Number531 · Number531 · Apr 24, 2026 · Apr 24, 2026
diff --git a/super-legal-mcp-refactored/CHANGELOG.md b/super-legal-mcp-refactored/CHANGELOG.md
@@ -2,6 +2,43 @@
 
 All notable changes to the Super Legal MCP Server are documented in this file.
 
+## [6.3.0] - 2026-04-24
+
+### Upgraded — `@anthropic-ai/claude-agent-sdk` 0.2.97 → 0.2.119
+
+Absorbs 22 point releases covering security, correctness, and observability improvements. Probe (2026-04-24) confirmed the new per-platform native binary packaging (0.2.113+) is safe with our existing `npm ci --omit=dev --ignore-scripts --legacy-peer-deps` Dockerfile command — no build changes required.
+
+**Key changes captured by the bump:**
+
+- **Security**: Resolves GHSA-5474-4w2j-mq4c (via transitive SDK 0.2.101 bump of `@anthropic-ai/sdk` to ^0.81.0 and `@modelcontextprotocol/sdk` to ^1.29.0 inside the Agent SDK). Our direct `@anthropic-ai/sdk` pin at ^0.86.1 was already past the fix, but the transitive path through 0.2.97 was still exposed.
+- **MCP reliability**: Long-running sessions now auto-reconnect claude.ai-proxied MCP servers after transport-stream abort (0.2.119). Directly benefits 30-minute memo sessions with 25 domain MCP servers.
+- **MCP cleanup**: Fixed orphan child processes on `query()` end (0.2.94).
+- **Hook correctness**: `PostToolUse` now fires on the last tool call when `maxTurns` is hit (0.2.92, closes upstream issue #58). Closes an edge-case hole in Wave 1 raw-source capture.
+- **Content correctness**: CJK/UTF-8 multibyte-at-chunk-boundary corruption fixed (0.2.94). Affects ECHR / EUR-Lex / EPO international legal content pipelines.
+- **Model support**: Opus 4.7 now available; SDK 0.2.111+ resolves the `'opus'` shorthand to the latest version. `memo-executive-summary-writer` auto-promotes from Opus 4.6 → 4.7. Policy decision: keep shorthand, do not pin — future major model versions auto-upgrade on subsequent SDK bumps.
+- **Native binary packaging (0.2.113)**: SDK now ships the Claude Code CLI as per-platform `optionalDependencies` (`@anthropic-ai/claude-agent-sdk-{platform}`). Our Debian glibc base image (`node:22-slim`) pulls the `-linux-x64-glibc` variant via npm's `os`/`cpu`/`libc` filtering. Binary ships pre-chmodded (0755); no postinstall scripts required; `--ignore-scripts` is a non-issue. PR [claude-code-action#1235](https://github.com/anthropics/claude-code-action/pull/1235)'s bun/musl failure modes do not apply to our build.
+- **OTel trace context propagation (0.2.113)**: `TRACEPARENT`/`TRACESTATE` now forwarded into the CLI subprocess. No activation in this bump (CLI subprocess spans require separate `CLAUDE_CODE_ENABLE_TELEMETRY=1` + beta flag, tracked as a follow-up PR).
+
+**Upstream issues still blocked:**
+
+- [anthropics/claude-agent-sdk-typescript#25](https://github.com/anthropics/claude-agent-sdk-typescript/issues/25) — `maxThinkingTokens` breaks all hooks. Verified still unresolved through 0.2.119 (2026-04-24). Continue omitting the parameter; adaptive thinking is native on Sonnet 4.6 / Opus 4.6+.
+- Internal [#14](https://github.com/Number531/Legal-API/issues/14) — `defer_loading` not yet supported on the Agent SDK path. `SCOPED_MCP_SERVERS` remains the available tradeoff lever.
+
+### Updated — Documentation
+
+- `README.md` — SDK version pin reference.
+- `company-strategy/system-design.md` — dependency tree (line 121) + appendix version matrix.
+- `company-strategy/enterprise-necessities.md` — platform version header + tech stack table.
+- `docs/citation-chat-router-sdk-alignment.md` — version header.
+- `docs/pending-updates/execution-gke-migration.md` — package.json reference list.
+- `docs/pending-updates/April-2026-SDK-updates.md` — H3 risk downgrade (HIGH → LOW, verified by 2026-04-24 probe) + TL;DR correction.
+
+### Follow-ups scheduled separately
+
+- **H0 native CLI telemetry** (`CLAUDE_CODE_ENABLE_TELEMETRY` + `OTEL_METRICS_EXPORTER` + `OTEL_LOGS_EXPORTER`) — additive to existing Wave 3 custom instrumentation, not substitutive. Planned post-bake.
+- **H2 CI guardrail** (`scripts/check-sdk-env-safety.sh`) — prerequisite for H0; prevents unsafe `options.env` usage from silently stripping telemetry env vars.
+- **H5 `excludeDynamicSections`** — prompt-cache optimization for multi-turn memo sessions. Requires reworking `getSystemPromptWithDate()`.
+
 ## [6.2.2] - 2026-04-21
 
