๐Ÿšจ MCP Publish Hardening โ€” review findings shipped

fix/mcp-publish-hardening ยท closes the 4-agent /ork:review-pr findings on merged #2385 before v8.37.0 tags

The critical: deprecated OCI shape (verified against live registry)


  

Review findings โ†’ fixes

FindingFix here
CRITICAL: registryBaseUrl+version rejected by ValidateOCIcanonical untagged identifier + publish-time tag stamping
CRITICAL: release-please jsonpath targets forbidden fieldextra-file entry removed
HIGH: first GHCR push is born private โ†’ publish failsimage pre-seeded multi-arch (8.36.2+latest) + preflight anonymous-pull check with actionable error
MED: jsonpath silent no-op risktests/manifests/test-server-json.sh (pre-merge invariants)
MED: amd64-only imagebuildx linux/amd64+arm64 in release job
MED: /api-policy.md missing from SERVED_EXACTadded + filesystem drift-guard test
LOW: :latest can move backwardssort -V guard, :latest only on highest tag
LOW: repo-sized build context.dockerignore (src/mcp-server only)
LOW: tag-time Dockerfile discoverydocker-smoke.yml on PR (build + label check)
LOW: relative link + generated header in api-policy.mdboth fixed

Verification

โœ… live registry samplereal OCI entries use tagged identifier, no registryBaseUrl/version
โœ… test-server-json.sh6/6 invariants pass; wired into npm run test:manifests
โœ… docs-site vitest240/240 (10 new: headers, scored claims, link integrity, drift guard)
โœ… tsc --noEmitclean
โœ… actionlintrelease.yml + docker-smoke.yml clean
โœ… docker build with .dockerignorebuilds; both labels verified via inspect
โœ… GHCR pre-seed8.36.2 + latest pushed multi-arch โ€” flip visibility to Public, then v8.37.0 publishes clean