v1.3.1 — version drift fix + post-evaluation cleanup

Patch release — npm v1.3.0 publish 직후 git tag/release 와 npm registry 시점이 어긋난 부분을 해소하고, 외부 평가 보고서 후속 정리를 단일 release 로 묶었습니다.

Update from v1.3.0

npm update -g agent-safety-oss        # 전역 설치 사용자
# 또는
npx -y agent-safety-oss@latest tools  # npx 사용자는 자동으로 latest

Claude Desktop · Codex CLI 의 npx -y agent-safety-oss serve 설정은 변경 없이 그대로 v1.3.1 을 받습니다.

Changes

• External evaluator report (2026-05-20) — P0/P1 6 items resolved
  • tool-registry comment ("80 tools") → TOOLS.length SSoT
  • ensureGraphBuilt now invokes buildIndex + buildGraph (name/behavior alignment)
  • loadArchivedDocument path-traversal guard (.. / / / \\ / resolved-prefix check)
  • assemble_doc_context excerpt is now slice(0, 500) instead of full article body
  • Local storage path SSoT — src/config/paths.ts introduced + local-storage / trace-recorder integrated
  • link_company_key / get_company_info text content PII is masked by default; opt-in plaintext via reveal: true
• Regression fix — trace-recorder now honors SAFETY_LOCAL_DIR via paths.ts
• Cleanup — .env.example and code comments: residual agent-safety-oss-mcp legacy name removed

Backward compatibility

• All 88 tools keep the same input schema and output structure
• New reveal: false default on company-key tools is non-breaking for downstream programs (they receive masked values which are still strings)
• No removed tools, no removed APIs

Verification

• ontology:gate HIGH 0 / SHACL 22/22 / capability · edge-context · link-type all green
• npm audit — 0 vulnerabilities
• quality-regression — 96/96 excellent, mean 9.68/10, 0 hallucination flags
• check:doc-sync HIGH 0 (all version markers aligned)

Links

• npm: https://www.npmjs.com/package/agent-safety-oss
• CHANGELOG: https://github.com/ratelworks/agent-safety-oss/blob/main/CHANGELOG.md