v0.0.11-beta.4 — /audit share-card hotfix (desktop intent + correct domain)

/audit share-card hotfix

Two fast follow-ups on the /audit share flow introduced in 0.0.11-beta.3.

Fixes

• Desktop "share on X" / "share on LinkedIn" no longer open the Windows share dialog. lib/share-card.ts shareCardNative() early-returns false on non-mobile devices (detected via navigator.userAgentData.mobile with a UA-string fallback for Safari / Firefox + a maxTouchPoints check for iPadOS 13+), so the ShareDock falls through to its existing clipboard + x.com/intent/tweet / linkedin.com/sharing/share-offsite path. Mobile keeps the one-tap system share sheet because there the OS sheet actually surfaces the X / LinkedIn apps as targets (#425).
• Share templates linked to the wrong domain. Every X / LinkedIn template embedded https://failproof.ai, but the actual marketing site is befailproof.ai — so every shared post linked to a dead URL. Updated SITE_URL in both app/audit/_components/share-templates.ts and app/audit/_components/share-dock.tsx, plus the bare failproof.ai mention in the 4th X template; tightened the template test to assert the new domain so a regression fails fast (#425).

---

Full diff: v0.0.11-beta.3...v0.0.11-beta.4
Full changelog: https://github.com/FailproofAI/failproofai/blob/main/CHANGELOG.md#00114-beta4--2026-06-10

v0.0.11-beta.3 — /audit dashboard, email-OTP auth, pixel-craft design system

/audit dashboard, email-OTP auth, unified pixel-craft design system

This release ships the in-app /audit dashboard, email-OTP auth across CLI + dashboard, persistent re-audit reminders delivered via SES, and a brutalist pixel-craft design system unified across every dashboard page. Plus a deep correctness/efficiency hardening pass, a supply-chain security CI gate, and the usual telemetry coverage expansion.

Highlights

/audit dashboard

• New in-app report at /audit that turns the existing failproofai audit data into a personality-driven diagnostic. Every audited agent is classified into one of 8 archetypes — optimist, cowboy, explorer, goldfish, paranoid architect, precision builder, hammer, ghost — via a weighted classifier with full 47/47 signal coverage (every builtin policy + every audit-only detector).
• Rewritten score + classifier engine. Personas are evenly reachable (Monte-Carlo over 50k simulated users confirms every persona lands at 10–18% share). Scores are rate-normalised against a reference volume and use a saturating exponential curve (cap·(1−e^(−p/k))) so no two hit-counts collide on a fixed value. S/A/B/C/D/F grade bands. projectedScore previews the post-enable uplift.
• Six sections: Identity (archetype hero with 8×8 pixel sigil + meta grid), Show-off CTA, Strengths (real numbers from the audit), Score + cohort leaderboard with distribution histogram, Findings (per-policy cards: what happened / cost / evidence / fix), Prescribed Policies (with projected-score uplift callout), and a "re-audit in 7 days" return loop.
• Persona variant catalog. Every archetype has 4–6 deterministically-seeded copy variants (taglines, descriptions, signature blocks, "common in" / "primary risk" / closing lines) keyed by a behaviour fingerprint, so two agents that land on the same archetype see different language but the same render is byte-identical across reloads.
• Shareable PNG poster. "Make poster" captures the identity frame via html2canvas at scale 2 (failproofai-<archetype>-<YYYY-MM-DD>.png). Floating share-dock renders X / LinkedIn / save buttons stacked vertically with personalised templates (5 quirky for X, 5 measured for LinkedIn). Image attachment routes through navigator.share({ files }) → clipboard → download, picking the best route the browser allows.

Email-OTP auth (CLI + dashboard)

• New failproofai auth login | logout | whoami CLI subcommand wired to the Rust failproof-api-server (/v0/auth/login/request, /login/verify, /token/refresh, /logout, /me). Tokens persist to ~/.failproofai/auth.json at mode 0600 with auto-refresh within a 60s leeway window.
• Dashboard AuthDialog proxies the same flow through four new Next routes (/api/auth/{status,login-request,login-verify,logout}) so the refresh token never reaches the browser — only {authenticated, user} does.
• FAILPROOF_API_URL (default https://api.befailproof.ai) and FAILPROOFAI_AUTH_DIR (default ~/.failproofai) for overrides.

