llm-cli-gateway 1.15.1 → 1.15.3

package/CHANGELOG.md

@@ -2,6 +2,55 @@
 
 All notable changes to the llm-cli-gateway project.
 
+## Unreleased
+
+## [1.15.3] - 2026-05-29 — remove retired PyPI plugin
+
+Patch release removing the retired Python `llm` plugin integration so the
+project no longer depends on Simon Willison's `llm` package.
+
+### Removed
+
+- Removed `integrations/llm-plugin/`, including the `gateway-claude`,
+  `gateway-codex`, and `gateway-gemini` aliases that were registered through
+  the external `llm` package.
+- Removed the PyPI trusted-publishing workflow. Releases now publish npm and
+  signed GitHub installer artifacts only.
+- Removed the plugin-specific Dependabot and security-lint wiring for the
+  deleted Python package.
+
+### Changed
+
+- Removed README guidance that advertised `llm install llm-gateway` and
+  `llm -m gateway-*` usage.
+- Added an archived PyPI retirement description explaining the supported npm
+  and direct-MCP install paths for users who discover the historical PyPI
+  package.
+
+## [1.15.2] - 2026-05-29 — security quality follow-up
+
+Patch release for GitHub Security & quality follow-up findings and Scorecard
+documentation.
+
+### Fixed
+
+- Preserve the leading content when truncating async job stdout/stderr in
+  `llm_job_result`, matching bounded-result consumer expectations instead of
+  returning only the tail.
+- Handle installer gateway log file close errors explicitly so failed flushes
+  from writable stdout/stderr log handles are surfaced to callers.
+
+### Changed
+
+- Moved non-canonical root Markdown into `docs/guides/` and `docs/archive/`
+  so the repository root stays focused on public entry points.
+- Renamed async-defer result guidance from the old retrieval field to `collectWith`,
+  avoiding Socket substring false positives in generated package code.
+- Recorded OpenSSF Scorecard `FuzzingID` as a valid roadmap/process item:
+  adding `fast-check` style property tests for parser, argv, and worktree
+  surfaces would improve the Scorecard signal, but the absence of fuzzing does
+  not block this patch release.
+
 ## [1.15.1] - 2026-05-29 — quality badges + Sigstore release signing
 
 Release-infrastructure follow-up to v1.15.0.
@@ -1121,11 +1170,11 @@ Technical corrections from the multi-LLM voice + technical review:
 
 ### Fixed — `socket.yml` networkAccess false-positive documentation
 
-- Documented that the `globalThis["fetch"]` flag on `dist/index.js` /
-  `dist/job-store.js` is a substring-match false positive. Neither file
-  contains any actual fetch call; the matches are English-prose
-  occurrences in an error message, the `fetchWith` JSON field name, and
-  a code comment. Verified by sub-agent investigation, no code change
+- Documented that Socket's network-access flag on `dist/index.js` /
+  `dist/job-store.js` was a substring-match false positive. Neither file
+  contained a production network call; the matches were English-prose
+  retrieval wording in an error message, a structured result-tool field name,
+  and a code comment. Verified by sub-agent investigation, no code change
   required, no attack-surface delta vs 1.5.35.
 
