llm-cli-gateway 1.17.2 → 1.17.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +12 -0
- package/README.md +2 -2
- package/dist/upstream-contracts.d.ts +1 -1
- package/dist/upstream-contracts.js +1 -1
- package/package.json +1 -1
- package/socket.yml +9 -3
package/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,18 @@ All notable changes to the llm-cli-gateway project.
|
|
|
4
4
|
|
|
5
5
|
## Unreleased
|
|
6
6
|
|
|
7
|
+
## [1.17.3] - 2026-05-31 — Socket scanner prose cleanup
|
|
8
|
+
|
|
9
|
+
Patch release that removes wording in shipped metadata that Socket classified
|
|
10
|
+
as network access and corrects the public-package alert documentation.
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
|
|
14
|
+
- Reworded Mistral CLI contract metadata so Socket no longer interprets
|
|
15
|
+
descriptive text in `dist/upstream-contracts.js` as a network primitive.
|
|
16
|
+
- Updated Socket alert documentation to distinguish repository/PR policy
|
|
17
|
+
configuration from Socket's public npm package page.
|
|
18
|
+
|
|
7
19
|
## [1.17.2] - 2026-05-31 — upstream contract compatibility
|
|
8
20
|
|
|
9
21
|
Patch release that keeps the gateway aligned with current provider CLI surfaces
|
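Review bot: the two `### Fixed` entries describe wording changes only, but neither says outright that runtime behaviour is unchanged; because the first entry says the rewording was done so Socket "no longer interprets" the text as a network primitive, a reader skimming the changelog could take it for alert suppression. Suggest a sentence in the release summary such as "No runtime behaviour changed; the only code edit is a flag description string in `dist/upstream-contracts.js`." A pointer from the first entry to the `socket.yml` comment or the README alert table that carries the rationale would also let reviewers verify the claim instead of taking it from the changelog alone.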
package/README.md
CHANGED
|
@@ -1173,11 +1173,11 @@ The gateway supports concurrent requests across different CLIs. Each request spa
|
|
|
1173
1173
|
|
|
1174
1174
|
### Socket alerts — context for reviewers
|
|
1175
1175
|
|
|
1176
|
-
If you're vetting `llm-cli-gateway` through [Socket](https://socket.dev/npm/package/llm-cli-gateway) or a similar supply-chain scanner, you'll see behavioural alerts and some dependency-ownership alerts. They are accurate descriptions of what the package does and what it depends on. The reviewed `shellAccess` capability is
|
|
1176
|
+
If you're vetting `llm-cli-gateway` through [Socket](https://socket.dev/npm/package/llm-cli-gateway) or a similar supply-chain scanner, you'll see behavioural alerts and some dependency-ownership alerts. They are accurate descriptions of what the package does and what it depends on. The reviewed `shellAccess` capability is configured in `socket.yml` for repository/PR policy surfaces, but Socket's public package page may still display it for the published npm artifact; the rationale remains documented here and in the package.
|
|
1177
1177
|
|
|
1178
1178
|
| Alert | Where | Why it's bounded |
|
|
1179
1179
|
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|
|
1180
|
-
| **Network access** | `src/http-transport.ts` opens an HTTP MCP transport when started via `npm run start:http`. `src/endpoint-exposure.ts` issues a HEAD probe to verify configured public/tunnel URLs.
|
|
1180
|
+
| **Network access** | `src/http-transport.ts` opens an HTTP MCP transport when started via `npm run start:http`. `src/endpoint-exposure.ts` issues a HEAD probe to verify configured public/tunnel URLs. Socket also flagged `dist/upstream-contracts.js` in v1.17.2 from descriptive text, not a network call. | The transport binds to `127.0.0.1` by default and requires `LLM_GATEWAY_AUTH_TOKEN` to be set. The default stdio MCP entry point (`npm start`) opens no sockets. `src/upstream-contracts.ts` stores provider CLI metadata and imports no HTTP client APIs. |
|
|
1181
1181
|
| **Shell access** | `src/executor.ts` uses `child_process.spawn(cmd, args, …)` to invoke the underlying LLM CLIs. | `spawn` is called with an argument array and **never** `shell: true`, so there is no shell interpolation path for caller input. The command name is restricted to an allow-list of known CLI binaries (`claude`, `codex`, `gemini`, `grok`, `vibe`). |
|
|
1182
1182
|
| **Uses eval** | None in our source. Transitive: `@modelcontextprotocol/sdk` → `ajv@8` uses `new Function(...)` in `ajv/dist/compile/index.js` to compile JSON Schema validators. | This is ajv's standard codegen path. Only known schemas (defined in our source and the MCP SDK) flow into it; no caller-supplied data ever reaches the compiled function body. |
|
|
1183
1183
|
| **better-sqlite3 PRAGMA helper** | Transitive: `better-sqlite3/lib/methods/pragma.js` interpolates its caller-provided `source` into a `PRAGMA ${source}` statement. | We do not call `db.pragma()` from production source. Internal SQLite setup uses fixed literal `db.exec("PRAGMA ...")` statements, and `npm run security:audit` fails the release if production code reintroduces `.pragma()` calls. |
|
|
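Review bot: the `Why it's bounded` cell of the Network access row asserts that `src/upstream-contracts.ts` "imports no HTTP client APIs", but unlike the better-sqlite3 row, whose claim is backed by `npm run security:audit` failing the release on reintroduced `.pragma()` calls, nothing in the table enforces this one. Suggest extending that audit to fail if the upstream-contracts module imports `node:http` / `node:https` or calls `fetch`, and saying so in the cell, so the table keeps its pattern of pairing each bounded claim with a check. Minor: the added sentence about the v1.17.2 false positive sits in the `Where` column, which otherwise lists real network entry points; it reads better in `Why it's bounded`, so `Where` stays a list of actual surfaces. The added sentence in the lead paragraph (shellAccess configured in `socket.yml` for repository/PR surfaces but possibly still shown on the public package page) is clear; consider linking the `socket.yml` comment block it summarises.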
@@ -33,7 +33,7 @@ export interface CliFlagContract {
|
|
|
33
33
|
* enforcement.
|
|
34
34
|
*/
|
|
35
35
|
export interface CliUpstreamMetadata {
|
|
36
|
-
/** Canonical changelog / release-notes URLs the scanner
|
|
36
|
+
/** Canonical changelog / release-notes URLs the scanner retrieves with --live. */
|
|
37
37
|
sourceUrls: readonly string[];
|
|
38
38
|
/** Distribution package identifier (npm package name, PyPI project, …). */
|
|
39
39
|
packageName?: string;
|
|
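Review bot: the completed doc comment on `sourceUrls` says the scanner "retrieves" these URLs "with --live", which documents a real network retrieval path, yet the README's Network access row enumerates only `src/http-transport.ts` and `src/endpoint-exposure.ts`. If the `--live` scanner ships in the published package, add it to that row together with how it is bounded (opt-in flag only, for example); if it is a development-only script, say so in the comment so the shipped `.d.ts` does not advertise a network capability the package does not have. Also worth confirming that this was edited in the source module and regenerated rather than patched directly in `dist/`, since the companion `.js` hunk in this release touches the same module.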
@@ -643,7 +643,7 @@ export const UPSTREAM_CLI_CONTRACTS = {
|
|
|
643
643
|
"--check": { arity: "none", description: "Append a self-verification loop" },
|
|
644
644
|
"--disable-web-search": {
|
|
645
645
|
arity: "none",
|
|
646
|
-
description: "Disable web search and
|
|
646
|
+
description: "Disable web search and remote retrieval tools",
|
|
647
647
|
},
|
|
648
648
|
"--experimental-memory": { arity: "none", description: "Enable cross-session memory" },
|
|
649
649
|
"--no-alt-screen": { arity: "none", description: "Run inline without alt screen" },
|
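Review bot: the `--disable-web-search` description now reads "Disable web search and remote retrieval tools", a wording chosen (per the `socket.yml` comment in this release) to avoid the scanner's network heuristic rather than to match the upstream CLI. Since the 1.17.2 changelog says these contracts exist to keep the gateway "aligned with current provider CLI surfaces", a description that diverges from upstream help text weakens that alignment and will confuse anyone diffing this table against upstream. Suggest either keeping the upstream wording verbatim and handling the scanner false positive in `socket.yml`, or adding a comment beside this entry stating that the wording was deliberately changed from upstream and why, so the next contract refresh does not silently revert it.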
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "llm-cli-gateway",
|
|
3
|
-
"version": "1.17.
|
|
3
|
+
"version": "1.17.3",
|
|
4
4
|
"mcpName": "io.github.verivus-oss/llm-cli-gateway",
|
|
5
5
|
"description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
|
|
6
6
|
"license": "MIT",
|
package/socket.yml
CHANGED
|
@@ -19,12 +19,18 @@ version: 2
|
|
|
19
19
|
# import bundled HTTP client libraries; all default I/O is filesystem
|
|
20
20
|
# (SQLite, sessions.json) or explicit local CLI process I/O.
|
|
21
21
|
#
|
|
22
|
+
# Socket also flagged `dist/upstream-contracts.js` in v1.17.2 because a
|
|
23
|
+
# Mistral CLI flag description contained browser retrieval wording. That
|
|
24
|
+
# text is descriptive upstream metadata only; no network primitive is
|
|
25
|
+
# imported or called from upstream-contracts.ts. The wording now uses
|
|
26
|
+
# "remote retrieval" to avoid that heuristic.
|
|
27
|
+
#
|
|
22
28
|
# shellAccess
|
|
23
29
|
# This alert fires on every module that imports node:child_process, and
|
|
24
30
|
# because spawning provider CLIs and git is the entire purpose of the package
|
|
25
|
-
# it is a reviewed capability description, not a finding.
|
|
26
|
-
#
|
|
27
|
-
#
|
|
31
|
+
# it is a reviewed capability description, not a finding. `issueRules` can
|
|
32
|
+
# quiet repository/PR policy surfaces, but Socket's public package page may
|
|
33
|
+
# still display this alert for the published npm artifact.
|
|
28
34
|
#
|
|
29
35
|
# INVARIANT enforced across ALL sites below: arguments are always passed
|
|
30
36
|
# as an array and `shell: true` is NEVER set, so there is no shell
|
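Review bot: the new comment block ties its rationale to "v1.17.2" and to one specific heuristic wording; version-specific references in a policy file go stale, so describe the condition generically (flag description strings in `upstream-contracts` are descriptive upstream metadata with no network imports) and leave the version history to CHANGELOG.md. Separately, the replacement line "it is a reviewed capability description, not a finding. `issueRules` can" now refers to an `issueRules` entry that is not in this hunk; place the explanation directly above the rule it justifies so a reviewer sees the suppression and its reasoning together rather than having to search the file.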