Skip to content

Commit 15fd617

Browse files
doublegateclaude
andcommitted
docs: comprehensive README/CHANGELOG audit and corrections for v1.9.0
- Fix ENABLE_WORKERS env var references to CYBERCHEF_ENABLE_WORKERS across README.md, docs/releases/v1.9.0.md, and example configurations - Update upstream-monitor cron schedule references from "every 6 hours" to "weekly (Sundays at noon UTC)" in README.md CI/CD section and features list - Update Dockerfile base image references from node:18-alpine to Chainguard distroless in docs/architecture/architecture.md and CLAUDE.md - Expand architecture diagram to include transport layer and worker pool - Update CLAUDE.md: coverage thresholds (75%/90%/70%), full MCP tools list, complete CI/CD workflow table (10 workflows), Chainguard base image - Add [Unreleased] section to CHANGELOG.md documenting upstream-monitor schedule change and all documentation corrections - Mark all v1.2.0-v1.9.0 releases as "Released" in ROADMAP.md with status column, update v1.9.0 description to reflect actual features delivered - Stage upstream-monitor.yml cron schedule change (6h -> weekly Sunday noon) - Update ref-proj/CyberChef submodule to latest upstream Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 4ab8b19 commit 15fd617

8 files changed

Lines changed: 56 additions & 32 deletions

File tree

.github/workflows/upstream-monitor.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,8 +2,8 @@ name: Upstream Release Monitor
22

33
on:
44
schedule:
5-
# Run every 6 hours
6-
- cron: '0 */6 * * *'
5+
# Run once per week: Sunday at 12:00 UTC (mid-day)
6+
- cron: '0 12 * * 0'
77
workflow_dispatch: # Allow manual trigger
88

99
permissions:

CHANGELOG.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
### Changed
11+
- **Upstream Monitor Schedule**: Changed cron from every 6 hours to weekly (Sundays at noon UTC) to reduce unnecessary CI runs
12+
13+
### Fixed
14+
- **Documentation**: Corrected `ENABLE_WORKERS` env var references to `CYBERCHEF_ENABLE_WORKERS` across README.md, CLAUDE.md, and release notes
15+
- **Documentation**: Updated upstream monitor schedule references from "every 6 hours" to "weekly" in README.md
16+
- **Documentation**: Updated Dockerfile base image references from `node:18-alpine`/`node:22-alpine` to Chainguard distroless in architecture docs and CLAUDE.md
17+
- **Documentation**: Updated coverage threshold references in CLAUDE.md to match current thresholds (75% lines/stmts, 90% functions, 70% branches)
18+
- **Documentation**: Expanded MCP tools listing and CI/CD workflow table in CLAUDE.md
19+
1020
## [1.9.0] - 2026-02-05
1121

