
update cl#81

Merged
rachellerathbone merged 1 commit into main from cl2
Mar 22, 2026

Conversation

@rachellerathbone
Contributor

What

One-sentence summary of this PR.

Why

What problem this solves.

How

Brief technical approach.

Testing

What you tested and how to verify locally.

Checklist

  • Follows the 7.04 open-source readiness checklist in project instructions
  • No hardcoded secrets or internal-only references in user-facing content
  • Lint, typecheck, and build pass locally
  • Internal links and changed pages verified

What

Brief description of changes

Why

Why this change was needed

Testing

How to verify the changes

@vercel

vercel bot commented Mar 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| multicorn-learn | Ready | Preview, Comment | Mar 22, 2026 11:52pm |


@github-actions

multicorn-ops review

| Persona | Role | Primary | Status | Summary |
|---|---|---|---|---|
| Jordan | Security Auditor | yes | Concern | The prebuild script fetches and executes remote content at build time, creating a supply-chain risk and potential for injecting malicious changelog entries into the build artifact. |
| Priya | Open Source Contributor | yes | Concern | The new fetch-changelog script is useful but lacks tests, has no documented way to run it locally in isolation, and the changelog.json now has a dual-source-of-truth problem. |
| Marcus | Design-Conscious Developer | yes | Passed | No UI changes in this diff; changelog content improvements are backend/data only and do not affect rendered UI quality. |
| Sarah | Non-Technical Decision-Maker | yes | Concern | Several changelog entries contain developer jargon that would confuse a non-technical reader evaluating the product. |
| The Team | Acquisition Due Diligence | yes | Concern | The prebuild network fetch introduces a build-time external dependency with no integrity verification, and the changelog.json committed fallback creates a dual-source-of-truth that complicates reproducible builds. |
| Alex | Accessibility Advocate | no | Passed | No UI, HTML, or accessibility-relevant changes in this diff. |
| Yuki | International User | yes | Concern | Several changelog entries contain internal code identifiers and regex literals that are not understandable to a non-native English reader using the product. |

Concerns

Jordan (Security Auditor)

  • scripts/fetch-changelog.mjs:13 - CHANGELOG_URL points to a raw GitHub URL over HTTPS, but there is no integrity check (e.g. subresource integrity hash or pinned commit SHA). A compromised upstream repo or MITM could inject arbitrary content into the build. Pin to a specific commit SHA instead of 'main'.
  • scripts/fetch-changelog.mjs:100 - Parsed markdown content is written directly to disk and then consumed by the Next.js build with no sanitization. If changelog entries contain script tags or injection payloads they will be embedded in the built site. Sanitize or escape all string values before writing.
  • scripts/fetch-changelog.mjs:1 - This script runs as a prebuild hook in CI and production builds (package.json). An attacker who can push to the upstream GitHub repo's main branch can influence what is written to content/changelog.json before the build completes. The graceful-exit-on-failure pattern makes this silent.
  • package.json:11 - Adding a prebuild hook that performs an outbound network fetch means production build environments need egress to raw.githubusercontent.com. This may violate network isolation policies in regulated environments and should be explicitly documented.

Priya (Open Source Contributor)

  • scripts/fetch-changelog.mjs:1 - There are no tests for parseKeepAChangelog. Edge cases like multi-line bullet items, nested lists, or malformed version headers are handled silently. A unit test file would make this safer to modify.
  • content/changelog.json:1 - The file is both committed (serving as a fallback) and overwritten at build time. The README or a comment should explain which is the source of truth and when the committed version should be manually updated.
  • package.json:11 - Running 'pnpm build' in an offline environment will silently fall through to the committed changelog.json without any indication. A SKIP_FETCH_CHANGELOG env var escape hatch would make this more contributor-friendly.

Sarah (Non-Technical Decision-Maker)

  • content/changelog.json:14 - 'Agent name validation: must match /^[a-zA-Z0-9_-]+$/ before use in config files' — a regex pattern in user-facing copy is confusing for non-developers. Rephrase as 'Agent names may only contain letters, numbers, hyphens, and underscores'.
  • content/changelog.json:1 - Entries reference internal identifiers like 'ShieldAuthError', 'buildInternalErrorResponse', 'resolveAgentRecord', and '-32000 JSON-RPC error codes'. If this changelog is shown in the product dashboard or marketing site, these entries will erode trust with non-technical buyers.
  • content/changelog.json:1 - Version 0.1.12 previously had a human-readable note ('Version bump only (failed publish on 0.1.11)') that has been removed and replaced with empty arrays, losing the explanatory context entirely.

