tool-compass 2.0.6__tar.gz → 2.2.0__tar.gz

tool_compass-2.2.0/.github/dependabot.yml

@@ -0,0 +1,24 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    groups:
+      # Minor + patch only so breaking majors open as SEPARATE PRs.
+      # (Avoids the ollama-intern PR #4 incident where 5 breaking majors
+      # shipped bundled under a wildcard group.)
+      all-pip:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 3
+    groups:
+      all-github-actions:
+        patterns: ["*"]
+        update-types: ["minor", "patch"]

tool_compass-2.2.0/.github/workflows/ci.yml

@@ -0,0 +1,341 @@
+# Tool Compass CI Pipeline
+# Runs tests on pushes and PRs that touch code or config.
+# Also handles GitHub Pages deploy for site/** changes on main (folded in from
+# the former pages.yml per the two-workflow-per-repo hard rule).
+
+name: CI
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '*.py'
+      - 'tests/**'
+      - 'scripts/**'
+      - 'requirements*.txt'
+      - 'pyproject.toml'
+      - 'Dockerfile'
+      - 'site/**'
+      - '.github/workflows/**'
+  pull_request:
+    branches: [main]
+    paths:
+      - '*.py'
+      - 'tests/**'
+      - 'scripts/**'
+      - 'requirements*.txt'
+      - 'pyproject.toml'
+      - 'Dockerfile'
+      - 'site/**'
+      - '.github/workflows/**'
+  # TST-FT-002: nightly-fuzz job runs Hypothesis in `nightly` profile
+  # Mon/Wed/Fri at 09:00 UTC. Kept in this file to preserve the
+  # two-workflow-per-repo limit.
+  schedule:
+    - cron: '0 9 * * 1,3,5'
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Default least-privilege; individual jobs that need more elevate explicitly.
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Org URL sanity check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Check for stale org/user URLs
+        run: bash scripts/check-org-urls.sh
+
+      # CDS-FT-001: SCORECARD drift guard. Soft-fail for now — shipcheck
+      # markdown output is still settling. Flip continue-on-error to false
+      # once the format stabilizes.
+      # TODO(swarm): enforce once shipcheck JSON format stabilizes
+      - name: Verify SCORECARD is in sync
+        continue-on-error: true
+        run: |
+          if [ -f Makefile ] && grep -q "^verify-scorecard:" Makefile; then
+            make verify-scorecard
+          else
+            echo "Makefile verify-scorecard target missing — skipping"
+          fi
+
+  test:
+    name: Python ${{ matrix.python-version }} on ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        # Two versions per user's hard rule (max 2 Python versions). Covers
+        # current stable + latest supported, keeping requires-python honest.
+        # 3.13 dropped from CI matrix: hnswlib 0.8.0's cp313 wheel SIGILLs on
+        # GitHub ubuntu-latest runners (AVX instruction gap). pyproject still
+        # declares 3.13 support; once hnswlib ships a forgiving cp313 wheel
+        # or we switch to a pluggable vector backend (IDX-FT-001), re-add it.
+        python-version: ['3.11', '3.12']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: 'pip'
+          cache-dependency-path: 'requirements*.txt'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install -r requirements-dev.txt
+
+      - name: Run tests
+        run: |
+          pytest -v --tb=short -m "not integration" \
+            --junitxml=junit-${{ matrix.python-version }}.xml
+
+      - name: Upload JUnit report
+        if: always()
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: junit-reports-${{ matrix.python-version }}
+          path: junit-${{ matrix.python-version }}.xml
+          if-no-files-found: warn
+
+      - name: Run tests with coverage
+        if: matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest'
+        run: |
+          pytest --cov=. --cov-report=xml --cov-report=term -m "not integration"
+
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest'
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+        with:
+          file: coverage.xml
+          fail_ci_if_error: false
+
+      - name: Run pip-audit (report only)
+        if: matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest'
+        run: |
+          pip-audit -r requirements.txt --format json --output pip-audit-report.json || true
+        # Non-blocking: full output captured as artifact for reviewers.
+
+      - name: Upload pip-audit report
+        if: matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest'
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: pip-audit-report
+          path: pip-audit-report.json
+          if-no-files-found: ignore
+
+      - name: Audit dependencies for vulnerabilities
+        if: matrix.python-version == '3.11' && matrix.os == 'ubuntu-latest'
+        run: |
+          pip-audit -r requirements.txt
+        # TODO(swarm): enforce after CVE baseline reviewed — issue #TBD
+        continue-on-error: true  # Warn-only until clean baseline established
+
+  # TST-FT-002: nightly Hypothesis fuzzing. Runs on schedule (Mon/Wed/Fri 09:00