Persistent re-audit reminders

• New ~/.failproofai/next-audit.json (mode 0600, separate from auth.json so the reminder is independent of token refresh) + dashboard /api/auth/reminder GET/POST/DELETE.
• Reminders forward to the api-server's SES-backed scheduler (POST/DELETE /v0/reminders) so the audit nudge is actually delivered as email. The local file remains the dashboard/CLI source-of-truth.

Unified pixel-craft design system

• The audit page's brutalist pixel-craft tokens (--bg, --ink, --accent-pink, --accent-green, --font-mono → JetBrains Mono, --font-display → Bitcount Prop Single) are now declared once in app/globals.css and repoint every Tailwind alias (bg-card, text-foreground, border-border, --radius: 0, …) at the audit palette. /policies, /projects, and /audit now share the same chrome — pink corner brackets, dashed frames, green eyebrow captions — without rewriting any component markup.
• Dashboard chrome scales to fill ultrawide monitors via clamp(720px, 96vw, 1840px). Base font bumped 13px → 16px. Opt-in :focus-visible ring system. Navbar redesigned around .app-header with version chip + current-section eyebrow.

Reliability + efficiency

• Tier-A correctness pass. Concurrent refresh-token-exchange dedup (silent-logout bug fix), audit run-lock auto-expiry (5 min), JWT strict-base64url validation, AbortSignal.any fallback for Node < 20.3 / older Bun, dashboard cache schema-version rejection.
• Tier-B refactor pass. New shared lib/fetch-with-timeout.ts + lib/atomic-write.ts; ~30 LOC of copy-paste deleted across auth-dialog.tsx, rerun-button.tsx, api-server-client.ts, auth-store.ts, dashboard-cache.ts.
• Tier-C polish. Memoised detectorsTriggered + missing scan, rAF-coalesced scroll handler, memoised archetype-variant picker, 5s throttle on focus + visibilitychange status refresh.
• Max-effort code-review hardening: corrected failproof policy add → failproofai policy add on every finding card, app/layout.tsx favicon fix, whoAmI() 401-retry only wipes on unambiguous 401, Retry-After clamped to [0, 86400], AuthApiError(status: 0) → 504 mapping, +12 more.
• Reminder fetch + rerun loop now use fetchWithTimeout(15s) so a hung route can't permanently disable the CTA.
• Audit-aware atomic writes for auth.json, next-audit.json, and audit-dashboard.json (temp-file-then-rename with mode 0600 enforcement on both temp and final paths).

Telemetry

• 5 funnel-gap events on /audit: audit_dashboard_viewed, audit_reminder_cta_{shown,clicked}, audit_auth_dialog_{opened,dismissed,succeeded}, audit_rerun_failed, api_server_unreachable.
• audit_user_identity_linked from the CLI (src/auth/cli.ts) so OTP sign-ins via failproofai auth login are joined to pre-auth instance events.
• cli_policy_${action}_failure events for the policy add|remove failure path.
• Every PostHog event across all 4 channels (hooks/audit, server, web UI, npm-lifecycle) now stamped with product: "failproofai-oss" (#380).
• Raw verified email sent to PostHog (replacing the SHA-256 email_hash) for stronger verified-account → device identity stitch; still gated by FAILPROOFAI_TELEMETRY_DISABLED=1.

Infra

• New bump-platform-submodule.yml workflow auto-bumps the failproofai/oss gitlink in FailproofAI/platform on every merge into this repo's main, race-safe with a rebase-and-retry loop (#394).
• Supply-chain security CI gate: OSV-Scanner (bun.lock scanned against OSV.dev + OpenSSF malicious-packages feed) on every PR / push / weekly. Socket GitHub App behavioral early-warning layer. Blocks on any known-vulnerable or malicious dependency. 18 pre-existing transitive advisories remediated (#391).
• Default api-server base URL flipped to https://api.befailproof.ai.

Fixes

• CI: bump-platform-submodule SIGPIPE fix (#423). The first-line extraction printf '%s\n' "$COMMIT_SUBJECT" | head -n 1 raced under set -o pipefail on multi-KB squash-merge commit bodies. Replaced with pure-bash parameter expansion.
• Treat GitHub neutral check-run conclusions as non-failing in require-ci-green-before-stop (Socket Security on external-contributor PRs) (#410).
• Drop literal ━━ escape sequences rendering as visible text in the /policies activity-tab eyebrow labels.
• Submodule-bump workflow auth: Authorization: bearer … only authenticates GitHub's REST API; git-over-HTTPS smart-protocol needs Basic x-access-token:<pat> (#395).