 ### Fixed — `lychee.toml` exclusions

package/README.md

@@ -3,7 +3,11 @@
 [![CI](https://github.com/verivus-oss/llm-cli-gateway/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/verivus-oss/llm-cli-gateway/actions/workflows/ci.yml)
 [![Security](https://github.com/verivus-oss/llm-cli-gateway/actions/workflows/security.yml/badge.svg?branch=main)](https://github.com/verivus-oss/llm-cli-gateway/actions/workflows/security.yml)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/verivus-oss/llm-cli-gateway/badge)](https://scorecard.dev/viewer/?uri=github.com/verivus-oss/llm-cli-gateway)
+[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/13025/badge)](https://www.bestpractices.dev/projects/13025)
 [![npm](https://img.shields.io/npm/v/llm-cli-gateway.svg)](https://www.npmjs.com/package/llm-cli-gateway)
+[![npm weekly downloads](https://img.shields.io/npm/dw/llm-cli-gateway.svg)](https://www.npmjs.com/package/llm-cli-gateway)
+[![npm monthly downloads](https://img.shields.io/npm/dm/llm-cli-gateway.svg)](https://www.npmjs.com/package/llm-cli-gateway)
+[![GitHub release downloads](https://img.shields.io/github/downloads/verivus-oss/llm-cli-gateway/total.svg)](https://github.com/verivus-oss/llm-cli-gateway/releases)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 [![Releases: Sigstore signed](https://img.shields.io/badge/releases-Sigstore%20signed-2e7d32.svg)](SECURITY.md#release-signing)
 
@@ -23,7 +27,7 @@ A Model Context Protocol (MCP) gateway for running Claude Code, Codex, Gemini, G
 - Can run requests inside gateway-managed git worktrees for isolated multi-agent review and implementation loops.
 - Ships personal-appliance setup surfaces: HTTP transport with bearer-token auth, `doctor --json`, setup UI artifacts, provider setup snippets, Docker fallback, and checked release bundles.
 
-## Personal MCP Appliance MVP
+## Personal MCP Appliance
 
 The personal-appliance contract keeps that surface intentionally narrow: one trusted user runs the gateway on a machine or volume they own, connects one MCP endpoint, and asks any connected client for cross-LLM validation.
 
@@ -31,7 +35,7 @@ The product contract is documented in [docs/personal-mcp/PRODUCT_CONTRACT.md](do
 
 This project does not provide hosted multi-tenant credential custody. Provider credentials stay on the user's machine or user-owned deployment volume.
 
-MVP release readiness is tracked in [docs/personal-mcp/RELEASE_READINESS.md](docs/personal-mcp/RELEASE_READINESS.md). Dogfooding evidence (which target LLMs guided setup, what unsafe suggestions were captured, which findings are deferred to post-MVP work) is in [docs/personal-mcp/DOGFOODING_RESULTS.md](docs/personal-mcp/DOGFOODING_RESULTS.md).
+Release-readiness history is tracked in [docs/personal-mcp/RELEASE_READINESS.md](docs/personal-mcp/RELEASE_READINESS.md). Dogfooding evidence (which target LLMs guided setup, what unsafe suggestions were captured, and which findings were deferred from the initial personal-appliance rollout) is in [docs/personal-mcp/DOGFOODING_RESULTS.md](docs/personal-mcp/DOGFOODING_RESULTS.md).
 
 Current personal-appliance artifacts include:
 
@@ -172,7 +176,7 @@ Opt-in flags (all default off) live under `[cache_awareness]` in `~/.llm-cli-gat
 - **No Secret Leakage**: Generic session descriptions only (file permissions 0o600)
 - **No ReDoS**: Bounded regex patterns prevent catastrophic backtracking
 - **Type Safety**: Strict TypeScript with comprehensive error handling
-- **Supply-chain hardening**: a dedicated `.github/workflows/security.yml` runs actionlint, zizmor, shellcheck, typos, osv-scanner, gitleaks, ruff, bandit, and lychee on every push and PR (see `SECURITY.md` for the threat model)
+- **Supply-chain hardening**: a dedicated `.github/workflows/security.yml` runs actionlint, zizmor, shellcheck, typos, osv-scanner, gitleaks, and lychee on every push and PR (see `SECURITY.md` for the threat model)
 
