Release/v0.6.2#91

Merged
rachellerathbone merged 3 commits into main from release/v0.6.2
Apr 9, 2026

Conversation

@rachellerathbone (Contributor)

What

Brief description of changes

Why

Why this change was needed

How

Brief technical approach

Testing

How to verify the changes

@github-actions
github-actions bot commented Apr 9, 2026

multicorn-ops review

| Persona | Role | Primary | Status | Summary |
|---|---|---|---|---|
| Jordan | Security Auditor | yes | Concern | HTTPS validation error messages were changed to not leak URLs, which is good, but the CHANGELOG itself surfaces internal config paths and API endpoint defaults that warrant scrutiny. |
| Priya | Open Source Contributor | yes | Concern | The entire CHANGELOG has been re-indented with 4-space leading whitespace, which will render incorrectly on GitHub and break standard Markdown parsers. |
| Marcus | Design-Conscious Developer | no | Passed | No UI or frontend changes are visible in the truncated diff. |
| Sarah | Non-Technical Decision-Maker | no | Concern | The CHANGELOG is the only user-facing document visible, and its 4-space indentation bug means it will render as a code block, a poor first impression for anyone reading the release notes. |
| The Team | Acquisition Due Diligence | yes | Concern | The diff is truncated so implementation cannot be evaluated, the CHANGELOG formatting regression is a hygiene red flag, and three version numbers were skipped (0.3.0, 0.5.0) suggesting an unstable release process. |
| Alex | Accessibility Advocate | no | Passed | No UI or HTML changes are visible in the truncated diff. |
| Yuki | International User | yes | Concern | The CHANGELOG rendering bug will make release notes unreadable as formatted text, and some changelog entries mix internal implementation names with user-facing descriptions without explanation. |

Concerns

Jordan (Security Auditor)

  • CHANGELOG.md - The changelog documents that HTTPS validation error messages 'no longer include the actual URL value' — this is a positive change, but the PR diff does not include the source code implementing this; cannot verify the fix is actually applied.
  • CHANGELOG.md - Default API base URL 'https://api.multicorn.ai' is hardcoded and documented publicly. Confirm that DEFAULT_SHIELD_API_BASE_URL is not also baked into distributed binaries in a way that bypasses enterprise override via env var or config.
  • CHANGELOG.md - Diff is truncated at 31,838 characters — actual source changes (URL validation, sanitisation logic, fail-closed behaviour) are not visible. A security review cannot be completed on changelog text alone; the underlying implementation files must be included.

Priya (Open Source Contributor)

  • CHANGELOG.md:1 - Every line in the new CHANGELOG has been indented with 4 leading spaces. In Markdown, 4-space indentation renders as a code block, not prose. The headings, bullet lists, and version sections will all display as raw preformatted text on GitHub and npm.
  • CHANGELOG.md - A new version entry '0.6.2' was added but the '[Unreleased]' section has been removed entirely. Keeping an [Unreleased] section is the Keep a Changelog convention this file claims to follow.
  • CHANGELOG.md - Diff is truncated — cannot confirm whether tests exist for new helpers (readBaseUrlFromConfig, parseConfigFile, isAllowedShieldApiBaseUrl). No test files are visible in this PR.

Sarah (Non-Technical Decision-Maker)

  • CHANGELOG.md:1 - Due to the 4-space indent, GitHub will render the entire changelog as a monospace code block. Anyone visiting the repo to evaluate the product will see unformatted wall-of-text release notes, which undermines trust.

The Team (Acquisition Due Diligence)

  • CHANGELOG.md:1 - Wholesale 4-space re-indentation of the entire CHANGELOG suggests an editor misconfiguration or a bulk find-replace gone wrong. This is a low-signal but real indicator of insufficient pre-commit checks (no markdownlint or prettier in CI, or hooks not enforced).
  • CHANGELOG.md - Versions 0.3.0 and 0.5.0 are explicitly documented as skipped due to tooling errors. Double-bumping a semver is a release automation reliability concern and suggests the release pipeline needs hardening before scale.
  • CHANGELOG.md - Diff truncated at ~31K chars — the actual source code changes are not reviewable. Architecture consistency, test coverage, and dependency hygiene cannot be assessed from changelog text alone. Full diff must be provided for due diligence.
  • CHANGELOG.md - Multiple features added, changed, and reverted within the same day (0.4.0, 0.5.0 skipped, 0.6.0, 0.6.1, 0.6.2 all on 2026-04-08/09) indicates a high churn / unstable iteration pattern that is a tech debt signal.

Yuki (International User)

  • CHANGELOG.md:1 - 4-space indent causes the entire file to render as a code block on GitHub. Non-native English readers relying on formatted headings and bullet lists to navigate version history will see undifferentiated monospace text.
  • CHANGELOG.md - Entries like 'parseConfigFile() shared helper eliminating duplicated file read/parse logic between loadConfig and readBaseUrlFromConfig' are implementation-internal and not actionable for SDK users. Changelog entries for public releases should describe user-visible impact, not refactor rationale.
  • CHANGELOG.md - Error message change 'HTTPS validation error messages no longer include the actual URL value' gives no guidance on what the new message looks like. Users who hit this error will not know what actionable information to look for.

Open-Source Readiness Checklist

Code Quality

  • [~] All functions have clear, descriptive names — Only CHANGELOG.md is visible in this diff; no source code functions are shown.
  • No hardcoded secrets, API keys, internal URLs, or employee names in code or comments — CHANGELOG references https://api.multicorn.ai as a public API endpoint; no secrets or employee names visible.
  • [~] No // TODO without a public issue reference — No source code is visible in this diff.
  • [~] No commented-out code blocks — Only CHANGELOG.md is visible; no source code to evaluate.
  • [~] No debug logging (console.log, println) left in — No source code is visible in this diff.
  • [~] All any types eliminated (TypeScript) — No TypeScript source code is visible in this diff.
  • [~] Error handling is complete — no swallowed exceptions, no empty catch blocks — No source code is visible in this diff.
  • No Atlassian-internal references, no proprietary patterns or terminology — No Atlassian-internal references detected in the CHANGELOG.

Testing

  • [~] All new code has tests — No source or test files are visible in this diff.
  • [~] Coverage meets or exceeds repo minimum — Coverage data not available in this diff.
  • [~] Tests pass locally and in CI — CI results are not visible in this diff.
  • [~] Edge cases and error paths are tested — No test files are visible in this diff.
  • [~] No flaky tests — No test files are visible in this diff.

Security

  • No secrets in code, comments, config files, or git history — No secrets detected in the CHANGELOG diff.
  • [~] All user input is validated — No source code is visible in this diff.
  • [~] Dependencies audited — no known vulnerabilities — No package files are visible in this diff.
  • HTTPS enforced for all external communication — CHANGELOG notes HTTPS validation added in runInit() and https://api.multicorn.ai as default endpoint.
  • [~] API keys/tokens never logged — No source code is visible in this diff.

Documentation

  • [~] README.md is accurate and up to date — README.md is not included in this diff.
  • [~] CONTRIBUTING.md is accurate and up to date — CONTRIBUTING.md is not included in this diff.
  • CHANGELOG.md updated with this change — The CHANGELOG has been reformatted with 4-space indentation throughout, which breaks standard Markdown rendering and Keep a Changelog conventions. Additionally, the [Unreleased] section has been removed and replaced with [0.6.2]; if there are still unreleased changes, this section is missing.
  • [~] New public APIs have JSDoc/KDoc with examples — No source code is visible in this diff.
  • Any new config options are documented — CHANGELOG mentions new config options (agents array, defaultAgent, baseUrl) with descriptions.
  • [~] Architecture decisions documented in ADR if significant — No ADR files are visible in this diff.

Open Source Hygiene

  • [~] Licence header present in source files (if required by licence) — No source files are visible in this diff.
  • [~] CODE_OF_CONDUCT.md present — Not visible in this diff.
  • [~] Issue templates are current — Not visible in this diff.
  • [~] PR template is current — Not visible in this diff.
  • No internal company references or links — No internal company references detected in the CHANGELOG.
  • [~] Package name and description are correct in package.json — package.json is not included in this diff.
  • [~] Repository topics/tags are set on GitHub — Cannot be determined from the diff.

Advisory only. Does not block merge. Actions logged to Shield as pr_review and oss_check.
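Jordan's three asks in the review above (an enterprise override that cannot be bypassed by a baked-in default, fail-closed validation, and error messages that never echo the URL value) are easy to state and easy to get subtly wrong, so here is an added example of what that resolution path can look like. It is not the project's code and not the implementation behind this PR, whose diff is truncated; the helper names follow the ones the CHANGELOG mentions (readBaseUrlFromConfig, parseConfigFile, isAllowedShieldApiBaseUrl), but their signatures, the SHIELD_API_BASE_URL env var, the host allowlist and the JSON config shape are all assumptions made for the example.

```typescript
// Added example, not the project's code. Precedence: env var > config file >
// built-in default. Every candidate must pass HTTPS + host-allowlist validation,
// a bad value fails closed, and the error names the *source* of the bad value
// but never the value itself. Names, signatures and the env var are assumptions.

export const DEFAULT_SHIELD_API_BASE_URL = "https://api.multicorn.ai";

// Hosts an override may point at: the default host, its subdomains, or hosts the
// caller adds explicitly (e.g. an enterprise proxy). Assumed policy, not the SDK's.
export const DEFAULT_ALLOWED_HOSTS: readonly string[] = ["api.multicorn.ai"];

export interface ShieldConfigFile { baseUrl?: unknown }

// Shared parse step: a malformed config file is a hard error, never a silent fallback.
export function parseConfigFile(text: string): ShieldConfigFile {
  const parsed: unknown = JSON.parse(text);
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new Error("config file must contain a JSON object");
  }
  return parsed as ShieldConfigFile;
}

// Returns the configured baseUrl, or undefined when there is no file / no key.
// Takes the file text (already read) so the example runs offline.
export function readBaseUrlFromConfig(configText: string | undefined): string | undefined {
  if (configText === undefined) return undefined;
  const cfg = parseConfigFile(configText);
  if (cfg.baseUrl === undefined) return undefined;
  if (typeof cfg.baseUrl !== "string") throw new Error("config baseUrl must be a string");
  return cfg.baseUrl;
}

function tryParseUrl(value: string): URL | undefined {
  try { return new URL(value); } catch { return undefined; }
}

export function isAllowedShieldApiBaseUrl(
  value: string,
  allowedHosts: readonly string[] = DEFAULT_ALLOWED_HOSTS,
): boolean {
  const url = tryParseUrl(value);
  if (url === undefined) return false;                          // unparsable: reject
  if (url.protocol !== "https:") return false;                  // http:, file:, etc.
  if (url.username !== "" || url.password !== "") return false; // no embedded credentials
  if (url.search !== "" || url.hash !== "") return false;       // a base URL has no query/fragment
  return allowedHosts.some(h => url.hostname === h || url.hostname.endsWith("." + h));
}

export interface ResolvedBaseUrl { url: string; source: string }

export function resolveShieldApiBaseUrl(
  env: Record<string, string | undefined>,
  configText: string | undefined,
  allowedHosts: readonly string[] = DEFAULT_ALLOWED_HOSTS,
): ResolvedBaseUrl {
  // Highest precedence first; each candidate is read lazily so a lower-precedence
  // source is not touched once a higher one is set.
  const candidates: Array<[string, () => string | undefined]> = [
    ["env SHIELD_API_BASE_URL", () => env.SHIELD_API_BASE_URL],
    ["config baseUrl", () => readBaseUrlFromConfig(configText)],
    ["built-in default", () => DEFAULT_SHIELD_API_BASE_URL],
  ];
  for (const [source, read] of candidates) {
    const value = read();
    if (value === undefined || value === "") continue; // unset: fall through
    if (!isAllowedShieldApiBaseUrl(value, allowedHosts)) {
      // Fail closed and do not echo the value: it may carry an internal hostname,
      // an embedded token, or attacker-controlled text headed for a log line.
      throw new Error(`Shield API base URL from ${source} is not an allowed HTTPS URL`);
    }
    return { url: value.replace(/\/+$/, ""), source };
  }
  throw new Error("no Shield API base URL candidate"); // unreachable: default is always set
}

// Constructed inputs for a stand-alone run: env override wins over the config file.
export function demo(): ResolvedBaseUrl {
  const constructedConfig = '{ "baseUrl": "https://api.multicorn.ai/" }';
  return resolveShieldApiBaseUrl({ SHIELD_API_BASE_URL: "https://eu.api.multicorn.ai/" }, constructedConfig);
}
```

Two design points worth checking in the real implementation once the full diff is available: the allowlist compares the parsed hostname, not a string prefix, so `https://evil.example/api.multicorn.ai` and `https://api.multicorn.ai.evil.example` are both rejected; and a malformed config file throws instead of falling back to the default, so an enterprise that thinks it has pinned a proxy cannot silently end up talking to the public endpoint.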
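For the CHANGELOG re-indent that Priya, Sarah and The Team flag, a pre-commit hook or CI step can refuse the commit before it reaches a release branch. The check below is an added example, not the project's tooling; the thresholds and the two sample changelogs are constructed for it. In a real pipeline markdownlint's MD046 (code-block-style) set to the fenced style reports indented code blocks and is the ready-made form of the same check.

```typescript
// Added example, not the project's tooling. In Markdown, a line indented by four
// or more spaces (or a tab) outside a fenced block is an indented code block, so a
// wholesale re-indent turns headings and bullets into preformatted text.

export interface IndentReport {
  nonBlank: number;         // non-blank lines outside fenced code blocks
  indented: number;         // of those, lines indented by >= 4 spaces or a tab
  indentedHeadings: number; // indented lines that start with '#'
}

const FENCE = /^(`{3}|~{3})/;

export function indentReport(markdown: string): IndentReport {
  const r: IndentReport = { nonBlank: 0, indented: 0, indentedHeadings: 0 };
  let inFence = false;
  for (const raw of markdown.split(/\r?\n/)) {
    const stripped = raw.trimStart();
    if (stripped === "") continue;
    const deep = raw.startsWith("\t") || raw.length - stripped.length >= 4;
    // A fence marker indented 4+ is itself inside an indented code block, so only
    // un-indented fence markers toggle state.
    if (!deep && FENCE.test(stripped)) { inFence = !inFence; continue; }
    if (inFence) continue;
    r.nonBlank += 1;
    if (deep) {
      r.indented += 1;
      if (stripped.startsWith("#")) r.indentedHeadings += 1;
    }
  }
  return r;
}

// Gate used by the hook. A changelog's version headings sit at top level, so any
// indented heading is a defect; so is a file where most prose lines are indented.
// Nested list items at four spaces under a parent bullet are legitimate and stay
// well below the ratio threshold (assumed 50%).
export function changelogIndentOk(markdown: string, maxIndentedRatio = 0.5): boolean {
  const r = indentReport(markdown);
  if (r.indentedHeadings > 0) return false;
  return r.nonBlank === 0 || r.indented / r.nonBlank <= maxIndentedRatio;
}

// Constructed samples. The first is a Keep a Changelog style file with one nested
// bullet and one fenced block; the second is the same file after a 4-space re-indent.
export const CONSTRUCTED_GOOD_CHANGELOG = [
  "# Changelog", "", "## [Unreleased]", "", "## [0.6.2] - 2026-04-09", "", "### Fixed", "",
  "- HTTPS validation errors no longer include the URL value",
  "    - applies to runInit()", "",
  "~~~text", "    indented text inside a fence is fine", "~~~", "",
].join("\n");

export const CONSTRUCTED_BAD_CHANGELOG = CONSTRUCTED_GOOD_CHANGELOG
  .split("\n")
  .map(l => (l === "" ? l : "    " + l))
  .join("\n");
```

Wire `changelogIndentOk` into the hook that runs on `CHANGELOG.md` and fail the commit when it returns false; the report object gives the numbers for the error message.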

@rachellerathbone rachellerathbone merged commit 70b6413 into main Apr 9, 2026
3 checks passed
