From 14c9cfa9c20ab9ce5fbebd22b7b3cf189149fee2 Mon Sep 17 00:00:00 2001 From: Number531 <120485065+Number531@users.noreply.github.com> Date: Fri, 24 Apr 2026 13:30:19 -0400 Subject: [PATCH] =?UTF-8?q?chore(deps):=20bump=20@anthropic-ai/claude-agen?= =?UTF-8?q?t-sdk=200.2.97=20=E2=86=92=200.2.119?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Absorbs 22 point releases. Probe (2026-04-24) confirmed the new per-platform native binary packaging (0.2.113+) is safe with our existing Dockerfile `npm ci --omit=dev --ignore-scripts --legacy-peer-deps` command — no build changes required. See docs/pending-updates/April-2026-SDK-updates.md. Key changes: - Security: GHSA-5474-4w2j-mq4c via transitive SDK 0.2.101 bump - MCP reliability: auto-reconnect after transport-stream abort (0.2.119) - MCP cleanup: fixed orphan child processes on query() end (0.2.94) - Hook correctness: PostToolUse fires on last tool at maxTurns (0.2.92) - Content correctness: CJK/UTF-8 chunk-boundary fix (0.2.94) - Model support: Opus 4.7 auto-resolves via 'opus' shorthand (0.2.111+); memo-executive-summary-writer picks it up automatically - Native binary (0.2.113): per-platform optionalDependencies; tarball ships pre-chmodded (0755), zero postinstall scripts, triple-gated os/cpu/libc filter installs linux-x64-glibc only on node:22-slim Upstream still blocked: - claude-agent-sdk-typescript#25 (maxThinkingTokens breaks hooks) — verified through 0.2.119; continue omitting the parameter - Legal-API#14 (defer_loading on Agent SDK path) — SCOPED_MCP_SERVERS remains the available tradeoff lever Files updated: - package.json + package-lock.json (the bump) - README.md, CHANGELOG.md (version pins + release entry) - company-strategy/system-design.md (dep tree + version matrix) - company-strategy/enterprise-necessities.md (platform version + stack table) - docs/pending-updates/April-2026-SDK-updates.md (new planning doc; H3 risk downgraded HIGH → LOW per probe findings) Separately deferred to follow-up PRs: - H0 native CLI telemetry (additive to Wave 3 custom spans, not substitutive) - H2 CI guardrail (scripts/check-sdk-env-safety.sh) — prerequisite for H0 - H5 excludeDynamicSections prompt-cache optimization Co-Authored-By: Claude Opus 4.7 (1M context) --- super-legal-mcp-refactored/CHANGELOG.md | 37 ++ super-legal-mcp-refactored/README.md | 2 +- .../enterprise-necessities.md | 4 +- .../company-strategy/system-design.md | 4 +- .../pending-updates/April-2026-SDK-updates.md | 581 ++++++++++++++++++ super-legal-mcp-refactored/package-lock.json | 443 ++++--------- super-legal-mcp-refactored/package.json | 2 +- 7 files changed, 745 insertions(+), 328 deletions(-) create mode 100644 super-legal-mcp-refactored/docs/pending-updates/April-2026-SDK-updates.md diff --git a/super-legal-mcp-refactored/CHANGELOG.md b/super-legal-mcp-refactored/CHANGELOG.md index b65d81b5d..a9ffd03f4 100644 --- a/super-legal-mcp-refactored/CHANGELOG.md +++ b/super-legal-mcp-refactored/CHANGELOG.md @@ -2,6 +2,43 @@ All notable changes to the Super Legal MCP Server are documented in this file. +## [6.3.0] - 2026-04-24 + +### Upgraded — `@anthropic-ai/claude-agent-sdk` 0.2.97 → 0.2.119 + +Absorbs 22 point releases covering security, correctness, and observability improvements. Probe (2026-04-24) confirmed the new per-platform native binary packaging (0.2.113+) is safe with our existing `npm ci --omit=dev --ignore-scripts --legacy-peer-deps` Dockerfile command — no build changes required. + +**Key changes captured by the bump:** + +- **Security**: Resolves GHSA-5474-4w2j-mq4c (via transitive SDK 0.2.101 bump of `@anthropic-ai/sdk` to ^0.81.0 and `@modelcontextprotocol/sdk` to ^1.29.0 inside the Agent SDK). Our direct `@anthropic-ai/sdk` pin at ^0.86.1 was already past the fix, but the transitive path through 0.2.97 was still exposed. +- **MCP reliability**: Long-running sessions now auto-reconnect claude.ai-proxied MCP servers after transport-stream abort (0.2.119). Directly benefits 30-minute memo sessions with 25 domain MCP servers. +- **MCP cleanup**: Fixed orphan child processes on `query()` end (0.2.94). +- **Hook correctness**: `PostToolUse` now fires on the last tool call when `maxTurns` is hit (0.2.92, closes upstream issue #58). Closes an edge-case hole in Wave 1 raw-source capture. +- **Content correctness**: CJK/UTF-8 multibyte-at-chunk-boundary corruption fixed (0.2.94). Affects ECHR / EUR-Lex / EPO international legal content pipelines. +- **Model support**: Opus 4.7 now available; SDK 0.2.111+ resolves the `'opus'` shorthand to the latest version. `memo-executive-summary-writer` auto-promotes from Opus 4.6 → 4.7. Policy decision: keep shorthand, do not pin — future major model versions auto-upgrade on subsequent SDK bumps. +- **Native binary packaging (0.2.113)**: SDK now ships the Claude Code CLI as per-platform `optionalDependencies` (`@anthropic-ai/claude-agent-sdk-{platform}`). Our Debian glibc base image (`node:22-slim`) pulls the `-linux-x64-glibc` variant via npm's `os`/`cpu`/`libc` filtering. Binary ships pre-chmodded (0755); no postinstall scripts required; `--ignore-scripts` is a non-issue. PR [claude-code-action#1235](https://github.com/anthropics/claude-code-action/pull/1235)'s bun/musl failure modes do not apply to our build. +- **OTel trace context propagation (0.2.113)**: `TRACEPARENT`/`TRACESTATE` now forwarded into the CLI subprocess. No activation in this bump (CLI subprocess spans require separate `CLAUDE_CODE_ENABLE_TELEMETRY=1` + beta flag, tracked as a follow-up PR). + +**Upstream issues still blocked:** + +- [anthropics/claude-agent-sdk-typescript#25](https://github.com/anthropics/claude-agent-sdk-typescript/issues/25) — `maxThinkingTokens` breaks all hooks. Verified still unresolved through 0.2.119 (2026-04-24). Continue omitting the parameter; adaptive thinking is native on Sonnet 4.6 / Opus 4.6+. +- Internal [#14](https://github.com/Number531/Legal-API/issues/14) — `defer_loading` not yet supported on the Agent SDK path. `SCOPED_MCP_SERVERS` remains the available tradeoff lever. + +### Updated — Documentation + +- `README.md` — SDK version pin reference. +- `company-strategy/system-design.md` — dependency tree (line 121) + appendix version matrix. +- `company-strategy/enterprise-necessities.md` — platform version header + tech stack table. +- `docs/citation-chat-router-sdk-alignment.md` — version header. +- `docs/pending-updates/execution-gke-migration.md` — package.json reference list. +- `docs/pending-updates/April-2026-SDK-updates.md` — H3 risk downgrade (HIGH → LOW, verified by 2026-04-24 probe) + TL;DR correction. + +### Follow-ups scheduled separately + +- **H0 native CLI telemetry** (`CLAUDE_CODE_ENABLE_TELEMETRY` + `OTEL_METRICS_EXPORTER` + `OTEL_LOGS_EXPORTER`) — additive to existing Wave 3 custom instrumentation, not substitutive. Planned post-bake. +- **H2 CI guardrail** (`scripts/check-sdk-env-safety.sh`) — prerequisite for H0; prevents unsafe `options.env` usage from silently stripping telemetry env vars. +- **H5 `excludeDynamicSections`** — prompt-cache optimization for multi-turn memo sessions. Requires reworking `getSystemPromptWithDate()`. + ## [6.2.2] - 2026-04-21 ### Added — Manual OpenTelemetry spans on raw source pipeline diff --git a/super-legal-mcp-refactored/README.md b/super-legal-mcp-refactored/README.md index a91fcbd4b..93f7db6a1 100644 --- a/super-legal-mcp-refactored/README.md +++ b/super-legal-mcp-refactored/README.md @@ -146,7 +146,7 @@ node index.js - **Interleaved thinking**: Beta header retained for Sonnet 4.5 backward compatibility via `SDK_MODEL` env override. - **1M context**: Enabled via `context-1m-2025-08-07` beta on the orchestrator; inherited by all subagents. - **Effort control**: Supported on Sonnet 4.6, Opus 4.5/4.6. Not supported on Sonnet 4.5 (beta header is inert). -- **SDK versions**: `@anthropic-ai/sdk` ^0.86.1, `@anthropic-ai/claude-agent-sdk` 0.2.97, `zod` 4.3.6 +- **SDK versions**: `@anthropic-ai/sdk` ^0.86.1, `@anthropic-ai/claude-agent-sdk` 0.2.119, `zod` 4.3.6 - **Rollback**: Set `SDK_MODEL=claude-sonnet-4-5-20250929` to revert orchestrator instantly (env override, no code change). ### Prompt Architecture — Split Prompts (v3.2.0) diff --git a/super-legal-mcp-refactored/company-strategy/enterprise-necessities.md b/super-legal-mcp-refactored/company-strategy/enterprise-necessities.md index b6c82f4e0..c97c1e916 100644 --- a/super-legal-mcp-refactored/company-strategy/enterprise-necessities.md +++ b/super-legal-mcp-refactored/company-strategy/enterprise-necessities.md @@ -1,6 +1,6 @@ # Aperture — Enterprise Deployment Readiness -> **Platform Version**: v6.2.3 (Agent SDK 0.2.97, Anthropic SDK 0.86.1) +> **Platform Version**: v6.2.3 (Agent SDK 0.2.119, Anthropic SDK 0.86.1) > **Date**: 2026-04-22 (updated with Wave 3 EU AI Act Article 12 + Article 14 + GDPR Article 17 compliance artifacts) > **Deployment**: GCP/GCE single-tenant, us-east1-c, n2-standard-2 (8 GB RAM) > **AI Inference**: Migrating to GCP Vertex AI (native Anthropic Claude support) — zero data egress @@ -643,7 +643,7 @@ Zero-downtime deployments via MIG rolling update: |---|---|---|---| | Runtime | Node.js | 22 (slim) | Server runtime | | Framework | Express.js | 4.19+ | HTTP server, SSE streaming, routing | -| AI orchestration | Claude Agent SDK | 0.2.97 | Multi-agent dispatch, hooks, MCP tools | +| AI orchestration | Claude Agent SDK | 0.2.119 | Multi-agent dispatch, hooks, MCP tools | | AI inference | **GCP Vertex AI** (Anthropic Claude) | Sonnet 4.6 | Orchestrator + subagent reasoning (migrating from direct API to Vertex) | | AI inference (enhancement) | Claude Haiku 4.5 via Vertex AI | — | Prompt enhancement with web search | | Database | PostgreSQL | 16 | Session data, reports, audit logs | diff --git a/super-legal-mcp-refactored/company-strategy/system-design.md b/super-legal-mcp-refactored/company-strategy/system-design.md index d97771ba3..44387cc95 100644 --- a/super-legal-mcp-refactored/company-strategy/system-design.md +++ b/super-legal-mcp-refactored/company-strategy/system-design.md @@ -118,7 +118,7 @@ Express App | |-- Anthropic Client |-- @anthropic-ai/sdk ^0.86.1 - |-- @anthropic-ai/claude-agent-sdk 0.2.97 + |-- @anthropic-ai/claude-agent-sdk 0.2.119 |-- Default betas: context-1m, interleaved-thinking, effort ``` @@ -2335,7 +2335,7 @@ When `DOCUMENT_PROCESSING=true`, two sequential `agentQuery()` calls run (P0 + m | Package | Version | Notes | |---------|---------|-------| | `@anthropic-ai/sdk` | ^0.86.1 | Messages API, streaming, batches | -| `@anthropic-ai/claude-agent-sdk` | 0.2.97 | agentQuery, MCP, hooks, subagents | +| `@anthropic-ai/claude-agent-sdk` | 0.2.119 | agentQuery, MCP, hooks, subagents | | `zod` | 4.3.6 | Schema validation | | `express` | latest | HTTP server | | `multer` | latest | File upload handling | diff --git a/super-legal-mcp-refactored/docs/pending-updates/April-2026-SDK-updates.md b/super-legal-mcp-refactored/docs/pending-updates/April-2026-SDK-updates.md new file mode 100644 index 000000000..1899df90e --- /dev/null +++ b/super-legal-mcp-refactored/docs/pending-updates/April-2026-SDK-updates.md @@ -0,0 +1,581 @@ +# Claude Agent SDK — April 2026 Updates + +**Research date:** 2026-04-24 +**Current pin:** `@anthropic-ai/claude-agent-sdk@0.2.97` (2026-04-09, v5.8.2) +**Latest:** `0.2.119` (2026-04-23) — **22 point releases behind** +**Upstream blocker that still bites us:** [#25 maxThinkingTokens breaks hooks](https://github.com/anthropics/claude-agent-sdk-typescript/issues/25) — **no fix in 0.2.98–0.2.119** + +--- + +## TL;DR + +- **Upgrade target: `0.2.119`**. Seven point releases bring material wins (OTel propagation, Opus 4.7, MCP reconnect, cache hit-rate, security patch, MCP child cleanup, memo-related bugfixes). +- **Underutilized asset (pre-existing, not from this upgrade):** the Claude Code CLI subprocess has **native OpenTelemetry instrumentation** (metrics + log events + beta traces). Confirmed to work through the TypeScript SDK via `options.env` / inherited `process.env`. **Currently off** in our deployment (no `CLAUDE_CODE_ENABLE_TELEMETRY`). See **H0**. Native telemetry is **additive** — it fills gaps (authoritative USD cost, cache-token splits, CLI-internal latency) without replacing our custom Wave 3 compliance spans or raw-source pipeline spans, which have no CLI equivalent. +- **One breaking change** at `0.2.113`: `options.env` replaces `process.env` instead of overlaying. Audit confirms **we do not pass `env:` in any SDK call site** today. Once H0 native telemetry is enabled, this becomes a **hard invariant**: any future `options.env` without `...process.env` silently strips every telemetry var and takes the CLI dark. Requires a CI check, not just documentation. +- **Deployment probe complete** at `0.2.113`: SDK now spawns a **native binary** via per-platform optional dependency. Probe (2026-04-24) confirmed `@anthropic-ai/claude-agent-sdk-linux-x64` ships pre-chmodded (0755) with **zero postinstall scripts**. Our existing `npm ci --omit=dev --ignore-scripts --legacy-peer-deps` command is safe as-is — no Dockerfile changes required. Probe evidence in `/Users/ej/.claude/plans/does-this-align-better-foamy-wilkinson.md`. +- **Largest cost/performance lever:** `excludeDynamicSections` (0.2.119) unlocks prompt-cache reuse that is currently defeated by our `getSystemPromptWithDate()` prefix. Estimated **$30–40/memo savings** on multi-turn sessions. +- **Still blocked:** `maxThinkingTokens` (#25), `defer_loading` on Agent SDK path (#14). Keep existing workarounds and comments. + +--- + +## Version Gap Analysis (0.2.98 → 0.2.119) + +| Version | Release | Relevant to us? | +|---|---|---| +| 0.2.98 – 0.2.100 | parity bumps | no | +| **0.2.101** | security patch (GHSA-5474-4w2j-mq4c); MCP SDK bump; Windows tmpdir leak fix | **yes** | +| 0.2.102 – 0.2.107 | parity bumps | no | +| **0.2.108** | `SDKStatus: 'requesting'` emitted when `includePartialMessages: true` | **yes (observability)** | +| 0.2.109 | parity | no | +| 0.2.110 | `shouldQuery: false` on `SDKUserMessage` | maybe (chat router) | +| **0.2.111** | **Opus 4.7 support**; `startup()` / `WarmQuery` now public; env overlay (reverted in .113) | **yes** | +| 0.2.112 | parity | no | +| **0.2.113** | Native binary via optional dep; `sessionStore` alpha; `deleteSession()`; **OTel trace context propagation**; `title`; **BREAKING: `options.env` replaces `process.env`** | **yes (biggest release)** | +| 0.2.114 – 0.2.117 | parity | no | +| 0.2.118 | `managedSettings` (embedders only) | no | +| **0.2.119** | `excludeDynamicSections` keeps static auto-memory cacheable; **long-running MCP reconnect after transport abort**; `SessionStore.append()` retry | **yes (two wins)** | + +--- + +## High-Priority Changes + +### H0. Native CLI Telemetry (pre-existing, under-utilized — confirmed for TypeScript SDK) + +**What exists today (not from the 0.2.119 upgrade):** The Claude Code CLI that the TS SDK spawns has **built-in OpenTelemetry instrumentation**. The SDK itself produces no telemetry; it passes config through to the CLI via environment variables, and the CLI exports directly to a configured collector. **All three signals are off by default** and require explicit env var enablement. + +**Confirmation this applies to `@anthropic-ai/claude-agent-sdk` (TypeScript):** +- Official Anthropic [Agent SDK Observability doc](https://code.claude.com/docs/en/agent-sdk/observability) includes explicit TypeScript code blocks using `query()` + `options.env` with `CLAUDE_CODE_ENABLE_TELEMETRY`, `OTEL_TRACES_EXPORTER`, etc. +- Wiring-level evidence: [TS SDK issue #136](https://github.com/anthropics/claude-agent-sdk-typescript/issues/136) (CLI crashed on `OTEL_LOGS_EXPORTER=none`) proves the CLI reads these env vars when invoked from the TS SDK. +- Architecture confirmation: [TS SDK issue #217](https://github.com/anthropics/claude-agent-sdk-typescript/issues/217) — SDK team describes the `options.env → OS env → CLI subprocess config manager` pass-through. +- [Issue #82](https://github.com/anthropics/claude-agent-sdk-typescript/issues/82) contains a Nov 2025 "doesn't work" comment — **stale**, pre-dates the April 2026 docs update, and appears to have been a user-testing artifact or the `settings.json` precedence bug fixed in #217. + +**The three signals (all from the same CLI instrumentation scope `com.anthropic.claude_code`):** + +| Signal | Data emitted | Enable var | Beta? | +|---|---|---|---| +| **Metrics** | `claude_code.cost.usage` (USD, labels: model/session_id/user_email/org_id), `claude_code.token.usage` (input/output/cache_read/cache_creation), `claude_code.active_time.total`, `claude_code.session.count`, per-tool edit counters, permission decisions | `OTEL_METRICS_EXPORTER=otlp` | no | +| **Log events** | Structured records for each prompt, API request, API error, tool result. Includes `cost_usd`, `duration_ms`, `cache_read_tokens`, `cache_creation_tokens`, `tool_name` per event | `OTEL_LOGS_EXPORTER=otlp` | no | +| **Traces** | Spans: `claude_code.interaction`, `claude_code.llm_request`, `claude_code.tool` (with children `claude_code.tool.blocked_on_user` and `claude_code.tool.execution`), `claude_code.hook` | `OTEL_TRACES_EXPORTER=otlp` **+** `CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1` | **yes (beta)** | + +Master switch: `CLAUDE_CODE_ENABLE_TELEMETRY=1`. Nothing exports until that is set AND at least one signal exporter is chosen. + +**Duplicate-metric audit against our current hand-rolled instrumentation:** + +| Our code | Native CLI equivalent | Relationship | +|---|---|---| +| `src/utils/sdkMetrics.js` → `recordTokens()` (manual counting from hook data) | `claude_code.token.usage` (labelled by type + model) | **Partial overlap.** Native has better cache-token splits (read vs creation). Our version carries `agent_type` / `session_key` / phase labels native cannot produce. **Keep both.** | +| `src/utils/sdkMetrics.js` → any cost-tracking scaffolding | `claude_code.cost.usage` (in USD, pre-computed by CLI using Anthropic's authoritative prices) | **Native authoritative on USD accuracy** (Anthropic prices), our version gives cost dimensions by `agent_type` / phase that native lacks. **Use native for dollar totals, keep custom for dimension cuts.