smart-web-mcp 0.32.0 → 0.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -46,6 +46,7 @@ The format is based on Keep a Changelog[^1] and this project uses SemVer.
46
46
  - Added `--json-file <path>` and an npm alias for provider benchmark JSON artifacts without stdout capture.
47
47
  - Added `--gap-file <path>` and `benchmark:providers:gaps` for compact provider evidence gap JSON artifacts.
48
48
  - Added `benchmark:providers:live:no-secret:gaps` for refreshing the compact all-no-secret live provider evidence gap artifact without archiving the full Markdown/JSON report.
49
+ - Added `--compare-external` and `benchmark:providers:compare` for no-secret/local comparative provider records, including optional Crawl4AI command skip diagnostics when `crawl4ai` is absent.
49
50
  - Added a provider benchmark report archive index in `reports/README.md` that points maintenance jobs at the current no-secret artifacts and labels older cumulative reports as historical calibration snapshots.
50
51
  - Added fixture skipped-case lane/reason metadata to provider benchmark live-vs-fixture and evidence-gap artifacts so credential-gated fixtures are not misread as absent fixtures.
51
52
  - Added `scripts/partial-handoff-watchdog.mjs` and `npm run watchdog:partial-handoff` to run a no-secret drift watchdog over representative partial/blocked/handoff outputs and fail on chrome URL, script, or style-shell leakage.
@@ -53,6 +54,7 @@ The format is based on Keep a Changelog[^1] and this project uses SemVer.
53
54
  - Added `expectPartialHandoff` checks to the partial/handoff watchdog so representative authwall/unavailable cases fail when they silently become non-partial/skipped instead of only checking already-suspect outputs.
54
55
  - Added a compact text-size ceiling to the partial/handoff watchdog so authwall/unavailable drift fails when `content[0].text` becomes verbose even without chrome/script leakage.
55
56
  - Added `scripts/no-secret-surface-watchdog.mjs` and `npm run watchdog:no-secret` as a deterministic no-secret current-surface gate for empty provider gaps, hosted API-key provider markers, and the partial/handoff compact-output ceiling.
57
+ - Added `npm run watchdog:no-secret:live` and a scheduled/manual GitHub Actions workflow for no-secret live regression smokes that refresh the compact gap artifact and fail on non-empty provider gaps without secrets.
56
58
  - Added BOJ unavailable/shutdown output to the partial/handoff watchdog representative set.
57
59
  - Added LinkedIn profile authwall output to the partial/handoff watchdog representative set.
58
60
  - Added Naver Blog unavailable/deleted post output to the partial/handoff watchdog representative set.
@@ -146,6 +148,18 @@ The format is based on Keep a Changelog[^1] and this project uses SemVer.
146
148
  - Korean public API helpers now validate outbound URLs and redirects before fetching, blocking localhost, private, and reserved targets unless `network.allowPrivateHosts` is explicitly enabled.
147
149
  - CI now declares read-only default repository permissions, Dependabot auto-merge pins the reusable workflow without forwarding all caller secrets, and the workflow check enforces those guards.
148
150
 
151
+ ## [0.33.0](https://github.com/jojo-labs/smart-web/compare/v0.32.0...v0.33.0) (2026-06-22)
152
+
153
+
154
+ ### Features
155
+
156
+ * **benchmark:** add no-secret comparison ([#373](https://github.com/jojo-labs/smart-web/issues/373)) ([90a26c9](https://github.com/jojo-labs/smart-web/commit/90a26c9921dfa2ce75df69dbf36fc33eb26595f8))
157
+
158
+
159
+ ### CI / Release
160
+
161
+ * add no-secret live watchdog ([#372](https://github.com/jojo-labs/smart-web/issues/372)) ([a8c0975](https://github.com/jojo-labs/smart-web/commit/a8c09759f88d76ec6709d56a64ab7a3b1508b929))
162
+
149
163
  ## [0.32.0](https://github.com/jojo-labs/smart-web/compare/v0.31.0...v0.32.0) (2026-06-22)
150
164
 
151
165
 
package/README.md CHANGED
@@ -477,6 +477,7 @@ Use the provider benchmark when deciding whether to build, wrap, or replace retr
477
477
  ```bash
478
478
  npm run benchmark:providers
479
479
  npm run benchmark:providers:measure
480
+ npm run benchmark:providers:compare
480
481
  npm run --silent benchmark:providers:json
481
482
  npm run benchmark:providers:json-file
482
483
  npm run benchmark:providers:report
@@ -493,6 +494,7 @@ npm run benchmark:providers:live:naver-cafe
493
494
  npm run benchmark:providers:live:x-twitter
494
495
  npm run benchmark:providers:live:no-secret
495
496
  npm run benchmark:providers:live:no-secret:gaps
497
+ npm run watchdog:no-secret:live
496
498
  npm run benchmark:providers:trend
497
499
  npm run benchmark:smartsearch
498
500
  npm run --silent benchmark:smartsearch:json
@@ -502,6 +504,8 @@ npm run watchdog:partial-handoff
502
504
 
503
505
  The default report is availability-only and safe for CI. `--run-measurements` (`npm run benchmark:providers:measure`) adds deterministic fixture records for available local/core and optional no-key lanes: success, useful character counts, projected/text character counts, useful-to-projected and useful-to-text yield ratios, latency, extractor/provider id, confidence, partial status, error class, lane label/family/category metadata, provider-family/category lane-status rollups, surface coverage, and recommendation sections grouped by lane, case, and surface.
