From 56edfad38af8dee852ae414fba66476a91ba9f1c Mon Sep 17 00:00:00 2001 From: Tristen Pierson Date: Mon, 4 May 2026 16:24:45 -0400 Subject: [PATCH] chore(release): bump version to 0.10.1 Bumps `package.json` from 0.10.0 to 0.10.1 and renames the existing `[Unreleased]` CHANGELOG section to `[0.10.1] - 2026-05-04`. The 0.10.0 tag captured the multi-agent + BYOE work (PRs #45/#47/#48); this point release rolls in the security hardening from #49 (17 CodeQL alerts closed) and the regex follow-up. Validation: - npm run lint: clean. - npm test: 144 passing. Co-Authored-By: Oz --- CHANGELOG.md | 3 +++ package.json | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0472253..cac1fcd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,10 +3,13 @@ All notable changes to the VS Code extension are documented here. ## [Unreleased] +## [0.10.1] — 2026-05-04 ### Security - **Resolved 17 CodeQL alerts in `media/session.js`, `src/ChatStreamConsumer.ts`, `src/extension.ts`, `src/GovernancePanel.ts` and `src/test/session-logic.test.ts`.** Hardened the chat-webview HTML escaping (`esc()` now also escapes `"` and `'`), rewrote the inline `onclick="rptTool(...)"` / `onclick="rptCrash(...)"` / `onclick="viewFull(...)"` buttons to use `data-action` + a delegated click listener (eliminates the brittle `replace(/'/g,"\\'")` JS-string smuggling and the matching `js/identity-replacement` finding), escaped LLM-controlled values flowing into `addImg` `src=` and the VCS additions/deletions span, swapped `Math.random()` session-id generation for `crypto.randomUUID()`, and made the shell-quote helpers in the preflight + agent-task paths escape backslashes before quotes. Also tightened the `
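Review bot: in the CHANGELOG.md hunk the `## [Unreleased]` line is unchanged context and the `## [0.10.1]` heading is added beneath it (the diffstat shows 3 insertions and no deletions for this file), so the section is not renamed as the commit message says and an empty `[Unreleased]` heading is left above the release. If keeping that placeholder for the next cycle is intended, reword the message to say the release heading is added under `[Unreleased]`; otherwise remove the old heading in this change. The added heading also separates version and date with an em dash, while the commit message writes `[0.10.1] - 2026-05-04` with a hyphen; match whichever separator the earlier release headings in this file use, so that anything that parses the headings for release notes keeps working.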