npm - llm-cli-gateway - Versions diffs - 1.5.30 → 1.5.31 - Mend

llm-cli-gateway 1.5.30 → 1.5.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,17 @@
 All notable changes to the llm-cli-gateway project.
+## [1.5.31] - 2026-05-25
+### Changed
+- Replace direct dependency on `toml@3.0.0` (single-maintainer, last released 2020) with `smol-toml@^1.6.1` (actively maintained, TypeScript-native, zero deps). Same `parse(text)` API, drop-in across `src/config.ts`, `src/claude-mcp-config.ts`, and `src/model-registry.ts`.
+### Security
+- Add `socket.yml` documenting the rationale for Socket's behavioural alerts (`networkAccess`, `shellAccess`, `usesEval`). Alerts are left visible — not silenced — so downstream consumers can see the maintainer's review context.
+- Expand README "Security Considerations" with a per-alert breakdown mapping each Socket signal to where it lives in the code and why it is bounded.
 ## [1.5.30] - 2026-05-25
 ### Fixed

package/README.md CHANGED Viewed

@@ -1005,8 +1005,22 @@ The gateway supports concurrent requests across different CLIs. Each request spa
 - **Input Validation**: All prompts are validated (min 1 char, max 100k chars)
 - **Command Execution**: Uses `spawn` with separate arguments (not shell execution)
-- **No Eval**: No dynamic code evaluation
+- **No Eval**: No dynamic code evaluation in our source (see "Socket alerts" below for the transitive `ajv` codegen case)
 - **Sandboxing**: Consider running in containers for production use
+- **Provenance**: Releases are published with [npm provenance](https://docs.npmjs.com/generating-provenance-statements) via OIDC trusted publishing from GitHub Actions
+### Socket alerts — context for reviewers
+If you're vetting `llm-cli-gateway` through [Socket](https://socket.dev/npm/package/llm-cli-gateway) or a similar supply-chain scanner, you'll see three behavioural alerts and some dependency-ownership alerts. They are accurate descriptions of what the package does and what it depends on; we've left them visible (not silenced in `socket.yml`) so you don't have to take our word for it. Here's the context for each:
+| Alert | Where | Why it's bounded |
+|---|---|---|
+| **Network access** | `src/http-transport.ts` opens an HTTP MCP transport when started via `npm run start:http`. `src/endpoint-exposure.ts` issues a HEAD probe to verify configured public/tunnel URLs. | The transport binds to `127.0.0.1` by default and requires `LLM_GATEWAY_AUTH_TOKEN` to be set. The default stdio MCP entry point (`npm start`) opens no sockets. |
+| **Shell access** | `src/executor.ts` uses `child_process.spawn(cmd, args, …)` to invoke the underlying LLM CLIs. | `spawn` is called with an argument array and **never** `shell: true`, so there is no shell interpolation path for caller input. The command name is restricted to an allow-list of known CLI binaries (`claude`, `codex`, `gemini`, `grok`, `vibe`). |
+| **Uses eval** | None in our source. Transitive: `@modelcontextprotocol/sdk` → `ajv@8` uses `new Function(...)` in `ajv/dist/compile/index.js` to compile JSON Schema validators. | This is ajv's standard codegen path. Only known schemas (defined in our source and the MCP SDK) flow into it; no caller-supplied data ever reaches the compiled function body. |
+| **Dependency ownership** | A handful of small transitive packages (e.g. `bindings` via `better-sqlite3`, `media-typer` via `@modelcontextprotocol/sdk`) trip Socket's "unstable ownership" or "obfuscated code" heuristics. | These are pinned, well-known micro-deps in the Node ecosystem with no known issues. We pin direct override versions of `content-type` and `type-is` in `package.json#overrides`. Our previous direct dependency on `toml@3.0.0` (also single-maintainer, last released 2020) was replaced with the actively-maintained `smol-toml` to reduce inherited risk. |
+See [`socket.yml`](./socket.yml) for the same context in machine-readable form.
 ## Contributing

package/dist/claude-mcp-config.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync, renameSync, openSync, fsyncSync, closeSync, chmodSync, } from "fs";
 import { homedir } from "os";
 import { dirname, join } from "path";
-import { parse as parseToml } from "toml";
+import { parse as parseToml } from "smol-toml";
 export const CLAUDE_MCP_SERVER_NAMES = ["sqry", "exa", "ref_tools", "trstr"];
 function asStringArray(value) {
     if (!Array.isArray(value)) {

