Changelog
What's new
Every release at a glance. Want the detail? Each entry links to its commit, and every version has a GitHub release.
-
A stateless, web-standard, agent-first 3.0: sessionless MCP transport, a leaner auth and dependency surface, and the Vercel adapter generalised into a portable edge adapter.
- Breaking Renamed @silkweave/vercel to @silkweave/edge, and its adapter vercel() to edge() (types EdgeAdapter/EdgeAdapterOptions; umbrella subpath silkweave/edge). It is platform-agnostic and web-standard - one adapter for Cloudflare Workers, Vercel, Bun, Deno, Hono, and Next.js. Update imports; there is no back-compat alias. 44f5257
- Breaking The MCP HTTP transport is now stateless: no Mcp-Session-Id, no session map, no GET/DELETE reconnect. Each request mints a fresh transport, so servers scale horizontally with zero shared in-memory state. 5c82214
- Breaking @silkweave/auth is split: the spec-required resource-server core (bearer-token validation + protected-resource metadata, jose-only) stays at the root, while the OAuth 2.1 authorization-server proxy (PKCE, refresh tokens, CIMD, dynamic client registration) plus the persistence stores move behind the opt-in @silkweave/auth/oauth subpath. A pure resource server no longer pulls the issuer machinery into its graph. 5c82214
- Breaking express and cors are now optional peerDependencies of @silkweave/mcp (needed only for the Express http() server). The transport-agnostic tool-registration and result helpers are re-exported from the express-free @silkweave/mcp/tools subpath, which the web-standard adapters import - so serverless bundles and installs never pull Express. 832100f
- New Resource-server hardening for the 2026 OAuth SEPs: audience binding (RFC 8707), issuer binding (RFC 9207), step-up scope challenges (SEP-2350), and scopes_supported in protected-resource metadata (RFC 9728). 4c0d13d
- New Action linter guardrail: silkweave().start() warns at dev time about agent-hostile action definitions (missing or throwaway descriptions, undescribed input params) - the cheap mistakes that quietly degrade an agent's tool use. Disable with SilkweaveOptions.lint: false. ad52cc9
- New Added a Cloudflare Workers example: stateless MCP + Google Workspace OAuth 2.1 with OAuth state in Cloudflare KV (reusing createRedisStore over a tiny KV adapter, since Workers have no filesystem). Ships with a from-scratch Cloudflare + Google setup guide. 44f5257
- Fixed The edge adapter answers GET/DELETE on the MCP endpoint with 405 in stateless mode, instead of opening a never-closing SSE stream that hangs the request on serverless runtimes (Cloudflare cancelled it as "hung"). 44f5257
-
Slimmer dependency tree - pino dropped entirely, and the CLI proxy no longer leaks into the MCP server path.
- Improved Dropped pino entirely. @silkweave/logger's createLogger() is now a zero-dependency structured logger (JSON lines to a stream, with a level threshold and onLog/onProgress callbacks) - same API, no behaviour change for the stdio/http/vercel adapters. The package's only hard dependency is now zod. 6528d3b
- Improved @silkweave/core no longer depends on @silkweave/logger (it never imported it - the logger reaches actions via context.get('logger')). The @Mcp()/@Trpc() decorator import path in @silkweave/nestjs now pulls neither pino nor @clack/prompts on boot. 6528d3b
- Breaking The cliProxy adapter moved from the @silkweave/mcp root to the dedicated @silkweave/mcp/cli-proxy subpath, so importing the stdio/http servers no longer bundles the CLI client's commander + @clack/prompts. Update imports: import { cliProxy } from '@silkweave/mcp/cli-proxy'. 6528d3b
- Breaking commander and @clack/prompts are now optional peerDependencies of @silkweave/mcp (used only by the CLI proxy). Install them alongside @silkweave/mcp when you use @silkweave/mcp/cli-proxy; MCP server-only installs no longer pull them. @clack/prompts is likewise an optional peer of @silkweave/logger (needed only for createCLILogger()). 6528d3b
-
NestJS reflection gets louder and more precise - and @Res() works over tRPC.
- New Boot-time warning when a @Mcp/@Trpc whole-DTO @Body()/@Query() param reflects no fields. The usual cause is an intersection/union type (e.g. CreateDto & Extra), which TypeScript erases to Object so every DTO field is silently dropped - a ({ input }) override adds fields but does not recover them. The warning names the controller method and param so the footgun is caught at startup instead of as client-side drift. 4f448e5
- New Boot-time warning when a reflected @Trpc output field degrades to unknown/unknown[] (a nested DTO or Dto[] - reflection is one level deep). Explicit @Trpc({ output }) schemas are your own typing and are never flagged. Supply @Trpc({ output }) with a Zod schema for a precise nested shape. 4f448e5
- New @Res() now works over the tRPC transport - @Res({ passthrough: true }) resolves to the real Express response, so a handler can set session cookies/headers. Previously it was undefined on both transports. Over MCP it stays undefined (no HTTP response). 4f448e5
- Improved @Mcp/@Trpc({ input }) now accept a whole z.object({ ... }) (its .shape is unwrapped) in addition to a raw { field: z.type() } shape, and accept a schema from Zod v3 or v4 - a relief for apps already migrated to zod/v4. Override detection is duck-typed, so it does not depend on a shared Zod instance. 4f448e5
- Improved Reflect nullable fields - @ApiProperty({ nullable: true }) (and OpenAPI nullable) map to a .nullable() Zod field (string | null). class-validator has no null signal, so @IsOptional() stays optional-not-nullable. 4f448e5
-
NestJS controllers gain end-to-end-typed tRPC, plus a much lighter install.
