claudemd-cli 0.23.20 → 0.23.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +20 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,26 @@ All notable changes to the `claudemd` plugin. This changelog tracks plugin artif
|
|
|
8
8
|
- **Canonical spec version source**: `spec/CLAUDE.md` top-line title (`# AI-CODING-SPEC vX.Y.Z — Core`) + `spec/CLAUDE-changelog.md` top `##` entry.
|
|
9
9
|
- **Plugin semver vs spec semver** are independent: plugin patch (0.2.0 → 0.2.1) may ship when spec is unchanged (this release); plugin minor (0.1.9 → 0.2.0) ships when spec minor updates (v0.2.0 shipped spec v6.10.0).
|
|
10
10
|
|
|
11
|
+
## [0.23.22] - 2026-07-02
|
|
12
|
+
|
|
13
|
+
**Patch — follow-up to v0.23.21 (code review): sync the two remaining dedup-key reference docs + harden the `extra` key against future key-order variance.** Spec content unchanged (stays v6.14.1).
|
|
14
|
+
|
|
15
|
+
### Fixed — two dedup-key reference docs still taught the pre-v0.23.21 4-field model
|
|
16
|
+
|
|
17
|
+
- v0.23.21 extended the `uniqueInvocations` dedup key to `(ts, hook, session_id, tool_use_id, event, extra)` and synced the parse-fn comment + `commands/claudemd-audit.md`, but two other canonical descriptions were left on the old 4-field model — and `scripts/audit.js:70` cross-references the first as authoritative, routing a maintainer straight into the pre-fix "byte-identical multi-emit looks like a bug" misread. Synced both: `hooks/lib/rule-hits.sh:21-25` (the `TOOL_USE_ID` param doc — ships with the plugin) and `docs/RULE-HITS-SCHEMA.md:16` (the `tool_use_id` field row — tracked via the `docs/*` + `!docs/<file>` gitignore allowlist) now carry the 6-field key + the multi-emit "confirm against the source command" caveat. Found by a `superpowers:requesting-code-review` pass on v0.23.21.
|
|
18
|
+
|
|
19
|
+
### Changed — canonicalize `extra` before the dedup key (defensive hardening)
|
|
20
|
+
|
|
21
|
+
- `scripts/lib/rule-hits-parse.js`: the key serialized `extra` with bare `JSON.stringify`, so double-fire detection silently depended on stable key order. Unreachable for `_real` today (every hook emits `extra` from fixed templates / single-key objects; the only multi-key extra — mem-audit `{missing,drift}` — carries a null `tool_use_id` → lands in `_legacy`), but a future multi-key extra on a `tool_use_id`-bearing hook built from an unordered source (`declare -A`) would let a genuine double-fire evade. New `stableExtraKey()` sorts top-level keys before serializing — behavior-preserving on current data (live-log `pre-bash-safety` `duplicate_rows_real` stays 34). Two direct unit tests added in `tests/scripts/rule-hits-parse.test.js` (reordered-key double-fire still collides → 1 unique / 1 `_real`; distinct-extra multi-emit stays separate → 2 / 0); `uniqueInvocations` previously had no unit-level coverage, only via `audit()`. Also noted: the v0.23.21 key extension incidentally narrows `duplicate_rows_legacy` (distinct event/extra rows at a null `tool_use_id` now count as unique — more correct; `_legacy` is documented non-gating noise). Renamed the v0.9.34 audit test title to state what it verifies (byte-identical collapse) instead of over-claiming the full key. Full suite 519 → 521 pass.
|
|
22
|
+
|
|
23
|
+
## [0.23.21] - 2026-07-02
|
|
24
|
+
|
|
25
|
+
**Patch — audit `duplicate_rows_real` over-counted multi-emit hooks as registration double-fires; found by a 30-day /claudemd-audit self-review.** Spec content unchanged (stays v6.14.1).
|
|
26
|
+
|
|
27
|
+
### Fixed — `uniqueInvocations` dedup key mis-counted `pre-bash-safety` multi-emit rows as double-fires
|
|
28
|
+
|
|
29
|
+
- `scripts/lib/rule-hits-parse.js` (`uniqueInvocations`): the v0.9.34 dedup key was `(ts, hook, session_id, tool_use_id)`, but `pre-bash-safety` is a MULTI-EMIT hook — one compound command logs one row per matched pattern (distinct `extra.var`, or mixed `§8-rm-rf-var` + `§8-npx` sections), all four key fields identical across those rows. Every row after the first was therefore counted as `duplicate_rows_real` — the signal `/claudemd-audit` documents as a "registration/lib double-fire bug candidate" — producing 77 phantom `_real` on a 30-day live-log window. Same "an audit red flag can be an artifact" class as the v0.23.20 sentinel-filter fix, different root cause. Fix: include `(event, extra)` in the key. A true double-fire emits BYTE-IDENTICAL rows (same event+extra) and still collides, so detection for single-emit hooks (banned-vocab / ship-baseline / memory-read-check) is preserved. Post-fix on the live log: `pre-bash-safety` `duplicate_rows_real` 77 → 34 — the residual is one command legitimately repeating the SAME pattern (`rm -rf $D/a; rm -rf $D/b`), which telemetry cannot distinguish from a double-registration; a real double-REGISTRATION would double EVERY row (~600/1191), not 34, so the residual is not a bug. Regression test `tests/scripts/audit.test.js` "v0.23.21: multi-emit hook…" pins it (pre-fix `unique_invocations`=3 / `_real`=3, post-fix 5 / 1). Docs synced: `rule-hits-parse.js` header comment + `commands/claudemd-audit.md` field-guard now carry the multi-emit caveat (confirm a `pre-bash-safety` `_real` against the source command before reporting a bug). Full suite: 519 pass + integration green.
|
|
30
|
+
|
|
11
31
|
## [0.23.20] - 2026-06-13
|
|
12
32
|
|
|
13
33
|
**Patch — two telemetry-integrity fixes found by a 7-day /claudemd-audit self-review: ad-hoc debug sentinels polluted audit views, and banned-vocab's bypass event violated its own documented schema.** Spec content unchanged (stays v6.14.1).
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "claudemd-cli",
|
|
3
|
-
"version": "0.23.
|
|
3
|
+
"version": "0.23.22",
|
|
4
4
|
"description": "Standalone CLI for §10-V banned-vocab + transcript scanning. Companion to the claudemd Claude Code plugin (github.com/sdsrss/claudemd) for use in git pre-commit hooks, GitHub Actions, and other agents.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|