@calmo/task-runner 3.7.0 → 3.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/.github/workflows/ci.yml +3 -0
  2. package/.jules/nexus.md +5 -0
  3. package/.jules/sentinel.md +6 -0
  4. package/AGENTS.md +1 -0
  5. package/CHANGELOG.md +16 -0
  6. package/README.md +2 -0
  7. package/coverage/coverage-final.json +8 -7
  8. package/coverage/index.html +20 -20
  9. package/coverage/lcov-report/index.html +20 -20
  10. package/coverage/lcov-report/src/EventBus.ts.html +4 -4
  11. package/coverage/lcov-report/src/TaskGraphValidationError.ts.html +1 -1
  12. package/coverage/lcov-report/src/TaskGraphValidator.ts.html +142 -82
  13. package/coverage/lcov-report/src/TaskRunner.ts.html +94 -79
  14. package/coverage/lcov-report/src/TaskRunnerBuilder.ts.html +1 -1
  15. package/coverage/lcov-report/src/TaskRunnerExecutionConfig.ts.html +1 -1
  16. package/coverage/lcov-report/src/TaskStateManager.ts.html +42 -54
  17. package/coverage/lcov-report/src/WorkflowExecutor.ts.html +56 -47
  18. package/coverage/lcov-report/src/contracts/ErrorTypes.ts.html +103 -0
  19. package/coverage/lcov-report/src/contracts/RunnerEvents.ts.html +1 -1
  20. package/coverage/lcov-report/src/contracts/index.html +23 -8
  21. package/coverage/lcov-report/src/index.html +15 -15
  22. package/coverage/lcov-report/src/strategies/DryRunExecutionStrategy.ts.html +1 -1
  23. package/coverage/lcov-report/src/strategies/RetryingExecutionStrategy.ts.html +5 -5
  24. package/coverage/lcov-report/src/strategies/StandardExecutionStrategy.ts.html +3 -3
  25. package/coverage/lcov-report/src/strategies/index.html +1 -1
  26. package/coverage/lcov.info +361 -332
  27. package/coverage/src/EventBus.ts.html +4 -4
  28. package/coverage/src/TaskGraphValidationError.ts.html +1 -1
  29. package/coverage/src/TaskGraphValidator.ts.html +142 -82
  30. package/coverage/src/TaskRunner.ts.html +94 -79
  31. package/coverage/src/TaskRunnerBuilder.ts.html +1 -1
  32. package/coverage/src/TaskRunnerExecutionConfig.ts.html +1 -1
  33. package/coverage/src/TaskStateManager.ts.html +42 -54
  34. package/coverage/src/WorkflowExecutor.ts.html +56 -47
  35. package/coverage/src/contracts/ErrorTypes.ts.html +103 -0
  36. package/coverage/src/contracts/RunnerEvents.ts.html +1 -1
  37. package/coverage/src/contracts/index.html +23 -8
  38. package/coverage/src/index.html +15 -15
  39. package/coverage/src/strategies/DryRunExecutionStrategy.ts.html +1 -1
  40. package/coverage/src/strategies/RetryingExecutionStrategy.ts.html +5 -5
  41. package/coverage/src/strategies/StandardExecutionStrategy.ts.html +3 -3
  42. package/coverage/src/strategies/index.html +1 -1
  43. package/dist/TaskGraphValidator.d.ts +3 -0
  44. package/dist/TaskGraphValidator.js +33 -26
  45. package/dist/TaskGraphValidator.js.map +1 -1
  46. package/dist/TaskRunner.d.ts +4 -0
  47. package/dist/TaskRunner.js +39 -45
  48. package/dist/TaskRunner.js.map +1 -1
  49. package/dist/TaskStateManager.js +1 -5
  50. package/dist/TaskStateManager.js.map +1 -1
  51. package/dist/TaskStep.d.ts +6 -0
  52. package/dist/WorkflowExecutor.js +2 -0
  53. package/dist/WorkflowExecutor.js.map +1 -1
  54. package/dist/contracts/ErrorTypes.d.ts +6 -0
  55. package/dist/contracts/ErrorTypes.js +7 -0
  56. package/dist/contracts/ErrorTypes.js.map +1 -0
  57. package/dist/contracts/ValidationError.d.ts +2 -1
  58. package/openspec/changes/feat-task-metrics/proposal.md +17 -0
  59. package/openspec/changes/feat-task-metrics/tasks.md +6 -0
  60. package/package.json +14 -3
  61. package/src/TaskGraphValidator.ts +52 -32
  62. package/src/TaskRunner.ts +52 -47
  63. package/src/TaskStateManager.ts +1 -5
  64. package/src/TaskStep.ts +7 -0
  65. package/src/WorkflowExecutor.ts +3 -0
  66. package/src/contracts/ErrorTypes.ts +6 -0
  67. package/src/contracts/ValidationError.ts +10 -1
  68. package/test-report.xml +145 -123
package/.github/workflows/ci.yml CHANGED
@@ -8,6 +8,9 @@ on:
8
8
 
9
9
  jobs:
10
10
  build:
11
+ permissions:
12
+ contents: read
13
+ checks: write
11
14
  runs-on: ubuntu-latest
12
15
 
