization headers
-- **CVE-2026-26960 (tar)** — Updated npm's bundled tar → 7.5.8 (HIGH, path traversal CVSS 7.1)
-- **GHSA-w7fw-mjwx-w883 (qs)** — Updated qs 6.14.1 → 6.14.2 (low, arrayLimit bypass DoS)
-- **GHSA-43fc-jf86-j433 (axios)** — Override to 1.13.5 (DoS via `__proto__` key)
-- **SECURITY.md Rewrite** — Complete rewrite for TypeScript era
-- **docker-compose.yml Rewrite** — Removed Python-era configuration, added secure mounts
-- **Dockerfile Healthcheck** — Replaced no-op healthcheck with `process.exit(0)` validation
-
----
-
-## CI/CD
-
-- Removed Dependabot auto-merge workflow — manual review required
-- Trivy Action updated to 0.34.0
-- CI test matrix aligned to `[24.x, 25.x]` matching `engines.node: >=24.0.0`
-- Blocking `npm audit` — known vulnerabilities now fail the pipeline
-- Blocking secret scanning — verified leaks now fail the pipeline
-
----
-
-## Dependencies
-
-| Package                     | From   | To             |
-| --------------------------- | ------ | -------------- |
-| `@eslint/js`                | 9.39.2 | 10.0.1 (major) |
-| `@modelcontextprotocol/sdk` | 1.26.0 | 1.27.1 (minor) |
-| `@types/node`               | 25.2.0 | 25.3.2 (minor) |
-| `eslint`                    | 9.39.2 | 10.0.2 (major) |
-| `simple-git`                | 3.28.0 | 3.32.3 (minor) |
-| `sql.js`                    | 1.12.0 | 1.14.0 (minor) |
-| `typescript-eslint`         | 8.54.0 | 8.56.1 (minor) |
-
----
-
-## Upgrade
-
-```bash
-# npm
-npm update -g memory-journal-mcp
-
-# Docker
-docker pull writenotenow/memory-journal-mcp:v4.4.0
-```
-
-**Full Changelog**: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

package/releases/v4.4.1.md

@@ -1,33 +0,0 @@
-# v4.4.1 - CVE Remediation (minimatch)
-
-Released: February 27, 2026
-
-## Highlights
-
-- **Security Patch** — Fixed 2 HIGH severity CVEs in minimatch that blocked Docker deployment
-
----
-
-## Security
-
-### CVE-2026-27903 (minimatch) — HIGH
-
-Inefficient algorithmic complexity vulnerability in minimatch >=10.0.0, <10.2.3 (CVSS 7.5). Added npm override `minimatch@^10.2.3`.
-
-### CVE-2026-27904 (minimatch) — HIGH
-
-Inefficient regular expression complexity (ReDoS) in minimatch >=10.0.0, <10.2.3 (CVSS 7.5). Same fix as CVE-2026-27903.
-
----
-
-## Upgrade
-
-```bash
-# npm
-npm update -g memory-journal-mcp
-
-# Docker
-docker pull writenotenow/memory-journal-mcp:v4.4.1
-```
-
-**Full Changelog**: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

package/releases/v4.4.2.md

@@ -1,31 +0,0 @@
-# v4.4.2 - CVE Remediation (minimatch Dockerfile Patch)
-
-Released: February 27, 2026
-
-## Highlights
-
-- **Docker CVE Fix** — Manually patched npm's bundled minimatch in Dockerfile to resolve Docker deploy block
-
----
-
-## Security
-
-### CVE-2026-27903 + CVE-2026-27904 (minimatch) — HIGH
-
-Manually patched npm's bundled `minimatch@10.2.2` → `10.2.3` in Dockerfile to fix HIGH severity ReDoS and algorithmic complexity vulnerabilities (CVSS 7.5).
-
-The v4.4.1 npm override only affected project dependencies. Docker Scout detected the vulnerable copy inside npm's own bundled packages at `/usr/local/lib/node_modules/npm/node_modules/minimatch`. This follows the same manual patch pattern used for tar and diff CVEs.
-
----
-
-## Upgrade
-
-```bash
-# npm
-npm update -g memory-journal-mcp
-
-# Docker
-docker pull writenotenow/memory-journal-mcp:v4.4.2
-```
-
-**Full Changelog**: https://github.com/neverinfamous/memory-journal-mcp/wiki/CHANGELOG

