Recovery release completing v0.4.3's distribution. v0.4.3 shipped to Docker + the GitHub Release, but its npm publish silently failed (expired NPM_TOKEN → E404, swallowed by the pre-#176 step), so npm + the MCP Registry stalled at 0.4.2. v0.4.4 carries all v0.4.3 runtime content forward — no runtime code changes vs 0.4.3 — and is published over the new OIDC Trusted Publishing path (no NPM_TOKEN). See CHANGELOG.
- npm:
@iris-eval/mcp-server@0.4.4(@latest), provenance-attested via OIDC Trusted Publishing. - Docker:
ghcr.io/iris-eval/mcp-server:0.4.4+:latest, cosign keyless-signed. - MCP Registry:
io.github.iris-eval/mcp-server@0.4.4(isLatest). - SBOMs: npm + Docker SPDX attached below.
Note: the SBOM
cosign sign-blob.sig/.pemcompanions are absent on this release — thecosign-installerv4 bump deprecated the--output-signature/--output-certificateflags, breaking the signing step. Fix tracked separately; restored in the next release. The Docker image signature and npm provenance attestation are unaffected.