504
506
 
507
+ Use `--compare-external` (`npm run benchmark:providers:compare`) to add an `externalComparisons` section that compares current smart-web fixture evidence against optional no-secret/local candidates. The comparison includes the local Crawl4AI command lane, the public Jina Reader relay fixture, and available direct/Playwright baselines. If `crawl4ai` is not installed, the Crawl4AI row is `skipped` with `action: "install-local-prerequisite"` and `prerequisite.command: "crawl4ai"`; this is an expected setup signal, not a benchmark failure or required dependency.
508
+
505
509
  Reports carry the `provider-benchmark.v1` schema version plus non-fatal git and runtime metadata so archived JSON, Markdown, and NDJSON trend artifacts are parseable, traceable, and comparable as the harness evolves. Markdown, text, JSON, and NDJSON outputs include aggregate fixture yield averages, compact yield rollups by provider family/category/lane, and a best-current-evidence surface table that ranks measured/skipped candidates so review jobs can compare token efficiency and build-vs-wrap posture between core, browser, relay, and specialist paths without reprocessing the full measurement table.
506
510
 
507
511
  Measurement artifacts also include a live-readiness manifest listing each lane's env/command/settings prerequisites, a deterministic fixture smoke, a safe MCP live-smoke candidate, and surfaces that still lack live evidence. `--run-live-smokes` (`npm run benchmark:providers:live`) is an explicit gated mode that runs only no-secret, core-surface live checks for static articles, long docs/Wikipedia, Hacker News, and docs export; optional no-secret lanes remain gated until explicitly allowlisted: `--allow-jina-live-smoke` (`npm run benchmark:providers:live:jina`) exercises the public Jina Reader relay with a secret-stripped settings file, `--allow-competitive-programming-live-smoke` (`npm run benchmark:providers:live:cp`) adds a public BOJ/Codeforces representative smoke for the competitive-programming specialist surface, `--allow-browser-live-smoke` (`npm run benchmark:providers:live:browser`) runs a Playwright `--force-dynamic` smoke for the JS-rendered article surface only when the local browser lane is available, `--allow-youtube-live-smoke` (`npm run benchmark:providers:live:youtube`) adds the public YouTube seed-lane representative smoke, `--allow-blocked-authwall-live-smoke` (`npm run benchmark:providers:live:blocked`) adds a deterministic HTTP Basic Auth challenge smoke that treats honest blocked/error/handoff signals as positive calibration without private credentials, `--allow-naver-blog-live-smoke` (`npm run benchmark:providers:live:naver-blog`) adds a stable public Naver Blog representative smoke for Korean specialist-lane calibration, `--allow-naver-map-live-smoke` (`npm run benchmark:providers:live:naver-map`) adds a stable public Naver Map place smoke with browser-preflight diagnostics, `--allow-naver-cafe-live-smoke` (`npm run benchmark:providers:live:naver-cafe`) adds a stable public Naver Cafe shared-link smoke that treats useful no-credential partial output as honest calibration, and `--allow-x-twitter-live-smoke` (`npm run benchmark:providers:live:x-twitter`) adds a public X/Twitter post smoke that keeps no-secret social-provider drift visible without private cookies. `--allow-all-no-secret-live-smokes` (`npm run benchmark:providers:live:no-secret`) enables every no-secret gate in one run; hosted API-key search lanes are excluded from the benchmark surface by product policy.