package/releases/v4.5.0.md

@@ -1,116 +0,0 @@
-# v4.5.0 - Automated Scheduling, Security Hardening & Quality Improvements
-
-**Released: March 2, 2026**
-
-## Highlights
-
-### ⏰ Automated Scheduler (HTTP/SSE Only)
-
-New in-process scheduler runs periodic maintenance jobs for long-running HTTP/SSE server processes:
-
-- `--backup-interval <minutes>` — Automated database backups with cleanup
-- `--keep-backups <count>` — Max backups to retain (default: 5)
-- `--vacuum-interval <minutes>` — Database optimization (`PRAGMA optimize`)
-- `--rebuild-index-interval <minutes>` — Full vector index rebuild
-
-Each job is error-isolated. Status visible via `memory://health`.
-
-### 🔒 Security Hardening
-
-Comprehensive security improvements across the entire stack:
-
-- **HTTP Transport** — Rate limiting (100 req/min), CSP headers, Cache-Control, Referrer-Policy, CORS wildcard warning
-- **Input Validation** — `entry_type` and `significance_type` now constrained to Zod enums; date format validation via regex
-- **Dead Code Wiring** — `sanitizeSearchQuery()` and `assertNoPathTraversal()` now active in code paths
-- **Foreign Keys** — `PRAGMA foreign_keys = ON` enforced at database initialization
-- **Path Traversal** — `exportToFile()` now protected with `assertNoPathTraversal()`
-- **Logger Hardening** — `LOG_LEVEL` validated; `setLevel()` guarded against invalid values
-- **Removed dead code** — SQL injection detection functions that provided false sense of security
-- **CI** — Blocking `npm audit` and TruffleHog steps; Node.js test matrix aligned to `>=24.0.0`
-
-### ✅ Test Coverage → 92%
-
-Expanded test suite from 549 → 590 tests, raising line coverage from 88.59% → 92.06%:
-
-- SIGINT shutdown handlers for all three transport modes
-- Prompt handlers with proper arguments
-- `SqliteAdapter` backup edge cases
-- GitHub integration error paths
-
-### 📝 Cursor Rule for Session Management
-
-Added `hooks/cursor/memory-journal.mdc` — an `alwaysApply` Cursor rule that instructs agents to read `memory://briefing` at session start and create a retrospective at session end. This is the most reliable mechanism for session behavior in Cursor.
-
-## Added
-
-- **Automated Scheduler** — `Scheduler.ts` module with CLI flags for backup, vacuum, and index rebuild intervals
-- **Cursor Rule** — `hooks/cursor/memory-journal.mdc` for reliable session management
-- **Cursor `sessionEnd` Hook** — `hooks/cursor/hooks.json` + `session-end.sh` audit script
-
-## Improved
-
-- **Test Coverage** — 88.59% → 92.06% line coverage (549 → 590 tests)
-- **Database I/O** — Debounced `scheduleSave()` reduces disk writes on rapid mutations
-- **Vector Index Rebuild** — Paginated fetching (200/page) + parallel batch embedding (5 at a time)
-- **Server Startup** — Eliminated duplicate `getTools()` call
-- **GitHub API** — TTL response cache (5 min) with automatic invalidation on mutations
-
-## Fixed
-
-- **Session Start briefing in Cursor** — Added `user-memory-journal-mcp` server name for Cursor compatibility
-- **`deleteOldBackups` Test Isolation** — Fixed flaky test by cleaning up pre-existing backups
-- **`share_with_team` Not Setting `isPersonal`** — `create_entry` with `share_with_team: true` now correctly sets `isPersonal: false`
-- **Path Traversal Test Assertion** — Updated to assert `PathTraversalError` type
-- **Tool Handler Test Fix** — Updated to use valid `entry_type` enum value
-
-## Security
-
-- Wire dead-code security utilities (F-001, F-002)
-- HTTP security headers: CSP, Cache-Control, Referrer-Policy (F-003)
-- `PRAGMA foreign_keys = ON` (F-005)
-- CORS wildcard warning (F-006)
-- `entry_type` / `significance_type` enum constraints
-- Date format validation on all date string fields
-- HTTP rate limiting (100 req/min per IP)
-- Remove dead SQL injection detection code
-- `exportToFile()` path traversal protection
-- `getRawDb()` safety documentation
-- Logger `LOG_LEVEL` validation (L1) and `setLevel()` guard (L2)
-- CI `security-scan` Node version alignment (L3)
-
-## Changed
-
-- `@types/node`: 25.3.2 → 25.3.3 (patch)
-- `globals`: 17.3.0 → 17.4.0 (minor)
-- `minimatch` override: 10.2.3 → 10.2.4 (patch)
-- `tar` override: 7.5.8 → 7.5.9 (patch)
-
-## Removed
-
-- **Unused `cors` dependency** — CORS handled by custom middleware
-
-## CI/CD
-
-- Removed Dependabot auto-merge workflow
-- Trivy Action updated to 0.34.0
-- Node.js test matrix aligned: `[24.x, 25.x]`
-- Blocking `npm audit` in CI pipeline
-- Blocking TruffleHog secret scanning
-
-## Documentation
-
-- Revised `hooks/README.md` with progressive enhancement model
-- Updated Session Management in README.md and DOCKER_README.md
-- SECURITY.md rewrite for TypeScript era
-- Team collaboration in READMEs with wiki links
-- Rate limiting documentation
-
----
-
-```bash
-# npm
-npm install -g memory-journal-mcp@4.5.0
-
-# Docker
-docker pull writenotenow/memory-journal-mcp:v4.5.0
-```

