@adia-ai/llm 0.4.2 → 0.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +20 -0
- package/README.md +8 -0
- package/llm-bridge.js +20 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
8
8
|
|
|
9
9
|
_No pending changes._
|
|
10
10
|
|
|
11
|
+
## [0.4.4] - 2026-05-12
|
|
12
|
+
|
|
13
|
+
### Ride-along (no source changes)
|
|
14
|
+
|
|
15
|
+
Lockstep PATCH cut alongside `@adia-ai/web-components@0.4.4` (14 yaml gap closures from corpus simplification arc), `@adia-ai/a2ui-runtime@0.4.4` (registry expansion +27 web-modules + renderer kebab-case fix), `@adia-ai/a2ui-compose@0.4.4` (composition-library rename + transpiler `<a>` → Link), `@adia-ai/a2ui-corpus@0.4.4` (corpus simplification arc §36–§51), `@adia-ai/a2ui-mcp@0.4.4` (`get_fragment` tool retirement). Source byte-identical to v0.4.3.
|
|
16
|
+
|
|
17
|
+
Internal `@adia-ai/*` dep ranges stay at `^0.4.0` (patch-cut asymmetry — `^0.4.0` covers `0.4.x` under semver). See root [CHANGELOG.md `## [0.4.4]`](../../../CHANGELOG.md) for the cut narrative.
|
|
18
|
+
|
|
19
|
+
## [0.4.3] - 2026-05-11
|
|
20
|
+
|
|
21
|
+
### Added
|
|
22
|
+
|
|
23
|
+
- **`createAdapter()` browser API-key warn-once** in `llm-bridge.js`. When `IS_BROWSER && apiKey && !window.__adia_llm_key_warning_shown`, emits a one-shot `console.warn` (purple bridge name + amber severity + neutral body) noting that the key will ship in request headers — fine for local dev, **never deploy this shape**. Key masked as `${first8}…${last4}` (e.g. `sk-ant-a…Fiw-`) so the developer can identify *which* key is leaking without re-leaking the full secret. Dedup via `window.__adia_llm_key_warning_shown`. **Rotate at the provider console** if a debug transcript leaves the machine. Convention: every adapter / SDK with browser-side key access should emit a one-shot console warning at construction time.
|
|
24
|
+
|
|
25
|
+
### Ride-along (otherwise byte-identical to v0.4.2)
|
|
26
|
+
|
|
27
|
+
Lockstep PATCH cut alongside `@adia-ai/web-components@0.4.3` (input-ui type=number locale + thousands grouping + hold-to-repeat) + `@adia-ai/a2ui-compose@0.4.3` + `@adia-ai/a2ui-retrieval@0.4.3` (process.env browser-compat fix) + `@adia-ai/a2ui-corpus@0.4.3` (catalog regen + chunks re-harvest with new settings-appearance pattern). Apart from the `llm-bridge.js` addition above, source byte-identical to v0.4.2.
|
|
28
|
+
|
|
29
|
+
Internal `@adia-ai/*` dep ranges stay at `^0.4.0` (patch-cut asymmetry — `^0.4.0` covers `0.4.x` under semver). See root [CHANGELOG.md `## [0.4.3]`](../../CHANGELOG.md) for the cut narrative.
|
|
30
|
+
|
|
11
31
|
## [0.4.2] - 2026-05-11
|
|
12
32
|
|
|
13
33
|
### Ride-along (no source changes)
|
package/README.md
CHANGED
|
@@ -3,6 +3,14 @@
|
|
|
3
3
|
Provider-agnostic LLM client. Three adapters (anthropic / openai / gemini)
|
|
4
4
|
behind a single `chat()` + `streamChat()` facade. Works in browser and Node.
|
|
5
5
|
|
|
6
|
+
## Install
|
|
7
|
+
|
|
8
|
+
```bash
|
|
9
|
+
npm install @adia-ai/llm
|
|
10
|
+
```
|
|
11
|
+
|
|
12
|
+
## Usage
|
|
13
|
+
|
|
6
14
|
```js
|
|
7
15
|
import { chat, streamChat } from '@adia-ai/llm';
|
|
8
16
|
|
package/llm-bridge.js
CHANGED
|
@@ -78,6 +78,26 @@ export async function createAdapter(opts = {}) {
|
|
|
78
78
|
// Resolve API key for the detected provider
|
|
79
79
|
const apiKey = opts.apiKey || getEnv(`${provider.toUpperCase()}_API_KEY`) || getEnv('ANTHROPIC_API_KEY') || getEnv('OPENAI_API_KEY') || getEnv('GOOGLE_API_KEY');
|
|
80
80
|
|
|
81
|
+
// Browser-only safety reminder: when running through the dev-server's
|
|
82
|
+
// passthrough proxy, the API key is sent verbatim in `x-api-key` /
|
|
83
|
+
// `Authorization` headers from the browser. Anyone with DevTools open
|
|
84
|
+
// can read it from the Network panel — fine for local dev, **never**
|
|
85
|
+
// deploy this shape. We log once per session (deduplicated via a
|
|
86
|
+
// window-scoped flag) when a key is present and we're in the browser.
|
|
87
|
+
// Journal entry 2026-05-11 §22 documents the root cause.
|
|
88
|
+
if (IS_BROWSER && apiKey && typeof window !== 'undefined' && !window.__adia_llm_key_warning_shown) {
|
|
89
|
+
window.__adia_llm_key_warning_shown = true;
|
|
90
|
+
const masked = apiKey.length > 12 ? `${apiKey.slice(0, 8)}…${apiKey.slice(-4)}` : '••••';
|
|
91
|
+
console.warn(
|
|
92
|
+
`%c[@adia-ai/llm] %cAPI key in browser:%c ${provider} key (${masked}) will be sent in request headers via the Vite passthrough proxy. ` +
|
|
93
|
+
`Anyone with DevTools access on this dev server can read it. Local-dev only — never deploy this shape. ` +
|
|
94
|
+
`Rotate at the provider console if this transcript leaves your machine.`,
|
|
95
|
+
'color: #a78bfa; font-weight: bold;',
|
|
96
|
+
'color: #f59e0b; font-weight: bold;',
|
|
97
|
+
'color: inherit;'
|
|
98
|
+
);
|
|
99
|
+
}
|
|
100
|
+
|
|
81
101
|
// No key found → fall back to stub
|
|
82
102
|
if (!apiKey) {
|
|
83
103
|
console.warn('LLM Bridge: No API keys found. Using stub adapter.');
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@adia-ai/llm",
|
|
3
|
-
"version": "0.4.
|
|
3
|
+
"version": "0.4.4",
|
|
4
4
|
"description": "Provider-agnostic LLM client \u2014 anthropic / openai / gemini adapters with a unified chat() + streamChat() facade. Used by AdiaUI's chat-shell and the A2UI generation pipeline; works in browser (with proxyUrl) and Node.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"exports": {
|