circle-ir-ai 2.8.3 → 2.8.6

package/CHANGELOG.md

@@ -5,6 +5,132 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.8.6] - 2026-06-10
+
+### Fixed
+
+- **#84 postmortem: parse-retry budget was entangled with HTTP retry
+  budget in v2.8.5.** Investigation after the v2.8.5 gemma3:12b
+  benchmark re-run showed an unchanged score (94/120, same 2 parse
+  errors). Inspection of the v2.8.5 verbose trail revealed:
+
+  ```
+  [LLM] JSON parse error (array) — parse-retry 1/1
+  [LLM] Error: This operation was aborted — retry 2/3 in 10s
+  [LLM] JSON parse error (array) — parse-retries exhausted
+  ```
+
+  The `parseRetries` counter in `benchmarks/runners/run-cwe-bench-java.ts`
+  was declared outside the `for (attempt...)` loop and was consumed by
+  the first parse error. When an AbortError subsequently triggered an
+  HTTP retry, the retry consumed an `attempt` slot but did not refresh
+  the parse-retry budget — so the next parse error had no budget left.
+
+  Fix: decoupled the two counters. Converted the loop to `while
+  (attempt <= MAX_RETRIES)` and now only HTTP-retry sites
+  (`attempt++`) consume the HTTP budget. Parse-retry `continue`
+  statements leave `attempt` untouched. Each error type now has its
+  own independent budget (max 4 HTTP attempts + 1 parse retry per
+  call). Maximum loop iterations bounded at 5.
+
+### Notes
+
+- The v2.8.6 gemma3:12b benchmark (re-run 2026-06-10) scored the
+  same 94/120 with 2 parse errors. The retry-logic fix is correct
+  but didn't recover the lost detection because gemma3:12b
+  consistently fails on the same 2 specific prompts under the
+  benchmark's actual conditions (sustained corpus load + cross-file
+  context augmentation). Standalone repros with `num_ctx=32768`
+  succeed 5/5 and 6/6 respectively, indicating the failure is
+  contextual to the runner's full augmented prompt + position in
+  the sequence rather than a logic bug.
+
+- The fix is the right semantic to ship regardless — removes a
+  latent bug from the retry path that would have masked any future
+  retry-recoverable failure.
+
+- For users seeking zero parse errors, recommend `qwen3-coder:30b`
+  (0/113 failures, 91/120 score, ~2x faster per call) over
+  `gemma3:12b` (2/109 failures, 94/120 score).
+
+## [2.8.5] - 2026-06-09
+
+### Fixed
+
+- **#84: CWE-Bench-Java runner produced 2 unrecoverable JSON parse
+  errors with `gemma3:12b`** (and any other local Ollama model) on
+  the 2026-06-09 run. Root cause turned out to be two distinct bugs
+  in `benchmarks/runners/run-cwe-bench-java.ts`:
+
+  **(1) Deterministic context overflow on large files (#118
+  rocketmq).** The Ollama `/v1/chat/completions` (OpenAI-compat)
+  endpoint defaults to `num_ctx=8192` — much smaller than the
+  model's native context window. `AdminBrokerProcessor.java`
+  (2655 lines, ~35K tokens) filled the entire prompt buffer,
+  leaving exactly 1 token for the response ("Okay"). The parser
+  then logged `No JSON found in response`.
+
+  Repro confirmed with `num_ctx∈{8192,16384}` → `eval_count=1`,
+  `num_ctx∈{32768,49152}` → `eval_count≈630`, valid array of 5
+  entries.
+
+  Fix: the runner now sets `options.num_ctx=32768` for any
+  `localhost:11434` / `127.0.0.1:11434` base URL. Honors
+  `LLM_OLLAMA_NUM_CTX` override for users with smaller VRAM or
+  models that don't support 32K (rare). 32K covers every file
+  in CWE-Bench-Java; gemma3:12b / qwen3-coder:30b / llama3 all
+  support 32K natively in <10GB VRAM.
+
+  **(2) Transient temp=0 stochasticity on tiny files (#109
+  spring-security).** `DefaultHttpFirewall.java` is 68 lines and
+  the parse error did NOT reproduce on 3 fresh repro attempts —
+  diagnosed as KV-cache / batch-grouping non-determinism that
+  surfaces at ~1% rate even with `temperature=0`.
+
+  Fix: added a single retry on any JSON parse failure
+  (`PARSE_ERR_ARRAY`, `PARSE_ERR_OBJECT`, `NO_JSON`). One retry
+  is sufficient because the failure is non-deterministic; a
+  second consecutive failure indicates a real prompt/model
+  problem worth recording as `parseError` in stats. Adds at
+  most ~1% extra LLM calls in the worst case, ~0 in the
+  common case.
+
+  Together these fixes should drop gemma3:12b's failure rate
+  from 2/109 (1.8%) to ~0/109. Smoke-tested on #118 only —
+  full re-run will happen on next benchmark cycle.
+
+  New env var: `LLM_OLLAMA_NUM_CTX` (integer, defaults to
+  32768). Only consulted when the LLM base URL is local
+  Ollama.
+
+## [2.8.4] - 2026-06-09
+
+### Fixed
+
+- **#72: benchmark runners ignored externally-set env vars (e.g.
+  `LLM_ENRICHMENT_MODEL`).** Symptom: `LLM_ENRICHMENT_MODEL=gpt-oss-120b
+  npm run benchmark:cwe` silently used whatever value was in the local
+  `.env` instead — masking LLM uplift in CWE-Bench-Java runs and
+  producing static-only numbers when the user had explicitly requested
+  an LLM model on the command line.
+
+  Root cause: 4 benchmark runners loaded `.env` via `dotenv.config()`
+  with its default `override: true` behavior, so `.env` clobbered any
+  pre-existing `process.env` value (the opposite of POSIX
+  precedence).
+
+  Fix: pass `{ override: false }` in all four call sites:
+  - `benchmarks/runners/run-cwe-bench-java.ts`
+  - `benchmarks/runners/run-all-benchmarks-parallel.ts`
+  - `benchmarks/instruction-safety/run-benchmark.ts`
+  - `benchmarks/skills/run-skills-benchmark.ts`
+
+  External env vars (CLI invocation, exported shell vars) now win;
+  `.env` is consulted only for keys not already set. `circle-pack`'s
+  `src/api/server.ts` is intentionally left as-is — different threat
+  model (production REST server where `.env` is the canonical config
+  source).
+
 ## [2.7.19] - 2026-05-28
 
 ### Versioning policy

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.8.3",
+  "version": "2.8.6",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",