een-api-toolkit 0.3.67 → 0.3.70

package/CHANGELOG.md

@@ -2,138 +2,83 @@
 
 All notable changes to this project will be documented in this file.
 
-## [0.3.67] - 2026-02-08
+## [0.3.70] - 2026-02-10
 
 ### Release Summary
 
-#### PR #91: feat: E2E runner script, release summary fix, agent updates
+#### PR #102: Release v0.3.69: CI improvements and dependency management
 ## Summary
-
-- **feat:** Add `scripts/run-examples-e2e.sh` that dynamically discovers all example apps and runs Playwright E2E tests sequentially with port 3333 cleanup between runs
-- **fix:** Fix npm-publish workflow race condition where Release Summary was always empty — replaced `git log --merges` (which failed when checked-out develop commit didn't have production merge commits as ancestors) with `gh pr list --base production --state merged` via GitHub API
-- **fix:** Update PR-and-check skill to fetch all tags (`git fetch origin --tags`), check for in-progress release workflows before proceeding, use `npm run test:e2e:examples` script, and set 20-minute E2E timeout
-- **chore:** Update docs-accuracy-reviewer to also verify skills and agent files against actual implementations
-- **chore:** Set sonnet model for test-runner and docs-accuracy-reviewer agents
-- **fix:** Correct inaccuracies in een-auth, een-devices, een-media, een-users agent files
-
-## Version
-
-`0.3.62`
+- Dynamic E2E test matrix discovery (auto-detects example apps with `playwright.config.ts`)
+- Added missing `vue-jobs` to CI E2E testing
+- Dependabot configuration for automated dependency updates
+- Pinned GitHub Actions to immutable commit SHAs for supply chain security
 
 ## Commits
-
-- `6df59c8` chore: Set 20-minute timeout for example E2E tests in PR skill
-- `fce1f9e` feat: Add E2E runner script, fix release PR summaries, update agents
+- `474e9bb` ci: Dynamically discover example apps for E2E matrix
+- `ad3f318` fix: pin GitHub Actions to immutable commit SHAs
+- `cc706d8` chore: add Dependabot configuration for automated dependency updates
+- `24a385b` Merge PR #95 (workflow SHA pinning security fix)
 
 ## Test Results
-
-| Check | Result |
-|-------|--------|
-| Lint | Passed |
-| Unit Tests | 600 passed (22 files) |
-| Build | Passed |
-| vue-alerts-metrics E2E | 20 passed |
-| vue-automations E2E | 24 passed |
-| vue-bridges E2E | 18 passed |
-| vue-cameras E2E | 41 passed |
-| vue-event-subscriptions E2E | 15 passed |
-| vue-events E2E | 16 passed |
-| vue-feeds E2E | 12 passed |
-| vue-jobs E2E | 34 passed |
-| vue-layouts E2E | 14 passed |
-| vue-media E2E | 20 passed |
-| vue-users E2E | 14 passed (passed on retry, transient OAuth callback timeout) |
-| **Total E2E** | **228 passed across 11 apps** |
+- **Lint**: Passed (0 errors, 1 warning)
+- **Unit tests**: 619/619 passed
+- **Build**: Successful
+- **E2E tests**: 11/11 example apps passed (1 transient OAuth timeout on vue-users, passed on rerun)
 
 ## Security Review
+Changes are CI/infrastructure only (workflow files, dependabot config). No source code changes. No security vulnerabilities.
 
-No security concerns. Changes are limited to:
-- Shell script for test orchestration (no user input, runs locally)
-- GitHub Actions workflow fix (uses `gh` CLI with existing `GH_TOKEN`)
-- Documentation/agent file corrections (markdown only)
-- No new dependencies, no API changes, no auth flow changes
-
-🤖 Generated with [Claude Code](https://claude.com/claude-code)
-
-#### PR #92: Release v0.3.66 - GitHub Issues Resolution & vue-feeds Fix
-## Release v0.3.66
-
-This PR merges develop into production with GitHub issue resolutions, automation improvements, and critical bug fixes.
-
-### Summary
-
-- Resolved all 7 open GitHub issues
-- Automated event data schemas documentation generation
-- Fixed vue-feeds navigation reactivity issue
-- Added camera utility functions
-- Improved accessibility with aria-labels
-
-### Changes
-
-**Closed Issues:**
-- ✅ #84 - Added aria-label to JSON viewer button for screen reader accessibility
-- ✅ #70 - Implemented getCameraStatusString() utility function
-- ✅ #71 - Implemented isStatusObject() TypeScript type guard
-- ✅ #87 - Documented auto-generated vs manually maintained files
-- ✅ #89 - Fully automated event data schemas documentation generation
-- ❌ #85 - Closed as won't-do (JSON viewer E2E tests)
-- ❌ #76 - Closed as won't-do (datetime persistence test timezone)
-
-**New Features:**
-- `src/utils/camera.ts` - Camera status utility functions with full JSDoc
-- `scripts/generate-event-data-schemas-doc.ts` - Auto-generates AI-EVENT-DATA-SCHEMAS.md from TypeScript source
-- CLAUDE.md documentation section explaining auto-generated vs manual files
-
-**Bug Fixes:**
-- Fixed vue-feeds navigation not appearing after OAuth login (computed property for reactivity)
-- Updated all example app READMEs with accurate function lists
-
-### Test Results
-
-**✅ Passed (8 of 11 apps - 148 tests):**
-- vue-alerts-metrics: 20 tests
-- vue-automations: 24 tests  
-- vue-bridges: 13 tests
-- vue-event-subscriptions: 15 tests
-- vue-events: 16 tests
-- **vue-feeds: 12 tests** ✅ (Main fix verified)
-- vue-jobs: 34 tests
-- vue-users: 14 tests
-
-**Note:** 3 apps failed due to OAuth rate limiting (vue-cameras) and test config issues (vue-layouts, vue-media) - not related to code changes.
-
-### Security Review
+## Version
+`v0.3.69`
 
