npm - llm-cli-gateway - Versions diffs - 1.5.13 → 1.5.15 - Mend

llm-cli-gateway 1.5.13 → 1.5.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +23 -0
package/dist/db.d.ts +2 -2
package/dist/db.js +25 -2
package/dist/migrate.js +12 -1
package/dist/session-manager-pg.d.ts +4 -3
package/dist/session-manager-pg.js +16 -11
package/package.json +25 -9

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,29 @@
 All notable changes to the llm-cli-gateway project.
+## [1.5.15] - 2026-05-24
+### Fixed
+- Make the desktop bootstrapper `upgrade` command discover the latest GitHub release bundle and SHA256SUMS itself, so `llm-cli-gateway upgrade` no longer depends on stale `RVWR_GATEWAY_BUNDLE_URL` / `RVWR_GATEWAY_BUNDLE_SHA256` shell state.
+- Add desktop bootstrapper `--version`, `version`, `--help`, `-help`, and `/?` handling, and report the real release version in `doctor` instead of `"bootstrapper"`.
+- Normalize bundle checksum comparison and include expected/actual hashes when verification fails.
+### Changed
+- Move `pg` and `ioredis` out of the default production install path and into optional peer dependencies, while keeping them as dev dependencies for PostgreSQL/Redis tests and development.
+## [1.5.14] - 2026-05-24
+### Fixed
+- Remove the Redis Lua `eval` lock-release path from production source and replace it with Redis `WATCH`/`MULTI` compare-and-delete semantics.
+- Add exact direct production dependencies for `content-type@1.0.5` and `type-is@2.0.1` so packed consumer installs do not resolve the Socket-flagged `content-type@2.0.0` / `type-is@2.1.0` versions.
+### Added
+- Add `npm run security:audit` as a CI/release gate covering `npm audit --omit=dev`, production source dynamic-execution scanning, blocked dependency-version checks, and a packed consumer install policy check.
 ## [1.5.13] - 2026-05-24
 ### Fixed

package/dist/db.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { Pool } from "pg";
-import { Redis } from "ioredis";
+import type { Pool } from "pg";
+import type { Redis } from "ioredis";
 import { Config } from "./config.js";
 import type { Logger } from "./logger.js";
 export interface HealthCheckResult {

package/dist/db.js CHANGED Viewed

@@ -1,5 +1,3 @@
-import { Pool } from "pg";
-import { Redis } from "ioredis";
 import { noopLogger } from "./logger.js";
 /**
  * Database connection manager for PostgreSQL and Redis
@@ -20,6 +18,8 @@ export class DatabaseConnection {
      * Initialize connections to PostgreSQL and Redis
      */
     async connect() {
+        const { Pool } = await importOptionalPg();
+        const Redis = await importOptionalRedis();
         // Initialize PostgreSQL pool
         const poolConfig = {
             connectionString: this.config.database.connectionString,
@@ -160,6 +160,29 @@ export class DatabaseConnection {
         return this.redis;
     }
 }
+async function importOptionalPg() {
+    try {
+        return await import("pg");
+    }
+    catch (error) {
+        if (error?.code === "ERR_MODULE_NOT_FOUND" || error?.code === "MODULE_NOT_FOUND") {
+            throw new Error("PostgreSQL sessions require optional peer dependency 'pg'. Install it alongside llm-cli-gateway to use DATABASE_URL/REDIS_URL-backed sessions.");
+        }
+        throw error;
+    }
+}
+async function importOptionalRedis() {
+    try {
+        const mod = await import("ioredis");
+        return mod.Redis ?? mod.default;
+    }
+    catch (error) {
+        if (error?.code === "ERR_MODULE_NOT_FOUND" || error?.code === "MODULE_NOT_FOUND") {
+            throw new Error("PostgreSQL sessions require optional peer dependency 'ioredis'. Install it alongside llm-cli-gateway to use DATABASE_URL/REDIS_URL-backed sessions.");
+        }
+        throw error;
+    }
+}
 /**
  * Factory function to create and connect DatabaseConnection
  */

package/dist/migrate.js CHANGED Viewed

@@ -1,5 +1,4 @@
 #!/usr/bin/env node
-import { Pool } from "pg";
 import { readFileSync, readdirSync } from "fs";
 import { join, dirname } from "path";
 import { fileURLToPath } from "url";
@@ -68,6 +67,7 @@ async function main() {
         console.error("ERROR: DATABASE_URL environment variable not set");
         process.exit(1);
     }
+    const { Pool } = await importOptionalPg();
     const pool = new Pool({ connectionString: databaseUrl });
     try {
         // Load migrations
@@ -97,4 +97,15 @@ async function main() {
         await pool.end();
     }
 }
+async function importOptionalPg() {
+    try {
+        return await import("pg");
+    }
+    catch (error) {
+        if (error?.code === "ERR_MODULE_NOT_FOUND" || error?.code === "MODULE_NOT_FOUND") {
+            throw new Error("PostgreSQL migrations require optional peer dependency 'pg'. Install it alongside llm-cli-gateway before running migrate.");
+        }
+        throw error;
+    }
+}
 main();

