dw-kit 1.3.5 → 1.4.0

package/.claude/hooks/supply-chain-scan.sh

@@ -60,9 +60,12 @@ fi
 
 START_TS=$(date +%s%N 2>/dev/null || date +%s)
 
-# Run scan in lockfile's project dir. Capture exit code without failing parent.
+# Pillar 3 (ADR-0006): heuristic-only mode probes ONLY the NEW/bumped packages
+# from the lockfile diff against npm registry metadata. Cached 1h per package
+# so repeat edits hit cache. This is the AI-Native moat — catches zero-day-ish
+# at the edit boundary, before OSV indexes and before any TL fixture bump.
 set +e
-SCAN_OUTPUT=$(cd "$LOCKFILE_DIR" && $DW_BIN security-scan --quick 2>&1)
+SCAN_OUTPUT=$(cd "$LOCKFILE_DIR" && $DW_BIN security-scan --heuristic-only 2>&1)
 SCAN_EXIT=$?
 set -e
 
@@ -73,28 +76,27 @@ case "$SCAN_EXIT" in
   0)
     # Clean — silent unless verbose
     if [ "${DW_SC_GUARD_VERBOSE:-}" = "1" ]; then
-      echo "✓ supply-chain-scan: clean (no advisory matches in $BASENAME)" >&2
+      echo "✓ supply-chain-scan: clean (no heuristic flags on NEW/bumped packages in $BASENAME)" >&2
     fi
     ;;
   1)
-    # Low/medium matches — warn, do not block
+    # Mid-risk heuristic flags — warn, do not block
     echo "" >&2
-    echo "⚠  supply-chain-scan: advisory matches in $BASENAME (low/medium)" >&2
-    echo "$SCAN_OUTPUT" | tail -20 >&2
-    echo "   (advisory — not blocking; run \`dw security-scan\` for full report)" >&2
+    echo "⚠  supply-chain-scan: heuristic flags on NEW/bumped packages in $BASENAME" >&2
+    echo "$SCAN_OUTPUT" | tail -30 >&2
+    echo "   (advisory — not blocking; run \`dw security-scan\` for full pillar 1+2+3 report)" >&2
     ;;
   2)
-    # HIGH+ matches — loud warning, still non-blocking per ADR-0005 v1.3.5 (advisory-only)
+    # HIGH-risk heuristic flag (score ≥80) — loud warning, still non-blocking
     echo "" >&2
-    echo "⚠  supply-chain-scan: HIGH+ severity advisory match in $BASENAME" >&2
-    echo "$SCAN_OUTPUT" | tail -25 >&2
-    echo "   ADVISORY ONLY — threshold matrix in v14-evaluation-protocol.md is authoritative." >&2
-    echo "   Run \`dw security-scan\` for full report. Public sunset review 2026-08-12 (ADR-0005)." >&2
+    echo "⚠  supply-chain-scan: HIGH-RISK heuristic flag on NEW/bumped package in $BASENAME" >&2
+    echo "$SCAN_OUTPUT" | tail -40 >&2
+    echo "   ADVISORY ONLY — review before commit. Public sunset review 2026-08-12 (ADR-0005)." >&2
     ;;
   *)
-    # Setup error (no snapshot, schema mismatch, etc.) — quiet hint
+    # Setup error (no lockfile, network failure) — quiet hint
     if [ "${DW_SC_GUARD_VERBOSE:-}" = "1" ]; then
-      echo "supply-chain-scan: setup needed — run \`dw security-scan --update-db\`" >&2
+      echo "supply-chain-scan: heuristic check skipped or errored — run \`dw security-scan\` manually" >&2
     fi
     ;;
 esac

package/.claude/skills/dw-archive/SKILL.md

@@ -54,6 +54,20 @@ mv {paths.tasks}/[task-name] {paths.tasks}/archive/[YYYY-MM]/
 
 Tổ chức theo tháng hoàn thành để dễ tìm kiếm sau.
 
