@codyswann/lisa 1.89.0 → 1.91.0

package/dist/migrations/ensure-audit-ignore-local-exclusions.d.ts

@@ -0,0 +1,51 @@
+import type { Migration, MigrationContext, MigrationResult } from "./migration.interface.js";
+/**
+ * Migration: relocate project-specific exclusions from `audit.ignore.config.json`
+ * (Lisa-owned, copy-overwrite) into `audit.ignore.local.json` (project-owned,
+ * create-only) so they survive future Lisa postinstall runs.
+ *
+ * Without this migration, projects that add transient-dependency exclusions to
+ * the Lisa-owned config see them silently stripped every install, producing
+ * noisy diffs and tempting users to commit the regression.
+ *
+ * Mirrors the shape of `EnsureTsconfigLocalIncludesMigration`:
+ *   - `beforeStrategies` snapshots the project's pre-strategy exclusions that
+ *     are not in the Lisa template (i.e., project-specific additions).
+ *   - `apply` (post-strategy) writes any snapshotted exclusions missing from
+ *     `audit.ignore.local.json` into that file.
+ */
+export declare class EnsureAuditIgnoreLocalExclusionsMigration implements Migration {
+    readonly name = "ensure-audit-ignore-local-exclusions";
+    readonly description = "Relocate project-specific audit exclusions from audit.ignore.config.json into audit.ignore.local.json";
+    private snapshot;
+    /**
+     * Snapshot project-specific exclusions that would otherwise be stripped by
+     * the copy-overwrite strategy. An exclusion is "project-specific" when its
+     * `id` is present in the project's audit.ignore.config.json but absent from
+     * the Lisa template for the same project type.
+     *
+     * When no valid Lisa template can be found for the detected project type the
+     * method returns without snapshotting anything. This is intentionally
+     * conservative: without a template we cannot distinguish Lisa-owned from
+     * project-specific exclusions, so migrating could copy Lisa-owned entries
+     * into audit.ignore.local.json.
+     * @param ctx - Migration context
+     */
+    beforeStrategies(ctx: MigrationContext): Promise<void>;
+    /**
+     * The migration applies when at least one snapshotted project-specific
+     * exclusion is missing from `audit.ignore.local.json`.
+     * @param ctx - Migration context
+     * @returns True when there is work to do
+     */
+    applies(ctx: MigrationContext): Promise<boolean>;
+    /**
+     * Merge snapshotted project-specific exclusions into audit.ignore.local.json,
+     * skipping any whose id is already present. Deduplicates within the snapshot
+     * itself so that duplicate source entries are only written once.
+     * @param ctx - Migration context
+     * @returns Result describing the action taken
+     */
+    apply(ctx: MigrationContext): Promise<MigrationResult>;
+}
+//# sourceMappingURL=ensure-audit-ignore-local-exclusions.d.ts.map

package/dist/migrations/ensure-audit-ignore-local-exclusions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ensure-audit-ignore-local-exclusions.d.ts","sourceRoot":"","sources":["../../src/migrations/ensure-audit-ignore-local-exclusions.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,SAAS,EACT,gBAAgB,EAChB,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAyFlC;;;;;;;;;;;;;;GAcG;AACH,qBAAa,yCAA0C,YAAW,SAAS;IACzE,QAAQ,CAAC,IAAI,0CAA0C;IACvD,QAAQ,CAAC,WAAW,2GACsF;IAE1G,OAAO,CAAC,QAAQ,CAA4B;IAE5C;;;;;;;;;;;;OAYG;IACG,gBAAgB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkC5D;;;;;OAKG;IACG,OAAO,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;IAatD;;;;;;OAMG;IACG,KAAK,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;CAkD7D"}