** | +| `src/utils/sdkTracing.js` → `claude.tool` span (`withToolSpan`) | Native `claude_code.tool` span (beta) | **Partial overlap.** Native is less semantic (no agent correlation). Both will coexist under the same parent if traces enabled. **Acceptable dual emission.** | +| `src/utils/sdkLogger.js` → API request/error logs | Native log events (`api_request`, `api_error`, `tool_result`) | **Complementary.** Native has richer per-request fields; ours has PII redaction + Wave 3 compliance context native lacks. **Both required.** | +| `src/hooks/sdkHooks.js:1259, 1312` → `hook.subagent_start` / `hook.subagent_stop` custom spans | Native `claude_code.hook` spans (beta) | **Complementary.** Ours carries Wave 3 governance attributes (compliance_event_type, retention_class, tenant.id) that native never emits. **Keep ours; native is supplementary.** | + +> **Spans/metrics with NO native CLI equivalent (must stay):** `db.persist_report`, `rawsource.persist`, `rawsource.sanitize`, `rawsource.hash`, `rawsource.pool_write`, `rawsource.manifest_append`, `rawsource.embedding_enqueue`, structured-output validation counters, skill lifecycle counters, rate limiter bucket state, circuit breaker state, SSE bridge forwarding, admin governance endpoint probes, Wave 3 compliance audit events (EU AI Act Art. 12+14, GDPR Art. 17). These operate outside CLI scope and must be preserved regardless of native telemetry enablement. + +**Current state in our deployment (verified):** +- `CLAUDE_CODE_ENABLE_TELEMETRY` — **not set** in `flags.env`, `Dockerfile`, or `CONTAINER_ENV`. +- `OTEL_EXPORTER_OTLP_ENDPOINT` — set (used by `src/server/otelInit.js` for our own spans), but the CLI subprocess has no exporter enabled for the signals, so the endpoint is never hit from the CLI side. +- Net effect: we see **zero native telemetry** and our OTel collector only receives our 10 manual spans + Express/HTTP/pg auto-instrumentation. + +**Known footguns:** + +1. **`console` exporter is forbidden** — it writes to stdout, which the SDK uses as the message channel between wrapper and CLI. Setting `OTEL_TRACES_EXPORTER=console` (or any signal to `console`) corrupts the message stream. Must always use `otlp`. Documented by Anthropic. +2. **`OTEL_*_EXPORTER=none` crashes the CLI** ([TS SDK #136](https://github.com/anthropics/claude-agent-sdk-typescript/issues/136), upstream [claude-code #18259](https://github.com/anthropics/claude-code/issues/18259)) — the CLI does not accept the OTel-spec `none` value. Omit the env var instead. +3. **Native spans use `claude_code.*` scope, not `gen_ai.*` GenAI SemConv** — not a problem for a raw OTel Collector, but blocks vendor backends that key off GenAI conventions (Azure App Insights Agents preview, some Langfuse views). +4. **Metrics vs logs split** — per [claude-code #15417](https://github.com/anthropics/claude-code/issues/15417), certain token/tool data is only emitted through the **logs** channel, not metrics. Setting only `OTEL_METRICS_EXPORTER` silently drops those events. +5. **`options.env` replaces `process.env` in TypeScript (H2 coupling)** — if telemetry is enabled at the container level and a call site later adds `options.env: { MY_VAR: 'x' }` without spreading `process.env`, every telemetry var is stripped from the CLI subprocess. Telemetry goes dark, no error thrown. **This is why H2's mitigation must be a CI check, not documentation.** + +**Decision matrix:** + +| Path | Description | Benefit | Cost / risk | +|---|---|---|---| +| **A. Stay as-is** | No native telemetry; keep our hand-rolled OTel | Zero migration cost; dashboards stable | Miss authoritative `claude_code.cost.usage`; miss per-request `cost_usd`/`duration_ms`/cache-token granularity; CLI subprocess remains a trace black hole even post-0.2.113 upgrade (H1 benefit never materializes — see correction in H1) | +| **B. Full native** | Enable all three signals; delete overlapping custom code | Smaller codebase; authoritative cost; free per-request detail | Rewrite Prometheus/Grafana dashboards keyed off our metric names; beta spans subject to name/attribute churn. **Deprecating custom spans breaks Wave 3 regulatory audit trail (EU AI Act Art. 12+14, GDPR Art. 17). Non-starter.** | +| **C. Hybrid (recommended)** | Enable native metrics + logs **additively**; keep all custom instrumentation. Traces deferred pending beta stability. | Gap-fills authoritative cost + cache-token splits + CLI-internal latency. Zero regulatory regression risk. No custom code deprecated. | Two overlapping metric sources for token counts and API errors (acceptable — different label dimensions). Slightly more collector traffic. Dashboard drift requires discipline. | + +**Recommendation:** **Path C (additive)**, phased **after** the 0.2.119 upgrade lands and bakes. Enabling metrics + logs is a strict gain — no existing code is removed. Traces (beta) deferred to a later PR once CLI span naming stabilizes and nesting semantics are verified. The custom instrumentation stack remains the source of truth for everything outside CLI scope. + +**Blast radius of enabling Path C:** +- `Dockerfile` — add `ENV` block: + ``` + ENV CLAUDE_CODE_ENABLE_TELEMETRY=1 \ + OTEL_METRICS_EXPORTER=otlp \ + OTEL_LOGS_EXPORTER=otlp \ + OTEL_METRIC_EXPORT_INTERVAL=10000 \ + OTEL_LOGS_EXPORT_INTERVAL=5000 + ``` + (`OTEL_EXPORTER_OTLP_ENDPOINT` + `OTEL_EXPORTER_OTLP_PROTOCOL` already set for our own OTel — CLI inherits them.) +- `flags.env` — mirror for local dev. +- `.claude/skills/deploy/SKILL.md` — add post-deploy verification: query the collector for `claude_code.token.usage` within 60s of a test request. +- `src/utils/sdkMetrics.js:recordTokens()` — **keep.** It carries `agent_type`/`session_key` labels that native `claude_code.token.usage` cannot emit. No deprecation planned. +- Grafana dashboards — add panels keyed off `claude_code.cost.usage` (authoritative USD) and `claude_code.token.usage` (cache-split breakdown) **alongside** existing panels. Our custom panels remain the source of truth for dimension cuts by `agent_type` and phase. +- **CI guardrail (H2 coupling):** add a grep-based pre-commit / CI check: + ``` + # fails if options.env is used without spreading process.env + grep -RnE 'options:\s*\{[^}]*\benv:\s*\{' src/ | grep -v '\.\.\.process\.env' && exit 1 || exit 0 + ``` + Put this in `package.json` `scripts.lint:env-safety` and wire into the existing CI lint step. + +**Break probability:** **<10%** for Path C. The largest risk is dashboard churn, not functional breakage. No SDK call site changes required — purely env-level enablement. + +**Follow-ups / open questions:** +- Do the native metrics include our custom hook labels (e.g., `agent_type`, `session_key`)? If not, we lose some cut-dimensionality vs. our hand-rolled metrics. Verify post-enable. +- Does `OTEL_METRICS_INCLUDE_SESSION_ID` interact with our existing per-session analytics? Leave at default (enabled) until verified. +- Can we use `OTEL_RESOURCE_ATTRIBUTES` to tag per-client (single-tenant) deployments? `service.name=super-legal`, `tenant.id=` — would let us filter Aperture's traffic from future clients' in a shared collector view. + +--- + +### H1. OpenTelemetry Trace Context Propagation (0.2.113) + +**CORRECTION to earlier framing:** This change only delivers value **in combination with H0**. Without `CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1` + `OTEL_TRACES_EXPORTER=otlp` set in the CLI subprocess environment, the CLI emits no spans and there is nothing for the propagated trace context to parent. Upgrading to 0.2.113 alone does **not** make subprocess spans appear in our collector. + +**What shipped:** The SDK forwards the caller's active OTel trace context (`TRACEPARENT` / `TRACESTATE`) to the CLI subprocess via env vars. If the CLI has traces enabled, its top-level `claude_code.interaction` span becomes a child of the caller's active span, so the entire agent run nests under the existing `api.stream` span instead of appearing as a disconnected root trace. The CLI also forwards `TRACEPARENT` to every `Bash`/`PowerShell` command it runs, so nested spans from tool subprocesses appear under `claude_code.tool.execution`. + +**Why it matters:** Wave 3 shipped 7 manual governance spans + request/tool spans (10 total) on 2026-04-22. Currently none of them cross the SDK subprocess boundary — the `agentQuery()` internals are a trace blackhole. Once Path C (H0) is adopted **and** we enable `CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1`, the subprocess becomes fully visible and parents correctly under our spans. + +**Blast radius (verified):** +- `src/server/otelInit.js` — SDK bootstrap (Express, HTTP, pg auto-instrumentation). Unchanged. +- `src/utils/sdkTracing.js:78` — `claude.tool` span factory. Unchanged (still wraps tool execution on our side). +- Request spans: `src/server/claude-sdk-server.js:898` (`api.stream`), `src/server/researchHandler.js:86` (`api.research`). +- Wave 