+### 4a. Clean up review render artifacts (ADR-0007)
+
+Nếu `.dw/reviews/[task-name]/` hoặc `.dw/reviews/[task-slug]/` tồn tại:
+
+```bash
+# Local-only ephemeral artifacts (gitignored) — safe to remove on archive.
+# User can regenerate via /dw:review --visual nếu cần lại.
+rm -rf .dw/reviews/[task-name]/
+```
+
+Báo cáo trong output Bước 6: "Đã dọn .dw/reviews/[task-name]/ (regenerate via /dw:review --visual nếu cần)."
+
+Nếu task có scope_slug khác task-name (kiểm tra `.dw/reviews/*/manifest.json` có `task_id` matching), dọn cả slug đó.
+
 ## Bước 5: Cập nhật archive index
 
 Ghi/cập nhật `{paths.tasks}/archive/README.md`:

package/.claude/skills/dw-review/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: dw:review
-description: "Review code thay đổi gần đây hoặc cả task. Kiểm tra correctness, security, conventions, test coverage. Tạo báo cáo phân loại Critical/Warning/Suggestion."
-argument-hint: "[task-name | branch | file]"
+description: "Review code thay đổi gần đây hoặc cả task. Kiểm tra correctness, security, conventions, test coverage. Tạo báo cáo phân loại Critical/Warning/Suggestion. Pass --visual để emit manifest cho visual artifacts (ADR-0007)."
+argument-hint: "[task-name | branch | file] [--visual]"
 context: fork
 agent: reviewer
 allowed-tools:
@@ -11,6 +11,8 @@ allowed-tools:
   - "Bash(git diff *)"
   - "Bash(git log *)"
   - "Bash(git show *)"
+  - "Bash(dw review render *)"
+  - "Write(.dw/reviews/**/manifest.json)"
 ---
 
 # Code Review
@@ -57,6 +59,35 @@ Nếu có plan file (`{paths.tasks}/$ARGUMENTS/$ARGUMENTS-plan.md`):
 
 Tạo báo cáo đầy đủ theo format của reviewer agent.
 
+### 5-alt. `--visual` flag (ADR-0007)
+
+Nếu user pass `--visual`, KHÔNG in báo cáo inline. Thay vào đó:
+
+1. **Tạo manifest JSON** tuân thủ `src/lib/review/manifest-schema.json` (schema_version 1):
+   - `scope`: nhãn review (branch name, task slug, hoặc free-form từ argument)
+   - `scope_slug`: sanitize qua `scope-slug` util — KHÔNG dùng scope thô làm tên thư mục
+   - `generated_at`: ISO timestamp hiện tại
+   - `task_id` (optional): nếu review thuộc một task — link tới `.dw/tasks/{id}/`
+   - `review_meta`: `{reviewer: "dw-review", depth, diff_base, files_reviewed}`
+   - `findings[]`: mỗi finding có `id, severity (critical|warning|suggestion), title, location {file, line_start, line_end}, rule_ref?, body, fix?, code_snippet (≤50 lines quanh finding), language?`
+
+2. **Ghi manifest** ra `.dw/reviews/{scope_slug}/manifest.json` qua Write tool. Đây là file DUY NHẤT skill được phép viết.
+
+3. **Gọi renderer**:
+   ```bash
+   dw review render .dw/reviews/{scope_slug}/manifest.json
+   ```
+   CLI sẽ:
+   - Validate manifest qua schema
+   - Phát hiện `dw-kit-render` package (optional sub-package)
+   - Nếu có: render SVG + PNG per finding → `.dw/reviews/{scope_slug}/finding-{id}.svg` + `.png`
+   - Nếu thiếu: ghi `summary.md` markdown + prompt user install `dw-kit-render`
+   - Luôn ghi `summary.md` tổng hợp với links tới artifacts
+
+4. **Surface kết quả**: in danh sách artifact paths cho user; gợi ý mở `summary.md` hoặc embed image vào PR comment.
+
+KHÔNG fallback inline report — manifest + render là contract của `--visual`.
+
 ## Sau Review
 
