Releases: berntpopp/phentrieve
Release list
v0.24.1 — dependency & security maintenance
Dependency, security, and code-scanning maintenance release. Consolidates the open Dependabot updates (#294, #296, #297, #299, #300) into one verified PR (#301) and clears the outstanding GitHub security surface. Also ships the previously-unreleased frontend footer / MCP-connect work under one unified tag.
Components: CLI 0.24.1 · API 0.16.1 · Frontend 0.16.1
Security (12 Dependabot advisories cleared)
- pip:
starlette1.0.1→1.3.1 (HIGH),cryptography46.0.7→49.0.0 (HIGH),msgpack1.1.2→1.2.1 (HIGH),python-multipart0.0.29→0.0.32 (HIGH + 2 low),pydantic-settings2.13.1→2.14.2 (MED) - npm:
form-data→4.0.6 (HIGH) - Enforced security floors added under
[tool.uv]so a futureuv lockcannot regress. chromadbCRITICAL (GHSA-f4j7-r4q5-qw2c) — not applicable: the pre-auth code injection is in Chroma's HTTP server mode only; phentrieve uses an embeddedPersistentClientexclusively, and no patched release exists above 1.5.9 (also pinned for data-bundle compatibility).
Changed
- Frontend deps refreshed to latest minor/patch (
vue3.5.39,vite8.1.3, plus the 12-package group;npm auditclean). - CI:
actions/checkout→v7,actions/cache→v6 (verified drop-in). typerheld at<0.26.0— 0.26 vendors Click and breaks the lazy CLI groups, so Dependabot #298 was declined.
Fixed
- Resolved 3 CodeQL findings:
py/empty-except,py/import-and-import-from,py/ineffectual-statement(all inapi/).
Added (previously unreleased frontend work)
- Footer API/MCP shortcut icons and the
/connect"Connect an AI Agent (MCP)" page.
Verified against the full make ci-local gate (1880 tests) + make security-python.
v0.24.0 — MCP server stabilization (CLI 0.24.0 / API 0.16.0 / Frontend 0.15.0)
MCP server stabilization — every quality dimension lifted toward >9/10
(plan: .planning/analysis/2026-06-14-mcp-stabilization-plan.md, PR #291).
Component versions: CLI 0.24.0 · API/MCP 0.16.0 · Frontend 0.15.0.
Highlights
- Correctness: band-based
no_high_confidence_match(B1);chunk_text
lazy-loads the model so all 7 strategies work (B2); LLM extraction drops
family-history mislabels + adds orthogonal experiencer/assertion axes and a
negated_qualifier, fixing "X without Y" over-negation (LLM-1/LLM-2). - Token efficiency & DX: one canonical phenopacket,
phenopacket_jsongated
(R1); capped/compacted export pre-fill (R2); value-level blank-text envelope
(B3);not_found→resolve_identifier+ search (D4); live diagnostics (D3). - Polish:
text_attributionsalways an array (D1);ic_proxy→
normalized_depth(D2); synonym cap (R3); deterministic extract default
num_results_per_chunk1→3 (Q1); honest alias-policy docs (B4).
Schema/descriptor changes intentionally roll capabilities_version. See
CHANGELOG.md for full notes.
v0.23.2 — MCP assessment remediation
Component versions: CLI 0.23.2 / API 0.15.3 / Frontend 0.14.1
Closes the MCP consumer-assessment defects that the prior hardening pass left open or punted (PR #290). Every assessment dimension now reaches ≥ 9.5/10 (overall was 7.5).
Correctness (shared pipeline — REST + frontend benefit)
- D1 Span-level negation: a match is negated only when its phrase span overlaps a computed negated scope, so an affirmed concept beside a negated one ("severe intellectual disability without regression") is no longer over-negated; "no X / not X" stays negated.
- D2/D3 Multi-concept spans split on progression markers so co-findings ("hypotonia progressing to hypertonia") each surface at
num_results_per_chunk=1; degenerate function-word chunks dropped.