package/dist/migrations/ensure-audit-ignore-local-exclusions.js

@@ -0,0 +1,192 @@
+import * as path from "node:path";
+import * as fse from "fs-extra";
+import { readJson, readJsonOrNull, writeJson } from "../utils/json-utils.js";
+const AUDIT_CONFIG = "audit.ignore.config.json";
+const AUDIT_LOCAL = "audit.ignore.local.json";
+/**
+ * Preferred order of project types for sourcing the Lisa audit template.
+ * First matching type wins.
+ */
+const TEMPLATE_PRIORITY = [
+    "typescript",
+    "expo",
+    "cdk",
+    "nestjs",
+    "npm-package",
+];
+/**
+ * Find the Lisa template audit.ignore.config.json path for the detected project.
+ * The Lisa-owned audit config lives under `<type>/copy-overwrite/audit.ignore.config.json`.
+ * Only returns a path when the file actually exists on disk; continues to the
+ * next priority type otherwise to avoid treating a missing template as an empty
+ * baseline.
+ * @param lisaDir - Lisa installation directory
+ * @param detectedTypes - Project types detected for the destination project
+ * @returns Template path, or null when no matching type ships one
+ */
+async function findTemplateConfigPath(lisaDir, detectedTypes) {
+    for (const type of TEMPLATE_PRIORITY) {
+        if (!detectedTypes.includes(type)) {
+            continue;
+        }
+        const candidate = path.join(lisaDir, type, "copy-overwrite", AUDIT_CONFIG);
+        if (await fse.pathExists(candidate)) {
+            return candidate;
+        }
+    }
+    return null;
+}
+/**
+ * Extract the set of exclusion ids from a parsed audit ignore file.
+ * Entries missing an `id` are ignored (they cannot be de-duplicated safely).
+ * @param file - Parsed audit ignore file
+ * @returns Set of exclusion ids found in the file
+ */
+function collectIds(file) {
+    if (!file || !Array.isArray(file.exclusions)) {
+        return new Set();
+    }
+    const ids = file.exclusions
+        .map(entry => entry.id)
+        .filter((id) => typeof id === "string" && id.length > 0);
+    return new Set(ids);
+}
+/**
+ * Read a project-owned local JSON file, distinguishing between a missing file
+ * (returns null) and a malformed file (throws). This prevents silent data loss
+ * when a file exists but contains invalid JSON.
+ * @param filePath - Path to the JSON file
+ * @returns Parsed content, or null when the file does not exist
+ */
+async function readLocalJson(filePath) {
+    if (!(await fse.pathExists(filePath))) {
+        return null;
+    }
+    return readJson(filePath);
+}
+/**
+ * Migration: relocate project-specific exclusions from `audit.ignore.config.json`
+ * (Lisa-owned, copy-overwrite) into `audit.ignore.local.json` (project-owned,
+ * create-only) so they survive future Lisa postinstall runs.
+ *
+ * Without this migration, projects that add transient-dependency exclusions to
+ * the Lisa-owned config see them silently stripped every install, producing
+ * noisy diffs and tempting users to commit the regression.
+ *
+ * Mirrors the shape of `EnsureTsconfigLocalIncludesMigration`:
+ *   - `beforeStrategies` snapshots the project's pre-strategy exclusions that
+ *     are not in the Lisa template (i.e., project-specific additions).
+ *   - `apply` (post-strategy) writes any snapshotted exclusions missing from
+ *     `audit.ignore.local.json` into that file.
+ */
+export class EnsureAuditIgnoreLocalExclusionsMigration {
+    name = "ensure-audit-ignore-local-exclusions";
+    description = "Relocate project-specific audit exclusions from audit.ignore.config.json into audit.ignore.local.json";
+    snapshot = [];
+    /**
+     * Snapshot project-specific exclusions that would otherwise be stripped by
+     * the copy-overwrite strategy. An exclusion is "project-specific" when its
+     * `id` is present in the project's audit.ignore.config.json but absent from
+     * the Lisa template for the same project type.
+     *
+     * When no valid Lisa template can be found for the detected project type the
+     * method returns without snapshotting anything. This is intentionally
+     * conservative: without a template we cannot distinguish Lisa-owned from
+     * project-specific exclusions, so migrating could copy Lisa-owned entries
+     * into audit.ignore.local.json.
+     * @param ctx - Migration context
+     */
+    async beforeStrategies(ctx) {
+        this.snapshot = [];
+        const projectConfigPath = path.join(ctx.projectDir, AUDIT_CONFIG);
+        const projectConfig = await readJsonOrNull(projectConfigPath);
+        if (!projectConfig || !Array.isArray(projectConfig.exclusions)) {
+            return;
+        }
+        const templatePath = await findTemplateConfigPath(ctx.lisaDir, ctx.detectedTypes);
+        const template = templatePath
+            ? await readJsonOrNull(templatePath)
+            : null;
+        if (!template) {
+            return;
+        }
+        const templateIds = collectIds(template);
+        const projectSpecific = projectConfig.exclusions.filter(entry => {
+            if (typeof entry.id !== "string" || entry.id.length === 0) {
+                return false;
+            }
+            return !templateIds.has(entry.id);
+        });
+        this.snapshot = projectSpecific;
+    }
+    /**
+     * The migration applies when at least one snapshotted project-specific
+     * exclusion is missing from `audit.ignore.local.json`.
+     * @param ctx - Migration context
+     * @returns True when there is work to do
+     */
+    async applies(ctx) {
+        if (this.snapshot.length === 0) {
+            return false;
+        }
+        const localPath = path.join(ctx.projectDir, AUDIT_LOCAL);
+        const local = await readLocalJson(localPath);
+        const localIds = collectIds(local);
+        return this.snapshot.some(entry => {
+            const id = entry.id;
+            return typeof id === "string" && !localIds.has(id);
+        });
+    }
+    /**
+     * Merge snapshotted project-specific exclusions into audit.ignore.local.json,
+     * skipping any whose id is already present. Deduplicates within the snapshot
+     * itself so that duplicate source entries are only written once.
+     * @param ctx - Migration context
+     * @returns Result describing the action taken
+     */
+    async apply(ctx) {
+        const localPath = path.join(ctx.projectDir, AUDIT_LOCAL);
+        const local = await readLocalJson(localPath);
+        const existing = Array.isArray(local?.exclusions) ? local.exclusions : [];
+        const localIds = collectIds(local);
+        const seenIds = new Set(localIds);
+        const additions = this.snapshot.filter(entry => {
+            const id = entry.id;
+            if (typeof id !== "string" || seenIds.has(id)) {
+                return false;
+            }
+            seenIds.add(id);
+            return true;
+        });
+        if (additions.length === 0) {
+            return { name: this.name, action: "noop" };
+        }
+        const merged = {
+            ...(local ?? {}),
+            exclusions: [...existing, ...additions],
+        };
+        const addedIds = additions
+            .map(entry => entry.id)
+            .filter((id) => typeof id === "string");
+        const message = `Relocated ${additions.length} exclusion(s) into audit.ignore.local.json (${addedIds.join(", ")})`;
+        if (ctx.dryRun) {
+            ctx.logger.dry(`Would relocate exclusions: ${addedIds.join(", ")}`);
+            return {
+                name: this.name,
+                action: "applied",
+                changedFiles: [AUDIT_LOCAL],
+                message,
+            };
+        }
+        await fse.ensureDir(path.dirname(localPath));
+        await writeJson(localPath, merged);
+        ctx.logger.success(message);
+        return {
+            name: this.name,
+            action: "applied",
+            changedFiles: [AUDIT_LOCAL],
+            message,
+        };
+    }
+}
+//# sourceMappingURL=ensure-audit-ignore-local-exclusions.js.map

