@codyswann/lisa 2.165.8 → 2.166.1

package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, across Claude and Codex.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Ruby on Rails-specific skills and hooks for RuboCop and ast-grep scanning on edit.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "TypeScript-specific hooks for formatting, linting, and ast-grep scanning on edit.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "Distributable LLM Wiki kernel — ingest, query, lint, and maintain a git-native markdown knowledge base across Claude and Codex.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.165.8",
+  "version": "2.166.1",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/src/base/hooks/block-no-verify.agy.sh

@@ -25,7 +25,7 @@ allow() {
 }
 
 deny() {
-  printf '%s\n' '{"decision":"deny","reason":"This command bypasses Lisa pre-commit/pre-push quality gates (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (lint, tests, formatting) or ask the user before bypassing."}'
+  printf '%s\n' '{"decision":"deny","reason":"This command bypasses Lisa pre-commit/pre-push quality gates (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (security audit, lint, typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never bypass the hook."}'
   exit 0
 }
 

package/plugins/src/base/hooks/block-no-verify.sh

@@ -91,11 +91,10 @@ PY
 then
   cat >&2 <<'EOF'
 Blocked: this command bypasses pre-commit/pre-push hooks (--no-verify, HUSKY=0,
-or core.hooksPath disabling). Fix the underlying issue (lint error, failing
-test, formatting) or ask the user before bypassing.
-
-If the user has explicitly authorized the bypass for this specific command,
-re-run after they confirm.
+or core.hooksPath disabling). Fix the underlying issue (security audit, lint,
+typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the
+user to make the risk-acceptance decision and add a specific documented ignore;
+never bypass the hook.
 EOF
   exit 2
 fi

package/plugins/src/base/rules/eager/base-rules.md

@@ -25,6 +25,7 @@ Do not begin work if there are blockers, ambiguities, access requirements, or un
 ## Git Discipline
 
 - **Never use `--no-verify`** or bypass any git hook.
+- When a hook or quality gate fails, fix the root cause first. If no fix is genuinely possible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never use a blanket bypass.
 - **Never bypass branch protection** — no `--admin`, `--force`, no merging a PR with failing CI. "Green in CI" is the definition of done.
 - Never commit directly to environment branches (`dev`, `staging`, `main`).
 - Prefix `git push` with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.

package/plugins/src/base/rules/eager/security-audit-handling.md

@@ -1,6 +1,12 @@
 # Security Audit Handling (load-bearing)
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`** to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`**, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Core rule
 
@@ -17,7 +23,7 @@ Before adding any override, verify:
 
 1. Note GHSA ID, package, advisory URL.
 2. If a patched version exists: add a resolution AND override in `package.json` for the leaf package, regenerate the lockfile, commit, retry.
-3. If no patch but safe (transitive, no untrusted input, dev/build only): add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
+3. If no patch but safe (transitive, no untrusted input, dev/build only): ask the user to make the risk-acceptance decision, then add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
 
 ## Rails (bundler-audit)
 

package/plugins/src/base/rules/reference/base-rules.md

@@ -50,6 +50,7 @@ Git Discipline:
 - Prefix git push with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.
 - Never commit directly to an environment branch (dev, staging, main).
 - Never use --no-verify or attempt to bypass a git hook.
+- When a pre-commit, pre-push, CI, or other quality gate fails, fix the root cause first: upgrade the vulnerable dependency, fix the lint/type/test failure, remove the secret, or repair the failing check. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a narrow, documented ignore for the specific failing rule or advisory. Never use `--no-verify`, hook environment switches, blanket ignores, or threshold reductions as a substitute for fixing the gate.
 - Never bypass branch protection. Never use `--admin`, `--force`, or any other flag to merge a PR that has failing CI checks. If CI fails, fix it. If you cannot fix it, escalate to the human. There are zero exceptions. "Green in CI" is the definition of done — not "green locally." A PR is not complete until CI passes on the actual PR branch.
 - Never stash changes you cannot commit. Either fix whatever is preventing the commit or fail out and let the human know why.
 - Never add "BREAKING CHANGE" to a commit message unless there is actually a breaking change.

package/plugins/src/base/rules/reference/security-audit-handling.md

@@ -1,13 +1,19 @@
 # Security Audit Handling
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify` to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify`, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Node.js Projects (GHSA advisories)
 
