claudemd-cli 0.23.20 → 0.23.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -8,6 +8,14 @@ All notable changes to the `claudemd` plugin. This changelog tracks plugin artif
8
8
  - **Canonical spec version source**: `spec/CLAUDE.md` top-line title (`# AI-CODING-SPEC vX.Y.Z — Core`) + `spec/CLAUDE-changelog.md` top `##` entry.
9
9
  - **Plugin semver vs spec semver** are independent: plugin patch (0.2.0 → 0.2.1) may ship when spec is unchanged (this release); plugin minor (0.1.9 → 0.2.0) ships when spec minor updates (v0.2.0 shipped spec v6.10.0).
10
10
 
11
+ ## [0.23.21] - 2026-07-02
12
+
13
+ **Patch — audit `duplicate_rows_real` over-counted multi-emit hooks as registration double-fires; found by a 30-day /claudemd-audit self-review.** Spec content unchanged (stays v6.14.1).
14
+
15
+ ### Fixed — `uniqueInvocations` dedup key mis-counted `pre-bash-safety` multi-emit rows as double-fires
16
+
17
+ - `scripts/lib/rule-hits-parse.js` (`uniqueInvocations`): the v0.9.34 dedup key was `(ts, hook, session_id, tool_use_id)`, but `pre-bash-safety` is a MULTI-EMIT hook — one compound command logs one row per matched pattern (distinct `extra.var`, or mixed `§8-rm-rf-var` + `§8-npx` sections), all four key fields identical across those rows. Every row after the first was therefore counted as `duplicate_rows_real` — the signal `/claudemd-audit` documents as a "registration/lib double-fire bug candidate" — producing 77 phantom `_real` on a 30-day live-log window. Same "an audit red flag can be an artifact" class as the v0.23.20 sentinel-filter fix, different root cause. Fix: include `(event, extra)` in the key. A true double-fire emits BYTE-IDENTICAL rows (same event+extra) and still collides, so detection for single-emit hooks (banned-vocab / ship-baseline / memory-read-check) is preserved. Post-fix on the live log: `pre-bash-safety` `duplicate_rows_real` 77 → 34 — the residual is one command legitimately repeating the SAME pattern (`rm -rf $D/a; rm -rf $D/b`), which telemetry cannot distinguish from a double-registration; a real double-REGISTRATION would double EVERY row (~600/1191), not 34, so the residual is not a bug. Regression test `tests/scripts/audit.test.js` "v0.23.21: multi-emit hook…" pins it (pre-fix `unique_invocations`=3 / `_real`=3, post-fix 5 / 1). Docs synced: `rule-hits-parse.js` header comment + `commands/claudemd-audit.md` field-guard now carry the multi-emit caveat (confirm a `pre-bash-safety` `_real` against the source command before reporting a bug). Full suite: 519 pass + integration green.
18
+
11
19
  ## [0.23.20] - 2026-06-13
12
20
 
13
21
  **Patch — two telemetry-integrity fixes found by a 7-day /claudemd-audit self-review: ad-hoc debug sentinels polluted audit views, and banned-vocab's bypass event violated its own documented schema.** Spec content unchanged (stays v6.14.1).
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "claudemd-cli",
3
- "version": "0.23.20",
3
+ "version": "0.23.21",
4
4
  "description": "Standalone CLI for §10-V banned-vocab + transcript scanning. Companion to the claudemd Claude Code plugin (github.com/sdsrss/claudemd) for use in git pre-commit hooks, GitHub Actions, and other agents.",
5
5
  "type": "module",
6
6
  "bin": {