MCP output shape & signalling
- D4
export_phenopacketreturns a nativephenopacketobject (string kept for back-compat). - D5
compare_hpo_termshonoursresponse_mode(adds MICA / IC / labels / subsumer path at standard/full). - D6
search_hpo_termsaddsconfidence_band+no_high_confidence_match. - D7/D13 Uniform
text_attributions, null padding dropped. - D8/D9/D11 Cache-key contract documented; best-effort startup warmup; honest client-supplied provenance.
LLM-side negation-scope (D1) remains deferred (benchmark-gated). Full verification: .planning/analysis/2026-06-14-phentrieve-mcp-assessment-remediation-verification.md.
v0.23.1 — close out vite 8 / vue-router 5.1 frontend migration
Patch release closing out the frontend build-toolchain migration tracked in #273.
Components: CLI 0.23.1 / API 0.14.0 / Frontend 0.13.1
Changed
- Frontend toolchain on vite 8 / vue-router 5.1. The dependency bumps landed in 0.23.0 (vite 6 → 8 via rolldown,
vue-router5.0.7 → 5.1, unblocking deps that peer-require vite 7/8); this release records and verifies the migration and closes #273.
Verified
make ci-frontend+ non-CI build: ESLint, Prettier, 306 Vitest tests, production build, andvite-plugin-compressionbrotli output all green undervite v8.0.16.make ci-local+make security-python: Python quality (incl.uv sync --locked) and security scans pass.- Docker/CI Node
20.19satisfies vite's^20.19.0 || >=22.12.0. vue-routerdependabot ignore block (#271) removed; normal updates resume.
No functional code change — versions + changelog only.
Full diff: v0.23.0...v0.23.1
v0.23.0 (CLI 0.23.0 / API 0.14.0 / Frontend 0.13.0)
Highlights
Interactive full-text annotation curation. On the highlighted clinical note you can now curate the automatic annotations directly — left-click / right-click / keyboard-activate a phrase to change the term (re-query with ranked HPO candidates, definitions, scores, affirmed/negated toggle), remove it (with Undo), add to collection, or revert to the original. Select unhighlighted text to annotate a new span. Edits are per-turn, persisted, and provenance-tracked — findings carry an auto/manual badge and manual spans render in a distinct colour.
Auto terms whose label appears verbatim in the note are now highlighted even when the extractor returns no text attributions.
Removed the orphaned full-text annotation workspace cluster (~2,300 LOC) it supersedes.
Fixes
- Manual annotation of a whitespace-padded selection (typical mouse drag) now highlights correctly.
- The affirmed/negated choice in the term picker now applies (previously had no effect in the production build).
Versions
CLI 0.23.0 · API 0.14.0 · Frontend 0.13.0
See CHANGELOG.md for details.
v0.22.1 — Readable phenotype tooltip + non-collapsing annotation hover
Patch release — CLI 0.22.1 / API 0.13.0 / Frontend 0.12.1.
Fixed
- Full-text annotation hover no longer collapses the highlights. Hovering one annotated phrase previously hid every other highlight (22 → 1) and could leave a highlight stuck. All mentions now stay highlighted; the hovered phenotype is emphasised via a CSS class only, and the highlight always resets on leave.
- Phenotype tooltip is now readable. It rendered near-black text on Vuetify's default dark surface (~1.7:1 contrast) because the custom style sat in a scoped
:deep()that can't reach the teleported overlay. It now uses a global, theme-aware surface meeting WCAG AA (≈21:1 label, ≈5.6:1 eyebrow) in light and dark themes.
Added
- Keyboard accessibility for annotated spans: focusable (
tabindex,aria-label), tooltip on focus (open-on-focus), focus/hover emphasis parity (WCAG 1.4.13); the note expand/collapse toggle gained an accessible name.
Changed
- Local dev stack no longer enforces the public LLM daily quota —
docker-compose.dev.ymlruns the dev API asdevelopment(the quota gate only fires whenPHENTRIEVE_ENV=production).
