@codyswann/lisa 2.166.0 → 2.166.2

package/dist/codex/scripts/block-no-verify.sh

@@ -81,7 +81,7 @@ then
     "hookSpecificOutput": {
       "hookEventName": "PreToolUse",
       "permissionDecision": "deny",
-      "permissionDecisionReason": "Blocked: this command bypasses pre-commit/pre-push hooks (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue or ask the user before bypassing."
+      "permissionDecisionReason": "Blocked: this command bypasses pre-commit/pre-push hooks (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (security audit, lint, typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never bypass the hook."
     }
   }'
 fi

package/dist/configs/vitest/base.d.ts

@@ -53,10 +53,28 @@ export declare const defaultThresholds: PortableThresholds;
 export declare const defaultCoverageExclusions: readonly string[];
 /**
  * Default patterns to exclude from test discovery across all stacks.
- * Lisa manages `.claude/worktrees/` as scratch worktrees for subagents;
- * test files inside them should never be collected by the repo-level vitest run.
+ *
+ * The `.claude/worktrees/` exclusion is intentionally NOT baked in here —
+ * it is cwd-conditional and supplied by {@link worktreeExclusions} so that
+ * a vitest run launched from INSIDE a worktree can still discover its own
+ * tests. Stack factories spread `worktreeExclusions()` alongside this list.
  */
 export declare const defaultTestExclusions: readonly string[];
+/**
+ * Returns the worktree exclusion glob a stack config should add to skip
+ * test files / coverage that live inside `.claude/worktrees/`.
+ *
+ * Lisa manages `.claude/worktrees/` as scratch worktrees for subagents.
+ * When vitest runs from the primary checkout, tests inside those worktrees
+ * should be skipped — each worktree has its own vitest run. When vitest runs
+ * from INSIDE a worktree (the project root *is* the worktree), the same glob
+ * matches every path under root and vitest finds zero tests. This returns the
+ * glob only when the current working directory is outside a worktree, so each
+ * stack factory can spread it into its `exclude` arrays without hand-rolling
+ * the conditional. Mirrors jest's `worktreeTestPathIgnorePatterns()`.
+ * @returns Single-entry array with the worktree exclude glob, or an empty array when already inside a worktree.
+ */
+export declare function worktreeExclusions(): readonly string[];
 /**
  * Maps portable threshold format (with `global` wrapper) to Vitest's
  * flat threshold format. Projects store thresholds in the portable

package/dist/configs/vitest/base.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../../src/configs/vitest/base.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,8DAA8D;AAC9D,KAAK,UAAU,GAAG,cAAc,CAAC;AAEjC;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE;QAChB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;CAClC;AAED;;;GAGG;AACH,eAAO,MAAM,iBAAiB,EAAE,kBAO/B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,EAAE,SAAS,MAAM,EActD,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,EAAE,SAAS,MAAM,EAIlD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,GACxB,YAAY,kBAAkB,KAC7B,gBAaD,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe,GAC1B,UAAU,kBAAkB,EAC5B,WAAW,kBAAkB,KAC5B,kBAOD,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAAI,GAAG,SAAS,UAAU,EAAE,KAAG,UA4C7D,CAAC"}
+{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../../src/configs/vitest/base.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,8DAA8D;AAC9D,KAAK,UAAU,GAAG,cAAc,CAAC;AAEjC;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,MAAM,CAAC,EAAE;QAChB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAC3B,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;QAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;CAClC;AAED;;;GAGG;AACH,eAAO,MAAM,iBAAiB,EAAE,kBAO/B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,EAAE,SAAS,MAAM,EAatD,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,qBAAqB,EAAE,SAAS,MAAM,EAGlD,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,IAAI,SAAS,MAAM,EAAE,CAMtD;AAED;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,GACxB,YAAY,kBAAkB,KAC7B,gBAaD,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe,GAC1B,UAAU,kBAAkB,EAC5B,WAAW,kBAAkB,KAC5B,kBAOD,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAAI,GAAG,SAAS,UAAU,EAAE,KAAG,UA4C7D,CAAC"}

package/dist/configs/vitest/base.js

@@ -22,7 +22,6 @@ export const defaultCoverageExclusions = [
     "**/index.ts",
     "**/node_modules/**",
     "**/dist/**",
-    "**/.claude/worktrees/**",
     "**/*.test.ts",
     "**/*.spec.ts",
     "**/*.mock.ts",
@@ -34,14 +33,34 @@ export const defaultCoverageExclusions = [
 ];
 /**
  * Default patterns to exclude from test discovery across all stacks.
- * Lisa manages `.claude/worktrees/` as scratch worktrees for subagents;
- * test files inside them should never be collected by the repo-level vitest run.
+ *
+ * The `.claude/worktrees/` exclusion is intentionally NOT baked in here —
+ * it is cwd-conditional and supplied by {@link worktreeExclusions} so that
+ * a vitest run launched from INSIDE a worktree can still discover its own
+ * tests. Stack factories spread `worktreeExclusions()` alongside this list.
  */
 export const defaultTestExclusions = [
     "**/node_modules/**",
     "**/dist/**",
-    "**/.claude/worktrees/**",
 ];
+/**
+ * Returns the worktree exclusion glob a stack config should add to skip
+ * test files / coverage that live inside `.claude/worktrees/`.
+ *
+ * Lisa manages `.claude/worktrees/` as scratch worktrees for subagents.
+ * When vitest runs from the primary checkout, tests inside those worktrees
+ * should be skipped — each worktree has its own vitest run. When vitest runs
+ * from INSIDE a worktree (the project root *is* the worktree), the same glob
+ * matches every path under root and vitest finds zero tests. This returns the
+ * glob only when the current working directory is outside a worktree, so each
+ * stack factory can spread it into its `exclude` arrays without hand-rolling
+ * the conditional. Mirrors jest's `worktreeTestPathIgnorePatterns()`.
+ * @returns Single-entry array with the worktree exclude glob, or an empty array when already inside a worktree.
+ */
+export function worktreeExclusions() {
+    const isInsideWorktree = /[/\\]\.claude[/\\]worktrees(?:[/\\]|$)/.test(process.cwd());
+    return isInsideWorktree ? [] : ["**/.claude/worktrees/**"];
+}
 /**
  * Maps portable threshold format (with `global` wrapper) to Vitest's
  * flat threshold format. Projects store thresholds in the portable

