rps321321/obsidian-mcp-pro

Production hardening pass ahead of broader adoption. Every mutating path now survives crash/kill mid-flight, vault-wide scans fan out with bounded concurrency, and the HTTP surface exposes the operational primitives (version, rate limiting, CORS allowlist, structured logging) that operators running this in front of real traffic need.

Highlights

• Atomic writes on every mutating tool (create_note, append, prepend, update_frontmatter, canvas mutations). Staged tmp file + rename — crashes, kills, or OOMs mid-write can no longer leave a truncated note. Windows EPERM/EBUSY/EACCES from briefly-locked targets are retried with linear backoff; POSIX surfaces permission errors immediately.
• create_note exclusive mode uses OS-level wx so an out-of-process writer (Obsidian itself, a sync client, a second MCP server) can't slip between the existence check and the write.
• Parallel vault scans. search_notes and the obsidian://tags resource fan out 8-way via mapConcurrent instead of sequentially awaiting each read. Order-of-magnitude latency drops on 10K+ note vaults. Score ties break by path for deterministic output.
• HTTP rate limiting. New --rate-limit=<n> flag — sliding-window per-IP limiter with IPv4-mapped-IPv6 normalization. Returns 429 Too Many Requests + Retry-After: 60. /health and /version are exempt.
• CORS allowlist. New --allow-origin=<csv> flag. Vary: Origin is always set when an allowlist is configured so shared caches never pin one origin's response to another origin's request.
• GET /version endpoint for rollout auditing. /health now also includes the package version.
• HTTP request timeout of 2 minutes for POST only. Long-lived SSE GET streams are exempt so valid idle clients aren't reaped.
• Structured logger with LOG_LEVEL (debug/info/warn/error/silent) and LOG_FORMAT (text/json) env vars. All logs go to stderr — stdio transport on stdout stays protocol-clean.
• Process supervision. uncaughtException exits 1 so systemd/Docker/npx supervisors restart cleanly; unhandledRejection logs without killing the process. CLI-only — library embedders aren't affected.

Fixed

• Data-loss race on concurrent writes: fs.writeFile truncates-then-writes left notes partially written under crash/OOM/kill. Atomic tmp+rename rules this out.
• Windows fs.rename EPERM when another handle has the target open for read — now retried transparently.
• search_notes leaked relative note paths to stderr on read failure. Removed.
• search_notes tie-break was non-deterministic under parallel scan. Stable secondary sort by path.

Docs

• New Usage section with a realistic Claude Desktop transcript showing multi-tool orchestration.
• New Troubleshooting section covering the first issues new users hit.
• --host=0.0.0.0 promoted to a proper [!WARNING] callout with four concrete mitigations.
• Table of contents, consistent heading case, CHANGELOG-backed "What's New" summary.

Tests

• 153 → 173 tests. Covers atomic-write invariants, concurrent-mutation races, cross-process exclusive-create, CORS allowlist + Vary: Origin, per-IP rate limiting, logger levels/modes, and the new endpoints. Test harness now binds to port 0 and reads the real port from httpServer.address() to eliminate the pickPort collision flakes.

Full diff: v1.4.1...v1.5.0