v6.1.0-beta.10 — Verify-after-write, assertion counter, SSE stream, small-viewport polish

v6.1.0-beta.10 — 2026-05-16 — Verification stuck-loop detector + live event stream

Two follow-ups on the beta.9 verify-after-write foundation:

Driver-loop assertion-failure counter

When a specialist's spawn produces an artifact that fails its
post-write check (byte-count drift, magic-header mismatch, partial
write), the driver loop now increments a per-subtask
consecutiveAssertionFailures counter. Three failures in a row on
the same subtask force a verify_fail block — preventing the
"specialist keeps reporting success but the artifact never matches"
stuck-loop pattern. A passing verification resets the counter.

Pairs with the existing consecutiveIdenticalErrors (catches
repeated tool throws) and consecutiveNeedsInfoCount (catches empty
needs_info loops) — three independent termination paths now defend
the driver from different stuck-loop shapes.

GET /api/verification/stream (Server-Sent Events)

New SSE endpoint that pushes every verification event as it happens
(file_write / file_append / file_edit / image_download /
browser_fetch). On connect the server replays the last 32 events
as a snapshot frame so a fresh subscriber sees current state
without polling. Heartbeat every 15 s keeps proxies from reaping
the connection.

Subscribed by the Mission Canvas trust line in a follow-up UI ship.

Tests

• 5 new tests in tests/verification.test.ts (24 total) for
  verificationEventsSince time + kind filtering and for
  subscribeVerification fan-out, unsubscribe, and listener
  isolation (a thrown listener does not break the recorder).
• 57 driver-state tests continue to pass with the new branch.

No API contract changes. No schema changes. No new dependencies.

---

v5.4.1 — 🛡️ Layer Reliability

Patch release. Tightens the provider, UI, mesh, and config layers around
the v5.4.0 framework so every transient failure has a predictable,
testable recovery path. 1057 deterministic tests pass in 19s across
41 files. Typecheck clean.

Created by Tony Elliott aka djtony707.

Added

Per-model output clamping (Kimi)

• New src/providers/modelCapabilities.ts — central source of truth for
  every provider's context-window + max-output ceiling, plus a family-
  pattern fallback for unknown specific versions and a config override
  hook (providers.modelCapabilities[<model>]).
• clampMaxTokens(model, requested) is now called inside Anthropic,
  OpenAI, OpenAI-compatible, Google, and Ollama providers. DEFAULT_MAX_TOKENS
  becomes a "user-preference ceiling" (bumped to 200K) — the clamper
  silently lowers it to each model's real ceiling so the caller can ask
  for a high default without 400-ing on capped providers.

Retry/failover stream events (no more text-leak)

• New retry variant on ChatStreamChunk (discriminated union in
  src/providers/base.ts). Pre-fix the router yielded
  \n[Retrying request (1/4) due to rate_limit...]\n\n as a text
  chunk, which leaked retry banners straight into the assistant's
  response.
• agent/agentLoop.ts consumers now have onRetry / onFailover
  callbacks; chunk handlers route retry/failover branches out-of-band
  (logged + callback fired, never appended to streamContent).
• Gateway emits dedicated event: retry and event: failover SSE
  frames so the UI can render status indicators without parsing the
  text stream.

New Issue dialog in the sidebar

• ui/src/components/layout/TitanSidebar.tsx — the Quick Create button
  now opens a Modal that posts to /api/command-post/issues and
  navigates to the new issue. Pre-fix the button had an empty onClick.

5 Hunt regression tests

• tests/hunt-regression.test.ts adds top-level describes for Findings
  #16 (sanitizer false-positive), #21 (narrator preamble + minimax XML
  leak), #28 (dangerous-shell invariants), #30 (broken npm install),
  #37 (Retry-After plumbing).

Fixed

Gemini tool message serialization (src/providers/google.ts)

• New strict pre-serialization validation: every function_response
  must have a non-empty name paired with a tool_call_id that
  references a recorded prior tool_call in the conversation. Drops
  malformed tool messages with a logged warning instead of forwarding
  them and triggering Gemini's opaque 400 response.
• Optional debug dump: GOOGLE_DUMP_REQUEST_BODY=1 (or
  providers.google.dumpRequestBody: true) writes failing request
  bodies to ~/.titan/debug/gemini-requests/ for post-mortem.

