Changelog

Full release history for Synapse Layer. Sourced directly from the canonical CHANGELOG.md in the repository.

v2.4.4

Latest2026-07-01
Fixed
  • Restore mandatory mcp-name ownership marker in README for Official MCP Registry validation.
  • No functional or security changes; retains all v2.4.3 remediations.

v2.4.3

2026-07-01
Security
  • Pinned cryptography≥48.0.1 to resolve GHSA-537c-gmf6-5ccf (vulnerable OpenSSL in older wheels).
Changed
  • Dependency floor update only. No functional, API, MCP tool, or runtime behavior changes.

v2.4.2

2026-06-28
Fixed
  • Governance: Removed prohibited compliance claims and sensitive terminology from public manifests.
  • Forge: Rectified llms.txt with canonical Markdown links and validated URL health (100/100 PageSpeed).
  • Metadata: Synchronized canonical versioning across all package authorities.

v2.4.1

2026-06-28
Added
  • Canonical version governance: single source of truth (VERSION) with Hub-and-Spoke sync to public surfaces.
  • version-gate CI workflow enforcing version consistency across all manifests.
  • Official TypeScript SDK synced under sdk-typescript/.
  • Glama registry metadata with quality-optimized tool definitions.
  • server.json for the MCP Official Registry.
  • Agent discovery files finalized for crawler and agent ingestion.
Changed
  • Aligned all version manifests to canonical 2.4.1.
  • Smithery: tool annotations and outputSchema on all 13 tools; canonical configSchema.
  • README: added Use Cases, MCP Tools, and Deployment Modes sections.
Fixed
  • Removed duplicate npm badges from README.

v2.4.0

2026-05-15
Added
  • Static MCP server-card with 13 tools for Smithery indexing.
  • Secure Agent Handover branding and skill integration.
  • Smithery publish automation with GitHub Action for registry refresh.
  • GC Cron for expired memories (data lifecycle compliance).
    • POST /api/cron/gc — automated garbage collection endpoint.
    • Bearer token auth via CRON_SECRET (constant-time comparison).
    • Hard-deletes ForgeMemory rows where expiresAt < NOW().
    • Batched: 50 rows per DELETE, max 10 iterations (500 rows/run cap).
    • ForgeGcAuditLog table — append-only audit trail.
    • FK-aware: cascades QualityGateResult cleanup before memory deletion.
    • Fail-closed: missing env → 503, wrong/missing auth → 401.
Security
  • Data lifecycle: expired data is hard-deleted (erasure), not soft-deleted.
  • Zero PII in logs (only counts + duration).
  • Parameterized queries only (zero string interpolation).
  • Constant-time secret comparison (crypto.timingSafeEqual).
Fixed
  • Governance: replaced "End-to-end encrypted" with "AES-256-GCM encrypted at rest" across surfaces.
  • Governance: removed the last zero-knowledge claim from the Hermes skill.

v2.3.7

2026-05-04
Changed
  • Public surface governance: claims matrix v1.0 applied.
  • Removed deprecated claims from all public surfaces.
  • Aligned descriptions, topics, and metadata across all public repos.
  • Version synchronized across all distribution channels.

v1.2.0

2026-04-21
Added
  • Header-first auth via x-connect-token.
  • Canonical agent identity (normalizeAgentId()).
  • Token telemetry: usedCount + lastUsedAt.
  • CI secret scanning (3 repositories).
Security
  • Header takes priority over query param.
  • AES-256-GCM hardened.
  • Zero hardcoded secrets (CI enforced).
Verified in Production
  • curl -H "x-connect-token: VALID" → 200 OK ✅
  • No token → 401 ✅
  • Invalid token → 401 ✅

v1.1.8

2026-04-15
  • Supabase → PostgreSQL migration.
  • Tests: 496 | Coverage: 88%.

v1.1.7

2026-04-10
  • Initial MCP Marketplace listing.