chore(release): v0.10.0 — guard hardening + supply-chain integrity tr…

…ipwire (#84)

Six runtime-guard upgrades (H1/H2 carrier inspection + hidden-char detector,
H9 fail-closed un-guardable transport, H4 field-level schema-drift tiering,
H7 sampling/elicitation injection scan + relay block-to-origin, H5 handshake
drift) plus mcpm's first supply-chain signal (H11 npm same-version integrity
drift). Also: `mcpm init` now scaffolds a stack file (dead packs removed),
shell completions cover the full command set, and `mcpm_search` is annotated
read-only.

- Bump package.json 0.9.0 -> 0.10.0
- CHANGELOG [0.10.0] entry
- Sync banner SVGs v0.8.1 -> v0.10.0 (missed in the v0.9.0 release)

Full suite 1657 passing; tsc clean.

chore(release): v0.7.1 — 12 MEDIUM/LOW security fixes + #28 cleanup-n…

…ame fix (#48)

chore(release): v0.7.0 — mcpm why + 4 HIGH security fixes; add Depend…

…abot (#31) (#33)

chore(release): v0.6.0 — encrypted secrets (mcpm secrets) (#12)

v0.5.0 — mcpm-guard runtime defense

Adds mcpm-guard, the first MCP runtime defense distributed inside a
package manager. Wraps every installed MCP server with an inspection
relay; blocks prompt-injection in tool responses, schema rug-pulls
since install, and exfil-shaped tool-call arguments. Adoption is one
command (`mcpm guard enable`) instead of an afternoon of per-IDE
config wrapping.

11 new commands:
  enable / disable / status / demo / accept-drift / mute / unmute /
  pause / cleanup / list-signatures / reset-integrity

3 vendored OWASP MCP Top 10 v0.1 signatures + 2 drift detectors:
  - OWASP-MCP-1 — tool-description poisoning + schema drift (rug-pull)
  - OWASP-MCP-2 — instruction injection in tool responses
  - OWASP-MCP-7 — sensitive-path exfil in tool arguments

Performance: p99 0.065ms small / 3.1ms large message overhead
(78× / 8× under design budget) via SDK framing helpers.

Reviewed across 6 rounds of independent security review during
development; every CRITICAL and HIGH finding fixed before commit.
~30 findings total. pnpm overrides clear all 9 dependabot advisories
on main (fast-uri / hono / postcss / ip-address).

Files written: ~/.mcpm/pins.json + .integrity sidecar, guard-policy.yaml
+ .integrity sidecar, guard-events.jsonl (parse with jq). All 0o600.

Tests: 1053/1053 passing. E2E verified through real npm pack +
npm install -g + real config rewrite + IDE-style spawn.

Docs: README "Runtime defense" section, docs/GUARD.md (long-form),
docs/SIGNATURES.md (catalog + PR template), docs/POLICY.md (policy
file reference). 12 new Decision Log entries in CLAUDE.md.

PR #7 — #7

feat: mcpm outdated, encrypted secrets, publish pipeline (v0.4.0)

* feat: v1.5 client-side features — outdated, secrets, publish, telemetry

mcpm outdated
- New command: shows installed servers with version updates or trust regressions
- Shared checkVersionDrift() with mcpm update (no duplicate logic)
- Normalises semver pre* release types; trust level from score.level (not inline threshold)
- Always bypasses cache for fresh results; --json output

Encrypted secrets store
- New src/store/keychain.ts: AES-GCM + PBKDF2 (600k iterations, per-value salt)
- Zero native deps (no keytar/node-gyp); importKey cached per-process
- toPlaceholder/parsePlaceholder for config file references
- Input validation: server and key names must match [a-zA-Z0-9._-]

mcpm publish
- New command group: scaffold (interactive wizard), check (dry-run), submit
- Trust gate: blocks on critical/high findings via shared assertTrustGate()
- Graceful 404/405: shows "API not yet available" when registry endpoint missing
- Token from GITHUB_TOKEN/MCPM_TOKEN env only — never from CLI flags
- ANSI stripping on scanner finding messages in error output

Telemetry (default off)
- Queue + anonymize: strips server names; errorCode allowlisted [A-Z_]{1,64}
- Respects MCPM_NO_TRACK=1 and DO_NOT_TRACK=1

servers.ts
- Added trustScore?: number to InstalledServer for drift detection
- Schema v2: writes { mcpmSchemaVersion: 2, servers: [...] }
- Backward-compatible: reads legacy bare-array format transparently

* chore: drop telemetry — contradicts 'No telemetry' README claim

The project's original decision log (2026-03-28) documented exactly this:
'Trust paradox: security tool shouldn't track users at launch.'
README line 236 makes an unconditional claim. Shipping a telemetry queue,
even disabled, breaks that promise. Revisit after registry network effect
is established and users have reason to trust the tool.

* chore: v0.4.0 — bump version, banners, changelog, pre-landing fixes

- Bump package.json to 0.4.0
- Update banner-light.svg and banner-dark.svg to v0.4.0
- Add CHANGELOG.md with 0.4.0 entry
- Add new commands (outdated, secrets, publish) to README commands table
- Fix prerelease semver producing invalid versionChange in mcpm outdated
- Fix console.log → stdoutOutput in publish scaffold action
- Persist trustScore in install.ts so mcpm outdated trust regression is live