 1. Note the GHSA ID(s), affected package(s), and advisory URL from the error output
 2. Check the advisory URL to determine if a patched version of the vulnerable package exists
 3. If a patched version exists: add a resolution/override in package.json to force the patched version (add to both `resolutions` and `overrides` sections), then run the package manager install command to regenerate the lockfile, commit the changes, and retry the push
-4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
+4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): ask the user to make the risk-acceptance decision, then add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
 
 ### Critical: Override the vulnerable package, not its parent
 

package/rails/copy-contents/scripts/lisa-mutation.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# This file is managed by Lisa.
+# -----------------------------------------------------------------------------
+# Mutation-testing gate (mutant) for Rails
+# -----------------------------------------------------------------------------
+# Opt-in, diff-only mutation-testing gate shared by the lefthook pre-push hook
+# and CI.
+#
+# Behavior:
+#   1. Reads `mutation.gate.yml`. If the gate is disabled (the default), it
+#      prints a notice and exits 0 — pushes and CI are never slowed down until a
+#      project explicitly opts in.
+#   2. When enabled, it runs mutant with `--since <ref>` so only code changed on
+#      this branch (vs the configured `since` ref) is mutated. Mutation testing
+#      is slow, so a full-suite run is never done by this gate.
+#   3. The subjects to mutate are defined in `.mutant.yml` (matcher.subjects);
+#      mutant exits non-zero when surviving mutants remain in the changed code,
+#      which fails the gate.
+#
+# NOTE: mutant is commercially licensed for closed-source projects (free for
+#       open source). Enabling this gate requires a valid license or switching
+#       the integration to a permissively licensed alternative.
+#
+# Configuration (`mutation.gate.yml`, project-owned / create-only):
+#   enabled: false
+#   since: main
+#
+# Overridable via env: MUTATION_ENABLED=true|false, MUTATION_SINCE=<ref>.
+# -----------------------------------------------------------------------------
+set -euo pipefail
+
+GATE_FILE="mutation.gate.yml"
+
+read_gate() {
+  local key="$1" default="$2"
+  if [ -f "$GATE_FILE" ] && command -v ruby >/dev/null 2>&1; then
+    ruby -ryaml -e "puts (YAML.load_file('${GATE_FILE}') || {}).fetch('${key}', '${default}')" 2>/dev/null || echo "$default"
+  else
+    echo "$default"
+  fi
+}
+
+ENABLED="${MUTATION_ENABLED:-$(read_gate enabled false)}"
+SINCE="${MUTATION_SINCE:-$(read_gate since main)}"
+
+if [ "$ENABLED" != "true" ]; then
+  echo "⚪ Mutation-testing gate disabled (mutation.gate.yml: enabled: false). Skipping."
+  echo "   Set enabled: true (and configure matcher.subjects in .mutant.yml) to turn it on."
+  exit 0
+fi
+
+# Only mutate when changed Ruby files exist under app/ or lib/.
+BASE=""
+for ref in "origin/${SINCE}" "${SINCE}"; do
+  if BASE="$(git merge-base "$ref" HEAD 2>/dev/null)"; then
+    [ -n "$BASE" ] && break
+  fi
+done
+
+if [ -z "$BASE" ]; then
+  echo "⚪ Mutation gate: could not resolve a merge-base against '${SINCE}'. Skipping."
+  exit 0
+fi
+
+CHANGED="$(git diff --name-only --diff-filter=ACMR "${BASE}...HEAD" -- 'app/**/*.rb' 'lib/**/*.rb' || true)"
+if [ -z "$CHANGED" ]; then
+  echo "⚪ Mutation gate: no changed Ruby files under app/ or lib/ vs ${SINCE}. Nothing to mutate."
+  exit 0
+fi
+
+echo "🧬 Mutation gate: running mutant (--since ${SINCE}) on changed subjects..."
+exec bundle exec mutant run --since "$SINCE"

package/rails/copy-overwrite/Gemfile.lisa

@@ -31,6 +31,11 @@ group :development, :test do
   gem "flog", "~> 4.8", require: false
   gem "flay", "~> 2.13", require: false
 