package/releases/v5.0.0.md

@@ -1,105 +0,0 @@
-# v5.0.0 — Major Architecture & Security Release
-
-**Release Date:** March 6, 2026
-
-This is a major release featuring a complete architectural overhaul, comprehensive security hardening, a new E2E test suite, redesigned team collaboration, and deterministic error handling across all 42 tools.
-
-## ✨ Highlights
-
-- **Architecture Overhaul** — Tool handler monolith (3,428 lines) split into 12 focused modules. Resource handlers, prompt handlers, types, mutation tools, and HTTP transport all modularized similarly.
-- **Team Collaboration Redesign** — Rebuilt from scratch with separate team database (`TEAM_DB_PATH`), author attribution, cross-DB search, and 3 dedicated tools (`team_create_entry`, `team_get_recent`, `team_search`).
-- **Deterministic Error Handling** — All 42 tool handlers wrapped with `formatHandlerError()` returning structured `{ success: false, error }` responses. Dual-schema validation pattern ensures Zod errors also produce structured responses.
-- **20+ Security Improvements** — Bearer token authentication, HSTS, timing-safe token comparison, shell-free git detection, Docker hardening, CI pipeline action pinning, and more.
-- **Playwright E2E Test Suite** — 8 spec files (47 tests) testing HTTP/SSE transport end-to-end: health, protocols, security headers, auth, sessions, tools, resources, stateless mode, and scheduler.
-- **Dual HTTP Transport** — Streamable HTTP (`/mcp`) + Legacy SSE (`/sse`) running simultaneously in stateful mode.
-
-## 🆕 Added
-
-- **Playwright E2E Test Suite** — `health.spec.ts`, `protocols.spec.ts`, `security.spec.ts`, `auth.spec.ts`, `sessions.spec.ts`, `tools.spec.ts`, `resources.spec.ts`, `stateless.spec.ts`, `scheduler.spec.ts`
-- **Legacy SSE Transport** — `GET /sse` + `POST /messages?sessionId=<id>` for backward-compatible MCP 2024-11-05 clients (stateful mode only)
-- **Health Endpoint** — `GET /health` returns `{ status: "healthy", timestamp }`
-- **Root Info Endpoint** — `GET /` returns server name, version, endpoints, docs link
-- **404 Handler** — Unknown paths return `{ error: "Not found" }`
-- **`DB_PATH` Environment Variable** — Database path via env block (precedence: CLI `--db` > `DB_PATH` > `./memory_journal.db`)
-- **`--auth-token` CLI Option** — Bearer token authentication for HTTP transport (`MCP_AUTH_TOKEN` env)
-- **`Permissions-Policy` Header** — 6th security header: `camera=(), microphone=(), geolocation=()`
-- **Team Collaboration** — `TEAM_DB_PATH`, `TEAM_AUTHOR`, `share_with_team`, `memory://team/recent`, `memory://team/statistics`
-- Tool count: 39 → 42 · Tool groups: 8 → 9 · Resources: 20 → 22
-
-## 🔒 Security
-
-- **Trigger Name Validation** — `SAFE_IDENTIFIER_RE` regex in `migrateSchema()` prevents SQL injection via crafted trigger names
-- **Query Limit Caps** — `.max(500)` on all `limit` parameters (10 schemas)
-- **TruffleHog Pinned** — `@main` → `@v3.93.7`
-- **Docker Scout Official Action** — Replaces `curl | sh` installer with `docker/scout-action@v1.18.2`
-- **Gitleaks Blocking** — Removed `continue-on-error: true`; leaks now fail the workflow
-- **Gitleaks Pinned** — `@v2` → `@v2.3.9`
-- **Bearer Token Auth** — Optional `--auth-token` with `MCP_AUTH_TOKEN` env support
-- **SSE Session Timeout** — Legacy SSE sessions expire after 30 min idle
-- **`searchByDateRange` Limit** — `LIMIT 500` prevents unbounded result sets
