@lcv-ideas-software/cross-review 4.0.1 → 4.0.2

package/CHANGELOG.md

@@ -7,6 +7,70 @@ standard `v00.00.00`; npm package versions remain SemVer.
 
 ## [Unreleased]
 
+## [v04.00.02] — 2026-05-15
+
+**Patch — Codex second-pass audit close-out (6 findings).** v4.0.1 closed 8
+findings from the first Codex parecer; this v4.0.2 closes 6 additional
+items the second parecer flagged. None affects runtime semantics.
+
+### Fixed
+
+- **AUDIT-1 (MEDIUM) — lockfile version drift.** v4.0.1 bumped
+  `package.json` to `4.0.1` but the lockfile root `.version` and
+  `.packages[""].version` stayed at `4.0.0` (the `npm install` ran
+  during v4.0.0 captured deps, then the version bump didn't trigger a
+  re-resolve). Full reinstall this release brings the lockfile back to
+  the current `package.json` version. **Plus: new anti-drift smoke
+  marker `package_version_consistency_test`** asserts the four
+  equalities `pkg.name === pkg-lock.name`, `pkg-lock.name ===
+"@lcv-ideas-software/cross-review"`, `pkg.version === pkg-lock.version`,
+  `pkg.version === pkg-lock.packages[""].version`. Any future version
+  bump that forgets the `npm install` re-resolve fails smoke loudly
+  instead of slipping through to publish.
+- **AUDIT-2 (MEDIUM) — model-selection wording aligned with no-fallback
+  policy.** Both `docs/model-selection.md` and `src/peers/model-selection.ts`
+  were still describing "automatic model selection", "priority list",
+  and "documented fallback" — terms from the pre-v3.7.2 multi-model era.
+  The runtime has used canonical pins (one model per peer, no auto-chain)
+  since v3.7.2 (operator directive "sem fallback é sem fallback").
+  Updated docs + the `selected/candidates/reason` messages in
+  `selectFromCandidates`, `overrideSelection`, and the no-API-key
+  path to use canonical-pin language consistently. The `confidence`
+  classification logic is unchanged.
+- **AUDIT-3 (LOW) — SECURITY.md stub wording.** The doc said
+  `CROSS_REVIEW_STUB=1` alone is "ignored"; the code at
+  `src/peers/registry.ts:36-44` actually throws an explicit error
+  referencing the missing confirmation flag. Updated wording to
+  "rejected fail-fast" to match runtime behavior.
+- **AUDIT-4 (LOW) — README MCP tools list completed.** The README
+  Section listing the available tools had 22 entries; the runtime
+  exposes 28. Added the 6 missing tools:
+  `session_evidence_checklist_update`,
+  `session_evidence_judge_pass`,
+  `session_evidence_judge_consensus_pass`,
+  `session_judgment_precision_report`,
+  `contest_verdict`,
+  `regenerate_caller_tokens`.
+- **AUDIT-5 (LOW) — `docs/architecture.md` rename event.** The "Stable
+  Rename" section said the rename to `cross-review` happened at
+  `2.1.0`; the actual event is v4.0.0 on 2026-05-15 (this rename ship).
+  Rewrote the section to record v4.0.0 as the rename event and note
+  that prior names live only in dated changelog and memory.
+- **AUDIT-6 (MEDIUM) — StepSecurity post-rename detections triaged.**
+  Two new org-level suppression rules created:
+  (a) `Source-Code-Overwritten` for `*/dist/*` in
+  `.github/workflows/publish.yml` under the `Pre-publish gate (test +
+metadata)` job for repo `cross-review` (the prior cross-review-v2
+  rules no longer match after rename); (b)
+  `Action-Uses-Commit-From-Non-Default-Branch` for
+  `github/codeql-action*` (GitHub's release-branch model — tagged
+  versions cut from `releases/vN` not from default branch are
+  intended/audited by GitHub Security; rejecting would force less
+  secure tag-based usage). Plus 20 existing detections (19
+  Source-Code-Overwritten dist/\* + 1 codeql-action SHA) suppressed
+  per-detection via `update_detection_status` with rule-id citations
+  in the suppress reason.
+
 ## [v04.00.01] — 2026-05-15
 
 **Patch — close-out of post-v4.0.0 audit (eight surfaces left stale by the

package/README.md

@@ -193,7 +193,13 @@ these environment variables before running real sessions (example):
 - `session_report`
 - `session_check_convergence`
 - `session_attach_evidence`
+- `session_evidence_checklist_update`
+- `session_evidence_judge_pass`
+- `session_evidence_judge_consensus_pass`
+- `session_judgment_precision_report`
+- `contest_verdict`
 - `escalate_to_operator`
+- `regenerate_caller_tokens`
 - `session_sweep`
 - `session_finalize`
 

package/SECURITY.md

@@ -37,7 +37,7 @@ This repository employs:
 