package/dist/configs/vitest/base.js.map

@@ -1 +1 @@
-{"version":3,"file":"base.js","sourceRoot":"","sources":["../../../src/configs/vitest/base.ts"],"names":[],"mappings":"AA4CA;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAuB;IACnD,MAAM,EAAE;QACN,UAAU,EAAE,EAAE;QACd,QAAQ,EAAE,EAAE;QACZ,SAAS,EAAE,EAAE;QACb,KAAK,EAAE,EAAE;KACV;CACF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAsB;IAC1D,WAAW;IACX,aAAa;IACb,oBAAoB;IACpB,YAAY;IACZ,yBAAyB;IACzB,cAAc;IACd,cAAc;IACd,cAAc;IACd,YAAY;IACZ,aAAa;IACb,iBAAiB;IACjB,iBAAiB;IACjB,qBAAqB;CACtB,CAAC;AAEF;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAsB;IACtD,oBAAoB;IACpB,YAAY;IACZ,yBAAyB;CAC1B,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAC3B,UAA8B,EACZ,EAAE,CAAC,CAAC;IACtB,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,UAAU,KAAK,SAAS;QAC7C,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE;QAC9C,CAAC,CAAC,EAAE,CAAC;IACP,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,KAAK,SAAS;QAC3C,CAAC,CAAC,EAAE,QAAQ,EAAE,UAAU,CAAC,MAAM,CAAC,QAAQ,EAAE;QAC1C,CAAC,CAAC,EAAE,CAAC;IACP,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,KAAK,SAAS;QAC5C,CAAC,CAAC,EAAE,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC,SAAS,EAAE;QAC5C,CAAC,CAAC,EAAE,CAAC;IACP,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,KAAK,KAAK,SAAS;QACxC,CAAC,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE;QACpC,CAAC,CAAC,EAAE,CAAC;CACR,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAC7B,QAA4B,EAC5B,SAA6B,EACT,EAAE,CAAC,CAAC;IACxB,GAAG,QAAQ;IACX,GAAG,SAAS;IACZ,MAAM,EAAE;QACN,GAAI,QAAQ,CAAC,MAAiC;QAC9C,GAAI,SAAS,CAAC,MAAiC;KAChD;CACF,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,GAAG,OAAqB,EAAc,EAAE;IACzE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,YAAY,GAAG,CACnB,CAA0B,EAC1B,CAA0B,EACD,EAAE,CAC3B,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CACnB,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACX,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACxB,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;QAEpB,MAAM,MAAM,GACV,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YAC1C,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;YACpC,CAAC,CAAC,OAAO,MAAM,KAAK,QAAQ;gBACxB,MAAM,KAAK,IAAI;gBACf,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;gBACtB,OAAO,IAAI,KAAK,QAAQ;gBACxB,IAAI,KAAK,IAAI;gBACb,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBACtB,CAAC,CAAC;oBACE,GAAI,MAAkC;oBACtC,GAAI,IAAgC;iBACrC;gBACH,CAAC,CAAC,IAAI,CAAC;QAEb,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,CAAC,EACD,EAAE,GAAG,CAAC,EAAE,CACT,CAAC;IAEJ,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE;QACpC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC;QAC5D,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC;QAElE,OAAO;YACL,GAAG,GAAG;YACN,GAAG,MAAM;YACT,IAAI,EAAE,YAAY,CAAC,OAAO,EAAE,UAAU,CAAC;SACxC,CAAC;IACJ,CAAC,EAAE,EAAgB,CAAC,CAAC;AACvB,CAAC,CAAC"}
+{"version":3,"file":"base.js","sourceRoot":"","sources":["../../../src/configs/vitest/base.ts"],"names":[],"mappings":"AA4CA;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAuB;IACnD,MAAM,EAAE;QACN,UAAU,EAAE,EAAE;QACd,QAAQ,EAAE,EAAE;QACZ,SAAS,EAAE,EAAE;QACb,KAAK,EAAE,EAAE;KACV;CACF,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAsB;IAC1D,WAAW;IACX,aAAa;IACb,oBAAoB;IACpB,YAAY;IACZ,cAAc;IACd,cAAc;IACd,cAAc;IACd,YAAY;IACZ,aAAa;IACb,iBAAiB;IACjB,iBAAiB;IACjB,qBAAqB;CACtB,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAsB;IACtD,oBAAoB;IACpB,YAAY;CACb,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,gBAAgB,GAAG,wCAAwC,CAAC,IAAI,CACpE,OAAO,CAAC,GAAG,EAAE,CACd,CAAC;IAEF,OAAO,gBAAgB,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC;AAC7D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAC3B,UAA8B,EACZ,EAAE,CAAC,CAAC;IACtB,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,UAAU,KAAK,SAAS;QAC7C,CAAC,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE;QAC9C,CAAC,CAAC,EAAE,CAAC;IACP,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,KAAK,SAAS;QAC3C,CAAC,CAAC,EAAE,QAAQ,EAAE,UAAU,CAAC,MAAM,CAAC,QAAQ,EAAE;QAC1C,CAAC,CAAC,EAAE,CAAC;IACP,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,KAAK,SAAS;QAC5C,CAAC,CAAC,EAAE,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC,SAAS,EAAE;QAC5C,CAAC,CAAC,EAAE,CAAC;IACP,GAAG,CAAC,UAAU,CAAC,MAAM,EAAE,KAAK,KAAK,SAAS;QACxC,CAAC,CAAC,EAAE,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE;QACpC,CAAC,CAAC,EAAE,CAAC;CACR,CAAC,CAAC;AAEH;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAC7B,QAA4B,EAC5B,SAA6B,EACT,EAAE,CAAC,CAAC;IACxB,GAAG,QAAQ;IACX,GAAG,SAAS;IACZ,MAAM,EAAE;QACN,GAAI,QAAQ,CAAC,MAAiC;QAC9C,GAAI,SAAS,CAAC,MAAiC;KAChD;CACF,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,GAAG,OAAqB,EAAc,EAAE;IACzE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,YAAY,GAAG,CACnB,CAA0B,EAC1B,CAA0B,EACD,EAAE,CAC3B,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CACnB,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACX,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACxB,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;QAEpB,MAAM,MAAM,GACV,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;YAC1C,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;YACpC,CAAC,CAAC,OAAO,MAAM,KAAK,QAAQ;gBACxB,MAAM,KAAK,IAAI;gBACf,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;gBACtB,OAAO,IAAI,KAAK,QAAQ;gBACxB,IAAI,KAAK,IAAI;gBACb,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBACtB,CAAC,CAAC;oBACE,GAAI,MAAkC;oBACtC,GAAI,IAAgC;iBACrC;gBACH,CAAC,CAAC,IAAI,CAAC;QAEb,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,CAAC,EACD,EAAE,GAAG,CAAC,EAAE,CACT,CAAC;IAEJ,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE;QACpC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC;QAC5D,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,IAAI,IAAI,EAAE,CAA4B,CAAC;QAElE,OAAO;YACL,GAAG,GAAG;YACN,GAAG,MAAM;YACT,IAAI,EAAE,YAAY,CAAC,OAAO,EAAE,UAAU,CAAC;SACxC,CAAC;IACJ,CAAC,EAAE,EAAgB,CAAC,CAAC;AACvB,CAAC,CAAC"}