-- **Docker Production-Only Dependencies** — `npm ci --omit=dev` in production image
-- **CORS `Authorization` Header** — Added for bearer token support
-- **Timing-Safe Auth** — `crypto.timingSafeEqual()` for token comparison
-- **HSTS Header** — Conditional `Strict-Transport-Security` behind reverse proxy
-- **Docker Compose Hardening** — `read_only: true`, `tmpfs`, generic token placeholder, explicit `NODE_ENV`
-- **Shell-Free Git** — `execFileSync('git', [...])` replaces `execSync('git config ...')`
-
-## ⚡ Improved
-
-- **Batch Tag Fetching** — N+1 elimination: `getRecentEntries(50)` reduced from 51 queries to 2
-- **Batch Tag Linking** — Single `INSERT OR IGNORE` + `SELECT ... WHERE name IN (...)`
-- **Tool Dispatch Cache** — O(1) `Map` lookup instead of rebuilding 42 definitions per call
-- **Conditional JOIN in `searchByDateRange`** — Tag tables only JOINed when tag filter provided
-- **Consolidated `getStatistics` Queries** — 5 sequential `db.exec()` → 3 with `SUM(CASE ...)`
-- **Dual-Schema Validation** — Relaxed schemas for SDK, strict schemas in handlers
-
-## 🐛 Fixed
-
-- **Entry Type Enum** — Added 6 missing types (`technical_note`, `development_note`, `enhancement`, `milestone`, `system_integration_test`, `test_entry`)
-- **`get_github_milestones` State Filter** — `state: "all"` no longer silently defaults to `"open"`
-- **Legacy Database Migration** — `migrateSchema()` adds missing columns + drops FTS5 triggers
-- **`list_tags` Null Count** — `COALESCE(usage_count, 0)` prevents null validation failures
-- **Output Schema Error Responses** — All schemas now accept `{ success: false, error }` responses
-- **Multi-Session Connect Crash** — Close-before-reconnect pattern for concurrent HTTP sessions
-- **Backup Error Path** — Error responses now pass Zod output validation
-- **`share_with_team` Not Setting `isPersonal`** — Fixed `create_entry` with `share_with_team: true`
-- **Legacy SSE `start()` Redundancy** — Eliminated duplicate `sseTransport.start()` call
-
-## 🔄 Changed
-
-- **HTTP Transport Modularized** — `McpServer.ts` (813 → ~450 lines) → `src/transports/http.ts`
-- **`ToolDefinition.handler` Return Type** — `Promise<unknown>` → `unknown` (supports sync+async)
-- **Dependency Updates** — `@types/node` 25.3.3→25.3.5, `express-rate-limit` 8.2.1→8.3.0, `sql.js` 1.14.0→1.14.1
-
-## 🗑️ Removed
-
-- Legacy team collaboration system (rebuilt from scratch)
-- Tool handler monolith `src/handlers/tools/index.ts` (replaced by 12 modules)
-- Unused `cors` and `@types/cors` packages
-- Database files reorganized into `data/` directory
-
-## 🔄 CI/CD
-
-- **CodeQL Default Setup Disabled** — Custom workflow is now sole scanner
-- **CodeQL `actions` Language** — Added to replace Default Setup coverage
-- **Trivy Action** — 0.34.0 → 0.34.1
-
-## 📖 Documentation
-
-- Cursor Rule for session management (`hooks/cursor/memory-journal.mdc`)
-- Revised hooks/README.md with progressive enhancement model
-- SECURITY.md rewritten for current architecture
-- Team collaboration documented in READMEs
-- Wiki security page expanded (16-item checklist)
-
----
-
-**Full Changelog:** [v4.5.0...v5.0.0](https://github.com/neverinfamous/memory-journal-mcp/compare/v4.5.0...v5.0.0)
-
-**Install/Update:**
-
-```bash
-npm install -g memory-journal-mcp@5.0.0
-# or
-docker pull writenotenow/memory-journal-mcp:v5.0.0
-```