Full changelog: CHANGELOG.md → [0.22.1]. Merged via #277.
v0.22.0 — MCP FastMCP v3 Gen-3 modernization
[0.22.0] — 2026-06-13 (CLI 0.22.0 / API 0.13.0 / Frontend 0.12.0)
Changed
- MCP server modernized to the FastMCP v3 "Gen-3" house style (breaking).
Tools are renamed from dotted (phentrieve.extract_hpo_terms) to
underscore-namespaced (phentrieve_extract_hpo_terms). Every tool now returns
a Family B envelope —successplus a_metablock (tool,request_id,
elapsed_ms,response_mode,capabilities_version,
unsafe_for_clinical_use,next_commands) — or a structured error
(error_code,retryable,recovery_action). A newresponse_mode
(minimal | compact | standard | full, defaultcompact) controls token
cost. Clients depending on the previous response shapes or tool names must
update. - MCP transport is Streamable HTTP only. The stdio transport (the broken
phentrieve-mcpentry point) and the legacyfastapi-mcpOpenAPI bridge have
been removed.phentrieve mcp serveno longer takes--http(HTTP is the only
mode). Thefastapi-mcpdependency is replaced byfastmcp>=3.2.
Added
- New MCP tools:
phentrieve_export_phenopacket(GA4GH Phenopacket v2 export),
phentrieve_chunk_text(chunk-only), andphentrieve_diagnostics(subsystem
health + recent errors).phentrieve_get_server_capabilitiesis renamed to
phentrieve_get_capabilitiesand now reports a content-hashed
capabilities_versionanddescriptor_chars. - MCP discoverability:
phentrieve://schema/overviewand
phentrieve://schema/tool-guidemarkdown resources, richer server
instructions,readOnlyHinttool annotations, structured output schemas,
argument-alias normalization with did-you-mean validation errors, and
next_commandsworkflow hints on every response. - MCP research-use acknowledgement parity: extraction tools require
research_use_acknowledged=truewhen the server runs in public-hosted or
research-ack mode, mirroring the RESTX-Research-Ackgate.
v0.21.6
Summary
- Remediate Dependabot security alerts for ChromaDB and esbuild.
- Pin ChromaDB below the affected 1.x range and constrain PostHog to a ChromaDB 0.6-compatible API range.
- Upgrade the frontend toolchain to Vite 8 and remove vulnerable esbuild from the lockfile.
- Add dependency-security policy tests and ChromaDB 0.6 compatibility coverage.
Security Notes
- Fixed GHSA-f4j7-r4q5-qw2c by resolving chromadb to 0.6.3.
- Fixed GHSA-gv7w-rqvm-qjhr and GHSA-g7r4-m6w7-qqqr by removing vulnerable esbuild from the frontend lockfile.
- CVE-2025-3000 / GHSA-rrmf-rvhw-rf47 for torch has no patched release as of 2026-06-13; the Dependabot alert is dismissed as tolerable risk with a no-patch rationale and remains an explicit pip-audit exception.
Verification
- make check
- make typecheck-fast
- make test
- make ci-frontend
- npm --prefix frontend audit --audit-level=high
- uv run pip-audit --requirement audit-requirements.txt --vulnerability-service pypi --ignore-vuln CVE-2025-3000
- real ChromaDB 0.6 PersistentClient smoke test
v0.21.5
Summary
- Make local Python and frontend CI checks resource-safe by default.
- Bound pytest workers and move coverage/xdist out of global pytest config.
- Reuse existing local Python and npm dependencies by default; keep explicit clean parity targets.
- Pin Node 20.19 for Vite 7 workflows and Docker frontend builds.
Verification
- make check
- make typecheck-fast
- make test
- make test-ci
- make ci-frontend
- make ci-quick
Pre-built HPO Data Bundles (HPO v2026-02-16)
Complete Phentrieve HPO v2026-02-16 bundles: minimal DB, single-vector indexes, and multivector indexes.