Merge pull request #46 from yfedoseev/release/0.1.8

yfedoseev · web-flow · commit 35e30b831095 · 2026-04-08T17:58:01.000-07:00
Release v0.1.8
diff --git a/.github/scripts/extract-release-notes.sh b/.github/scripts/extract-release-notes.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# Extracts release notes for a given version from CHANGELOG.md
+# Usage: extract-release-notes.sh <version>
+# Outputs:
+#   release-title.txt  — "v0.1.8 | Subtitle..." or just "v0.1.8"
+#   release-notes.md   — Full body (changelog section + installation footer)
+
+set -euo pipefail
+
+VERSION="$1"
+CHANGELOG="CHANGELOG.md"
+
+if [ ! -f "$CHANGELOG" ]; then
+  echo "Error: $CHANGELOG not found" >&2
+  exit 1
+fi
+
+# Extract subtitle from "> ..." line after version header
+SUBTITLE=$(awk "/^## \[${VERSION}\]/{found=1; next} found && /^>/{gsub(/^> */, \"\"); print; exit}" "$CHANGELOG")
+
+# Build title
+if [ -n "$SUBTITLE" ]; then
+  echo "v${VERSION} | ${SUBTITLE}" > release-title.txt
+else
+  echo "v${VERSION}" > release-title.txt
+fi
+
+# Extract body: everything between this version's ## and the next ##
+awk "/^## \[${VERSION}\]/{flag=1; next} /^## \[/{flag=0} flag" "$CHANGELOG" \
+  | sed '/^> /d' \
+  | sed '1{/^$/d}' > changelog-section.md
+
+if [ ! -s changelog-section.md ]; then
+  echo "Warning: No changelog content found for version ${VERSION}" >&2
+fi
+
+# Build release body = changelog section + installation footer
+cat changelog-section.md > release-notes.md
+cat >> release-notes.md << 'FOOTER'
+
+---
+
+### Installation
+
+**From crates.io**
+```bash
+cargo install fossil-mcp
+```
+
+**Pre-built Binaries**
+Download the appropriate archive for your platform from the assets below, extract, and place `fossil-mcp` in your PATH.
+
+### Platform Support
+| Platform | Architecture | Archive |
+|----------|-------------|---------|
+| Linux | x86_64 (recommended) | `fossil-mcp-linux-x86_64-musl-*.tar.gz` |
+| Linux | x86_64 (glibc) | `fossil-mcp-linux-x86_64-*.tar.gz` |
+| Linux | ARM64 | `fossil-mcp-linux-aarch64-*.tar.gz` |
+| macOS | x86_64 (Intel) | `fossil-mcp-macos-x86_64-*.tar.gz` |
+| macOS | ARM64 (Apple Silicon) | `fossil-mcp-macos-aarch64-*.tar.gz` |
+| Windows | x86_64 | `fossil-mcp-windows-x86_64-*.zip` |
+
+### Changelog
+See [CHANGELOG.md](https://github.com/yfedoseev/fossil-mcp/blob/main/CHANGELOG.md) for full details.
+FOOTER
+
+# Cleanup
+rm -f changelog-section.md
+
+echo "Generated release-title.txt and release-notes.md for v${VERSION}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -161,7 +161,7 @@ jobs:
           Compress-Archive -Path dist/fossil-mcp.exe -DestinationPath ${{ matrix.artifact_name }}.zip
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.artifact_name }}
           path: |
@@ -178,7 +178,7 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           path: artifacts
 
@@ -189,38 +189,19 @@ jobs:
           echo "=== Release files ==="
           ls -lh release-files/
 
-      - name: Generate release notes
+      - name: Extract release notes from CHANGELOG
         run: |
-          cat << 'EOF' > release-notes.md
-          ## fossil-mcp v${{ needs.validate.outputs.version }}
+          chmod +x .github/scripts/extract-release-notes.sh
+          .github/scripts/extract-release-notes.sh "${{ needs.validate.outputs.version }}"
 
-          The code quality toolkit for the vibe coding era.
-
-          ### Installation
-
-          #### From crates.io
-          ```bash
-          cargo install fossil-mcp
-          ```
-
-          #### Pre-built Binaries
-          Download the appropriate archive for your platform from the assets below, extract, and place `fossil-mcp` in your PATH.
-
-          ### Platform Support
-          | Platform | Architecture | Archive |
-          |----------|-------------|---------|
-          | Linux | x86_64 (recommended) | `fossil-mcp-linux-x86_64-musl-*.tar.gz` |
-          | Linux | x86_64 (glibc) | `fossil-mcp-linux-x86_64-*.tar.gz` |
-          | Linux | ARM64 | `fossil-mcp-linux-aarch64-*.tar.gz` |
-          | macOS | x86_64 (Intel) | `fossil-mcp-macos-x86_64-*.tar.gz` |
-          | macOS | ARM64 (Apple Silicon) | `fossil-mcp-macos-aarch64-*.tar.gz` |
-          | Windows | x86_64 | `fossil-mcp-windows-x86_64-*.zip` |
-          EOF
+      - name: Read release title
+        id: title
+        run: echo "title=$(cat release-title.txt)" >> $GITHUB_OUTPUT
 