Dependencies

• Swap Vitest DOM environment from happy-dom (single-maintainer, 2024 critical CVE) to jsdom (6 maintainers, ~7× weekly downloads, perfect Snyk maintenance score). Test suite (1691 tests across 82 files) stays green (#419).

Docs

• New docs/cli/auth.mdx covering failproofai auth login|logout|whoami, on-disk auth.json shape, env-var table, troubleshooting, plus a "Persistent re-audit reminder" section.
• README logo updated to the new fa_updated_full.svg wordmark (EN + 14 translated READMEs) (#387).
• README supply-chain badge changed from live OSV-Scanner status to a static "supply chain: secure" badge, still linked to the workflow runs (#393).

Tests

• +40 tests covering previously-untested audit + auth modules: __tests__/audit/{archetypes,findings,strengths,scoring,distribution,dashboard-cache,replay,share-templates}.test.ts, __tests__/lib/{auth-store,auth-store-refresh,api-server-client,share-card,fetch-with-timeout,atomic-write}.test.ts, __tests__/api/audit-state.test.ts.
• Full suite: 1777 tests passing.

---

Full diff: v0.0.11-beta.2...v0.0.11-beta.3
Full changelog: https://github.com/FailproofAI/failproofai/blob/main/CHANGELOG.md#00113-beta3--2026-06-09

v0.0.11-beta.2 — `failproofai audit`, first-run prompt, telemetry coverage

v0.0.11-beta.2 — failproofai audit, first-run prompt, telemetry coverage

Pre-release. Tracks every commit between v0.0.11-beta.1 (2026-05-20) and current main.

Highlights

• failproofai audit (beta) — retrospective scan of past agent sessions. New CLI command that walks transcripts from all 7 supported CLIs (Claude / Codex / Copilot / Cursor / OpenCode / Pi / Gemini), replays every tool-use event through the 39 builtin policies, and runs each through 8 new audit-only detectors for patterns not yet enforced in real time. Output is a GTM-oriented ANSI table (split into "✓ already protected" vs "○ slipping through" with per-row install CTAs) plus a sectioned, shareable markdown report at ./failproofai-audit.md. Flags + output may still change between beta releases.
• First-run install prompt on bare failproofai. PostHog showed only ~10% of npm-installed users ever ran failproofai policies --install; the no-args dashboard launch now detects "zero hooks installed across any detected CLI" and offers the existing interactive policy selection inline. Non-TTY (CI, piped) falls through with a stderr hint. Opt-out via FAILPROOFAI_NO_FIRST_RUN=1.
• PostHog telemetry coverage closed. 16 new server-side + 12 new web-UI events plug the gaps surfaced by the May audit — CLI install/uninstall outcomes, hook stdin/payload errors, builtin policy crashes (policy_evaluation_error, distinct from custom_hook_error), config validation warnings, postinstall lifecycle (first_install, version_changed), web dashboard interactions, and more.

Features

• failproofai audit (#377) — scan past agent transcripts and report how often the agent did things failproofai is built to stop. Replays through 39 builtin policies + 8 audit-only detectors:
  • redundant-cd-cwd, prefer-edit-over-read-cat, prefer-edit-over-sed-awk, prefer-write-over-heredoc, sleep-polling-loop, find-from-root, git-commit-no-verify, reread-after-edit
  • Flags: --cli, --project, --since, --policy, --limit, --show-examples, --report, --no-report, --json, --no-cache
  • Output: ANSI table (split into "already protected" vs "slipping through" sections with per-row install CTAs) + shareable markdown report
  • Per-transcript cache at ~/.failproofai/cache/audit/ auto-invalidates on policy/detector code changes
  • 4 PostHog events emitted (audit_started, audit_pattern_detected, audit_install_cta_shown, audit_completed); strict slug/count/boolean-only privacy contract, honors FAILPROOFAI_TELEMETRY_DISABLED=1
• First-run install prompt (#378) — bare failproofai invocation detects an unconfigured machine and offers the install flow inline; new src/hooks/first-run-nudge.ts module + 4 PostHog events to measure the uplift. Opt-out: FAILPROOFAI_NO_FIRST_RUN=1.
• PostHog telemetry expansion (#376) — 16 server-side + 12 web-UI events covering CLI lifecycle, hook errors, policy evaluation failures, config validation warnings, multi-scope warnings, beta-policy installs, postinstall lifecycle, and dashboard interactions. All honor FAILPROOFAI_TELEMETRY_DISABLED=1.