Streaming fallback success recording (src/providers/router.ts)

• tryFallbackChainStream used to call recordSuccess(provider) the
  moment it acquired the generator — before any chunk had been
  produced. The breaker booked optimistic success for streams that
  errored mid-flight. Replaced with a monitored() wrapper that books
  success only after the underlying stream completes without throwing,
  and books failure on error chunks or thrown errors. Same wrapping
  applied to the priority-failover loop.

Provider failover beyond first attempt (src/providers/router.ts)

• The priority-failover loop was gated by attempt === 0; if the
  initial attempt was retryable but exhausted, no failover was tried.
  Replaced with priorityFailoverAttempted and fallbackChainAttempted
  latches so both fallback paths are reachable on any exhausted-retry
  attempt — and each is attempted at most once per chatStream call.

Mesh multi-hop reply routing (src/mesh/transport.ts)

• route_forward sendReply no longer blindly writes to the inbound
  socket. Forwarded requests can arrive via intermediate hops; the
  reply now uses routeMessageMultiHop keyed on the original requester
  id (carried through payload.originalRequesterId) and falls back to
  the inbound socket only as a last resort. Added a matching
  task_response handler for the requester end so multi-hop replies
  resolve pending requests.

Mesh stale route invalidation (src/mesh/transport.ts)

• findNextHop now validates the next-hop's WebSocket state in addition
  to checking lastUsedAt staleness — a closed socket no longer sits
  in the routing table for the full 5-minute ROUTE_STALE_MS window.
• New invalidateRoutesVia(nodeId) is wired into both inbound and
  outbound WebSocket close + error handlers. Triggers an immediate
  distance-vector broadcast so the rest of the mesh converges in
  seconds rather than waiting for the next periodic cycle.

pendingApproval hook return value (ui/src/hooks/useSSE.ts)

• The hook always returned pendingApproval: false regardless of SSE
  content because the variable that tracked it was a closure-local
  inside send(). Promoted to a useState(isPendingApproval) so the
  returned value reflects state across renders, with reset on each new
  send.

Config drift visibility (src/config/config.ts)

• New recursive diff between rawConfig and the Zod-parsed result —
  unknown keys at any nesting depth are now logged with their full
  dot-notation path (e.g.
  Unknown config key: providers.anthropic.unknownField). Pre-fix only
  top-level unknown keys were warned about. Strictly informational —
  never blocks startup.

Log parser regex documentation (ui/src/api/client.ts)

• Added a 12-line comment documenting the gateway log line format
  (YYYY-MM-DD HH:MM:SS <LEVEL> <COMPONENT> <message>) and the
  history of the corrupted DEn alternation that briefly hid every
  ERROR/WARN entry from the dashboard.

Test description drift (tests/providers.test.ts)

• 'should contain exactly 31 presets' → '32 presets' (matches the
  assertion that already required 32). Maintainer note added so the
  description and the assertion stay in sync next time.

---

v5.4.0 — 🧠 Real Framework

Phase 9 release. Lifts TITAN from "agent that runs" to "agent that
remembers, doesn't fabricate, doesn't leak, and survives flooded inboxes."
Eight tracks across two co-working agents (Claude + Kimi K2.6) landed in a
single bundle.

728 deterministic tests pass in 7.80 s. Typecheck + UI build clean.

Created by Tony Elliott aka djtony707.

Added

Track B — Memory upgrades

• src/memory/index.ts (NEW) — inverted-index TF-IDF keyword search.
  Sub-50 ms query at 5 000 episodes (verified via tests/unit/memory-index.test.ts).
  Wired into searchMemory, addEpisode, enforceMemoryBounds.
• addEpisode now accepts { awaitEntities: true } to close the entity-
  extraction race window — replaces the brittle "wait 100 ms and hope" pattern.
• enforceMemoryBounds now prunes entities by salience score
  (typeWeight × (1 + episodeRefs + facts)) instead of FIFO lastSeen.
  Identity entities (person, project) survive log floods that previously
  evicted them.
• memory.vectorSearchEnabled default flipped false → true. Silent
  fallback contract preserved — installs without Ollama running don't break.

