You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Docs site: a Releases page generated from GitHub Releases at build time (notes rendered from
each release, plus direct .mcpb/.nupkg download buttons), a new Claude Desktop (1-click)
install tab, and a note that RoselineMCP is listed in the official MCP Registry. The Astro build
fetches the Releases API (authenticated in CI to avoid rate limits) and degrades to a GitHub
link-out if the fetch fails.
Added
One-click install for Claude Desktop (MCPB bundle). A mcpb/manifest.json (MCPB spec 0.3)
describes RoselineMCP as a dnx-launched server; the release now builds and attaches a RoselineMCP.mcpb to each GitHub Release, so users can install with a dialog instead of editing
JSON config. The bundle only wraps the dnx RoselineMCP launch (the .NET 10 SDK is still
required, since analysis loads projects through MSBuild), so it stays tiny and platform-agnostic.
Automated MCP Registry publishing.publish-nuget.yml now has a publish-registry job that,
after a successful NuGet publish, waits for the version to index, then authenticates via GitHub
OIDC (mcp-publisher login github-oidc, no secret) and publishes .mcp/server.json to the
official registry (registry.modelcontextprotocol.io) — so the server is discoverable by any
client/aggregator that reads the registry. Ownership is proven by an mcp-name: marker added to
the packed README.md, which the registry cross-checks against the NuGet package. The manifest $schema was migrated from the deprecated 2025-10-17 to the current 2025-12-11 (a URL-only
change; the format is unchanged for stdio package servers). Takes effect on the next tagged release.
Security
Pinned Microsoft.Bcl.Memory to 10.0.9 (aligned with the net10.0 TFM) in RoselineMCP.TokenBenchmark to override the 9.0.4
that Microsoft.ML.Tokenizers2.0.0 pulled in transitively, which was vulnerable to CVE-2026-26127 (GHSA-73j8-2gch-69rq, high severity — Base64Url out-of-bounds-read DoS). The
benchmark harness is never packaged and is not referenced by the shipped RoselineMCP package,
so published users were never exposed; this clears the NU1903 restore warning. Remove the pin
once Microsoft.ML.Tokenizers references a patched build.