llm-cli-gateway 1.17.8 → 2.0.0

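--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "llm-cli-gateway",
- "version": "1.17.8",
+ "version": "2.0.0",
  "mcpName": "io.github.verivus-oss/llm-cli-gateway",
  "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
  "license": "MIT",
@@ -40,7 +40,7 @@
  "llm-cli-gateway": "dist/index.js"
  },
  "engines": {
- "node": ">=20.0.0"
+ "node": ">=24.4.0"
  },
  "files": [
  "dist/**/*.js",
@@ -87,7 +87,6 @@
  },
  "dependencies": {
  "@modelcontextprotocol/sdk": "^1.29.0",
- "better-sqlite3": "^12.10.0",
  "content-type": "1.0.5",
  "smol-toml": "^1.6.1",
  "type-is": "2.0.1",
@@ -104,6 +103,7 @@
  "devDependencies": {
  "@eslint/js": "^10.0.1",
  "@types/better-sqlite3": "^7.6.0",
+ "better-sqlite3": "^12.10.0",
  "@types/node": "^25.9.1",
  "@types/pg": "^8.11.10",
  "@typescript-eslint/eslint-plugin": "^8.59.4",
@@ -120,8 +120,7 @@
  },
  "overrides": {
  "type-is": "2.0.1",
- "content-type": "1.0.5",
- "tar-stream": "3.1.7"
+ "content-type": "1.0.5"
  },
  "directories": {
  "doc": "docs"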
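Review bot: Dropping `"tar-stream": "3.1.7"` from `overrides` in the last hunk reopens, for development and CI installs, the install-time tar path-traversal exposure that the 1.17.7 override was added for: better-sqlite3 stays in `devDependencies` (fourth hunk) and, per this release's own socket.yml rationale, pulls prebuild-install → tar-fs → tar-stream 2.x, while the release audit described there only guards the prod graph. Keep the override until better-sqlite3 leaves the tree, or have CI install with `npm ci --ignore-scripts` and record which option was chosen next to the `overrides` block. Whether the lockfile actually resolves tar-stream 2.2.0 again is not visible in this diff and should be confirmed before publishing. Separately, the `engines` bump to `>=24.4.0` is advisory unless a consumer sets `engine-strict`, so a Node 20/22 user will fail on the first `node:sqlite` import rather than at install time; a startup version check with a clear error message would make the breaking change legible.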
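--- a/package/socket.yml
+++ b/package/socket.yml
@@ -25,10 +25,15 @@ version: 2
  # imported or called from upstream-contracts.ts. The wording now uses
  # "remote retrieval" to avoid that heuristic.
  #
- # Transitive tar-stream@2.2.0 (better-sqlite3 → prebuild-install → tar-fs)
- # triggered Socket "Potential vulnerability" (tar path traversal at install
- # only). v1.17.7+ overrides tar-stream to 3.1.7 and blocks 2.x in the
- # release security audit.
+ # Historical (resolved in 2.0.0): transitive tar-stream@2.2.0
+ # (better-sqlite3 prebuild-install tar-fs) triggered Socket "Potential
+ # vulnerability" (tar path traversal at install only). v1.17.7-1.17.9 worked
+ # around it with a tar-stream 3.1.7 override + prod-only shrinkwrap. As of
+ # 2.0.0 the gateway uses Node's built-in `node:sqlite` for persistence;
+ # better-sqlite3 is a devDependency only, so the prod graph has NO native
+ # module and NO tar-stream/prebuild-install/tar-fs install chain. The
+ # release security audit now hard-fails if any of those packages re-enter
+ # the prod graph (and still blocks the flagged tar-stream 2.x versions).
  #
  # shellAccess
  # This alert fires on every module that imports node:child_process, and
@@ -69,12 +74,16 @@ version: 2
  # This is ajv's standard codegen path; no caller-supplied data flows
  # into the compiled function body.
  #
- # better-sqlite3 PRAGMA helper
- # Socket may flag better-sqlite3/lib/methods/pragma.js because it
- # constructs PRAGMA SQL from its caller-provided `source` string. The
- # gateway does not call db.pragma() from production code; SQLite setup
- # uses fixed literal db.exec("PRAGMA ...") statements, and the release
- # security audit fails future production `.pragma()` calls.
+ # SQLite (node:sqlite) adapter isolation
+ # As of 2.0.0 persistence uses Node's built-in `node:sqlite` module (no
+ # native binding, no install scripts) through a single adapter,
+ # src/sqlite-driver.ts. No `db.pragma()` helper exists on node:sqlite and
+ # the gateway never calls one; SQLite setup uses fixed literal
+ # db.exec("PRAGMA ...") statements. The release security audit hard-fails
+ # if production code references node:sqlite outside the adapter or
+ # reintroduces a `.pragma()` call. (better-sqlite3 — and its
+ # lib/methods/pragma.js that older Socket scans flagged — is now a
+ # devDependency only and is absent from the published prod artifact.)
 
  issueRules:
  # Defaults from Socket. Listed explicitly so future contributors see what
@@ -84,7 +93,7 @@ issueRules:
  didYouMean: true
  installScripts: true
  telemetry: true
- hasNativeCode: true # better-sqlite3 known and expected
+ hasNativeCode: true # devDependency-only as of 2.0.0 (better-sqlite3); prod artifact has no native code
  shellAccess: false # reviewed gateway capability; see rationale above
  shellScriptOverride: true
  gitDependency: true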
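Review bot: The rewritten rationale in the first hunk labels the tar-stream@2.2.0 finding "Historical (resolved in 2.0.0)" and says the audit "still blocks the flagged tar-stream 2.x versions", but the same release removes the `tar-stream: 3.1.7` override from package.json while better-sqlite3 remains a devDependency, so the chain this very comment names (better-sqlite3 → prebuild-install → tar-fs) can resolve tar-stream 2.x again for any install that includes devDependencies; only the prod graph is covered by the audit sentence that precedes it. The comment should state the residual dev-graph exposure instead of calling the issue resolved, e.g. append `# Dev graph: better-sqlite3 (devDependency) may still pull tar-stream 2.x via prebuild-install/tar-fs; install-time only, accepted for trusted dev/CI installs — run CI installs with --ignore-scripts or re-add the override if that assumption changes.` Whether the lockfile actually resolves 2.2.0 for the dev graph is not visible in this diff and should be checked before the wording is finalised. The `hasNativeCode` comment in the last hunk is consistent with this picture and needs no change.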