v1.1.0 - Security, Structured Errors & Developer Experience

.dockerignore

@@ -1,3 +1,12 @@
+# Dependencies (rebuilt in container)
+node_modules/
+
+# Build artifacts (rebuilt in container)
+dist/
+build/
+out/
+*.tsbuildinfo
+
 # Git
 .git/
 .gitignore
@@ -6,23 +15,31 @@
 # GitHub
 .github/
 
-# Development
+# Development files
 .env
 .env.*
-.vscode/
-.idea/
+!.env.example
+.dev.vars
 *.log
 
-# Dependencies (rebuilt in container)
-node_modules/
+# IDE/Editor
+.gemini/
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
 
-# Build artifacts (rebuilt in container)
-dist/
+# OS files
+.DS_Store
+Thumbs.db
 
 # Test files
 tests/
+__tests__/
 test-database/
 coverage/
+test-results.json
 *.test.ts
 *.spec.ts
 vitest.config.ts
@@ -39,11 +56,10 @@ docs/
 !README.md
 !LICENSE
 
-# IDE/Editor
-.DS_Store
-Thumbs.db
-*.swp
-*.swo
+# Node and caching
+.npm/
+.eslintcache/
+.nyc_output/
 
 # Config files not needed in container
 eslint.config.js
@@ -53,6 +69,30 @@ eslint.config.js
 # Extensions (user provides these)
 extensions/
 
-# MCP Registry tokens
+# MCP Registry tokens and config
 .mcpregistry_github_token
 .mcpregistry_registry_token
+server.json
+
+# Docker (self-reference)
+Dockerfile
+.dockerignore
+docker-compose*.yml
+
+# NPM packaging config
+.npmignore
+
+# Alternative lock files
+yarn.lock
+pnpm-lock.yaml
+
+# Release notes
+releases/
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+
+# Assets
+social-preview.png

.github/workflows/codeql.yml

@@ -23,7 +23,7 @@ jobs:
       matrix:
         language: ["javascript-typescript"]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Check for JS/TS files
         id: check-files
         run: |
@@ -32,14 +32,14 @@ jobs:
           else
             echo "has_code=false" >> $GITHUB_OUTPUT
           fi
-      - uses: github/codeql-action/init@v4
+      - uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
         if: steps.check-files.outputs.has_code == 'true'
         with:
           languages: ${{ matrix.language }}
           queries: security-extended,security-and-quality
-      - uses: github/codeql-action/autobuild@v4
+      - uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
         if: steps.check-files.outputs.has_code == 'true'
-      - uses: github/codeql-action/analyze@v4
+      - uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4
         if: steps.check-files.outputs.has_code == 'true'
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/docker-publish.yml

@@ -31,15 +31,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event.workflow_run.head_sha }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Build image for scanning (local only)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
         with:
           context: .
           file: Dockerfile
@@ -95,7 +95,8 @@ jobs:
               echo "🔄 Continuing build - scan timeout is not a security failure"
             else
               echo "⚠️ Docker Scout scan failed with exit code $exit_code"
-              echo "🔄 Continuing build - will rely on Trivy for security validation"
+              echo "❌ Security gate failed — cannot validate image safety"
+              exit 1
             fi
           fi
 
@@ -126,15 +127,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event.workflow_run.head_sha }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ secrets.DOCKER_USERNAME }}
@@ -152,7 +153,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -163,7 +164,7 @@ jobs:
 
       - name: Build and push platform image
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
         with:
           context: .
           file: Dockerfile
@@ -183,7 +184,7 @@ jobs:
           touch "/tmp/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
           path: /tmp/digests/*
@@ -208,22 +209,22 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event.workflow_run.head_sha }}
 
       - name: Download digests
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: /tmp/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ secrets.DOCKER_USERNAME }}
@@ -240,7 +241,7 @@ jobs:
 
       - name: Extract metadata for manifest
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -263,15 +264,15 @@ jobs:
       # Update Docker Hub description
       - name: Update Docker Hub Description
         if: github.ref == 'refs/heads/main'
-        uses: peter-evans/dockerhub-description@v5
+        uses: peter-evans/dockerhub-description@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
         continue-on-error: true
         timeout-minutes: 5
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
           repository: ${{ env.IMAGE_NAME }}
           readme-filepath: ./DOCKER_README.md
-          short-description: "SQLite MCP Server with OAuth 2.1, HTTP/SSE, 122 Tools, and Smart Tool Filtering."
+          short-description: "SQLite MCP Server — 139 Tools, Code Mode, OAuth 2.1, Dual-Transport HTTP/SSE & Smart Tool Filtering"
 
       - name: Deployment Summary
         if: github.ref == 'refs/heads/main'

.github/workflows/e2e.yml

@@ -0,0 +1,38 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        with:
+          node-version: lts/*
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Install Playwright Browsers
+        run: npx playwright install --with-deps
+
+      - name: Build
+        run: npm run build
+
+      - name: Run E2E tests
+        run: npm run test:e2e
+
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        if: ${{ !cancelled() }}
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7

.github/workflows/lint-and-test.yml

@@ -18,15 +18,23 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: "npm"
 
+      - name: Cache node_modules
+        id: cache-node-modules
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: node_modules
+          key: node-modules-${{ matrix.node-version }}-${{ hashFiles('package-lock.json') }}
+
       - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
         run: npm ci
 
       - name: Run ESLint
@@ -45,10 +53,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: "24.x"
           cache: "npm"
@@ -58,4 +66,37 @@ jobs:
 
       - name: Run npm audit
         run: npm audit --audit-level=moderate
-        continue-on-error: true
+
+  benchmarks:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        with:
+          node-version: "24.x"
+          cache: "npm"
+
+      - name: Cache node_modules
+        id: cache-node-modules
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: node_modules
+          key: node-modules-24.x-${{ hashFiles('package-lock.json') }}
+
+      - name: Install dependencies
+        if: steps.cache-node-modules.outputs.cache-hit != 'true'
+        run: npm ci
+
+      - name: Run benchmarks
+        run: npm run bench 2>&1 | tee benchmark-results.txt
+
+      - name: Upload benchmark results
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        with:
+          name: benchmark-results-${{ github.sha }}
+          path: benchmark-results.txt
+          retention-days: 30

.github/workflows/publish-npm.yml

@@ -22,13 +22,13 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           # For release events, checkout the tag; for workflow_dispatch, use ref input or default to latest tag
           ref: ${{ github.event.release.tag_name || format('v{0}', github.event.inputs.version) || github.ref }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: "24.x"
           registry-url: "https://registry.npmjs.org"