feat(registry): compose ServerDetail from manifest, mount /v1/servers, deprecate /v1/bundles

Adds a request-time composer that builds upstream MCP `ServerDetail`
from a bundle's stored mcpb v0.4 manifest plus mpak-side data
(downloads, provenance, certification, artifacts). The deprecated
`PackageVersion.serverJson` column is no longer read — server.json
metadata is fully derived from the manifest, so bundles that drop their
`server.json` file in their next release keep working.

Endpoints:
- GET /v0.1/servers/{name}                       (existing path, now composer-backed)
- GET /v0.1/servers/{name}/versions/{version}    (existing path, now composer-backed)
- GET /v0.1/servers/{name}/versions              (list versions for a server)
- GET /v0.1/servers/search?q=&limit=&cursor=     (NEW)
- GET /v0.1/servers                              (existing path, now composer-backed)
- /v1/servers mounts the same handlers under mpak's /v1 family
- {name} accepts both the npm-style scoped name (`@scope/pkg`) and the
  reverse-DNS form (`ai.nimblebrain/echo`); curated org map flips
  `@nimblebraininc/*` to `ai.nimblebrain/*`, and the mechanical default
  for any other org is `dev.mpak.<scope>/<name>`

Compatibility:
- Every /v1/bundles GET response now carries `Deprecation: true` plus
  `Link: </v1/servers>; rel="successor-version"` per RFC 8594. The
  bundle endpoints stay alive (CLI publish, OIDC announce still depend
  on them) but consumer-read shapes should migrate.
- New repository methods `findPackageForServerLookup`,
  `findPackagesForServerListing`, and `findLatestCompletedScan` replace
  the `serverJson != null` filter; the legacy `findPackageWithServerJson*`
  methods are kept for any external caller still on the old shape.

Schemas: new `ServerDetailSchema` (Zod) shipped in
`@nimblebrain/mpak-schemas` covering Icon, Repository, transports,
KeyValueInput, ServerPackage, and the full ServerDetail. Helpers
`mechanicalReverseDnsName`, `defaultReverseDnsName`, and
`resolveReverseDnsName` document the naming rules.

Other:
- `apps/registry` switched from `^0.2.0` to `workspace:*` for the
  schemas dep so monorepo builds pick up the new exports.

Tests: 10 new composer cases cover required-field projection, author
overrides, missing display_name fallback, XSS-guard on icon URLs,
description truncation, malformed-input rejection, no-artifact path,
and user_config → environmentVariables mapping.

Author: mgoldsborough

apps/registry/package.json

@@ -46,7 +46,7 @@
     "jose": "^6.1.3",
     "pg": "^8.13.1",
     "prisma": "^7.2.0",
-    "@nimblebrain/mpak-schemas": "^0.2.0",
+    "@nimblebrain/mpak-schemas": "workspace:*",
     "semver": "^7.6.3",
     "zod": "^4.3.4"
   },

