docs(sdk): README honesty pass — counts, audit chain, limitations#11
Merged
- 12 framework integrations (was "10"): 10 featured + MCP toolkit + Bedrock.
- 47 export paths (was "44"); plugin export list now lists all 16 paths (mcp-allowlist and mcp-call-recorder were missing).
- 1,340 tests (was "1,328").
- Tamper-evident audit chain promoted to a hero callout — it's a competitive moat per the comparison table and was buried at line ~297.
- Sandboxing reframed: leads with "Process isolation is the security model" instead of "No sandbox," same disclaimer but no longer reads as scope-gap.
- "What this is NOT" → "Limitations & Honest Scope" — same content, less awkward heading for procurement readers.
- Multi-modal disclaimer reframed as opt-in roadmap (cost/latency/egress reasons mean it ships opt-in, not on-by-default).

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
The repo treats root README as source of truth and generates packages/governance/README.md from it via scripts/sync-readme.mjs at prepublish + CI. The original commit on this branch only edited the package README directly, which CI flagged as drift on PR #11.

This commit:
- Re-applies all the honesty-pass edits to README.md (the source).
- Runs sync-readme.mjs to regenerate packages/governance/README.md with the absolute GitHub URL transforms applied.

Same edits as the original 55d860f, just now on the right file: 12 framework integrations / 47 export paths / 1,340 tests / promoted audit-chain hero / sandbox reframe / Limitations & Honest Scope / multi-modal opt-in framing / full plugin export list including mcp-allowlist + mcp-call-recorder.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
55d860f to 8ab40f5
scotty595 added a commit that referenced this pull request, Apr 30, 2026
…y pass

The auto-generated release notes only covered #9 (tool-result adapters). Code for #10 (multi-modal scan) and #11 (README honesty pass) shipped in 0.15.0 but neither got a CHANGELOG entry — the auto-release pulled from CHANGELOG.md so the GitHub Release body and the npm-displayed changelog were both incomplete.

This commit extends the 0.15.0 entry with both missing sections. GitHub Release body has been updated to match. No code change; documentation only.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Summary
mcp-allowlist and mcp-call-recorder.

Why now
Independent audit flagged that the published metrics undersell the actual codebase and that the audit-chain feature (a real competitive differentiator) is buried. Pure documentation; zero functional change.
Risk
None. README-only diff. No code changes, no test changes, no exports changed.
Test plan
npm run lint passes by construction

🤖 Generated with Claude Code
Note
Low Risk
README-only changes that adjust messaging, counts, and scope disclaimers without modifying runtime behavior or APIs.
Overview
Highlights tamper-evident HMAC audit chaining as a first-class differentiator in both READMEs (new callout near the top).
Refreshes documentation claims to match the current SDK surface: updates framework integration count (10 → 12), export-path count (44 → 47), and test count (1,328 → 1,340), and expands the listed plugin export paths to explicitly include additional MCP-related exports.
Reframes the “what this is not” section as Limitations & Honest Scope, clarifying that process isolation (not node:vm) is the security model, and updates the multi-modal scanning disclaimer to emphasize opt-in, per-modality scanning as a roadmap item rather than on-by-default behavior.

Reviewed by Cursor Bugbot for commit 8ab40f5.