package/dist/config.js CHANGED Viewed

@@ -108,7 +108,7 @@ function readPersistenceFile(configPath, logger) {
     }
     try {
         const require = createRequire(import.meta.url);
-        const TOML = require("toml");
+        const TOML = require("smol-toml");
         const text = readFileSync(configPath, "utf-8");
         const parsed = TOML.parse(text);
         return { raw: parsed?.persistence, sourcePath: configPath };

package/dist/executor.js CHANGED Viewed

@@ -152,10 +152,15 @@ const WINDOWS_CMD_META_CHARS = /([()\][%!^"`<>&|;, *?])/g;
 function escapeWindowsCmdCommand(value) {
     return win32.normalize(value).replace(WINDOWS_CMD_META_CHARS, "^$1");
 }
+// CommandLineToArgvW rules: a run of N backslashes before a literal " must be
+// doubled and followed by \" (yielding 2N+1 backslashes total, so the parser
+// strips N and keeps the quote as literal); a run of N backslashes immediately
+// before the closing " must be doubled (2N) so the quote still terminates the
+// arg. Then wrap in quotes and caret-escape cmd.exe metacharacters.
 function escapeWindowsCmdArgument(value) {
     let arg = `${value}`;
-    arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');
-    arg = arg.replace(/(?=(\\+?)?)\1$/, "$1$1");
+    arg = arg.replace(/(\\*)"/g, '$1$1\\"');
+    arg = arg.replace(/(\\*)$/, "$1$1");
     arg = `"${arg}"`;
     return arg.replace(WINDOWS_CMD_META_CHARS, "^$1");
 }

package/dist/model-registry.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { existsSync, readFileSync, readdirSync, statSync } from "fs";
 import { homedir } from "os";
 import path from "path";
-import { parse as parseToml } from "toml";
+import { parse as parseToml } from "smol-toml";
 const FALLBACK_INFO = {
     claude: {
         description: "Anthropic's Claude Code CLI - best for code generation, analysis, and agentic coding tasks",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.5.30",
+  "version": "1.5.31",
   "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
   "license": "MIT",
@@ -49,6 +49,7 @@
     "setup/status.schema.json",
     "README.md",
     "CHANGELOG.md",
+    "socket.yml",
     "LICENSE"
   ],
   "scripts": {
@@ -83,7 +84,7 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "better-sqlite3": "^12.10.0",
     "content-type": "1.0.5",
-    "toml": "^3.0.0",
+    "smol-toml": "^1.6.1",
     "type-is": "2.0.1",
     "zod": "^3.23.0"
   },

package/socket.yml ADDED Viewed

@@ -0,0 +1,49 @@
+version: 2
+# Socket alerts on llm-cli-gateway
+# ---------------------------------
+# This package intentionally triggers three of Socket's behavioural alerts.
+# We do NOT disable them — they are accurate descriptions of what the package
+# does, and silencing them would hide useful signal from anyone evaluating
+# this dependency. The rationale for each is documented inline below and in
+# detail under "Security Considerations" in README.md.
+#
+#   networkAccess
+#     src/http-transport.ts opens an HTTP MCP transport (createServer/listen).
+#     Defaults to 127.0.0.1, auth-token gated (LLM_GATEWAY_AUTH_TOKEN).
+#     src/endpoint-exposure.ts also issues a HEAD probe when verifying
+#     tunnel reachability — opt-in via the start:http entry point only.
+#
+#   shellAccess
+#     src/executor.ts uses child_process.spawn(cmd, args, { ... }) with a
+#     fixed allow-list of CLI binaries (claude / codex / gemini / grok /
+#     vibe). shell:true is never set; arguments are passed as an array, so
+#     there is no shell interpolation path for user input. Spawning these
+#     CLIs is the entire purpose of the package.
+#
+#   usesEval
+#     Not in our source. Transitive via @modelcontextprotocol/sdk → ajv@8,
+#     which compiles JSON Schema validators using `new Function(...)`.
+#     This is ajv's standard codegen path; no caller-supplied data flows
+#     into the compiled function body.
+issueRules:
+  # Defaults from Socket. Listed explicitly so future contributors see what
+  # is enforced rather than relying on implicit defaults.
+  malware: true
+  troll: true
+  didYouMean: true
+  installScripts: true
+  telemetry: true
+  hasNativeCode: true            # better-sqlite3 — known and expected
+  shellScriptOverride: true
+  gitDependency: true
+  httpDependency: true
+  invalidPackageJSON: true
+  unresolvedRequire: true
+githubApp:
+  enabled: true
+  pullRequestAlertsEnabled: true
+  dependencyOverviewEnabled: true
+  projectReportsEnabled: true