Skip to content

v0.4.0 feat: mcpm outdated, encrypted secrets, publish pipeline#6

Merged
m1ngshum merged 3 commits into
mainfrom
feat/v1.5-client-features
May 12, 2026
Merged

v0.4.0 feat: mcpm outdated, encrypted secrets, publish pipeline#6
m1ngshum merged 3 commits into
mainfrom
feat/v1.5-client-features

Conversation

@m1ngshum
Copy link
Copy Markdown
Member

@m1ngshum m1ngshum commented May 12, 2026

Summary

New capabilities in v0.4.0:

mcpm outdated — Version drift + trust regression detection

  • Shows which installed servers have newer versions available
  • Flags servers whose trust score has degraded since install (now live — trustScore persisted at install time)
  • --json flag for machine-readable output

Encrypted secrets storesrc/store/keychain.ts

  • AES-GCM encryption with PBKDF2 key derivation (600,000 iterations, per-value random salt)
  • Zero native dependencies — uses Node.js built-in crypto.subtle
  • Placeholder format mcpm:keychain:server/KEY for MCP config injection

mcpm publish — Registry submission pipeline

  • mcpm publish scaffold — 5-prompt interactive wizard to create .mcpm-publish.yaml
  • mcpm publish check — pre-flight trust gate (blocks on critical/high findings)
  • mcpm publish — submit to official registry (graceful fallback until API exists)

ServersFile schema v2{ mcpmSchemaVersion: 2, servers: [...] } with backward-compatible v1 migration

Infra: Dropped telemetry (contradicts README's "No telemetry. No analytics. No account required." guarantee)

Pre-Landing Review

4 findings reviewed:

  • [AUTO-FIXED] Prerelease semver (semver.diff() returning "prerelease") produced invalid versionChange value — added VALID_CHANGES set with "unknown" fallback
  • [AUTO-FIXED] console.log in scaffold action replaced with stdoutOutput for consistency
  • [FIXED] trustScore not persisted at install time — added to storeEntry in install.ts, trust regression detection is now live
  • [DEFERRED] --registry URL validation — low risk (CLI threat model), deferred to follow-up

PR Quality Score: 8/10

Test Coverage

82% of new code paths covered (above 80% target). 883 tests pass.

Key gaps (safe to defer):

  • registry/publish-client.ts — only exercised via mocks; real network paths untested
  • commands/publish/manifest.ts — YAML parse error and ENOENT paths not directly tested
  • Minor/patch color rendering in mcpm outdated (cosmetic)

Test plan

  • All 883 Vitest tests pass
  • TypeScript strict mode clean
  • Build succeeds (npm run build)

🤖 Generated with Claude Code

m1ngshum added 3 commits May 12, 2026 02:55
@m1ngshum
feat: v1.5 client-side features — outdated, secrets, publish, telemetry
37e06fa 
mcpm outdated
- New command: shows installed servers with version updates or trust regressions
- Shared checkVersionDrift() with mcpm update (no duplicate logic)
- Normalises semver pre* release types; trust level from score.level (not inline threshold)
- Always bypasses cache for fresh results; --json output

Encrypted secrets store
- New src/store/keychain.ts: AES-GCM + PBKDF2 (600k iterations, per-value salt)
- Zero native deps (no keytar/node-gyp); importKey cached per-process
- toPlaceholder/parsePlaceholder for config file references
- Input validation: server and key names must match [a-zA-Z0-9._-]

mcpm publish
- New command group: scaffold (interactive wizard), check (dry-run), submit
- Trust gate: blocks on critical/high findings via shared assertTrustGate()
- Graceful 404/405: shows "API not yet available" when registry endpoint missing
- Token from GITHUB_TOKEN/MCPM_TOKEN env only — never from CLI flags
- ANSI stripping on scanner finding messages in error output

Telemetry (default off)
- Queue + anonymize: strips server names; errorCode allowlisted [A-Z_]{1,64}
- Respects MCPM_NO_TRACK=1 and DO_NOT_TRACK=1

servers.ts
- Added trustScore?: number to InstalledServer for drift detection
- Schema v2: writes { mcpmSchemaVersion: 2, servers: [...] }
- Backward-compatible: reads legacy bare-array format transparently
@m1ngshum
chore: drop telemetry — contradicts 'No telemetry' README claim
41377a4 
The project's original decision log (2026-03-28) documented exactly this:
'Trust paradox: security tool shouldn't track users at launch.'
README line 236 makes an unconditional claim. Shipping a telemetry queue,
even disabled, breaks that promise. Revisit after registry network effect
is established and users have reason to trust the tool.
@m1ngshum
chore: v0.4.0 — bump version, banners, changelog, pre-landing fixes
4cbca27 
- Bump package.json to 0.4.0
- Update banner-light.svg and banner-dark.svg to v0.4.0
- Add CHANGELOG.md with 0.4.0 entry
- Add new commands (outdated, secrets, publish) to README commands table
- Fix prerelease semver producing invalid versionChange in mcpm outdated
- Fix console.log → stdoutOutput in publish scaffold action
- Persist trustScore in install.ts so mcpm outdated trust regression is live
@m1ngshum m1ngshum merged commit f2cd9c6 into main May 12, 2026
2 of 3 checks passed
@m1ngshum m1ngshum deleted the feat/v1.5-client-features branch May 12, 2026 14:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@m1ngshum