npm - @calmo/task-runner - Versions diffs - 3.7.0 → 3.8.0 - Mend

@calmo/task-runner 3.7.0 → 3.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/.github/workflows/ci.yml +3 -0
package/.jules/nexus.md +5 -0
package/.jules/sentinel.md +6 -0
package/AGENTS.md +1 -0
package/CHANGELOG.md +10 -0
package/README.md +2 -0
package/coverage/coverage-final.json +7 -7
package/coverage/index.html +9 -9
package/coverage/lcov-report/index.html +9 -9
package/coverage/lcov-report/src/EventBus.ts.html +4 -4
package/coverage/lcov-report/src/TaskGraphValidationError.ts.html +1 -1
package/coverage/lcov-report/src/TaskGraphValidator.ts.html +38 -38
package/coverage/lcov-report/src/TaskRunner.ts.html +25 -25
package/coverage/lcov-report/src/TaskRunnerBuilder.ts.html +1 -1
package/coverage/lcov-report/src/TaskRunnerExecutionConfig.ts.html +1 -1
package/coverage/lcov-report/src/TaskStateManager.ts.html +35 -35
package/coverage/lcov-report/src/WorkflowExecutor.ts.html +56 -47
package/coverage/lcov-report/src/contracts/RunnerEvents.ts.html +1 -1
package/coverage/lcov-report/src/contracts/index.html +1 -1
package/coverage/lcov-report/src/index.html +9 -9
package/coverage/lcov-report/src/strategies/DryRunExecutionStrategy.ts.html +1 -1
package/coverage/lcov-report/src/strategies/RetryingExecutionStrategy.ts.html +5 -5
package/coverage/lcov-report/src/strategies/StandardExecutionStrategy.ts.html +3 -3
package/coverage/lcov-report/src/strategies/index.html +1 -1
package/coverage/lcov.info +251 -244
package/coverage/src/EventBus.ts.html +4 -4
package/coverage/src/TaskGraphValidationError.ts.html +1 -1
package/coverage/src/TaskGraphValidator.ts.html +38 -38
package/coverage/src/TaskRunner.ts.html +25 -25
package/coverage/src/TaskRunnerBuilder.ts.html +1 -1
package/coverage/src/TaskRunnerExecutionConfig.ts.html +1 -1
package/coverage/src/TaskStateManager.ts.html +35 -35
package/coverage/src/WorkflowExecutor.ts.html +56 -47
package/coverage/src/contracts/RunnerEvents.ts.html +1 -1
package/coverage/src/contracts/index.html +1 -1
package/coverage/src/index.html +9 -9
package/coverage/src/strategies/DryRunExecutionStrategy.ts.html +1 -1
package/coverage/src/strategies/RetryingExecutionStrategy.ts.html +5 -5
package/coverage/src/strategies/StandardExecutionStrategy.ts.html +3 -3
package/coverage/src/strategies/index.html +1 -1
package/dist/TaskRunner.js +1 -1
package/dist/TaskRunner.js.map +1 -1
package/dist/TaskStep.d.ts +6 -0
package/dist/WorkflowExecutor.js +2 -0
package/dist/WorkflowExecutor.js.map +1 -1
package/openspec/changes/feat-task-metrics/proposal.md +17 -0
package/openspec/changes/feat-task-metrics/tasks.md +6 -0
package/package.json +14 -3
package/src/TaskRunner.ts +1 -1
package/src/TaskStep.ts +7 -0
package/src/WorkflowExecutor.ts +3 -0
package/test-report.xml +139 -123

package/.github/workflows/ci.yml CHANGED Viewed

@@ -8,6 +8,9 @@ on:
 jobs:
   build:
+    permissions:
+      contents: read
+      checks: write
     runs-on: ubuntu-latest
     steps:

package/.jules/nexus.md CHANGED Viewed

@@ -9,3 +9,8 @@
 **Insight:** In distributed systems or long-running local scripts, "Retry from scratch" is a naive default. Users fear side effects (double-billing, double-emailing).
 **Action:** Treating the `TaskResult` map as a portable "Save Game" file transforms the library from a simple runner into a resilient engine. The key is separating "Execution State" (which tasks passed) from "Runtime Context" (variables in memory). By persisting only the former, we avoid the nightmare of serializing closures/sockets while still solving the user's primary pain point: "Don't do the hard work twice."
+## 2026-01-17 - Performance Visibility
+**Insight:** Users' optimization efforts are blind without granular metrics. Users often don't know *which* task is slow, only that the workflow is slow.
+**Action:** Always include telemetry requirements (like start/end times and duration) in execution engine specs to enable data-driven optimization.

