* Stage mksite docs in publish + CI so the npm package ships a docs corpus

The published log10x-mcp package (the official npm install) shipped with an
empty product_qa docs corpus, so docs-search returned no hits. The corpus
lives in the separate private log-10x/mksite repo and is copied into
build/product-kb/docs at build time. publish.yml only checked out log10x-mcp,
so the build script's `cp -R ../mksite/docs/.` silently no-opped
(2>/dev/null || echo) and npm publish shipped an empty corpus.

The hosted demo (mcp.log10x.com) was unaffected because its separate Docker
workflow (backend/.../deploy-public-demo-mcp.yml) already checks out mksite
and stages the docs. This ports that exact pattern to npm publish and CI:

- Mint a token from the read-only org CI GitHub App.
- Check out log-10x/mksite, stage .md docs into config/mksite/docs.
- Point the build at it via LOG10X_PRODUCT_KB_SRC.
- Fail loudly if build/product-kb/docs ends up empty, so an empty corpus can
  never be published again.

Requires: the LOG10X_CI_READONLY_APP_ID / _PRIVATE_KEY org secrets must be
granted to this repo, and the app installation must include mksite.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Use a mksite-scoped deploy key instead of the org-wide read app

log10x-mcp is a public repo, so storing the org-wide LOG10X_CI_READONLY_APP
private key here would put an org-wide private-read credential in a public
trust boundary. Switch to a read-only SSH deploy key scoped to ONLY
log-10x/mksite (secret MKSITE_DOCS_DEPLOY_KEY) — a leak exposes mksite-read
and nothing else.

- publish.yml: checkout mksite via ssh-key. Runs on push to main only, so the
  secret is always present.
- ci.yml: gate the docs-staging + verify steps on the key's presence
  (HAS_DEPLOY_KEY). Same-repo branches build the real corpus and enforce it;
  fork PRs (which get no secrets on a public repo) build + test without docs
  and stay green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Bump version to 1.12.9 to ship the docs-corpus fix

The version-bump-check gate requires a bump vs main, and publish.yml only
ships a version that isn't already tagged. 1.12.9 is the first release that
will carry a populated product_qa docs corpus.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Fix eval harness: drop removed fetchAnalyzerCost, resolve rate in-tool

PR #101 removed fetchAnalyzerCost from src/lib/api.ts (cost tools must not
phone the account API; rate now resolves locally via resolveRate). The eval
harness still imported and called it, so `tsc` failed (TS2305) on every PR
that touched package.json — which is every PR. The eval-campaign check has
been red since 2026-06-08; it surfaced here only because this PR bumps the
version.

Mirror the current product dispatch (src/index.ts calls executeX(args, env)
straight through): drop the getAnalyzerCost pre-fetch + cost cache and pass
args directly, letting each tool resolve its own rate. Verified: MCP build +
eval harness `tsc` both clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------
Co-authored-by: Dor Levi <11015255+dor-levi@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
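
The silent no-op and the fail-loudly guard described in the first commit, shown side by side as an added shell example (not the project's build script or workflow). The function names `stage_docs_silent` and `stage_docs` are hypothetical; the commented usage line reuses `LOG10X_PRODUCT_KB_SRC` and the paths named in the message.

```shell
#!/bin/sh
# Added illustration. stage_docs_silent and stage_docs are hypothetical
# names, not functions from the log10x-mcp build script.

# Failure mode from the commit message: stderr is discarded and the error is
# swallowed by "|| echo", so a missing source still returns 0 and the
# destination stays empty.
stage_docs_silent() {
  sd_src=$1; sd_dest=$2
  mkdir -p "$sd_dest"
  cp -R "$sd_src/." "$sd_dest" 2>/dev/null || echo "docs not found, skipping"
}

# Guarded variant: refuse a missing source, copy, then count the staged .md
# files and return non-zero when none arrived.
stage_docs() {
  sd_src=$1; sd_dest=$2
  mkdir -p "$sd_dest" || return 1
  if [ ! -d "$sd_src" ]; then
    echo "ERROR: docs source '$sd_src' does not exist" >&2
    return 1
  fi
  cp -R "$sd_src/." "$sd_dest" || return 1
  sd_count=$(find "$sd_dest" -type f -name '*.md' | wc -l | tr -d ' ')
  if [ "$sd_count" -eq 0 ]; then
    echo "ERROR: '$sd_dest' contains no .md docs; refusing to publish" >&2
    return 1
  fi
  echo "staged $sd_count docs into $sd_dest"
}

# Usage in a build step (paths as named in the commit message):
#   stage_docs "${LOG10X_PRODUCT_KB_SRC:-../mksite/docs}" build/product-kb/docs
```
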