compound-agent 1.4.2 → 1.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +52 -1
- package/dist/cli.js +634 -46
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +38 -6
- package/dist/index.js.map +1 -1
- package/docs/research/index.md +12 -0
- package/docs/research/security/auth-patterns.md +138 -0
- package/docs/research/security/data-exposure.md +185 -0
- package/docs/research/security/dependency-security.md +91 -0
- package/docs/research/security/injection-patterns.md +249 -0
- package/docs/research/security/overview.md +81 -0
- package/docs/research/security/secrets-checklist.md +92 -0
- package/docs/research/security/secure-coding-failure.md +297 -0
- package/package.json +3 -1
- package/scripts/postinstall.mjs +102 -0
package/CHANGELOG.md
CHANGED
|
@@ -9,6 +9,54 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
9
9
|
|
|
10
10
|
## [Unreleased]
|
|
11
11
|
|
|
12
|
+
## [1.4.4] - 2026-02-23
|
|
13
|
+
|
|
14
|
+
### Added
|
|
15
|
+
|
|
16
|
+
- **Security arc with P0-P3 severity model**: Security-reviewer promoted from generic OWASP checker to mandatory core-4 reviewer with P0 (blocks merge), P1 (requires ack), P2 (should fix), P3 (nice to have) classification
|
|
17
|
+
- **5 on-demand security specialist skills**: `/security-injection`, `/security-secrets`, `/security-auth`, `/security-data`, `/security-deps` -- spawned by security-reviewer via SendMessage within the review AgentTeam for deep trace analysis
|
|
18
|
+
- **6 security reference docs** (`docs/research/security/`): overview, injection-patterns, secrets-checklist, auth-patterns, data-exposure, dependency-security -- distilled from the secure-coding-failure PhD survey into actionable agent guides
|
|
19
|
+
- **Native addon build injection** (`scripts/postinstall.mjs`): Postinstall script auto-patches consumer `package.json` with `pnpm.onlyBuiltDependencies` config for `better-sqlite3` and `node-llama-cpp`. Handles indent preservation, BOM stripping, atomic writes
|
|
20
|
+
- **CLI preflight diagnostics** (`src/cli-preflight.ts`): Catches native module load failures before commands run, prints PM-specific fix instructions (pnpm: 3 options; npm/yarn: rebuild + build tool hints)
|
|
21
|
+
- **`ca doctor` pnpm check**: Verifies `onlyBuiltDependencies` is configured correctly for pnpm projects, recognizes wildcard `["*"]` as valid
|
|
22
|
+
- **Escalation-wiring tests**: 7 new tests verifying security-reviewer mentions all 5 specialists, each specialist declares "Spawned by security-reviewer", P0 documented as merge-blocking, each specialist has `npx ca knowledge` and references correct research doc
|
|
23
|
+
- **better-sqlite3 injection patterns**: Added project-specific `db.exec()` vs `db.prepare().run()` examples to `injection-patterns.md`
|
|
24
|
+
|
|
25
|
+
### Fixed
|
|
26
|
+
|
|
27
|
+
- **Noisy `node-llama-cpp` warnings on headless Linux**: Vulkan binary fallback and `special_eos_id` tokenizer warnings no longer print during `ca search` / `ca knowledge` -- GPU auto-detection preserved via `progressLogs: false` + `logLevel: error`
|
|
28
|
+
- **Resource leak in `isModelUsable()`**: `Llama` and `LlamaModel` instances are now properly disposed after the preflight usability check
|
|
29
|
+
- **Wildcard `onlyBuiltDependencies`**: Doctor and postinstall now recognize `["*"]` as fully configured (no false positive)
|
|
30
|
+
- **Infinity loop marker injection**: `--model` validated against shell metacharacters; grep patterns anchored (`^EPIC_COMPLETE`, `^EPIC_FAILED`) to prevent false-positive matches from prompt echo in logs
|
|
31
|
+
- **Template-to-deployed SKILL.md drift**: Backported all deployed specialist improvements (output fields, collaboration notes, `npx ca knowledge` lines) into source templates so `ca setup --update` no longer regresses
|
|
32
|
+
- **SSRF citations**: 3 OWASP references in `secure-coding-failure.md` corrected from A01 (Broken Access Control) to A10 (SSRF)
|
|
33
|
+
- **Stale verification docs**: Exit criteria updated from 6 to 8 categories (added Security Clear + Workflow Gates); closed-loop review process updated with security check in Stage 4 flowchart
|
|
34
|
+
- **Broken dual-path reference** in `subagent-pipeline.md`: Now documents both `docs/research/security/` (source repo) and `docs/compound/research/security/` (consumer repos)
|
|
35
|
+
- **Incomplete OWASP mapping** in `overview.md`: Completed from 5/10 to 10/10 (added A04, A05, A07, A08, A09)
|
|
36
|
+
|
|
37
|
+
### Changed
|
|
38
|
+
|
|
39
|
+
- **`getLlama()` initialization hardened**: Both call sites (`nomic.ts`, `model.ts`) now pass `build: 'never'` to prevent silent compilation from source on exotic platforms; set `NODE_LLAMA_CPP_DEBUG=true` to re-enable verbose output
|
|
40
|
+
- **Review skill wired to security arc**: P0 added to severity overview, security specialist skills listed as on-demand members, quality criteria include P0/P1 checks
|
|
41
|
+
- **WORKFLOW template**: Severity classification updated from P1/P2/P3 to P0-P3 with "Fix all P0/P1 findings"
|
|
42
|
+
- **Zero-findings instruction**: All 6 security templates (reviewer + 5 specialists) now include "return CLEAR" instruction when no findings detected
|
|
43
|
+
- **Scope-limiting instruction**: `security-injection` prioritizes files with interpreter sinks over pure data/config for large diffs (500+ lines)
|
|
44
|
+
- **Non-web context**: `security-auth` includes step for CLI/API-only projects without web routes
|
|
45
|
+
- **Graceful audit skip**: `security-deps` handles missing `pnpm audit` / `pip-audit` gracefully instead of failing
|
|
46
|
+
|
|
47
|
+
## [1.4.3] - 2026-02-23
|
|
48
|
+
|
|
49
|
+
### Fixed
|
|
50
|
+
|
|
51
|
+
- **Setup reports success when SQLite is broken**: `npx ca setup` now verifies that `better-sqlite3` actually loads after configuring `pnpm.onlyBuiltDependencies`, and auto-rebuilds if needed (escalates from `pnpm rebuild` to `pnpm install + rebuild`)
|
|
52
|
+
- **Misleading error message**: `ensureSqliteAvailable()` no longer suggests "Run: npx ca setup" (which didn't fix the problem); now provides per-package-manager rebuild instructions and build tools hint
|
|
53
|
+
|
|
54
|
+
### Added
|
|
55
|
+
|
|
56
|
+
- **SQLite health check in `ca doctor`**: New check reports `[FAIL]` with fix hint when `better-sqlite3` cannot load
|
|
57
|
+
- **SQLite status in `ca setup --status`**: Shows "OK" or "not available" alongside other status checks
|
|
58
|
+
- **`resetSqliteAvailability()` export**: Allows re-probing SQLite after native module rebuild
|
|
59
|
+
|
|
12
60
|
## [1.4.2] - 2026-02-23
|
|
13
61
|
|
|
14
62
|
### Fixed
|
|
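Review bot: The "Native addon build injection" entry under 1.4.4 "### Added" says the postinstall script auto-patches the consumer's `package.json` with `pnpm.onlyBuiltDependencies` for `better-sqlite3` and `node-llama-cpp`, but it does not say when the file is left untouched or how a consumer can skip the write. An install-time edit to a file outside the package, one that widens which dependencies may run build scripts, is something consumers need to know how to control. Suggest stating the skip conditions and any opt-out in the entry, or saying explicitly that there is none. Separately, "Infinity loop marker injection" (`--model` validated against shell metacharacters) reads as a security fix filed under "### Fixed"; a "### Security" heading would make it visible to readers scanning for security-relevant changes.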
@@ -715,7 +763,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
715
763
|
- Vitest test suite
|
|
716
764
|
- tsup build configuration
|
|
717
765
|
|
|
718
|
-
[Unreleased]: https://github.com/Nathandela/learning_agent/compare/v1.4.
|
|
766
|
+
[Unreleased]: https://github.com/Nathandela/learning_agent/compare/v1.4.4...HEAD
|
|
767
|
+
[1.4.4]: https://github.com/Nathandela/learning_agent/compare/v1.4.3...v1.4.4
|
|
768
|
+
[1.4.3]: https://github.com/Nathandela/learning_agent/compare/v1.4.2...v1.4.3
|
|
769
|
+
[1.4.2]: https://github.com/Nathandela/learning_agent/compare/v1.4.1...v1.4.2
|
|
719
770
|
[1.4.1]: https://github.com/Nathandela/learning_agent/compare/v1.4.0...v1.4.1
|
|
720
771
|
[1.4.0]: https://github.com/Nathandela/learning_agent/compare/v1.3.9...v1.4.0
|
|
721
772
|
[1.3.9]: https://github.com/Nathandela/learning_agent/compare/v1.3.8...v1.3.9
|
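Review bot: The `[1.4.2]` reference line is only added in this hunk, together with `[1.4.3]` and `[1.4.4]`, although the `## [1.4.2]` heading appears as unchanged context earlier in the diff and the old link list went straight from `[Unreleased]` to `[1.4.1]`. The previous release therefore shipped that heading without a link target. Suggest a changelog lint step that fails when a `## [x.y.z]` heading has no matching reference line, so heading and link land in the same release. The compare URLs also point at `Nathandela/learning_agent` while the package is published as `compound-agent`; worth confirming this matches the `repository` field in `package.json`, since consumers use these links to check what changed between versions.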