package/dist/configs/vitest/nestjs.d.ts

@@ -13,9 +13,9 @@
 import type { ViteUserConfig } from "vitest/config";
 /** Vite UserConfig augmented with Vitest's `test` property */
 type UserConfig = ViteUserConfig;
-import { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs } from "./base.js";
+import { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, worktreeExclusions } from "./base.js";
 import type { PortableThresholds } from "./base.js";
-export { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, };
+export { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, worktreeExclusions, };
 export type { PortableThresholds };
 /**
  * Options for configuring the NestJS Vitest config factory.

package/dist/configs/vitest/nestjs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"nestjs.d.ts","sourceRoot":"","sources":["../../../src/configs/vitest/nestjs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,8DAA8D;AAC9D,KAAK,UAAU,GAAG,cAAc,CAAC;AAEjC,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EACnB,MAAM,WAAW,CAAC;AAEnB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAGpD,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,GACnB,CAAC;AAEF,YAAY,EAAE,kBAAkB,EAAE,CAAC;AAEnC;;GAEG;AACH,UAAU,mBAAmB;IAC3B,mFAAmF;IACnF,QAAQ,CAAC,UAAU,CAAC,EAAE,kBAAkB,CAAC;CAC1C;AAwBD;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GAAI,kBAEnC,mBAAwB,KAAG,UAkB5B,CAAC"}
+{"version":3,"file":"nestjs.d.ts","sourceRoot":"","sources":["../../../src/configs/vitest/nestjs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,8DAA8D;AAC9D,KAAK,UAAU,GAAG,cAAc,CAAC;AAEjC,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,EACnB,MAAM,WAAW,CAAC;AAEnB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAGpD,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,GACnB,CAAC;AAEF,YAAY,EAAE,kBAAkB,EAAE,CAAC;AAEnC;;GAEG;AACH,UAAU,mBAAmB;IAC3B,mFAAmF;IACnF,QAAQ,CAAC,UAAU,CAAC,EAAE,kBAAkB,CAAC;CAC1C;AAwBD;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GAAI,kBAEnC,mBAAwB,KAAG,UAkB5B,CAAC"}

package/dist/configs/vitest/nestjs.js

@@ -1,6 +1,6 @@
-import { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, } from "./base.js";
+import { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, worktreeExclusions, } from "./base.js";
 // Re-export base utilities for entry-point configs
-export { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, };
+export { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, worktreeExclusions, };
 /**
  * NestJS-specific patterns excluded from coverage collection.
  * These are generated or boilerplate files that don't benefit from coverage tracking.
@@ -41,12 +41,12 @@ export const getNestjsVitestConfig = ({ thresholds = defaultThresholds, } = {})
         // on "No test files found" otherwise. See typescript.ts for rationale.
         passWithNoTests: true,
         include: ["**/*.spec.ts"],
-        exclude: [...defaultTestExclusions],
+        exclude: [...defaultTestExclusions, ...worktreeExclusions()],
         testTimeout: 10000,
         coverage: {
             provider: "v8",
             include: ["**/*.ts"],
-            exclude: [...nestjsCoverageExclusions],
+            exclude: [...nestjsCoverageExclusions, ...worktreeExclusions()],
             thresholds: mapThresholds(thresholds),
         },
     },

