llm-cli-gateway 1.17.0 → 1.17.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.17.0",
+  "version": "1.17.2",
   "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
   "license": "MIT",
@@ -62,6 +62,7 @@
     "migrate": "node dist/migrate.js",
     "test": "vitest run",
     "test:ci": "vitest run --pool=forks --maxWorkers=1",
+    "test:fuzz": "vitest run src/__tests__/fuzz.test.ts",
     "test:coverage": "vitest run --coverage",
     "test:watch": "vitest",
     "test:unit": "vitest run src/__tests__/executor.test.ts",
@@ -81,7 +82,7 @@
     "check": "npm run build && npm run lint && npm test && npm run security:audit",
     "release:build": "bash installer/build-release.sh",
     "release:checksums": "cd installer/dist && sha256sum --check SHA256SUMS",
-    "release:docker": "docker compose -f docker-compose.personal.yml build"
+    "release:docker": "docker compose -f docker/personal.compose.yml build"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
@@ -89,7 +90,7 @@
     "content-type": "1.0.5",
     "smol-toml": "^1.6.1",
     "type-is": "2.0.1",
-    "zod": "^3.23.0"
+    "zod": "^4.4.3"
   },
   "peerDependencies": {
     "pg": "^8.12.0"
@@ -100,18 +101,20 @@
     }
   },
   "devDependencies": {
+    "@eslint/js": "^10.0.1",
     "@types/better-sqlite3": "^7.6.0",
-    "@types/node": "^20.19.30",
+    "@types/node": "^25.9.1",
     "@types/pg": "^8.11.10",
     "@typescript-eslint/eslint-plugin": "^8.59.4",
     "@typescript-eslint/parser": "^8.59.4",
     "@vitest/coverage-v8": "^4.1.2",
-    "eslint": "^8.57.1",
-    "eslint-config-prettier": "^9.0.0",
-    "eslint-plugin-security": "^3.0.1",
+    "eslint": "^10.4.1",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-security": "^4.0.0",
+    "fast-check": "^4.8.0",
     "pg": "^8.12.0",
     "prettier": "^3.0.0",
-    "typescript": "^5.0.0",
+    "typescript": "^6.0.3",
     "vitest": "^4.0.18"
   },
   "overrides": {

package/setup/status.schema.json

@@ -15,6 +15,7 @@
     "endpoint_exposure",
     "client_config",
     "cache_awareness",
+    "upstream",
     "next_actions"
   ],
   "properties": {
@@ -302,6 +303,36 @@
       },
       "additionalProperties": false
     },
+    "upstream": {
+      "type": "object",
+      "required": [
+        "note",
+        "recommendation",
+        "how_to_check",
+        "probed",
+        "installed_versions",
+        "contracts"
+      ],
+      "properties": {
+        "note": { "type": "string" },
+        "recommendation": { "type": "string" },
+        "how_to_check": { "type": "string" },
+        "probed": { "type": "boolean" },
+        "installed_versions": {
+          "type": "object",
+          "additionalProperties": { "type": ["string", "null"] }
+        },
+        "contracts": {
+          "type": "object",
+          "additionalProperties": true
+        },
+        "probe_report": {
+          "type": ["object", "null"],
+          "additionalProperties": true
+        }
+      },
+      "additionalProperties": false
+    },
     "next_actions": {
       "type": "array",
       "items": { "type": "string" }

package/socket.yml

@@ -2,11 +2,9 @@ version: 2
 
 # Socket alerts on llm-cli-gateway
 # ---------------------------------
-# This package intentionally triggers three of Socket's behavioural alerts.
-# We do NOT disable them — they are accurate descriptions of what the package
-# does, and silencing them would hide useful signal from anyone evaluating
-# this dependency. The rationale for each is documented inline below and in
-# detail under "Security Considerations" in README.md.
+# This package intentionally triggers behavioural alerts. They are accurate
+# descriptions of what the package does; the rationale for each is documented
+# inline below and in detail under "Security Considerations" in README.md.
 #
 #   networkAccess
 #     src/http-transport.ts opens an HTTP MCP transport (createServer/listen).
@@ -23,9 +21,10 @@ version: 2
 #
 #   shellAccess
 #     This alert fires on every module that imports node:child_process, and
-#     because spawning provider CLIs and git is the entire purpose of the
-#     package it surfaces on every release BY DESIGN — we keep it visible
-#     rather than silencing it. It is a capability description, not a finding.
+#     because spawning provider CLIs and git is the entire purpose of the package
+#     it is a reviewed capability description, not a finding. As of v1.17.1 this
+#     specific reviewed alert is suppressed via `issueRules.shellAccess: false`
+#     to avoid noisy repeat findings on every release.
 #
 #     INVARIANT enforced across ALL sites below: arguments are always passed
 #     as an array and `shell: true` is NEVER set, so there is no shell
@@ -75,6 +74,7 @@ issueRules:
   installScripts: true
   telemetry: true
   hasNativeCode: true            # better-sqlite3 — known and expected
+  shellAccess: false             # reviewed gateway capability; see rationale above
   shellScriptOverride: true
   gitDependency: true
   httpDependency: true