memory-journal-mcp 6.1.2 → 6.2.1

package/skills/github-commander/workflows/pr-review.md

@@ -0,0 +1,123 @@
+# PR Review
+
+Review an open pull request with optional validation pipeline and structured
+findings.
+
+## Phase 1 — Gather Context
+
+1. Read `memory://briefing` for session context
+2. Fetch the PR details:
+   ```
+   get_github_pr({ pr_number: <N> })
+   ```
+3. If available, fetch Copilot review findings:
+   ```
+   get_copilot_reviews({ pr_number: <N> })
+   ```
+4. Search journal for related entries:
+   ```
+   semantic_search({ query: "<PR title/description>" })
+   ```
+5. Check linked issues and milestone context
+6. Journal review start:
+   ```
+   create_entry({
+     content: "Starting review of PR #<N>: <title>. Author: <author>. Files changed: <count>.",
+     entry_type: "review_start",
+     tags: ["commander", "review"],
+     pr_number: <N>
+   })
+   ```
+
+## Phase 2 — Code Review
+
+1. Check out the PR branch locally:
+
+   ```bash
+   gh pr checkout <N>
+   ```
+
+2. Review changes for:
+   - **Correctness** — does the code do what the PR claims?
+   - **Style** — does it follow project conventions?
+   - **Security** — any injection, validation, or auth issues?
+   - **Performance** — any hot-path allocations, missing early returns?
+   - **Test coverage** — are new/changed paths tested?
+
+3. Run validation gates (same as issue-triage Phase 3):
+   - Gate 1: Lint + Typecheck
+   - Gate 2: Build
+   - Gate 3: Unit/Integration Tests
+   - Gate 4: E2E Tests
+   - Gate 5: Security Scans (auto-detected)
+
+   Journal each gate result as in issue-triage.
+
+## Phase 3 — Findings Report
+
+Compile all findings into a structured report:
+
+1. **Code review findings** — issues found during manual review
+2. **Gate results** — pass/fail for each validation gate
+3. **Security findings** — from auto-detected security scans
+4. **Copilot findings** — any issues flagged by Copilot reviews
+
+Journal each significant finding:
+
+```
+create_entry({
+  content: "PR #<N> finding: <severity> - <description>. File: <path>:<lines>.",
+  entry_type: "audit_finding",
+  tags: ["commander", "review", "<category>"],
+  pr_number: <N>
+})
+```
+
+**HITL checkpoint**: Present the full findings report to the human. Ask for
+review decision:
+
+- **Approve** — no blocking issues found
+- **Request changes** — blocking issues identified
+- **Comment** — non-blocking suggestions
+
+## Phase 4 — Submit Review
+
+Based on human's decision:
+
+### Approve
+
+```bash
+gh pr review <N> --approve --body "LGTM. All validation gates passed. <summary>"
+```
+
+### Request Changes
+
+```bash
+gh pr review <N> --request-changes --body "<findings summary with specific file/line references>"
+```
+
+### Comment
+
+```bash
+gh pr review <N> --comment --body "<non-blocking suggestions>"
+```
+
+Journal review completion:
+
+```
+create_entry({
+  content: "Completed review of PR #<N>: <decision>. Findings: <count>. Gates: <summary>.",
+  entry_type: "review_complete",
+  tags: ["commander", "review"],
+  pr_number: <N>
+})
+```
+
+## Phase 5 — Session Summary
+
+Run `/session-summary` to capture:
+
+- PR reviewed with decision
+- All findings by category
+- Gate results
+- Any follow-up items

