llm-cli-gateway 1.17.7 → 1.17.9

package/CHANGELOG.md

@@ -4,6 +4,124 @@ All notable changes to the llm-cli-gateway project.
 
 ## Unreleased
 
+## [1.17.9] - 2026-06-04: prod-only shrinkwrap + registry-fidelity verification
+
+Patch release shipping a prod-only `npm-shrinkwrap.json` and correcting the
+1.17.8 record: registry installs **do** honour the published shrinkwrap (the
+real distribution channel), so consumers of `npm install llm-cli-gateway`
+already get the pinned `tar-stream@3.1.7`. The 1.17.8 changelog called the
+shrinkwrap "inert today because of npm/cli#7977" — that was wrong. npm/cli#7977
+covers a remote-registry edge case; what we actually reproduced on this host
+(npm 11.12.1) is that **local-tarball** installs ignore a nested shrinkwrap
+(npm/cli#5349/#5325 class), while registry installs honour it via the
+packument's `hasShrinkwrap` flag. This release verifies the registry path end
+to end with a verdaccio reproduction.
+
+### Added
+
+- `scripts/make-prod-shrinkwrap.mjs`: deterministic generator that projects
+  `package-lock.json` into a prod-only `npm-shrinkwrap.json` — drops every
+  dev-only (`dev === true`) `packages` entry and deletes the root
+  `devDependencies` field. A byte-identical copy of the lockfile (1.17.8's
+  approach) reified all ~316 packages into consumer trees (npm/cli#4323); the
+  prod-only projection ships ~124 and eliminates the dev-dep bloat for registry
+  consumers. Output is byte-deterministic; the security audit regenerates and
+  compares for parity. `optional` (and any `devOptional`) entries are kept —
+  prod installs need them. The shrinkwrap is GENERATED at pack/publish time
+  and never committed: a committed npm-shrinkwrap.json is treated by
+  `npm ci`/`npm install` as the authoritative lockfile, and the prod-only
+  projection (no dev deps) breaks every dev/CI install with EUSAGE "lock
+  file out of sync" — discovered when the first 1.17.9 release attempt
+  failed all four `npm ci`-based workflows. `.gitignore` now covers it; the
+  CI, publish, and tag-release workflows generate it just before the
+  security audit / pack / publish steps.
+- `scripts/verify-registry-install.sh`: registry-fidelity gate (run by
+  `scripts/pre-release.sh` and standalone). Publishes the current tree to an
+  ephemeral verdaccio, installs it into a fresh consumer dir, and asserts (a)
+  `tar-stream` resolves to `3.1.7` (shrinkwrap honoured), (b) no dev-dep markers
+  (`vitest`/`typescript`/`eslint`/`prettier`) in the consumer tree, (c) the
+  installed bin prints the expected version, (d) `better-sqlite3` loads from the
+  installed package (binding built through the pinned tar chain). The publish /
+  consumer-install / assertion flow runs entirely against throwaway temp dirs
+  (registry storage, npm cache, userconfig) and the localhost registry — the
+  package under test never reaches the public registry. One exception: the
+  verdaccio bootstrap itself (`npx --yes verdaccio`) resolves through the user's
+  normal npm config and npx cache (unavoidable for an ephemeral tool), touching
+  only verdaccio's own packages. Sets the packument's
+  `_hasShrinkwrap` flag to mirror what npmjs sets at publish (verdaccio does not
+  compute it), so the reproduction faithfully matches the real registry. Logs
+  the observed reified-package count (not hard-asserted in this release).
+
+### Changed
+
+- `scripts/pre-release.sh` / `scripts/refresh-release-lockfile.sh`: replace
+  `cp package-lock.json npm-shrinkwrap.json` with
+  `node scripts/make-prod-shrinkwrap.mjs`; pre-release now also runs
+  `scripts/verify-registry-install.sh` after the shrinkwrap regeneration and the
+  release gate.
+- `scripts/release-security-audit.sh`: the shrinkwrap parity gate no longer does
+  byte-identity against the lockfile (that no longer holds — the shrinkwrap is a
+  prod-only projection). It regenerates the expected projection from
+  `package-lock.json` via the same deterministic generator into a temp file and
+  `cmp -s` against the shipped `npm-shrinkwrap.json`.
+
+### Fixed (record correction)
+
+- The 1.17.8 claim that the shipped shrinkwrap is "inert today because of
+  npm/cli#7977" was incorrect. Registry installs honour it (verified via the new
+  verdaccio reproduction); only **local-tarball** installs ignore it
+  (npm/cli#5349/#5325 class — our live repro). The packed-consumer-install
+  advisory in the audit is requalified accordingly: registry installs get
+  `tar-stream@3.1.7`, local-tarball installs still resolve `tar-stream@2.2.0`,
+  and the advisory (warn, not fail) stays until Phase B drops `better-sqlite3`
+  from the prod graph. The 1.17.8 entry itself is left unedited.
+
+### Known residuals
+
+- Consumer `npm ls` exits ELSPROBLEMS: the pinned `tar-stream@3.1.7` sits
+  outside `tar-fs`'s `^2.1.4` range. Inherent to the out-of-range pin; disappears
+  in 2.0.0 (Phase B / node:sqlite) when the `better-sqlite3 → prebuild-install
+  → tar-fs` chain leaves the prod graph entirely.
+- Local-tarball installs still resolve `tar-stream@2.2.0` (shrinkwrap ignored on
+  that path); the audit's advisory carve-out stays until Phase B.
+
+## [1.17.8] - 2026-06-04: release-audit integrity fix + shrinkwrap groundwork
+
+Patch release fixing a masking bug in the release security audit and documenting
+the consumer-side tar-stream@2.2.0 exposure honestly: `package.json#overrides`
+only pins tar-stream 3.1.7 in this repo's own tree — npm overrides never
+propagate to dependents, so `npm install llm-cli-gateway` still resolves
+tar-stream@2.2.0 under better-sqlite3 → prebuild-install → tar-fs in the
+consumer's tree. The canonical remedy, a published `npm-shrinkwrap.json`, is
+currently **ignored by npm itself** (npm/cli#7977, verified empirically against
+npm 11.12.1 with lockfileVersion 2 and 3): no mechanism available to this
+package can pin a dependent's transitive resolution today.
+
+### Fixed
+
+- `scripts/release-security-audit.sh`: lockfile package names were derived with
+  `path.split('/node_modules/')`, which never matches top-level
+  `node_modules/<pkg>` entries — the packed-consumer-install check silently
+  passed 1.17.7 despite tar-stream@2.2.0 in the consumer tree. Names now derive
+  from a `node_modules/` split that handles top-level and nested entries.
+
+### Added
+
+- Ship `npm-shrinkwrap.json` (byte-identical copy of `package-lock.json`,
+  regenerated by `scripts/pre-release.sh`; the audit fails the release if the
+  two diverge). Inert today because of npm/cli#7977, but it becomes effective
+  the moment npm honours published shrinkwraps again — the audit detects that
+  flip and says so.
+- Consumer-tree tar-stream 2.x is now a **documented advisory** in the audit
+  (warn, not fail): the exposure is upstream (better-sqlite3's install path),
+  install-time only (extracting the prebuilt binding fetched over HTTPS from
+  better-sqlite3's GitHub releases), and unfixable from this package until
+  npm/cli#7977 is resolved or better-sqlite3 drops `prebuild-install`. Any
+  other blocked version in the consumer tree still hard-fails.
+- `scripts/pre-release.sh`: better-sqlite3 native-binding sanity check
+  (auto-`npm rebuild` when `npm install` re-lays the subtree without running
+  its install script) and deterministic shrinkwrap regeneration.
+
 ## [1.17.7] - 2026-06-04: Socket supply-chain score restoration
 