package/releases/v5.0.1.md

@@ -1,25 +0,0 @@
-# v5.0.1 — Security Patch
-
-**Release Date:** March 6, 2026
-
-Patches a HIGH severity path traversal vulnerability in npm's bundled `tar` package discovered by Docker Scout during the v5.0.0 deployment pipeline.
-
-## 🔒 Security
-
-- **GHSA-qffp-2rhf-9h96 (tar)** — Manually patched npm's bundled `tar` → `7.5.10` in Dockerfile (builder + production stages) to fix HIGH severity path traversal vulnerability (CVSS 8.2). Also updated npm override in `package.json`.
-
-## 🔄 Changed
-
-- `tar` override: 7.5.9 → 7.5.10 (patch) — npm + Docker layers
-
----
-
-**Full Changelog:** [v5.0.0...v5.0.1](https://github.com/neverinfamous/memory-journal-mcp/compare/v5.0.0...v5.0.1)
-
-**Install/Update:**
-
-```bash
-npm install -g memory-journal-mcp@5.0.1
-# or
-docker pull writenotenow/memory-journal-mcp:v5.0.1
-```

package/releases/v5.1.0.md

@@ -1,83 +0,0 @@
-# v5.1.0 - 2026-03-07
-
-## Highlights
-
-- **`session-summary` Prompt** — New workflow prompt replaces unreliable session-end behaviors with robust, user-initiated context capture.
-- **Extreme Performance Gains** — Drastically reduced SQLite roundtrips 3→1 for importance calculation, introduced a composite covering index for `getRecentEntries` (4x faster), and cached tool array structures (~4800x faster).
-- **Cold Start Reduction** — Refactored to lazily load `@xenova/transformers` and `vectra`, shaving ~1.8s off server initialization.
-- **Zod Exception Security** — Closed boundary violation leak edge cases by injecting strict vs relaxed dual-schema parsing, ensuring all inputs result in defined structured error objects.
-- **Docker Compose Hardening** — Full network isolation (`mcp-net`), `no-new-privileges`, and `cap_drop: ALL` drastically drop container privileges and sandbox isolation boundaries.
-
-## Added
-
-- **`session-summary` Prompt** — New workflow prompt that creates a session summary journal entry. Fetches recent entries for context and guides the agent to create a `retrospective` entry tagged `session-summary` capturing accomplishments, pending items, and next-session context. Invoked by the user when ready (e.g., `/session-summary`). Replaces the unreliable automatic session-end behavior. Prompt count: 15 → 16.
-
-## Performance
-
-- **`calculateImportance` Query Consolidation** — Merged 3 separate SQL queries (entry data, relationship count, causal count) into a single query with subqueries, reducing SQLite roundtrips 3→1.
-- **`linkTagsToEntry` Batch Operations** — Replaced per-tag `INSERT OR IGNORE` + `UPDATE` loop (2N SQL calls) with batched multi-row `INSERT`, `SELECT ... IN (...)`, and `UPDATE ... IN (...)` (4 SQL calls total for any N tags).
-- **`createEntry` Redundant Fetch Elimination** — Removed post-INSERT `getEntryById()` re-fetch (full SELECT + tag query). Entry is now constructed directly from input values + `last_insert_rowid()` + `datetime(CURRENT_TIMESTAMP)`.
-- **`updateEntry` Pre-check Elimination** — Removed pre-UPDATE `getEntryById()` existence check. Uses `UPDATE ... WHERE deleted_at IS NULL` + `SELECT changes()` to detect missing entries in one SQL call instead of a full SELECT + tag query.