Track D — Fabrication guard

• src/safety/fabricationGuard.ts (NEW) — pattern detection across six
  categories (file_write / file_edit / file_delete / shell_run /
  web_action / tool_used). All patterns require first-person voice and
  cross-check against tool history.
• verifyFileWriteClaim(path, expected?) — SHA-256 hash check, lenient
  trailing-whitespace compare, doesn't throw on invalid paths.
• buildNudgeMessage(findings) — blunt corrective text for the next turn.

Track A — Sub-agent safety (Kimi)

• Stall detection (3 identical responses → bail).
• Loop detection (identical tool+args fingerprint → bail).
• Per-tool error wrapping (returns ToolResult instead of throwing).
• Tool output summarization (>10K chars truncated with marker).
• Graceful degradation (all tools fail → early bail with error summary).

Track C — Self-improvement activation (Kimi)

• Checkpoint-before-mutation + auto-rollback on score drop.
• Rate limiting (max 1 mutation/hour via canMutate/recordMutation).

Fixed

Operational session leak (Phase 9 hotfix)

• TITAN PC v5.3.2 accumulated 755 in-memory sessions in 29 min. Root
  cause: every endpoint that internally calls processMessage with a
  templated channel name (autoresearch-trigger-${type},
  twilio-call-${callSid}, initiative-fix, monitor, mesh,
  deliberation, eval) created a unique cache key under
  ${channel}:${userId}:${agentId} — and all sessions shared the same
  30 min idle TTL. At ~26 sessions/min creation rate, the 30 min window
  buffered 750+ entries before the first one expired.
• src/agent/session.ts: new isEphemeralChannel(channel) classifier.
  Persistent allowlist (webchat, voice, discord, telegram, slack, …)
  keeps the full SESSION_TIMEOUT_MS (30 min); everything else gets
  EPHEMERAL_TTL_MS (5 min).
• LRU cap on ephemeral cache: EPHEMERAL_MAX_ACTIVE = 100. Beyond that,
  oldest-by-lastActive get evicted.
• 7-day idle DB purge in cleanupStaleSessions so the store doesn't grow
  forever when sessions never get re-messaged.
• src/gateway/server.ts: cleanup interval shortened 5 min → 60 s so
  ephemeral 5 min TTL evicts within ~1 min of expiry.
• New POST /api/sessions/sweep endpoint with {channel?, channelPrefix?, idleMs?, force?} body for live operational drain — no service restart.
  Default sweep closes every ephemeral; force: true includes persistent.

Pre-existing typecheck errors

• src/skills/builtin/gepa.ts: await in a non-async function — wrapped
  daemon registration in void (async () => { … })().
• src/skills/builtin/self_improve.ts: SELF_IMPROVE_DIR used at line
  20 before its export const declaration at line 111. Hoisted const to
  top, re-exported via export { SELF_IMPROVE_DIR }.

Test fixture stale-date trap

• tests/integration/smoke.test.ts "Session Listing" idle fixture used
  hardcoded 2026-04-13 dates — past the new 7-day idle purge threshold.
  Wrapped in vi.useFakeTimers + vi.setSystemTime('2026-04-13T11:00Z')
  so the test stays valid as wall-clock time advances. Added
  debouncedSave: vi.fn() to the memory/memory.js mock.

Tests

• tests/unit/memory-index.test.ts (NEW, 24): tokenization, ranking,
  IDF dampening, idempotent add, removal, vocabulary, performance budget.
• tests/unit/memory-vector.test.ts (NEW, 5): schema default, embedding-
  model default, signature exports.
• tests/unit/memory-salience-pruning.test.ts (NEW, 10): survival
  ordering, recency tiebreak, identity protection, fallback weights.
• tests/unit/fabrication-guard.test.ts (NEW, 26): all six categories,
  multi-finding responses, no false fires on tool-backed claims, third-
  person prose ignored, buildNudgeMessage format.
• tests/unit/fabrication-verify.test.ts (NEW, 10): existence, empty-
  file flagging, lenient compare, hash determinism.
• tests/unit/session-cleanup.test.ts (NEW, 21): per-channel TTL split,
  LRU cap eviction order, sweep filters, 7-day idle purge.
• tests/unit/subagent-safety.test.ts (NEW, 11): stall/loop detection,
  per-tool error wrap, output truncation, graceful degradation.
• tests/unit/self-improve.test.ts (NEW, 7): checkpoint/restore + rate
  limiting.