package/dist/migrations/ensure-audit-ignore-local-exclusions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ensure-audit-ignore-local-exclusions.js","sourceRoot":"","sources":["../../src/migrations/ensure-audit-ignore-local-exclusions.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,GAAG,MAAM,UAAU,CAAC;AAEhC,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAO7E,MAAM,YAAY,GAAG,0BAA0B,CAAC;AAChD,MAAM,WAAW,GAAG,yBAAyB,CAAC;AAkB9C;;;GAGG;AACH,MAAM,iBAAiB,GAA2B;IAChD,YAAY;IACZ,MAAM;IACN,KAAK;IACL,QAAQ;IACR,aAAa;CACd,CAAC;AAEF;;;;;;;;;GASG;AACH,KAAK,UAAU,sBAAsB,CACnC,OAAe,EACf,aAAqC;IAErC,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,SAAS;QACX,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,YAAY,CAAC,CAAC;QAC3E,IAAI,MAAM,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,SAAS,UAAU,CAAC,IAA4B;IAC9C,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,GAAG,EAAE,CAAC;IACnB,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU;SACxB,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;SACtB,MAAM,CAAC,CAAC,EAAE,EAAgB,EAAE,CAAC,OAAO,EAAE,KAAK,QAAQ,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACzE,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;AACtB,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,aAAa,CAAI,QAAgB;IAC9C,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,QAAQ,CAAI,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,OAAO,yCAAyC;IAC3C,IAAI,GAAG,sCAAsC,CAAC;IAC9C,WAAW,GAClB,uGAAuG,CAAC;IAElG,QAAQ,GAAyB,EAAE,CAAC;IAE5C;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,gBAAgB,CAAC,GAAqB;QAC1C,IAAI,CAAC,QAAQ,GAAG,EAAE,CAAC;QAEnB,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QAClE,MAAM,aAAa,GACjB,MAAM,cAAc,CAAkB,iBAAiB,CAAC,CAAC;QAC3D,IAAI,CAAC,aAAa,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,sBAAsB,CAC/C,GAAG,CAAC,OAAO,EACX,GAAG,CAAC,aAAa,CAClB,CAAC;QACF,MAAM,QAAQ,GAAG,YAAY;YAC3B,CAAC,CAAC,MAAM,cAAc,CAAkB,YAAY,CAAC;YACrD,CAAC,CAAC,IAAI,CAAC;QAET,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAEzC,MAAM,eAAe,GAAG,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;YAC9D,IAAI,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ,IAAI,KAAK,CAAC,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACpC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,GAAG,eAAe,CAAC;IAClC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,GAAqB;QACjC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACzD,MAAM,KAAK,GAAG,MAAM,aAAa,CAAkB,SAAS,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;YAChC,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;YACpB,OAAO,OAAO,EAAE,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,KAAK,CAAC,GAAqB;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QACzD,MAAM,KAAK,GAAG,MAAM,aAAa,CAAkB,SAAS,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;QAEnC,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClC,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;YAC7C,MAAM,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;YACpB,IAAI,OAAO,EAAE,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBAC9C,OAAO,KAAK,CAAC;YACf,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QAC7C,CAAC;QAED,MAAM,MAAM,GAAoB;YAC9B,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;YAChB,UAAU,EAAE,CAAC,GAAG,QAAQ,EAAE,GAAG,SAAS,CAAC;SACxC,CAAC;QAEF,MAAM,QAAQ,GAAG,SAAS;aACvB,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;aACtB,MAAM,CAAC,CAAC,EAAE,EAAgB,EAAE,CAAC,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,aAAa,SAAS,CAAC,MAAM,+CAA+C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;QAEnH,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,8BAA8B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpE,OAAO;gBACL,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,MAAM,EAAE,SAAS;gBACjB,YAAY,EAAE,CAAC,WAAW,CAAC;gBAC3B,OAAO;aACR,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;QAC7C,MAAM,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QACnC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC5B,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,SAAS;YACjB,YAAY,EAAE,CAAC,WAAW,CAAC;YAC3B,OAAO;SACR,CAAC;IACJ,CAAC;CACF"}

