tindalabs · Isonimus · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,9 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ## [Unreleased]
 
-A consumer-visible fix now lands (see **Fixed** below), so the next release
-should be a patch (`0.1.1`). The Changed/Internal/Chore items — which only
-affect the dev tree, CI, and internal architecture — roll up into it.
+## [0.1.1] - 2026-06-10
+
+First patch release. The one consumer-visible change is the published-`dist`
+`@/` import leak (see **Fixed**); the Changed/Internal/Chore items only affect
+the dev tree, CI, and internal architecture, and roll up into this patch.
 
 ### Fixed
 - **Self-referential `@/` import leaked into published `dist/`.** `dist/otel.js`
@@ -28,6 +30,7 @@ affect the dev tree, CI, and internal architecture — roll up into it.
 - **Pruned aspirational `ProtectionEventType` enum** ([af9f270]): dropped 19 unused event types and matching `EventDataMap` entries that nothing publishes. Enum is now 10 entries — exactly what flows through the mediator today. Header doc explains the detect-and-react vs direct-blocking architectural asymmetry.
 - **Test coverage uplift**: 40.42% → 78.18% line coverage; 58 → 372 tests across 10 incremental slices. Two real bugs surfaced and fixed along the way: `SecurityOverlayManager` overlay re-queue ([4d14467]) and `ProtectedContentManager` priority-supersession orphan ([5d5a607]).
 - **Bonus README section**: `attachShieldToSpan()` promoted to its own top-level section after `ContentProtector`, with quick-start, Blindspot integration, and full table of emitted span events.
+- **CodeQL note alerts cleared** (#18): added a missing semicolon in `DOMObserver` (`js/automatic-semicolon-insertion`) and dropped an unused `const value` binding in `defineGetterDetector` in favor of `void ...testProp` to keep the getter-triggering access as a pure side effect (`js/unused-local-variable`). No behavior change. The high-severity `js/path-injection` alert on the `e2e/serve.mjs` test fixture was triaged and dismissed as a false positive (127.0.0.1-only fixture, traversal already guarded via `normalize` + `startsWith` containment).
 
 ### Chore
 - `actions/checkout` v4 → v6 (#2)

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@tindalabs/shield",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "main": "dist/index.js",
   "type": "module",
   "types": "dist/index.d.ts",

diff --git a/src/utils/DOMObserver.ts b/src/utils/DOMObserver.ts
@@ -103,7 +103,7 @@ export class DomObserver {
                     if (child instanceof HTMLElement) {
                       addedElements.push(child);
                     }
-                  })
+                  });
                 }
 
                 if (this.options.debugMode) {

diff --git a/src/utils/detectors/defineGetterDetector.ts b/src/utils/detectors/defineGetterDetector.ts
@@ -169,9 +169,8 @@ export class DefineGetterDetector extends AbstractDevToolsDetector {
         configurable: true,
       })
 
-      // Access the property to see if the getter works
-      // eslint-disable-next-line @typescript-eslint/no-unused-vars
-      const value = (testDiv as unknown as { testProp: string }).testProp
+      // Access the property to trigger the getter (side effect only).
+      void (testDiv as unknown as { testProp: string }).testProp;
 
       return testValue
       // eslint-disable-next-line @typescript-eslint/no-unused-vars
-Original file line number
+Diff line change
@@ Expand Up / @@ -103,7 +103,7 @@ export class DomObserver { @@
                         if (child instanceof HTMLElement) {
                           addedElements.push(child);
                         }
-                      })
+                      });
                     }
                     if (this.options.debugMode) {
@@ Expand Down @@