package/dist/configs/vitest/nestjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"nestjs.js","sourceRoot":"","sources":["../../../src/configs/vitest/nestjs.ts"],"names":[],"mappings":"AAiBA,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,GACnB,MAAM,WAAW,CAAC;AAInB,mDAAmD;AACnD,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,GACnB,CAAC;AAYF;;;GAGG;AACH,MAAM,wBAAwB,GAAsB;IAClD,GAAG,yBAAyB;IAC5B,gBAAgB;IAChB,aAAa;IACb,eAAe;IACf,cAAc;IACd,eAAe;IACf,gBAAgB;IAChB,iBAAiB;IACjB,cAAc;IACd,mBAAmB;IACnB,mBAAmB;IACnB,2BAA2B;IAC3B,sBAAsB;IACtB,eAAe;IACf,YAAY;CACb,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,EACpC,UAAU,GAAG,iBAAiB,MACP,EAAE,EAAc,EAAE,CAAC,CAAC;IAC3C,IAAI,EAAE;QACJ,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,MAAM;QACnB,IAAI,EAAE,KAAK;QACX,8EAA8E;QAC9E,uEAAuE;QACvE,eAAe,EAAE,IAAI;QACrB,OAAO,EAAE,CAAC,cAAc,CAAC;QACzB,OAAO,EAAE,CAAC,GAAG,qBAAqB,CAAC;QACnC,WAAW,EAAE,KAAK;QAClB,QAAQ,EAAE;YACR,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,CAAC,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,GAAG,wBAAwB,CAAC;YACtC,UAAU,EAAE,aAAa,CAAC,UAAU,CAAC;SACtC;KACF;CACF,CAAC,CAAC"}
+{"version":3,"file":"nestjs.js","sourceRoot":"","sources":["../../../src/configs/vitest/nestjs.ts"],"names":[],"mappings":"AAiBA,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AAInB,mDAAmD;AACnD,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,GACnB,CAAC;AAYF;;;GAGG;AACH,MAAM,wBAAwB,GAAsB;IAClD,GAAG,yBAAyB;IAC5B,gBAAgB;IAChB,aAAa;IACb,eAAe;IACf,cAAc;IACd,eAAe;IACf,gBAAgB;IAChB,iBAAiB;IACjB,cAAc;IACd,mBAAmB;IACnB,mBAAmB;IACnB,2BAA2B;IAC3B,sBAAsB;IACtB,eAAe;IACf,YAAY;CACb,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,EACpC,UAAU,GAAG,iBAAiB,MACP,EAAE,EAAc,EAAE,CAAC,CAAC;IAC3C,IAAI,EAAE;QACJ,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,MAAM;QACnB,IAAI,EAAE,KAAK;QACX,8EAA8E;QAC9E,uEAAuE;QACvE,eAAe,EAAE,IAAI;QACrB,OAAO,EAAE,CAAC,cAAc,CAAC;QACzB,OAAO,EAAE,CAAC,GAAG,qBAAqB,EAAE,GAAG,kBAAkB,EAAE,CAAC;QAC5D,WAAW,EAAE,KAAK;QAClB,QAAQ,EAAE;YACR,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,CAAC,SAAS,CAAC;YACpB,OAAO,EAAE,CAAC,GAAG,wBAAwB,EAAE,GAAG,kBAAkB,EAAE,CAAC;YAC/D,UAAU,EAAE,aAAa,CAAC,UAAU,CAAC;SACtC;KACF;CACF,CAAC,CAAC"}

package/dist/configs/vitest/typescript.d.ts

@@ -9,9 +9,9 @@
 import type { ViteUserConfig } from "vitest/config";
 /** Vite UserConfig augmented with Vitest's `test` property */
 type UserConfig = ViteUserConfig;
-import { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs } from "./base.js";
+import { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, worktreeExclusions } from "./base.js";
 import type { PortableThresholds } from "./base.js";
-export { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, };
+export { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, worktreeExclusions, };
 export type { PortableThresholds };
 /**
  * Options for configuring the TypeScript Vitest config factory.

package/dist/configs/vitest/typescript.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"typescript.d.ts","sourceRoot":"","sources":["../../../src/configs/vitest/typescript.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,8DAA8D;AAC9D,KAAK,UAAU,GAAG,cAAc,CAAC;AAEjC,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EACnB,MAAM,WAAW,CAAC;AAEnB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAGpD,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,GACnB,CAAC;AAEF,YAAY,EAAE,kBAAkB,EAAE,CAAC;AAEnC;;GAEG;AACH,UAAU,uBAAuB;IAC/B,mFAAmF;IACnF,QAAQ,CAAC,UAAU,CAAC,EAAE,kBAAkB,CAAC;CAC1C;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GAAI,kBAEvC,uBAA4B,KAAG,UAmBhC,CAAC"}
+{"version":3,"file":"typescript.d.ts","sourceRoot":"","sources":["../../../src/configs/vitest/typescript.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD,8DAA8D;AAC9D,KAAK,UAAU,GAAG,cAAc,CAAC;AAEjC,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,EACnB,MAAM,WAAW,CAAC;AAEnB,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AAGpD,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,GACnB,CAAC;AAEF,YAAY,EAAE,kBAAkB,EAAE,CAAC;AAEnC;;GAEG;AACH,UAAU,uBAAuB;IAC/B,mFAAmF;IACnF,QAAQ,CAAC,UAAU,CAAC,EAAE,kBAAkB,CAAC;CAC1C;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GAAI,kBAEvC,uBAA4B,KAAG,UAmBhC,CAAC"}

package/dist/configs/vitest/typescript.js

@@ -1,6 +1,6 @@
-import { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, } from "./base.js";
+import { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, worktreeExclusions, } from "./base.js";
 // Re-export base utilities for stack-specific configs to use
-export { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, };
+export { defaultCoverageExclusions, defaultTestExclusions, defaultThresholds, mapThresholds, mergeThresholds, mergeVitestConfigs, worktreeExclusions, };
 /**
  * Creates a Vitest configuration for TypeScript/Node projects.
  *
@@ -21,12 +21,12 @@ export const getTypescriptVitestConfig = ({ thresholds = defaultThresholds, } =
         // the test-world analog of allowing `files: []` in tsconfig for zero sources.
         passWithNoTests: true,
         include: ["tests/**/*.test.ts", "src/**/*.test.ts"],
-        exclude: [...defaultTestExclusions],
+        exclude: [...defaultTestExclusions, ...worktreeExclusions()],
         testTimeout: 10000,
         coverage: {
             provider: "v8",
             include: ["src/**/*.ts"],
-            exclude: [...defaultCoverageExclusions],
+            exclude: [...defaultCoverageExclusions, ...worktreeExclusions()],
             thresholds: mapThresholds(thresholds),
         },
     },