       - name: Create release
         uses: softprops/action-gh-release@v2
         with:
-          name: fossil-mcp v${{ needs.validate.outputs.version }}
+          name: ${{ steps.title.outputs.title }}
           body_path: release-notes.md
           files: release-files/*
           draft: false
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,32 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.8] - 2026-04-08
+
+### Added
+
+- **Hardcoded secrets detection in scaffolding scanner** — contributed by [@nooscraft](https://github.com/nooscraft) in [#45](https://github.com/yfedoseev/fossil-mcp/pull/45)
+  - New `include_secrets` parameter (default: false) for `fossil_detect_scaffolding`
+  - Detects ~15 secret patterns: OpenAI, Anthropic, AWS, GitHub, Google, Stripe API keys, PEM headers, Slack/Discord webhooks, DB connection strings with credentials, JWT tokens
+  - High and medium confidence findings with automatic redaction (first 8 chars + `***`)
+  - Environment variable access lines are excluded to reduce false positives
+  - Known placeholder strings (changeme, your_api_key, etc.) are filtered out
+  - 17 new tests (unit + integration) covering all pattern types, redaction, and exclusions
+
+### Changed
+
+- **Dependency updates**
+  - `sha2` 0.10 → 0.11 ([#43](https://github.com/yfedoseev/fossil-mcp/pull/43))
+  - `tree-sitter-scala` 0.24 → 0.25 ([#41](https://github.com/yfedoseev/fossil-mcp/pull/41))
+  - `actions/upload-artifact` v6 → v7 ([#38](https://github.com/yfedoseev/fossil-mcp/pull/38))
+  - `actions/download-artifact` v7 → v8 ([#39](https://github.com/yfedoseev/fossil-mcp/pull/39))
+
+### Contributors
+
+Thank you to [@nooscraft](https://github.com/nooscraft) for another great contribution!
+
+[0.1.8]: https://github.com/yfedoseev/fossil-mcp/compare/v0.1.7...v0.1.8
+
 ## [0.1.7] - 2026-02-19
 
 ### Added
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "fossil-mcp"
-version = "0.1.7"
+version = "0.1.8"
 edition = "2021"
 authors = ["Yury Fedoseev <yfedoseev@gmail.com>"]
 license = "MIT OR Apache-2.0"
@@ -43,7 +43,7 @@ tree-sitter-cpp = "0.23"
 tree-sitter-c = "0.24"
 tree-sitter-swift = "0.7"
 tree-sitter-bash = "0.25"
-tree-sitter-scala = "0.24"
+tree-sitter-scala = "0.25"
 tree-sitter-r = "1.2"
 streaming-iterator = "0.1"
 
@@ -63,7 +63,7 @@ indexmap = { version = "2.0", features = ["serde"] }
 dashmap = "6.1"
 
 # Hashing
-sha2 = "0.10"
+sha2 = "0.11"
 xxhash-rust = { version = "0.8", features = ["xxh3"] }
 
 # Probabilistic data structures
diff --git a/src/mcp/mod.rs b/src/mcp/mod.rs
@@ -379,7 +379,7 @@ impl McpServer {
                 },
                 {
                     "name": "fossil_detect_scaffolding",
-                    "description": "Detect AI-generated scaffolding artifacts in source code: phased/temporal function names, phased comments (Phase N/Step N/Part N), TODO/FIXME markers, placeholder method bodies, debug prints, delivery/summary files, framework defaults, verbose doc comments, identical error strings, AI vocabulary density, comment clones, over-documented functions, documented ignored parameters, misleading algorithm names, emoji characters",
+                    "description": "Detect AI-generated scaffolding artifacts in source code: phased/temporal function names, phased comments (Phase N/Step N/Part N), TODO/FIXME markers, placeholder method bodies, debug prints, delivery/summary files, framework defaults, verbose doc comments, identical error strings, AI vocabulary density, comment clones, over-documented functions, documented ignored parameters, misleading algorithm names, emoji characters, hardcoded secrets and credentials",
                     "annotations": annotations,
                     "inputSchema": {
                         "type": "object",
@@ -408,6 +408,10 @@ impl McpServer {
                                 "type": "boolean",
                                 "description": "Include emoji characters found anywhere in source code (comments, strings, identifiers) (default: false)"
                             },
+                            "include_secrets": {
+                                "type": "boolean",
+                                "description": "Include hardcoded secrets and credentials: API keys, passwords, tokens, private keys, webhook URLs, database connection strings with credentials (default: false)"
+                            },
                             "limit": {
                                 "type": "integer",
                                 "description": "Maximum findings to return (default: 200)",
diff --git a/src/mcp/tools/scaffolding.rs b/src/mcp/tools/scaffolding.rs