1222
### Added

CLAUDE.md

Lines changed: 14 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ npm run build # Production build
3939
npm run lint # ESLint (zero errors required)
4040
npm test # Core unit tests
4141
npm run test:mcp # MCP server tests (689 tests)
42-
npm run test:coverage # Coverage report (thresholds: 70% lines/functions)
42+
npm run test:coverage # Coverage report (thresholds: 75% lines/stmts, 90% functions, 70% branches)
4343
npm run testnodeconsumer # Test CJS/ESM consumers
4444
```
4545

@@ -66,14 +66,18 @@ MCP Client (AI/IDE) <--> CyberChef MCP Server <--> CyberChef Node API <--> Cyber
6666
| `src/node/index.mjs` | Node.js API bridge (**generated** by Grunt) |
6767
| `src/core/config/OperationConfig.json` | Operation metadata (**generated** by Grunt) |
6868
| `src/core/operations/*.mjs` | Individual operation implementations |
69-
| `Dockerfile.mcp` | MCP server container (node:22-alpine) |
69+
| `Dockerfile.mcp` | MCP server container (Chainguard distroless) |
7070
| `Gruntfile.js` | Build orchestration for config generation |
7171

7272
### MCP Tools Structure
7373

7474
1. **`cyberchef_bake`** - Meta-tool for complex recipe chains
7575
2. **`cyberchef_search`** - Operation discovery via `help()` function
7676
3. **`cyberchef_<op_name>`** - 300+ dynamically generated tools from OperationConfig
77+
4. **`cyberchef_worker_stats`** - Worker thread pool monitoring (v1.9.0)
78+
5. **`cyberchef_deprecation_stats`** / **`cyberchef_migration_preview`** - v2.0.0 migration tools (v1.8.0)
79+
6. **Recipe tools** - `cyberchef_recipe_create/get/list/update/delete/execute/export/import/validate/test` (v1.6.0)
80+
7. **`cyberchef_batch`** / **`cyberchef_telemetry_export`** / **`cyberchef_cache_stats`** / **`cyberchef_cache_clear`** / **`cyberchef_quota_info`** (v1.7.0)
7781

7882
Tool naming: Operations are sanitized to snake_case with `cyberchef_` prefix (e.g., "AES Decrypt" -> `cyberchef_aes_decrypt`).
7983

@@ -99,7 +103,14 @@ Run these manually if developing locally on Node 22+.
99103
|----------|---------|---------|
100104
| `core-ci.yml` | Push to master | Lint + tests + Codecov coverage |
101105
| `mcp-docker-build.yml` | Push to master | Build and verify Docker image |
102-
| `mcp-release.yml` | Tags `v*` | Publish to GHCR |
106+
| `mcp-release.yml` | Tags `v*` | Publish to Docker Hub + GHCR |
107+
| `security-scan.yml` | Push/PR/weekly | Trivy + npm audit |
108+
| `upstream-monitor.yml` | Weekly (Sun noon UTC) | Check for upstream releases |
109+
| `upstream-sync.yml` | Label/manual | Selective upstream sync |
110+
| `rollback.yml` | Manual | Emergency rollback |
111+
| `pull_requests.yml` | PRs | PR validation |
112+
| `performance-benchmarks.yml` | Push | Performance regression testing |
113+
| `codeql.yml` | Push/PR/weekly | CodeQL security scanning |
103114

104115
### Release Process
105116
```bash

README.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,7 @@ The server exposes CyberChef operations as MCP tools:
6666
- Lists all 8 deprecation codes (DEP001-DEP008) with details
6767
* **Worker Thread Pool** (v1.9.0): CPU-intensive operations offloaded to worker threads
6868
* `cyberchef_worker_stats` - Monitor worker pool utilization, active/completed tasks, and pool configuration
69-
* Enable with `ENABLE_WORKERS=true` environment variable
69+
* Enable with `CYBERCHEF_ENABLE_WORKERS=true` environment variable
7070
* Configurable pool size, idle timeout, and minimum input size for worker routing
7171

7272
### Technical Highlights
@@ -82,7 +82,7 @@ The server exposes CyberChef operations as MCP tools:
8282
* **Advanced Features** (v1.7.0): Enterprise-grade capabilities with batch processing (parallel/sequential execution of up to 100 operations), privacy-first telemetry collection (disabled by default, no input/output data captured), sliding window rate limiting for resource protection, enhanced caching with inspection tools, and resource quota tracking (concurrent operations, data sizes). All features are configurable via environment variables with secure defaults. See [Release Notes](docs/releases/v1.7.0.md) for details.
8383
* **Enhanced Observability** (v1.5.0): Structured JSON logging with Pino for production monitoring, comprehensive error handling with actionable recovery suggestions, automatic retry logic with exponential backoff, request correlation with UUID tracking, circuit breaker pattern for cascading failure prevention, and streaming infrastructure for progressive results on large operations. See [Release Notes](docs/releases/v1.5.0.md) for details.
8484
* **Performance Optimized** (v1.4.0): LRU cache for operation results (100MB default), automatic streaming for large inputs (10MB+ threshold), configurable resource limits (100MB max input, 30s timeout), memory monitoring, and comprehensive benchmark suite. See [Performance Tuning Guide](docs/architecture/performance-tuning.md) for configuration options.
85-
* **Upstream Sync Automation** (v1.3.0): Automated monitoring of upstream CyberChef releases every 6 hours, one-click synchronization workflow, comprehensive validation test suite with 689 tests, and emergency rollback mechanism.
85+
* **Upstream Sync Automation** (v1.3.0): Automated monitoring of upstream CyberChef releases weekly (Sundays at noon UTC), one-click synchronization workflow, comprehensive validation test suite with 689 tests, and emergency rollback mechanism.
8686
* **Security Hardened** (v1.4.5+): Chainguard distroless base image with zero-CVE baseline, non-root execution (UID 65532), automated Trivy vulnerability scanning with build-fail thresholds, dual SBOM strategy (Docker Scout attestations + CycloneDX), read-only filesystem support, SLSA Build Level 3 provenance, and 7-day SLA for critical CVE patches. Fixed 11 of 12 code scanning vulnerabilities including critical cryptographic randomness weakness and 7 ReDoS vulnerabilities. See [Security Policy](SECURITY.md) and [Security Fixes Report](docs/security/SECURITY_FIX_REPORT.md) for details.
8787
* **Production Ready**: Comprehensive CI/CD with CodeQL v4, automated testing, and dual-registry container publishing (Docker Hub + GHCR) with complete supply chain attestations.
8888

