v2.4.3

Fixed

• npm OIDC trusted publishing: configured trusted publisher on npmjs.com for Nainounen/homelab-mcp → homelab-mcp so CI publish works end-to-end
• Cross-platform lockfile: use npm install in publish workflow instead of npm ci — the npm 10→11 upgrade resolves optional wasm deps (@emnapi/*) differently on Linux than what the macOS-generated lockfile records, causing npm ci to reject the lockfile
• CI idempotency: Docker push and GitHub Release creation now skip if already published (re-run safe)
• CI cleanup: removed verbose npm logging now that OIDC diagnostics are resolved

v2.4.0 — Security hardening, health-check fixes, faster lookups, output caps

Security

• Shell injection fixed in devbox_git clone: the target directory was interpolated inside double quotes, so a repo_dir containing $(…) executed on the devbox — now passed through shellEscape like every other argument
• Safety filter hardened: rm with recursive+force flags in any order or spelling (-fr, -r -f, --recursive --force, -rfv) targeting an absolute path is now blocked on both devbox and Proxmox (was: only literal -rf)
• .env injection fixed in setup wizard: configure values containing newlines could append arbitrary extra lines to .env — now rejected by schema validation

Added

• Output size cap: every tool result is truncated at MAX_OUTPUT_CHARS (default 30,000 chars ≈ 7,500 tokens, 0 disables) so a stray cat of a huge file can't flood the AI context
• Library list filters: radarr_list_movies and sonarr_list_series accept filter (missing/downloaded-or-complete/unmonitored), search, and limit (default 100) — large libraries no longer dump thousands of lines per call

Fixed

• homelab_health false negatives: Proxmox/Devbox/QNAP entries are bare hosts, not URLs, so their HTTP pings always failed — Proxmox is now probed at https://HOST:PORT, Devbox/QNAP via TCP on their SSH ports; services answering 401/403/404 now count as reachable; self-signed HTTPS no longer fails the reachability probe
• media_dashboard storage section: multiple DASHBOARD_DISK_PATHS were quoted as a single df argument and silently produced no output — each path is now escaped individually

Performance

• SSH keepalive + fast-fail connect on devbox, Proxmox, and QNAP connections (keepaliveInterval 15s ×3, readyTimeout 15s) — dead peers are detected instead of hanging until command timeout
• Server-side lookups: Radarr/Sonarr single-item operations (add/remove/force-search/season-search/check-releases) query by tmdbId/tvdbId instead of fetching the entire library each call
• devbox_project_list: probes all projects in parallel with one combined SSH command each (was: two sequential round trips per project)
• ArrClient: HTTPS keep-alive agent added (HTTP-only before)

v2.1.0 — AI Setup Wizard

v2.1.0 — 2026-06-09

Added

• homelab_setup — AI-native onboarding wizard with three modes:
  • status — reads .env, reports configured vs missing with progress %
  • configure — saves settings interactively through conversation
  • test — verifies connectivity to all configured services
• isSecretKey() helper — single source of truth for credential masking
• npm install method in README (npm install homelab-mcp)
• Updated MCP config for npx homelab-mcp

Security

• All passwords, API keys, tokens, and secrets are masked (••••••••) in tool output
• Centralized secret detection via isSecretKey() — covers PASSWORD, API_KEY, TOKEN, SECRET patterns
• Secrets written to .env are never read back in plaintext

v2.0.2 — Corrected repo URLs

v2.0.2 — 2026-06-09

Fixed

• Corrected GitHub username in all repository URLs (package.json, README badges, SECURITY.md)
• CI badge now points to the correct Actions workflow

v2.0.1 — Open-source readiness & community polish

v2.0.1 — 2026-06-09

Added

• Community health files: issue/PR templates, CODE_OF_CONDUCT.md
• Status badges (CI, npm, license, node) and banner image in README
• .nvmrc for automatic Node.js version switching
• .npmrc with engine-strict=true to enforce Node.js >=20
• Author field in package.json
• Expanded npm keywords for better discoverability

Changed

• Prometheus and Grafana are now optional — server starts without them
• Populated .mcp.example.json with a working config example

Fixed

• Typo: serrModule → seerrModule in Seerr module export
• Missing security contact in SECURITY.md
• Wrong GitHub username in all URLs (ninomeier → Nainounen)
• .claude/ directory added to .gitignore