---

v5.0.1 — Spacewalk 🚀

🚀 v5.0.1 — Spacewalk

The biggest TITAN release since v1.0. Mission Control becomes a browser-first widget canvas, 110 production-ready widget templates ship out of the box, multi-agent orchestration is hardened, observability is end-to-end, and the agent gains live situational awareness of the canvas it's running in.

Install

npm install -g titan-agent@next
titan onboard
titan gateway

After ~1 week of real-world feedback, 5.0.1 promotes from @next → @latest.

Headline features

🪟 Widget gallery — 110 templates across 25 categories

The canvas chat agent always calls gallery_search first. Say "stock tracker for AAPL" → it lands. Say "control my smart lights" → it lands. Say "spawn a sales agent for me" → it lands.

Categories: agents (employees), automation, cooking, creative, data, devops, document, e-commerce, finance, games, health-fitness, homelab, lifestyle, ml-ai, multi-modal, music-dj, productivity, research, smart-home, social, software-builder, travel, utilities, vehicle, web.

New skill widget_gallery exposes gallery_search / gallery_get / gallery_list with scored fuzzy match (trigger phrase=10, name token=4, trigger token=3, tag=2, description=1) and supports both REPLACE_WITH_X and {{X}} placeholder fills with backslash + single-quote + backtick escaping.

🤖 Agent-employees

Receptionist, SDR, Researcher, Coder, Bookkeeper, Data Analyst, Business Control Tower — each is a real TITAN sub-agent panel, not a chatbot persona.

🏠 Smart-home native

Lights, thermostats, scenes, sensors, presence, energy — all controllable from the canvas via Home Assistant.

🛠️ Software builder

App skeletons (React + form + API wrapper), Mini database, Admin panel, Landing page, Blog engine, Shopify-style store — drop in a template, wire it to APIs, ship the same day.

🧠 Self-aware multi-agent

• systemPromptParts assembles bootstrap + per-turn prompts with per-model overlays and a CANVAS_AWARENESS block.
• multiAgent.routeMessage threads systemPromptAppendix through to processMessage so the canvas delivers live URL/space/widget context every turn.
• New self-awareness modules: companyPortability, conflictResolver, peerAdvise, runContinuations, subdirHints, trajectory.
• agentScope.ts now actually wires config-defined custom agents (was dead code).

📊 End-to-end observability

• PostHog Cloud telemetry (opt-in) with bucketed system fingerprint (no cpuModel / gpuName; ramGB / gpuVramGB rounded to nearest 4 GB).
• Bug-report capture: ~/.titan/bug-reports.jsonl (5 MB rotation, 250 ms burst guard, 4 KB stack truncation) + PostHog forward.
• New POST /api/bug-reports + GET /api/bug-reports/:id endpoints.
• Crash-report secret scrubber.
• Diagnostics snapshot, hardware detection, checkpoint subsystem.

🗣️ F5-TTS voice cloning

Replaces Orpheus. mlx-audio on Mac, container on Linux. Faster, cleaner, cross-platform.

🛡️ Hardening

• PII redaction across tool outputs and LLM responses.
• Five-layer secret-exfiltration scanner.
• Pre-execution scanner blocks rm -rf /, curl | sh, eval, etc.
• Shell lifecycle hooks: pre_tool_call, post_tool_call, on_session_start, on_session_end, on_round_start, on_round_end.
• Filesystem checkpoints with snapshot rollback.

🤝 Agent-bus IPC

Cross-agent collaboration channel at ~/.local/bin/agent-bus with file claims, message bus, and Kimi CLI auto-hook for live multi-agent co-working.

Infrastructure

• Node.js >= 22 (bumped from >= 20)
• 37 providers (4 native + 33 OpenAI-compatible)
• 143 skills loaded, 248 tools
• Mission Control v2 React SPA with 25+ admin panels (Vite 6 + Tailwind 4 + React 19)

Why the version number

5.0.0 was published to npm @next on 2026-04-23 as a preview that predated this gallery + canvas situational-awareness work. 5.0.1 is the real Spacewalk release. Same content as v5.0.0 git tag plus the v4.13.0 ancestor-extraction sprint merged in.

Authoring credits

• Tony Elliott — vision, direction, final QA
• Kimi K2.6 (kimi-cli) — bulk-authored ~80% of the widget template gallery, reviewed the gallery skill before commit
• Claude Opus 4.7 (1M context) — gallery skill, canvas chat-agent integration, system prompt assembly, agent-bus IPC, bug-report capture, staged release commit

Migration

Drop-in for v4.13.x. Mission Control URL, default model, and config schema are backward compatible; new fields default-off.