package/dist/migrations/index.d.ts

@@ -1,5 +1,6 @@
 import type { Migration, MigrationContext, MigrationResult } from "./migration.interface.js";
 export type { Migration, MigrationAction, MigrationContext, MigrationResult, } from "./migration.interface.js";
+export { EnsureAuditIgnoreLocalExclusionsMigration } from "./ensure-audit-ignore-local-exclusions.js";
 export { EnsureLisaPostinstallMigration } from "./ensure-lisa-postinstall.js";
 export { EnsureTsconfigLocalIncludesMigration } from "./ensure-tsconfig-local-includes.js";
 /**

package/dist/migrations/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/migrations/index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EACV,SAAS,EACT,gBAAgB,EAChB,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAElC,YAAY,EACV,SAAS,EACT,eAAe,EACf,gBAAgB,EAChB,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,8BAA8B,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,oCAAoC,EAAE,MAAM,qCAAqC,CAAC;AAE3F;;GAEG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAuB;IAElD;;;OAGG;gBACS,UAAU,CAAC,EAAE,SAAS,SAAS,EAAE;IAO7C;;;OAGG;IACH,MAAM,IAAI,SAAS,SAAS,EAAE;IAI9B;;;;OAIG;IACG,mBAAmB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ/D;;;;OAIG;IACG,MAAM,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,SAAS,eAAe,EAAE,CAAC;CAazE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,iBAAiB,CAE3D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/migrations/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,SAAS,EACT,gBAAgB,EAChB,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAElC,YAAY,EACV,SAAS,EACT,eAAe,EACf,gBAAgB,EAChB,eAAe,GAChB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,yCAAyC,EAAE,MAAM,2CAA2C,CAAC;AACtG,OAAO,EAAE,8BAA8B,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,oCAAoC,EAAE,MAAM,qCAAqC,CAAC;AAE3F;;GAEG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAuB;IAElD;;;OAGG;gBACS,UAAU,CAAC,EAAE,SAAS,SAAS,EAAE;IAQ7C;;;OAGG;IACH,MAAM,IAAI,SAAS,SAAS,EAAE;IAI9B;;;;OAIG;IACG,mBAAmB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ/D;;;;OAIG;IACG,MAAM,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,SAAS,eAAe,EAAE,CAAC;CAazE;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,IAAI,iBAAiB,CAE3D"}

package/dist/migrations/index.js

@@ -1,5 +1,7 @@
+import { EnsureAuditIgnoreLocalExclusionsMigration } from "./ensure-audit-ignore-local-exclusions.js";
 import { EnsureLisaPostinstallMigration } from "./ensure-lisa-postinstall.js";
 import { EnsureTsconfigLocalIncludesMigration } from "./ensure-tsconfig-local-includes.js";
+export { EnsureAuditIgnoreLocalExclusionsMigration } from "./ensure-audit-ignore-local-exclusions.js";
 export { EnsureLisaPostinstallMigration } from "./ensure-lisa-postinstall.js";
 export { EnsureTsconfigLocalIncludesMigration } from "./ensure-tsconfig-local-includes.js";
 /**
@@ -14,6 +16,7 @@ export class MigrationRegistry {
     constructor(migrations) {
         this.migrations = migrations ?? [
             new EnsureTsconfigLocalIncludesMigration(),
+            new EnsureAuditIgnoreLocalExclusionsMigration(),
             new EnsureLisaPostinstallMigration(),
         ];
     }