@@ -286,7 +286,7 @@ CYBERCHEF_MAX_INPUT_SIZE=104857600 # Maximum input size (100MB)
286286
CYBERCHEF_OPERATION_TIMEOUT=30000 # Operation timeout in milliseconds (30s)
287287
CYBERCHEF_STREAMING_THRESHOLD=10485760 # Streaming threshold (10MB)
288288
CYBERCHEF_ENABLE_STREAMING=true # Enable streaming for large operations
289-
CYBERCHEF_ENABLE_WORKERS=false # Enable worker threads (disabled by default)
289+
CYBERCHEF_ENABLE_WORKERS=false # Enable worker thread pool (disabled by default)
290290
CYBERCHEF_CACHE_MAX_SIZE=104857600 # Cache maximum size (100MB)
291291
CYBERCHEF_CACHE_MAX_ITEMS=1000 # Cache maximum items
292292
```
@@ -341,7 +341,7 @@ docker run -i --rm \
341341
**Worker Thread Pool for CPU-Intensive Operations (v1.9.0+)**
342342
```bash
343343
docker run -i --rm \
344-
-e ENABLE_WORKERS=true \
344+
-e CYBERCHEF_ENABLE_WORKERS=true \
345345
-e CYBERCHEF_WORKER_MAX_THREADS=8 \
346346
-e CYBERCHEF_WORKER_IDLE_TIMEOUT=60000 \
347347
ghcr.io/doublegate/cyberchef-mcp_v1:latest
@@ -656,7 +656,7 @@ This project uses GitHub Actions to ensure stability and security:
656656
* **Release** ([`mcp-release.yml`](.github/workflows/mcp-release.yml)): Publishes Docker image to GHCR with SBOM attachment on version tags (`v*`), automatically creates GitHub releases
657657

658658
**Upstream Sync Automation (v1.3.0+):**
659-
* **Upstream Monitor** ([`upstream-monitor.yml`](.github/workflows/upstream-monitor.yml)): Monitors GCHQ/CyberChef for new releases every 6 hours, creates GitHub issues for review
659+
* **Upstream Monitor** ([`upstream-monitor.yml`](.github/workflows/upstream-monitor.yml)): Monitors GCHQ/CyberChef for new releases weekly (Sundays at noon UTC), creates GitHub issues for review
660660
* **Upstream Sync** ([`upstream-sync.yml`](.github/workflows/upstream-sync.yml)): Selective file synchronization workflow - copies only `src/core/operations/*.mjs` files, prevents restoration of deleted web UI components, creates PR for review
661661
* **Rollback** ([`rollback.yml`](.github/workflows/rollback.yml)): Emergency rollback mechanism with state comparison and ref-proj guidance
662662

docs/architecture/architecture.md

Lines changed: 10 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -6,11 +6,13 @@ The solution involves creating a new entry point in the `src/node/` directory th
66

77
```mermaid
88
graph TD
9-
A[MCP Client AI/IDE] -->|Stdio| B[CyberChef MCP Server]
10-
B -->|Imports| C[CyberChef Node API]
11-
C -->|Uses| D[CyberChef Core]
12-
D -->|Config| E[OperationConfig.json]
13-
D -->|Logic| F[Operations]
9+
A[MCP Client AI/IDE] -->|Stdio/HTTP| B[Transport Layer]
10+
B -->|Routes| C[CyberChef MCP Server]
11+
C -->|Imports| D[CyberChef Node API]
12+
D -->|Uses| E[CyberChef Core]
13+
E -->|Config| F[OperationConfig.json]
14+
E -->|Logic| G[Operations]
15+
C -->|Offloads| H[Worker Thread Pool]
1416
```
1517

1618
## Components
@@ -49,9 +51,10 @@ Programmatically generated tools for every supported CyberChef operation.
4951