Full changelog: CHANGELOG.md

TITAN v1.0.0 — First Stable Semver Release

TITAN v1.0.0

TITAN goes semver. This is the first stable release under proper semantic versioning, replacing the 2026.10.XX date-based scheme. All prior versions are deprecated.

Install

npm install titan-agent@1.0.0

Highlights

• Paperclip Integration — Full agent governance: types, API client, routes, and 14 Command Post UI components
• Provider Error Recovery — Circuit breaker pattern, exponential backoff retry, automatic fallback chain
• Multi-Agent Architecture — Async sub-agent execution via Command Post, inter-agent communication with inbox/wakeup system
• PostgreSQL Storage — Full persistence layer with migrations, JSON fallback, budget/reservation tracking
• CI/CD Pipeline — GitHub Actions with Node 20/22/24 matrix, coverage, Dependabot, Docker GPU builds
• Zero Vulnerabilities — 0 npm audit issues, 0 Dependabot alerts

What's New Since 2026.10.68

Added

• Paperclip integration (types, API client, gateway routes, 14 Command Post UI components)
• Provider error recovery (circuit breaker, exponential backoff, fallback chain)
• Mesh transport routing (next-hop resolution, route broadcast, loop detection)
• Agent wakeup system (heartbeat inbox, async task delegation)
• PostgreSQL storage module (StorageProvider, migrations, JSON fallback)
• Cost estimator and heartbeat scheduler
• External adapters (HTTP, lifecycle, process)
• CI/CD pipeline (GitHub Actions, Node 20/22/24, Docker GPU, Dependabot)
• Docker multi-stage build with GPU support and health checks
• 5 developer example projects
• 124 new smoke tests
• Cloud model bypass for OpenRouter parallel processing
• Mission Control mobile-responsive redesign

Fixed

• 38 TypeScript compilation errors from prior agent commits
• Cloud model tool looping (phase separation)
• Gateway shutdown cleanup
• DeepSeek XML tool parsing
• All npm vulnerabilities (brace-expansion, path-to-regexp)
• All 13 Dependabot alerts (MCP SDK, dompurify, lodash, picomatch, flatted)

Changed

• Versioning migrated from 2026.10.XX to semver 1.0.0
• Mandatory QA gate: Coder → QA Tester → CEO + Board approval
• Agent workspace security lockdown (no credentials, shell guards, read-only git configs)

Stats

Metric	Value
Providers	36 (4 native + 32 OpenAI-compatible)
Skills	100+ loaded
Tools	~195 across 100+ skills
Channels	15
Tests	4,430+ across 140 files
npm vulnerabilities	0
Dependabot alerts	0

Contributors

Built by Tony Elliott (@Djtony707) with contributions from the Paperclip AI agent team:

• Backend Engineer, Full Stack Engineer, Founding Engineer (core features)
• DevOps Engineer (CI/CD, Docker)
• Frontend Engineer (Mission Control UI)
• Protocol Engineer (mesh transport, inter-agent comms)
• QA Engineer (smoke tests)
• Research & Strategy Analyst (competitive analysis)
• Documentation Engineer, Developer Relations Manager (docs, examples)

---

Full changelog: CHANGELOG.md

v2026.10.49 — Hindsight MCP Bridge

Hindsight MCP Bridge — Cross-Session Episodic Memory

Added

• Hindsight MCP Bridge (src/memory/hindsightBridge.ts) — Connects TITAN's learning system to Vectorize.io's Hindsight episodic memory
  • retainStrategy() — Stores successful tool sequences as "experience" memories after each task
  • getHindsightHints() — Queries cross-session memory when local strategy hints don't match
  • Fully fire-and-forget — never blocks or crashes if Hindsight is unavailable
  • 14 new tests covering connection detection, retain, recall, error handling

Stats

• 4,390 tests passing across 138 files
• npm: titan-agent@2026.10.49

v2026.10.48 — Smart Auto-Learning

Smart Auto-Learning

Added

• SmartCompress Plugin — Task-type-aware context compression via ContextEngine plugin. Classifies conversations by type (coding, research, analysis, general) and applies optimal compression strategies. Configurable aggressiveness.
• Continuous Learning Feedback Loop — Strategy outcome tracking with recordStrategyOutcome(). Failed strategies auto-excluded from hints. 30-day decay for unvalidated strategies.