package/skills/github-commander/workflows/security-audit.md

@@ -0,0 +1,170 @@
+# Security Audit
+
+Run a comprehensive security audit using auto-detected scanning tools. Each tool
+is independently detected and skipped gracefully if unavailable.
+
+## Phase 1 — Tool Detection
+
+Detect available security scanning tools (see SKILL.md § Security Tool
+Auto-Detection). Journal which tools are available:
+
+```
+create_entry({
+  content: "Security audit: detected tools: <list>. Unavailable: <list>.",
+  entry_type: "audit_finding",
+  tags: ["commander", "security", "detection"]
+})
+```
+
+## Phase 2 — Dependency Vulnerabilities
+
+### npm audit (always available for Node.js)
+
+```bash
+npm audit --json
+```
+
+Report:
+
+- Total vulnerabilities by severity (critical / high / moderate / low)
+- Whether each is fixable via `npm audit fix` or requires manual intervention
+- Any overrides/resolutions in the manifest that may mask unfixed vulnerabilities
+
+For non-Node.js projects, use the equivalent tool:
+
+- Python: `pip audit --format json`
+- Rust: `cargo audit --json`
+- Go: `govulncheck ./...`
+
+## Phase 3 — Static Analysis (SAST)
+
+### CodeQL (if available)
+
+```bash
+codeql database create /tmp/codeql-db --language=<detected> --overwrite
+codeql database analyze /tmp/codeql-db \
+  --format=sarif-latest \
+  --output=/tmp/codeql-results.sarif \
+  security-extended security-and-quality
+```
+
+Parse SARIF output for findings. Journal each finding with severity.
+
+## Phase 4 — Secret Scanning
+
+### Gitleaks (if available)
+
+```bash
+gitleaks detect --source . --report-format json --report-path /tmp/gitleaks.json
+```
+
+### TruffleHog (if available)
+
+```bash
+trufflehog filesystem . --json --only-verified
+```
+
+For each finding: report file, line, secret type, and remediation.
+
+## Phase 5 — Container Security (if applicable)
+
+Skip unless `PROJECT_HAS_DOCKERFILE` is `true` or a Dockerfile is detected.
+
+### Trivy (if available)
+
+Filesystem scan:
+
+```bash
+trivy fs --severity HIGH,CRITICAL --format json .
+```
+
+Image scan (if image is built):
+
+```bash
+trivy image --severity HIGH,CRITICAL --format json <image-name>
+```
+
+### Docker Scout (if available)
+
+```bash
+docker scout cves <image-name> --format json --only-severity critical,high
+```
+
+## Phase 6 — Source Code Analysis
+
+Perform static analysis of the source code for common vulnerability patterns:
+
+1. **SQL injection** — string interpolation in SQL queries, missing parameterized
+   queries
+2. **Command injection** — user input passed to `exec()`, `spawn()`, or shell
+   commands without sanitization
+3. **Path traversal** — user-supplied paths used without normalization and
+   boundary checks
+4. **Prototype pollution** — unchecked `Object.assign()`, deep merge without
+   prototype guards
+5. **Input validation gaps** — overly permissive schemas, missing validation on
+   API boundaries
+6. **Authentication bypass** — endpoints accessible without auth checks
+7. **Error disclosure** — stack traces, database errors, or internal structure
+   leaked in responses
+
+## Phase 7 — CI/CD Pipeline Review
+
+If GitHub Actions workflows exist (`.github/workflows/`):
+
+1. **Action pinning** — verify `uses:` references use SHA commits, not tags
+2. **Secret handling** — verify secrets use `${{ secrets.* }}`, not inline values
+3. **Security gates** — verify security scans hard-fail (no `continue-on-error: true`)
+4. **Permissions** — verify workflow `permissions` follows least privilege
+
+## Phase 8 — Findings Report
+
+Journal all findings:
+
+```
+create_entry({
+  content: "Security audit finding: <severity> — <description>. Tool: <tool>. File: <path>.",
+  entry_type: "security_finding",
+  tags: ["commander", "security", "<tool-name>"],
+})
+```
+
+Produce a structured summary:
+
+| Category                   | Risk Level | Findings | Critical |
+| -------------------------- | ---------- | -------- | -------- |
+| Dependency Vulnerabilities |            |          |          |
+| Static Analysis (SAST)     |            |          |          |
+| Secret Exposure            |            |          |          |
+| Container Security         |            |          |          |
+| Source Code Patterns       |            |          |          |
+| CI/CD Pipeline             |            |          |          |
+
+**HITL checkpoint**: Present findings report to the human with:
+
+- An overall security posture score (A–F)
+- Top 3 most urgent remediations
+- Whether any findings are auto-fixable
+
+## Phase 9 — Apply Fixes (with approval)
+
+After human approves the fix plan:
+
+1. Apply fixes in severity order (critical → high → moderate → low)
+2. Run validation gates after all fixes:
+   - Gate 1: Lint + Typecheck
+   - Gate 2: Build
+   - Gate 3: Tests
+3. Journal each fix applied
+
+## Phase 10 — Commit
+
+Stage and commit security fixes:
+
+```bash
+git add <fixed files> <changelog>
+git diff --cached --stat
+git commit -m "security: audit fixes"
+```
+
+**Do not push** without human approval.