+  # Mutation testing (opt-in gate — see mutation.gate.yml / scripts/lisa-mutation.sh).
+  # NOTE: mutant is commercially licensed for closed-source projects (free for OSS).
+  # The gate is disabled by default, so the gem is never invoked until opted in.
+  gem "mutant-rspec", "~> 0.12", require: false
+
   # Security
   gem "brakeman", "~> 7.0", require: false
   gem "bundler-audit", "~> 0.9", require: false

package/rails/copy-overwrite/lefthook.yml

@@ -28,3 +28,7 @@ pre-push:
       run: bundle exec flog --all --group app/ lib/
     flay:
       run: bundle exec flay app/ lib/
+    mutation:
+      # Opt-in, diff-only mutation gate. Self-skips instantly when disabled
+      # (mutation.gate.yml: enabled: false), so it adds no cost until opted in.
+      run: bash scripts/lisa-mutation.sh

package/rails/create-only/.mutant.yml

@@ -0,0 +1,21 @@
+# Mutant configuration (project-owned).
+# Docs: https://github.com/mbj/mutant/blob/main/docs/configuration.md
+#
+# The gate runs `mutant run --since <ref>` (see scripts/lisa-mutation.sh), so
+# only code changed on the branch is mutated. Define the subject scope below —
+# replace the example matcher with your application's top-level namespace(s).
+---
+integration:
+  name: rspec
+# `usage` must reflect your license: opensource | commercial | restricted.
+usage: opensource
+requires:
+  - ./config/environment
+includes:
+  - app
+  - lib
+matcher:
+  # Replace with your app's namespace(s), e.g. ["MyApp*"]. Mutant will only
+  # mutate subjects matching these expressions that are also in the diff.
+  subjects:
+    - '*'

package/rails/create-only/mutation.gate.yml

@@ -0,0 +1,8 @@
+# Mutation-testing gate toggle (project-owned).
+# Flip `enabled` to true to turn on the diff-only mutant gate in the pre-push
+# hook and CI. The mutation subjects are configured in `.mutant.yml`.
+#
+# NOTE: mutant requires a commercial license for closed-source projects.
+---
+enabled: false
+since: main

package/typescript/copy-contents/.husky/pre-push

@@ -224,6 +224,20 @@ if [ $? -ne 0 ]; then
   exit 1
 fi
 
+# Run mutation-testing gate - only if script exists.
+# The test:mutation script self-skips instantly when the gate is disabled
+# (mutation.gate.json: "enabled": false), so this adds no cost to projects that
+# have not opted in. When enabled, it runs Stryker diff-only on changed files
+# and fails the push when the mutation score is below thresholds.break.
+if jq -e '.scripts["test:mutation"]' package.json >/dev/null 2>&1; then
+  echo "🧬 Running mutation-testing gate..."
+  $RUNNER test:mutation
+  if [ $? -ne 0 ]; then
+    echo "❌ Mutation-testing gate failed (mutation score below threshold). Strengthen tests before pushing."
+    exit 1
+  fi
+fi
+
 # Run Lighthouse CI performance audit (only if installed)
 # Disable Lighthouse beause it takes too long to run on push. Just let it run in ci/cd 
 # Check if lighthouse:check script exists in package.json