The Team (Acquisition Due Diligence)

  • scripts/fetch-changelog.mjs:13 - Fetching from 'main' branch at build time makes builds non-reproducible. Two builds of the same commit can produce different output. Pin to a commit SHA or tag for deterministic builds.
  • scripts/fetch-changelog.mjs:1 - No timeout is set on the fetch call. In a slow network environment the prebuild step can hang indefinitely, blocking CI. Add an AbortController with a reasonable timeout (e.g. 10s).
  • content/changelog.json:1 - The committed file will diverge from the fetched upstream over time, making git blame and code review misleading. Consider either removing the committed file and requiring network access, or removing the fetch and committing updates explicitly.
  • scripts/fetch-changelog.mjs:85 - Multi-line bullet continuation logic (appending to the last array element) is fragile and untested. A blank line between continuation lines would silently produce malformed entries.

Yuki (International User)

  • content/changelog.json:14 - '/^[a-zA-Z0-9_-]+$/' is a regex literal in a user-visible string. Non-native readers cannot understand what characters are valid. Replace with plain English: 'letters, numbers, hyphens, and underscores only'.
  • content/changelog.json:1 - Entries like 'extractServiceFromToolName/extractActionFromToolName underscore-split replaced with explicit mapMcpToolToScope lookup table' are implementation details with no actionable meaning for SDK users. These should either be removed from the public changelog or rewritten in plain English.
  • content/changelog.json:1 - 'falls back to manual on invalid JSON or user skip' — the phrase 'user skip' is ambiguous. Does it mean the user pressed Cancel, or skipped a step? Prefer 'if the user skips the wizard step'.

Open-Source Readiness Checklist

Code Quality

  • All functions have clear, descriptive names — Functions parseKeepAChangelog and main are clearly named; regex variables are descriptively named.
  • No hardcoded secrets, API keys, internal URLs, or employee names in code or comments — CHANGELOG_URL points to a public GitHub raw URL; no secrets or internal URLs present.
  • No // TODO without a public issue reference — No TODO comments found in the diff.
  • No commented-out code blocks — No commented-out code blocks present.
  • No debug logging (console.log, println) left in — Only console.warn used for legitimate failure-path warnings, not debug logging.
  • All any types eliminated (TypeScript) — Script is plain .mjs JavaScript with JSDoc annotations; no TypeScript any types involved.
  • Error handling is complete — no swallowed exceptions, no empty catch blocks — All catch blocks log a warning and exit 0 gracefully with the fallback file intact; intentional and documented behavior.
  • No Atlassian-internal references, no proprietary patterns or terminology — No Atlassian-internal references found.

Testing

  • All new code has tests — The new fetch-changelog.mjs script (parsing logic, fetch error handling, file-writing) has no accompanying test file in the diff.
  • [~] Coverage meets or exceeds repo minimum — Cannot determine coverage metrics from the diff alone.
  • [~] Tests pass locally and in CI — CI results are not visible in the diff.
  • Edge cases and error paths are tested — Edge cases for parseKeepAChangelog (malformed markdown, missing dates, multi-line entries, Unreleased section) are not tested in the diff.
  • [~] No flaky tests — No tests added; cannot assess flakiness.

Security

  • No secrets in code, comments, config files, or git history — No secrets detected.
  • [~] All user input is validated — Script fetches from a fixed URL with no user input; not applicable.
  • [~] Dependencies audited — no known vulnerabilities — No new dependencies introduced; cannot assess from diff alone.
  • HTTPS enforced for all external communication — CHANGELOG_URL uses https://.
  • API keys/tokens never logged — No API keys or tokens are used or logged.

Documentation

  • [~] README.md is accurate and up to date — README.md not modified in this diff; cannot confirm accuracy.
  • [~] CONTRIBUTING.md is accurate and up to date — CONTRIBUTING.md not present in the diff.
  • CHANGELOG.md updated with this change — The changelog.json is updated with product changes, but the addition of the fetch-changelog.mjs build script itself is not recorded as a changelog entry.
  • New public APIs have JSDoc/KDoc with examples — parseKeepAChangelog has a JSDoc comment with type annotations; main is a build script, not a public API.
  • [~] Any new config options are documented — No new config options introduced; the prebuild script is self-contained.
  • [~] Architecture decisions documented in ADR if significant — Adding a changelog fetch script is minor; ADR may not be required, but cannot confirm from diff alone.

Open Source Hygiene

  • Licence header present in source files (if required by licence) — The new fetch-changelog.mjs file has no licence header; other source files in the repo may require one.
  • [~] CODE_OF_CONDUCT.md present — Cannot determine presence from this diff alone.
  • [~] Issue templates are current — Not visible in this diff.
  • [~] PR template is current — Not visible in this diff.
  • No internal company references or links — References are to public Multicorn-AI GitHub organization; no internal company links.
  • Package name and description are correct in package.json — package.json change only adds a prebuild script entry; no name or description changes.
  • [~] Repository topics/tags are set on GitHub — Cannot determine from the diff.

Advisory only. Does not block merge. Actions logged to Shield as pr_review and oss_check.

@rachellerathbone rachellerathbone merged commit 4551fdf into main Mar 22, 2026
7 checks passed