Breaking

• Removed undocumented cloud auth + event relay subsystem (#374). Deletes src/auth/ (OAuth 2.0 device-flow login against api.befailproof.ai, ~/.failproofai/auth.json token store) and src/relay/ (WebSocket event relay daemon, sanitized JSONL queue at ~/.failproofai/cache/server-queue/, PID tracking). Strips the failproofai login / logout / whoami / relay start|stop|status / sync subcommands and the internal --relay-daemon mode. Users who ran failproofai login should also wipe ~/.failproofai/{auth.json,cache/server-queue,relay.pid} and stop any running relay daemon by hand; new auth/cloud surface will land in a follow-up.

Docs

• New docs/cli/audit.mdx (beta) + nav entry, registered in docs/docs.json English section. Translation-sync workflow (#371) will add localized pages.
• First-run prompt documented in README, docs/introduction.mdx, and a new "First-run prompt" section in docs/cli/environment-variables.mdx (with FAILPROOFAI_NO_FIRST_RUN=1 opt-out).

Quality

• +62 tests (1623 → 1685 total). New __tests__/audit/ covers per-detector positive/negative cases, replay through real builtins, and an end-to-end fixture-transcript run via runAudit().
• New lib/format-date.ts unit tests (#373).
• Refactored per-CLI tool-name + tool-input canonicalization out of src/hooks/handler.ts into src/hooks/tool-name-canonicalize.ts so the live handler and audit replay share one implementation.
• 0 lint errors, tsc --noEmit clean, 7 CI jobs (build / docs / quality / test × 3 / test-e2e) green.

Upgrade notes

• Audit users: failproofai audit --since 30d is a good first run. The markdown report at ./failproofai-audit.md is shareable in Slack/PRs.
• Anyone using cloud auth/relay: see the Breaking section. Clean up ~/.failproofai/{auth.json,cache/server-queue,relay.pid} manually.
• CI consumers: telemetry is opt-out — set FAILPROOFAI_TELEMETRY_DISABLED=1 to silence all events.

---

Full changelog: v0.0.11-beta.1...v0.0.11-beta.2

v0.0.11-beta.1

0.0.11-beta.1 — 2026-05-20

Breaking

• Default policy namespace renamed from exospherehost to failproofai. Configs that explicitly reference builtins as exospherehost/<name> must update to failproofai/<name>. Flat-name shorthand (e.g. "sanitize-jwt") continues to work unchanged because it auto-resolves to the new default namespace. Builtin docs (EN + 14 translations) updated to show the new namespace.

Docs

• Rename GitHub org URLs across package.json metadata, README CI badge (EN + 14 translated READMEs), CONTRIBUTING, in-app "Star us" banners (bin/failproofai.mjs, scripts/launch.ts, navbar, reach-developers component), Mintlify docs/docs.json, and 30 translated docs (package-aliases.mdx issues link + examples.mdx repo-tree link) to reflect the exospherehost → failproofai org rename. X social handle in docs/docs.json updated from x.com/exospherehost to x.com/failproofai.

Fixes

• Remove orphan exospheresmall token from the Next.js proxy matcher in proxy.ts — no asset by that name exists in the repo.

v0.0.10 — 7-CLI policy enforcement: Claude, Codex, Copilot, Cursor, Gemini, OpenCode, Pi

First stable release of the 7-CLI cycle. failproofai now enforces policies across all major terminal coding agents:

CLI	Config path	Stop semantics
Claude Code	.claude/settings.json	exit-2 force-retry
OpenAI Codex	.codex/hooks.json	exit-2 force-retry
GitHub Copilot	.github/hooks/failproofai.json	{decision:"block",reason} JSON force-retry
Cursor Agent	.cursor/hooks.json	{followup_message} JSON force-retry
Gemini CLI	.gemini/settings.json	{decision:"block",reason} JSON force-retry
OpenCode	.opencode/plugins/failproofai.mjs + .opencode/opencode.json	in-process plugin
Pi	.pi/settings.json + bundled pi-extension/	before_agent_start next-turn injection

