Release/3.5.0

[bao-byterover]

Summary

• Problem: Ship the 3.5.0 release — Claude Desktop connector support, install.sh layout fix, and a high-severity npm dependency patch — by promoting release/3.5.0 into main.
• Why it matters: Unblocks Claude Desktop users, removes a node shadowing issue from the installer, and closes a known security advisory in a transitive dependency.
• What changed (since v3.4.0):
  • feat [ENG-2079] (feat: [ENG-2079] patch npm high serity #417) — patch npm high-severity vulnerability via basic-ftp bump.
  • feat [ENG-1990] (Feat/eng 1990 #404 / proj/isolate-bundle-node #413) — install.sh keeps bundled Node.js isolated from system node.
  • feat Proj/claude desktop integration #406 — Claude Desktop integration: new connector option in brv connectors install and /connectors, with macOS, Windows (incl. Store installs), and Linux config-path resolution in server/infra/connectors/mcp/claude-desktop-config-path.ts.
  • fix [ENG-2085] (fix: [ENG-2085] strip ANSI codes in query-renderer assertions #411) — strip ANSI codes in query-renderer test assertions.
  • chore — version bump to 3.5.0, CHANGELOG.md entry, CLAUDE.md refresh (test/e2e/, connectors note, brv locations).
• What did NOT change (scope boundary): No swarm, agent core, LLM provider, daemon transport, or VC/worktree behavior changes in this release.

Type of change

• Bug fix
• New feature
• Refactor (no behavior change)
• Documentation
• Test
• Chore (build, dependencies, CI)

Scope (select all touched areas)

• TUI / REPL
• Agent / Tools
• LLM Providers
• Server / Daemon
• Shared (constants, types, transport events)
• CLI Commands (oclif)
• Hub / Connectors
• Cloud Sync
• CI/CD / Infra

Linked issues

• Closes # ENG-2079, ENG-1990, ENG-2085
• Related # Proj/claude desktop integration #406 (Claude Desktop integration)

Root cause (bug fixes only, otherwise write N/A)

• Root cause:
  • ENG-2085: query-renderer tests asserted on raw output that included ANSI color escape codes, making assertions brittle.
  • ENG-2079: transitive basic-ftp version had a high-severity advisory open against it.
  • ENG-1990: install.sh placed bundled Node.js on PATH ahead of the user's system node, causing version conflicts.
• Why this was not caught earlier:
  • ENG-2085: ANSI was only emitted in TTY-attached environments; CI passed because output was plain.
  • ENG-2079: surfaced by a fresh npm audit run after upstream advisory publication.
  • ENG-1990: only manifested for users with a pre-existing Node.js install of a different major version.

Test plan

• Coverage added:
  • Unit test
  • Integration test
  • Manual verification only
• Test file(s):
  • test/integration/connectors/mcp/claude-desktop-mcp-connector.test.ts
  • test/unit/connectors/mcp/claude-desktop-config-path.test.ts
  • test/integration/connectors/mcp/mcp-connector.test.ts (extended)
  • test/commands/connectors/install.test.ts (extended)
• Key scenario(s) covered:
  • brv connectors install "Claude Desktop" writes the correct config path on macOS, Windows (incl. Store install), and Linux.
  • brv connectors install "Claude Code" continues to work unchanged.
  • npm audit reports no high-severity findings on the production dependency tree.
  • install.sh on a host with system node does not shadow or get shadowed by it.
  • brv --version reports 3.5.0.

User-visible changes

• New connector: "Claude Desktop" selectable from brv connectors install and /connectors. Users must fully quit Claude Desktop (tray/menu bar) and reopen to apply.
• install.sh no longer conflicts with an existing system node. Existing users should reinstall to pick up the new layout.
• basic-ftp upgraded to a patched version (resolves npm audit high-severity finding).
• brv --version reports 3.5.0.

Evidence

• Failing test/log before + passing after (test/integration/connectors/mcp/claude-desktop-mcp-connector.test.ts, test/unit/connectors/mcp/claude-desktop-config-path.test.ts)
• Trace/log snippets
• Screenshot/recording
• npm audit --omit=dev clean after feat: [ENG-2079] patch npm high serity #417.