+  # UTC) or manually via workflow_dispatch. Never runs on push/PR — nightly-only.
+  # On failure, opens a tracking issue via actions/github-script.
+  nightly-fuzz:
+    name: Nightly Hypothesis fuzz
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+          cache-dependency-path: 'requirements*.txt'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install -r requirements-dev.txt
+
+      - name: Run Hypothesis (nightly profile)
+        id: fuzz
+        run: |
+          HYPOTHESIS_PROFILE=nightly pytest -m "not integration"
+
+      - name: Open tracking issue on failure
+        if: failure() && steps.fuzz.conclusion == 'failure'
+        # TODO(swarm): pin actions/github-script to SHA once nightly-fuzz run
+        # history confirms the job shape is stable.
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const title = `[nightly-fuzz] Hypothesis failures on ${context.sha}`;
+            const body = [
+              `Nightly Hypothesis run failed on commit \`${context.sha}\`.`,
+              ``,
+              `- Workflow: ${context.workflow}`,
+              `- Run: ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+              `- Triggered by: ${context.eventName}`,
+              ``,
+              `Investigate and either fix the underlying flake or narrow the strategy.`,
+            ].join('\n');
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title,
+              body,
+              labels: ['nightly-fuzz', 'bug'],
+            });
+
+  # Integration tests (requires Ollama)
+  integration:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    needs: test  # Only run after unit tests pass
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+          cache-dependency-path: 'requirements*.txt'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install -r requirements-dev.txt
+
+      - name: Install pinned Ollama
+        # Pinned to a specific Ollama release instead of piping `curl | sh`.
+        # Ollama's GitHub releases don't ship per-file .sha256 siblings, so
+        # we try to fetch one and fall back to a SHA-less pin. TODO(swarm):
+        # switch to attestation verification once Ollama publishes SLSA
+        # provenance, or hard-pin the known-good SHA-256 inline.
+        run: |
+          set -euo pipefail
+          OLLAMA_VERSION="v0.4.7"
+          BASE_URL="https://github.com/ollama/ollama/releases/download/${OLLAMA_VERSION}"
+          TARBALL="ollama-linux-amd64.tgz"
+          curl -fsSL "${BASE_URL}/${TARBALL}" -o "${TARBALL}"
+          if curl -fsSL "${BASE_URL}/${TARBALL}.sha256" -o "${TARBALL}.sha256" 2>/dev/null; then
+            sha256sum -c "${TARBALL}.sha256"
+          else
+            echo "::warning::Ollama ${OLLAMA_VERSION} release has no .sha256 file; proceeding without checksum verification (known upstream gap)."
+          fi
+          sudo tar -C /usr/local -xzf "${TARBALL}"
+          rm -f "${TARBALL}" "${TARBALL}.sha256"
+          ollama --version
+          ollama serve &
+          # Wait for the daemon to accept connections instead of a blind sleep.
+          for _ in $(seq 1 30); do
+            if curl -sf http://localhost:11434/api/version > /dev/null; then
+              break
+            fi
+            sleep 1
+          done
+          ollama pull nomic-embed-text
+
+      - name: Run integration tests
+        run: |
+          pytest -v -m integration
+        continue-on-error: true  # Integration tests may be flaky
+
+  docker:
+    name: Docker Build
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Build Docker image
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          push: false
+          tags: tool-compass:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # ===========================================================================
+  # GitHub Pages build + deploy (folded in from former pages.yml)
+  # Only runs on pushes to main — never on PRs. Deploy job carries the
+  # elevated permissions; build job stays read-only.
+  # ===========================================================================
+  pages-build:
+    name: Build site
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        with:
+          node-version: 22
+
+      - name: Install site dependencies
+        working-directory: site
+        run: npm ci
+
+      - name: Build site
+        working-directory: site
+        run: npm run build
+
+      - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
+        with:
+          path: site/dist
+
+  pages-deploy:
+    name: Deploy to GitHub Pages
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    needs: pages-build
+    runs-on: ubuntu-latest
+    # Dedicated concurrency group so a long deploy is never cancelled by a
+    # newer CI run (CDS-A-012).
+    concurrency:
+      group: pages
+      cancel-in-progress: false
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - id: deployment
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