 ### Added — Manual OpenTelemetry spans on raw source pipeline

diff --git a/super-legal-mcp-refactored/README.md b/super-legal-mcp-refactored/README.md
@@ -146,7 +146,7 @@ node index.js
 - **Interleaved thinking**: Beta header retained for Sonnet 4.5 backward compatibility via `SDK_MODEL` env override.
 - **1M context**: Enabled via `context-1m-2025-08-07` beta on the orchestrator; inherited by all subagents.
 - **Effort control**: Supported on Sonnet 4.6, Opus 4.5/4.6. Not supported on Sonnet 4.5 (beta header is inert).
-- **SDK versions**: `@anthropic-ai/sdk` ^0.86.1, `@anthropic-ai/claude-agent-sdk` 0.2.97, `zod` 4.3.6
+- **SDK versions**: `@anthropic-ai/sdk` ^0.86.1, `@anthropic-ai/claude-agent-sdk` 0.2.119, `zod` 4.3.6
 - **Rollback**: Set `SDK_MODEL=claude-sonnet-4-5-20250929` to revert orchestrator instantly (env override, no code change).
 
 ### Prompt Architecture — Split Prompts (v3.2.0)

diff --git a/super-legal-mcp-refactored/company-strategy/enterprise-necessities.md b/super-legal-mcp-refactored/company-strategy/enterprise-necessities.md
@@ -1,6 +1,6 @@
 # Aperture — Enterprise Deployment Readiness
 
-> **Platform Version**: v6.2.3 (Agent SDK 0.2.97, Anthropic SDK 0.86.1)
+> **Platform Version**: v6.2.3 (Agent SDK 0.2.119, Anthropic SDK 0.86.1)
 > **Date**: 2026-04-22 (updated with Wave 3 EU AI Act Article 12 + Article 14 + GDPR Article 17 compliance artifacts)
 > **Deployment**: GCP/GCE single-tenant, us-east1-c, n2-standard-2 (8 GB RAM)
 > **AI Inference**: Migrating to GCP Vertex AI (native Anthropic Claude support) — zero data egress
@@ -643,7 +643,7 @@ Zero-downtime deployments via MIG rolling update:
 |---|---|---|---|
 | Runtime | Node.js | 22 (slim) | Server runtime |
 | Framework | Express.js | 4.19+ | HTTP server, SSE streaming, routing |
-| AI orchestration | Claude Agent SDK | 0.2.97 | Multi-agent dispatch, hooks, MCP tools |
+| AI orchestration | Claude Agent SDK | 0.2.119 | Multi-agent dispatch, hooks, MCP tools |
 | AI inference | **GCP Vertex AI** (Anthropic Claude) | Sonnet 4.6 | Orchestrator + subagent reasoning (migrating from direct API to Vertex) |
 | AI inference (enhancement) | Claude Haiku 4.5 via Vertex AI | — | Prompt enhancement with web search |
 | Database | PostgreSQL | 16 | Session data, reports, audit logs |

diff --git a/super-legal-mcp-refactored/company-strategy/system-design.md b/super-legal-mcp-refactored/company-strategy/system-design.md
@@ -118,7 +118,7 @@ Express App
   |
   |-- Anthropic Client
       |-- @anthropic-ai/sdk ^0.86.1
-      |-- @anthropic-ai/claude-agent-sdk 0.2.97
+      |-- @anthropic-ai/claude-agent-sdk 0.2.119
       |-- Default betas: context-1m, interleaved-thinking, effort
 ```
 
@@ -2335,7 +2335,7 @@ When `DOCUMENT_PROCESSING=true`, two sequential `agentQuery()` calls run (P0 + m
 | Package | Version | Notes |
 |---------|---------|-------|
 | `@anthropic-ai/sdk` | ^0.86.1 | Messages API, streaming, batches |
-| `@anthropic-ai/claude-agent-sdk` | 0.2.97 | agentQuery, MCP, hooks, subagents |
+| `@anthropic-ai/claude-agent-sdk` | 0.2.119 | agentQuery, MCP, hooks, subagents |
 | `zod` | 4.3.6 | Schema validation |
 | `express` | latest | HTTP server |
 | `multer` | latest | File upload handling |