Fixed

• Ordered Tool Sequence Capture — Agent loop tracks true execution order with repeats, separate from deduplicated tool set.
• ContextEngine Compact Hook — runCompact() and runAfterTurn() now fire in the agent loop. Plugins participate in compression and post-turn learning.

Stats

• 4,376 tests passing across 137 files
• npm: titan-agent@2026.10.48

v2026.10.47 — Multi-Chip GPU Support

What's New

Multi-Chip GPU Support

• NVIDIA (nvidia-smi), AMD ROCm (rocm-smi), and Apple Silicon (Metal/MPS) GPU detection and monitoring
• Vendor-aware VRAM orchestrator dispatches to correct probe per platform
• Apple Silicon unified memory support (GPU shares system RAM)
• system_info and vram_status tools report vendor-specific GPU details
• New config option: vram.gpuVendor (auto | nvidia | amd | apple | none)

Hindsight MCP Memory Preset

• Builtin MCP preset for Hindsight cross-session episodic memory
• 4-network architecture: world, experience, opinion, observation
• 91% LongMemEval score. Enable via MCP config.

Tool Sequence Learning

• Learning engine now tracks ordered tool call sequences (not just deduplicated sets)
• Task type classification (coding, research, system, creative, general)
• Duplicate sequence merging with success count tracking
• Strategy cap raised 50→200 with smart sorting by success rate + recency

Full Changelog

See CHANGELOG.md for details.

---

Install: npm install -g titan-agent@2026.10.47

v2026.10.43 — VRAM Orchestrator + NVIDIA GPU Skills

What's New

VRAM Orchestrator (v2026.10.43)

Automatic GPU VRAM management for NVIDIA GPUs (tested on RTX 5090, 32GB).

• nvidia-smi polling — periodic GPU state monitoring (VRAM usage, temp, utilization)
• Model auto-swap — when GPU services need VRAM, the orchestrator downgrades the LLM to a smaller model, then upgrades back when done
• Time-bounded leases — services reserve VRAM with auto-expiry, preventing memory hogging
• Async mutex — all VRAM operations serialized, no race conditions
• Emergency OOM — auto-unloads all models if VRAM drops below critical threshold
• 3 agent tools: vram_status, vram_acquire, vram_release
• 4 API endpoints: GET /api/vram, POST /api/vram/acquire, POST /api/vram/release, GET /api/vram/check
• Config schema: vram.* section with services budget map, thresholds, auto-upgrade

NVIDIA GPU Skills (v2026.10.42)

• cuOpt — GPU-accelerated vehicle routing optimization via NVIDIA cuOpt v26.02 async API (tested live, VRP solved in 74ms)
• AI-Q Research — Deep research via Nemotron Super 49B NIM API with citation extraction
• OpenShell Sandbox — K3s-based secure code execution with declarative YAML policies
• All gated behind TITAN_NVIDIA=1 env var

Fixes (v2026.10.41-42)

• Voice mic leak — VoiceOverlay cleanup
• Tool visibility — security.allowedTools default
• OpenAI-compat keepModelPrefix bug
• 6 TypeScript type errors
• Voice system prompt rewrite (500 tokens vs 3000+)

Stats

• 4,321 tests across 135 files (all passing)
• 0 TypeScript errors, 0 ESLint errors
• ~155 tools across 100+ skills

v2026.10.39 — Security Release

🔒 Security Release

Resolved all 23 Dependabot vulnerability alerts — TITAN now has 0 known vulnerabilities.

Changes

• Upgraded matrix-js-sdk v34 → v41
• Added npm overrides for transitive dependencies: esbuild ^0.25.0, yauzl ^3.2.1, langsmith ^0.5.0
• All 3,879 tests passing across 124 test files

Previous Release (v2026.10.38)

• titan doctor --json — Machine-readable JSON output (Issue #2)
• Better provider error messages with actionable hints (Issue #3)
• npm download stats in doctor report (Issue #4)
• 27 weather skill tests (Issue #6)
• 5 dependency vulnerability patches

---

📦 npm install titan-agent@2026.10.39

🤖 Generated with Claude Code