Skip to content

Releases: KryptosAI/mcp-observatory

v1.34.0

Choose a tag to compare

@github-actions github-actions released this 19 Jul 02:10

1.34.0 (2026-07-19)

Bug Fixes

  • suppress lint errors in safety-index population script (a59a4ee)

Features

  • Safety Index API — 8 public endpoints + static data (20ec194)

v1.33.0 — Ed25519 Receipts, Multi-CI, SSO Auth, Demo Command, Safety Index SEO

Choose a tag to compare

@KryptosAI KryptosAI released this 18 Jul 02:31

New Features

  • Ed25519 receipt signing — Cryptographic signing and verification for MCP receipts with zero new dependencies (Node.js built-in)
  • Multi-CI templates — GitLab CI, CircleCI, Bitbucket Pipelines, Azure DevOps support with auto-detection
  • SSO/OIDC auth — Device authorization flow, token storage, cloud login/logout/whoami commands
  • Demo commandmcp-observatory demo scans your servers and shows a safety grade in seconds
  • Remediation hints — Scan/test failures now tell you how to fix them (thanks @albatrossflyon-coder!)

Website

  • Safety Index SEO — 175 server detail pages with health scores, dimension breakdowns, and check results
  • Sitemap — Expanded from 1 to 177 URLs
  • SOC 2 compliance docs — 8 documents covering system description, access control, change management, risk assessment, incident response, data retention, vendor management, encryption policy

Fixes

  • TypeScript 7 peer dep conflict resolved (downgraded to 5.8.0)
  • 3 pre-existing test failures fixed
  • --legacy-peer-deps removed from all CI workflows
  • Lint errors blocking release pipeline resolved

v1.30.0: Skill Scanning + Snyk Parity

Choose a tag to compare

@KryptosAI KryptosAI released this 09 Jul 17:12
f6c8e25

What's New

  • 🕵️ Skill scanning: detect credential theft, exfiltration, remote execution, prompt injection in agent skill files
  • 🌐 13+ agent auto-discovery: Cursor, Windsurf, VS Code, OpenCode, Codex, Gemini CLI, and more
  • 🔤 Unicode obfuscation detection: zero-width characters, bidi overrides, Unicode tag sequences
  • 🧬 YARA-inspired compound rules: credential-exfiltration, supply-chain-hijack, hidden-execution, social-engineering
  • 📊 572 tests, 59 test files

New Contributors

Full Changelog: v1.29.2...v1.30.0

v1.29.2

Choose a tag to compare

@github-actions github-actions released this 08 Jul 14:36
8f9d937

1.29.2 (2026-07-08)

Bug Fixes

  • mention vim keys in menu footer (6dd2f1e)

v1.29.1

Choose a tag to compare

@github-actions github-actions released this 08 Jul 01:42
fca5413

1.29.1 (2026-07-08)

Bug Fixes

  • add missing type fields in dashboard test mocks (fbd59d3)
  • resolve dashboard lint errors (fca5413)

v1.29.0

Choose a tag to compare

@github-actions github-actions released this 07 Jul 22:01
7a3a382

1.29.0 (2026-07-07)

Bug Fixes

Features

  • add deprecation warnings for legacy CLI commands (#187) (ebae2a5)

v1.28.2

Choose a tag to compare

@github-actions github-actions released this 06 Jul 22:16
6e22a05

1.28.2 (2026-07-06)

Bug Fixes

  • guard npm publish race after semantic release (#156) (6e22a05)

v1.28.1

Choose a tag to compare

@github-actions github-actions released this 06 Jul 22:09
e1daaf6

1.28.1 (2026-07-06)

Bug Fixes

  • publish package version when semantic release skips (#155) (e1daaf6)

v1.28.0 - MCP Receipts

Choose a tag to compare

@KryptosAI KryptosAI released this 06 Jul 21:54
1ee9644

MCP Receipts: portable trust evidence for agent dependencies

This release makes MCP Receipts a canonical public trust artifact for MCP Observatory.

A scan finds facts. A report explains facts. A receipt makes those facts portable, reproducible, citable, and actionable for CI gates, Safety Index entries, maintainers, agents, and buyers.

Highlights

  • New receipt CLI command for standalone JSON or Markdown MCP Receipts.
  • New audit --receipt <file> output path to emit receipts alongside JSON, Markdown, or SARIF reports.
  • Receipt verdicts with explicit action states: allow, gate, rerun, quarantine, and escalate.
  • Buyer-ready and maintainer-ready CTAs inside receipt artifacts.
  • Government and enterprise pilot artifacts: procurement one-pager, security due diligence, public guidance crosswalk, and commercial boundary docs.
  • Private telemetry command center improvements for growth direction, stale-version adoption, and paid-intent tracking.
  • Stronger test coverage around receipt generation, artifact hashing, action receipts, and release behavior.

Try it

npx @kryptosai/mcp-observatory@latest audit npx -y <server-package> --receipt receipt.md --format markdown --output report.md
npx @kryptosai/mcp-observatory@latest receipt npx -y <server-package> --output receipt.json

Next step after a clean receipt

npx @kryptosai/mcp-observatory@latest setup-ci --all --sarif --schedule weekly

Notes

This is safe-mode evidence generation only. MCP Observatory does not execute destructive payloads, exfiltrate secrets, or contact attacker-controlled callbacks.

v0.28.0

Choose a tag to compare

@github-actions github-actions released this 06 Jul 15:00
73c8302

0.28.0 (2026-07-06)

Features

  • promote attack simulator homepage demo (73c8302)