iris-eval/mcp-server

v0.4.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 1mo MCP Developer Tools
✓ No known CVEs patched

Topics

agent-evaluation ai-agent claude eval evaluation llm
mcp mcp-server model-context-protocol observability security distributed-tracing

Affected surfaces

deps

Summary

AI summary

Added SPDX SBOMs, npm provenance signatures, and cosign‑signed Docker images for supply‑chain transparency.

Full changelog

Supply-chain transparency

  • SBOMs: iris-npm-sbom.spdx.json + iris-docker-sbom.spdx.json (attached below). Both are SPDX 2.3 JSON and cover direct + transitive dependencies.
  • npm provenance: published with --provenance (verifiable via npm audit signatures or on the package page).
  • Docker signature: image signed with cosign keyless (Sigstore). Verify with:
    cosign verify ghcr.io/iris-eval/mcp-server:v0.4.0 \
      --certificate-identity-regexp='https://github.com/iris-eval/mcp-server' \
      --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
    
  • Build attestation: both the npm SBOM and Docker image manifest carry GitHub-signed build-provenance attestations. Inspect with gh attestation verify or cosign verify-attestation.

Full Changelog: https://github.com/iris-eval/mcp-server/compare/v0.3.1...v0.4.0
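
An added example, not part of the iris-eval release notes: the identity pattern in the cosign command above has no anchors, so (assuming cosign applies it as an unanchored Go regular expression search) it also accepts certificate identities from any other iris-eval repository whose name starts with mcp-server. The script compares it with an anchored variant over constructed identities; the workflow file names and the mcp-server-mirror repository are hypothetical, and grep -E stands in for cosign's matcher.

```bash
#!/usr/bin/env bash
# Added example: compare the identity pattern from the verify command
# with an anchored variant. Runs offline; cosign is never invoked here.

# Pattern exactly as given in the release notes.
PAGE_PATTERN='https://github.com/iris-eval/mcp-server'
# Anchored variant: ^ pins the start, dots are escaped, and the trailing /
# ends the repository name so "mcp-server-<suffix>" cannot match.
ANCHORED_PATTERN='^https://github\.com/iris-eval/mcp-server/'

# Constructed certificate identities (workflow file names are hypothetical).
GENUINE='https://github.com/iris-eval/mcp-server/.github/workflows/release.yml@refs/tags/v0.4.0'
SIBLING_REPO='https://github.com/iris-eval/mcp-server-mirror/.github/workflows/build.yml@refs/heads/main'

# identity_matches PATTERN IDENTITY
# Succeeds if PATTERN is found anywhere in IDENTITY (unanchored search,
# the behaviour assumed for --certificate-identity-regexp).
identity_matches() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# count_accepted PATTERN
# Prints how many of the constructed identities the pattern accepts.
count_accepted() {
  n=0
  for id in "$GENUINE" "$SIBLING_REPO"; do
    if identity_matches "$1" "$id"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# verify_image: the page's command with the anchored pattern swapped in.
# Defined for reference only; call it on a machine with cosign and network.
verify_image() {
  cosign verify ghcr.io/iris-eval/mcp-server:v0.4.0 \
    --certificate-identity-regexp="$ANCHORED_PATTERN" \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
}

echo "page pattern accepts:     $(count_accepted "$PAGE_PATTERN") of 2 identities"
echo "anchored pattern accepts: $(count_accepted "$ANCHORED_PATTERN") of 2 identities"
```

The same anchored pattern can also be tightened to a specific workflow file and tag ref once those are known from the repository.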

About iris-eval/mcp-server

MCP-native agent evaluation and observability server with trace logging, output quality evaluation, cost tracking, 12 built-in eval rules, real-time dashboard, and PII detection.