 - Nếu có Critical issues: "Cần fix trước khi merge"

package/.dw/config/config.schema.json

@@ -1,121 +1,149 @@
-{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "dw-kit Configuration Schema",
-  "description": "Schema for config/dw.config.yml",
-  "type": "object",
-  "additionalProperties": false,
-  "properties": {
-    "project": {
-      "type": "object",
-      "additionalProperties": false,
-      "required": ["name"],
-      "properties": {
-        "name":     { "type": "string", "minLength": 1 },
-        "language": { "type": "string", "enum": ["vi", "en"], "default": "vi" }
-      }
-    },
-    "workflow": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "default_depth": {
-          "type": "string",
-          "enum": ["quick", "standard", "thorough"],
-          "default": "standard"
-        }
-      }
-    },
-    "team": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "roles": {
-          "type": "array",
-          "items": {
-            "type": "string",
-            "enum": ["dev", "techlead", "ba", "qc", "pm"]
-          },
-          "minItems": 1,
-          "contains": { "const": "dev" },
-          "description": "dev is always required"
-        }
-      }
-    },
-    "quality": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "test_command":  { "type": "string", "default": "" },
-        "lint_command":  { "type": "string", "default": "" },
-        "block_on_fail": { "type": "boolean", "default": false }
-      }
-    },
-    "tracking": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "estimation":      { "type": "boolean", "default": false },
-        "log_work":        { "type": "boolean", "default": false },
-        "estimation_unit": {
-          "type": "string",
-          "enum": ["hours", "story-points", "t-shirt"],
-          "default": "hours"
-        }
-      }
-    },
-    "paths": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "tasks": { "type": "string", "default": ".dw/tasks" },
-        "docs":  { "type": "string", "default": ".dw/docs" }
-      }
-    },
-    "claude": {
-      "type": "object",
-      "additionalProperties": false,
-      "properties": {
-        "models": {
-          "type": "object",
-          "additionalProperties": false,
-          "properties": {
-            "plan":    { "type": "string", "default": "" },
-            "execute": { "type": "string", "default": "" },
-            "review":  { "type": "string", "default": "" }
-          }
-        },
-        "structured_output":  { "type": "boolean", "default": true },
-        "worktree_execution": { "type": "boolean", "default": false },
-        "mcp": {
-          "type": "array",
-          "items": {
-            "type": "object",
-            "required": ["name", "command"],
-            "additionalProperties": false,
-            "properties": {
-              "name":    { "type": "string" },
-              "command": { "type": "string" },
-              "args":    { "type": "array", "items": { "type": "string" } },
-              "env": {
-                "type": "object",
-                "additionalProperties": { "type": "string" }
-              }
-            }
-          }
-        }
-      }
-    },
-    "_toolkit": {
-      "type": "object",
-      "additionalProperties": true,
-      "properties": {
-        "core_version":     { "type": "string" },
-        "platform_version": { "type": "string" },
-        "capability_version": { "type": "string" },
-        "installed":        { "type": "string" },
-        "last_upgrade":     { "type": "string" },
-        "migrated_from":    { "type": "string" }
-      }
-    }
-  }
-}
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "dw-kit Configuration Schema",
+  "description": "Schema for config/dw.config.yml",
+  "type": "object",
+  "additionalProperties": false,
+  "properties": {
+    "project": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["name"],
+      "properties": {
+        "name":     { "type": "string", "minLength": 1 },