package/dist/session-manager-pg.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { Pool } from "pg";
+import type { Pool } from "pg";
 import type { Redis } from "ioredis";
 import { Session, CliType } from "./session-manager.js";
 import { CacheTtl } from "./config.js";
@@ -24,8 +24,9 @@ export declare class PostgreSQLSessionManager {
      */
     private acquireLockWithRetry;
     /**
-     * Release distributed lock using Lua script for atomic compare-and-delete
-     * Only releases if lockValue matches (prevents releasing another process's lock)
+     * Release distributed lock with optimistic Redis transaction semantics.
+     * Only releases if lockValue matches, which prevents releasing another
+     * process's lock after expiry/reacquire.
      */
     private releaseLock;
     /**

package/dist/session-manager-pg.js CHANGED Viewed

@@ -52,20 +52,25 @@ export class PostgreSQLSessionManager {
         }
     }
     /**
-     * Release distributed lock using Lua script for atomic compare-and-delete
-     * Only releases if lockValue matches (prevents releasing another process's lock)
+     * Release distributed lock with optimistic Redis transaction semantics.
+     * Only releases if lockValue matches, which prevents releasing another
+     * process's lock after expiry/reacquire.
      */
     async releaseLock(key, lockValue) {
         const lockKey = `lock:${key}`;
-        // Lua script for atomic compare-and-delete
-        const script = `
-      if redis.call("get", KEYS[1]) == ARGV[1] then
-        return redis.call("del", KEYS[1])
-      else
-        return 0
-      end
-    `;
-        await this.redis.eval(script, 1, lockKey, lockValue);
+        await this.redis.watch(lockKey);
+        try {
+            const currentValue = await this.redis.get(lockKey);
+            if (currentValue !== lockValue) {
+                await this.redis.unwatch();
+                return;
+            }
+            await this.redis.multi().del(lockKey).exec();
+        }
+        catch (error) {
+            await this.redis.unwatch().catch(() => undefined);
+            throw error;
+        }
     }
     /**
      * Invalidate session cache

package/package.json CHANGED Viewed

@@ -1,13 +1,10 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.5.13",
+  "version": "1.5.15",
   "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
   "license": "MIT",
-  "author": {
-    "name": "VerivusAI Labs",
-    "url": "https://github.com/verivus-oss"
-  },
+  "author": "VerivusAI Labs (https://github.com/verivus-oss)",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/verivus-oss/llm-cli-gateway.git"
@@ -76,7 +73,8 @@
     "lint:fix": "eslint src/**/*.ts --fix",
     "format": "prettier --write 'src/**/*.ts'",
     "format:check": "prettier --check 'src/**/*.ts'",
-    "check": "npm run build && npm run lint && npm test",
+    "security:audit": "bash scripts/release-security-audit.sh",
+    "check": "npm run build && npm run lint && npm test && npm run security:audit",
     "release:build": "bash installer/build-release.sh",
     "release:checksums": "cd installer/dist && sha256sum --check SHA256SUMS",
     "release:docker": "docker compose -f docker-compose.personal.yml build"
@@ -84,11 +82,23 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "better-sqlite3": "^12.10.0",
-    "ioredis": "^5.4.1",
-    "pg": "^8.12.0",
+    "content-type": "1.0.5",
     "toml": "^3.0.0",
+    "type-is": "2.0.1",
     "zod": "^3.23.0"
   },
+  "peerDependencies": {
+    "ioredis": "^5.4.1",
+    "pg": "^8.12.0"
+  },
+  "peerDependenciesMeta": {
+    "ioredis": {
+      "optional": true
+    },
+    "pg": {
+      "optional": true
+    }
+  },
   "devDependencies": {
     "@types/better-sqlite3": "^7.6.0",
     "@types/node": "^20.19.30",
@@ -98,6 +108,8 @@
     "@vitest/coverage-v8": "^4.1.2",
     "eslint": "^8.57.1",
     "eslint-config-prettier": "^9.0.0",
+    "ioredis": "^5.4.1",
+    "pg": "^8.12.0",
     "prettier": "^3.0.0",
     "typescript": "^5.0.0",
     "vitest": "^4.0.18"
@@ -105,5 +117,9 @@
   "overrides": {
     "type-is": "2.0.1",
     "content-type": "1.0.5"
-  }
+  },
+  "directories": {
+    "doc": "docs"
+  },
+  "types": "./dist/index.d.ts"
 }