
Commit e5d2e16

cdeust and claude committed
release(3.17.2): advertise the GHSA-gvpp-v77h-5w8g fix to the marketplace

v3.17.1 shipped the security fix CODE to the marketplace, but the release only bumped pyproject.toml — .claude-plugin/marketplace.json still advertised 3.17.0. Because Claude Code decides whether to prompt a /plugin update by comparing the installed version against the marketplace-advertised version, users sitting on 3.17.0 were never prompted to pull the fix, even though it was present in the cloned tree. The patched code was in the channel but unadvertised.

This bump aligns all version labels at 3.17.2 so the marketplace advertises an increment and the update prompt fires:

- .claude-plugin/marketplace.json metadata.version 3.17.0 -> 3.17.2
- .claude-plugin/marketplace.json plugins[0].version 3.17.0 -> 3.17.2
- pyproject.toml version 3.17.1 -> 3.17.2
- added plugins[0].version_note pointing at the advisory

No code change — the fix already landed in 5d22091 (PR #47). This is purely the distribution-metadata correction that makes the marketplace (the only supported install path per ADR-0050) surface it as an update.

source: GHSA-gvpp-v77h-5w8g; ADR-0050 (marketplace-only distribution).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 5d22091 commit e5d2e16
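
The failure described in the commit message (fix shipped, marketplace still advertising the old version) is the kind of drift a pre-release consistency check can catch. The following is an added example, not code from the Cortex repository: the sample file contents are constructed, the function names are hypothetical, and treating `plugins[0].version` as the value the update prompt compares is an assumption.

```python
import json
import re

# Constructed inputs mirroring the state the commit message describes for
# v3.17.1: pyproject.toml bumped, marketplace.json still advertising 3.17.0.
MARKETPLACE_3_17_1 = json.dumps({
    "metadata": {"version": "3.17.0"},
    "plugins": [{"name": "cortex", "version": "3.17.0"}],
})
PYPROJECT_3_17_1 = '[project]\nname = "neuro-cortex-memory"\nversion = "3.17.1"\n'


def pyproject_version(text):
    """Version literal from the [project] table (line scan, not a full TOML parser)."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            table = header.group(1).strip()
        elif table == "project":
            match = re.fullmatch(r'version\s*=\s*"([^"]+)"', line)
            if match:
                return match.group(1)
    raise ValueError("no version in [project] table")


def as_tuple(version):
    """'3.17.2' -> (3, 17, 2); assumes plain dotted integers."""
    return tuple(int(part) for part in version.split("."))


def check_release(marketplace_text, pyproject_text, last_advertised):
    """Return a list of problems; empty means the update would be advertised."""
    doc = json.loads(marketplace_text)
    labels = {"pyproject.toml version": pyproject_version(pyproject_text),
              "metadata.version": doc["metadata"]["version"]}
    for i, plugin in enumerate(doc["plugins"]):
        labels[f"plugins[{i}].version"] = plugin["version"]
    problems = []
    if len(set(labels.values())) != 1:
        problems.append(f"version labels disagree: {labels}")
    # Assumption: the update prompt keys off plugins[0].version.
    advertised = labels["plugins[0].version"]
    if as_tuple(advertised) <= as_tuple(last_advertised):
        problems.append(f"advertised {advertised} is not above {last_advertised}")
    return problems
```

Run against the constructed 3.17.1 state with `last_advertised="3.17.0"`, the check reports both the label mismatch and the missing increment; with every label at 3.17.2 it returns an empty list.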

2 files changed

Lines changed: 4 additions & 3 deletions

.claude-plugin/marketplace.json

Lines changed: 3 additions & 2 deletions
@@ -6,21 +6,22 @@
66
},
77
"metadata": {
88
"description": "Persistent memory and cognitive profiling plugins for Claude Code",
9-
"version": "3.17.0"
9+
"version": "3.17.2"
1010
},
1111
"plugins": [
1212
{
1313
"name": "cortex",
1414
"source": "./",
1515
"description": "Persistent memory and cognitive profiling for Claude Code — thermodynamic memory with heat/decay, intent-aware retrieval, biological plasticity, codebase intelligence, and cognitive profiling. 49 MCP tools with enriched schemas. PostgreSQL + pgvector in CLI mode; automatic SQLite fallback in Cowork/sandboxed mode. v3.17.0 — autonomous per-project wiki: SessionStart auto-spawns a 6-hour consolidate cycle; a headless `claude -p` worker drains the curation-gap queue, calls codebase-intelligence MCP tools to ground each section in the real call graph, and authors missing anchor pages (architecture / services / api / data-flow / operations / decisions / PRD) per project from the source tree. 15 canonical scopes × 13 file sections; per-project dashboards under `wiki/_dashboards/`. Mermaid diagrams have a 🔍 lens with zoom + pan. Workflow graph with caller-qualified CALLS chains rendering full method-to-method dependencies (native tree-sitter, no AP required). Side panel humanized for non-technical users. Ingests codebase analysis (ai-automatised-pipeline) and PRDs (prd-spec-generator) into wiki + memory + knowledge graph. Docker image available.",
16-
"version": "3.17.0",
16+
"version": "3.17.2",
1717
"author": {
1818
"name": "Clement Deust",
1919
"email": "admin@ai-architect.tools"
2020
},
2121
"homepage": "https://github.com/cdeust/Cortex",
2222
"repository": "https://github.com/cdeust/Cortex",
2323
"license": "MIT",
24+
"version_note": "3.17.2 — security: GHSA-gvpp-v77h-5w8g (untrusted dev-source ACE in cortex-visualize). Fixed; all users should update.",
2425
"keywords": ["memory", "cognitive-profiling", "mcp", "claude-code", "cortex", "knowledge-graph", "codebase-analysis", "docker"],
2526
"category": "productivity",
2627
"runtime": ["cli", "cowork"],
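
Review bot: The `version_note` key added at new line 24 is the only place in this file that marks the bump as a security update, and nothing in the hunk shows that the marketplace client reads or displays that key; if it is treated as an unknown field, the advisory pointer reaches no one. Consider also carrying the GHSA reference in the `description` string at line 15, whose feature summary still opens with "v3.17.0" while the `version` values around it now say 3.17.2. Separately, `metadata.version` (line 9) and `plugins[0].version` (line 16) are hand-edited in two places here and a third time in pyproject.toml; a release check that fails when the three differ would close the gap this commit is correcting.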

pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
44

55
[project]
66
name = "neuro-cortex-memory"
7-
version = "3.17.1"
7+
version = "3.17.2"
88
description = "Scientifically-grounded memory system based on computational neuroscience research"
99
readme = "README.md"
1010
license = "MIT"
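
Review bot: Missing documentation for a metadata-only release: line 7 moves `version` from 3.17.1 to 3.17.2, and this commit changes only two files, neither of them a changelog, so the fact that 3.17.1 and 3.17.2 carry the same code and differ only in what the marketplace advertises lives solely in the commit message. A short changelog entry stating that, with the advisory id, would let anyone auditing which versions contain the fix read it from the repository.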