package/dist/migrations/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/migrations/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,8BAA8B,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,oCAAoC,EAAE,MAAM,qCAAqC,CAAC;AAa3F,OAAO,EAAE,8BAA8B,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,oCAAoC,EAAE,MAAM,qCAAqC,CAAC;AAE3F;;GAEG;AACH,MAAM,OAAO,iBAAiB;IACX,UAAU,CAAuB;IAElD;;;OAGG;IACH,YAAY,UAAiC;QAC3C,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI;YAC9B,IAAI,oCAAoC,EAAE;YAC1C,IAAI,8BAA8B,EAAE;SACrC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM;QACJ,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,mBAAmB,CAAC,GAAqB;QAC7C,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACxC,IAAI,SAAS,CAAC,gBAAgB,EAAE,CAAC;gBAC/B,MAAM,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,MAAM,CAAC,GAAqB;QAChC,MAAM,OAAO,GAAsB,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACxC,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;gBAC1D,SAAS;YACX,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,IAAI,iBAAiB,EAAE,CAAC;AACjC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/migrations/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yCAAyC,EAAE,MAAM,2CAA2C,CAAC;AACtG,OAAO,EAAE,8BAA8B,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,oCAAoC,EAAE,MAAM,qCAAqC,CAAC;AAa3F,OAAO,EAAE,yCAAyC,EAAE,MAAM,2CAA2C,CAAC;AACtG,OAAO,EAAE,8BAA8B,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,oCAAoC,EAAE,MAAM,qCAAqC,CAAC;AAE3F;;GAEG;AACH,MAAM,OAAO,iBAAiB;IACX,UAAU,CAAuB;IAElD;;;OAGG;IACH,YAAY,UAAiC;QAC3C,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI;YAC9B,IAAI,oCAAoC,EAAE;YAC1C,IAAI,yCAAyC,EAAE;YAC/C,IAAI,8BAA8B,EAAE;SACrC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,MAAM;QACJ,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,mBAAmB,CAAC,GAAqB;QAC7C,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACxC,IAAI,SAAS,CAAC,gBAAgB,EAAE,CAAC;gBAC/B,MAAM,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACxC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,MAAM,CAAC,GAAqB;QAChC,MAAM,OAAO,GAAsB,EAAE,CAAC;QACtC,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACxC,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC/C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;gBAC1D,SAAS;YACX,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO,IAAI,iBAAiB,EAAE,CAAC;AACjC,CAAC"}

package/package.json

@@ -78,7 +78,7 @@
     "lodash": ">=4.18.1"
   },
   "name": "@codyswann/lisa",
-  "version": "1.89.0",
+  "version": "1.91.0",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "exports": {

package/plugins/lisa/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "1.89.0",
+  "version": "1.91.0",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/rules/base-rules.md

@@ -50,6 +50,7 @@ Git Discipline:
 - Prefix git push with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.
 - Never commit directly to an environment branch (dev, staging, main).
 - Never use --no-verify or attempt to bypass a git hook.
+- Never bypass branch protection. Never use `--admin`, `--force`, or any other flag to merge a PR that has failing CI checks. If CI fails, fix it. If you cannot fix it, escalate to the human. There are zero exceptions. "Green in CI" is the definition of done — not "green locally." A PR is not complete until CI passes on the actual PR branch.
 - Never stash changes you cannot commit. Either fix whatever is preventing the commit or fail out and let the human know why.
 - Never add "BREAKING CHANGE" to a commit message unless there is actually a breaking change.
 - When opening a PR, watch the PR. If any status checks fail, fix them. For all bot code reviews, if the feedback is valid, implement it and push the change to the PR. Then resolve the feedback. If the feedback is not valid, reply to the feedback explaining why it's not valid and then resolve the feedback. Do this in a loop until the PR is able to be merged and then merge it.

package/plugins/lisa-cdk/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "1.89.0",
+  "version": "1.91.0",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "1.89.0",
+  "version": "1.91.0",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo/skills/playwright-ci-debugging/SKILL.md

