Patch Changes

• 8123b51: Restore Node 18 support by pinning undici to ^6.26.0 and commander to ^13.1.0, which dropped the Node 20+ engine requirements that caused a "File is not defined" crash on startup.

Patch Changes

• cb6aee1: Bump runtime dependencies: commander 13 -> 15 and ora 9.0 -> 9.4.
• 428af3e: Recover Context7 library IDs that Git Bash mangles on Windows. Git Bash rewrites a leading-slash argument like /facebook/react into a Windows path under the Git install dir (C:/Program Files/Git/facebook/react), causing ctx7 docs to reject it as invalid; this mainly affected users running ctx7 through Claude Code. The CLI now detects and undoes the conversion before validation, accepts the //owner/repo escape, and points users at that workaround for install layouts it can't auto-detect.
• c03bc9c: Store CLI files in XDG Base Directory locations instead of ~/.context7. Credentials move to $XDG_CONFIG_HOME/context7 (default ~/.config/context7), updater state to $XDG_STATE_HOME/context7 (default ~/.local/state/context7), and generate previews to $XDG_CACHE_HOME/context7 (default ~/.cache/context7). Existing files in ~/.context7 are migrated automatically on first use; migration is best-effort and falls back to reading the legacy file if it cannot complete. The credentials file is always re-asserted to 0o600 after migration or write so it is never group/world-readable. Relative or empty XDG_* values are ignored per the spec.

Patch Changes

• f327589: Avoid throwing a raw SyntaxError when the server returns a non-JSON error body. HttpClient.request() now wraps the error-path res.json() in a .catch, so non-JSON responses (HTML 502s, plain-text 429s, Cloudflare challenge pages) fall back to res.statusText and always surface as a typed Context7Error.

Minor Changes

• c921c8b: Replace the in-result sign-in nudge with an MCP form elicitation. When the backend signals (via X-Context7-Auth-Prompt: 1) that an anonymous client has crossed the per-IP threshold, the MCP server now fires an elicitation/create request instead of appending instructions into the tool result.
  • Surfaces the npx ctx7 setup --<client> --mcp[ --stdio] -y command in a client-rendered dialog rather than as model-visible text. The previous text-injection approach was treated as untrusted instruction content by some agents; elicitations are delivered out-of-band to the user so they bypass that path entirely.
  • Gated on the client advertising the elicitation capability — clients without it see no nudge, which is a safe no-op.
  • Presents a two-option radio: "I'll run the command to sign in" or "Continue anonymously with smaller limits".
  • The server holds no suppression state: the backend emits the header at most once per MCP session, so the dialog is shown whenever the header is present. Frequency is owned entirely by the backend.
  • Fire-and-forget: the elicitation does not block or alter the surrounding tool response.

Patch Changes

• cb6aee1: Bump runtime dependencies: @modelcontextprotocol/sdk 1.25 -> 1.29, undici 6 -> 7, and zod 4.3 -> 4.4.
• fcdc36e: Advertise empty prompts and resources capabilities with no-op prompts/list, resources/list, and resources/templates/list handlers. Some MCP clients (e.g. opencode) call these unconditionally and treat -32601 Method not found as a fatal connection error rather than honoring the negotiated capabilities, which previously prevented the server from loading.

Patch Changes

• ea91d7d: ctx7 login now always uses the device-code flow. The localhost-callback path is removed — every install (laptop, SSH, Codespace, Docker, CI) goes through the same boxed prompt and verification page. Drops the --device flag (it was the opt-in for what's now the default). Older CLI versions (≤ 0.5.0) continue to work against the unchanged auth endpoints, so pinned installs are unaffected.

Minor Changes

• 5a180d5: Add OAuth 2.0 device authorization flow (RFC 8628) for ctx7 login and ctx7 setup. Required for headless / remote hosts (SSH, Codespaces, Docker, CI) where the existing localhost-callback flow can't work — the browser was opening on the user's laptop while the callback listener ran on the remote host.

  The new flow prints a verification URL and short code, then polls a token endpoint. The user visits the URL on any device, signs in, and approves; the CLI receives the same ctx7sk-… API key it would have gotten from the legacy flow. Device flow is selected automatically when SSH_CONNECTION is set or $DISPLAY is missing on Linux, and can be forced with ctx7 login --device. Polling tolerates transient network errors and 5xx responses without ending the session.

Patch Changes

• 2affada: ctx7 setup now properly supports --antigravity, installing skills to .agent/skills, a GEMINI.md rule section (Antigravity reads Gemini-family config), and MCP config to Antigravity 2.0's documented global path ~/.gemini/config/mcp_config.json (with httpUrl for HTTP, matching the Gemini convention). Antigravity has no documented project-level MCP file, so setup --antigravity --project --mcp writes to the global location. Also removes the --universal flag from setup, which was advertised but silently ignored — it never propagated through agent selection, so passing it (e.g. setup --cli --universal --project) caused setup to fall back to auto-detection and write to the wrong directory.
• 268f52f: ctx7 setup --api-key <KEY> (without --cli, --mcp, or -y) now prompts to choose between MCP server and CLI + Skills modes. Previously, passing --api-key short-circuited to MCP, locking users out of the CLI + Skills option even though that mode also accepts an API key. Explicit --mcp / --cli / --stdio / --oauth / -y still skip the prompt as before.
• 2e97dae: Add deprecation warning to skill commands

Minor Changes

• 1fb2d42: Add multi-tenant Microsoft Entra ID validation for MCP tokens. The server now detects inbound Entra v2 tokens by issuer pattern, fetches per-teamspace configuration (tenantId, audience, requiredScope) from the Context7 app, and verifies the token against the matching tenant's JWKS, enforcing the required scope claim when configured. User resolution happens downstream in the Context7 app against a pre-provisioned user mapping table — the MCP server only validates. Per-tenant JWKS cache and a 5-minute in-memory config cache keyed by JWT audience reduce overhead under load.

Minor Changes

• f91b40c: Initial release. Adds an official Context7 extension for the pi coding agent — registers resolve-library-id and query-docs tools, ships the context7-docs skill, and exposes a /c7-docs slash command. Wire format, error messages, and tool descriptions are copied verbatim from @upstash/context7-mcp so pi and MCP clients give the LLM identical instructions and output. Self-contained — no Context7 runtime dependencies. Works out of the box at IP-based rate limits; set CONTEXT7_API_KEY for the higher tier. Install with pi install npm:@upstash/context7-pi.

Patch Changes

• 7cacc94: Add --json flag to ctx7 skills list for machine-parseable output. Emits { skills: [{ name, path, source }] } where path is absolute and source is the agent type (universal, claude, cursor, antigravity). Matches the existing --json pattern on ctx7 library and ctx7 docs.