release: 2.0.0-alpha.2 #80
Open
heskew wants to merge 1 commit into
Catches up the published alpha track with the auth/dispatch fixes and the withOAuthValidation refactor that have been on `main` since 2026-05-01. `2.0.0-alpha.1` shipped the Harper v5 baseline but predates the security-relevant work — anyone consuming the alpha should upgrade.

Highlights:

- **Breaking**: `withOAuthValidation` now wraps a Resource class, not an instance. Covers both static and instance dispatch surfaces in Resource API v2.
- **Security**: fail-closed branches added across `requireAuth`, `onValidationError`, and no-context paths. Static-method dispatch bypass closed.
- **Fixed**: `withOAuthValidation` re-exported from the package entry, `405` preserved for unimplemented verbs, lockfile regenerated with optional native deps.
- **Added**: test/withOAuthValidation suite (+1247 lines), integration test harness, harper-mock test helper.
- **Changed**: Node 20 no longer supported.

Full notes in `CHANGELOG.md`.
Reviewed; no blockers found.
This was referenced May 12, 2026
heskew added a commit to HarperFast/ai-review-prompts that referenced this pull request May 12, 2026
…→ gemini-3-flash-preview

The reusable shipped with `gemini-2.5-pro` as the default — wrong tier (flagship instead of mid) AND now a generation behind. The apples-to-apples peer of `_claude-review.yml`'s Claude Sonnet 4.6 (current-gen GA mid-tier) is Google's current-gen mid-tier Flash, which today is `gemini-3-flash-preview`.

Calibration comparison is meaningful only when both sides run current-gen. Defaulting to `gemini-2.5-flash` (last-gen) would bias the comparison against Google.

The reusable's default is what new consumers get out of the box. Consumers worried about preview-drift on every `pull_request` run can override to `gemini-2.5-flash` (last GA mid-tier). The next GA mid-tier — likely `gemini-3-flash` once Google drops the `-preview` suffix — will be a one-line follow-up bump.

Side benefits (preserved from the original 2.5-pro → flash flip rationale):

- Free-tier API access. Pro-tier requires billing on Google AI Studio free-tier projects; mid-tier Flash variants do not. The first dual-reviewer trial on HarperFast/oauth#80 failed with HTTP 429 `limit: 0, model: gemini-2.5-pro` — the Pro tier had zero free-tier allowance.
- Lower cost. PR review is bounded reasoning over a diff; the smaller model is sufficient and meaningfully cheaper at scale.
- Faster turnaround. Author waits less for a review.

Consumers that override to a Flash model today (e.g. HarperFast/oauth's caller currently overriding to `gemini-2.5-flash`) can drop the override once their pin bumps past this commit and decide whether they want the new default or their own pin.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 blocker found.

1. CI configuration regression (downgraded ai-review-prompts pins)
   File: `.github/workflows/claude-review.yml:27`, `.github/workflows/gemini-review.yml:37`
Catches up the alpha track with the auth/dispatch fixes and the `withOAuthValidation` refactor that have been on `main` since `2.0.0-alpha.1` shipped on 2026-05-01. The published alpha predates the security-relevant work — anyone consuming `@harperfast/oauth@alpha` should upgrade.

Highlights

Breaking

- `withOAuthValidation` now wraps a Resource class, not an instance. Covers both static and instance dispatch surfaces in Resource API v2.

Security

- `requireAuth: true` and no request context is available
- `onValidationError` returns `undefined`
- `onValidationError` no longer sees a mutated request, and is no longer invoked without a request

Fixed

- `withOAuthValidation` re-exported from the package entry point
- `withOAuthValidation` reads request from `getContext()` (closes withOAuthValidation doesn't work with Resource API v2 classes #33)
- `405 Method Not Allowed` for unimplemented verbs (was being serialized as `204 No Content`)
- `package-lock.json` regenerated with all optional native deps

Added

- `withOAuthValidation` (+1247 lines covering each verb, both dispatch paths, fail-closed branches, callback contract)
- `integrationTests/`) with Harper v5 fixtures
- `harper-mock` helper for Node-only unit tests

Changed

Full notes in `CHANGELOG.md`.

Post-merge

- `v2.0.0-alpha.2` — the existing `release.yml` workflow publishes to npm on `release: published`, with `--provenance --access public`
- `@harperfast/oauth@alpha` resolves to `2.0.0-alpha.2` on npm

🤖 Generated with Claude Code
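
The class-versus-instance point in the notes above, as an added JavaScript sketch that is not part of this PR and not the package's code: a guard applied to a class can cover static and instance verb handlers alike and deny when no request context exists or the error callback returns nothing. `guardResourceClass`, `HttpError`, `Notes`, the option shapes and the 401 status are hypothetical; only the names `requireAuth`, `onValidationError` and `getContext` come from the page, and their behaviour here is assumed.

```javascript
// Added illustration. Every name here is hypothetical; this is not the
// @harperfast/oauth implementation or its API.
const VERBS = ['get', 'post', 'put', 'patch', 'delete'];

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

function guardResourceClass(Base, { validate, getContext, requireAuth = true, onValidationError }) {
  // Resolves to undefined when the call may proceed, or to a denial response.
  async function check() {
    const request = getContext()?.request;
    const session = request ? await validate(request) : null;
    if (session || !requireAuth) return undefined;
    // No request context: deny, and never invoke the callback without a request.
    if (!request) throw new HttpError(401, 'no request context');
    // The callback gets a frozen shallow copy, not the live request.
    const response = await onValidationError?.(Object.freeze({ ...request }));
    // Callback absent or returned nothing: deny instead of falling through.
    if (response == null) throw new HttpError(401, 'unauthorized');
    return response;
  }
  const guard = (handler) => async function (...args) {
    const denied = await check();
    return denied ?? handler.apply(this, args);
  };
  class Guarded extends Base {}
  for (const verb of VERBS) {
    // Wrap only verbs the class implements, so a missing verb stays missing
    // and the host can still answer 405 for it.
    if (typeof Base[verb] === 'function') Guarded[verb] = guard(Base[verb]); // static dispatch
    if (typeof Base.prototype[verb] === 'function') {
      Guarded.prototype[verb] = guard(Base.prototype[verb]); // instance dispatch
    }
  }
  return Guarded;
}

// Constructed sample resource with one static and one instance handler.
class Notes {
  static get() { return 'static-data'; }
  get() { return 'instance-data'; }
}
```

A guard that wraps only `new Notes()` would never see calls routed to `Notes.get`, which is why the sketch takes the class.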