package/.jules/sentinel.md CHANGED Viewed

@@ -3,3 +3,9 @@
 **Vulnerability:** Recursive graph traversal (DFS) can lead to Denial of Service via Stack Overflow when processing deep user-supplied graphs.
 **Learning:** Even with large stack limits, recursion is a risk for user-controlled data structures. Node.js stack size is finite.
 **Prevention:** Use iterative algorithms with explicit stacks for graph traversal (e.g., cycle detection).
+## 2024-05-22 - Mermaid Graph Sanitization Vulnerability
+**Vulnerability:** The Mermaid graph generation logic in `TaskRunner.getMermaidGraph` used a weak sanitization method (only replacing spaces, colons, and quotes) which allowed special characters like `[]`, `()`, `{}` to pass through. This could result in invalid Mermaid syntax or potentially malicious graph structures if user input controlled task names.
+**Learning:** Blocklists (replacing specific characters) are often insufficient because it's hard to predict all problematic characters.
+**Prevention:** Use strict allowlists (e.g., `/[^a-zA-Z0-9_-]/g`) for identifiers that are used in structured output formats like Mermaid, ensuring only safe characters are included.

package/AGENTS.md CHANGED Viewed

@@ -15,6 +15,7 @@ Use `@/openspec/AGENTS.md` to learn:
 - How to create and apply change proposals
 - Spec format and conventions
 - Project structure and guidelines
+- When creating specs or docs, add a prefix "docs:" to your commit to avoid triggering a new module version
 Keep this managed block so 'openspec update' can refresh the instructions.

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,13 @@
+## 3.8.0 (2026-01-21)
+* feat: add task priority for concurrency scheduling (#87) ([43bb6b4](https://github.com/thalesraymond/task-runner/commit/43bb6b4)), closes [#87](https://github.com/thalesraymond/task-runner/issues/87) [#74](https://github.com/thalesraymond/task-runner/issues/74)
+* docs: add link to showcase app in README (#85) ([e4c10ca](https://github.com/thalesraymond/task-runner/commit/e4c10ca)), closes [#85](https://github.com/thalesraymond/task-runner/issues/85)
+* docs: add Task Execution Metrics proposal (#86) ([9a9661f](https://github.com/thalesraymond/task-runner/commit/9a9661f)), closes [#86](https://github.com/thalesraymond/task-runner/issues/86)
+* chore: Add guideline for commit prefix 'docs:' ([99635dc](https://github.com/thalesraymond/task-runner/commit/99635dc))
+* chore: Potential fix for code scanning alert no. 1: Workflow does not contain permissions (#78) ([b8fb2b4](https://github.com/thalesraymond/task-runner/commit/b8fb2b4)), closes [#78](https://github.com/thalesraymond/task-runner/issues/78)
+* chore: update package.json description and keywords (#84) ([757b254](https://github.com/thalesraymond/task-runner/commit/757b254)), closes [#84](https://github.com/thalesraymond/task-runner/issues/84)
+* fix:🛡️ Sentinel: Fix Mermaid graph identifier sanitization (#81) ([a8bebe3](https://github.com/thalesraymond/task-runner/commit/a8bebe3)), closes [#81](https://github.com/thalesraymond/task-runner/issues/81)
 ## 3.7.0 (2026-01-19)
 * Merge pull request #82 from thalesraymond/nexus-feature-state-persistence-17975676824428491411 ([1137981](https://github.com/thalesraymond/task-runner/commit/1137981)), closes [#82](https://github.com/thalesraymond/task-runner/issues/82)

package/README.md CHANGED Viewed

@@ -7,6 +7,8 @@
 A lightweight, type-safe, and domain-agnostic task orchestration engine. It resolves a Directed Acyclic Graph (DAG) of steps, executes independent tasks in parallel, and manages a shared context across the pipeline.
+Try the [Showcase App](https://task-runner-mu.vercel.app/) to see the runner in action.
 ## Features
 - **Domain Agnostic**: Separate your business logic ("What") from the execution engine ("How").