-✅ Security review completed - No vulnerabilities found
-- All file operations use safe path handling
-- No command injection risks
-- Regex patterns safe from ReDoS
-- Vue components follow framework security best practices
+#### PR #94: Release v0.3.69: SSRF protection fix with test coverage
+## Summary
+- Merges security fix from PR #93 (SSRF domain validation in `initMediaSession`)
+- Fixes broken unit tests caused by the domain validation (updated test domains from `example.com` to `eagleeyenetworks.com`)
+- Adds 2 new unit tests for domain validation coverage (untrusted domain rejection, `een.cloud` acceptance)
 
-### Version
+## Commits
+- `22aed68` Fix AUTH_BYPASS vulnerability in initMediaSession()
+- `b6d21d1` fix: Update media tests for SSRF domain validation and add coverage
 
-v0.3.66 (auto-incremented from 0.3.64 via Husky pre-commit hooks)
+## Test Results
+- **Lint**: Passed (1 warning, 0 errors)
+- **Unit tests**: 619/619 passed
+- **Build**: Successful (v0.3.69)
+- **E2E tests**: 11/11 example apps passed
 
----
+## Security Review
+The only source code change is the SSRF protection in `src/media/service.ts` which validates session URLs against allowed domains (`.eagleeyenetworks.com`, `.een.cloud`). This is a security improvement with no new vulnerabilities.
 
-Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
+## Version
+`v0.3.69`
 
 
 ### Detailed Changes
 
-#### Features
-- feat: Resolve all open GitHub issues with automation and utilities
-
 #### Bug Fixes
-- fix: Add computed property for auth reactivity in vue-feeds example
+- fix: Address code review concerns for PR #102
+- fix: Revert TypeScript to ~5.8.0 and block minor bumps in Dependabot
+- fix: Revert eslint to v9 for typescript-eslint compatibility
+- fix: pin GitHub Actions to immutable commit SHAs
 
 #### Other Changes
-- docs: Address code review feedback for camera utilities
-- docs: Update example app READMEs to accurately list all toolkit functions used
+- docs: Address minor review concerns for PR #102
+- docs: Fix documentation inaccuracies and regenerate API docs
+- chore(deps): bump github/codeql-action from 3.32.2 to 4.32.2
+- chore: Ignore eslint major version bumps in Dependabot
+- chore(deps-dev): bump the npm-dependencies group with 18 updates
+- chore(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0
+- chore(deps): bump anthropics/claude-code-action
+- chore(deps): bump github/codeql-action
+- chore(deps): bump actions/setup-node from 4.4.0 to 6.2.0
+- chore(deps): bump actions/checkout from 4.3.1 to 6.0.2
+- chore: add Dependabot configuration for automated dependency updates
+- ci: Dynamically discover example apps for E2E matrix
 
 ### Links
 - [npm package](https://www.npmjs.com/package/een-api-toolkit)
-- [Full Changelog](https://github.com/klaushofrichter/een-api-toolkit/compare/v0.3.63...v0.3.67)
+- [Full Changelog](https://github.com/klaushofrichter/een-api-toolkit/compare/v0.3.69...v0.3.70)
 
 ---
-*Released: 2026-02-08 17:32:38 CST*
+*Released: 2026-02-10 21:07:19 CST*

package/README.md

@@ -215,6 +215,8 @@ The `examples/` directory contains complete Vue 3 applications demonstrating too
 | **[vue-events](./examples/vue-events/)** | Event listing with bounding box overlays | `listEvents()`, `listEventTypes()`, `listEventFieldValues()`, `getRecordedImage()` |
 | **[vue-alerts-metrics](./examples/vue-alerts-metrics/)** | Event metrics, alerts, and notifications dashboard | `getEventMetrics()`, `listAlerts()`, `listAlertTypes()`, `listNotifications()` |
 | **[vue-event-subscriptions](./examples/vue-event-subscriptions/)** | Real-time event streaming with SSE | `listEventSubscriptions()`, `createEventSubscription()`, `deleteEventSubscription()`, `connectToEventSubscription()` |
+| **[vue-automations](./examples/vue-automations/)** | Automation rules and alert actions | `listEventAlertConditionRules()`, `listAlertConditionRules()`, `listAlertActionRules()`, `listAlertActions()` |
+| **[vue-jobs](./examples/vue-jobs/)** | Job management, exports, and file downloads | `listJobs()`, `getJob()`, `createExportJob()`, `listFiles()`, `downloadFile()` |
 
 Each example includes:
 - Complete OAuth authentication flow