llm-cli-gateway 1.5.13 → 1.5.14

package/CHANGELOG.md

@@ -2,6 +2,17 @@
 
 All notable changes to the llm-cli-gateway project.
 
+## [1.5.14] - 2026-05-24
+
+### Fixed
+
+- Remove the Redis Lua `eval` lock-release path from production source and replace it with Redis `WATCH`/`MULTI` compare-and-delete semantics.
+- Add exact direct production dependencies for `content-type@1.0.5` and `type-is@2.0.1` so packed consumer installs do not resolve the Socket-flagged `content-type@2.0.0` / `type-is@2.1.0` versions.
+
+### Added
+
+- Add `npm run security:audit` as a CI/release gate covering `npm audit --omit=dev`, production source dynamic-execution scanning, blocked dependency-version checks, and a packed consumer install policy check.
+
 ## [1.5.13] - 2026-05-24
 
 ### Fixed

package/dist/session-manager-pg.d.ts

@@ -24,8 +24,9 @@ export declare class PostgreSQLSessionManager {
      */
     private acquireLockWithRetry;
     /**
-     * Release distributed lock using Lua script for atomic compare-and-delete
-     * Only releases if lockValue matches (prevents releasing another process's lock)
+     * Release distributed lock with optimistic Redis transaction semantics.
+     * Only releases if lockValue matches, which prevents releasing another
+     * process's lock after expiry/reacquire.
      */
     private releaseLock;
     /**

package/dist/session-manager-pg.js

@@ -52,20 +52,25 @@ export class PostgreSQLSessionManager {
         }
     }
     /**
-     * Release distributed lock using Lua script for atomic compare-and-delete
-     * Only releases if lockValue matches (prevents releasing another process's lock)
+     * Release distributed lock with optimistic Redis transaction semantics.
+     * Only releases if lockValue matches, which prevents releasing another
+     * process's lock after expiry/reacquire.
      */
     async releaseLock(key, lockValue) {
         const lockKey = `lock:${key}`;
-        // Lua script for atomic compare-and-delete
-        const script = `
-      if redis.call("get", KEYS[1]) == ARGV[1] then
-        return redis.call("del", KEYS[1])
-      else
-        return 0
-      end
-    `;
-        await this.redis.eval(script, 1, lockKey, lockValue);
+        await this.redis.watch(lockKey);
+        try {
+            const currentValue = await this.redis.get(lockKey);
+            if (currentValue !== lockValue) {
+                await this.redis.unwatch();
+                return;
+            }
+            await this.redis.multi().del(lockKey).exec();
+        }
+        catch (error) {
+            await this.redis.unwatch().catch(() => undefined);
+            throw error;
+        }
     }
     /**
      * Invalidate session cache

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.5.13",
+  "version": "1.5.14",
   "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
   "license": "MIT",
@@ -76,7 +76,8 @@
     "lint:fix": "eslint src/**/*.ts --fix",
     "format": "prettier --write 'src/**/*.ts'",
     "format:check": "prettier --check 'src/**/*.ts'",
-    "check": "npm run build && npm run lint && npm test",
+    "security:audit": "bash scripts/release-security-audit.sh",
+    "check": "npm run build && npm run lint && npm test && npm run security:audit",
     "release:build": "bash installer/build-release.sh",
     "release:checksums": "cd installer/dist && sha256sum --check SHA256SUMS",
     "release:docker": "docker compose -f docker-compose.personal.yml build"
@@ -84,9 +85,11 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "better-sqlite3": "^12.10.0",
+    "content-type": "1.0.5",
     "ioredis": "^5.4.1",
     "pg": "^8.12.0",
     "toml": "^3.0.0",
+    "type-is": "2.0.1",
     "zod": "^3.23.0"
   },
   "devDependencies": {