13
16
  steps:
package/.jules/nexus.md CHANGED
@@ -9,3 +9,8 @@
9
9
 
10
10
  **Insight:** In distributed systems or long-running local scripts, "Retry from scratch" is a naive default. Users fear side effects (double-billing, double-emailing).
11
11
  **Action:** Treating the `TaskResult` map as a portable "Save Game" file transforms the library from a simple runner into a resilient engine. The key is separating "Execution State" (which tasks passed) from "Runtime Context" (variables in memory). By persisting only the former, we avoid the nightmare of serializing closures/sockets while still solving the user's primary pain point: "Don't do the hard work twice."
12
+
13
+ ## 2026-01-17 - Performance Visibility
14
+
15
+ **Insight:** Users' optimization efforts are blind without granular metrics. Users often don't know *which* task is slow, only that the workflow is slow.
16
+ **Action:** Always include telemetry requirements (like start/end times and duration) in execution engine specs to enable data-driven optimization.
package/.jules/sentinel.md CHANGED
@@ -3,3 +3,9 @@
3
3
  **Vulnerability:** Recursive graph traversal (DFS) can lead to Denial of Service via Stack Overflow when processing deep user-supplied graphs.
4
4
  **Learning:** Even with large stack limits, recursion is a risk for user-controlled data structures. Node.js stack size is finite.
5
5
  **Prevention:** Use iterative algorithms with explicit stacks for graph traversal (e.g., cycle detection).
6
+
7
+ ## 2024-05-22 - Mermaid Graph Sanitization Vulnerability
8
+
9
+ **Vulnerability:** The Mermaid graph generation logic in `TaskRunner.getMermaidGraph` used a weak sanitization method (only replacing spaces, colons, and quotes) which allowed special characters like `[]`, `()`, `{}` to pass through. This could result in invalid Mermaid syntax or potentially malicious graph structures if user input controlled task names.
10
+ **Learning:** Blocklists (replacing specific characters) are often insufficient because it's hard to predict all problematic characters.
11
+ **Prevention:** Use strict allowlists (e.g., `/[^a-zA-Z0-9_-]/g`) for identifiers that are used in structured output formats like Mermaid, ensuring only safe characters are included.
package/AGENTS.md CHANGED
@@ -15,6 +15,7 @@ Use `@/openspec/AGENTS.md` to learn:
15
15
  - How to create and apply change proposals
16
16
  - Spec format and conventions
17
17
  - Project structure and guidelines
18
+ - When creating specs or docs, add a prefix "docs:" to your commit to avoid triggering a new module version
18
19
 
19
20
  Keep this managed block so 'openspec update' can refresh the instructions.
20
21
 
package/CHANGELOG.md CHANGED
@@ -1,3 +1,19 @@
1
+ ## <small>3.8.1 (2026-01-21)</small>
2
+
3
+ * fix: Fix missing event emission on task cancellation (#92) ([3d7e7aa](https://github.com/thalesraymond/task-runner/commit/3d7e7aa)), closes [#92](https://github.com/thalesraymond/task-runner/issues/92)
4
+ * refactor: Refactor TaskRunner to reduce cognitive complexity (#89) ([95c67d9](https://github.com/thalesraymond/task-runner/commit/95c67d9)), closes [#89](https://github.com/thalesraymond/task-runner/issues/89)
5
+ * Refactor TaskGraphValidator to address SonarCloud issues (#88) ([77c1538](https://github.com/thalesraymond/task-runner/commit/77c1538)), closes [#88](https://github.com/thalesraymond/task-runner/issues/88)
6
+
7
+ ## 3.8.0 (2026-01-21)
8
+
9
+ * feat: add task priority for concurrency scheduling (#87) ([43bb6b4](https://github.com/thalesraymond/task-runner/commit/43bb6b4)), closes [#87](https://github.com/thalesraymond/task-runner/issues/87) [#74](https://github.com/thalesraymond/task-runner/issues/74)
10
+ * docs: add link to showcase app in README (#85) ([e4c10ca](https://github.com/thalesraymond/task-runner/commit/e4c10ca)), closes [#85](https://github.com/thalesraymond/task-runner/issues/85)
11
+ * docs: add Task Execution Metrics proposal (#86) ([9a9661f](https://github.com/thalesraymond/task-runner/commit/9a9661f)), closes [#86](https://github.com/thalesraymond/task-runner/issues/86)
12
+ * chore: Add guideline for commit prefix 'docs:' ([99635dc](https://github.com/thalesraymond/task-runner/commit/99635dc))
13
+ * chore: Potential fix for code scanning alert no. 1: Workflow does not contain permissions (#78) ([b8fb2b4](https://github.com/thalesraymond/task-runner/commit/b8fb2b4)), closes [#78](https://github.com/thalesraymond/task-runner/issues/78)
14
+ * chore: update package.json description and keywords (#84) ([757b254](https://github.com/thalesraymond/task-runner/commit/757b254)), closes [#84](https://github.com/thalesraymond/task-runner/issues/84)
15
+ * fix:🛡️ Sentinel: Fix Mermaid graph identifier sanitization (#81) ([a8bebe3](https://github.com/thalesraymond/task-runner/commit/a8bebe3)), closes [#81](https://github.com/thalesraymond/task-runner/issues/81)
16
+
1
17
  ## 3.7.0 (2026-01-19)
2
18
 
3
19
  * Merge pull request #82 from thalesraymond/nexus-feature-state-persistence-17975676824428491411 ([1137981](https://github.com/thalesraymond/task-runner/commit/1137981)), closes [#82](https://github.com/thalesraymond/task-runner/issues/82)
package/README.md CHANGED
@@ -7,6 +7,8 @@
7
7
 
8
8
  A lightweight, type-safe, and domain-agnostic task orchestration engine. It resolves a Directed Acyclic Graph (DAG) of steps, executes independent tasks in parallel, and manages a shared context across the pipeline.
9
9
 
10
+ Try the [Showcase App](https://task-runner-mu.vercel.app/) to see the runner in action.
11
+
10
12
  ## Features
11
13
 
12
14
  - **Domain Agnostic**: Separate your business logic ("What") from the execution engine ("How").