Highlights this cycle

• Per-CLI multi-select control panel in the dashboard /policies Configure tab — install / uninstall the diff across all 7 CLIs in one round-trip, with brand-colored per-row status pills, a 7-segment coverage strip, and pre-checked detected CLIs for one-click adoption (#344).
• Pi Stop policy enforcement via before_agent_start system-prompt injection — works around Pi's AgentEndEvent having no Result type by capturing the deny reason and gating the next user turn (#341).
• OpenCode + Pi tool-input canonicalization — two-layer (shim + handler) so block-read-outside-cwd, block-env-files, and block-secrets-write actually fire on read/write/edit calls. Existing user-scope shims auto-upgrade on the next failproofai version bump without a re-install (#337, #340).
• Per-CLI Stop semantics docs — new "Per-CLI Stop semantics" subsection in docs/built-in-policies.mdx with a 7-row table + Pi-limitation callout so users enabling require-*-before-stop understand what they'll see on each CLI (#342).
• Dashboard restyle: single dark theme, project pages keyed by encoded cwd, full Gemini session UUIDs, plain-text startup line replacing the ASCII wordmark (#319, #335, #336, #338).
• release-prep-check workflow policy + dated ## <version> — <YYYY-MM-DD> CHANGELOG headings so every PR ships release-ready (no ## Unreleased drift) (#335).

See CHANGELOG.md for the complete per-beta breakdown across the 13 betas in this cycle.

v0.0.10-beta.12

[luv-342] feat: enforce Pi Stop policies via before_agent_start hando…

v0.0.10-beta.11

What's Changed

• [luv-340] fix: regenerate OpenCode dev shim + handler-side canonicalization for OpenCode/Pi by @NiveditJain in #340

Full Changelog: v0.0.10-beta.10...v0.0.10-beta.11

v0.0.10-beta.10 - OpenCode + Pi policy enforcement; clean startup output

Fixes

• scripts/launch.ts: drop the dashboard-startup ASCII wordmark entirely. Every iteration (the original 10-row pixel-block banner, the 6-row trim, and the colored half-block render of the brand PNG) read poorly in standard terminals — too tall, vertically stretched, or just visual noise. Replace with a plain-text failproof ai title and a 📦 Version: <ver> line padded to the same column as the existing ⭐ Star us: / 📖 Docs: / 💬 Slack: lines, so version and URLs form one cleanly-aligned block (#338).
• Read full session UUID from each Gemini JSONL's metadata header at project-page session-listing time (lib/gemini-projects.ts), so links route to a valid [sessionId] segment instead of the 8-hex filename prefix that the session detail route's UUID_RE check rejects (404). Hooks-section links were already correct because hook stdin carries the full UUID; this aligns the projects-section with that path (#336).
• Canonicalize OpenCode and Pi tool-input arg keys so the path-checking builtin policies actually fire on read / write / edit tool calls. OpenCode delivers args as filePath / oldString / newString / replaceAll; Pi delivers path. The failproofai builtins read ctx.toolInput.file_path, so the shape mismatch silently no-op'd block-read-outside-cwd (OpenCode), block-env-files, and block-secrets-write for both CLIs — letting an OpenCode session read paths outside its CWD without any deny, and letting Pi sessions write to .env / SSH-key paths unchecked. Existing OpenCode users must regenerate their shim via failproofai policies --install --cli opencode to pick up the fix; Pi users must reinstall via failproofai policies --install --cli pi (#337).
• Route OpenCode project pages by encoded cwd (encodeFolderName(worktree)) instead of opencode's project name / basename, fixing the dashboard /project/<slug> 404 for OpenCode-only sessions and merging same-cwd OpenCode + other-CLI rows on the Projects page (#335).
• .failproofai/policies/workflow-policies.mjs: drop the ## Unreleased section; new release-prep-check policy + updated changelog-check instruct the agent to put entries under a dated ## <version> — <YYYY-MM-DD> heading so each PR ships release-ready, and all four workflow policies now anchor command-phrase matches to shell boundaries to avoid false-positives from HEREDOC bodies (#335)