-- **SQLite Performance PRAGMAs** — Added `PRAGMA journal_mode = MEMORY`, `synchronous = OFF`, and `temp_store = MEMORY` at initialization. sql.js operates in-memory with manual disk serialization; these eliminate unnecessary internal journal overhead.
-- **Composite Covering Index for `getRecentEntries`** — Added `idx_memory_journal_recent` on `(deleted_at, timestamp DESC, id DESC)` to enable index-only scan for the `WHERE deleted_at IS NULL ORDER BY timestamp DESC, id DESC` query pattern.
-- **`addEntry` Native Upsert** — Replaced `deleteItem()` + `insertItem()` pattern with vectra's native `upsertItem()`, eliminating a full exception path on every new entry insertion.
-- **`getTools` Cached Output** — Extracted shared `ensureToolCache()` for both `getTools` and `callTool`. Unfiltered `getTools` calls now return a cached mapped array instead of rebuilding 42 tool objects and mapping them on every invocation (~4800x faster than tool execution).
-- **Lazy Module Loading for Startup** — Deferred `@xenova/transformers` (1.5s) and `vectra` (0.9s) from top-level imports in `VectorSearchManager.ts` to dynamic `import()` inside `initialize()`. These heavyweight modules are now loaded only when vector search is first used, reducing server cold-start by ~1.8s (VectorSearchManager import: 1515ms → 12ms).
-
-## Security
-
-- **Docker Compose Network Isolation (L-1)** — Added custom `mcp-net` bridge network to both services. Prevents MCP containers from accessing or being accessed by unrelated containers on the default Docker bridge.
-- **Docker Compose `no-new-privileges` (L-2)** — Added `security_opt: ["no-new-privileges:true"]` to both services. Prevents privilege escalation via `setuid`/`setgid` binaries inside containers.
-- **Author Input Sanitization (L-5)** — `resolveAuthor()` and `resolveTeamAuthor()` in `team.ts` and `core.ts` now strip ASCII control characters (`0x00`–`0x1F`, `0x7F`) and cap author strings at 100 characters. Prevents crafted `TEAM_AUTHOR` env or git config values from injecting control characters into the database `author` column or `autoContext` JSON payloads.
-- **Consolidated `sanitizeAuthor` (Audit)** — Moved duplicated `sanitizeAuthor()` from `core.ts` and `team.ts` into `security-utils.ts` as a single-source-of-truth export. Eliminates risk of divergent sanitization logic.
-- **Docker Compose `cap_drop: ALL` (Audit)** — Added `cap_drop: ALL` to both Docker Compose services, dropping all Linux capabilities (NET_RAW, SYS_CHROOT, etc.) that are unnecessary for a Node.js MCP server.
-- **CI Unit Test Gate (Audit)** — Added `npm run test` step to `lint-and-test.yml` workflow so unit tests run on every push/PR, not just lint/typecheck/build.
-
-## Improved
-
-- **Zod Boundary Leak Prevention** — Created separate relaxed MCP schemas (without `min`/`max` constraints) for 7 tools so boundary violations reach the handler for structured `{success: false, error}` responses instead of leaking as raw MCP `-32602` error frames. Affected tools: `get_recent_entries`, `create_entry`, `create_entry_minimal`, `search_entries`, `search_by_date_range`, `semantic_search`, `export_entries`, `cleanup_backups`, `visualize_relationships`.
