Skip to content

Releases: berntpopp/phentrieve

v0.24.1 — dependency & security maintenance

Choose a tag to compare

@berntpopp berntpopp released this 03 Jul 06:10
4abde11

Dependency, security, and code-scanning maintenance release. Consolidates the open Dependabot updates (#294, #296, #297, #299, #300) into one verified PR (#301) and clears the outstanding GitHub security surface. Also ships the previously-unreleased frontend footer / MCP-connect work under one unified tag.

Components: CLI 0.24.1 · API 0.16.1 · Frontend 0.16.1

Security (12 Dependabot advisories cleared)

  • pip: starlette 1.0.1→1.3.1 (HIGH), cryptography 46.0.7→49.0.0 (HIGH), msgpack 1.1.2→1.2.1 (HIGH), python-multipart 0.0.29→0.0.32 (HIGH + 2 low), pydantic-settings 2.13.1→2.14.2 (MED)
  • npm: form-data →4.0.6 (HIGH)
  • Enforced security floors added under [tool.uv] so a future uv lock cannot regress.
  • chromadb CRITICAL (GHSA-f4j7-r4q5-qw2c) — not applicable: the pre-auth code injection is in Chroma's HTTP server mode only; phentrieve uses an embedded PersistentClient exclusively, and no patched release exists above 1.5.9 (also pinned for data-bundle compatibility).

Changed

  • Frontend deps refreshed to latest minor/patch (vue 3.5.39, vite 8.1.3, plus the 12-package group; npm audit clean).
  • CI: actions/checkout→v7, actions/cache→v6 (verified drop-in).
  • typer held at <0.26.0 — 0.26 vendors Click and breaks the lazy CLI groups, so Dependabot #298 was declined.

Fixed

  • Resolved 3 CodeQL findings: py/empty-except, py/import-and-import-from, py/ineffectual-statement (all in api/).

Added (previously unreleased frontend work)

  • Footer API/MCP shortcut icons and the /connect "Connect an AI Agent (MCP)" page.

Verified against the full make ci-local gate (1880 tests) + make security-python.

v0.24.0 — MCP server stabilization (CLI 0.24.0 / API 0.16.0 / Frontend 0.15.0)

Choose a tag to compare

@berntpopp berntpopp released this 14 Jun 21:50
e54692b

MCP server stabilization — every quality dimension lifted toward >9/10
(plan: .planning/analysis/2026-06-14-mcp-stabilization-plan.md, PR #291).

Component versions: CLI 0.24.0 · API/MCP 0.16.0 · Frontend 0.15.0.

Highlights

  • Correctness: band-based no_high_confidence_match (B1); chunk_text
    lazy-loads the model so all 7 strategies work (B2); LLM extraction drops
    family-history mislabels + adds orthogonal experiencer/assertion axes and a
    negated_qualifier, fixing "X without Y" over-negation (LLM-1/LLM-2).
  • Token efficiency & DX: one canonical phenopacket, phenopacket_json gated
    (R1); capped/compacted export pre-fill (R2); value-level blank-text envelope
    (B3); not_foundresolve_identifier + search (D4); live diagnostics (D3).
  • Polish: text_attributions always an array (D1); ic_proxy
    normalized_depth (D2); synonym cap (R3); deterministic extract default
    num_results_per_chunk 1→3 (Q1); honest alias-policy docs (B4).

Schema/descriptor changes intentionally roll capabilities_version. See
CHANGELOG.md for full notes.

v0.23.2 — MCP assessment remediation

Choose a tag to compare

@berntpopp berntpopp released this 14 Jun 17:54
fec1362

Component versions: CLI 0.23.2 / API 0.15.3 / Frontend 0.14.1

Closes the MCP consumer-assessment defects that the prior hardening pass left open or punted (PR #290). Every assessment dimension now reaches ≥ 9.5/10 (overall was 7.5).

Correctness (shared pipeline — REST + frontend benefit)

  • D1 Span-level negation: a match is negated only when its phrase span overlaps a computed negated scope, so an affirmed concept beside a negated one ("severe intellectual disability without regression") is no longer over-negated; "no X / not X" stays negated.
  • D2/D3 Multi-concept spans split on progression markers so co-findings ("hypotonia progressing to hypertonia") each surface at num_results_per_chunk=1; degenerate function-word chunks dropped.