@@ -518,6 +522,8 @@ See `reports/README.md` for the curated report archive index. It identifies `pro
518
522
 
519
523
  `npm run watchdog:no-secret` is the deterministic current-surface gate for no-secret maintenance. It fails when `reports/provider-benchmark-live-no-secret-gaps.json` contains current gaps, when runtime/docs/examples/scripts reintroduce hosted API-key provider markers for Exa, Tavily, Firecrawl, Browserless, or Brave Search API, or when the partial/handoff watchdog no longer has a compact text ceiling. It intentionally ignores historical `CHANGELOG.md` entries and archived `reports/` output, and does not run live network smokes.
520
524
 
525
+ `npm run watchdog:no-secret:live` is the live regression gate for no-secret maintenance. It first refreshes `reports/provider-benchmark-live-no-secret-gaps.json` with `npm run benchmark:providers:live:no-secret:gaps`, then runs `npm run watchdog:no-secret` so non-empty live provider gaps fail locally or in CI. The scheduled/manual GitHub Actions workflow `.github/workflows/no-secret-live-watchdog.yml` runs the same alias weekly with read-only permissions, no secrets, and a short-retention gap artifact.
526
+
521
527
  `npm run watchdog:partial-handoff` builds the package and runs a compact no-secret drift watchdog over representative partial/blocked/handoff `smartfetch` outputs (httpbin authwall, LinkedIn profile authwall, Naver Blog unavailable/deleted posts, Threads unavailable/join-login output, DCInside unavailable/deleted posts, Telegram missing/private posts, a non-existent Wikidocs article, Naver Cafe, Naver Map search, and BOJ unavailable/shutdown output). It exits non-zero when expected handoff cases are silently reclassified as non-partial, when partial/handoff `content[0].text` grows beyond the compact watchdog ceiling, or when compact text or structured links/assets leak chrome URLs, script globals, or style-shell tokens, and prints a `partial-handoff-watchdog.v1` JSON report without raw page dumps or credentials. For runner artifacts without JSON stdout, run `node scripts/partial-handoff-watchdog.mjs --report-file <path>` after `npm run build`; the command keeps stdout human-readable and writes the full JSON report to the requested path. Fixture cases can set `expectPartialHandoff: true` to make classifier drift fail even if the output would otherwise be skipped.
522
528
 
523
529
  ## Quick verification
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "smart-web-mcp",
3
3
  "mcpName": "io.github.jojo-labs/smart-web",
4
- "version": "0.32.0",
4
+ "version": "0.33.0",
5
5
  "packageManager": "npm@11.9.0",
6
6
  "description": "Local MCP for web search, direct-URL fetch, compact normalized output, site crawling, and docs export.",
7
7
  "homepage": "https://github.com/jojo-labs/smart-web",
@@ -37,6 +37,7 @@
37
37
  "build": "rm -rf dist && tsc -p tsconfig.json && node scripts/ensure-bin-executable.mjs",
38
38
  "benchmark:providers": "node scripts/provider-benchmark.mjs",
39
39
  "benchmark:providers:measure": "node scripts/provider-benchmark.mjs --run-measurements",
40
+ "benchmark:providers:compare": "node scripts/provider-benchmark.mjs --run-measurements --compare-external",
40
41
  "benchmark:providers:json": "node scripts/provider-benchmark.mjs --run-measurements --json",
41
42
  "benchmark:providers:json-file": "node scripts/provider-benchmark.mjs --run-measurements --json-file reports/provider-benchmark.json",
42
43
  "benchmark:providers:report": "node scripts/provider-benchmark.mjs --run-measurements --report-file reports/provider-benchmark.md",
@@ -56,6 +57,7 @@
56
57
  "benchmark:smartsearch": "node --import tsx scripts/smartsearch-quality-benchmark.mjs",
57
58
  "benchmark:smartsearch:json": "node --import tsx scripts/smartsearch-quality-benchmark.mjs --json",
58
59
  "watchdog:no-secret": "node scripts/no-secret-surface-watchdog.mjs --json",
60
+ "watchdog:no-secret:live": "npm run benchmark:providers:live:no-secret:gaps && npm run watchdog:no-secret",
59
61
  "watchdog:partial-handoff": "npm run build && node scripts/partial-handoff-watchdog.mjs --json",
60
62
  "benchmark:providers:trend": "node scripts/provider-benchmark.mjs --run-measurements --trend-file reports/provider-benchmark.ndjson",
61
63
  "changelog:generate": "node scripts/generate-changelog-entry.mjs",