@@ -0,0 +1,140 @@
+---
+name: playwright-ci-debugging
+description: Debug Playwright E2E tests that pass locally but fail in CI (or vice versa) in Expo web projects. Covers local reproduction, network interception, CI environment discovery, commit SHA verification, and robust interaction patterns that eliminate flake. Use this skill when a Playwright test is failing in CI, a test is flaky, a PR is blocked by E2E checks, or you need to investigate CI-specific test behavior. Trigger on mentions of CI failure, failing Playwright test, flaky E2E test, or debugging E2E in CI.
+---
+
+# Debugging Playwright E2E Failures in CI
+
+The authoring-side rules (selectors, testID forwarding, naming) are in the `playwright-selectors` skill. This skill is for the other half of the job: when a test fails in CI and you need to find out why.
+
+## Debugging Order
+
+When a Playwright E2E test fails in CI, follow this exact order.
+
+### 1. Reproduce locally first — before anything else
+
+Start the project's dev server, then run the failing test in isolation:
+
+```bash
+# Start the dev server (discover the script from package.json — commonly `start`, `dev`, `start:dev`, or `web`)
+<pkg-manager> run <dev-script>
+
+# In another terminal, run the exact failing test with no retries
+BASE_URL=http://localhost:8081/ npx playwright test <file> --grep "<test name>" --retries=0
+```
+
+`--retries=0` is critical — retries mask flake. `--grep` isolates the single failing test so you're not waiting on a full suite.
+
+**Do NOT read source code, CI logs, or theorize until you can reproduce locally.** Most CI failures reproduce locally if you run the same test against the same served build. Guessing from logs is slow and usually wrong.
+
+### 2. Intercept the network request
+
+When a test involves an API call, set up a Playwright response listener and inspect the status code and response body. A 400/500 response tells you everything.
+
+```typescript
+page.on("response", async (response) => {
+  if (response.url().includes("/api/")) {
+    console.log(response.status(), response.url(), await response.text());
+  }
+});
+```
+
+UI failures are often downstream of a failed API call. The network log is cheaper evidence than the DOM.
+
+### 3. If it doesn't reproduce locally, understand the CI environment first
+
+CI runs against a different environment than your laptop. Before changing anything:
+
+- Find the CI job that runs Playwright (usually `.github/workflows/*.yml`).
+- Identify which `.env.*` file it loads — this varies by target branch (e.g., dev → `.env.development`, staging → `.env.staging`).
+- Note that CI typically builds a static web bundle (`expo export --platform web`) then serves it on `localhost:8081` via `serve dist`. It is NOT hitting your dev server. Timing, bundling, and env vars all differ.
+- Reproduce the CI setup locally: build the static bundle, serve it the same way, then run the test. If it now fails locally, you've isolated an env/build difference.
+
+### 4. Verify commit SHA before trusting CI results
+
+After pushing, confirm the CI run's `headSha` matches your latest commit:
+
+```bash
+gh run list --branch "$(git branch --show-current)" --limit 1 --json headSha,status,conclusion
+git rev-parse HEAD
+```
+
+Bots (review-response, auto-update, dependabot) can push commits between your push and the CI run, overwriting your changes. A green check on a stale SHA tells you nothing about your fix.
+
+## Patterns That Eliminate Flake
+
+### Never use fixed waits before interactions
+
+`waitForTimeout()` as the sole wait before a click is a silent failure waiting to happen — animations and rendering take variable time, especially on slower CI runners. Poll for the expected state, then act.
+
+```typescript
+// BAD — fixed wait; click silently fails if element not yet visible
+await clickVisibleText(page, "Translate");
+await page.waitForTimeout(1000);
+await clickVisibleText(page, "Spanish");
+
+// GOOD — poll for visibility, then click
+await clickVisibleText(page, "Translate");
+await expect
+  .poll(() => hasVisibleText(page, "Spanish"), { timeout: TIMEOUT.expect })
+  .toBe(true);
+await clickVisibleText(page, "Spanish");
+```
+
+### Never silently swallow click return values
+
+Any helper that can return `false` on a missed click (e.g., `clickVisibleText`) should either have its return value asserted or be preceded by a visibility poll. A click that silently returns `false` is a hidden test bug — the test proceeds as if the click happened and fails downstream with a confusing error.
+
+```typescript
+// BAD — return value ignored; test continues on failed click
+await clickVisibleText(page, "Submit");
+
+// GOOD — assert the click happened
+expect(await clickVisibleText(page, "Submit")).toBe(true);
+
+// GOOD — precede with visibility poll
+await expect
+  .poll(() => hasVisibleText(page, "Submit"), { timeout: TIMEOUT.expect })
+  .toBe(true);
+await clickVisibleText(page, "Submit");
+```
+
+### E2E tests must not depend on external API success
+
+Any test that calls an external service (AWS Bedrock, third-party APIs, rate-limited providers) must handle the failure case. Tests should verify UI behavior, not external service uptime. If an external call might fail, the test must accept both outcomes or skip the dependent assertion.
+
+```typescript
+// BAD — assumes translation always succeeds
+await expect
+  .poll(() => hasVisibleText(page, "Show Original"), { timeout: TIMEOUT.expect })
+  .toBe(true);
+
+// GOOD — handle both success and failure
+await expect
+  .poll(
+    async () =>
+      (await hasVisibleText(page, "Show Original")) ||
+      (await hasVisibleText(page, "Translate")),
+    { timeout: TIMEOUT.expect }
+  )
+  .toBe(true);
+
+const translated = await hasVisibleText(page, "Show Original");
+if (!translated) return; // External API failed; skip downstream assertions
+```
+
+The alternative — mocking the external call — is a valid approach when the goal is to test the UI's handling of a successful response. Pick one strategy per test and commit to it.
+
+### E2E assertions must not depend on specific test data
+
+Do not assert specific text (e.g., "No lists detected") when the test user's data state varies across environments. If a zero-row state could have different empty-state messages depending on the user's data, either check for multiple possible states or skip the assertion entirely.
+
+See the `playwright-selectors` skill's "Data independence" section for authoring patterns that avoid this class of bug in the first place.
+
+## Escalation
+
+If you've worked through steps 1–4 and still cannot explain the failure:
+
+- Do NOT disable, skip, or `.fixme` the test to unblock the PR.
+- Do NOT use `--admin` or force-merge to bypass the check.
+- Escalate to a human with: the failing test name, your local reproduction attempt, the network trace, and the commit SHA verification. A real flake that cannot be root-caused is a legitimate reason to pause; it is never a reason to merge red.