Checklist

• Tests added or updated and passing (npm test)
• Lint passes (npm run lint)
• Type check passes (npm run typecheck)
• Build succeeds (npm run build)
• Commits follow Conventional Commits format
• Documentation updated (CLAUDE.md, CHANGELOG.md)
• No breaking changes
• Branch is up to date with main

Risks and mitigations

• Risk: Claude Desktop config path detection misfires on uncommon Windows install layouts (e.g. Store vs. MSI).
  • Mitigation: Dedicated unit tests in claude-desktop-config-path.test.ts cover Store and standard installs; users can re-run brv connectors install to overwrite.
• Risk: install.sh layout change could leave stale bundled Node.js from prior installs on PATH.
  • Mitigation: CHANGELOG explicitly instructs users to reinstall to pick up the new layout.
• Risk: Auto-update clients pull 3.5.0 before the GCS release artifact (brv-releases) is published.
  • Mitigation: Confirm the oclif release pipeline uploads the 3.5.0 tarball to https://storage.googleapis.com/brv-releases before merging the announce.

[github-actions]

Claude finished @bao-byterover's task in 1m 37s —— View job

---

PR Review: Release/3.5.0

• Gather context (diff, changed files, CI status)
• Review CHANGELOG.md
• Review CLAUDE.md
• Review package.json
• Check CI status
• Post comprehensive review with score

---

Summary

This is a standard release consolidation PR. The branch itself only introduces three commits on top of the feature work already merged into it: a version bump, a CHANGELOG entry, and a CLAUDE.md doc update. The review is focused on those three changes — the underlying feature code (#406, #411, #413, #417) landed in earlier PRs.

CI: Pack and Release ✅ completed successfully. PR Validation still in progress.

---

CHANGELOG.md

praise: The entry is clear, user-focused, and well-organized across Added/Changed/Fixed. Good use of bold command names to aid scannability.

nit: ## [3.5.0] has no release date. Keep-a-Changelog convention is ## [3.5.0] - 2026-04-15. That said, this is consistent with your existing ## [3.4.0] header, so it's a project-level convention — not a new inconsistency introduced here. Worth standardizing in a future cleanup PR, but not a blocker.

suggestion: ENG-2085 (strip ANSI codes in query-renderer test assertions) is absent from the changelog. This is a test-only fix, so omitting it from a user-facing changelog is perfectly reasonable. If you'd like developer-facing transparency, a line under "Fixed" like "Fixed brittle test assertions caused by ANSI escape codes in TTY-attached environments" would add traceability. Not required.

---

CLAUDE.md

praise: Clean one-liner addition for brv locations, placed correctly in the VC/Worktrees section between brv search and resolveProject(). The description matches the implementation pattern (daemon-routed via transport events).

No issues.

---

package.json

praise: Straightforward 3.4.0 → 3.5.0 bump. Minor version increment is correct for a release that adds a new connector (Claude Desktop) — semver is respected.

issue (minor): package-lock.json is not in the changed files list. A version bump in package.json typically also updates package-lock.json. If this project omits the lock file from commits intentionally (or handles it in the publish pipeline), this is fine — but worth confirming it doesn't cause npm ci drift in CI or for contributors.

Fix this →

---

Commit Message

nit: Commit b27af1b has a typo in its message: "patch npm high serity" should be "patch npm high severity". Already in history — can't be changed — but worth noting for future commits.

---

Pre-Merge Risk (from PR body)

The PR itself calls out:

Risk: Auto-update clients pull 3.5.0 before the GCS release artifact (brv-releases) is published.

This is the one item that needs explicit confirmation before merge: confirm the oclif release pipeline has uploaded the 3.5.0 tarball to https://storage.googleapis.com/brv-releases before merging. The "Pack and Release" CI run completed successfully ✅, which is encouraging — but verify the artifact is actually reachable before merging if auto-update is live.

---

Overall Score: 4 / 5

The PR is clean, focused, and well-documented. The underlying feature code landed in prior PRs with test coverage. The only actionable items here are:

1. Confirm package-lock.json is intentionally excluded or add it
2. Verify GCS artifact is live before merging (per the PR's own risk register)

Everything else is minor polish. Approve once the GCS artifact is confirmed.