tool_compass-2.2.0/.github/workflows/publish.yml

@@ -0,0 +1,178 @@
+# Tool Compass Release Pipeline
+# Publishes to PyPI (trusted publishing) and GHCR on release
+
+name: Publish
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    name: Build package
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: '3.11'
+
+      - name: Install build tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+
+      - name: Build package
+        run: python -m build
+
+      - name: Check package with twine
+        run: twine check dist/*
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: dist
+          path: dist/
+
+  publish-pypi:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    needs: build
+    environment: pypi
+    permissions:
+      id-token: write
+
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
+
+  docker:
+    name: Publish to GHCR
+    runs-on: ubuntu-latest
+    # PyPI ships first (CDS-B-005). If PyPI fails, Docker must not ship a
+    # half-release; if PyPI succeeds, Docker becomes the recoverable tail.
+    needs: publish-pypi
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Log in to GHCR
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      # QEMU is required to cross-build linux/arm64 from an amd64 runner.
+      - name: Set up QEMU
+        # TODO(swarm): pin docker/setup-qemu-action by SHA on next dependabot sweep.
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Build and push
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  release-smoke:
+    name: Release smoke test
+    runs-on: ubuntu-latest
+    needs: [publish-pypi, docker]
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: Derive version (strip leading v)
+        id: ver
+        run: |
+          set -euo pipefail
+          TAG="${{ github.event.release.tag_name }}"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: '3.11'
+
+      - name: PyPI smoke — install + --version matches tag
+        run: |
+          set -euo pipefail
+          VERSION="${{ steps.ver.outputs.version }}"
+          # PyPI propagation is fast but not instant; retry briefly.
+          for _ in $(seq 1 12); do
+            if pip install "tool-compass==${VERSION}"; then
+              break
+            fi
+            sleep 10
+          done
+          pip install "tool-compass==${VERSION}"
+          OUT="$(tool-compass --version 2>&1 || true)"
+          echo "tool-compass --version → $OUT"
+          echo "$OUT" | grep -Fq "${VERSION}" || {
+            echo "::error::PyPI smoke failed: --version output did not contain ${VERSION}"
+            exit 1
+          }
+
+      - name: Log in to GHCR (pull)
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker smoke — pull + --version matches tag
+        run: |
+          set -euo pipefail
+          TAG="${{ steps.ver.outputs.tag }}"
+          VERSION="${{ steps.ver.outputs.version }}"
+          IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}"
+          docker pull "$IMAGE"
+          OUT="$(docker run --rm --entrypoint tool-compass "$IMAGE" --version 2>&1 || true)"
+          echo "docker --version → $OUT"
+          echo "$OUT" | grep -Fq "${VERSION}" || {
+            echo "::error::Docker smoke failed: --version output did not contain ${VERSION}"
+            exit 1
+          }

{tool_compass-2.0.6 → tool_compass-2.2.0}/.gitignore

@@ -98,3 +98,12 @@ tmpclaude-*
 archive/
 site/.astro/
 site/node_modules/
+
+# forkctl / polyglot-mcp scratch
+.artifact/
+.polyglot-cache.json
+
+# repo-knowledge scratch (init creates these; don't commit)
+rk.config.json
+data/knowledge.db*
+data/artifacts/