package/typescript/copy-contents/scripts/lisa-mutation.mjs

@@ -0,0 +1,152 @@
+#!/usr/bin/env node
+// This file is managed by Lisa.
+// -----------------------------------------------------------------------------
+// Mutation-testing gate (StrykerJS)
+// -----------------------------------------------------------------------------
+// Opt-in, diff-only mutation-testing gate shared by the pre-push hook and CI.
+//
+// Behavior:
+//   1. Reads `mutation.gate.json`. If the gate is disabled (the default), it
+//      prints a notice and exits 0 — pushes and CI are never slowed down until
+//      a project explicitly opts in.
+//   2. When enabled, it computes the source files changed on this branch
+//      (vs the merge-base with the configured `since` ref) and runs Stryker on
+//      ONLY those files. Mutation testing is slow, so a full-repo run is never
+//      done by this gate.
+//   3. The mutation-score threshold itself lives in `stryker.conf.*`
+//      (`thresholds.break`) — Stryker exits non-zero when the score is below it,
+//      which fails the gate.
+//
+// Configuration (`mutation.gate.json`, project-owned / create-only):
+//   { "enabled": false, "since": "main" }
+//
+// Overridable via env: MUTATION_ENABLED=true|false, MUTATION_SINCE=<ref>.
+// -----------------------------------------------------------------------------
+
+import fs from "node:fs";
+import path from "node:path";
+import { execFileSync, spawnSync } from "node:child_process";
+
+const CWD = process.cwd();
+
+const readGate = () => {
+  const gatePath = path.join(CWD, "mutation.gate.json");
+  if (!fs.existsSync(gatePath)) {
+    return { enabled: false, since: "main" };
+  }
+  try {
+    return JSON.parse(fs.readFileSync(gatePath, "utf8"));
+  } catch (err) {
+    console.error(`⚠️  Could not parse mutation.gate.json: ${err.message}`);
+    return { enabled: false, since: "main" };
+  }
+};
+
+const envFlag = name => {
+  const v = process.env[name];
+  if (v === undefined) return undefined;
+  return v === "true" || v === "1";
+};
+
+const gate = readGate();
+const enabled = envFlag("MUTATION_ENABLED") ?? gate.enabled === true;
+const since = process.env.MUTATION_SINCE || gate.since || "main";
+
+if (!enabled) {
+  console.log(
+    '⚪ Mutation-testing gate disabled (mutation.gate.json: "enabled": false). Skipping.\n' +
+      '   Flip "enabled": true (and tune thresholds.break in stryker.conf.json) to turn it on.'
+  );
+  process.exit(0);
+}
+
+// --- Resolve the diff base (merge-base with the `since` ref) -----------------
+// stderr is ignored: failed merge-base/diff probes are expected (e.g. a missing
+// origin/<ref> candidate) and handled by the surrounding try/catch.
+const git = args =>
+  execFileSync("git", args, {
+    cwd: CWD,
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "ignore"],
+  }).trim();
+
+let base;
+try {
+  // Prefer the remote ref when present (CI checks out detached); fall back to local.
+  const candidates = [`origin/${since}`, since];
+  let resolved = "";
+  for (const ref of candidates) {
+    try {
+      resolved = git(["merge-base", ref, "HEAD"]);
+      if (resolved) break;
+    } catch {
+      /* try next candidate */
+    }
+  }
+  base = resolved;
+} catch {
+  base = "";
+}
+
+if (!base) {
+  console.log(
+    `⚪ Mutation gate: could not resolve a merge-base against "${since}" ` +
+      "(shallow clone or unknown ref). Skipping rather than mutating the whole repo."
+  );
+  process.exit(0);
+}
+
+// --- Compute changed, mutate-eligible source files ---------------------------
+const isMutable = f =>
+  /\.(ts|tsx)$/.test(f) &&
+  !/\.(spec|test)\.(ts|tsx)$/.test(f) &&
+  !/\.d\.ts$/.test(f) &&
+  !/\.stories\.tsx$/.test(f) &&
+  (f.startsWith("src/") || f.startsWith("lib/"));
+
+let changed = [];
+try {
+  changed = git(["diff", "--name-only", "--diff-filter=ACMR", `${base}...HEAD`])
+    .split("\n")
+    .map(f => f.trim())
+    .filter(Boolean)
+    .filter(isMutable)
+    .filter(f => fs.existsSync(path.join(CWD, f)));
+} catch (err) {
+  console.error(`⚠️  Could not compute changed files: ${err.message}`);
+  process.exit(0);
+}
+
+if (changed.length === 0) {
+  console.log(
+    "⚪ Mutation gate: no changed source files vs " +
+      since +
+      ". Nothing to mutate."
+  );
+  process.exit(0);
+}
+
+console.log(
+  `🧬 Mutation gate: running Stryker on ${changed.length} changed file(s):`
+);
+for (const f of changed) console.log(`   • ${f}`);
+
+// --- Run Stryker on just the changed files (diff-only) -----------------------
+const strykerBin = path.join(
+  CWD,
+  "node_modules",
+  ".bin",
+  process.platform === "win32" ? "stryker.cmd" : "stryker"
+);
+const useLocal = fs.existsSync(strykerBin);
+const command = useLocal ? strykerBin : "npx";
+const args = useLocal
+  ? ["run", "--mutate", changed.join(",")]
+  : ["--yes", "stryker", "run", "--mutate", changed.join(",")];
+
+const result = spawnSync(command, args, {
+  cwd: CWD,
+  stdio: "inherit",
+  shell: process.platform === "win32",
+});
+process.exit(result.status ?? 1);

package/typescript/create-only/mutation.gate.json

@@ -0,0 +1,4 @@
+{
+  "enabled": false,
+  "since": "main"
+}