Releases: carrilloapps/zefer-cli

v1.3.0

12 Jun 16:57

v1.2.1

10 Jun 00:32

v1.2.0 — Web-parity engine, analyzer & MCP server

05 Jun 23:46

Web-parity release: the CLI now ships the exact same password engine and file-analysis depth as zefer.carrillo.app — plus a built-in MCP server for AI agents.

Added

zefer mcp — MCP server (Model Context Protocol)

Every capability exposed as MCP tools over stdio (newline-delimited JSON-RPC 2.0, dependency-free): zefer_encrypt, zefer_decrypt, zefer_keygen, zefer_analyze_password, zefer_inspect.

  • Auto-detection: launched with no args and piped stdin (how MCP clients spawn servers) → MCP mode; TTY → regular CLI
  • Works installed globally ("command": "zefer", "args": ["mcp"]) or via npx ("command": "npx", "args": ["-y", "zefer-cli", "mcp"])
  • Full integration guide: docs/MCP.md · Web page: https://zefer.carrillo.app/mcp

zefer analyze [password]

Full security report: score, estimated alphabet, max/effective entropy, keyspace, post-quantum entropy, crack times across 4 attack scenarios (10² – 10¹⁵ guesses/s), compliance checks (NIST SP 800-63B, OWASP ≥64 bits, long-term ≥100 bits, AES-128, post-quantum Grover), comparison vs an average human password, and weakness detection.
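Several of the figures this report names (estimated alphabet, maximum entropy, post-quantum entropy under Grover, crack time at the two ends of the 10² to 10¹⁵ guesses/s range, and the 64/100/128-bit thresholds) can be reproduced with a naive charset estimate. The following is an added example, not zefer's code: the pool sizes, the function names, the average-case crack-time model and reading the AES-128 check as ≥128 bits are assumptions.

```javascript
// Added example, not zefer's implementation. Naive charset-based estimate.
// Pool sizes are assumptions: 26 lower, 26 upper, 10 digits, 33 other
// printable ASCII characters (any non-alphanumeric is counted in that pool).
const POOLS = [
  [/[a-z]/, 26],
  [/[A-Z]/, 26],
  [/[0-9]/, 10],
  [/[^a-zA-Z0-9]/, 33],
];

// Estimated alphabet: sum of the pools the password draws from.
function estimateAlphabet(pw) {
  return POOLS.reduce((n, [re, size]) => n + (re.test(pw) ? size : 0), 0);
}

function analyze(pw) {
  const length = [...pw].length; // code points, not UTF-16 units
  const alphabet = estimateAlphabet(pw);
  // Maximum entropy: every character drawn uniformly from the alphabet.
  const maxBits = length === 0 ? 0 : length * Math.log2(alphabet);
  // Grover's search gives a square-root speedup, halving the effective bits.
  const pqBits = maxBits / 2;
  // Average-case search covers half the keyspace (assumed model), in seconds.
  const crackSeconds = (rate) => 2 ** (maxBits - 1) / rate;
  return {
    length, alphabet, maxBits, pqBits,
    secondsAt1e2: crackSeconds(1e2),   // slow end of the page's range
    secondsAt1e15: crackSeconds(1e15), // fast end of the page's range
    checks: {
      owasp64: maxBits >= 64,
      longTerm100: maxBits >= 100,
      aes128: maxBits >= 128, // assumption: parity with a 128-bit key
    },
  };
}

// Constructed sample passwords, for illustration only.
for (const pw of ["password", "Tr0ub4dor&3", "k7#Qz!m2Lp9&Xw4@Rt6^Yb"]) {
  const r = analyze(pw);
  console.log(pw, r.alphabet, r.maxBits.toFixed(1), r.pqBits.toFixed(1), r.checks);
}
```

Maximum entropy is an upper bound that holds only for randomly generated passwords; a human-chosen string such as the first sample resists dictionary-driven guessing far less than its bit count suggests.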

zefer info deep analysis

Structural integrity (chunk-framing walk, corruption/truncation detection), chunk count, estimated content size, ciphertext Shannon entropy, salt/IV hex, file SHA-256, passphrase-resistance table from the file's PBKDF2 iterations, and severity-tagged observations.

zefer keygen web parity

Shared engine with the web app: 7 modes (unicode|secure|alpha|hex|base58|pin|uuid), per-key strength bar + effective bits, and advanced options: --exclude-ambiguous, --exclude <chars>, --require-all, --no-repeats, --group <n>, --sort, --quiet.

Changed

  • Breaking: keygen charsets now match the web app exactly — secure is Latin + symbols + accents (was base64url), alpha is strictly alphanumeric (was ASCII + symbols), unicode uses the curated web pool, and uuid generates UUID v7 (RFC 9562, was v4). Use --quiet for script-friendly output.

Security

  • Updated transitive ws to 8.21.0 — fixes uninitialized memory disclosure (GHSA-58qx-3vcg-4xpx). npm audit: 0 vulnerabilities.

Files created by this CLI remain fully cross-compatible with the web app (same ZEFB3/ZEFR3 format, same crypto parameters).

Full changelog: v1.1.1...v1.2.0

v1.1.1

19 Apr 01:15

Full Changelog: v1.1.0...v1.1.1

v1.1.0 — Standalone binaries + complete script suite

19 Apr 00:52

Added

  • Standalone binaries for all platforms — no Node.js or npm required:
    • zefer-linux-x64, zefer-linux-arm64
    • zefer-macos-x64 (Intel), zefer-macos-arm64 (Apple Silicon)
    • zefer-win-x64.exe
    • checksums.txt (SHA-256 for each binary)
  • Version reads from package.json: zefer --version always reports the correct installed version.
  • Complete npm script suite:
    • build:watch — tsup watch mode for development
    • build:cjs — ESM bundle with all deps inlined (used by binary builder)
    • build:all — builds both ESM (npm) and CJS (binary) bundles
    • build:binary — builds all platform binaries
    • build:binary:linux-x64|linux-arm64|macos-x64|macos-arm64|win-x64 — single platform
    • build:binary:current — builds binary for the current machine only
    • clean — removes dist/ and binaries/
    • verify — typecheck + build + version check (gates npm publish)
    • test — 26-check smoke test suite
    • release:patch|minor|major — bump version (auto-pushes tag via postversion)
    • release:gh — create GitHub release (triggers automated npm publish + binary build)
  • scripts/test.mjs — 26 smoke tests: version, help, all keygen modes, encrypt/decrypt round-trips (text, file, gzip), wrong passphrase, hint/note visibility.
  • scripts/clean.mjs — cross-platform artifact cleanup (no rimraf needed).
  • scripts/release-gh.mjs — creates GitHub release, triggers both publish.yml and binaries.yml.
  • scripts/build-binaries.mjs — now supports --target <id> and --current flags for per-platform builds.
  • package.json best practices — added publishConfig, funding, sideEffects: false, engines.npm.
  • CI updated — uses npm test (26 smoke checks) instead of inline shell commands.

Changed

  • prepublishOnly now runs npm run verify (typecheck + build + version check).
  • dev now uses tsx watch for hot-reload during development.