 - **Multi-host concurrency.** Running two MCP host instances of `cross-review` against the same `CROSS_REVIEW_DATA_DIR` is **not supported**. The per-session lock has TTL + PID-liveness fallbacks that close the common cases but leave a narrow TOCTOU window when two hosts contend for the same session. If you need multi-host operation, point each instance at a distinct `CROSS_REVIEW_DATA_DIR` (introduced in v2.0; tilde expansion since v2.4.0) or share one host across all clients.
 - **API keys in memory.** `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GEMINI_API_KEY`, `DEEPSEEK_API_KEY` are loaded into `AppConfig.api_keys` at boot. The persistence layer redacts secrets via [`redact()`](./src/security/redact.ts) before any meta.json/event log write, but the in-memory object is not opaque — do not log `config` directly. Stack traces from SDK errors are passed through `safeErrorMessage()` which redacts known key shapes.
-- **Stub adapters.** `CROSS_REVIEW_STUB=1` alone is **ignored** since v2.4.0. To activate stubs, also set `NODE_ENV=test` OR `CROSS_REVIEW_STUB_CONFIRMED=1`. This double-confirmation prevents a stray dotenv variable from invalidating a cross-review used as a pre-commit gate.
+- **Stub adapters.** `CROSS_REVIEW_STUB=1` alone is **rejected fail-fast** since v2.4.0 — boot throws an explicit error referencing the missing confirmation flag, rather than silently demoting to real adapters. To deliberately activate stubs, set BOTH `CROSS_REVIEW_STUB=1` AND one of `NODE_ENV=test` OR `CROSS_REVIEW_STUB_CONFIRMED=1`. The double-confirmation prevents a stray dotenv variable from invalidating a cross-review used as a pre-commit gate.
 - **Dashboard HTTP.** The dashboard binds only to `127.0.0.1`. There is no authentication or rate-limit; same-machine processes can read all session metadata, costs and report markdown. Do not expose the dashboard port over a network without an authenticating reverse proxy.
 - **Untrusted callers.** The MCP `tools/list` schemas enforce per-field caps (`maxLength`, `pattern`) since v2.4.0 to defend against memory-exhaustion attempts via oversized `task`/`draft`/`prompt`. The trust boundary still assumes a cooperative caller — do not expose the stdio transport over a network socket without an authenticating proxy.
 - **Untrusted peers.** Peer streaming responses are capped at 16 MiB per call (`STREAM_TEXT_MAX_BYTES` since v2.4.0). The structured `<cross_review_status>` payload is rejected as malformed when it exceeds 64 KiB before `JSON.parse` runs.

package/dist/scripts/smoke.js

@@ -6120,6 +6120,30 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
     assert.ok(/pruneCorruptSessions\(minAgeMs: number\): \{ scanned: number; removed: number; kept: number \}/.test(storeSrcB1), "v3.7.5 / B1: store.pruneCorruptSessions must declare the {scanned, removed, kept} shape");
     console.log("[smoke] session_sweep_prune_corrupt_test: PASS");
 }
+// v4.0.2 (AUDIT-1, Codex audit close-out 2026-05-15): anti-drift check
+// that `package.json.version` === `package-lock.json.version` ===
+// `package-lock.json.packages[""].version`. The v4.0.1 ship bumped
+// package.json without re-running `npm install`, so the lockfile root
+// versions stayed at `4.0.0` while package.json said `4.0.1`. Codex's
+// audit caught it. This marker pins the consistency invariant so any
+// future bump that forgets to regenerate the lockfile fails smoke
+// loudly instead of slipping through to publish.
+{
+    const pjPath = path.join(process.cwd(), "package.json");
+    const plPath = path.join(process.cwd(), "package-lock.json");
+    const pj = JSON.parse(fs.readFileSync(pjPath, "utf8"));
+    const pl = JSON.parse(fs.readFileSync(plPath, "utf8"));
+    const pjVer = pj.version;
+    const plRootVer = pl.version;
+    const plPackagesRootVer = pl.packages?.[""]?.version;
+    assert.equal(plRootVer, pjVer, `v4.0.2 / AUDIT-1: package-lock.json root .version (${plRootVer}) must equal package.json .version (${pjVer}); run \`npm install\` after bumping the version.`);
+    assert.equal(plPackagesRootVer, pjVer, `v4.0.2 / AUDIT-1: package-lock.json packages[""].version (${plPackagesRootVer}) must equal package.json .version (${pjVer}); run \`npm install\` after bumping the version.`);
+    // Also verify package.json `name` matches the new canonical name; if
+    // the rename ever needs to happen again, this fails fast.
+    assert.equal(pj.name, "@lcv-ideas-software/cross-review", `v4.0.2 / AUDIT-1: package.json .name must be "@lcv-ideas-software/cross-review" (post-v4.0.0 rename); got "${pj.name}".`);
+    assert.equal(pl.name, "@lcv-ideas-software/cross-review", `v4.0.2 / AUDIT-1: package-lock.json .name must be "@lcv-ideas-software/cross-review"; got "${pl.name}".`);
+    console.log("[smoke] package_version_consistency_test: PASS");
+}
 // v2.6.1 NOTE: smoke coverage for `peer.fallback.budget_blocked` and
 // `peer.moderation_recovery.budget_blocked` is intentionally NOT
 // included. These two gates use the same arithmetic shape as preflight