 ## Prerequisites
 
@@ -287,7 +291,7 @@ For clients that already support local stdio MCP servers, add a configuration li
 }
 ```
 
-This generic stdio example is not provider-support verification for the Personal MCP Appliance MVP. Client-specific setup guides for ChatGPT, Claude web, Claude Desktop, Codex, Gemini CLI, Gemini web, and Grok remain gated by the provider-support matrix in [docs/personal-mcp/PRODUCT_CONTRACT.md](docs/personal-mcp/PRODUCT_CONTRACT.md).
+This generic stdio example is not provider-support verification for the Personal MCP Appliance. Client-specific setup guides for ChatGPT, Claude web, Claude Desktop, Codex, Gemini CLI, Gemini web, and Grok remain gated by the provider-support matrix in [docs/personal-mcp/PRODUCT_CONTRACT.md](docs/personal-mcp/PRODUCT_CONTRACT.md).
 
 ### Available Tools
 
@@ -460,7 +464,7 @@ Execute a Grok CLI (xAI) request with session support.
 Every async job is persisted to a job store as it transitions through running → completed/failed/canceled. This makes the gateway a durable collection layer:
 
 - **Re-issuing a request is safe.** Identical `*_request` / `*_request_async` calls within the dedup window (default 1 hour) short-circuit onto the existing running or completed job — the caller gets back the same job ID instead of starting a duplicate run. This directly fixes the "agent times out polling, re-issues, and the whole job starts over" failure mode.
-- **`llm_job_status` and `llm_job_result` work across gateway restarts.** Job rows live for 30 days by default; callers can fetch results long after the in-memory cache has evicted them.
+- **`llm_job_status` and `llm_job_result` work across gateway restarts.** Job rows live for 30 days by default; callers can collect results long after the in-memory cache has evicted them.
 - **Jobs running at shutdown are marked `orphaned`** on the next gateway boot (the detached child can't be reattached to). Their captured partial output remains readable.
 - **Pass `forceRefresh: true`** on any request tool to bypass dedup and force a fresh CLI run.
 
@@ -537,7 +541,7 @@ template_kind     = "implementation-dag"
 docs              = "https://github.com/verivus-oss/agent-assurance/blob/main/SPEC.md"
 confidentiality   = "public"
 title             = "Per-project llm-cli-gateway persistence isolation"
-spec              = "https://github.com/verivusai-labs/llm-cli-gateway#per-project-isolation"
+spec              = "https://github.com/verivus-oss/llm-cli-gateway#per-project-isolation"
 created           = "YYYY-MM-DD"
 total_units       = 5
 tier1_units       = ["U01","U02","U03","U04","U05"]
@@ -966,25 +970,6 @@ Each CLI can be configured through its own configuration files:
 - Codex: `~/.codex/config.toml`
 - Gemini: `~/.gemini/config.json`
 
-## For Fans of Simon Willison
-
-Simon's `llm` tool made it trivially easy to talk to any LLM from the command line. But as AI-assisted development matures, the challenge shifts from "how do I call a model" to "how do I orchestrate multiple models reliably, and what did they actually do?"
-
-**Multiple models increase the confidence factor.** When Claude writes code, Codex reviews it, and Gemini checks for bugs -- each bringing different training data and reasoning patterns -- the result is more robust than any single model alone. And often this isn't even enough. Having the models do iterative reviews is where you start getting real confidence.
-
-**Every interaction should be queryable data.** Inspired by `llm`'s SQLite logging philosophy, the gateway records every request and response to a local SQLite database. Not just prompts and responses -- retry counts, circuit breaker states, approval decisions, thinking blocks, cost estimates. Open it with Datasette and you have a complete operational picture of your AI usage:
-
-    datasette ~/.llm-cli-gateway/logs.db
-
-**The `llm-gateway` plugin bridges both worlds.** Install it, and your existing `llm` workflows gain orchestration features without changing how you work:
-
-    llm install llm-gateway
-    llm -m gateway-claude "explain this function"
-
-Your gateway interactions appear in both `llm logs` (for your personal history) and the gateway's flight recorder (for operational observability). Two audiences, one workflow.