5052
### 3. Containerization (`Dockerfile.mcp`)
5153
A specialized Docker build for the server.
52-
- **Base:** `node:18-alpine`.
53-
- **Context:** Copies `src/`, `package.json`.
54+
- **Base:** Chainguard distroless Node.js 22 (`cgr.dev/chainguard/node:latest`).
55+
- **Context:** Multi-stage build; copies `src/`, `package.json`.
5456
- **Command:** `node src/node/mcp-server.mjs`.
57+
- **Security:** Non-root (UID 65532), zero-CVE baseline, read-only filesystem support.
5558

5659
## Data Flow
5760
1. **Discovery:** Client requests `listTools`. Server iterates `OperationConfig` and generates tool schemas.

docs/planning/ROADMAP.md

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -77,19 +77,19 @@ gantt
7777

7878
### Phase 1-3 (v1.2.0 - v2.0.0)
7979

80-
| Release | Theme | Key Features | Effort | Risk |
81-
|---------|-------|--------------|--------|------|
82-
| **v1.2.6** | Container Optimization | nginx:alpine-slim for web app, non-root permissions | S | Low |
83-
| **v1.2.5** | Security Patch | GitHub alerts, OWASP Argon2 hardening, build fixes | S | Low |
84-
| **v1.2.0** | Security Hardening | Docker DHI, non-root, security scanning | L | Medium |
85-
| **v1.3.0** | Upstream Sync | Automated CyberChef updates, validation testing | XL | Medium | **Completed** |
86-
| **v1.4.0** | Performance | Streaming optimization, worker threads, memory management | L | Low |
87-
| **v1.5.0** | Streaming & Errors | Large operation support, enhanced error handling | L | Medium |
88-
| **v1.6.0** | Recipe Management | Save/load/share recipes, recipe library | XL | Medium |
89-
| **v1.7.0** | Advanced Features | Batch processing, telemetry, rate limiting | L | Low |
90-
| **v1.8.0** | Breaking Changes Prep | Deprecation warnings, migration guides | M | High |
91-
| **v1.9.0** | Pre-v2.0.0 Polish | Final testing, documentation, migration tools | M | Medium |
92-
| **v2.0.0** | Major Release | Breaking changes, API stabilization, type system | XL | High |
80+
| Release | Theme | Key Features | Effort | Risk | Status |
81+
|---------|-------|--------------|--------|------|--------|
82+
| **v1.2.6** | Container Optimization | nginx:alpine-slim for web app, non-root permissions | S | Low | Released |
83+
| **v1.2.5** | Security Patch | GitHub alerts, OWASP Argon2 hardening, build fixes | S | Low | Released |
84+
| **v1.2.0** | Security Hardening | Docker DHI, non-root, security scanning | L | Medium | Released |
85+
| **v1.3.0** | Upstream Sync | Automated CyberChef updates, validation testing | XL | Medium | Released |
86+
| **v1.4.0** | Performance | Streaming optimization, worker threads, memory management | L | Low | Released |
87+
| **v1.5.0** | Streaming & Errors | Large operation support, enhanced error handling | L | Medium | Released |
88+
| **v1.6.0** | Recipe Management | Save/load/share recipes, recipe library | XL | Medium | Released |
89+
| **v1.7.0** | Advanced Features | Batch processing, telemetry, rate limiting | L | Low | Released |
90+
| **v1.8.0** | Breaking Changes Prep | Deprecation warnings, migration guides | M | High | Released |
91+
| **v1.9.0** | Pre-v2.0.0 Polish | Streaming, workers, HTTP transport, security | M | Medium | Released |
92+
| **v2.0.0** | Major Release | Breaking changes, API stabilization, type system | XL | High | Planned |
9393

9494
### Phase 4-6 (v2.1.0 - v3.0.0)
9595

docs/releases/v1.9.0.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ This release delivers MCP streaming with progress notifications, a Piscina-based
2222
- Configurable via `CYBERCHEF_WORKER_MIN_THREADS`, `MAX_THREADS`, `IDLE_TIMEOUT` env vars
2323
- Worker routing in CallTool handler before streaming execution
2424
- New `cyberchef_worker_stats` tool for monitoring pool utilization
25-
- Enable with `ENABLE_WORKERS=true` environment variable
25+
- Enable with `CYBERCHEF_ENABLE_WORKERS=true` environment variable
2626

2727
### Streamable HTTP Transport
2828
- New `src/node/transports.mjs` transport factory

0 commit comments

Comments
 (0)