Releases: achmdfzn/hippocrates

v1.8.1 — Security & Compat Patch

14 Jun 08:37

Patch release. Bug fixes only, no breaking changes. Recommended upgrade for all users — includes two security fixes (L5/L6 primitive-payload bypass and ML engine path leak) and Node 18 compat.

Security

  • L5/L6 schema validation bypass for primitive payloads. Zod .strict() validation was gated behind a typeof parsed === "object" check in the pipeline, allowing JSON primitives (string, number, boolean, null) to bypass schema validation entirely. Such payloads reached the inner handler with validatedBody: null and no threat-score penalty. Moved Zod validation outside the object-typed guard. Obfuscation scan (L5) stays inside since detectObfuscation is inherently recursive on object trees.

  • ML engine path leak to Python sidecar. When req.nextUrl was missing, the plugin sent the full URL (including query string and hash) to the sidecar. Query strings commonly carry API keys, tokens, or PII. Path is now extracted via new URL(req.url).pathname with a safe empty-string fallback; nextUrl.pathname is preferred when present.
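Both security fixes above, as an added TypeScript example that is not hippocrates' own code. The `Schema` interface, `orderSchema`, the `detectObfuscation` stand-in, the penalty values (30 and 50), the `RequestLike` shape and `sidecarPath` are assumptions chosen to mirror the pipeline shape described in the notes, so the block runs with no dependencies (Zod is replaced by a hand-written strict parser with the same throw-on-failure contract).

```typescript
// Added example, not hippocrates' own code. Schema, orderSchema,
// detectObfuscation, the penalty values and sidecarPath are stand-ins
// for the real pipeline so the block runs without Zod or Next.js.

type Verdict = { validatedBody: unknown; penalty: number; reason?: string };

// Minimal Zod-like contract: parse() returns the value or throws.
interface Schema {
  parse(input: unknown): unknown;
}

// Hypothetical strict schema: exactly { user: string, amount: number }.
const orderSchema: Schema = {
  parse(input) {
    if (typeof input !== 'object' || input === null || Array.isArray(input)) {
      throw new Error('expected object');
    }
    const rec = input as Record<string, unknown>;
    for (const key of Object.keys(rec)) {
      if (key !== 'user' && key !== 'amount') throw new Error(`unknown key ${key}`);
    }
    if (typeof rec.user !== 'string') throw new Error('user must be a string');
    if (typeof rec.amount !== 'number') throw new Error('amount must be a number');
    return rec;
  },
};

// Stand-in for the recursive L5 scan: flags escaped or percent-encoded text
// anywhere in an object tree (strings, arrays, nested objects).
function detectObfuscation(value: unknown): boolean {
  if (typeof value === 'string') return /\\u[0-9a-f]{4}|%[0-9a-f]{2}/i.test(value);
  if (Array.isArray(value)) return value.some(detectObfuscation);
  if (value !== null && typeof value === 'object') {
    return Object.values(value as Record<string, unknown>).some(detectObfuscation);
  }
  return false;
}

// Pre-1.8.1 shape (vulnerable): schema validation sits inside the object guard,
// so a JSON primitive skips L6 and reaches the handler with validatedBody null.
function analyzeBodyVulnerable(rawBody: string, schema: Schema): Verdict {
  const parsed: unknown = JSON.parse(rawBody);
  let validatedBody: unknown = null;
  let penalty = 0;
  if (typeof parsed === 'object' && parsed !== null) {
    if (detectObfuscation(parsed)) penalty += 30; // L5
    try { validatedBody = schema.parse(parsed); } // L6 (only for objects)
    catch { penalty += 50; }
  }
  return { validatedBody, penalty };
}

// 1.8.1 shape: only the recursive obfuscation scan stays behind the guard;
// schema validation runs for every parsed payload, primitives and null included.
function analyzeBodyFixed(rawBody: string, schema: Schema): Verdict {
  const parsed: unknown = JSON.parse(rawBody);
  let penalty = 0;
  if (typeof parsed === 'object' && parsed !== null && detectObfuscation(parsed)) {
    penalty += 30; // L5
  }
  try {
    return { validatedBody: schema.parse(parsed), penalty }; // L6, unconditional
  } catch (err) {
    return { validatedBody: null, penalty: penalty + 50, reason: (err as Error).message };
  }
}

// Path sent to the ML engine sidecar: prefer nextUrl.pathname, otherwise parse
// req.url and keep only the path, never the query string or hash.
interface RequestLike {
  url: string;
  nextUrl?: { pathname: string };
}

function sidecarPath(req: RequestLike): string {
  if (req.nextUrl?.pathname) return req.nextUrl.pathname;
  try {
    return new URL(req.url).pathname;
  } catch {
    return ''; // relative or malformed URL: send nothing rather than risk leaking anything
  }
}
```

With the vulnerable variant, the bodies `"hello"` and `null` come back with penalty 0 and `validatedBody: null`; the fixed variant rejects both with the schema's own error, while a well-formed object still passes and an obfuscated but schema-valid object still picks up only the L5 penalty. `sidecarPath` drops `?api_key=...` and `#...` from an absolute URL and returns the empty string for anything `new URL` cannot parse.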

Fixes

  • AbortController timer leak in ML engine plugin. clearTimeout was not called on the !response.ok early-return path or when fetch threw. Moved to try/finally so the timer is always cleared and the controller is never abandoned.

  • Node.js 18 compatibility for crypto global. crypto only became a Node.js global in v19, but engines.node pins to >=18. The honeypot and pipeline code used crypto.randomUUID() directly, which threw ReferenceError on Node 18 (surfaced as CI failures on the Node 18 quality job). Now uses globalThis.crypto ?? node:crypto.webcrypto. Works on Node 18, 20, 22, Edge runtime, and browsers.

  • pytest-asyncio compat in ML engine integration tests. Pinned to 0.24.0 (was >=0.24.0) and switched the async client fixture to @pytest_asyncio.fixture. The 8 integration tests in engine-python/tests/test_api.py previously passed only in isolation; they now pass under full collection.
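The two Node-side fixes above (the AbortController timer leak and the Node 18 crypto global), as an added TypeScript example that is not hippocrates' own code. `sidecarFetchLeaky`, `sidecarFetch`, the `armTimer`/`disarmTimer` bookkeeping and `newRequestId` are hypothetical helpers; the bookkeeping exists only so a test can observe whether a timer was left running. `fetchImpl` is injected so the block runs offline.

```typescript
import { webcrypto } from 'node:crypto';

// Added example, not hippocrates' own code. The sidecarFetch* helpers,
// the timer bookkeeping and newRequestId are hypothetical stand-ins.

interface ResponseLike { ok: boolean; status: number }
type FetchLike = (url: string, init: { signal: AbortSignal }) => Promise<ResponseLike>;
type SidecarResult = { ok: boolean; status: number };

// Bookkeeping: which abort timers are still armed. A leaked timer shows up here.
const activeTimers = new Set<ReturnType<typeof setTimeout>>();
function pendingTimerCount(): number { return activeTimers.size; }
function armTimer(fn: () => void, ms: number): ReturnType<typeof setTimeout> {
  const handle = setTimeout(() => { activeTimers.delete(handle); fn(); }, ms);
  activeTimers.add(handle);
  return handle;
}
function disarmTimer(handle: ReturnType<typeof setTimeout>): void {
  if (activeTimers.delete(handle)) clearTimeout(handle);
}

// Pre-1.8.1 shape (leaky): clearTimeout only on the happy path.
async function sidecarFetchLeaky(url: string, timeoutMs: number, fetchImpl: FetchLike): Promise<SidecarResult> {
  const controller = new AbortController();
  const timer = armTimer(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: controller.signal });
    if (!res.ok) return { ok: false, status: res.status }; // early return: timer leaks
    disarmTimer(timer);
    return { ok: true, status: res.status };
  } catch {
    return { ok: false, status: 0 }; // fetch threw: timer leaks too
  }
}

// 1.8.1 shape: try/finally clears the timer on every path, including the
// !res.ok early return and a thrown fetch, so the controller is never abandoned.
async function sidecarFetch(url: string, timeoutMs: number, fetchImpl: FetchLike): Promise<SidecarResult> {
  const controller = new AbortController();
  const timer = armTimer(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: controller.signal });
    if (!res.ok) return { ok: false, status: res.status }; // still cleared by finally
    return { ok: true, status: res.status };
  } catch {
    return { ok: false, status: 0 }; // network error or abort
  } finally {
    disarmTimer(timer);
  }
}

// Node 18 has no `crypto` global (it arrived in v19); Node 20/22, the Edge
// runtime and browsers do. Fall back to node:crypto's webcrypto export.
interface WebCryptoLike { randomUUID(): string }
function getWebCrypto(): WebCryptoLike {
  const fromGlobal = (globalThis as unknown as { crypto?: WebCryptoLike }).crypto;
  return fromGlobal ?? (webcrypto as unknown as WebCryptoLike);
}

// Same call the honeypot and pipeline make, now safe on Node 18.
function newRequestId(): string {
  return getWebCrypto().randomUUID();
}
```

With a fake `fetchImpl` that answers 503, the leaky version returns and leaves one timer armed until it fires on its own; the try/finally version returns the same result with no timer left behind, and a `fetchImpl` that throws is cleaned up the same way.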

Stats

  • 4 commits since v1.8.0
  • 216 TypeScript tests pass (was 209)
  • 39 Python tests pass (was 31, with 8 broken)
  • All 5 CI jobs green (Node 18/20/22 quality, docker, python-tests)

Full diff: v1.8.0...v1.8.1

v1.8.0

13 Jun 18:44

Breaking

  • Renumber detection layers to match execution order: old L6 (headers, pre-body) is now L4; old L4 (obfuscation, post-body) is now L5; old L5 (schema, post-body) is now L6. Plugin names referencing old layer numbers must be updated.

Fixes

  • Stable sort for AnalyzerPlugin registration order.
  • Remove build:python from prepublishOnly script.
  • Remove static fake coverage badge from README.

Features

  • Real coverage via vitest/v8 + Codecov upload in CI.
  • Separate python-tests CI job (independent of Node matrix).
  • npm run coverage script.
  • Redis-persisted StatsTracker example in README.
  • Plugin use-case examples: rate-limit mimic + scraper detection.

Docs

  • Rewrite README: zero emoji, zero AI-slop, step-by-step tutorial, pairing guide, codebase structure tree.
  • Sync CLAUDE.md and AGENTS.md with updated test counts and layer names.
  • Add star history badge, Changelog, clean GitHub description.
  • Clean up package.json keywords: 25 to 10.

v1.7.3

13 Jun 12:06

What's Changed

  • Coverage: 94.55% → 98.72% statements (+15 tests, 189→204)
  • 100% functions covered across all source files
  • Pipeline: allowlist catch, mid-flight gate, L6 headers, nonJsonBody path
  • Engine: debug mode logging (addScore, handleRedisError, circuit breaker), onViolation hook, use() method
  • Validator: non-ZodError path (refine throws)
  • Docs: README coverage badge updated to 99%

v1.7.2 — Built with Python + CI fixes

13 Jun 11:10

What's New

  • Built with Python — ML engine Python sidecar is now officially part of the project identity
    • GitHub About description updated
    • README badge + Built With section updated
    • npm description updated
  • CI pipeline fixes — branch triggers changed from main to master
  • Python tests in CI — quality job now runs npm run build:python (39 Python tests)
  • Lint cleanup — removed unused lastError variable in ml-engine plugin
  • npm pkg fix — normalized repository.url format
  • tsconfig — added rootDir: ./src, cleaned up redundant excludes

Full changelog

v1.7.0 — ML Engine Release

  • Python sidecar (FastAPI) for prompt injection + obfuscation + content risk detection
  • TS plugin with retry/circuit-breaker (tsup build, Vitest tests)
  • StatsTracker integration tests + AnalysisContext.bodyRaw
  • Bugscan fixes: Redis circuit breaker, CIDR matching, validator edge cases, honeypot
  • Docker Compose for Redis + ML engine
  • 177 TS tests + 39 Python tests = 216 total

v1.7.1 — Build Infrastructure

  • Added build:python and test:all npm scripts
  • prepublishOnly now runs Python tests before publishing
  • All docs synced with Python build steps

v1.7.2 — Project Identity + CI Polish

  • Built with Python branding across all surfaces
  • CI branch fix: main → master
  • Python tests added to CI quality job
  • Lint error fixed
  • Docker healthcheck verification in CI