package/dist/configs/vitest/typescript.js.map

@@ -1 +1 @@
-{"version":3,"file":"typescript.js","sourceRoot":"","sources":["../../../src/configs/vitest/typescript.ts"],"names":[],"mappings":"AAaA,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,GACnB,MAAM,WAAW,CAAC;AAInB,6DAA6D;AAC7D,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,GACnB,CAAC;AAYF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,EACxC,UAAU,GAAG,iBAAiB,MACH,EAAE,EAAc,EAAE,CAAC,CAAC;IAC/C,IAAI,EAAE;QACJ,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,MAAM;QACnB,4EAA4E;QAC5E,uEAAuE;QACvE,2EAA2E;QAC3E,8EAA8E;QAC9E,eAAe,EAAE,IAAI;QACrB,OAAO,EAAE,CAAC,oBAAoB,EAAE,kBAAkB,CAAC;QACnD,OAAO,EAAE,CAAC,GAAG,qBAAqB,CAAC;QACnC,WAAW,EAAE,KAAK;QAClB,QAAQ,EAAE;YACR,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,CAAC,aAAa,CAAC;YACxB,OAAO,EAAE,CAAC,GAAG,yBAAyB,CAAC;YACvC,UAAU,EAAE,aAAa,CAAC,UAAU,CAAC;SACtC;KACF;CACF,CAAC,CAAC"}
+{"version":3,"file":"typescript.js","sourceRoot":"","sources":["../../../src/configs/vitest/typescript.ts"],"names":[],"mappings":"AAaA,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,WAAW,CAAC;AAInB,6DAA6D;AAC7D,OAAO,EACL,yBAAyB,EACzB,qBAAqB,EACrB,iBAAiB,EACjB,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,kBAAkB,GACnB,CAAC;AAYF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,EACxC,UAAU,GAAG,iBAAiB,MACH,EAAE,EAAc,EAAE,CAAC,CAAC;IAC/C,IAAI,EAAE;QACJ,OAAO,EAAE,IAAI;QACb,WAAW,EAAE,MAAM;QACnB,4EAA4E;QAC5E,uEAAuE;QACvE,2EAA2E;QAC3E,8EAA8E;QAC9E,eAAe,EAAE,IAAI;QACrB,OAAO,EAAE,CAAC,oBAAoB,EAAE,kBAAkB,CAAC;QACnD,OAAO,EAAE,CAAC,GAAG,qBAAqB,EAAE,GAAG,kBAAkB,EAAE,CAAC;QAC5D,WAAW,EAAE,KAAK;QAClB,QAAQ,EAAE;YACR,QAAQ,EAAE,IAAI;YACd,OAAO,EAAE,CAAC,aAAa,CAAC;YACxB,OAAO,EAAE,CAAC,GAAG,yBAAyB,EAAE,GAAG,kBAAkB,EAAE,CAAC;YAChE,UAAU,EAAE,aAAa,CAAC,UAAU,CAAC;SACtC;KACF;CACF,CAAC,CAAC"}

package/package.json

@@ -85,7 +85,7 @@
     "lodash": ">=4.18.1"
   },
   "name": "@codyswann/lisa",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "exports": {

package/plugins/lisa/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Universal governance: agents, skills, commands, hooks, and rules for all projects.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/hooks/block-no-verify.agy.sh

@@ -25,7 +25,7 @@ allow() {
 }
 
 deny() {
-  printf '%s\n' '{"decision":"deny","reason":"This command bypasses Lisa pre-commit/pre-push quality gates (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (lint, tests, formatting) or ask the user before bypassing."}'
+  printf '%s\n' '{"decision":"deny","reason":"This command bypasses Lisa pre-commit/pre-push quality gates (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (security audit, lint, typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never bypass the hook."}'
   exit 0
 }
 

package/plugins/lisa/hooks/block-no-verify.sh

@@ -91,11 +91,10 @@ PY
 then
   cat >&2 <<'EOF'
 Blocked: this command bypasses pre-commit/pre-push hooks (--no-verify, HUSKY=0,
-or core.hooksPath disabling). Fix the underlying issue (lint error, failing
-test, formatting) or ask the user before bypassing.
-
-If the user has explicitly authorized the bypass for this specific command,
-re-run after they confirm.
+or core.hooksPath disabling). Fix the underlying issue (security audit, lint,
+typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the
+user to make the risk-acceptance decision and add a specific documented ignore;
+never bypass the hook.
 EOF
   exit 2
 fi

package/plugins/lisa/rules/eager/base-rules.md

@@ -25,6 +25,7 @@ Do not begin work if there are blockers, ambiguities, access requirements, or un
 ## Git Discipline
 
 - **Never use `--no-verify`** or bypass any git hook.
+- When a hook or quality gate fails, fix the root cause first. If no fix is genuinely possible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never use a blanket bypass.
 - **Never bypass branch protection** — no `--admin`, `--force`, no merging a PR with failing CI. "Green in CI" is the definition of done.
 - Never commit directly to environment branches (`dev`, `staging`, `main`).
 - Prefix `git push` with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.

package/plugins/lisa/rules/eager/security-audit-handling.md

@@ -1,6 +1,12 @@
 # Security Audit Handling (load-bearing)
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`** to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`**, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Core rule
 
@@ -17,7 +23,7 @@ Before adding any override, verify:
 