apps/registry/src/db/repositories/package.repository.ts

@@ -373,6 +373,94 @@ export class PackageRepository {
     });
   }
 
+  /**
+   * Find a package by its npm-style scoped name with all versions and
+   * artifacts. Variant of {@link findPackageWithServerJsonByName} that
+   * doesn't require the deprecated `serverJson` column to be set —
+   * server.json metadata is now composed from the manifest, so any
+   * indexed bundle can be served as an MCP `ServerDetail`.
+   */
+  async findPackageForServerLookup(
+    name: string,
+    tx?: TransactionClient
+  ): Promise<(Package & { versions: (PackageVersion & { artifacts: Artifact[] })[] }) | null> {
+    const client = tx ?? getPrismaClient();
+    return client.package.findUnique({
+      where: { name },
+      include: {
+        versions: {
+          orderBy: { publishedAt: 'desc' },
+          include: {
+            artifacts: true,
+          },
+        },
+      },
+    });
+  }
+
+  /**
+   * List packages with their latest version + artifacts. Variant of
+   * {@link findPackagesWithServerJson} without the deprecated
+   * `serverJson` filter — server.json metadata composes from the
+   * manifest, so every indexed package can be served. Honors a
+   * case-insensitive substring search on name / displayName /
+   * description.
+   */
+  async findPackagesForServerListing(
+    filters: { search?: string },
+    options: { skip?: number; take?: number },
+    tx?: TransactionClient
+  ): Promise<{ packages: (Package & { versions: (PackageVersion & { artifacts: Artifact[] })[] })[]; total: number }> {
+    const client = tx ?? getPrismaClient();
+
+    const where: Prisma.PackageWhereInput = filters.search
+      ? {
+          OR: [
+            { name: { contains: filters.search, mode: 'insensitive' } },
+            { displayName: { contains: filters.search, mode: 'insensitive' } },
+            { description: { contains: filters.search, mode: 'insensitive' } },
+          ],
+        }
+      : {};
+
+    const [packages, total] = await Promise.all([
+      client.package.findMany({
+        where,
+        skip: options.skip,
+        take: options.take,
+        orderBy: { name: 'asc' },
+        include: {
+          versions: {
+            orderBy: { publishedAt: 'desc' },
+            take: 1,
+            include: {
+              artifacts: true,
+            },
+          },
+        },
+      }),
+      client.package.count({ where }),
+    ]);
+
+    return { packages, total };
+  }
+
+  /**
+   * Latest completed security scan for a version, when present.
+   * Returned for the registry's MTF certification fields (level,
+   * controls passed/failed/total) on `_meta["dev.mpak/registry"].certification`.
+   */
+  async findLatestCompletedScan(
+    versionId: string,
+    tx?: TransactionClient
+  ): Promise<SecurityScan | null> {
+    const client = tx ?? getPrismaClient();
+    return client.securityScan.findFirst({
+      where: { versionId, status: 'completed' },
+      orderBy: { startedAt: 'desc' },
+    });
+  }
+
   // ==================== Package Version Methods ====================
 
   /**

apps/registry/src/index.ts

@@ -146,6 +146,18 @@ async function start() {
       max: 10,
       timeWindow: '1 minute',
     });
+    // Mark every /v1/bundles response as deprecated per RFC 8594. The
+    // successor is the MCP-spec-aligned /v1/servers family; the legacy
+    // bundle-shape endpoints stay alive (announce / publish flow still
+    // depends on them) but consumers fetching read shapes should
+    // migrate. Skip POST /announce — that's a publish path, not a
+    // consumer-read path.
+    instance.addHook('onSend', async (request, reply) => {
+      if (request.method === 'GET' || request.method === 'HEAD') {
+        reply.header('Deprecation', 'true');
+        reply.header('Link', '</v1/servers>; rel="successor-version"');
+      }
+    });
     await instance.register(bundleRoutes);
     await instance.register(securityRoutes); // /@:scope/:package/security routes
   }, { prefix: '/v1/bundles' });
@@ -165,7 +177,10 @@ async function start() {
     await instance.register(skillRoutes);
   }, { prefix: '/v1/skills' });
 
-  // MCP Registry API
+  // MCP Registry API — mounted at both /v0.1 (the upstream MCP Registry
+  // public API prefix) and /v1 (mpak's `/v1/...` family). Same routes,
+  // same handlers; consumers pick whichever URL space is conventional
+  // for their stack.
   await fastify.register(async (instance) => {
     await instance.register(cors, {
       origin: true,
@@ -175,6 +190,15 @@ async function start() {
     await instance.register(mcpRegistryRoutes);
   }, { prefix: '/v0.1' });
 
+  await fastify.register(async (instance) => {
+    await instance.register(cors, {
+      origin: true,
+      methods: ['GET', 'HEAD'],
+      credentials: false,
+    });
+    await instance.register(mcpRegistryRoutes);
+  }, { prefix: '/v1' });
+
   // Health check endpoint
   fastify.get('/health', {
     schema: {