chore(release): cut 8.0.0 — Wrapped Subagents permanent mode (+ reconcile package.json 5.0.0→8.0.0)

super-legal-mcp-refactored/CHANGELOG.md

@@ -4,6 +4,33 @@ All notable changes to the Super Legal MCP Server are documented in this file.
 
 ## [Unreleased]
 
+_Nothing yet._
+
+## [8.0.0] - 2026-05-29 — Wrapped Subagents (permanent operating mode)
+
+> **Major release.** Cuts the accumulated work since `7.6.2` into a single version, headlined by the **Wrapped Subagents migration**: the in-process wrapped runner (`src/wrappedSubagents/runner.js`) replaces SDK CLI Task delegation as the **permanent subagent-dispatch mode** (PR [#182](https://github.com/Number531/Legal-API/pull/182), merge `0845cebd`). The **major** bump reflects (1) the architectural replacement of the entire subagent dispatch layer, (2) the persistence trio (`HOOK_DB_PERSISTENCE`/`EMBEDDING_PERSISTENCE`/`RAW_SOURCE_ARCHIVE`) now writing to the **production database** (EU AI Act Art. 12 audit trail), and (3) the sonnet-tier → **Opus 4.8** model/cost transition — even though every change is flag-gated with `WRAPPED_SUBAGENTS=false` rollback. It bundles the post-merge compliance + hygiene follow-ups (PRs #186/#187/#190) and the Opus 4.8 transition (PR #189). **`package.json` reconciled `5.0.0` → `8.0.0`** — it had drifted several majors behind this CHANGELOG's release line.
+>
+> Core scope: 165-commit migration (Phases 4.12 → 4.13 → 6) + Tasks #35 (prompt caching), #117 (bridge token observability), #118 (multi-agent frontend visibility), #121 (QA remediation pipeline) + the synthetic hook-permission engine, server-side compaction, envelope cleaning, and full-fidelity transcripts/sidecars.
+
+### Added — Wrapped-subagent transcript compliance: audit-export bundle + GDPR Art. 17 erasure + offboarding verify (PR [#186](https://github.com/Number531/Legal-API/pull/186), 2026-05-28)
+
+Wrapped subagents write **filesystem-only** transcript artifacts (`reports/<session_key>/wrapped-subagent-transcripts/*.{jsonl,full.jsonl,sidecar.json}` — `.full.jsonl` = Art. 12 record, `.sidecar.json` v1.3.0 = Art. 13/14). The lifecycle skills operated on DB rows only and were blind to them; this closes the gap (live once #189/#182 flags deploy `true`):
+- **`client-audit-export`** — new `collect-transcripts.sh` folds the in-scope sessions' transcripts into `wrapped-subagent-transcripts.tar.gz`, hashed into the SHA-256 manifest (Art. 13 regulator handoff). Range-mode session selection is whole-field anchored (no substring over-inclusion); a path-traversal-safe `--reports-dir` resolution warns loudly when DB-only.
+- **GDPR Art. 17 erasure + tombstone (server-side)** — new `src/utils/transcriptArtifacts.js` `eraseSessionTranscripts(pool, sessionId)` resolves `session_key` (validated against `SESSION_KEY_RE` before any `rm -rf` — path-traversal guard) and removes the transcript dir; best-effort, never blocks the DB op. Wired into `piiManager.erasePII` (Step 1.5) and `retentionManager.tombstoneSession` (post-commit); status surfaced in `adminRouter` responses + audit `event_data`, in `erase-pii.sh`/`tombstone.sh` output, and documented in `art-17-flow.md`.
+- **`client-offboarding`** — counts `wrapped-subagent-transcripts/` entries in the reports archive, hard-warns on the no-running-instance branch (artifacts are unrecoverable once the instance is gone), records the outcome in the final report.
+- Tests: `transcriptArtifacts.test.js` 6/6 (incl. path-traversal guard); collector session/range/skip smoke-verified.
+
+### Changed — Post-#182 hygiene + `report_artifacts` fresh-DB migration (PR [#187](https://github.com/Number531/Legal-API/pull/187), 2026-05-29)
+
+- **`post-deploy-verify` Tier-1 flag list** `REQ_VARS` 7 → 14 — adds the wrapped permanent-mode flags (`WRAPPED_SUBAGENTS`, `PROMPT_CACHE_WRAPPED_SUBAGENTS`, `SERVER_SIDE_COMPACTION`, `ENVELOPE_CLEANER`, `ENVELOPE_CLEANER_V1`, `TRANSCRIPT_FULL_FIDELITY`, `TRANSCRIPT_SIDECAR_WRITE`) so a deploy that silently drops one is caught.
+- **Doc-count corrections** — RUNBOOK.md + `feature-flags.md` "40 agents" → **45 registered** (42 wrapped + 3 unwrapped); the stale `OPUS_MODEL` "dead code" note corrected to **live** (consumed via `MODEL_SHORTHAND_MAP`/`resolveModelId`).
+- **`subagent-scaffold`** gains REQUIRED step 9 (`WRAPPED_SUBAGENT_ALLOWLIST`) — without it a new agent is undispatchable under `WRAPPED_SUBAGENTS=true`.
+- **`migrations/022_artifact-source-width`** (pre-existing fresh-DB bug, NOT from #182) — `report_artifacts.source` `VARCHAR(30)` → `VARCHAR(100)`; the boot-time ALTER in `postgres.js` widened existing DBs but fresh `client-provisioner` deploys via migrations got the truncating 30-char column. Validated on Postgres 16 (`30 → up → 100 → idempotent → down → 30`).
+
+### Fixed — Doc consistency: `OPUS_MODEL` → `claude-opus-4-8` (PR [#190](https://github.com/Number531/Legal-API/pull/190), 2026-05-29)
+
+Post-#189, code was `claude-opus-4-8` but `RUNBOOK.md:51/52/89` still said `4.7` (those lines had landed via #187) and `system-design.md:388` still said `4.6`. Aligned all live docs to `4.8`; historical CHANGELOG entries (4.5→4.7 era) left intact as append-only record.
+
 ### Changed — Wrapped subagents transitioned to Opus 4.8 (`WRAPPED_SUBAGENT_MODEL` deployed, 2026-05-29)
 
