From 42aae430a79b366542417c28348ff29b3f143d0a Mon Sep 17 00:00:00 2001 From: Drew Stone Date: Wed, 20 May 2026 09:05:20 -0600 Subject: [PATCH 1/2] chore(deps): bump ws past advisory Pin ws to ^8.20.1 via pnpm override to close GHSA-58qx-3vcg-4xpx (CVE-2026-45736, "Uninitialized memory disclosure", medium severity). ws is a transitive dependency pulled by viem (peer of @tangle-network/tcloud and @tangle-network/sandbox). Direct deps do not expose ws, so the fix is applied via pnpm.overrides rather than a direct-dep bump. Versions: - ws: 8.18.3 -> 8.20.1 (vulnerable range was >=8.0.0 <8.20.1) Verification: typecheck + 1220 tests + build all green. --- package.json | 3 ++- pnpm-lock.yaml | 17 +++++++++-------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/package.json b/package.json index 278cf3a..f176d90 100644 --- a/package.json +++ b/package.json @@ -140,7 +140,8 @@ "minimumReleaseAge": 4320, "minimumReleaseAgeExclude": [], "overrides": { - "postcss@<8.5.10": "^8.5.10" + "postcss@<8.5.10": "^8.5.10", + "ws@>=8.0.0 <8.20.1": "^8.20.1" } }, "engines": { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 776f884..7f3cf19 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -6,6 +6,7 @@ settings: overrides: postcss@<8.5.10: ^8.5.10 + ws@>=8.0.0 <8.20.1: ^8.20.1 importers: @@ -639,7 +640,7 @@ packages: isows@1.0.7: resolution: {integrity: sha512-I1fSfDCZL5P0v33sVqeTDSpcstAg/N+wF5HS033mogOVIp4B+oHC7oOCsA3axAbBSGTJ8QubbNmnIRN/h8U7hg==} peerDependencies: - ws: '*' + ws: ^8.20.1 joycon@3.1.1: resolution: {integrity: sha512-34wB/Y7MW7bzjKRjUKTa46I2Z7eV62Rkhva+KkopW7Qvv/OSWBqvkSY7vusOPrNuZcUG3tApvdVgNB8POj3SPw==} 
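Review bot: The `"ws@>=8.0.0 <8.20.1": "^8.20.1"` entry added to `overrides` in package.json only changes what this repository's own install and lockfile resolve. pnpm honours overrides from the root project only, so anyone installing the published package still resolves `ws` through their own viem/isows tree. If the advisory is meant to be closed for consumers too, that needs an upstream bump or a release note telling them to add the same override. JSON cannot carry a comment, so the advisory id and the removal condition should be recorded where maintainers will see them, for example a changelog line such as `ws pinned to ^8.20.1 via pnpm.overrides for GHSA-58qx-3vcg-4xpx; drop once viem resolves ws >=8.20.1`. The commit message lists typecheck, tests and build as verification; running `pnpm why ws` and `pnpm audit` against the new lockfile would also confirm that no copy in the vulnerable range remains (the object enclosing `overrides` opens above the hunk).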
@@ -927,8 +928,8 @@ packages: engines: {node: '>=8'} hasBin: true - ws@8.18.3: - resolution: {integrity: sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==} + ws@8.20.1: + resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 @@ -1388,9 +1389,9 @@ snapshots: hono@4.12.18: {} - isows@1.0.7(ws@8.18.3): + isows@1.0.7(ws@8.20.1): dependencies: - ws: 8.18.3 + ws: 8.20.1 joycon@3.1.1: {} @@ -1602,9 +1603,9 @@ snapshots: '@scure/bip32': 1.7.0 '@scure/bip39': 1.6.0 abitype: 1.2.3(typescript@5.9.3)(zod@4.3.6) - isows: 1.0.7(ws@8.18.3) + isows: 1.0.7(ws@8.20.1) ox: 0.14.20(typescript@5.9.3)(zod@4.3.6) - ws: 8.18.3 + ws: 8.20.1 optionalDependencies: typescript: 5.9.3 transitivePeerDependencies: @@ -1692,7 +1693,7 @@ snapshots: siginfo: 2.0.0 stackback: 0.0.2 - ws@8.18.3: {} + ws@8.20.1: {} yaml@2.8.3: {} From dc8982279d2a9b3a2c7a5de109764439616301a6 Mon Sep 17 00:00:00 2001 
From: Drew Stone Date: Wed, 20 May 2026 09:11:21 -0600 Subject: [PATCH 2/2] =?UTF-8?q?chore(0.31.1):=20republish=20=E2=80=94=20fi?= =?UTF-8?q?x=20stale=20dist=20on=20v0.31.0=20npm=20artifact?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The v0.31.0 tag's published tarball shipped a dist/ predating the source merge for JudgeScoresRecord. dist/index.d.ts was missing the type re-export and dist/index.js was missing the `recordOutcome.judgeScores = outcome.judgeScores` propagation line in the campaign runner — even though the tagged commit had both. Consumers that bumped to ^0.31.0 got a typecheck failure on RunOutcome.judgeScores and a silent drop on the wire. No source change beyond the version bump. The retag forces a clean pnpm build and republish. Post-republish verification: - dist/index.d.ts contains JudgeScoresRecord - dist/index.js carries the recordOutcome.judgeScores assignment - pnpm typecheck + pnpm test clean (1220/1220) --- CHANGELOG.md | 22 +++++++++++++++++++ clients/python/pyproject.toml | 2 +- clients/python/src/agent_eval_rpc/__init__.py | 2 +- package.json | 2 +- 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ac87aa..21644af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,27 @@ # Changelog +## 0.31.1 — 2026-05-20 + +### Republish of 0.31.0 — dist drift fix + +The `v0.31.0` tag's npm tarball shipped a stale `dist/` — `JudgeScoresRecord` +was missing from `dist/index.d.ts` and the `recordOutcome.judgeScores` +propagation never made it into `dist/index.js`, even though the source on +the tagged commit had both. Consumers that bumped to `^0.31.0` got a +typecheck failure on `RunOutcome.judgeScores` (since the type wasn't +re-exported) and a silent drop on the wire (since the campaign runner +didn't carry the field through). + +Cause: a build artifact picked up by the publish workflow predated the +source merge. The retag forces a clean `pnpm build` and republish; this +patch carries no source change beyond the version bump. + +Verified after this tag: `dist/index.d.ts` contains `JudgeScoresRecord`, +`dist/index.js` propagates `outcome.judgeScores` end-to-end via +`recordOutcome.judgeScores`, and a downstream `pnpm install +@tangle-network/agent-eval@0.31.1` types-clean against the shape +documented in 0.31.0. + ## 0.31.0 — 2026-05-20 ### `JudgeScoresRecord` on `RunRecord.outcome` — substrate-blessed ensemble shape diff --git a/clients/python/pyproject.toml b/clients/python/pyproject.toml index 09df840..5d0f31f 100644 --- a/clients/python/pyproject.toml +++ b/clients/python/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "hatchling.build" [project] name = "agent-eval-rpc" -version = "0.31.0" +version = "0.31.1" description = "Python RPC client for @tangle-network/agent-eval — judge content against rubrics over HTTP or stdio RPC. Eval logic runs in the Node runtime; this package is a thin wire client." readme = "README.md" requires-python = ">=3.10" diff --git a/clients/python/src/agent_eval_rpc/__init__.py b/clients/python/src/agent_eval_rpc/__init__.py index c50579b..5686666 100644 --- a/clients/python/src/agent_eval_rpc/__init__.py +++ b/clients/python/src/agent_eval_rpc/__init__.py 
@@ -48,7 +48,7 @@ try: __version__ = version("agent-eval-rpc") except PackageNotFoundError: - __version__ = "0.31.0" + __version__ = "0.31.1" __all__ = [ "Client", diff --git a/package.json b/package.json index f176d90..2e89a53 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@tangle-network/agent-eval", - "version": "0.31.0", + "version": "0.31.1", "description": "Substrate for self-improving agents: traces, verifiable rewards, preferences, GEPA / reflective mutation, auto-research, replay, sequential anytime-valid stats, and release gates.", "homepage": "https://github.com/tangle-network/agent-eval#readme", "repository": {