{tool_compass-2.0.6 → tool_compass-2.2.0}/CHANGELOG.md

@@ -5,7 +5,79 @@ All notable changes to Tool Compass will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [2.2.0] - 2026-04-23
+
+Dogfood swarm release: Stage A bug/security health pass + Stage B/C humanization
++ Feature Pass. Shipcheck 17/17 retained.
+
+### Added
+- **Per-backend stdout reader** — isolated log streams per MCP backend so a noisy
+  child process can't crowd out siblings in the combined view
+- **`/ready` + `/metrics` HTTP endpoints** — readiness probe + Prometheus-style
+  metrics surface for operators running the gateway behind a load balancer
+- **Embedding cache** — LRU cache in `Embedder` so repeated identical queries
+  skip the Ollama round-trip
+- **Diffing sync** — `SyncManager` now emits a structured diff (added / removed /
+  changed) instead of a full rebuild signal; downstream consumers can act on
+  partial changes
+- **`tool-compass` CLI subcommand shell** (`cli.py`) — top-level entry point now
+  dispatches to `serve` (gateway), `ui` (Gradio), `doctor` (config health),
+  `sync`, `test`, and `config`. `python gateway.py` still works unchanged.
+- **`deprecated_aliases` in tool manifest** — lets backends rename tools without
+  breaking old callers; the compass surfaces both names and marks legacy ones
+- **`make scorecard` + `make verify-scorecard`** (CDS-FT-001) — regenerate
+  SCORECARD.md from shipcheck output; CI soft-fails on drift
+- **`make dev` + `make dev-ui`** (CDS-FT-002) — one-shot install + run targets
+  for the fast local loop, with a warning if Ollama isn't reachable
+- **Nightly Hypothesis fuzz job** (TST-FT-002) — `nightly-fuzz` runs Mon/Wed/Fri
+  at 09:00 UTC in `ci.yml` (no new workflow file), auto-opens a tracking issue
+  on failure
+- **Coverage floor** (TST-FT-001) — `[tool.coverage.report] fail_under = 60`
+  and `--cov-fail-under=60` in `make test`; conservative first gate
+- **Architecture Mermaid diagrams** (CDS-FT-005) — component graph + request
+  sequence diagrams in `site/src/content/docs/handbook/architecture.md`
+
+### Changed
+- `tool-compass` console script now targets `cli:main` (was `gateway:main`).
+  `python gateway.py` remains fully supported for direct invocation.
+- Wheel bundle includes `cli.py`
+
+### Fixed (Stage A — 23 HIGH bug/security)
+- Misc security, bug, and error-shape fixes surfaced by the health pass
+
+### Humanized (Stage B/C — 15 HIGH + 14 MED)
+- **Ollama-down lexical fallback** — compass returns keyword matches when the
+  embedding backend is unreachable, with a clear degraded-mode marker
+- **`trace_id` correlation** — every request carries a trace ID end-to-end for
+  log stitching
+- **Circuit breaker** on the embedder — opens after N consecutive failures,
+  half-opens after a cooldown
+- **Corrupt-config recovery** — malformed `compass_config.json` no longer
+  crashes startup; loader falls back to defaults with a warning
+- **`tool-compass doctor`** — diagnoses Ollama reachability, index presence,
+  backend health, and prints actionable fixes
+
+## [2.0.7] - 2026-03-25
+
+### Added
+- 5 version consistency tests (semver, >= 1.0.0, CHANGELOG, pyproject parse, CLI)
+
+### Security
+- SHA-pinned all GitHub Actions across 3 workflows (ci, pages, publish)
+
+## [2.0.6] - 2026-02-27
+
+### Added
+- SHIP_GATE.md and SCORECARD.md (Shipcheck compliance)
+- Makefile with `verify` target (lint + test + build)
+- Security & Data Scope section and scorecard in README
+- Standard email in SECURITY.md
+
+### Changed
+- Removed redundant h1 heading (logo already contains name)
+- Replaced footer with standard MCP Tool Shop link
+- Scorecard 46/50 → 50/50
+- Bumped to 2.0.6
 
 ## [2.0.3] - 2026-02-14
 
@@ -162,7 +234,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 | 1.1.0 | 2026-01-16 | Workflows, analytics, sync |
 | 1.0.0 | 2026-01-15 | Initial release |
 
-[Unreleased]: https://github.com/mcp-tool-shop-org/tool-compass/compare/v2.0.3...HEAD
+[Unreleased]: https://github.com/mcp-tool-shop-org/tool-compass/compare/v2.2.0...HEAD
+[2.2.0]: https://github.com/mcp-tool-shop-org/tool-compass/compare/v2.0.7...v2.2.0
+[2.0.7]: https://github.com/mcp-tool-shop-org/tool-compass/compare/v2.0.6...v2.0.7
+[2.0.6]: https://github.com/mcp-tool-shop-org/tool-compass/compare/v2.0.3...v2.0.6
 [2.0.3]: https://github.com/mcp-tool-shop-org/tool-compass/compare/v2.0.2...v2.0.3
 [2.0.2]: https://github.com/mcp-tool-shop-org/tool-compass/compare/v2.0.1...v2.0.2
 [2.0.1]: https://github.com/mcp-tool-shop-org/tool-compass/compare/v2.0.0...v2.0.1

{tool_compass-2.0.6 → tool_compass-2.2.0}/Dockerfile

@@ -4,7 +4,7 @@
 # =============================================================================
 # Stage 1: Builder
 # =============================================================================
-FROM python:3.11-slim as builder
+FROM python:3.11-slim AS builder
 
 WORKDIR /build
 
@@ -26,12 +26,12 @@ RUN pip install --no-cache-dir --upgrade pip && \
 # =============================================================================
 # Stage 2: Production
 # =============================================================================
-FROM python:3.11-slim as production
+FROM python:3.11-slim AS production
 
 LABEL maintainer="Tool Compass <github.com/mcp-tool-shop-org/tool-compass>"
 LABEL description="Semantic search gateway for MCP tools"
 # Keep in sync with pyproject.toml [project] version
-LABEL version="2.0.3"
+LABEL version="2.0.7"
 
 # Security: Run as non-root user
 RUN groupadd -r compass && useradd -r -g compass compass
@@ -76,7 +76,7 @@ CMD ["python", "ui.py"]
 # =============================================================================
 # Stage 3: MCP Gateway (alternative entrypoint)
 # =============================================================================
-FROM production as mcp-gateway
+FROM production AS mcp-gateway
 
 # Override for HTTP mode (Fly.io / Smithery)
 ENV PORT=8080