 1. Note GHSA ID, package, advisory URL.
 2. If a patched version exists: add a resolution AND override in `package.json` for the leaf package, regenerate the lockfile, commit, retry.
-3. If no patch but safe (transitive, no untrusted input, dev/build only): add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
+3. If no patch but safe (transitive, no untrusted input, dev/build only): ask the user to make the risk-acceptance decision, then add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
 
 ## Rails (bundler-audit)
 

package/plugins/lisa/rules/reference/base-rules.md

@@ -50,6 +50,7 @@ Git Discipline:
 - Prefix git push with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.
 - Never commit directly to an environment branch (dev, staging, main).
 - Never use --no-verify or attempt to bypass a git hook.
+- When a pre-commit, pre-push, CI, or other quality gate fails, fix the root cause first: upgrade the vulnerable dependency, fix the lint/type/test failure, remove the secret, or repair the failing check. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a narrow, documented ignore for the specific failing rule or advisory. Never use `--no-verify`, hook environment switches, blanket ignores, or threshold reductions as a substitute for fixing the gate.
 - Never bypass branch protection. Never use `--admin`, `--force`, or any other flag to merge a PR that has failing CI checks. If CI fails, fix it. If you cannot fix it, escalate to the human. There are zero exceptions. "Green in CI" is the definition of done — not "green locally." A PR is not complete until CI passes on the actual PR branch.
 - Never stash changes you cannot commit. Either fix whatever is preventing the commit or fail out and let the human know why.
 - Never add "BREAKING CHANGE" to a commit message unless there is actually a breaking change.

package/plugins/lisa/rules/reference/security-audit-handling.md

@@ -1,13 +1,19 @@
 # Security Audit Handling
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify` to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify`, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Node.js Projects (GHSA advisories)
 
 1. Note the GHSA ID(s), affected package(s), and advisory URL from the error output
 2. Check the advisory URL to determine if a patched version of the vulnerable package exists
 3. If a patched version exists: add a resolution/override in package.json to force the patched version (add to both `resolutions` and `overrides` sections), then run the package manager install command to regenerate the lockfile, commit the changes, and retry the push
-4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
+4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): ask the user to make the risk-acceptance decision, then add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
 
 ### Critical: Override the vulnerable package, not its parent
 

package/plugins/lisa-agy/hooks/block-no-verify.agy.sh

@@ -25,7 +25,7 @@ allow() {
 }
 
 deny() {
-  printf '%s\n' '{"decision":"deny","reason":"This command bypasses Lisa pre-commit/pre-push quality gates (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (lint, tests, formatting) or ask the user before bypassing."}'
+  printf '%s\n' '{"decision":"deny","reason":"This command bypasses Lisa pre-commit/pre-push quality gates (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (security audit, lint, typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never bypass the hook."}'
   exit 0
 }
 

package/plugins/lisa-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "AWS CDK-specific Lisa plugin.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cdk-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-copilot/hooks/block-no-verify.sh

@@ -91,11 +91,10 @@ PY
 then
   cat >&2 <<'EOF'
 Blocked: this command bypasses pre-commit/pre-push hooks (--no-verify, HUSKY=0,
-or core.hooksPath disabling). Fix the underlying issue (lint error, failing
-test, formatting) or ask the user before bypassing.
-
-If the user has explicitly authorized the bypass for this specific command,
-re-run after they confirm.
+or core.hooksPath disabling). Fix the underlying issue (security audit, lint,
+typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the
+user to make the risk-acceptance decision and add a specific documented ignore;
+never bypass the hook.
 EOF
   exit 2
 fi

package/plugins/lisa-copilot/rules/eager/base-rules.md

@@ -25,6 +25,7 @@ Do not begin work if there are blockers, ambiguities, access requirements, or un
 ## Git Discipline
 
 - **Never use `--no-verify`** or bypass any git hook.
+- When a hook or quality gate fails, fix the root cause first. If no fix is genuinely possible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never use a blanket bypass.
 - **Never bypass branch protection** — no `--admin`, `--force`, no merging a PR with failing CI. "Green in CI" is the definition of done.
 - Never commit directly to environment branches (`dev`, `staging`, `main`).
 - Prefix `git push` with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.

package/plugins/lisa-copilot/rules/eager/security-audit-handling.md

@@ -1,6 +1,12 @@
 # Security Audit Handling (load-bearing)
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`** to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`**, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Core rule
 
@@ -17,7 +23,7 @@ Before adding any override, verify:
 
 1. Note GHSA ID, package, advisory URL.
 2. If a patched version exists: add a resolution AND override in `package.json` for the leaf package, regenerate the lockfile, commit, retry.
-3. If no patch but safe (transitive, no untrusted input, dev/build only): add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
+3. If no patch but safe (transitive, no untrusted input, dev/build only): ask the user to make the risk-acceptance decision, then add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
 
 ## Rails (bundler-audit)
 

package/plugins/lisa-copilot/rules/reference/base-rules.md

@@ -50,6 +50,7 @@ Git Discipline:
 - Prefix git push with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.
 - Never commit directly to an environment branch (dev, staging, main).
 - Never use --no-verify or attempt to bypass a git hook.
+- When a pre-commit, pre-push, CI, or other quality gate fails, fix the root cause first: upgrade the vulnerable dependency, fix the lint/type/test failure, remove the secret, or repair the failing check. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a narrow, documented ignore for the specific failing rule or advisory. Never use `--no-verify`, hook environment switches, blanket ignores, or threshold reductions as a substitute for fixing the gate.
 - Never bypass branch protection. Never use `--admin`, `--force`, or any other flag to merge a PR that has failing CI checks. If CI fails, fix it. If you cannot fix it, escalate to the human. There are zero exceptions. "Green in CI" is the definition of done — not "green locally." A PR is not complete until CI passes on the actual PR branch.
 - Never stash changes you cannot commit. Either fix whatever is preventing the commit or fail out and let the human know why.
 - Never add "BREAKING CHANGE" to a commit message unless there is actually a breaking change.

