@codyswann/lisa 1.31.0 → 1.31.1

package/all/copy-overwrite/.claude/rules/lisa.md

@@ -10,6 +10,21 @@ The following files are managed by Lisa and will be overwritten on every `lisa`
 | `jest.config.ts` | `jest.config.local.ts` |
 | `tsconfig.json` | `tsconfig.local.json` |
 | `eslint.ignore.config.json` | `eslint.config.local.ts` |
+
+## Create-only files (edit freely, Lisa won't overwrite)
+
+- `.claude/rules/PROJECT_RULES.md`
+- `eslint.thresholds.json`
+- `jest.thresholds.json`
+
+## Directories with both Lisa-managed and project content
+
+These directories contain files deployed by Lisa **and** files you create. Do not edit or delete Lisa-managed files — they will be overwritten. You **can** freely add your own. Check `.lisa-manifest` to see which specific files Lisa manages.
+
+- `.claude/skills/` — Add your own skill directories alongside Lisa's
+- `.claude/commands/` — Add your own command namespaces alongside Lisa's
+- `.claude/hooks/` — Add your own hook scripts alongside Lisa's
+- `.claude/agents/` — Add your own agent files alongside Lisa's
 | `eslint.thresholds.json` | Edit directly (create-only, Lisa won't overwrite) |
 | `jest.thresholds.json` | Edit directly (create-only, Lisa won't overwrite) |
 | `.claude/rules/coding-philosophy.md` | `.claude/rules/PROJECT_RULES.md` |
@@ -19,6 +34,7 @@ The following files are managed by Lisa and will be overwritten on every `lisa`
 
 ## Files and directories with NO local override (do not edit at all)
 
+- `.claude/rules/coding-philosophy.md`, `.claude/rules/plan.md`, `.claude/rules/verfication.md`
 - `CLAUDE.md`, `HUMAN.md`, `.safety-net.json`
 - `.prettierrc.json`, `.prettierignore`, `.lintstagedrc.json`, `.versionrc`, `.nvmrc`
 - `.yamllint`, `.gitleaksignore`, `commitlint.config.cjs`, `sgconfig.yml`, `knip.json`
@@ -27,7 +43,7 @@ The following files are managed by Lisa and will be overwritten on every `lisa`
 - `tsconfig.base.json`, `tsconfig.typescript.json`, `tsconfig.expo.json`, `tsconfig.nestjs.json`, `tsconfig.cdk.json`
 - `tsconfig.eslint.json`, `tsconfig.build.json`, `tsconfig.spec.json`
 - `eslint-plugin-code-organization/*`, `eslint-plugin-component-structure/*`, `eslint-plugin-ui-standards/*`
-- `.claude/settings.json`, `.claude/hooks/*`, `.claude/skills/*` (hyphen-named, e.g. `plan-create`), `.claude/commands/*`, `.claude/agents/*`
+- `.claude/settings.json`
 - `.claude/README.md`, `.claude/REFERENCE.md`
 - `.github/workflows/quality.yml`, `.github/workflows/release.yml`, `.github/workflows/claude.yml`
 - `.github/workflows/build.yml`, `.github/workflows/lighthouse.yml` (Expo)

package/all/copy-overwrite/.claude/skills/plan-create/SKILL.md

@@ -185,7 +185,7 @@ Include all required tasks defined in `@.claude/rules/plan-governance.md` (Requi
 
 ## Step 10: Implementation Team Instructions
 
-The plan must include instructions to spawn an Agent Team for implementation. Recommend these specialized agents:
+The plan must include explict instructions to "Create an agent team" for implementation. Recommend these specialized agents:
 
 | Agent | Use For |
 |-------|---------|

package/expo/copy-overwrite/knip.json

@@ -70,6 +70,7 @@
     "@shopify/flash-list",
     "@shopify/react-native-skia",
     "aws-exports",
+    "axios",
     "base-64",
     "baseline-browser-mapping",
     "date-fns",

package/package.json

@@ -88,7 +88,7 @@
     "@isaacs/brace-expansion": "^5.0.1"
   },
   "name": "@codyswann/lisa",
-  "version": "1.31.0",
+  "version": "1.31.1",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "bin": {

package/typescript/copy-contents/.husky/pre-push

@@ -84,7 +84,12 @@ elif [ "$PACKAGE_MANAGER" = "bun" ]; then
   # Transitive dependency via @react-native-community/cli (Android/iOS build tooling)
   # Parent packages pin ^4.4.1; fix requires major version 5.x (incompatible)
   # Risk: None - CLI build tool, not a production runtime dependency
-  if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh; then
+
+  # Excluding GHSA-43fc-jf86-j433: axios DoS via __proto__ key in mergeConfig
+  # Transitive dependency via aws-amplify > @aws-amplify/api-rest > axios
+  # bun overrides/resolutions cannot reach nested node_modules copies
+  # Risk: Low - only affects server-side mergeConfig with attacker-controlled input
+  if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-43fc-jf86-j433; then
     echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
     exit 1
   fi

package/typescript/copy-overwrite/.github/workflows/quality.yml

@@ -1014,7 +1014,12 @@ jobs:
             # Transitive dependency via @react-native-community/cli (Android/iOS build tooling)
             # Parent packages pin ^4.4.1; fix requires major version 5.x (incompatible)
             # Risk: None - CLI build tool, not a production runtime dependency
-            if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh; then
+
+            # Excluding GHSA-43fc-jf86-j433: axios DoS via __proto__ key in mergeConfig
+            # Transitive dependency via aws-amplify > @aws-amplify/api-rest > axios
+            # bun overrides/resolutions cannot reach nested node_modules copies
+            # Risk: Low - only affects server-side mergeConfig with attacker-controlled input
+            if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-43fc-jf86-j433; then
               echo "::warning::Found high or critical vulnerabilities"
               exit 1
             fi

package/typescript/package-lisa/package.lisa.json

@@ -55,7 +55,8 @@
       "ts-jest": "^29.4.6"
     },
     "resolutions": {
-      "@isaacs/brace-expansion": "^5.0.1"
+      "@isaacs/brace-expansion": "^5.0.1",
+      "axios": ">=1.13.5"
     }
   },
   "defaults": {