package/plugins/lisa-nestjs/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "1.89.0",
+  "version": "1.91.0",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "1.89.0",
+  "version": "1.91.0",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "1.89.0",
+  "version": "1.91.0",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/src/base/rules/base-rules.md

@@ -50,6 +50,7 @@ Git Discipline:
 - Prefix git push with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.
 - Never commit directly to an environment branch (dev, staging, main).
 - Never use --no-verify or attempt to bypass a git hook.
+- Never bypass branch protection. Never use `--admin`, `--force`, or any other flag to merge a PR that has failing CI checks. If CI fails, fix it. If you cannot fix it, escalate to the human. There are zero exceptions. "Green in CI" is the definition of done — not "green locally." A PR is not complete until CI passes on the actual PR branch.
 - Never stash changes you cannot commit. Either fix whatever is preventing the commit or fail out and let the human know why.
 - Never add "BREAKING CHANGE" to a commit message unless there is actually a breaking change.
 - When opening a PR, watch the PR. If any status checks fail, fix them. For all bot code reviews, if the feedback is valid, implement it and push the change to the PR. Then resolve the feedback. If the feedback is not valid, reply to the feedback explaining why it's not valid and then resolve the feedback. Do this in a loop until the PR is able to be merged and then merge it.

package/plugins/src/expo/skills/playwright-ci-debugging/SKILL.md

@@ -0,0 +1,140 @@
+---
+name: playwright-ci-debugging
+description: Debug Playwright E2E tests that pass locally but fail in CI (or vice versa) in Expo web projects. Covers local reproduction, network interception, CI environment discovery, commit SHA verification, and robust interaction patterns that eliminate flake. Use this skill when a Playwright test is failing in CI, a test is flaky, a PR is blocked by E2E checks, or you need to investigate CI-specific test behavior. Trigger on mentions of CI failure, failing Playwright test, flaky E2E test, or debugging E2E in CI.
+---
+
+# Debugging Playwright E2E Failures in CI
+
+The authoring-side rules (selectors, testID forwarding, naming) are in the `playwright-selectors` skill. This skill is for the other half of the job: when a test fails in CI and you need to find out why.
+
+## Debugging Order
+
+When a Playwright E2E test fails in CI, follow this exact order.
+
+### 1. Reproduce locally first — before anything else
+
+Start the project's dev server, then run the failing test in isolation:
+
+```bash
+# Start the dev server (discover the script from package.json — commonly `start`, `dev`, `start:dev`, or `web`)
+<pkg-manager> run <dev-script>
+
+# In another terminal, run the exact failing test with no retries
+BASE_URL=http://localhost:8081/ npx playwright test <file> --grep "<test name>" --retries=0
+```
+
+`--retries=0` is critical — retries mask flake. `--grep` isolates the single failing test so you're not waiting on a full suite.
+
+**Do NOT read source code, CI logs, or theorize until you can reproduce locally.** Most CI failures reproduce locally if you run the same test against the same served build. Guessing from logs is slow and usually wrong.
+
+### 2. Intercept the network request
+
+When a test involves an API call, set up a Playwright response listener and inspect the status code and response body. A 400/500 response tells you everything.
+
+```typescript
+page.on("response", async (response) => {
+  if (response.url().includes("/api/")) {
+    console.log(response.status(), response.url(), await response.text());
+  }
+});
+```
+
+UI failures are often downstream of a failed API call. The network log is cheaper evidence than the DOM.
+
+### 3. If it doesn't reproduce locally, understand the CI environment first
+
+CI runs against a different environment than your laptop. Before changing anything:
+
+- Find the CI job that runs Playwright (usually `.github/workflows/*.yml`).
+- Identify which `.env.*` file it loads — this varies by target branch (e.g., dev → `.env.development`, staging → `.env.staging`).