+        "language": { "type": "string", "enum": ["vi", "en"], "default": "vi" }
+      }
+    },
+    "workflow": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "default_depth": {
+          "type": "string",
+          "enum": ["quick", "standard", "thorough"],
+          "default": "standard"
+        }
+      }
+    },
+    "team": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "roles": {
+          "type": "array",
+          "items": {
+            "type": "string",
+            "enum": ["dev", "techlead", "ba", "qc", "pm"]
+          },
+          "minItems": 1,
+          "contains": { "const": "dev" },
+          "description": "dev is always required"
+        }
+      }
+    },
+    "quality": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "test_command":  { "type": "string", "default": "" },
+        "lint_command":  { "type": "string", "default": "" },
+        "block_on_fail": { "type": "boolean", "default": false }
+      }
+    },
+    "tracking": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "estimation":      { "type": "boolean", "default": false },
+        "log_work":        { "type": "boolean", "default": false },
+        "estimation_unit": {
+          "type": "string",
+          "enum": ["hours", "story-points", "t-shirt"],
+          "default": "hours"
+        }
+      }
+    },
+    "paths": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "tasks": { "type": "string", "default": ".dw/tasks" },
+        "docs":  { "type": "string", "default": ".dw/docs" }
+      }
+    },
+    "claude": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "models": {
+          "type": "object",
+          "additionalProperties": false,
+          "properties": {
+            "plan":    { "type": "string", "default": "" },
+            "execute": { "type": "string", "default": "" },
+            "review":  { "type": "string", "default": "" }
+          }
+        },
+        "structured_output":  { "type": "boolean", "default": true },
+        "worktree_execution": { "type": "boolean", "default": false },
+        "review": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "Review render pipeline (ADR-0007).",
+          "properties": {
+            "renderer": {
+              "type": "object",
+              "additionalProperties": false,
+              "properties": {
+                "strategy": {
+                  "type": "string",
+                  "enum": ["auto", "plugin", "markdown-only"],
+                  "default": "auto"
+                },
+                "theme":  { "type": "string", "default": "github-dark" },
+                "font":   { "type": "string", "default": "JetBrains Mono" },
+                "formats": {
+                  "type": "array",
+                  "items": { "type": "string", "enum": ["svg", "png"] },
+                  "minItems": 1,
+                  "uniqueItems": true,
+                  "default": ["svg", "png"]
+                },
+                "output_dir": { "type": "string", "default": ".dw/reviews" }
+              }
+            }
+          }
+        },
+        "mcp": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "required": ["name", "command"],
+            "additionalProperties": false,
+            "properties": {
+              "name":    { "type": "string" },
+              "command": { "type": "string" },
+              "args":    { "type": "array", "items": { "type": "string" } },
+              "env": {
+                "type": "object",
+                "additionalProperties": { "type": "string" }
+              }
+            }
+          }
+        }
+      }
+    },
+    "_toolkit": {
+      "type": "object",
+      "additionalProperties": true,
+      "properties": {
+        "core_version":     { "type": "string" },
+        "platform_version": { "type": "string" },
+        "capability_version": { "type": "string" },
+        "installed":        { "type": "string" },
+        "last_upgrade":     { "type": "string" },
+        "migrated_from":    { "type": "string" }
+      }
+    }
+  }
+}