 Set `WRAPPED_SUBAGENT_MODEL=claude-opus-4-8` in `flags.env`, moving the **40 sonnet-tier wrapped subagents** (research/section-writer specialists) from `claude-sonnet-4-6` to **Opus 4.8**. Effective deployed mix: `claude-opus-4-8` × 41 (40 sonnet-tier + the always-opus exec-summary writer) + `claude-haiku-4-5` × 4. **Scoped to subagents only** — the orchestrator (`SDK_MODEL`) and code-execution bridge (`CODE_EXECUTION_MODEL`) remain `claude-sonnet-4-6`. The code default stays unset for rollback safety; re-commenting the `flags.env` line reverts to the Sonnet baseline.
@@ -27,7 +54,7 @@ Following the Opus-4.8-vs-Sonnet-4.6 A/B (sessions `1780022438` Sonnet baseline,
 
 New env knob (default UNSET → zero behavior change) enabling clean model A/B canaries on the wrapped-subagent layer without code edits. When set, `resolveModelId()` (consumed ONLY by the wrapped runner) overrides the **sonnet tier** — the research/section-writer subagents — while leaving `opus`/`haiku`-assigned agents (e.g. memo-executive-summary-writer) on their model. Scoped strictly to subagents: the orchestrator (`SDK_MODEL`) and code-execution bridge (`CODE_EXECUTION_MODEL`) resolve independently and are untouched. Built to support the Opus 4.8 vs Sonnet 4.6 token/cost comparison on the PLTR canary. 7 unit tests (`wrapped-subagent-model-override.test.js`); regression clean (312 pass / 2 pre-existing Task #67 / 0 new).
 
-> **Shipped to `main` 2026-05-28 via PR [#182](https://github.com/Number531/Legal-API/pull/182)** (merge commit `0845cebd`) — Wrapped Subagents permanent operating mode + Tasks #35/#117/#118/#121 + the `sessionLimiters` map-leak fix below. Entries above this line that post-date the merge are the next iteration (further decoupling), not yet released.
+> **Architectural core of 8.0.0** — PR [#182](https://github.com/Number531/Legal-API/pull/182) (merge commit `0845cebd`, 2026-05-28): Wrapped Subagents permanent operating mode + Tasks #35/#117/#118/#121 + the `sessionLimiters` map-leak fix below. The entries above (Opus 4.8 transition, compliance + hygiene follow-ups) are the post-merge iteration; all of it releases together as **8.0.0**.
 
 ### Fixed — wrapped runner `sessionLimiters` map leak (PR #182 review, 2026-05-28)
 

super-legal-mcp-refactored/package.json

@@ -1,6 +1,6 @@
 {
   "name": "super-legal-mcp-refactored",
-  "version": "5.0.0",
+  "version": "8.0.0",
   "description": "Enterprise legal MCP server with audit-trail compliance (EU AI Act Art. 12/13, GDPR Art. 17), code-execution traceability, and reproducibility-grade observability",
   "type": "module",
   "main": "index.js",