-
-## Fixed
-
-- **Output schema mismatches causing MCP -32602 errors** — Three `outputSchema` definitions didn't match actual handler output, causing `structuredContent does not match the tool's output schema` errors.
-- **`get_statistics` Date Filtering** — `start_date` and `end_date` parameters now filter all statistics queries (total count, type breakdown, period breakdown, decision density).
-- **`get_statistics` Project Breakdown** — `project_breakdown: true` now returns a `projectBreakdown` array with per-project entry counts.
-- **`export_entries` Filter Bypass** — Handler was calling `db.getRecentEntries(limit)` and ignoring all parsed filter parameters. Now correctly uses `db.searchByDateRange()`.
-- **GitHub Error Consistency** — All GitHub tool error responses now include `success: false` field, matching the `{success: false, error}` pattern.
-- **`get_vector_index_stats` Missing `success` Field** — Handler now returns `success: true/false`.
-- **No-Argument Prompts Failing with MCP `-32602`** — Prompts with no arguments failed due to `argsSchema: {}` instead of omitting `argsSchema`.
-- **`get_github_milestone` Error Missing `success: false`** — Error response for non-existent milestones now returns proper structured form.
-- **`get_kanban_board` Error Missing `success: false`** — Error response for non-existent projects matching consistent shape.
-- **`search_by_date_range` Silent Filter Bug** — `issue_number`, `pr_number`, and `workflow_run_id` properly mapped natively into queries.
-
-## Documentation
-
-- **Test Counts Updated** — Updated the `README.md` and `DOCKER_README.md` test count badges and the testing breakdown table to reflect the combined total of Vitest unit/integration tests and Playwright E2E tests (785 total tests).
-- **Performance Benchmark Claims Updated** — Updated benchmark numbers in `README.md` and `DOCKER_README.md` to reflect post-optimization measurements: vector ops >640 ops/sec, `getTools` ~4800x faster than tool execution, `getRecentEntries` ~4x faster via composite index.
-
-## Removed
-
-- **Automatic Session End Behavior** — Removed `## Session End` section from server instructions (`ServerInstructions.ts`, `server-instructions.md`).
-- **`hooks/` Directory** — Deleted the entire hooks directory (`hooks/cursor/`, `hooks/kiro/`, `hooks/kilo-code/`, `hooks/README.md`).
-
-## Changed
-
-- **CI `publish-npm.yml` Node Version Alignment (L-4)** — Updated Node.js version from 22.x to 24.x to match `engines.node: >=24.0.0` in `package.json` and the Dockerfile base image (`node:24-alpine`).
-- **Dependency Updates**
-  - `eslint`: 10.0.2 → 10.0.3 (patch)
-
----
-
-**Full Changelog:** [v5.0.1...v5.1.0](https://github.com/neverinfamous/memory-journal-mcp/compare/v5.0.1...v5.1.0)
-
-**To update via npm:**
-
-```bash
-npm install -g memory-journal-mcp@5.1.0
-```
-
-**To update via Docker:**
-
-```bash
-docker pull writenotenow/memory-journal-mcp:v5.1.0
-```