-
-**Composability over monoliths.** The gateway doesn't replace `llm` -- it complements it. Use `llm` directly when you want simplicity. Route through the gateway when you want resilience, multi-model coordination, or detailed operational telemetry. The plugin is the bridge, not the destination.
-
 ## Development
 
 ### Project Structure

package/dist/async-job-manager.js

@@ -51,7 +51,7 @@ function truncateText(value, maxChars) {
         return { text: value, truncated: false };
     }
     return {
-        text: value.slice(value.length - maxChars),
+        text: value.slice(0, maxChars),
         truncated: true,
     };
 }

package/dist/index.js

@@ -486,7 +486,7 @@ cwd) {
         jobId: job.id,
         cli,
         correlationId: corrId,
-        message: `Execution exceeded sync deadline (${SYNC_DEADLINE_MS}ms). Poll with llm_job_status, fetch with llm_job_result.`,
+        message: `Execution exceeded sync deadline (${SYNC_DEADLINE_MS}ms). Poll with llm_job_status, collect with llm_job_result.`,
     };
 }
 function isDeferredResponse(result) {
@@ -505,7 +505,7 @@ function buildDeferredToolResponse(deferred, sessionId) {
                     message: deferred.message,
                     sessionId: sessionId || null,
                     pollWith: "llm_job_status",
-                    fetchWith: "llm_job_result",
+                    collectWith: "llm_job_result",
                     cancelWith: "llm_job_cancel",
                 }, null, 2),
             },

package/dist/job-store.js

@@ -245,7 +245,7 @@ export class SqliteJobStore {
      */
     markOrphanedOnStartup() {
         const now = new Date().toISOString();
-        // Orphaned jobs retain a short window so callers can fetch the partial output,
+        // Orphaned jobs retain a short window so callers can collect the partial output,
         // then evict. Reuse the standard retention.
         const expiresAt = new Date(Date.now() + this.retentionMs).toISOString();
         // SELECT before UPDATE — gateway boot is single-threaded so no row can

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.15.1",
+  "version": "1.15.3",
   "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
   "license": "MIT",

package/socket.yml

@@ -14,24 +14,12 @@ version: 2
 #     src/endpoint-exposure.ts also issues a HEAD probe when verifying
 #     tunnel reachability — opt-in via the start:http entry point only.
 #
-#     Additionally, Socket may flag `dist/index.js` and `dist/job-store.js`
-#     against the `globalThis["fetch"]` rule. This is a substring-match
-#     false positive (verified for v1.6.0 by sub-agent investigation on
-#     2026-05-26; same matches exist in v1.5.35). Neither file contains
-#     any `fetch(`, `globalThis.fetch`, polyfill import, or any other
-#     network-call construct. The matches are:
-#       - dist/index.js — the English word "fetch" inside an async-defer
-#         error message ("Poll with llm_job_status, fetch with
-#         llm_job_result.") AND the JSON field name `fetchWith:
-#         "llm_job_result"` (part of the deferred-job response contract).
-#       - dist/job-store.js — the word "fetch" inside a code comment on
-#         markOrphanedOnStartup() describing how callers retrieve partial
-#         output from SQLite.
-#     Verify with: `grep -rEn "\bfetch\(|globalThis\.fetch|globalThis\[" dist/`
-#     — returns empty. Production code does not import undici / node-fetch
-#     / axios / got. The cache-awareness slice (v1.6.0) introduced zero
-#     new network surfaces; all I/O is filesystem (SQLite, sessions.json)
-#     or in-process.
+#     Historical note: Socket previously flagged `dist/index.js` and
+#     `dist/job-store.js` because async-job prose used retrieval wording that
+#     resembled a browser-network primitive. The package now uses "collect" /
+#     `collectWith` wording for deferred job results. Production code does not
+#     import bundled HTTP client libraries; all default I/O is filesystem
+#     (SQLite, sessions.json) or explicit local CLI process I/O.
 #
 #   shellAccess
 #     src/executor.ts uses child_process.spawn(cmd, args, { ... }) with a