v3.2.1 — The One Where Updating Finally Brings The Mirror Along (and Clears the npm Vulns)

A bugfix release that makes engine updates actually deliver the flagship feature — and clears every npm vulnerability.

What it fixes

Before v3.2.1, updating a brain to v3.2.x copied the local-mirror code but never installed its skill nor registered its MCP server — so only a fresh install got the feature. Upgraders silently missed it.

Now, an engine update:

• Installs missing engine-declared skills (install-if-absent) — a brand-new engine skill (e.g. local-mirror) reaches upgraders, while a custom/already-present skill is left byte-identical.
• Reconciles .mcp.json from the manifest's engineMcpServers — registers a newly-shipped engine server, preserving existing engine/user servers.
• Names what it delivered in the update summary, so you see you finally have the feature.
• Clears all npm vulnerabilities (0 vulns on rag/ and local-mirror/).

Safety

Your notes, .env, constitution, settings and custom skills stay untouchable by construction — only manifest-declared engine assets are written, and only when absent.

ℹ️ Brains already on ≤v3.2.0 self-heal over two update cycles (run 1 installs the new logic, run 2 runs it) — documented in the update-engine skill + ADR 0025.

Closes QA findings #1 (major) + #2 (npm vulns).