MCP output shape & signalling

  • D4 export_phenopacket returns a native phenopacket object (string kept for back-compat).
  • D5 compare_hpo_terms honours response_mode (adds MICA / IC / labels / subsumer path at standard/full).
  • D6 search_hpo_terms adds confidence_band + no_high_confidence_match.
  • D7/D13 Uniform text_attributions, null padding dropped.
  • D8/D9/D11 Cache-key contract documented; best-effort startup warmup; honest client-supplied provenance.

LLM-side negation-scope (D1) remains deferred (benchmark-gated). Full verification: .planning/analysis/2026-06-14-phentrieve-mcp-assessment-remediation-verification.md.

v0.23.1 — close out vite 8 / vue-router 5.1 frontend migration

Choose a tag to compare

@berntpopp berntpopp released this 14 Jun 04:41
68772a5

Patch release closing out the frontend build-toolchain migration tracked in #273.

Components: CLI 0.23.1 / API 0.14.0 / Frontend 0.13.1

Changed

  • Frontend toolchain on vite 8 / vue-router 5.1. The dependency bumps landed in 0.23.0 (vite 6 → 8 via rolldown, vue-router 5.0.7 → 5.1, unblocking deps that peer-require vite 7/8); this release records and verifies the migration and closes #273.

Verified

  • make ci-frontend + non-CI build: ESLint, Prettier, 306 Vitest tests, production build, and vite-plugin-compression brotli output all green under vite v8.0.16.
  • make ci-local + make security-python: Python quality (incl. uv sync --locked) and security scans pass.
  • Docker/CI Node 20.19 satisfies vite's ^20.19.0 || >=22.12.0.
  • vue-router dependabot ignore block (#271) removed; normal updates resume.

No functional code change — versions + changelog only.

Full diff: v0.23.0...v0.23.1

v0.23.0 (CLI 0.23.0 / API 0.14.0 / Frontend 0.13.0)

Choose a tag to compare

@berntpopp berntpopp released this 14 Jun 04:22
82b912b

Highlights

Interactive full-text annotation curation. On the highlighted clinical note you can now curate the automatic annotations directly — left-click / right-click / keyboard-activate a phrase to change the term (re-query with ranked HPO candidates, definitions, scores, affirmed/negated toggle), remove it (with Undo), add to collection, or revert to the original. Select unhighlighted text to annotate a new span. Edits are per-turn, persisted, and provenance-tracked — findings carry an auto/manual badge and manual spans render in a distinct colour.

Auto terms whose label appears verbatim in the note are now highlighted even when the extractor returns no text attributions.

Removed the orphaned full-text annotation workspace cluster (~2,300 LOC) it supersedes.

Fixes

  • Manual annotation of a whitespace-padded selection (typical mouse drag) now highlights correctly.
  • The affirmed/negated choice in the term picker now applies (previously had no effect in the production build).

Versions

CLI 0.23.0 · API 0.14.0 · Frontend 0.13.0

See CHANGELOG.md for details.

v0.22.1 — Readable phenotype tooltip + non-collapsing annotation hover

Choose a tag to compare

@berntpopp berntpopp released this 13 Jun 20:27
5c907f4

Patch release — CLI 0.22.1 / API 0.13.0 / Frontend 0.12.1.

Fixed

  • Full-text annotation hover no longer collapses the highlights. Hovering one annotated phrase previously hid every other highlight (22 → 1) and could leave a highlight stuck. All mentions now stay highlighted; the hovered phenotype is emphasised via a CSS class only, and the highlight always resets on leave.
  • Phenotype tooltip is now readable. It rendered near-black text on Vuetify's default dark surface (~1.7:1 contrast) because the custom style sat in a scoped :deep() that can't reach the teleported overlay. It now uses a global, theme-aware surface meeting WCAG AA (≈21:1 label, ≈5.6:1 eyebrow) in light and dark themes.