package/plugins/lisa-copilot/rules/reference/security-audit-handling.md

@@ -1,13 +1,19 @@
 # Security Audit Handling
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify` to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify`, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Node.js Projects (GHSA advisories)
 
 1. Note the GHSA ID(s), affected package(s), and advisory URL from the error output
 2. Check the advisory URL to determine if a patched version of the vulnerable package exists
 3. If a patched version exists: add a resolution/override in package.json to force the patched version (add to both `resolutions` and `overrides` sections), then run the package manager install command to regenerate the lockfile, commit the changes, and retry the push
-4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
+4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): ask the user to make the risk-acceptance decision, then add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
 
 ### Critical: Override the vulnerable package, not its parent
 

package/plugins/lisa-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-cursor/hooks/block-no-verify.sh

@@ -91,11 +91,10 @@ PY
 then
   cat >&2 <<'EOF'
 Blocked: this command bypasses pre-commit/pre-push hooks (--no-verify, HUSKY=0,
-or core.hooksPath disabling). Fix the underlying issue (lint error, failing
-test, formatting) or ask the user before bypassing.
-
-If the user has explicitly authorized the bypass for this specific command,
-re-run after they confirm.
+or core.hooksPath disabling). Fix the underlying issue (security audit, lint,
+typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the
+user to make the risk-acceptance decision and add a specific documented ignore;
+never bypass the hook.
 EOF
   exit 2
 fi

package/plugins/lisa-cursor/rules/base-rules-reference.mdc

@@ -55,6 +55,7 @@ Git Discipline:
 - Prefix git push with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.
 - Never commit directly to an environment branch (dev, staging, main).
 - Never use --no-verify or attempt to bypass a git hook.
+- When a pre-commit, pre-push, CI, or other quality gate fails, fix the root cause first: upgrade the vulnerable dependency, fix the lint/type/test failure, remove the secret, or repair the failing check. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a narrow, documented ignore for the specific failing rule or advisory. Never use `--no-verify`, hook environment switches, blanket ignores, or threshold reductions as a substitute for fixing the gate.
 - Never bypass branch protection. Never use `--admin`, `--force`, or any other flag to merge a PR that has failing CI checks. If CI fails, fix it. If you cannot fix it, escalate to the human. There are zero exceptions. "Green in CI" is the definition of done — not "green locally." A PR is not complete until CI passes on the actual PR branch.
 - Never stash changes you cannot commit. Either fix whatever is preventing the commit or fail out and let the human know why.
 - Never add "BREAKING CHANGE" to a commit message unless there is actually a breaking change.

package/plugins/lisa-cursor/rules/base-rules.mdc

@@ -30,6 +30,7 @@ Do not begin work if there are blockers, ambiguities, access requirements, or un
 ## Git Discipline
 
 - **Never use `--no-verify`** or bypass any git hook.
+- When a hook or quality gate fails, fix the root cause first. If no fix is genuinely possible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never use a blanket bypass.
 - **Never bypass branch protection** — no `--admin`, `--force`, no merging a PR with failing CI. "Green in CI" is the definition of done.
 - Never commit directly to environment branches (`dev`, `staging`, `main`).
 - Prefix `git push` with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.

package/plugins/lisa-cursor/rules/security-audit-handling-reference.mdc

@@ -5,14 +5,20 @@ alwaysApply: false
 
 # Security Audit Handling
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify` to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify`, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Node.js Projects (GHSA advisories)
 
 1. Note the GHSA ID(s), affected package(s), and advisory URL from the error output
 2. Check the advisory URL to determine if a patched version of the vulnerable package exists
 3. If a patched version exists: add a resolution/override in package.json to force the patched version (add to both `resolutions` and `overrides` sections), then run the package manager install command to regenerate the lockfile, commit the changes, and retry the push
-4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
+4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): ask the user to make the risk-acceptance decision, then add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
 
 ### Critical: Override the vulnerable package, not its parent
 

package/plugins/lisa-cursor/rules/security-audit-handling.mdc

@@ -5,7 +5,13 @@ alwaysApply: true
 
 # Security Audit Handling (load-bearing)
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`** to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`**, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Core rule
 
@@ -22,7 +28,7 @@ Before adding any override, verify:
 
 1. Note GHSA ID, package, advisory URL.
 2. If a patched version exists: add a resolution AND override in `package.json` for the leaf package, regenerate the lockfile, commit, retry.
-3. If no patch but safe (transitive, no untrusted input, dev/build only): add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
+3. If no patch but safe (transitive, no untrusted input, dev/build only): ask the user to make the risk-acceptance decision, then add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
 
 ## Rails (bundler-audit)
 

package/plugins/lisa-expo/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Expo and React Native-specific skills, agents, rules, and MCP servers.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Harper/Fabric-specific Lisa rules for TypeScript component apps.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-harper-fabric-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-harper-fabric",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Harper/Fabric-specific rules for TypeScript component apps",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "NestJS-specific skills and migration write-protection hooks.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "NestJS-specific skills (GraphQL, TypeORM) and hooks (migration write-protection)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, across Claude and Codex.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-openclaw-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-openclaw",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Connect staff roles to Telegram or Slack via OpenClaw — facilitator/specialist hub-and-spoke routing and repo-coding topics, for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-phaser-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-phaser",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Phaser 4 game-development rules for TypeScript projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Ruby on Rails-specific skills and hooks for RuboCop and ast-grep scanning on edit.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Ruby on Rails-specific hooks — RuboCop linting/formatting and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "TypeScript-specific hooks for formatting, linting, and ast-grep scanning on edit.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, ast-grep scanning, and error-suppression blocking on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "Distributable LLM Wiki kernel — ingest, query, lint, and maintain a git-native markdown knowledge base across Claude and Codex.",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-agy/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-copilot/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-wiki-cursor/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-wiki",
-  "version": "2.166.0",
+  "version": "2.166.2",
   "description": "LLM Wiki — a distributable, git-native markdown knowledge base for Claude Code and Codex",
   "author": {
     "name": "Cody Swann"