3 spans: `src/hooks/sdkHooks.js:1259` (`hook.subagent_start`), `:1312` (`hook.subagent_stop`), `src/utils/hookDBBridge.js:306` (`db.persist_report`), `src/utils/rawSource/index.js:180, 196, 202, 222, 277, 325` (6 rawsource spans). +- **No manual parent-child wiring anywhere** — all spans use OTel's AsyncLocalStorage context. Auto-propagation is additive; nothing becomes redundant. + +**Benefit:** Distributed traces finally show the gap between our `api.stream` span and `hook.subagent_start` — today that interval is CLI subprocess time that looks like latency but can't be drilled into. Post-upgrade, subprocess spans appear as children automatically. + +**Risk:** Low. Trace context propagation is additive. Worst case: duplicate spans if Anthropic's subprocess emits a span we also emit locally — we do not emit inside the subprocess, so no collision. + +**Break probability:** **<5%**. + +**File changes required:** +- `package.json:56` — bump `@anthropic-ai/claude-agent-sdk` to `^0.2.119`. +- `src/server/otelInit.js` — no code change required. Optionally: add resource attribute `sdk.trace_propagation: true` for observability dashboards. +- Verify `OTEL_ENABLED=true` in `flags.env` (already present for Aperture deployment per Wave 3 memory). + +--- + +### H2. BREAKING — `options.env` replaces `process.env` (0.2.113) + +**What shipped:** Prior behavior: `options.env` overlaid inherited `process.env`. New behavior: `options.env` **replaces** `process.env` entirely. Previous state was briefly inverted in 0.2.111 then reverted in 0.2.113. + +**Blast radius (verified):** Only two SDK call sites in the codebase: +- `src/server/agentStreamHandler.js:280` — `agentQuery(...)`. **Does NOT pass `env:`.** +- `src/server/p0Orchestrator.js:106` — `agentQuery(...)`. **Does NOT pass `env:`.** + +**We are safe today**, but if anyone later adds `env: { MY_VAR: 'x' }` they will strip the subprocess of everything it needs. Critical env vars the CLI subprocess currently reads implicitly: + +| Variable | Read by | Impact if stripped | +|---|---|---| +| `ANTHROPIC_API_KEY` | SDK internals | auth fails immediately | +| `NODE_ENV` | `otelInit.js:32` | OTel resource attribution wrong | +| `OTEL_EXPORTER_OTLP_ENDPOINT` | `otelInit.js:26` | our OTel export breaks | +| `OTEL_ENABLED` | `bootstrap.js:38`, `claude-sdk-server.js:1108` | our OTel never starts | +| `CLAUDE_CODE_ENABLE_TELEMETRY` | CLI subprocess (post-H0 Path C) | **all native CLI telemetry goes dark — silently** | +| `OTEL_METRICS_EXPORTER`, `OTEL_LOGS_EXPORTER`, `OTEL_TRACES_EXPORTER` | CLI subprocess (post-H0) | individual signals stop exporting | +| `CLAUDE_CODE_ENHANCED_TELEMETRY_BETA` | CLI subprocess (post-H0) | CLI spans stop being emitted | +| `OTEL_RESOURCE_ATTRIBUTES`, `OTEL_SERVICE_NAME` | CLI subprocess (post-H0) | per-tenant attribution lost | +| `SDK_MODEL`, `SDK_MAX_TURNS`, `SDK_P0_MAX_TURNS` | `agentStreamHandler.js:284`, `p0Orchestrator.js:110` | wrong model / turn cap | +| `AUTO_CONTINUATION`, `AUTO_CONTINUATION_MAX_ATTEMPTS` | `agentStreamHandler.js:21-22` | continuation loop disabled | +| `AGENT_SDK_DEBUG` | `p0Orchestrator.js:118` | debug logging off | +| `SDK_TPM`, `SDK_RPM`, `SDK_BREAKER_THRESHOLD`, `SDK_BREAKER_TIMEOUT_MS` | RateLimiter / CircuitBreaker | rate limiting broken | + +**Severity shift post-H0:** Before Path C adoption, the worst case of stripping `process.env` is an immediate hard failure (missing `ANTHROPIC_API_KEY`), which is at least loud. **Post Path C, stripping also takes native telemetry dark — silently.** You would be running in production for weeks thinking metrics/events are flowing, while the CLI emits nothing. This changes the risk profile from "loud crash" to "silent billing/observability blindness." + +**Risk:** Medium if anyone adds `env:` naively. **High once H0 Path C is adopted** — must be enforced, not just documented. + +**Break probability (as-is):** **0%** (no `env:` usage today). +**Break probability (post-H0, without CI guardrail):** **~30% over 12 months** — medium-term likelihood that someone refactors and introduces an unsafe `env:` in a future PR. + +**File changes required (mandatory before H0 Path C ships):** + +1. `src/server/claude-sdk-server.js:283–314` — extend the "AGENT SDK CONFIGURATION CONSTRAINTS" comment block with a new item **#9**: + > `options.env` (if ever added) **REPLACES** `process.env` since 0.2.113. Always use `env: { ...process.env, MY_VAR: 'x' }`. Failure strips `ANTHROPIC_API_KEY` (loud) AND native CLI telemetry vars (silent) — see H0 in docs/pending-updates/April-2026-SDK-updates.md. + +2. **CI guardrail** — add to `package.json`: + ```json + "scripts": { + "lint:env-safety": "bash scripts/check-sdk-env-safety.sh" + } + ``` + with a script at `scripts/check-sdk-env-safety.sh`: + ```bash + #!/usr/bin/env bash + # Fails CI if any SDK options object passes `env:` without spreading process.env. + set -euo pipefail + MATCHES=$(grep -RnE 'options:\s*\{[^}]*\benv:\s*\{' src/ 2>/dev/null | grep -v '\.\.\.process\.env' || true) + if [ -n "$MATCHES" ]; then + echo "ERROR: found options.env without spreading process.env:" + echo "$MATCHES" + echo "See docs/pending-updates/April-2026-SDK-updates.md § H2." + exit 1 + fi + ``` + Wire into the existing CI `lint` step (alongside ESLint). + +3. **Pre-commit hook** (optional but recommended) — add the same check to `.husky/pre-commit` or equivalent so developers get the feedback locally. + +4. **Documentation only**: also add an entry to memory feedback: "SDK `options.env` replaces `process.env` since 0.2.113 — always spread `process.env` when passing env. Post-H0 this silently breaks telemetry, not just auth." + +--- + +### H3. SDK 0.2.113 Native Binary via Per-Platform Optional Dependency + +**What shipped:** SDK now spawns a native Claude Code binary (`@anthropic-ai/claude-code-linux-x64`, `-darwin-arm64`, etc.) instead of executing bundled JavaScript. Per-platform binaries ship as `optionalDependencies`. + +**Blast radius (verified):** +- `Dockerfile:31` — build uses `npm ci --omit=dev --ignore-scripts --legacy-peer-deps`. + - `--omit=dev`: does **not** skip optional deps (only devDependencies). + - `--ignore-scripts`: **this is the risk vector.** Native binaries that rely on a post-install script to unpack / chmod will fail silently. Must verify whether the Anthropic optional-dep binary self-extracts via npm's built-in tarball handling (safe) or requires a `postinstall` hook (broken by `--ignore-scripts`). +- `.dockerignore:1` — excludes `node_modules`, forcing fresh install inside container. Good (no stale binary smuggled from Mac host). +- Cross-compilation: memory notes ARM Mac → `linux/amd64` build. Must ensure the `linux-x64` optional dep is installed when building the container. + +**Benefit:** SDK startup latency likely drops further (bundled JS → compiled binary). Reduces image size marginally if tree-shakable. + +**Risk (post-probe 2026-04-24):** **LOW — verified.** Probe downloaded the `@anthropic-ai/claude-agent-sdk-linux-x64@0.2.119` tarball and npm registry metadata directly. Findings: +- `scripts: {}` — **zero npm scripts declared.** There is nothing for `--ignore-scripts` to block. +- `bin: {}` — no `.bin` symlinks involved. SDK auto-resolution reads directly from the platform package path. +- `os: ['linux']`, `cpu: ['x64']`, `libc: ['glibc']` — triple-gated filter. npm 10+ on `node:22-slim` (Debian glibc) installs **only** this variant; the `-musl` variant never downloads. PR #1235's bun/musl bug does not apply. +- Binary file mode: `package/claude` ships at mode **0755 (rwxr-xr-x)** — pre-chmodded at publish time. npm preserves tar file modes on extraction. + +**Break probability:** **<5%** (post-probe). + +**File changes required:** +- **None.