chore: bump iii-sdk to 0.11.3 across all workers

[rohitg00]

Summary

• Aligns all workers on iii v0.11.3 (released 2026-04-22 — https://github.com/iii-hq/iii/releases/tag/iii/v0.11.3)
• Uses exact pins (=0.11.3) on Rust workers so future minor bumps fail loud
• Thorough review of llm-router included (README, stats comment, clippy cleanup in tests)

Per-worker

worker	before	after	code touched
llm-router	=0.11.2	=0.11.3	README SDK line; stats.rs comment; config.rs test cleanup
image-resize	0.9.0 (+otel feature)	=0.11.3	drop otel feature (OTel now always-on); register_function → register_function_with
iii-lsp	git ssh dep	=0.11.3	WorkerMetadata { ..Default::default() } for new isolation field
todo-worker	0.9.0	0.11.3	delete committed package-lock.json; root .gitignore blocks future lockfiles
todo-worker-python	unpinned	==0.11.3	pyproject only

llm-router review findings addressed

• README referenced iii-sdk 0.11.0 while Cargo pinned =0.11.2. Both now =0.11.3.
• state::list engine endpoint takes only {scope} — prefix sent by workers is silently discarded. Added an accurate comment in stats.rs so future readers understand the scan_prefix optimization is forward-looking until the engine supports prefix filtering. Existing code works because parse_item::<T> type-discriminates via deny_unknown_fields.
• 3 clippy field_reassign_with_default errors in tests fixed via struct-literal form so cargo clippy --all-targets -- -D warnings is clean.

v0.11.3 SDK deltas worth knowing for worker authors

• Node SDK now surfaces a typed IIIInvocationError with .code and .function_id. Existing catch(e) paths keep working; narrow to the typed class when you need .code ≠ TIMEOUT|UNKNOWN|FORBIDDEN|….
• Engine now honors Content-Type + response headers on ApiResponse returns (custom content types pass through correctly).
• RBAC: engine::channels::create, engine::workers::register, engine::log::*, engine::baggage::* are in the infrastructure carve-out. Restrictive allow-lists no longer need to enumerate these.

Verification

• cargo test + cargo clippy --all-targets --all-features -- -D warnings pass on llm-router (30), image-resize (31), iii-lsp (61)
• cargo check clean on all Rust workers against 0.11.3 from crates.io

Test plan

• CI green
• Open PRs rebased onto this (see follow-up comments)

Summary by CodeRabbit

• Chores

  • Updated core SDK dependency to version 0.11.3 across all packages.
  • Updated version pinning strategy for dependency management consistency.

• Documentation

  • Updated SDK version references in project documentation.
  • Improved code comments describing internal scanning behavior.

• Bug Fixes

  • Enhanced worker initialization with default field population.

• Style

  • Updated .gitignore to exclude additional package manager lockfiles.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates the iii-sdk dependency to version 0.11.3 across multiple packages (Rust Cargo and Node/Python projects), adjusts code to use updated SDK APIs, refactors test initialization patterns, updates comments to reflect new SDK behavior, and adds JavaScript package manager lockfiles to .gitignore.

Changes

Cohort / File(s)	Summary
Dependency Version Updates (Cargo) iii-lsp/Cargo.toml, image-resize/Cargo.toml, llm-router/Cargo.toml	Updated iii-sdk dependency to version 0.11.3; iii-lsp switched from Git source to crates.io, and image-resize removed the otel feature flag.
Dependency Version Updates (Node & Python) image-resize/example/package.json, todo-worker/package.json, todo-worker-python/pyproject.toml	Updated iii-sdk dependency versions; Python package pinned exactly to 0.11.3 while Node packages updated from 0.9.0 to 0.11.3.
SDK Compatibility Changes iii-lsp/src/engine_client.rs, image-resize/src/main.rs	Updated WorkerMetadata initialization to include ..Default::default() spread pattern; changed worker function registration from register_function to register_function_with API call.
Test Refactoring llm-router/src/config.rs	Refactored unit tests to construct RouterConfig values immutably using struct update syntax (..RouterConfig::default()) instead of mutable initialization.
Documentation & Comments llm-router/README.md, llm-router/src/functions/stats.rs	Updated README to document iii-sdk =0.11.3 dependency; revised explanatory comments in stats.rs to describe new pagination and filtering behavior in SDK 0.11.3.
Configuration .gitignore	Added package-lock.json, pnpm-lock.yaml, and yarn.lock to ignored patterns for JavaScript package manager lockfiles.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A hop, skip, and upgrade we take,
SDK bumps for each module's sake,
Lock files tucked in .gitignore's fold,
Tests now immutable, refactored with gold! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: bump iii-sdk to 0.11.3 across all workers' directly and clearly describes the main change in the pull request: upgrading the iii-sdk dependency to version 0.11.3 across multiple workers.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/bump-sdk-0.11.3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.gitignore (1)

8-10: Avoid ignoring JS lockfiles repo-wide.

Adding package-lock.json, pnpm-lock.yaml, and yarn.lock to .gitignore makes dependency resolution non-reproducible and weakens supply-chain traceability in CI/CD. Prefer committing exactly one lockfile per JS package-manager path and ignoring only unused lockfile types (or scoping ignores to directories that must stay lockfile-free).