package/skills/github-commander/workflows/update-deps.md

@@ -0,0 +1,109 @@
+# Update Dependencies
+
+Run a structured dependency update with validation gates and journal audit trail.
+Generalized for any package manager (npm, yarn, pnpm, bun).
+
+## Phase 1 — Update Dependencies
+
+1. Detect package manager (see SKILL.md § Package Manager Auto-Detection)
+
+2. Update dependencies using the detected package manager:
+
+   | Package Manager | Update Command | Audit Command         |
+   | --------------- | -------------- | --------------------- |
+   | npm             | `npm update`   | `npm audit`           |
+   | yarn            | `yarn upgrade` | `yarn audit`          |
+   | pnpm            | `pnpm update`  | `pnpm audit`          |
+   | bun             | `bun update`   | _(no built-in audit)_ |
+
+3. Run dependency audit (if available for the package manager)
+
+4. If audit reports vulnerabilities:
+   - Attempt auto-fix (e.g., `npm audit fix`)
+   - For unfixable issues: check if lockfile overrides/resolutions can pin
+     transitive deps to patched versions
+   - Journal each vulnerability found
+
+5. Check for remaining outdated packages:
+
+   ```bash
+   # npm
+   npm outdated
+   # yarn
+   yarn outdated
+   # pnpm
+   pnpm outdated
+   ```
+
+6. For any remaining outdated packages:
+   - Update the version range in the manifest file
+   - Run install to update the lockfile
+   - **Skip intentionally pinned packages** (pre-release pins, exact-version
+     pins where Current = Wanted ≠ Latest)
+
+## Phase 2 — Dockerfile Dependencies (Optional)
+
+Skip this phase unless `PROJECT_HAS_DOCKERFILE` is `true` or a `Dockerfile`
+is detected in the project root.
+
+1. Scan the Dockerfile for manually patched packages (e.g., `npm pack <pkg>@<version>`)
+2. For each patched package:
+   - Check the registry for the latest version
+   - Check for known CVEs
+   - If a newer version exists, update the Dockerfile patch lines
+3. Check base image for updates:
+   - Verify the base image tag is pinned (not `latest`)
+   - Check for newer patch versions of the pinned base
+4. If the Dockerfile uses edge repositories for system packages, verify
+   those packages are current
+
+## Phase 3 — Validation Gates
+
+Run the standard validation gates from SKILL.md:
+
+1. **Gate 1**: Lint + Typecheck (`PROJECT_LINT_CMD`, `PROJECT_TYPECHECK_CMD`)
+2. **Gate 2**: Build (`PROJECT_BUILD_CMD`)
+3. **Gate 3**: Tests (`PROJECT_TEST_CMD`)
+4. **Gate 4**: E2E Tests (`PROJECT_E2E_CMD`)
+
+Journal each gate result. Fix any failures caused by dependency updates.
+
+## Phase 4 — Journal & Changelog
+
+1. Journal the update:
+
+   ```
+   create_entry({
+     content: "Updated dependencies: <list of packages updated>. Audit: <clean/N vulnerabilities>.",
+     entry_type: "deps_update",
+     tags: ["commander", "deps-update"]
+   })
+   ```
+
+2. Update the project changelog (if it exists):
+   - Security fixes (CVE/GHSA) under a security section
+   - Version bumps under a changed/dependencies section
+   - **Do not duplicate existing section headers**
+
+## Phase 5 — Human Checkpoint
+
+Present to the human:
+
+- List of updated packages with old → new versions
+- Any vulnerabilities found and their status (fixed/unfixable)
+- Gate results
+- Changelog additions
+
+Wait for human approval before committing.
+
+## Phase 6 — Commit
+
+Stage only the files changed by this workflow:
+
+```bash
+git add package.json package-lock.json <changelog> <Dockerfile if changed>
+git diff --cached --stat
+git commit -m "chore: update dependencies"
+```
+
+**Do not push.** The human decides when to push or create a PR.