package/releases/v5.1.1.md

@@ -1,10 +0,0 @@
-### Changed
-
-- **Dependency Updates**
-  - Various minor and patch dependency updates including `@types/node`, `express-rate-limit`, `simple-git`, `typescript-eslint`, and overrides for `tar`, `axios`, and `tmp` inside npm and Docker layers, as well as GitHub Actions.
-
-[Compare v5.1.0...v5.1.1](https://github.com/neverinfamous/memory-journal-mcp/compare/v5.1.0...v5.1.1)
-
-```bash
-npm install -g memory-journal-mcp
-```

package/releases/v6.0.0.md

@@ -1,48 +0,0 @@
-# v6.0.0 — Code Mode, OAuth 2.1, FTS5, and Architecture Overhaul
-
-> **Breaking Changes**: WASM SQLite fallback removed (`--sqlite-wasm`/`--sqlite-native` flags gone). CORS config changed from `corsOrigin: string` to `corsOrigins: string[]`.
-
-## Highlights
-
-### 🧠 Code Mode (`mj_execute_code`)
-
-Sandboxed JavaScript execution for multi-step workflows with 70-90% token reduction. Worker-thread isolation with V8 boundary, `mj.*` namespaced API across all 44 tools (10 groups), positional args, method aliases, and per-group `help()`. Resource limits: 50KB code, 30s timeout, 128MB memory, 60 exec/min.
-
-### 🔐 OAuth 2.1 Authentication
-
-Full RFC-compliant OAuth 2.0 auth for HTTP transport. JWT validation via `jose`, JWKS caching, 3 scopes (`read`/`write`/`admin`) mapped to 10 tool groups. RFC 9728 Protected Resource Metadata endpoint.
-
-### 🔍 FTS5 Full-Text Search
-
-Replaced `LIKE '%query%'` with SQLite FTS5. BM25 ranking, phrase queries, prefix matching, boolean operators. Content-sync mode (no duplicate storage), Porter stemmer, auto-populated on migration.
-
-### 📊 Configurable Briefing
-
-15 new env vars / CLI flags to customize `memory://briefing`: entry counts, team inclusion, issue/PR listing depth, workflow runs, Copilot review aggregation, rules file, skills dir.
-
-### 🏗️ Architecture
-
-- **sqlite-vec** replaces vectra for vector search (86 fewer dependencies)
-- **tsup** replaces tsc (875 KB → 455 KB dist, ~48% reduction)
-- **Modularized** SQLite adapter, GitHub integration, HTTP transport, briefing resources
-- **Harmonized error types** with `MemoryJournalMcpError` base class (9 categories, 6 subclasses)
-- **Built-in rate limiting** replaces `express-rate-limit`
-
-### 🧪 Testing
-
-- Unit coverage: 73% → 87% (320+ new tests across 10 files)
-- E2E: 71 → 105 tests (8 new Playwright specs)
-- 10 rounds of code quality audit fixes
-- 4 rounds of performance audit fixes
-
-### 🔒 Security
-
-- 6 CVEs patched via `undici` 7.24.1
-- DNS rebinding protection, server timeouts, HSTS config
-- SHA-pinned all GitHub Actions across 6 workflows
-
-[Full Changelog](https://github.com/neverinfamous/memory-journal-mcp/blob/main/CHANGELOG.md#600---2026-03-14)
-
-```bash
-npm install -g memory-journal-mcp
-```