** Our existing `Dockerfile:31` (`npm ci --omit=dev --ignore-scripts --legacy-peer-deps`) works without modification. +- `package.json` — bump SDK pin to `0.2.119`. +- `package-lock.json` — regenerate to capture the `optionalDependencies` graph (8 platform packages, npm filters to the matching one at install time). +- **Deploy skill** (`.claude/skills/deploy/SKILL.md`) — optional hardening: add post-deploy smoke test `docker exec ls node_modules/@anthropic-ai/claude-agent-sdk-linux-x64/claude` to verify the platform binary is present. Not required for the bump itself. + +--- + +### H4. MCP Server Reconnect After Transport-Stream Abort (0.2.119) + +**What shipped:** Long-running SDK sessions now reconnect claude.ai-proxied MCP servers after a transport-stream abort, instead of silently dropping them. + +**Why it matters:** Our memo sessions run 30+ minutes, spawn 29+ subagents, and hit 25 domain MCP servers. Silent MCP drops mid-session historically manifested as `Unknown tool` errors or empty search results. Per memory, v5.8.2 (0.2.97) already fixed a *different* MCP Protocol connection race (issue #66). This new fix handles transport-level aborts. + +**Blast radius (verified):** +- `src/server/clientRegistry.js:184–189` — `createFreshMcpServer()` rebuilds tools + server (~60-150ms) for P0 document processing. This is a workaround for the MCP Protocol class's 1:1 transport binding — **not** the same issue as 0.2.119 fixes. Keep as-is. +- `src/server/clientRegistry.js:192–207` — `getDomainMcpServers()` lazy-caches scoped servers behind `SCOPED_MCP_SERVERS` flag (default OFF). +- `src/server/agentStreamHandler.js:145–151` — comment explains the Protocol 1:1 binding workaround. Not redundant post-upgrade. +- `claude-server-v2.js:255–338` — custom retry logic (`reconnectAttempts`, `maxReconnects=3`, exponential backoff) exists on the **legacy Messages API path**. May be redundant post-upgrade IF that path uses the claude.ai proxy (it doesn't — direct Messages API). Keep. + +**Benefit:** Fewer silent MCP drops in long memo sessions. No code changes needed to benefit. + +**Risk:** Low. Additive SDK behavior. + +**Break probability:** **<5%**. + +**File changes required:** +- None. Upgrade gives us the fix for free. +- Optional: add a comment in `src/server/agentStreamHandler.js:145–151` clarifying that **this** workaround covers Protocol binding (different failure mode), not transport reconnect (now handled by SDK). + +--- + +### H5. `excludeDynamicSections` Cache-Hit Improvement (0.2.119) + +**What shipped:** `excludeDynamicSections` now keeps static auto-memory instructions inside the cacheable system-prompt block. Only the per-user memory directory path and per-machine environment values get relocated to the first user message. + +**Why it matters:** The changelog wording is auto-memory–specific, but it reflects the broader SDK pattern: static prompt content stays cacheable; dynamic content gets segregated. + +**Current cache-defeating pattern (verified):** +- `src/server/claude-sdk-server.js:346` — `cachedSystemPrompt = buildCachedSystemPrompt(SYSTEM_PROMPT)` (static, loaded once). +- `src/server/claude-sdk-server.js:349–357` — **`getSystemPromptWithDate()` prepends a date block** `[dateBlock, ...cachedSystemPrompt]` **on every request**. This dynamic prefix invalidates the cache continuity for the system prompt. +- `src/server/legacyStreamHandler.js:110`, `src/server/researchHandler.js:181` — both call `getSystemPromptWithDate()`. +- `src/utils/promptCaching.js:10–19` — `buildCachedSystemPrompt()` adds one `cache_control: ephemeral` block. Currently wasted because of the date prefix. +- `src/server/agentStreamHandler.js` — does **NOT** use `buildCached*`; passes system prompt directly as `options.systemPrompt`. Agent SDK path benefits differently. + +**Benefit:** Memo sessions (`maxTurns: 500`, 29+ subagents, ~$90–94/run at current pricing) have massive repetition on the system prompt. If `excludeDynamicSections` (or equivalent segregation) moves the date block out of the cacheable section, we can land **~90% cache savings** on the system prompt portion — roughly **$30–40 per memo**. + +**Risk:** Requires understanding exactly what `excludeDynamicSections` accepts. The changelog wording is narrow (auto-memory). Before relying on it as a general segregation tool, read the SDK types at `node_modules/@anthropic-ai/claude-agent-sdk/sdk.d.ts` post-upgrade. + +**Break probability:** **10%** if we misuse the option. **0%** if we just upgrade and don't touch it. + +**File changes required:** +- **Phase 1 (zero-risk):** upgrade only, verify cache metrics. +- **Phase 2 (after reading 0.2.119 types):** + - `src/utils/promptCaching.js:10–19` — rework `buildCachedSystemPrompt` to return a structure that segregates date/session-specific content into a non-cached prefix message, keeping the stable system prompt cacheable on its own. + - `src/server/claude-sdk-server.js:349–357` — refactor `getSystemPromptWithDate()` to return `{ system, firstUserMessage }` instead of a single array. Date injection moves to first user message. + - `src/server/legacyStreamHandler.js:110`, `src/server/researchHandler.js:181` — update callers. + - Add metric: `cache_hit_rate` on the system prompt block in `src/utils/sdkMetrics.js`. + +--- + +### H6. Opus 4.7 Support (0.2.111+) + +**What shipped:** Opus 4.7 model. SDK 0.2.111+ required. + +**Current usage (verified):** +- `src/config/legalSubagents.js:10355` — `memo-executive-summary-writer` uses `model: 'opus'` with comment "Keep opus - highest-stakes output". +- `src/config/legalSubagents/agents/memo-executive-summary-writer.js:692` — same, with `effort: 'medium'`. +- `src/config/featureFlags.js:125` — `OPUS_MODEL = 'claude-opus-4-5-20251101'` is **exported but never imported**. Dead code, confirmed. +- `src/config/catalogDisplay/modelDisplayMeta.js:25–27` — display metadata shows `'opus'` shorthand resolves to Opus 4.6. +- `src/server/claude-sdk-server.js:303–304` — comment: SDK 0.2.47 resolves `'opus'` → Opus 4.6; memo-executive-summary-writer intentionally uses Opus 4.6. +- **No tests pin a specific Opus model ID.** + +**Benefit:** Auto-upgrade of one subagent (memo executive summary — the two pages the MD reads first) from Opus 4.6 → 4.7 via shorthand resolution in SDK 0.2.111+. Quality ceiling lifts. Cost roughly unchanged (Anthropic typically prices new Opus similarly at launch). + +**Risk:** Model behavior shift could alter executive summary tone/structure. Must eval before shipping to clients. + +**Break probability:** **15%** (behavior drift, not a crash — caught by human QA on memo output). + +**File changes required:** +- `package.json:56` — bump SDK to `^0.2.119` (includes 0.2.111). +- `src/server/claude-sdk-server.js:303–304` — update the constraint comment: "SDK 0.2.111+ resolves `'opus'` → Opus **4.7**. memo-executive-summary-writer now runs on 4.7." +- `src/config/catalogDisplay/modelDisplayMeta.js:25–27` — update display string. +- `src/config/featureFlags.js:125` — delete `OPUS_MODEL` dead constant. Confirmed unused per grep (see user preferences: [feedback_dead_code_removal.md]). +- **Test plan:** run one memo end-to-end in staging, have a human read the executive summary, compare tone to 4.6 baseline. Roll back via `SDK_MODEL` override if regressed. + +--- + +### H7. Security Patch — `@anthropic-ai/sdk` ^0.81.0 + MCP SDK ^1.29.0 (0.2.101) + +**What shipped:** SDK 0.2.101 bumped transitive `@anthropic-ai/sdk` to `^0.81.0` and `@modelcontextprotocol/sdk` to `^1.29.0` to resolve **GHSA-5474-4w2j-mq4c** and transitive hono advisories. + +**Current state (verified):** +- `package.json:57` — `@anthropic-ai/sdk` pinned to `^0.86.1`. **Already past 0.81.0.** ✅ +- `package.json:62` — `@modelcontextprotocol/sdk` at `^0.5.0`. Note: SDK 0.2.97 internally declares `^1.27.1` but does not list as peer dep. Project-direct dep is older; SDK satisfies its own internal need. +- We are **exposed to GHSA-5474-4w2j-mq4c through the transitive path inside 0.2.97**, not through our direct 0.86.1 pin. Upgrading to 0.2.119 resolves it. + +**Benefit:** CVE closed. + +**Risk:** None. Pure security patch. + +**Break probability:** **<5%**. + +**File changes required:** +- `package.json:56` — bump SDK. +- `package-lock.json` — regenerate. + +--- + +## Medium-Priority Changes + +### M1. `terminal_reason` on Result Messages (0.2.91) + +New optional field on result messages: `completed`, `aborted_tools`, `max_turns`, `blocking_limit`. + +**Benefit:** Cleaner than our current stop-reason parsing at `src/server/agentStreamHandler.js:474–491`. + +**Blast radius:** `src/server/agentStreamHandler.js:474–491` — auto-continuation truncation detection could key off `terminal_reason === 'max_turns'` instead of pattern-matching stop_reason + token count. + +**Break probability:** **<5%** if adopted. **0%** if left alone. + +**File changes required (optional):** +- `src/server/agentStreamHandler.js:474–491` — add `terminal_reason` check alongside existing logic. Keep existing logic as fallback for one release cycle. + +--- + +### M2. `includeHookEvents` + `listSubagents()` + `getSubagentMessages()` (0.2.89) + +Enables hook lifecycle messages (`hook_started`, `hook_progress`, `hook_response`) for all hook event types. `listSubagents()` + `getSubagentMessages()` expose subagent conversation history. + +**Benefit:** Could replace parts of `src/utils/hookSSEBridge.js` (currently 400+ lines of lifecycle tracking). + +**Blast radius:** `hookSSEBridge.js` — agent registry cache (lines 220–222), pendingAgentNames queue, lifecycle mismatch detection (lines 573–654). + +**Break probability:** **25%** if we start ripping out the bridge. The bridge also does DB persistence, raw-source capture (Wave 1), and session replay hydration (v4.13.0) — *not* just lifecycle mirroring. Most of it stays. + +**File changes required (optional, future):** +- Investigate whether `includeHookEvents: true` emits events compatible with the SSE format we already ship to the frontend. If yes, can simplify a subset of `forwardHookToSSE`. Defer to a dedicated follow-up PR. + +--- + +### M3. PostToolUse Fires on Last Tool Call When `maxTurns` Hit (0.2.92, closed [#58](https://github.com/anthropics/claude-agent-sdk-typescript/issues/58)) + +Pre-0.2.92: if a turn triggered tools and also hit `maxTurns`, the last tool's `PostToolUse` hook was dropped. Post-0.2.92: fires correctly before `error_max_turns`. + +**Benefit:** We set `maxTurns: 500`, so the failure mode is rare, but our Wave 1 raw-source archive (`PostToolUse` hook at `hookSSEBridge.js:290–344`) depends on every tool call being captured. This fix closes an edge-case hole. + +**Risk:** Zero. Bugfix only. + +**Break probability:** **0%**. + +**File changes required:** none (free fix). + +--- + +### M4. `SDKStatus: 'requesting'` with `includePartialMessages` (0.2.108) + +New status emitted before each API request when `includePartialMessages: true`. + +**Current state (verified):** `src/server/agentStreamHandler.js:291` already sets `includePartialMessages: true`. We get the new status for free. + +**Benefit:** Frontend timeline can show "requesting API…" micro-status between tool calls and assistant responses. Minor UX polish. + +**Blast radius:** None required. Opt-in on the receiving end. + +**Break probability:** **0%**. + +**File changes required (optional):** +- `test/react-frontend/app.js` — add a timeline event type for `system.status === 'requesting'`. Cosmetic. + +--- + +### M5. `shouldQuery: false` on SDKUserMessage (0.2.110) + +Allows appending a user message without triggering an assistant turn. Useful for injecting context/memory/system notes. + +**Benefit:** Could simplify citation chat flows that currently overload the assistant with forced "acknowledged" turns. + +**Blast radius:** `src/server/citationChatRouter.js` (mounted when `CITATION_CHAT + EMBEDDING_PERSISTENCE` flags on). + +**Break probability:** **10%** if adopted without care. **0%** if left alone. + +**File changes required (optional, future):** investigate post-upgrade. + +--- + +## Still-Blocked Upstream (Keep Workarounds) + +### B1. Issue [#25 — `maxThinkingTokens` kills hooks](https://github.com/anthropics/claude-agent-sdk-typescript/issues/25) + +**Status (2026-04-24):** No resolution in 0.2.98–0.2.119 changelog. **Issue still open.** + +**Keep unchanged:** +- `src/server/claude-sdk-server.js:286–288` — the constraint comment block. Annotate: "Verified still blocked through 0.2.119 (2026-04-24)." +- `src/server/agentStreamHandler.js:285` — `thinking: { type: 'adaptive' }` without `maxThinkingTokens`. Keep. + +### B2. `task_progress` Yielded to Stdout Transport + +**Status:** Memory note says it's blocked through 0.2.97 per Exa audit. **Not explicitly addressed in 0.2.98–0.2.119 changelog.** + +**Action on upgrade:** Re-test live. The `SDKTaskProgressMessage` type is documented public API now ([TypeScript reference](https://code.claude.com/docs/id/agent-sdk/typescript)). If 0.2.119 emits them to stdout, the v4.12.0 live-streaming UI activates for free with zero code changes (DB persistence + frontend hydration already handle them). + +### B3. `defer_loading` on Agent SDK Path (Issue [#14](https://github.com/Number531/Legal-API/issues/14)) + +**Status:** No changelog mention. Still blocked. + +**Keep unchanged:** branch `origin/worktree-advanced-tool-calling` preserved. `SCOPED_MCP_SERVERS` flag remains the tradeoff lever. + +--- + +## Recommended Upgrade Order + +1. **Pre-flight (local):** + - Branch: `feat/sdk-0.2.119-upgrade`. + - Bump `package.json:56`: `@anthropic-ai/claude-agent-sdk` to `^0.2.119`. + - `npm install`; inspect `package-lock.json` diff for new optional deps. + - Verify no `env:` option has sneaked into SDK call sites: `grep -RnE 'agentQuery|query\(' src/ | grep -v test | xargs grep -l 'env:' || echo clean`. + - **Land the H2 CI guardrail (`scripts/check-sdk-env-safety.sh` + `lint:env-safety`) as part of this PR, not later.** It is a prerequisite for H0 Path C and costs almost nothing to add now. + +2. **Docker build test:** + - Build Docker image with current `npm ci --omit=dev --ignore-scripts --legacy-peer-deps` flags. + - Check `node_modules/@anthropic-ai/` for platform binary (`linux-x64`). + - If missing, apply Dockerfile fix from H3. + +3. **Staging smoke (Aperture tenant):** + - Deploy to staging GCE MIG. + - Run one memo end-to-end (SpaceX IPO or similar). + - Verify: hooks fire, subagents complete, MCP calls succeed across 30-min session, executive summary reads cleanly (H6 risk check). + +4. **Production rollout (single-tenant):** + - Monitor our existing OTel traces — confirm Express/HTTP/pg + our 10 manual spans still export cleanly. (Subprocess spans will **not** appear yet — H0 Path C enables that.) + - Monitor `cache_hit_rate` metric (if implemented in H5 Phase 2). + - Re-test `task_progress` live streaming — activate v4.12.0 UI if it works. + +5. **H0 Phase — Native CLI telemetry (Path C, separate PR, post-bake):** + - Add `CLAUDE_CODE_ENABLE_TELEMETRY=1` + `OTEL_METRICS_EXPORTER=otlp` + `OTEL_LOGS_EXPORTER=otlp` to Dockerfile ENV. + - Leave `OTEL_TRACES_EXPORTER` **unset** for now (skip beta spans to avoid nesting churn). + - Confirm H2 CI guardrail is active before deploying (prevents silent telemetry-kill from future `options.env` regressions). + - Deploy to staging; within 60s of a test request, query the collector for `claude_code.token.usage` and `claude_code.cost.usage`. Both should be populated. + - Build new Grafana panels for native metrics in parallel with existing custom panels. + - Dual emission is the target steady state, not a transition. Custom metrics stay indefinitely for the dimensions native cannot produce. Only track drift between the two cost sources as a data-quality signal. + +6. **H5 Phase 2 — Cache optimization (separate PR, post-bake):** + - Rework `getSystemPromptWithDate()` per H5. + - Validate savings in staging using `claude_code.cost.usage` (now authoritative) before ship. + +7. **H1 Phase — Enable CLI trace export (separate PR, post-H0, after evaluating beta stability):** + - Add `OTEL_TRACES_EXPORTER=otlp` + `CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1`. + - Verify spans nest correctly under our existing `api.stream` parent. + - Evaluate whether our custom `claude.tool`, `hook.subagent_start`, `hook.subagent_stop` spans remain valuable or are now duplicates. Plan staged removal in a follow-up. + +--- + +## Documentation Updates Required + +### `docs/pending-updates/` (this file) + +- This document. Keep current. + +### `company-strategy/system-design.md` + +- Line 121 — bump `@anthropic-ai/claude-agent-sdk 0.2.97` → `0.2.119`. +- Lines 2311–2318 — no new beta headers added in 0.2.98–0.2.119. No change. +- Lines 2324–2331 — add **new constraints**: + - "SDK 0.2.113+ propagates OTel trace context to CLI subprocess. Only materializes as visible subprocess spans if `CLAUDE_CODE_ENABLE_TELEMETRY=1` + `CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1` + `OTEL_TRACES_EXPORTER=otlp` are set (see H0 native-telemetry adoption plan)." + - "SDK 0.2.113+ `options.env` **replaces** `process.env` for the CLI subprocess. Always use `env: { ...process.env, MY_VAR: 'x' }`. Enforced by CI check `lint:env-safety`. Failure silently strips native CLI telemetry vars, not just auth." + - "SDK 0.2.113+ spawns a native Claude Code binary via per-platform `optionalDependencies`. Dockerfile must preserve optional deps during `npm ci`." + - "Claude Code CLI has built-in OTel instrumentation (`com.anthropic.claude_code` scope). Three signals: metrics, logs, traces (beta). Off by default. Enabling metrics + logs is recommended; traces gated on beta-stability evaluation." +- Line 2325 — annotate `maxThinkingTokens` note: "Verified still blocked through 0.2.119 (2026-04-24)." +- Lines 370–372 — note that `memo-executive-summary-writer` now resolves `'opus'` → Opus 4.7 on SDK 0.2.111+. + +### `CLAUDE.md` (project root) + +- Update SDK version line. Update pinned `claude-agent-sdk` reference. + +### Memory (`/Users/ej/.claude/projects/-Users-ej-Super-Legal/memory/`) + +- Update `MEMORY.md` v5.8.2 → v5.9.0 (or whatever post-upgrade tag lands). +- Add a new feedback memory: "SDK `options.env` replaces process.env since 0.2.113 — always spread process.env when passing env option. Post-H0 native telemetry adoption, a bad `env:` silently kills telemetry in addition to stripping auth — enforced by `lint:env-safety` CI check." +- Add a new reference memory: "Native Claude Code CLI OTel instrumentation (`com.anthropic.claude_code` scope) is available via the TypeScript SDK — confirmed by [agent-sdk/observability docs](https://code.claude.com/docs/en/agent-sdk/observability). Gated by `CLAUDE_CODE_ENABLE_TELEMETRY=1` + per-signal exporter env vars. See docs/pending-updates/April-2026-SDK-updates.md § H0." + +### `.claude/skills/deploy/SKILL.md` + +- Add native-binary verification step: `docker exec ls node_modules/@anthropic-ai/ | grep claude-code` post-deploy. +- Add native-telemetry verification step (once H0 Path C ships): within 60s of a test request, query the OTel collector for `claude_code.token.usage` and `claude_code.cost.usage` metrics; presence confirms CLI subprocess is exporting correctly. + +--- + +## Testing Checklist + +Before merging the upgrade PR: + +- [ ] `npm install` succeeds; lockfile diff reviewed. +- [ ] `grep -RnE 'agentQuery\(|query\(' src/` — confirm zero `env:` passes. +- [ ] Docker build on CI (linux/amd64) — `node_modules/@anthropic-ai/claude-code-linux-x64` (or equivalent) present. +- [ ] Container health check passes. +- [ ] Smoke test: health endpoint + SDK test endpoint + one research query. +- [ ] Full memo run in staging (SpaceX IPO style): 29 subagents, raw-source capture, hook persistence, OTel traces. +- [ ] Executive summary human QA vs. Opus 4.6 baseline (H6). +- [ ] Cache hit rate unchanged or improved (H5 baseline). +- [ ] OTel traces from our application code (Express/HTTP/pg + 10 manual spans) still export cleanly. *CLI subprocess spans do NOT appear yet — requires H0 Path C + H1 enablement, tracked separately.