Added

  • Keyboard accessibility for annotated spans: focusable (tabindex, aria-label), tooltip on focus (open-on-focus), focus/hover emphasis parity (WCAG 1.4.13); the note expand/collapse toggle gained an accessible name.

Changed

  • Local dev stack no longer enforces the public LLM daily quotadocker-compose.dev.yml runs the dev API as development (the quota gate only fires when PHENTRIEVE_ENV=production).

Full changelog: CHANGELOG.md → [0.22.1]. Merged via #277.

v0.22.0 — MCP FastMCP v3 Gen-3 modernization

Choose a tag to compare

@berntpopp berntpopp released this 13 Jun 19:08
c3bb57b

[0.22.0] — 2026-06-13 (CLI 0.22.0 / API 0.13.0 / Frontend 0.12.0)

Changed

  • MCP server modernized to the FastMCP v3 "Gen-3" house style (breaking).
    Tools are renamed from dotted (phentrieve.extract_hpo_terms) to
    underscore-namespaced (phentrieve_extract_hpo_terms). Every tool now returns
    a Family B envelope — success plus a _meta block (tool, request_id,
    elapsed_ms, response_mode, capabilities_version,
    unsafe_for_clinical_use, next_commands) — or a structured error
    (error_code, retryable, recovery_action). A new response_mode
    (minimal | compact | standard | full, default compact) controls token
    cost. Clients depending on the previous response shapes or tool names must
    update.
  • MCP transport is Streamable HTTP only. The stdio transport (the broken
    phentrieve-mcp entry point) and the legacy fastapi-mcp OpenAPI bridge have
    been removed. phentrieve mcp serve no longer takes --http (HTTP is the only
    mode). The fastapi-mcp dependency is replaced by fastmcp>=3.2.

Added

  • New MCP tools: phentrieve_export_phenopacket (GA4GH Phenopacket v2 export),
    phentrieve_chunk_text (chunk-only), and phentrieve_diagnostics (subsystem
    health + recent errors). phentrieve_get_server_capabilities is renamed to
    phentrieve_get_capabilities and now reports a content-hashed
    capabilities_version and descriptor_chars.
  • MCP discoverability: phentrieve://schema/overview and
    phentrieve://schema/tool-guide markdown resources, richer server
    instructions, readOnlyHint tool annotations, structured output schemas,
    argument-alias normalization with did-you-mean validation errors, and
    next_commands workflow hints on every response.
  • MCP research-use acknowledgement parity: extraction tools require
    research_use_acknowledged=true when the server runs in public-hosted or
    research-ack mode, mirroring the REST X-Research-Ack gate.

v0.21.6

Choose a tag to compare

@berntpopp berntpopp released this 13 Jun 00:06

Summary

  • Remediate Dependabot security alerts for ChromaDB and esbuild.
  • Pin ChromaDB below the affected 1.x range and constrain PostHog to a ChromaDB 0.6-compatible API range.
  • Upgrade the frontend toolchain to Vite 8 and remove vulnerable esbuild from the lockfile.
  • Add dependency-security policy tests and ChromaDB 0.6 compatibility coverage.

Security Notes

Verification

  • make check
  • make typecheck-fast
  • make test
  • make ci-frontend
  • npm --prefix frontend audit --audit-level=high
  • uv run pip-audit --requirement audit-requirements.txt --vulnerability-service pypi --ignore-vuln CVE-2025-3000
  • real ChromaDB 0.6 PersistentClient smoke test

v0.21.5

Choose a tag to compare

@berntpopp berntpopp released this 12 Jun 23:43

Summary

  • Make local Python and frontend CI checks resource-safe by default.
  • Bound pytest workers and move coverage/xdist out of global pytest config.
  • Reuse existing local Python and npm dependencies by default; keep explicit clean parity targets.
  • Pin Node 20.19 for Vite 7 workflows and Docker frontend builds.

Verification

  • make check
  • make typecheck-fast
  • make test
  • make test-ci
  • make ci-frontend
  • make ci-quick

Pre-built HPO Data Bundles (HPO v2026-02-16)

Choose a tag to compare

@berntpopp berntpopp released this 22 May 20:48

Complete Phentrieve HPO v2026-02-16 bundles: minimal DB, single-vector indexes, and multivector indexes.