v0.0.10-beta.9 - dashboard restyle, single dark theme

Features

• Restyle the dashboard to match the failproofai brand: near-black canvas (#0a0a0a) with pink primary #e4587d, sharper 0.5rem radius, Geist Mono via next/font/google, faint pink radial vignette, and the failproof wordmark in the navbar replacing the Exosphere icon + "Failproof AI" text combo. Drops light mode entirely — ThemeContext, ThemeToggle, Logo (theme-branching), the localStorage-keyed pre-paint script, the inline loading-splash <style>, the .light CSS block, and the obsolete public/exospheresmall*.png assets all go. Also fixes the entry-highlight keyframe (which referenced hsl(var(--primary) / …) against a hex variable so the row-click highlight never actually painted) using color-mix(in oklch, …) (#332).
• Redesign the dashboard-startup ASCII banner: hand-crafted chunky pixel-block lowercase "failproof ai" compressed with Unicode 2×2 quadrant block characters and horizontally scaled 4:3 so the full wordmark fits in ~75 cols × ~10 rows, with a plain-text fallback for narrower windows. Also drops the noisy "Using default .claude projects path: …" startup log line (#322).
• Remove the undocumented --projects-path / -p CLI flag — custom Claude project folders can still be pointed at via the CLAUDE_PROJECTS_PATH environment variable (#322).

Fixes

• .github/workflows/translate-docs.yml: when an [auto] update translations PR is already open, push the new translations to its existing branch instead of skipping. Previously the consolidate step exited early but the cache-save step ran first, so the cache advanced to mark the lost translations as done — and the next run saw them as cached and never re-translated (#325).

Docs

• Rewrite the English README.md: new layout with shields.io badges, CDN-hosted wordmark logo, the existing 7-CLI logo grid (Claude / Codex / Copilot / Cursor / OpenCode / Pi / Gemini), a tighter "What it stops" table, a License section explaining the MIT + Commons Clause split, and a docs index linking to docs.befailproof.ai. Hero GIF swapped to readme-arch-hq.gif (#321).

Tick "Set as a pre-release" since the version contains -beta..

Full changelog: https://github.com/exospherehost/failproofai/blob/v0.0.10-beta.9/CHANGELOG.md#0010-beta9--2026-05-09

v0.0.10-beta.8

[luv-324] fix: enforce Stop hook on OpenCode + cut 0.0.10-beta.8 (#323)

* [luv-324] fix: enforce Stop hook on OpenCode

Stop hooks fired on OpenCode (visible in dashboard activity feed) but
the agent stopped without retry — same failure mode Cursor had pre-#318
and Copilot had pre-#299. Root cause: no `cli === "opencode"` branch in
policy-evaluator's Stop / SubagentStop handling, so OpenCode fell into
the generic exit-2 path. The plugin shim's applyDecision turns exit-2
into `throw new Error(reason)`, but throwing from the `session.idle`
event callback is a no-op — OpenCode is already idle by the time the
event fires.

Fix: emit `{hookSpecificOutput: {additionalContext: <MANDATORY ACTION
reasonText>}}` for opencode Stop / SubagentStop in both deny and
instruct paths. The shim already routes `additionalContext` through
`client.session.prompt(...)` which submits a new user message that
re-triggers the agent loop — same model as Cursor's `followup_message`
and Copilot's `{decision: "block", reason}`. Promote applyDecision to
async and `await client.session.prompt` for Stop/SubagentStop events
so the SDK round-trip completes before the plugin context tears down;
keep fire-and-forget for tool events to avoid hot-path latency.

Sister CLIs verified while in here:
- Gemini AfterAgent (canonical Stop) was already correctly emitting
  `{decision: "block", reason}`; new unit tests pin both deny and
  instruct shapes to prevent regression.
- Pi `agent_end` is observation-only by upstream design — Pi's agent
  loop has already exited and `AgentEndEventResult` exposes no `block`
  field. CLAUDE.md already documents this; no code change.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* [luv-324] docs: clarify OpenCode plugin shim Stop semantics

Update configuration.mdx to reflect the new Stop / SubagentStop force-
retry channel: deny on Stop now routes through `client.session.prompt`
just like instruct, since `session.idle` is notification-only and
throwing from it is silently dropped.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* [luv-324] fix: address CodeRabbit feedback + cut 0.0.10-beta.8

Address PR #323 review:
- CHANGELOG.md: append (#323) to the Unreleased entry per repo convention
  (every entry ends with the PR number).
- docs/configuration.mdx:199: "Unlike the other four CLIs" → "Unlike the
  other six CLIs" — the page now lists six other integrations
  (Claude Code, Codex, Copilot, Cursor, Pi, Gemini) so the count was
  stale.

Release prep: promote the Unreleased entry to a versioned heading
`## 0.0.10-beta.8 — 2026-05-08`. Add a fresh `## Unreleased` heading
at the top for the next development cycle. package.json is already at
0.0.10-beta.8 (pre-bumped by chore commit a146ae6 after beta.7 release).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>