 Patch release restoring the npm Socket supply-chain posture from 1.17.5

package/dist/index.js

@@ -1444,9 +1444,7 @@ export function prepareGrokRequest(params, runtime = resolveGatewayServerRuntime
         args.push("--prompt-file", params.promptFile);
     }
     if (params.promptJson !== undefined) {
-        const promptJsonValue = typeof params.promptJson === "string"
-            ? params.promptJson
-            : JSON.stringify(params.promptJson);
+        const promptJsonValue = typeof params.promptJson === "string" ? params.promptJson : JSON.stringify(params.promptJson);
         if (!promptJsonValue.trim()) {
             return createErrorResponse(params.operation, 1, "", corrId, new Error("promptJson: must be a non-empty JSON string or serializable value"));
         }
@@ -3454,10 +3452,7 @@ export function createGatewayServer(deps = {}) {
             .optional()
             .describe("Grok --verbatim: send the prompt exactly as given. Also skips gateway optimizePrompt when true."),
         agents: z
-            .union([
-            z.string().min(1),
-            z.record(z.string(), z.record(z.string(), z.unknown())),
-        ])
+            .union([z.string().min(1), z.record(z.string(), z.record(z.string(), z.unknown()))])
             .optional()
             .describe("Grok --agents <JSON>: inline subagent definitions (JSON string or name → { description, prompt, … } map)."),
         promptFile: z
@@ -3478,10 +3473,16 @@ export function createGatewayServer(deps = {}) {
             .boolean()
             .optional()
             .describe("Grok --experimental-memory: enable cross-session memory."),
-        noAltScreen: z.boolean().optional().describe("Grok --no-alt-screen: run inline without alt screen."),
+        noAltScreen: z
+            .boolean()
+            .optional()
+            .describe("Grok --no-alt-screen: run inline without alt screen."),
         noMemory: z.boolean().optional().describe("Grok --no-memory: disable cross-session memory."),
         noPlan: z.boolean().optional().describe("Grok --no-plan: disable plan mode."),
-        noSubagents: z.boolean().optional().describe("Grok --no-subagents: disable subagent spawning."),
+        noSubagents: z
+            .boolean()
+            .optional()
+            .describe("Grok --no-subagents: disable subagent spawning."),
         oauth: z.boolean().optional().describe("Grok --oauth: use OAuth during authentication."),
         restoreCode: z
             .boolean()
@@ -4258,10 +4259,7 @@ export function createGatewayServer(deps = {}) {
                 .optional()
                 .describe("Grok --verbatim: send the prompt exactly as given. Also skips gateway optimizePrompt when true."),
             agents: z
-                .union([
-                z.string().min(1),
-                z.record(z.string(), z.record(z.string(), z.unknown())),
-            ])
+                .union([z.string().min(1), z.record(z.string(), z.record(z.string(), z.unknown()))])
                 .optional()
                 .describe("Grok --agents <JSON>: inline subagent definitions (JSON string or name → { description, prompt, … } map)."),
             promptFile: z
@@ -4286,7 +4284,10 @@ export function createGatewayServer(deps = {}) {
                 .boolean()
                 .optional()
                 .describe("Grok --no-alt-screen: run inline without alt screen."),
-            noMemory: z.boolean().optional().describe("Grok --no-memory: disable cross-session memory."),
+            noMemory: z
+                .boolean()
+                .optional()
+                .describe("Grok --no-memory: disable cross-session memory."),
             noPlan: z.boolean().optional().describe("Grok --no-plan: disable plan mode."),
             noSubagents: z
                 .boolean()