+- Note that CI typically builds a static web bundle (`expo export --platform web`) then serves it on `localhost:8081` via `serve dist`. It is NOT hitting your dev server. Timing, bundling, and env vars all differ.
+- Reproduce the CI setup locally: build the static bundle, serve it the same way, then run the test. If it now fails locally, you've isolated an env/build difference.
+
+### 4. Verify commit SHA before trusting CI results
+
+After pushing, confirm the CI run's `headSha` matches your latest commit:
+
+```bash
+gh run list --branch "$(git branch --show-current)" --limit 1 --json headSha,status,conclusion
+git rev-parse HEAD
+```
+
+Bots (review-response, auto-update, dependabot) can push commits between your push and the CI run, overwriting your changes. A green check on a stale SHA tells you nothing about your fix.
+
+## Patterns That Eliminate Flake
+
+### Never use fixed waits before interactions
+
+`waitForTimeout()` as the sole wait before a click is a silent failure waiting to happen — animations and rendering take variable time, especially on slower CI runners. Poll for the expected state, then act.
+
+```typescript
+// BAD — fixed wait; click silently fails if element not yet visible
+await clickVisibleText(page, "Translate");
+await page.waitForTimeout(1000);
+await clickVisibleText(page, "Spanish");
+
+// GOOD — poll for visibility, then click
+await clickVisibleText(page, "Translate");
+await expect
+  .poll(() => hasVisibleText(page, "Spanish"), { timeout: TIMEOUT.expect })
+  .toBe(true);
+await clickVisibleText(page, "Spanish");
+```
+
+### Never silently swallow click return values
+
+Any helper that can return `false` on a missed click (e.g., `clickVisibleText`) should either have its return value asserted or be preceded by a visibility poll. A click that silently returns `false` is a hidden test bug — the test proceeds as if the click happened and fails downstream with a confusing error.
+
+```typescript
+// BAD — return value ignored; test continues on failed click
+await clickVisibleText(page, "Submit");
+
+// GOOD — assert the click happened
+expect(await clickVisibleText(page, "Submit")).toBe(true);
+
+// GOOD — precede with visibility poll
+await expect
+  .poll(() => hasVisibleText(page, "Submit"), { timeout: TIMEOUT.expect })
+  .toBe(true);
+await clickVisibleText(page, "Submit");
+```
+
+### E2E tests must not depend on external API success
+
+Any test that calls an external service (AWS Bedrock, third-party APIs, rate-limited providers) must handle the failure case. Tests should verify UI behavior, not external service uptime. If an external call might fail, the test must accept both outcomes or skip the dependent assertion.
+
+```typescript
+// BAD — assumes translation always succeeds
+await expect
+  .poll(() => hasVisibleText(page, "Show Original"), { timeout: TIMEOUT.expect })
+  .toBe(true);
+
+// GOOD — handle both success and failure
+await expect
+  .poll(
+    async () =>
+      (await hasVisibleText(page, "Show Original")) ||
+      (await hasVisibleText(page, "Translate")),
+    { timeout: TIMEOUT.expect }
+  )
+  .toBe(true);
+
+const translated = await hasVisibleText(page, "Show Original");
+if (!translated) return; // External API failed; skip downstream assertions
+```
+
+The alternative — mocking the external call — is a valid approach when the goal is to test the UI's handling of a successful response. Pick one strategy per test and commit to it.
+
+### E2E assertions must not depend on specific test data
+
+Do not assert specific text (e.g., "No lists detected") when the test user's data state varies across environments. If a zero-row state could have different empty-state messages depending on the user's data, either check for multiple possible states or skip the assertion entirely.
+
+See the `playwright-selectors` skill's "Data independence" section for authoring patterns that avoid this class of bug in the first place.
+
+## Escalation
+
+If you've worked through steps 1–4 and still cannot explain the failure:
+
+- Do NOT disable, skip, or `.fixme` the test to unblock the PR.
+- Do NOT use `--admin` or force-merge to bypass the check.
+- Escalate to a human with: the failing test name, your local reproduction attempt, the network trace, and the commit SHA verification. A real flake that cannot be root-caused is a legitimate reason to pause; it is never a reason to merge red.