- New @Trpc() decorator for @silkweave/nestjs - the tRPC sibling of @Mcp. Expose a controller route as an end-to-end-typed tRPC procedure, reflecting input from the same sources @Mcp uses. Adds precise output types (from @ApiOkResponse({ type }) or @Trpc({ output })), verb-inferred query/mutation kind, and async-generator routes as SSE subscriptions. One method can carry @Mcp + @Trpc + @UseGuards at once. 6b01553
- New trpc() and typegen() NestJS adapters. trpc() mounts httpBatch (query/mutation) + SSE (subscription) on Nest’s HTTP server; guards read the real Express request (cookie/header auth) and denials surface as a TRPCError carrying data.httpStatus. typegen() writes the AppRouter type for createTRPCClient<AppRouter>() on boot. 6b01553
- Improved Lighter install - NestJS adapters now live behind subpath exports (@silkweave/nestjs/mcp, /trpc, /typegen) with their stacks as optional peer dependencies, so an MCP-only app never pulls in @trpc/server and a tRPC-only app never pulls in the MCP SDK. rxjs is now externalized instead of bundled, shrinking the core build from 360KB to 45KB. 6b01553
- Breaking NestJS adapter imports moved to subpaths: import { mcp } from '@silkweave/nestjs/mcp' (likewise /trpc, /typegen) instead of from '@silkweave/nestjs'. The @Mcp/@Trpc decorators and SilkweaveModule stay on the root. Add the adapter package(s) you use - @silkweave/mcp, @silkweave/trpc, @silkweave/typegen - as dependencies. 6b01553
-
A new Next.js App Router adapter joins the family.
- New @silkweave/nextjs - Next.js App Router adapter. defineSilkweave({ actions }) projects one action set onto route handlers: app.mcp() exposes MCP tools for agents and app.trpc() a typed tRPC endpoint for your frontend. Additive, App Router only, no next/react dependency. 1b3dc23
- New NestJS module-wide default result format - SilkweaveModule.forRoot({ defaultResult }) sets the MCP result format for every tool (a per-method @Mcp({ result }) and a client’s _meta.disposition still override it).
-
- New Configurable MCP result format - set @Mcp({ result: 'json' }) (or an action’s disposition) to return compact JSON instead of the default smart embedded-resource output. Clients can still override per call. 1eeab3e
-
- Improved NestJS path-scoped guards now work over MCP - request.params is populated from the route’s path bindings before guards run, so an API-key guard that scopes by :id behaves the same over MCP as over REST. c98f773
-
- New NestJS app-global guards (APP_GUARD / useGlobalGuards) can be opted into MCP tool calls via an explicit allow-list. aff769d
- Fixed MCP tool errors no longer leak stack traces to clients - only a safe message goes on the wire; the full error stays server-side. 34501fe
- Fixed Published packages resolve to build output, while in-repo development keeps using TypeScript source - no rebuild needed for cross-package edits. 29c4581
-
The NestJS adapter is now additive controller reflection - a breaking rework of how Nest routes become MCP tools.
- Breaking Expose existing NestJS controllers as MCP tools by adding a single @Mcp() decorator. Tool name, description, and input schema are reflected from the route + @Param/@Query/@Body + Swagger / class-validator metadata - nothing is re-declared. c66ff63
-
A big release: tRPC, Next.js, the Vercel AI SDK bridge, and REST routing all land.
- New tRPC adapter - every action becomes an end-to-end type-safe procedure via InferTrpcRouter<typeof server>, with a standalone HTTP server and a fetch handler for serverless runtimes. 04ee310
- New NestJS integration - expose NestJS controller and provider methods as MCP tools, REST routes, and tRPC procedures via decorators. aff4e4b
- New @silkweave/ai - bridge useChat to a streaming action over tRPC subscriptions (silkweaveTransport + createChatAction), with an end-to-end Vite + React example. 6582e93
- New REST routing - actions gain method / path / queryParams to map a single input schema across the URL path, query string, and body; NestJS Swagger support included. 4a935e3
- New NestJS async-generator methods stream as tRPC subscriptions. bb20176
-
Initial public release of the Action → Adapter toolkit: MCP stdio/HTTP, CLI, Fastify, Vercel, and auth.
- New Smart tool results - large MCP responses are automatically split into a short text summary plus a base64 embedded resource, keeping the model’s context window lean. 391085a
- New Define an Action once and expose it via multiple adapters: MCP (stdio + Streamable HTTP), CLI, Fastify REST with Swagger, and a stateless Vercel serverless adapter - plus OAuth 2.1 / bearer auth. 20c7d74
-
The original prototype - a proof of concept for defining an Action once and running it across transports.
- New First proof of concept: the Action → Adapter → Silkweave pattern, validating that a single typed operation could be exposed over multiple transports.