chore: merge main into validation branch

Resolved conflict in `script/build.ts`: kept both `ALTIMATE_CLI_CHANGELOG`
(from main) and `ALTIMATE_VALIDATE_*` constants (from validation branch) in
the build define block.

Author: Bharatram-altimate-ai

.github/workflows/ci.yml

@@ -11,12 +11,14 @@ jobs:
     name: TypeScript
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
+        with:
+          bun-version: "1.3.9"
 
       - name: Cache Bun dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.bun/install/cache
           key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
@@ -39,14 +41,14 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
 
       - name: Install linter
-        run: pip install ruff
+        run: pip install ruff==0.9.10
 
       - name: Lint
         run: ruff check src
@@ -59,9 +61,9 @@ jobs:
       matrix:
         python-version: ["3.10", "3.11", "3.12"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'

.github/workflows/docs.yml

@@ -20,10 +20,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
           cache: "pip"
@@ -36,10 +36,10 @@ jobs:
         run: mkdocs build -f docs/mkdocs.yml -d site
 
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
         with:
           path: docs/site
 
@@ -52,4 +52,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

.github/workflows/publish-engine.yml

@@ -13,22 +13,23 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
           cache: "pip"
           cache-dependency-path: packages/altimate-engine/pyproject.toml
 
       - name: Install build tools
-        run: pip install build
+        run: pip install build==1.2.2
 
       - name: Build package
         run: python -m build
         working-directory: packages/altimate-engine
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           packages-dir: packages/altimate-engine/dist/
+          skip-existing: true

.github/workflows/release.yml

@@ -9,28 +9,28 @@ concurrency:
   group: release
   cancel-in-progress: false
 
-permissions:
-  contents: write
-  id-token: write
-
 env:
   GH_REPO: AltimateAI/altimate-code
 
 jobs:
   build:
     name: Build (${{ matrix.os }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         os: [linux, darwin, win32]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
+        with:
+          bun-version: "1.3.9"
 
       - name: Cache Bun dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.bun/install/cache
           key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
@@ -50,7 +50,7 @@ jobs:
           MODELS_DEV_API_JSON: test/tool/fixtures/models-api.json
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: dist-${{ matrix.os }}
           path: packages/altimate-code/dist/
@@ -59,13 +59,17 @@ jobs:
     name: Publish to npm
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
+        with:
+          bun-version: "1.3.9"
 
       - name: Cache Bun dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: ~/.bun/install/cache
           key: bun-${{ runner.os }}-${{ hashFiles('bun.lock') }}
@@ -76,7 +80,7 @@ jobs:
         run: bun install
 
       - name: Download all build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           pattern: dist-*
           path: packages/altimate-code/dist/
@@ -124,23 +128,23 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.12"
           cache: 'pip'
           cache-dependency-path: packages/altimate-engine/pyproject.toml
 
       - name: Install build tools
-        run: pip install build
+        run: pip install build==1.2.2
 
       - name: Build package
         run: python -m build
         working-directory: packages/altimate-engine
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           packages-dir: packages/altimate-engine/dist/
           skip-existing: true
@@ -152,7 +156,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
@@ -206,14 +210,14 @@ jobs:
           CURRENT_TAG: ${{ github.ref_name }}
 
       - name: Download all build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           pattern: dist-*
           path: packages/altimate-code/dist/
           merge-multiple: true
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with:
           body_path: notes.md
           draft: false

CHANGELOG.md

@@ -5,6 +5,39 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.4] - 2026-03-04
+
+### Added
+
+- E2E tests for npm install pipeline: postinstall script, bin wrapper, and publish output (#50)
+
+## [0.2.3] - 2026-03-04
+
+### Added
+
+- Postinstall welcome banner and changelog display after upgrade (#48)
+
+### Fixed
+
+- Security: validate well-known auth command type before execution, add confirmation prompt (#45)
+- CI/CD: SHA-pin all GitHub Actions, per-job least-privilege permissions (#45)
+- MCP: fix copy-paste log messages, log init errors, prefix floating promises (#45)
+- Session compaction: clean up compactionAttempts on abort to prevent memory leak (#45)
+- Telemetry: retry failed flush events once with buffer-size cap (#45, #46)
+- Telemetry: flush events before process exit (#46)
+- TUI: resolve worker startup crash from circular dependency (#47)
+- CLI: define ALTIMATE_CLI build-time constants for correct version reporting (#41)
+- Address 4 issues found in post-v0.2.2 commits (#49)
+- Address remaining code review issues from PR #39 (#43)
+
+### Changed
+
+- CI/CD: optimize pipeline with caching and parallel builds (#42)
+
+### Docs
+
+- Add security FAQ (#44)
+
 ## [0.2.2] - 2026-03-05
 
 ### Fixed

docs/docs/configure/telemetry.md

@@ -36,6 +36,12 @@ We collect the following categories of events:
 
 Each event includes a timestamp, anonymous session ID, and the CLI version.
 
+## Delivery & Reliability
+
+Telemetry events are buffered in memory and flushed periodically. If a flush fails (e.g., due to a transient network error), events are re-added to the buffer for one retry. On process exit, the CLI performs a final flush to avoid losing events from the current session.
+
+No events are ever written to disk — if the process is killed before the final flush, buffered events are lost. This is by design to minimize on-disk footprint.
+
 ## Why We Collect Telemetry
 
 Telemetry helps us:

docs/docs/getting-started.md

@@ -20,6 +20,8 @@ Unlike general-purpose coding agents, altimate is built for data teams:
 npm install -g @altimateai/altimate-code
 ```
 
+After install, you'll see a welcome banner with quick-start commands. On upgrades, the banner also shows what changed since your previous version.
+
 ## First run
 
 ```bash