Releases: KryptosAI/mcp-observatory
Releases · KryptosAI/mcp-observatory
Release list
v1.34.0
v1.33.0 — Ed25519 Receipts, Multi-CI, SSO Auth, Demo Command, Safety Index SEO
New Features
- Ed25519 receipt signing — Cryptographic signing and verification for MCP receipts with zero new dependencies (Node.js built-in)
- Multi-CI templates — GitLab CI, CircleCI, Bitbucket Pipelines, Azure DevOps support with auto-detection
- SSO/OIDC auth — Device authorization flow, token storage, cloud login/logout/whoami commands
- Demo command —
mcp-observatory demoscans your servers and shows a safety grade in seconds - Remediation hints — Scan/test failures now tell you how to fix them (thanks @albatrossflyon-coder!)
Website
- Safety Index SEO — 175 server detail pages with health scores, dimension breakdowns, and check results
- Sitemap — Expanded from 1 to 177 URLs
- SOC 2 compliance docs — 8 documents covering system description, access control, change management, risk assessment, incident response, data retention, vendor management, encryption policy
Fixes
- TypeScript 7 peer dep conflict resolved (downgraded to 5.8.0)
- 3 pre-existing test failures fixed
--legacy-peer-depsremoved from all CI workflows- Lint errors blocking release pipeline resolved
v1.30.0: Skill Scanning + Snyk Parity
What's New
- 🕵️ Skill scanning: detect credential theft, exfiltration, remote execution, prompt injection in agent skill files
- 🌐 13+ agent auto-discovery: Cursor, Windsurf, VS Code, OpenCode, Codex, Gemini CLI, and more
- 🔤 Unicode obfuscation detection: zero-width characters, bidi overrides, Unicode tag sequences
- 🧬 YARA-inspired compound rules: credential-exfiltration, supply-chain-hijack, hidden-execution, social-engineering
- 📊 572 tests, 59 test files
New Contributors
- @albatrossflyon-coder made their first contribution in #201
Full Changelog: v1.29.2...v1.30.0
v1.29.2
v1.29.1
v1.29.0
v1.28.2
v1.28.1
v1.28.0 - MCP Receipts
MCP Receipts: portable trust evidence for agent dependencies
This release makes MCP Receipts a canonical public trust artifact for MCP Observatory.
A scan finds facts. A report explains facts. A receipt makes those facts portable, reproducible, citable, and actionable for CI gates, Safety Index entries, maintainers, agents, and buyers.
Highlights
- New
receiptCLI command for standalone JSON or Markdown MCP Receipts. - New
audit --receipt <file>output path to emit receipts alongside JSON, Markdown, or SARIF reports. - Receipt verdicts with explicit action states:
allow,gate,rerun,quarantine, andescalate. - Buyer-ready and maintainer-ready CTAs inside receipt artifacts.
- Government and enterprise pilot artifacts: procurement one-pager, security due diligence, public guidance crosswalk, and commercial boundary docs.
- Private telemetry command center improvements for growth direction, stale-version adoption, and paid-intent tracking.
- Stronger test coverage around receipt generation, artifact hashing, action receipts, and release behavior.
Try it
npx @kryptosai/mcp-observatory@latest audit npx -y <server-package> --receipt receipt.md --format markdown --output report.md
npx @kryptosai/mcp-observatory@latest receipt npx -y <server-package> --output receipt.jsonNext step after a clean receipt
npx @kryptosai/mcp-observatory@latest setup-ci --all --sarif --schedule weeklyNotes
This is safe-mode evidence generation only. MCP Observatory does not execute destructive payloads, exfiltrate secrets, or contact attacker-controlled callbacks.