package/.dw/config/dw.config.yml

@@ -59,6 +59,20 @@ claude:
   # Isolate execution trong git worktree (cho risky refactors)
   worktree_execution: false
 
+  # --- Review render pipeline (ADR-0007) ------------------------------------
+  # /dw:review --visual produces a manifest.json then invokes `dw review render`.
+  # Output goes to .dw/reviews/{scope-slug}/ — see ADR-0007.
+  review:
+    renderer:
+      # auto: try dw-kit-render package, fall back to markdown summary if missing
+      # plugin: require dw-kit-render to be installed (fail if missing)
+      # markdown-only: never invoke a renderer, emit markdown summary only
+      strategy: "auto"
+      theme: "github-dark"          # any shiki theme name
+      font: "JetBrains Mono"        # font family for code in SVG
+      formats: ["svg", "png"]       # outputs produced per finding
+      output_dir: ".dw/reviews"
+
   # MCP servers — Claude Code sẽ load các servers này
   mcp: []
   # Ví dụ:

package/.dw/security/advisory-snapshot.json

@@ -0,0 +1,157 @@
+{
+  "schema_version": "1.0",
+  "fetched_at": "2026-05-12T09:57:47.323Z",
+  "source": "osv.dev",
+  "ecosystem": "npm",
+  "package_count": 13,
+  "advisory_count": 2,
+  "advisories": [
+    {
+      "id": "GHSA-q3j6-qgpj-74h6",
+      "summary": "fast-uri vulnerable to path traversal via percent-encoded dot segments",
+      "details": "### Impact\n\n`fast-uri` v3.1.0 and earlier decodes percent-encoded path separators (`%2F`) and dot segments (`%2E`) before applying dot-segment removal in `normalize()` and `equal()`. This makes encoded path data behave like real `/` and `..`, so distinct URIs collapse onto the same normalized path.\n\nFor example, `http://example.com/public/%2e%2e/admin` normalizes to `http://example.com/admin`, and `equal()` considers them the same URI.\n\nApplications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed. A path that looks confined under an allowed prefix can normalize to a different location.\n\n### Patches\n\nUpgrade to `fast-uri` >= 3.1.1.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
+      "aliases": [
+        "CVE-2026-6321"
+      ],
+      "modified": "2026-05-09T16:44:22.524341929Z",
+      "published": "2026-05-08T17:15:09Z",
+      "related": [
+        "CGA-9j5f-2hwm-8hfc"
+      ],
+      "database_specific": {
+        "cwe_ids": [
+          "CWE-22"
+        ],
+        "github_reviewed": true,
+        "github_reviewed_at": "2026-05-08T17:15:09Z",
+        "severity": "HIGH",
+        "nvd_published_at": "2026-05-04T20:16:20Z"
+      },
+      "references": [
+        {
+          "type": "WEB",
+          "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6"
+        },
+        {
+          "type": "ADVISORY",
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
+        },
+        {
+          "type": "WEB",
+          "url": "https://cna.openjsf.org/security-advisories.html"
+        },
+        {
+          "type": "PACKAGE",
+          "url": "https://github.com/fastify/fast-uri"
+        }
+      ],
+      "affected": [
+        {
+          "package": {
+            "name": "fast-uri",
+            "ecosystem": "npm",
+            "purl": "pkg:npm/fast-uri"
+          },
+          "ranges": [
+            {
+              "type": "SEMVER",
+              "events": [
+                {
+                  "introduced": "0"
+                },
+                {
+                  "fixed": "3.1.1"
+                }
+              ]
+            }
+          ],
+          "database_specific": {
+            "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q3j6-qgpj-74h6/GHSA-q3j6-qgpj-74h6.json",
+            "last_known_affected_version_range": "<= 3.1.0"
+          }
+        }
+      ],
+      "schema_version": "1.7.5",
+      "severity": [
+        {
+          "type": "CVSS_V3",
+          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+        }
+      ]
+    },
+    {
+      "id": "GHSA-v39h-62p7-jpjc",
+      "summary": "fast-uri vulnerable to host confusion via percent-encoded authority delimiters",
+      "details": "### Impact\n\n`fast-uri` v3.1.1 and earlier decodes percent-encoded authority delimiters (`%40` as `@`, `%3A` as `:`) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.\n\nFor example, `http://trusted.com%40evil.com/` normalizes to `http://trusted.com@evil.com/`, which reparses as host `evil.com` with userinfo `trusted.com`.\n\nApplications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the original URL appeared to contain.\n\n### Patches\n\nUpgrade to `fast-uri` >= 3.1.2.\n\n### Workarounds\n\nNone. Upgrade to the patched version.",
+      "aliases": [
+        "CVE-2026-6322"
+      ],
+      "modified": "2026-05-10T04:44:28.903255090Z",
+      "published": "2026-05-08T19:13:01Z",
+      "related": [
+        "CGA-5vr9-c8qr-fqvg"
+      ],
+      "database_specific": {
+        "cwe_ids": [
+          "CWE-436"
+        ],
+        "github_reviewed": true,
+        "github_reviewed_at": "2026-05-08T19:13:01Z",
+        "severity": "HIGH",
+        "nvd_published_at": "2026-05-05T11:16:33Z"
+      },
+      "references": [
+        {
+          "type": "WEB",
+          "url": "https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc"
+        },
+        {
+          "type": "ADVISORY",
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
+        },
+        {
+          "type": "WEB",
+          "url": "https://cna.openjsf.org/security-advisories.html"
+        },
+        {
+          "type": "PACKAGE",
+          "url": "https://github.com/fastify/fast-uri"
+        }
+      ],
+      "affected": [
+        {
+          "package": {
+            "name": "fast-uri",
+            "ecosystem": "npm",
+            "purl": "pkg:npm/fast-uri"
+          },
+          "ranges": [
+            {
+              "type": "SEMVER",
+              "events": [
+                {
+                  "introduced": "0"
+                },
+                {
+                  "fixed": "3.1.2"
+                }
+              ]
+            }
+          ],
+          "database_specific": {
+            "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v39h-62p7-jpjc/GHSA-v39h-62p7-jpjc.json",
+            "last_known_affected_version_range": "<= 3.1.1"
+          }
+        }
+      ],
+      "schema_version": "1.7.5",
+      "severity": [
+        {
+          "type": "CVSS_V3",
+          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+        }
+      ]
+    }
+  ],
+  "snapshot_sha": "sha256:0b6ca61019fb234c"
+}

