fix #92

Merged
rachellerathbone merged 1 commit into main from fix-cl
Apr 9, 2026

@rachellerathbone
Contributor

What

Brief description of changes

Why

Why this change was needed

How

Brief technical approach

Testing

How to verify the changes

@github-actions

github-actions bot commented Apr 9, 2026

multicorn-ops review

| Persona | Role | Primary | Status | Summary |
|---|---|---|---|---|
| Jordan | Security Auditor | no | Passed | No security regressions visible in this truncated diff; the changelog notes positive security hygiene improvements. |
| Priya | Open Source Contributor | yes | Concern | The diff is entirely a whitespace/indentation fix to CHANGELOG.md with no new tests, code, or contributor guidance visible. |
| Marcus | Design-Conscious Developer | no | Passed | No UI changes are present in this diff. |
| Sarah | Non-Technical Decision-Maker | no | Concern | Internal implementation jargon ('JSON-RPC error codes', 'CJS hook duplication', 'agentName deprecated') appears in the changelog which could surface in UI or docs and confuse non-technical readers. |
| The Team | Acquisition Due Diligence | yes | Concern | Skipped version numbers, a double-bump release script bug, and a truncated diff make it difficult to assess architecture consistency or test coverage for the substantive changes described. |
| Alex | Accessibility Advocate | no | Passed | No UI or HTML changes present in this diff. |
| Yuki | International User | yes | Concern | Some changelog entries use idiomatic English phrases and internal jargon that may be unclear to non-native readers who rely on this as documentation. |

Concerns

Priya (Open Source Contributor)

  • CHANGELOG.md - PR appears to only reformat CHANGELOG.md indentation; no tests, no code changes visible in the truncated diff — hard to assess actual contribution scope or whether new features have test coverage.
  • CHANGELOG.md:1 - Version numbers like 0.5.0 and 0.3.0 are documented as skipped due to a release script bug — this suggests fragile release automation that a contributor would need to understand before cutting a release.

Sarah (Non-Technical Decision-Maker)

  • CHANGELOG.md - Entries like 'distinct JSON-RPC error codes: -32000, -32002' and 'CJS hook duplication comment' are developer-internal details that don't belong in a user-facing changelog and could erode trust if surfaced in product docs.

The Team (Acquisition Due Diligence)

  • CHANGELOG.md - Two version numbers (0.3.0, 0.5.0) were skipped due to a release script double-bump bug — indicates fragile or manual release automation that is a tech debt and OSS health signal risk.
  • CHANGELOG.md - Diff is truncated at ~31 KB; actual code changes for multi-agent config, CLI rewrite, HTTPS validation, and hosted proxy are not reviewable — no test coverage signals visible.
  • CHANGELOG.md - Deprecated fields (agentName, platform on ProxyConfig) kept for backward compat with no indication of a deprecation timeline or removal plan — accumulating interface debt.

Yuki (International User)

  • CHANGELOG.md - 'fails closed' is a security idiom that non-native English readers may not recognise — a brief parenthetical like '(blocks the action)' would make it actionable and clear.
  • CHANGELOG.md - 'double-bumped' in the 0.5.0 skipped-version note is informal slang; prefer 'incremented twice' for clarity in documentation read by international developers.
  • CHANGELOG.md - Error messages described in the changelog (e.g. HTTPS validation errors) are noted to 'no longer include the actual URL value' — it is unclear what the new message says, making it hard for users to diagnose errors.

Open-Source Readiness Checklist

Code Quality

  • All functions have clear, descriptive names — CHANGELOG entries reference function names like readBaseUrlFromConfig(), parseConfigFile(), isAllowedShieldApiBaseUrl(), getAgentByPlatform() — all descriptive. No source code in diff to audit directly.
  • No hardcoded secrets, API keys, internal URLs, or employee names in code or comments — Only public-facing URLs (https://api.multicorn.ai) visible in CHANGELOG. No secrets or employee names observed.
  • [~] No // TODO without a public issue reference — Diff is limited to CHANGELOG.md reformatting; no source code shown.
  • [~] No commented-out code blocks — Diff only covers CHANGELOG.md; no source files shown.
  • [~] No debug logging (console.log, println) left in — No source code in diff to audit.
  • [~] All any types eliminated (TypeScript) — No TypeScript source files in diff.
  • [~] Error handling is complete — no swallowed exceptions, no empty catch blocks — No source code in diff to audit.
  • No Atlassian-internal references, no proprietary patterns or terminology — No Atlassian references found in visible diff.

Testing

  • [~] All new code has tests — Diff only shows CHANGELOG.md changes; no source or test files included.
  • [~] Coverage meets or exceeds repo minimum — Cannot determine from diff alone.
  • [~] Tests pass locally and in CI — CI results not visible in diff.
  • [~] Edge cases and error paths are tested — No test files in diff.
  • [~] No flaky tests — No test files in diff.

Security

  • No secrets in code, comments, config files, or git history — No secrets visible in the diff.
  • [~] All user input is validated — CHANGELOG mentions input sanitisation and validation added, but source not visible to verify.
  • [~] Dependencies audited — no known vulnerabilities — No package.json or lock file changes in diff.
  • HTTPS enforced for all external communication — CHANGELOG explicitly notes HTTPS scheme validation added in runInit() and isAllowedShieldApiBaseUrl() validator introduced.
  • [~] API keys/tokens never logged — No source code in diff to verify.

Documentation

  • [~] README.md is accurate and up to date — README.md not included in diff.
  • [~] CONTRIBUTING.md is accurate and up to date — CONTRIBUTING.md not included in diff.
  • CHANGELOG.md updated with this change — CHANGELOG.md is present and updated with 0.6.2 entry covering the changes in this PR.
  • [~] New public APIs have JSDoc/KDoc with examples — Source files not included in diff; cannot verify JSDoc on new exports like readBaseUrlFromConfig(), isAllowedShieldApiBaseUrl(), etc.
  • Any new config options are documented — CHANGELOG documents new config behaviours (baseUrl resolution priority, agents array, defaultAgent) clearly.
  • [~] Architecture decisions documented in ADR if significant — No ADR files in diff; significance of changes is moderate but cannot confirm ADR policy for this repo.

Open Source Hygiene

  • [~] Licence header present in source files (if required by licence) — No source files in diff.
  • [~] CODE_OF_CONDUCT.md present — Not visible in diff.
  • [~] Issue templates are current — Not visible in diff.
  • [~] PR template is current — Not visible in diff.
  • No internal company references or links — Only public URLs (multicorn.ai, keepachangelog.com, semver.org) present in visible diff.
  • [~] Package name and description are correct in package.json — package.json not included in diff.
  • [~] Repository topics/tags are set on GitHub — Cannot determine from diff alone.

Advisory only. Does not block merge. Actions logged to Shield as pr_review and oss_check.

@rachellerathbone rachellerathbone merged commit 3e4d5c7 into main Apr 9, 2026
3 checks passed