Changelog
Full release history for Synapse Layer. Sourced directly from the canonical CHANGELOG.md in the repository.
v2.4.4
Latest2026-07-01Fixed
- Restore mandatory
mcp-nameownership marker in README for Official MCP Registry validation. - No functional or security changes; retains all v2.4.3 remediations.
v2.4.3
2026-07-01Security
- Pinned
cryptography≥48.0.1to resolve GHSA-537c-gmf6-5ccf (vulnerable OpenSSL in older wheels).
Changed
- Dependency floor update only. No functional, API, MCP tool, or runtime behavior changes.
v2.4.2
2026-06-28Fixed
- Governance: Removed prohibited compliance claims and sensitive terminology from public manifests.
- Forge: Rectified
llms.txtwith canonical Markdown links and validated URL health (100/100 PageSpeed). - Metadata: Synchronized canonical versioning across all package authorities.
v2.4.1
2026-06-28Added
- Canonical version governance: single source of truth (
VERSION) with Hub-and-Spoke sync to public surfaces. version-gateCI workflow enforcing version consistency across all manifests.- Official TypeScript SDK synced under
sdk-typescript/. - Glama registry metadata with quality-optimized tool definitions.
server.jsonfor the MCP Official Registry.- Agent discovery files finalized for crawler and agent ingestion.
Changed
- Aligned all version manifests to canonical
2.4.1. - Smithery: tool annotations and
outputSchemaon all 13 tools; canonical configSchema. - README: added Use Cases, MCP Tools, and Deployment Modes sections.
Fixed
- Removed duplicate npm badges from README.
v2.4.0
2026-05-15Added
- Static MCP server-card with 13 tools for Smithery indexing.
- Secure Agent Handover branding and skill integration.
- Smithery publish automation with GitHub Action for registry refresh.
- GC Cron for expired memories (data lifecycle compliance).
POST /api/cron/gc— automated garbage collection endpoint.- Bearer token auth via
CRON_SECRET(constant-time comparison). - Hard-deletes
ForgeMemoryrows whereexpiresAt < NOW(). - Batched: 50 rows per DELETE, max 10 iterations (500 rows/run cap).
ForgeGcAuditLogtable — append-only audit trail.- FK-aware: cascades QualityGateResult cleanup before memory deletion.
- Fail-closed: missing env → 503, wrong/missing auth → 401.
Security
- Data lifecycle: expired data is hard-deleted (erasure), not soft-deleted.
- Zero PII in logs (only counts + duration).
- Parameterized queries only (zero string interpolation).
- Constant-time secret comparison (
crypto.timingSafeEqual).
Fixed
- Governance: replaced "End-to-end encrypted" with "AES-256-GCM encrypted at rest" across surfaces.
- Governance: removed the last zero-knowledge claim from the Hermes skill.
v2.3.7
2026-05-04Changed
- Public surface governance: claims matrix v1.0 applied.
- Removed deprecated claims from all public surfaces.
- Aligned descriptions, topics, and metadata across all public repos.
- Version synchronized across all distribution channels.
v1.2.0
2026-04-21Added
- Header-first auth via
x-connect-token. - Canonical agent identity (
normalizeAgentId()). - Token telemetry:
usedCount+lastUsedAt. - CI secret scanning (3 repositories).
Security
- Header takes priority over query param.
- AES-256-GCM hardened.
- Zero hardcoded secrets (CI enforced).
Verified in Production
curl -H "x-connect-token: VALID"→ 200 OK ✅- No token → 401 ✅
- Invalid token → 401 ✅
v1.1.8
2026-04-15- Supabase → PostgreSQL migration.
- Tests: 496 | Coverage: 88%.
v1.1.7
2026-04-10- Initial MCP Marketplace listing.