@lcv-ideas-software/cross-review 4.1.0 → 4.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/CHANGELOG.md +52 -0
  2. package/README.md +75 -73
  3. package/dist/scripts/runtime-smoke.js +59 -3
  4. package/dist/scripts/runtime-smoke.js.map +1 -1
  5. package/dist/scripts/smoke.js +58 -0
  6. package/dist/scripts/smoke.js.map +1 -1
  7. package/dist/src/core/config.d.ts +1 -1
  8. package/dist/src/core/config.js +1 -1
  9. package/dist/src/core/session-store.js +7 -9
  10. package/dist/src/core/session-store.js.map +1 -1
  11. package/dist/src/mcp/server.js +101 -7
  12. package/dist/src/mcp/server.js.map +1 -1
  13. package/package.json +3 -3
package/CHANGELOG.md CHANGED
@@ -7,6 +7,58 @@ standard `v00.00.00`; npm package versions remain SemVer.
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [v04.02.00] — 2026-05-17
11
+
12
+ **Minor — bounded MCP session listing and cancellation semantics cleanup.** This
13
+ release addresses the operational findings reported against v4.1.1 while keeping
14
+ the runtime API-only.
15
+
16
+ ### Changed
17
+
18
+ - `session_list` is now paginated and summary-only by default
19
+ (`limit=25`, `max=100`, `offset=0`) and accepts `outcome_filter` plus
20
+ `detail`. This prevents large local histories from producing multi-megabyte
21
+ stdio payloads; callers that need a full session should use `session_read` or
22
+ request a bounded `detail="full"` page explicitly.
23
+
24
+ ### Fixed
25
+
26
+ - `session_cancel_job` no longer terminal-aborts a session when no running job
27
+ matches the request. It now returns `requested=false` with
28
+ `reason="no_running_job_matched"` and leaves the session resumable.
29
+ - `session_init` now honors `response_format="markdown"` instead of falling
30
+ through to JSON serialization.
31
+ - Added smoke/runtime-smoke guards for bounded `session_list`, non-terminal
32
+ no-job cancellation, and the markdown `session_init` response path.
33
+
34
+ ## [v04.01.01] — 2026-05-17
35
+
36
+ **Patch — release the hard-gate cleanup as a published package.** The previous
37
+ hard-gate cleanup was synchronized without a package-version bump; this patch
38
+ formalizes the change as npm package `4.1.1`, preserving the rule that every
39
+ patch shipped to `main` receives a publishable SemVer increment.
40
+
41
+ ### Fixed
42
+
43
+ - Removed the dead global ESLint waiver for
44
+ `@typescript-eslint/no-explicit-any`; strict enforcement already passes on the
45
+ current source tree.
46
+ - Restored README coverage under Prettier by removing the README masks from
47
+ `.prettierignore` and formatting the file instead of hiding the drift.
48
+ - Added smoke coverage that prevents future linter/formatter masking of
49
+ `README.md`, `src/**`, and `scripts/**`, and pins the TypeScript unused-var
50
+ rule as an error.
51
+ - Made `runtime-smoke` polling terminal-outcome aware and increased the polling
52
+ deadline to 60 seconds so slow-but-converged stub sessions are not reported as
53
+ timeouts.
54
+ - Replaced two CodeQL `js/file-system-race` patterns with atomic/file-descriptor
55
+ based flows: session metadata placeholder creation now relies directly on
56
+ `writeFileSync(..., { flag: "wx" })`, and the migration race harness snapshots
57
+ lock state through `openSync` + `fstatSync` on the opened descriptor.
58
+ - Added a scoped StepSecurity suppression for generated `dist/**` artifacts in
59
+ the publish workflow's pre-publish build job, then resolved the existing
60
+ actionable generated-file detections.
61
+
10
62
  ## [v04.01.00] — 2026-05-17
11
63
 
12
64
  **Minor — security hardening of session-store concurrency, write-path