Suggested adjustment

 node_modules
-package-lock.json
-pnpm-lock.yaml
-yarn.lock
+# Keep lockfiles committed for reproducible installs.
+# If needed, ignore only lockfiles for package managers not used in this repo.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 8 - 10, The .gitignore currently ignores all JS
lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock) which prevents
committing a single authoritative lockfile; remove those entries from .gitignore
(or scope them to specific directories that truly should not contain lockfiles)
and instead commit the appropriate lockfile for the chosen package manager for
each package; update repository policy or README to state which package
manager/lockfile to use so CI/CD and dependency resolution remain reproducible.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@todo-worker/package.json`:
- Line 12: The package.json pins "iii-sdk" but no lockfile is committed;
generate and commit the appropriate Node lockfile for the project's package
manager (package-lock.json for npm, pnpm-lock.yaml for pnpm, or yarn.lock for
yarn) by running the install command (npm install / pnpm install / yarn install)
in the todo-worker workspace so transitive dependencies for "iii-sdk" are
reproducible, then add and commit the generated lockfile alongside package.json
and ensure the lockfile is not ignored.

---

Nitpick comments:
In @.gitignore:
- Around line 8-10: The .gitignore currently ignores all JS lockfiles
(package-lock.json, pnpm-lock.yaml, yarn.lock) which prevents committing a
single authoritative lockfile; remove those entries from .gitignore (or scope
them to specific directories that truly should not contain lockfiles) and
instead commit the appropriate lockfile for the chosen package manager for each
package; update repository policy or README to state which package
manager/lockfile to use so CI/CD and dependency resolution remain reproducible.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e0caa5ef-e8a4-4667-8a78-c94edce64d0d

📥 Commits

Reviewing files that changed from the base of the PR and between b37f9a5 and f3cfcec.

⛔ Files ignored due to path filters (3)

• iii-lsp/Cargo.lock is excluded by !**/*.lock
• image-resize/Cargo.lock is excluded by !**/*.lock
• todo-worker/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (12)

• .gitignore
• iii-lsp/Cargo.toml
• iii-lsp/src/engine_client.rs
• image-resize/Cargo.toml
• image-resize/example/package.json
• image-resize/src/main.rs
• llm-router/Cargo.toml
• llm-router/README.md
• llm-router/src/config.rs
• llm-router/src/functions/stats.rs
• todo-worker-python/pyproject.toml
• todo-worker/package.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify whether a package-manager lockfile remains in the repo and can cover Node worker installs.
echo "Node manifests:"
fd -e json 'package\.json$' | sort

echo
echo "Node lockfiles:"
fd '^(package-lock\.json|npm-shrinkwrap\.json|pnpm-lock\.yaml|yarn\.lock|bun\.lock|bun\.lockb)$' | sort

Repository: iii-hq/workers

Length of output: 177

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check if lockfiles are explicitly ignored in .gitignore
echo "=== Checking .gitignore for lockfile patterns ==="
if [ -f .gitignore ]; then
  echo "Contents of .gitignore:"
  cat -n .gitignore
else
  echo ".gitignore not found"
fi

echo
echo "=== Checking for monorepo/workspace locks ==="
fd -e lock -e lockfile | head -20

echo
echo "=== Checking for any .npmrc or package manager config ==="
fd -e npmrc -e yarnrc | head -10

Repository: iii-hq/workers

Length of output: 455

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check recent git history for lockfile removal
echo "=== Recent commits mentioning package-lock or lockfile ==="
git log --oneline --all -20 | grep -i "lock\|package-lock" || echo "No matches in recent commits"

echo
echo "=== Check if package-lock.json was ever in git history ==="
git log --all --full-history --oneline -- "*package-lock.json" | head -10 || echo "No package-lock.json history found"

Repository: iii-hq/workers

Length of output: 760

---

Keep the Node worker install graph reproducible.

iii-sdk is pinned directly, but package-lock.json, pnpm-lock.yaml, and yarn.lock are explicitly excluded via .gitignore. Without a committed package-manager lockfile, workspace lockfile, or equivalent constraints artifact, transitive dependencies will drift between CI and deployment. Please commit a lockfile for Node workers.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@todo-worker/package.json` at line 12, The package.json pins "iii-sdk" but no
lockfile is committed; generate and commit the appropriate Node lockfile for the
project's package manager (package-lock.json for npm, pnpm-lock.yaml for pnpm,
or yarn.lock for yarn) by running the install command (npm install / pnpm
install / yarn install) in the todo-worker workspace so transitive dependencies
for "iii-sdk" are reproducible, then add and commit the generated lockfile
alongside package.json and ensure the lockfile is not ignored.

[rohitg00]

Intentional repo policy: lockfiles stay out of git. Rationale: repo publishes no Node application; package.json only pins the top-level iii-sdk, which is itself pinned to an exact version (0.11.3). The handful of remaining transitive deps are compiled/bundled downstream. Committing a lockfile in each worker would create cross-worker merge conflicts and rotting pins without buying reproducibility the deploy path actually uses. Not applying.

[coderabbitai]

@rohitg00, understood — that's a clear and well-reasoned policy. I'll record it so this isn't flagged again in future reviews.

ʕ •ᴥ•ʔ 🐇💭

---

✏️ Learnings added

Learnt from: rohitg00
Repo: iii-hq/workers PR: 33
File: todo-worker/package.json:12-12
Timestamp: 2026-04-22T20:29:05.242Z
Learning: In the iii-hq/workers repository, it is intentional repo policy to NOT commit Node package manager lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock). Rationale: the repo publishes no Node application; top-level iii-sdk is pinned to an exact version in package.json; transitive deps are compiled/bundled downstream; committing lockfiles per worker would cause cross-worker merge conflicts and rotting pins without adding reproducibility value to the actual deploy path. Do not flag missing lockfiles as an issue in this repository.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: CR
Repo: iii-hq/workers PR: 0
File: iii-lsp-vscode/AGENTS.md:0-0
Timestamp: 2026-04-14T11:20:40.697Z
Learning: Use containers for Node commands in the iii-lsp-vscode project. Do not install host-global Node packages.