obsidian-mcp-server

MCP server for Obsidian vaults — read, write, search, and surgically edit notes, tags, and frontmatter via the Local REST API plugin. STDIO or Streamable HTTP.

---
summary: "Pick up `mcp_tool_scopes` claim + `MCP_AUTH_DISABLE_SCOPE_CHECKS` bypass from `@cyanheads/mcp-ts-core` 0.8.20 — resolves [#47](https://github.com/cyanheads/obsidian-mcp-server/issues/47) for OIDC providers that can't override `scope`."
breaking: false
security: false
---

# 3.1.6 — 2026-05-09

Maintenance release. Picks up the framework-side fix for [#47](https://github.com/cyanheads/obsidian-mcp-server/issues/47) — operators behind Authentik / Keycloak < 26.5 / Zitadel can now inject per-tool scopes via the `mcp_tool_scopes` custom claim, or set `MCP_AUTH_DISABLE_SCOPE_CHECKS=true` and rely on `OBSIDIAN_READ_PATHS` / `OBSIDIAN_WRITE_PATHS` / `OBSIDIAN_READ_ONLY` for access control. No source changes in this server.

## Changed

- **`@cyanheads/mcp-ts-core` `^0.8.18` → `^0.8.20`.** Two upstream releases roll up:
  - `0.8.19` — engines bumped to Bun ≥1.3.0 / Node ≥24.0.0; Docker base `oven/bun:1` → `oven/bun:1.3`; new `api-telemetry` skill (v1.0); changelog frontmatter `security: bool` field; `init` template substitutions resolve `{{MCP_SDK_VERSION}}` and `{{ZOD_VERSION}}` from the framework `package.json`.
  - `0.8.20` — `mcp_tool_scopes` JWT claim parsed alongside `scp` and `scope` (granted scopes are the union); `MCP_AUTH_DISABLE_SCOPE_CHECKS` env var bypasses both `withRequiredScopes` and `checkScopes` after the auth-context presence check (signature/audience/issuer/expiry validation intact); `authFactory` logs `WARNING` at startup whenever the bypass is active under non-`none` mode. ([cyanheads/mcp-ts-core#128](https://github.com/cyanheads/mcp-ts-core/issues/128))
- **`engines.node` `>=22.0.0` → `>=24.0.0`** (mirroring the framework). README prerequisites line updated.
- **Docker base image `oven/bun:1` → `oven/bun:1.3`** for build and production stages — pins to the matching minor of the framework's published image.
- **`@types/node` `^25.6.0` → `^25.6.2`.**
- **README** — env-var table gains `MCP_AUTH_DISABLE_SCOPE_CHECKS` row covering the bypass semantics, the path-policy combination, and the startup `WARNING`.
- **`.env.example`** — new comment block under the auth section documents the `mcp_tool_scopes` claim union, the OIDC `authorization_code` restriction, and the bypass-flag fallback.
- **`CLAUDE.md`** — header version updated; skills table picks up the new `api-telemetry` row and the refreshed `api-utils` description (now scoped to the helper API; OTel catalog moved to `api-telemetry`).
- **Phase A skill bumps** (synced from framework): `api-telemetry` (new, v1.0), `api-auth` 1.0 → 1.1 (claims mapping table + OIDC operator setup + bypass docs), `api-config` 1.3 → 1.4 (env-var row), `api-utils` 2.1 → 2.2 (telemetry section now points to `api-telemetry`), `maintenance` 2.0 → 2.1 (Phase C resyncs pristine reference files), `report-issue-framework` 1.5 → 1.6, `report-issue-local` 1.4 → 1.5 (terser issue-writing guidance), `security-pass` 1.3 → 1.4 (Axis 2 bypass-in-production check), `setup` 1.6 → 1.7 (`bunx` examples, `release-and-publish` in progression), `tool-defs-analysis` 1.0 → 1.1 (env var names allowed in recovery hints).
- **Phase C reference-file sync:** `scripts/build-changelog.ts` parses the new `security` frontmatter field; `changelog/template.md` documents it.
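
The scope handling described for `0.8.20` above, modelled as an added sketch (not code from `@cyanheads/mcp-ts-core` or this server): granted scopes are the union of the three claims, and the bypass flag only takes effect once a validated auth context exists. The function names, the scope strings, and the assumption that each claim may be a space-delimited string or a string array are all hypothetical.

```typescript
// Added illustration; not the framework's implementation. All names are hypothetical.
type Claims = Record<string, unknown>;
type Decision = { allowed: boolean; reason: string };

// Assumption: a claim is either a space-delimited string or an array of strings.
function parseScopeClaim(value: unknown): string[] {
  if (typeof value === "string") return value.split(/\s+/).filter(Boolean);
  if (Array.isArray(value)) {
    return value.filter((v): v is string => typeof v === "string" && v.length > 0);
  }
  return []; // absent or malformed claim grants nothing
}

// Granted scopes are the union of `scope`, `scp` and `mcp_tool_scopes`.
function grantedScopes(claims: Claims): string[] {
  const granted: string[] = [];
  for (const name of ["scope", "scp", "mcp_tool_scopes"]) {
    for (const s of parseScopeClaim(claims[name])) {
      if (granted.indexOf(s) === -1) granted.push(s);
    }
  }
  return granted;
}

// `claims` is null when no validated auth context exists, i.e. the token was
// missing or failed signature/audience/issuer/expiry validation upstream.
function authorizeTool(claims: Claims | null, required: string[], disableScopeChecks: boolean): Decision {
  // Presence check runs first, so the bypass never admits an unauthenticated caller.
  if (claims === null) return { allowed: false, reason: "no auth context" };
  // Models MCP_AUTH_DISABLE_SCOPE_CHECKS=true: scope comparison is skipped entirely.
  if (disableScopeChecks) return { allowed: true, reason: "scope checks bypassed" };
  const granted = grantedScopes(claims);
  const missing = required.filter((s) => granted.indexOf(s) === -1);
  return missing.length === 0
    ? { allowed: true, reason: "scopes satisfied" }
    : { allowed: false, reason: "missing: " + missing.join(" ") };
}

// Constructed sample: the provider pins `scope` to OIDC defaults and carries
// the tool scope in the custom claim instead.
const sampleClaims: Claims = {
  scope: "openid profile",
  mcp_tool_scopes: ["example:read"],
};

console.log(grantedScopes(sampleClaims));
console.log(authorizeTool(sampleClaims, ["example:write"], false));
console.log(authorizeTool(sampleClaims, ["example:write"], true));
console.log(authorizeTool(null, [], true));
```

With the bypass on, every authenticated caller passes the scope gate, which is why the release notes pair it with `OBSIDIAN_READ_PATHS` / `OBSIDIAN_WRITE_PATHS` / `OBSIDIAN_READ_ONLY` as the remaining access control.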