v0.3.2 — Security & Infrastructure Hardening

A pure security + infrastructure release. No runtime API changes — the server behaves identically to 0.3.1 for its consumers. The auto-publish workflow had been failing on every non-md push since 2026-05-02 (no version bump → npm rejects republishing 0.3.1); this release closes that gap.

🔒 Security

• npm audit fix resolved all 14 transitive npm vulnerabilities (hono, @hono/node-server, express-rate-limit, path-to-regexp, picomatch, postcss, vite).
• Added overrides.vite: ^8.0.0 in package.json to permanently resolve three high-severity vite advisories (GHSA-4w7w-66w2-5vf9, GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583) inherited via the vitest dev tree.
• npm audit now reports zero vulnerabilities.
• Enabled GitHub Dependabot security updates, secret scanning, and secret scanning push protection.
• Confirmed Private Vulnerability Reporting — disclosure path: https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/new

🏗️ Infrastructure

• .github/dependabot.yml — weekly grouped npm + GitHub Actions + Docker update PRs
• .github/workflows/codeql.yml — CodeQL static analysis (security-extended + security-and-quality query packs)
• .github/CODEOWNERS, PULL_REQUEST_TEMPLATE.md, three ISSUE_TEMPLATE/*.yml forms, CODE_OF_CONDUCT.md
• Branch protection ruleset on main: PR required, status checks gated (build-and-test + Analyze (javascript-typescript)), force-push and deletion blocked, linear history required, squash/rebase merges only
• GitHub release tags backfilled for v0.3.0 and v0.3.1

🚀 Publish workflow

• actions/checkout@v3 → @v6
• actions/setup-node@v3 → @v6
• node-version: 20.x → 22.x (LTS Iron)
• npm test enabled in build-and-test (vitest is wired)
• npm publish --provenance --access public — Sigstore-signed npm provenance attestations via GitHub OIDC
• pull_request trigger added so build-and-test runs on PRs (required for branch protection)
• Least-privilege permissions: blocks at workflow + job level

🧹 Removed

• docs/VISION.md — superseded; product strategy is tracked elsewhere
• Wiki page Product-Vision-&-Roadmap.md — duplicate of the above

✅ Verification

Check	Result
npm audit	0 vulnerabilities (was 14)
npm run build	clean
npm test	41/41 tests pass on Node 22 with vite ^8.0.0
Sigstore provenance	published with this release

Full notes in CHANGELOG.md.