* +- [ ] `scripts/check-sdk-env-safety.sh` runs in CI and blocks unsafe `options.env` additions. +- [ ] Wave 3 compliance tables (`source_writes`, `access_log`, `human_interventions`, `pii_mappings`) still populated. +- [ ] `task_progress` live streaming — test once, capture result (activation opportunity). + +**H0 Path C (separate PR, post-upgrade):** +- [ ] Dockerfile `ENV` block adds `CLAUDE_CODE_ENABLE_TELEMETRY=1`, `OTEL_METRICS_EXPORTER=otlp`, `OTEL_LOGS_EXPORTER=otlp`. +- [ ] Collector receives `claude_code.token.usage` within 60s of a test request. +- [ ] Collector receives `claude_code.cost.usage` within 60s of a test request. +- [ ] Structured log events (`api_request`, `tool_result`) flowing to logs backend. +- [ ] CI guardrail (`lint:env-safety`) active — confirmed with a deliberate-violation test PR that fails. +- [ ] Dual emission verified: `claude_code.cost.usage` (USD) and our custom per-agent cost estimates track within 5% on a full memo run. Disagreement >5% investigated (likely our pricing table is stale, not a native bug). + +--- + +## GitHub References + +- [claude-agent-sdk-typescript CHANGELOG.md (main)](https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md) +- [v0.2.113 release notes](https://github.com/anthropics/claude-agent-sdk-typescript/releases/tag/v0.2.113) — biggest release +- [v0.2.119 release notes](https://github.com/anthropics/claude-agent-sdk-typescript/releases/tag/v0.2.119) +- [Agent SDK Observability doc (TypeScript example)](https://code.claude.com/docs/en/agent-sdk/observability) — authoritative for H0 +- [Claude Code Monitoring reference](https://docs.claude.com/en/docs/claude-code/monitoring-usage) — full env var + metric + event catalog +- [Issue #25 — maxThinkingTokens](https://github.com/anthropics/claude-agent-sdk-typescript/issues/25) (open, no fix) +- [Issue #58 — PostToolUse maxTurns](https://github.com/anthropics/claude-agent-sdk-typescript/issues/58) (closed 2026-04-05 in 0.2.92) +- [Issue #82 — Observability with OpenTelemetry](https://github.com/anthropics/claude-agent-sdk-typescript/issues/82) (stale "doesn't work" comment from Nov 2025, superseded by April 2026 docs) +- [Issue #136 — CLI rejects `OTEL_*_EXPORTER=none`](https://github.com/anthropics/claude-agent-sdk-typescript/issues/136) (wiring-level proof TS SDK reads OTel vars) +- [Issue #217 — `options.env` precedence over `~/.claude/settings.json`](https://github.com/anthropics/claude-agent-sdk-typescript/issues/217) (SDK team's architectural description of env pass-through; fix merged) +- [claude-code #15417 — metrics vs logs emission](https://github.com/anthropics/claude-code/issues/15417) +- [SDKTaskProgressMessage reference](https://code.claude.com/docs/id/agent-sdk/typescript) +- Internal: [Legal-API #14](https://github.com/Number531/Legal-API/issues/14) (defer_loading), [#66](https://github.com/Number531/Legal-API/issues/66) (MCP race, fixed in 0.2.97) + +--- + +## Open Questions for Follow-Up + +1. **`excludeDynamicSections` scope:** The changelog describes auto-memory segregation specifically. Can we repurpose it for our date-block prefix? **Needs TypeScript type inspection post-upgrade** before Phase 2. +2. **`task_progress` emission:** Does 0.2.119 now yield these to stdout? Only way to know is to upgrade and test. High-value if it works. +3. **Native binary distribution on single-tenant clients:** If Aperture adds clients on ARM Linux (uncommon) or Windows (not supported), the platform binary set must include them. Currently we only target `linux-x64`. +4. **Session transcripts via `sessionStore` (0.2.113 alpha):** Could replace our current session manifest pattern? Worth evaluating separately — not part of this upgrade. +5. **Native metric label cardinality (H0):** Do `claude_code.token.usage` / `claude_code.cost.usage` support custom dimensions (e.g., our `agent_type`, `session_key`)? If not, the cut-dimensionality loss vs. our hand-rolled metrics may argue for keeping a thin subset of custom metrics permanently. Verify empirically once Path C is live in staging. +6. **Per-tenant OTel attribution (H0):** When we add clients beyond Aperture, `OTEL_SERVICE_NAME=super-legal-` + `OTEL_RESOURCE_ATTRIBUTES=tenant.id=` should let a single shared collector separate traffic. Confirm the CLI honors these resource attributes (docs say yes; verify). +7. **Span topology under H1 enablement:** When `CLAUDE_CODE_ENHANCED_TELEMETRY_BETA=1` is eventually enabled, will native `claude_code.tool` spans collide with our custom `claude.tool` spans in `src/utils/sdkTracing.js:78`? Both may exist under the same `api.stream` parent with different names, which is acceptable but creates dashboard ambiguity. Plan for staged removal of custom duplicates. diff --git a/super-legal-mcp-refactored/package-lock.json b/super-legal-mcp-refactored/package-lock.json index 1f5e3b284..71617e658 100644 --- a/super-legal-mcp-refactored/package-lock.json +++ b/super-legal-mcp-refactored/package-lock.json @@ -9,7 +9,7 @@ "version": "5.0.0", "license": "MIT", "dependencies": { - "@anthropic-ai/claude-agent-sdk": "0.2.97", + "@anthropic-ai/claude-agent-sdk": "0.2.119", "@anthropic-ai/sdk": "^0.86.1", "@google-cloud/secret-manager": "^6.1.1", "@google-cloud/storage": "^7.19.0", @@ -54,36 +54,139 @@ } }, "node_modules/@anthropic-ai/claude-agent-sdk": { - "version": "0.2.97", - "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk/-/claude-agent-sdk-0.2.97.tgz", - "integrity": "sha512-754teaU0nfrn9BC0YWzPjSbJj253GfPUtuUnkrde7LGsaKtFSjEEuQJq5skJvpozqcn+B8frrtWVPkvFdnupTw==", + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk/-/claude-agent-sdk-0.2.119.tgz", + "integrity": "sha512-6AvthpsaOTlkn514brSGOcCSLHDXODnU+ExN1O3CJCjxr5RBcmzR057C9EIM0G7IchnXsRfMZgRO1QKsjTXdbA==", "license": "SEE LICENSE IN README.md", "dependencies": { - "@anthropic-ai/sdk": "^0.80.0", - "@modelcontextprotocol/sdk": "^1.27.1" + "@anthropic-ai/sdk": "^0.81.0", + "@modelcontextprotocol/sdk": "^1.29.0" }, "engines": { "node": ">=18.0.0" }, "optionalDependencies": { - "@img/sharp-darwin-arm64": "^0.34.2", - "@img/sharp-darwin-x64": "^0.34.2", - "@img/sharp-linux-arm": "^0.34.2", - "@img/sharp-linux-arm64": "^0.34.2", - "@img/sharp-linux-x64": "^0.34.2", - "@img/sharp-linuxmusl-arm64": "^0.34.2", - "@img/sharp-linuxmusl-x64": "^0.34.2", - "@img/sharp-win32-arm64": "^0.34.2", - "@img/sharp-win32-x64": "^0.34.2" + "@anthropic-ai/claude-agent-sdk-darwin-arm64": "0.2.119", + "@anthropic-ai/claude-agent-sdk-darwin-x64": "0.2.119", + "@anthropic-ai/claude-agent-sdk-linux-arm64": "0.2.119", + "@anthropic-ai/claude-agent-sdk-linux-arm64-musl": "0.2.119", + "@anthropic-ai/claude-agent-sdk-linux-x64": "0.2.119", + "@anthropic-ai/claude-agent-sdk-linux-x64-musl": "0.2.119", + "@anthropic-ai/claude-agent-sdk-win32-arm64": "0.2.119", + "@anthropic-ai/claude-agent-sdk-win32-x64": "0.2.119" }, "peerDependencies": { "zod": "^4.0.0" } }, + "node_modules/@anthropic-ai/claude-agent-sdk-darwin-arm64": { + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-darwin-arm64/-/claude-agent-sdk-darwin-arm64-0.2.119.tgz", + "integrity": "sha512-kxnG37SZqUata2Jcp/YQ0n9Y7o/sinE/8LdG4ltM1gePh+z+0Mfa4vBUUTEBMBFth9PTovKoesIuVuyFpvO/Cw==", + "cpu": [ + "arm64" + ], + "license": "SEE LICENSE IN LICENSE.md", + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/@anthropic-ai/claude-agent-sdk-darwin-x64": { + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-darwin-x64/-/claude-agent-sdk-darwin-x64-0.2.119.tgz", + "integrity": "sha512-9Aj8g3ELsmZuOFg17TCkikeg/Wt2ucVT8hOOPQUatzLd7BKhydrHLA0RP42nBpWECO1B/n/mPdQ4iS/LS3s2Fg==", + "cpu": [ + "x64" + ], + "license": "SEE LICENSE IN LICENSE.md", + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/@anthropic-ai/claude-agent-sdk-linux-arm64": { + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-arm64/-/claude-agent-sdk-linux-arm64-0.2.119.tgz", + "integrity": "sha512-v3o464XkiYehp/OKidQQirxdVb+aGSvdJvHF2zH9p33W8M/NC21zwwh4dhwDnKsyrtBIgkt2CcMwzIl30r0OtA==", + "cpu": [ + "arm64" + ], + "license": "SEE LICENSE IN LICENSE.md", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@anthropic-ai/claude-agent-sdk-linux-arm64-musl": { + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-arm64-musl/-/claude-agent-sdk-linux-arm64-musl-0.2.119.tgz", + "integrity": "sha512-IPGWgtz+gGnD7fxKAvSf913EUT/lYBTBE8EZ7lh3+x5ZP2859LWLmrCm053Lf3nMWo/CWikZsVPwkDVwpz6tIQ==", + "cpu": [ + "arm64" + ], + "license": "SEE LICENSE IN LICENSE.md", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@anthropic-ai/claude-agent-sdk-linux-x64": { + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-x64/-/claude-agent-sdk-linux-x64-0.2.119.tgz", + "integrity": "sha512-9ePt4ZN+hsqDw4AgS4KtcWIGKfL9Oq28kwkrTER/QAcSrVKxiLonp81cCLzg7Ok/IUJu4Cfd71GZbFv/WE54zw==", + "cpu": [ + "x64" + ], + "license": "SEE LICENSE IN LICENSE.md", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@anthropic-ai/claude-agent-sdk-linux-x64-musl": { + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-linux-x64-musl/-/claude-agent-sdk-linux-x64-musl-0.2.119.tgz", + "integrity": "sha512-QYxFNAe4FFridPkKhGlNcNBJ0TaIygWYyvfI9g4kX0i+RVbresUWuZVkWY06ioJ0fXoixFJ+HNQBMB7dLrIp8Q==", + "cpu": [ + "x64" + ], + "license": "SEE LICENSE IN LICENSE.md", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@anthropic-ai/claude-agent-sdk-win32-arm64": { + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-win32-arm64/-/claude-agent-sdk-win32-arm64-0.2.119.tgz", + "integrity": "sha512-p/TjcKQvkCYtXGPlR+mdyNwqCmvRcQL34Wtq0yUZ+iqmI/eyCe59IJ3AZrE0EZoqmiAevEYzatPIt9sncC9uxw==", + "cpu": [ + "arm64" + ], + "license": "SEE LICENSE IN LICENSE.md", + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/@anthropic-ai/claude-agent-sdk-win32-x64": { + "version": "0.2.119", + "resolved": "https://registry.npmjs.org/@anthropic-ai/claude-agent-sdk-win32-x64/-/claude-agent-sdk-win32-x64-0.2.119.tgz", + "integrity": "sha512-k98Ju0wtktm6FhqTE/cXlVr6K4kGqBolVjEGzeKkW6ZILc7124euwNapAvkQCwMAavAxS/ZnO3jdKMtHtwTVTA==", + "cpu": [ + "x64" + ], + "license": "SEE LICENSE IN LICENSE.md", + "optional": true, + "os": [ + "win32" + ] + }, "node_modules/@anthropic-ai/claude-agent-sdk/node_modules/@anthropic-ai/sdk": { - "version": "0.80.0", - "resolved": "https://registry.npmjs.org/@anthropic-ai/sdk/-/sdk-0.80.0.tgz", - "integrity": "sha512-WeXLn7zNVk3yjeshn+xZHvld6AoFUOR3Sep6pSoHho5YbSi6HwcirqgPA5ccFuW8QTVJAAU7N8uQQC6Wa9TG+g==", + "version": "0.81.0", + "resolved": "https://registry.npmjs.org/@anthropic-ai/sdk/-/sdk-0.81.0.tgz", + "integrity": "sha512-D4K5PvEV6wPiRtVlVsJHIUhHAmOZ6IT/I9rKlTf84gR7GyyAurPJK7z9BOf/AZqC5d1DhYQGJNKRmV+q8dGhgw==", "license": "MIT", "dependencies": { "json-schema-to-ts": "^3.1.1" @@ -1367,310 +1470,6 @@ "hono": "^4" } }, - "node_modules/@img/sharp-darwin-arm64": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.34.5.tgz", - "integrity": "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==", - "cpu": [ - "arm64" - ], - "license": "Apache-2.0", - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - }, - "optionalDependencies": { - "@img/sharp-libvips-darwin-arm64": "1.2.4" - } - }, - "node_modules/@img/sharp-darwin-x64": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.34.5.tgz", - "integrity": "sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==", - "cpu": [ - "x64" - ], - "license": "Apache-2.0", - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - }, - "optionalDependencies": { - "@img/sharp-libvips-darwin-x64": "1.2.4" - } - }, - "node_modules/@img/sharp-libvips-darwin-arm64": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.2.4.tgz", - "integrity": "sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==", - "cpu": [ - "arm64" - ], - "license": "LGPL-3.0-or-later", - "optional": true, - "os": [ - "darwin" - ], - "funding": { - "url": "https://opencollective.com/libvips" - } - }, - "node_modules/@img/sharp-libvips-darwin-x64": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.2.4.tgz", - "integrity": "sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==", - "cpu": [ - "x64" - ], - "license": "LGPL-3.0-or-later", - "optional": true, - "os": [ - "darwin" - ], - "funding": { - "url": "https://opencollective.com/libvips" - } - }, - "node_modules/@img/sharp-libvips-linux-arm": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.2.4.tgz", - "integrity": "sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==", - "cpu": [ - "arm" - ], - "license": "LGPL-3.0-or-later", - "optional": true, - "os": [ - "linux" - ], - "funding": { - "url": "https://opencollective.com/libvips" - } - }, - "node_modules/@img/sharp-libvips-linux-arm64": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.2.4.tgz", - "integrity": "sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==", - "cpu": [ - "arm64" - ], - "license": "LGPL-3.0-or-later", - "optional": true, - "os": [ - "linux" - ], - "funding": { - "url": "https://opencollective.com/libvips" - } - }, - "node_modules/@img/sharp-libvips-linux-x64": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.2.4.tgz", - "integrity": "sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==", - "cpu": [ - "x64" - ], - "license": "LGPL-3.0-or-later", - "optional": true, - "os": [ - "linux" - ], - "funding": { - "url": "https://opencollective.com/libvips" - } - }, - "node_modules/@img/sharp-libvips-linuxmusl-arm64": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.2.4.tgz", - "integrity": "sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==", - "cpu": [ - "arm64" - ], - "license": "LGPL-3.0-or-later", - "optional": true, - "os": [ - "linux" - ], - "funding": { - "url": "https://opencollective.com/libvips" - } - }, - "node_modules/@img/sharp-libvips-linuxmusl-x64": { - "version": "1.2.4", - "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.2.4.tgz", - "integrity": "sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==", - "cpu": [ - "x64" - ], - "license": "LGPL-3.0-or-later", - "optional": true, - "os": [ - "linux" - ], - "funding": { - "url": "https://opencollective.com/libvips" - } - }, - "node_modules/@img/sharp-linux-arm": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.34.5.tgz", - "integrity": "sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==", - "cpu": [ - "arm" - ], - "license": "Apache-2.0", - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - }, - "optionalDependencies": { - "@img/sharp-libvips-linux-arm": "1.2.4" - } - }, - "node_modules/@img/sharp-linux-arm64": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.34.5.tgz", - "integrity": "sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==", - "cpu": [ - "arm64" - ], - "license": "Apache-2.0", - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - }, - "optionalDependencies": { - "@img/sharp-libvips-linux-arm64": "1.2.4" - } - }, - "node_modules/@img/sharp-linux-x64": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.34.5.tgz", - "integrity": "sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==", - "cpu": [ - "x64" - ], - "license": "Apache-2.0", - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - }, - "optionalDependencies": { - "@img/sharp-libvips-linux-x64": "1.2.4" - } - }, - "node_modules/@img/sharp-linuxmusl-arm64": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.34.5.tgz", - "integrity": "sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==", - "cpu": [ - "arm64" - ], - "license": "Apache-2.0", - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - }, - "optionalDependencies": { - "@img/sharp-libvips-linuxmusl-arm64": "1.2.4" - } - }, - "node_modules/@img/sharp-linuxmusl-x64": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.34.5.tgz", - "integrity": "sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==", - "cpu": [ - "x64" - ], - "license": "Apache-2.0", - "optional": true, - "os": [ - "linux" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - }, - "optionalDependencies": { - "@img/sharp-libvips-linuxmusl-x64": "1.2.4" - } - }, - "node_modules/@img/sharp-win32-arm64": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-win32-arm64/-/sharp-win32-arm64-0.34.5.tgz", - "integrity": "sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==", - "cpu": [ - "arm64" - ], - "license": "Apache-2.0 AND LGPL-3.0-or-later", - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - } - }, - "node_modules/@img/sharp-win32-x64": { - "version": "0.34.5", - "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.34.5.tgz", - "integrity": "sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==", - "cpu": [ - "x64" - ], - "license": "Apache-2.0 AND LGPL-3.0-or-later", - "optional": true, - "os": [ - "win32" - ], - "engines": { - "node": "^18.17.0 || ^20.3.0 || >=21.0.0" - }, - "funding": { - "url": "https://opencollective.com/libvips" - } - }, "node_modules/@isaacs/cliui": { "version": "8.0.2", "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", diff --git a/super-legal-mcp-refactored/package.json b/super-legal-mcp-refactored/package.json index 23cdfd1fd..7ec750913 100644 --- a/super-legal-mcp-refactored/package.json +++ b/super-legal-mcp-refactored/package.json @@ -53,7 +53,7 @@ }, "homepage": "https://github.com/Number531/Legal-API#readme", "dependencies": { - "@anthropic-ai/claude-agent-sdk": "0.2.97", + "@anthropic-ai/claude-agent-sdk": "0.2.119", "@anthropic-ai/sdk": "^0.86.1", "@google-cloud/secret-manager": "^6.1.1", "@google-cloud/storage": "^7.19.0",