Security defaults
run_shellMCP exposure is now opt-in viaFORTRANSPIRE_ENABLE_SHELL=1. Closes the unauthenticated shell-execution path throughask_agent.- MCP file/directory arguments are jailed to the workspace root via a new
_jail()helper. Auto-off in stdio mode (IDE trust boundary), enforced by default in HTTP/SSE.
CI
- New
.github/workflows/tests.yml: pytest on every push and PR (Python 3.11/3.12 matrix),gfortran -fopenaccequivalence harness on push and manual dispatch. - Tests badge added to README.
Repo cleanup
- Paper artefacts moved to
paper/(paper.md,paper.bib). - Container artefacts moved to
containers/(Dockerfile,Dockerfile.hpc,apptainer.def,docker-compose.yml). - Two stray root markdowns relocated under
docs/concepts/anddocs/integrations/. - Dead code removed:
fortranspire/main.py,fortranspire/brain/, brokenDockerfile.ciandApptainer.analyze.
Paper
- 2289 → 1103 body words (-52%). Eight-stage table + LLM-intervention rationale + agent-loop motivation moved to
docs/concepts/architecture.md. - Five orphan bib entries dropped; zero broken citations.
- "Sovereign" now backed in
docs/concepts/llm-endpoints.mdby GDPR (EU 2016/679), AI Act (EU 2024/1689), and NIS2 Directive (EU 2022/2555).
Install path fixes
- README and
docs/getting-started/with-mistral-vibe.md:uv tool install fortranspire→uv tool install 'fortranspire[mcp]'. The[mcp]extra is required for the stdio handshake. - Hardcoded
/opt/homebrewremoved (breaks Intel Macs). .envedit reminder aftercp .env.example .env.
Install
```bash
uv tool install 'fortranspire[mcp]'
```
Full changelog: docs/changelog.md.