package/plugins/src/base/hooks/block-no-verify.agy.sh

@@ -25,7 +25,7 @@ allow() {
 }
 
 deny() {
-  printf '%s\n' '{"decision":"deny","reason":"This command bypasses Lisa pre-commit/pre-push quality gates (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (lint, tests, formatting) or ask the user before bypassing."}'
+  printf '%s\n' '{"decision":"deny","reason":"This command bypasses Lisa pre-commit/pre-push quality gates (--no-verify, HUSKY=0, or core.hooksPath disabling). Fix the underlying issue (security audit, lint, typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never bypass the hook."}'
   exit 0
 }
 

package/plugins/src/base/hooks/block-no-verify.sh

@@ -91,11 +91,10 @@ PY
 then
   cat >&2 <<'EOF'
 Blocked: this command bypasses pre-commit/pre-push hooks (--no-verify, HUSKY=0,
-or core.hooksPath disabling). Fix the underlying issue (lint error, failing
-test, formatting) or ask the user before bypassing.
-
-If the user has explicitly authorized the bypass for this specific command,
-re-run after they confirm.
+or core.hooksPath disabling). Fix the underlying issue (security audit, lint,
+typecheck, tests, formatting) instead. If a fix is genuinely impossible, ask the
+user to make the risk-acceptance decision and add a specific documented ignore;
+never bypass the hook.
 EOF
   exit 2
 fi

package/plugins/src/base/rules/eager/base-rules.md

@@ -25,6 +25,7 @@ Do not begin work if there are blockers, ambiguities, access requirements, or un
 ## Git Discipline
 
 - **Never use `--no-verify`** or bypass any git hook.
+- When a hook or quality gate fails, fix the root cause first. If no fix is genuinely possible, ask the user to make the risk-acceptance decision and add a specific documented ignore; never use a blanket bypass.
 - **Never bypass branch protection** — no `--admin`, `--force`, no merging a PR with failing CI. "Green in CI" is the definition of done.
 - Never commit directly to environment branches (`dev`, `staging`, `main`).
 - Prefix `git push` with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.

package/plugins/src/base/rules/eager/security-audit-handling.md

@@ -1,6 +1,12 @@
 # Security Audit Handling (load-bearing)
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`** to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow the rules below. **Never use `--no-verify`**, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Core rule
 
@@ -17,7 +23,7 @@ Before adding any override, verify:
 
 1. Note GHSA ID, package, advisory URL.
 2. If a patched version exists: add a resolution AND override in `package.json` for the leaf package, regenerate the lockfile, commit, retry.
-3. If no patch but safe (transitive, no untrusted input, dev/build only): add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
+3. If no patch but safe (transitive, no untrusted input, dev/build only): ask the user to make the risk-acceptance decision, then add an exclusion to `audit.ignore.local.json` with `{"id", "package", "reason"}`, commit, retry.
 
 ## Rails (bundler-audit)
 

package/plugins/src/base/rules/reference/base-rules.md

@@ -50,6 +50,7 @@ Git Discipline:
 - Prefix git push with `GIT_SSH_COMMAND="ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=5"`.
 - Never commit directly to an environment branch (dev, staging, main).
 - Never use --no-verify or attempt to bypass a git hook.
+- When a pre-commit, pre-push, CI, or other quality gate fails, fix the root cause first: upgrade the vulnerable dependency, fix the lint/type/test failure, remove the secret, or repair the failing check. If a fix is genuinely impossible, ask the user to make the risk-acceptance decision and add a narrow, documented ignore for the specific failing rule or advisory. Never use `--no-verify`, hook environment switches, blanket ignores, or threshold reductions as a substitute for fixing the gate.
 - Never bypass branch protection. Never use `--admin`, `--force`, or any other flag to merge a PR that has failing CI checks. If CI fails, fix it. If you cannot fix it, escalate to the human. There are zero exceptions. "Green in CI" is the definition of done — not "green locally." A PR is not complete until CI passes on the actual PR branch.
 - Never stash changes you cannot commit. Either fix whatever is preventing the commit or fail out and let the human know why.
 - Never add "BREAKING CHANGE" to a commit message unless there is actually a breaking change.

package/plugins/src/base/rules/reference/security-audit-handling.md

@@ -1,13 +1,19 @@
 # Security Audit Handling
 
-If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify` to bypass the security audit.
+If `git push` fails because the pre-push hook reports security vulnerabilities, follow these steps. Never use `--no-verify`, `HUSKY=0`, `core.hooksPath`, or any other hook bypass to skip the security audit.
+
+## Fix before ignore
+
+1. Fix the root cause first: upgrade or override the actually-vulnerable leaf package to a patched compatible version, regenerate the lockfile, and retry the gate.
+2. Only if no safe fix exists, ask the user to make the risk-acceptance decision. Add a narrow documented ignore for the specific advisory, package, and reason.
+3. Never add a blanket audit bypass, lower an audit level, or self-approve a new risk-acceptance entry.
 
 ## Node.js Projects (GHSA advisories)
 
 1. Note the GHSA ID(s), affected package(s), and advisory URL from the error output
 2. Check the advisory URL to determine if a patched version of the vulnerable package exists
 3. If a patched version exists: add a resolution/override in package.json to force the patched version (add to both `resolutions` and `overrides` sections), then run the package manager install command to regenerate the lockfile, commit the changes, and retry the push
-4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
+4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only): ask the user to make the risk-acceptance decision, then add an exclusion entry to `audit.ignore.local.json` with the format `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push
 
 ### Critical: Override the vulnerable package, not its parent