Address PR review feedback: fix CI, add security improvements, optimize performance

.eslintrc.js

@@ -13,6 +13,23 @@ module.exports = {
     '@typescript-eslint/explicit-function-return-type': 'warn',
     '@typescript-eslint/no-explicit-any': 'error',
     '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+    // Disallow general console usage in application code.
+    // We allow console.warn and console.error because:
+    //   - console.error is used for audit/error logging where a logging framework
+    //     may not be available (e.g. early bootstrapping, process-level failures).
+    //   - console.warn is allowed for non-fatal operational warnings.
+    // For application-level logging, prefer a proper logging framework that can be
+    // configured per environment (e.g. debug levels, transports, formatting).
     'no-console': ['warn', { allow: ['warn', 'error'] }]
-  }
+  },
+  // Examples and documentation snippets may use console.log freely for clarity.
+  // We disable the no-console rule for those files to avoid noisy warnings.
+  overrides: [
+    {
+      files: ['examples/basic-usage.ts'],
+      rules: {
+        'no-console': 'off'
+      }
+    }
+  ]
 };

.gitignore

@@ -3,7 +3,6 @@ node_modules/
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
-package-lock.json
 yarn.lock
 
 # Python
@@ -59,3 +58,4 @@ temp/
 # OS
 .DS_Store
 Thumbs.db
+

CHANGELOG.md

@@ -0,0 +1,42 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Circular dependency detection in ModuleRegistry
+- Dependency initialization enforcement before module init
+- Support for stopping modules in transitional states (STARTING, INITIALIZING, ERROR)
+- Error handling in example shutdown code
+- Documentation for console usage rationale in ESLint config
+- ESLint override for examples directory
+- package-lock.json for reproducible builds
+
+### Changed
+- Core Directive lookup now uses __dirname instead of process.cwd() for better reliability
+- SQL injection pattern refined to reduce false positives (removed * and ' checks)
+- PBKDF2 iterations increased from 100,000 to 600,000 (OWASP recommended)
+- Email validation regex improved to require 2+ character TLD
+- Audit event rotation optimized using shift() instead of slice()
+- Audit event query optimized to avoid intermediate arrays when limit specified
+
+### Fixed
+- CI/CD npm cache issue by adding package-lock.json
+- package-lock.json removed from .gitignore
+
+## [0.1.0] - 2025-12-17
+
+### Added
+- Initial release with core security framework
+- Module registry with dependency management
+- Autonomic DNA system for self-organization
+- Governance and compliance checking
+- Cryptographic primitives (AES-256-GCM, SHA-256/512, PBKDF2)
+- Input validation (SQL injection and XSS detection)
+- Audit logging system
+- Core Directive compliance framework
+- GitHub Actions CI/CD pipeline

README.md

@@ -287,3 +287,4 @@ Inspired by:
 ---
 
 **Built with ❤️ for a secure, self-organizing future.**
+

examples/basic-usage.ts

@@ -127,9 +127,21 @@ async function main() {
 
   // Step 6: Graceful shutdown
   console.log('6. Shutting Down:');
-  await registry.stop('example-module');
-  await primeSecurity.stop();
-  console.log('   ✓ System shutdown complete\n');
+  try {
+    await registry.stop('example-module');
+    console.log('   ✓ Module "example-module" stopped');
+  } catch (error) {
+    console.error('   ✗ Failed to stop module "example-module":', error);
+  }
+
+  try {
+    await primeSecurity.stop();
+    console.log('   ✓ System shutdown complete\n');
+  } catch (error) {
+    console.error('   ✗ Failed to stop Prime Security:', error);
+    // Rethrow so the top-level error handler can react appropriately.
+    throw error;
+  }
 
   console.log('=== Example Complete ===');
 }