package/.dockerignore

@@ -1,139 +0,0 @@
-# =============================================================================
-# Memory Journal MCP - Docker Build Ignore File
-# =============================================================================
-# Files and directories excluded from Docker build context
-# Keep this in sync with .gitignore where applicable
-
-# -----------------------------------------------------------------------------
-# Dependencies (reinstalled in builder stage)
-# -----------------------------------------------------------------------------
-node_modules/
-
-# -----------------------------------------------------------------------------
-# Git and Version Control
-# -----------------------------------------------------------------------------
-.git/
-.gitignore
-.github/
-.gitattributes
-
-# -----------------------------------------------------------------------------
-# IDE and Editor Files
-# -----------------------------------------------------------------------------
-.vscode/
-.cursor/
-.idea/
-*.swp
-*.swo
-*~
-*.tsbuildinfo
-
-# -----------------------------------------------------------------------------
-# OS Files
-# -----------------------------------------------------------------------------
-.DS_Store
-Thumbs.db
-
-# -----------------------------------------------------------------------------
-# Development Tooling (not needed in production)
-# -----------------------------------------------------------------------------
-.prettierrc
-.prettierignore
-eslint.config.js
-vitest.config.ts
-tests/
-coverage/
-.test-output/
-dist/
-
-# -----------------------------------------------------------------------------
-# Local Development Files
-# -----------------------------------------------------------------------------
-docker-compose.yml
-mcp-config-example.json
-tools.json
-server.json
-mcp-publisher.exe
-
-# -----------------------------------------------------------------------------
-# Security Scanning Configs (CI only)
-# -----------------------------------------------------------------------------
-.scout-ignore
-.trivyignore
-trivy-results.sarif
-
-# -----------------------------------------------------------------------------
-# Documentation (keep README.md for Docker Hub)
-# -----------------------------------------------------------------------------
-docs/
-releases/
-CHANGELOG.md
-CODE_OF_CONDUCT.md
-CONTRIBUTING.md
-DOCKER_README.md
-SECURITY.md
-*.md
-!README.md
-
-# -----------------------------------------------------------------------------
-# Data Directory (mounted as volume at runtime)
-# -----------------------------------------------------------------------------
-data/
-
-# -----------------------------------------------------------------------------
-# Database and Index Files (runtime only)
-# -----------------------------------------------------------------------------
-*.db
-*.db-shm
-*.db-wal
-*.sqlite
-*.sqlite3
-# Legacy vector index files (before sqlite-vec migration)
-.vectra_index/
-*.vectra/
-
-# -----------------------------------------------------------------------------
-# Temporary Files
-# -----------------------------------------------------------------------------
-temp/
-tmp/
-*.tmp
-*.temp
-
-
-# -----------------------------------------------------------------------------
-# Logs
-# -----------------------------------------------------------------------------
-*.log
-logs/
-
-# -----------------------------------------------------------------------------
-# Security and Secrets
-# -----------------------------------------------------------------------------
-*.pem
-*.key
-.env
-.env.*
-auth.json
-github_auth.json
-.mcpregistry_*
-
-# -----------------------------------------------------------------------------
-# Python Legacy (archived, not used in TypeScript version)
-# -----------------------------------------------------------------------------
-__pycache__/
-*.py[cod]
-*$py.class
-*.so
-.Python
-venv/
-env/
-ENV/
-*.egg-info/
-*.egg
-
-# -----------------------------------------------------------------------------
-# Assets
-# -----------------------------------------------------------------------------
-social-preview.png
-

