Changelog

Releases

Release notes for the @neurynae/toolcairn-mcp package and the public API. Each entry corresponds to a tagged release on GitHub and a tarball on npm.

v1.1.0
minor2026-05-02
Agent feedback channel
- New `feedback` MCP tool — agent-only channel for flagging problems with ToolCairn itself (wrong / broken / low-quality / missing-capability / confusing). Distinct from `report_outcome`, which is about user-suggested libraries.
- Free of daily quota — calling `feedback` does not count toward your daily tool-call cap or bonus credits. Per-minute IP rate limits still apply.
- Universal `feedback_channel` footer on every other tool response, conditionally phrased ("If wrong/broken... Skip if useful") to discourage drift.
- Drift safeguards: severity is required + negative-only by enum; message minimum 20 chars; server-side dedup over 24h windows; soft per-user hourly limit.
v0.10.24
patch2026-04-30
Public-facing polish
- Refreshed npm + GitHub READMEs with brand hero, three-tier architecture visual, and bundled LICENSE.
- Lowercased GitHub repository slug across package metadata so npm provenance verification succeeds.
- author and bugs.url metadata added to package.json.
v0.10.22
patch2026-04-25
Pre-launch security hardening
- Replaced JWT-decode-only auth with full verification (HS256, dual-secret rotation).
- Strong-secret enforcement at boot — production refuses to start with weak or placeholder secrets.
- Per-route rate limits on every unauthenticated path; the edge fails closed on cache outage.
- CSP and standard hardening headers; admin and origin endpoints reject empty secrets.
- Local credentials file is created with mode 0600; cwd-root cache TTL added.
- npm publish now uses Sigstore provenance attestations.
v0.10.x
minor2026-04-12
Initial public release
- First public release of the MCP server with the discovery, stack, comparison, and project-config toolkits.
- Device-flow sign-in for MCP clients; 90-day local credentials.
- Standalone scan CLI for one-shot dependency health audits.

Older release notes and the full commit log live on GitHub Releases.

Changelog

Releases

Release notes for the @neurynae/toolcairn-mcp package and the public API. Each entry corresponds to a tagged release on GitHub and a tarball on npm.

v1.1.0
minor2026-05-02
Agent feedback channel
- New `feedback` MCP tool — agent-only channel for flagging problems with ToolCairn itself (wrong / broken / low-quality / missing-capability / confusing). Distinct from `report_outcome`, which is about user-suggested libraries.
- Free of daily quota — calling `feedback` does not count toward your daily tool-call cap or bonus credits. Per-minute IP rate limits still apply.
- Universal `feedback_channel` footer on every other tool response, conditionally phrased ("If wrong/broken... Skip if useful") to discourage drift.
- Drift safeguards: severity is required + negative-only by enum; message minimum 20 chars; server-side dedup over 24h windows; soft per-user hourly limit.
v0.10.24
patch2026-04-30
Public-facing polish
- Refreshed npm + GitHub READMEs with brand hero, three-tier architecture visual, and bundled LICENSE.
- Lowercased GitHub repository slug across package metadata so npm provenance verification succeeds.
- author and bugs.url metadata added to package.json.
v0.10.22
patch2026-04-25
Pre-launch security hardening
- Replaced JWT-decode-only auth with full verification (HS256, dual-secret rotation).
- Strong-secret enforcement at boot — production refuses to start with weak or placeholder secrets.
- Per-route rate limits on every unauthenticated path; the edge fails closed on cache outage.
- CSP and standard hardening headers; admin and origin endpoints reject empty secrets.
- Local credentials file is created with mode 0600; cwd-root cache TTL added.
- npm publish now uses Sigstore provenance attestations.
v0.10.x
minor2026-04-12
Initial public release
- First public release of the MCP server with the discovery, stack, comparison, and project-config toolkits.
- Device-flow sign-in for MCP clients; 90-day local credentials.
- Standalone scan CLI for one-shot dependency health audits.

Older release notes and the full commit log live on GitHub Releases.

v1.1.0

v0.10.24

v0.10.22

v0.10.x

Search ToolCairn

v1.1.0

v0.10.24

v0.10.22

v0.10.x