package/.dw/security/ioc-namespaces.json

@@ -1,7 +1,7 @@
 {
-  "schema_version": "1.0",
-  "updated": "2026-05-13",
-  "purpose": "Curated namespace patterns under ACTIVE incident — fallback for pre-install scan when OSV.dev is unavailable. Auto-expires per active_until date. TL updates when new incident requires fixture-level warning before OSV propagation.",
+  "schema_version": "1.1",
+  "updated": "2026-05-14",
+  "purpose": "Curated namespace patterns under ACTIVE incident — wired into default scan (v1.3.6+) AND pre-install scan. Auto-expires per active_until. TL updates when new incident requires fixture-level warning before OSV propagation. Per ADR-0006: pillar 2 of the 3-pillar guard architecture; pillar 3 (NEW-package heuristic) catches incidents BEFORE TL bump.",
   "namespaces": [
     {
       "pattern": "@tanstack/",
@@ -9,7 +9,11 @@
       "advisory": "https://github.com/advisories/GHSA-g7cv-rxg3-hmpx",
       "active_until": "2026-11-11",
       "severity": "critical",
-      "guidance": "If installing @tanstack/* fresh: verify version is NOT in 1.169.5-1.169.8 range; prefer 1.169.9+. Check SLSA provenance attestation matches expected publisher. If already installed and lockfile pins 1.169.5-8: rotate ALL credentials (npm tokens, GitHub PATs, SSH keys, cloud keys, Claude/AI configs) before continuing."
+      "affected_range": {
+        "type": "SEMVER",
+        "events": [{ "introduced": "1.169.5" }, { "fixed": "1.169.9" }]
+      },
+      "guidance": "Affected: 1.169.5-1.169.8. Safe: 1.169.9+. Verify SLSA provenance attestation matches expected publisher. If lockfile already pins affected range: rotate ALL credentials (npm tokens, GitHub PATs, SSH keys, cloud keys, Claude/AI configs) before continuing."
     },
     {
       "pattern": "@uipath/",
@@ -17,7 +21,7 @@
       "advisory": "https://github.com/advisories/GHSA-g7cv-rxg3-hmpx",
       "active_until": "2026-11-11",
       "severity": "critical",
-      "guidance": "Verify each @uipath/* install against official UiPath release notes. Worm SLSA attestations are VALID — provenance check alone is insufficient. Cross-reference with UiPath security bulletin."
+      "guidance": "Verify each @uipath/* install against official UiPath release notes. Worm SLSA attestations are VALID — provenance check alone is insufficient. Cross-reference with UiPath security bulletin. (No affected_range — range still under investigation; treat all recent versions as suspect.)"
     },
     {
       "pattern": "@mistralai/",
@@ -25,7 +29,11 @@
       "advisory": "https://github.com/advisories/GHSA-g7cv-rxg3-hmpx",
       "active_until": "2026-11-11",
       "severity": "critical",
-      "guidance": "Avoid @mistralai/mistralai 2.2.3-2.2.4. Pin to 2.2.2 or 2.2.5+ once available."
+      "affected_range": {
+        "type": "SEMVER",
+        "events": [{ "introduced": "2.2.3" }, { "fixed": "2.2.5" }]
+      },
+      "guidance": "Affected: 2.2.3-2.2.4. Pin to 2.2.2 or 2.2.5+."
     },
     {
       "pattern": "@opensearch-project/opensearch",
@@ -33,8 +41,12 @@
       "advisory": "https://github.com/advisories/GHSA-g7cv-rxg3-hmpx",
       "active_until": "2026-11-11",
       "severity": "critical",
-      "guidance": "Avoid version 3.6.2. Pin to 3.6.1 or 3.6.3+."
+      "affected_range": {
+        "type": "SEMVER",
+        "events": [{ "introduced": "3.6.2" }, { "fixed": "3.6.3" }]
+      },
+      "guidance": "Affected: 3.6.2 only. Pin to 3.6.1 or 3.6.3+."
     }
   ],
-  "maintenance_note": "This fixture is a SHORT-TERM defensive measure. Per ADR-0005 design, OSV.dev/GHSA auto-sync is the primary source; this fixture handles offline + post-incident pre-propagation window. TL prunes entries past active_until on regular release cycles."
+  "maintenance_note": "Per ADR-0005 + ADR-0006: this fixture handles the 'TL knows about incident' window (post-incident, pre-OSV-propagation). Pillar 3 (NEW-package heuristic, ADR-0006) handles the 'nobody knows yet' window. TL prunes entries past active_until on regular release cycles."
 }