package/.gitattributes

@@ -1,20 +0,0 @@
-# Enforce LF line endings for all text files
-* text=auto eol=lf
-
-# Windows-specific scripts that require CRLF
-*.bat text eol=crlf
-*.cmd text eol=crlf
-
-# Docker
-Dockerfile text eol=lf
-.dockerignore text eol=lf
-
-
-# Explicitly binary
-*.db binary
-*.wasm binary
-*.png binary
-*.jpg binary
-*.ico binary
-
-.github/workflows/*.lock.yml linguist-generated=true merge=ours

package/.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,95 +0,0 @@
----
-name: Bug Report
-about: Create a report to help us improve the Memory Journal MCP Server
-title: '[BUG] '
-labels: ['bug']
-assignees: ''
----
-
-## 🐛 Bug Description
-
-A clear and concise description of what the bug is.
-
-## 🔄 Steps to Reproduce
-
-Steps to reproduce the behavior:
-
-1. Go to '...'
-2. Execute command '...'
-3. See error
-
-## ✅ Expected Behavior
-
-A clear and concise description of what you expected to happen.
-
-## ❌ Actual Behavior
-
-A clear and concise description of what actually happened.
-
-## 📱 Environment
-
-**MCP Client:**
-
-- Client: [e.g. Cursor, Claude Desktop]
-- Version: [e.g. 0.42.3]
-
-**System:**
-
-- OS: [e.g. Windows 11, macOS 14, Ubuntu 22.04]
-- Python Version: [e.g. 3.11.5]
-- Docker Version: [e.g. 24.0.6] (if using Docker)
-
-**Memory Journal MCP:**
-
-- Version/Tag: [e.g. :lite, :latest, commit hash]
-- Installation Method: [Docker Hub, local build, manual]
-
-## 📋 Configuration
-
-**MCP Configuration** (from ~/.cursor/mcp.json or similar):
-
-```json
-{
-  "mcpServers": {
-    "memory-journal": {
-      // Your configuration here
-    }
-  }
-}
-```
-
-## 📊 Database State
-
-- Database size: [e.g. 2.3MB, empty]
-- Number of entries: [e.g. 150 entries, fresh install]
-- Recent operations: [e.g. created 5 entries today]
-
-## 🔍 Error Logs
-
-**Error Messages:**
-
-```
-Paste any error messages or stack traces here
-```
-
-**MCP Server Logs:**
-
-```
-Include any relevant server output or logs
-```
-
-## 🖼️ Screenshots
-
-If applicable, add screenshots to help explain your problem.
-
-## 🔧 Additional Context
-
-Add any other context about the problem here:
-
-- Does this happen consistently or intermittently?
-- Any recent changes to your setup?
-- Workarounds you've tried?
-
-## ✨ Possible Solution
-
-If you have ideas on how to fix this, please share them here.

package/.github/ISSUE_TEMPLATE/config.yml

@@ -1,11 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: 📚 Documentation
-    url: https://github.com/neverinfamous/memory-journal-mcp/blob/main/README.md
-    about: Check the comprehensive README for setup instructions and usage examples
-  - name: 🐳 Docker Hub
-    url: https://hub.docker.com/r/writenotenow/memory-journal-mcp
-    about: View the official Docker images and installation instructions
-  - name: 💬 GitHub Discussions
-    url: https://github.com/neverinfamous/memory-journal-mcp/discussions
-    about: Ask questions, share ideas, and discuss with the community