get-tbd 0.1.28 → 0.1.29

package/dist/docs/SKILL.md

@@ -17,10 +17,6 @@ description: >-
 allowed-tools: Bash(tbd:*), Read, Write
 ---
 
----
-title: tbd Workflow
-description: Full tbd workflow guide for agents
----
 **`tbd` helps humans and agents ship code with greater speed, quality, and discipline.**
 
 1. **Beads**: Git-native issue tracking (tasks, bugs, features).

package/dist/docs/guidelines/bun-monorepo-patterns.md

@@ -34,7 +34,7 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 | **flowmark** | latest | [github.com/jlevy/flowmark](https://github.com/jlevy/flowmark) — Markdown auto-formatter (via `uvx`). |
 | **publint** | ^0.3.20 (0.3.21 too recent) | [npmjs.com/package/publint](https://www.npmjs.com/package/publint) — **Pinned to 0.3.20 (2026-05-08) per the 14-day rule**; 0.3.21 (2026-05-13) is 9 days old today. Incremental: re-enabled TS/TSX file existence checks; `exports["default"]` support. |
 | **actions/checkout** | v6 | [github.com/actions/checkout/releases](https://github.com/actions/checkout/releases) — v6.0.2 (2026-01-09). Credentials now stored in `$RUNNER_TEMP` rather than `.git/config`; Node 24 runtime; requires runner ≥ 2.327.1. |
-| **oven-sh/setup-bun** | v2 | [github.com/oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) — v2.2.0 (2026-03-14). Migrated to Node.js 24 runtime ahead of GitHub's **2026-06-02 deadline** that forces all Node.js 20 actions to Node.js 24. |
+| **oven-sh/setup-bun** | v2 | [github.com/oven-sh/setup-bun](https://github.com/oven-sh/setup-bun) — v2.2.0 (2026-03-14). Migrated to Node.js 24 runtime ahead of GitHub’s **2026-06-02 deadline** that forces all Node.js 20 actions to Node.js 24. |
 | **lefthook** | ^2.1.5 (2.1.7/2.1.8 too recent) | [github.com/evilmartians/lefthook/releases](https://github.com/evilmartians/lefthook/releases) — **Pinned to 2.1.5 (2026-04-06) per the 14-day rule**; 2.1.7 and 2.1.8 both shipped 2026-05-19 (3 days old). Patch-level since 2.1.1: dependency bumps and config-warning improvements. v2 still excludes regexp `exclude` and `skip_output` from v1. |
 | **npm-check-updates** | ^22.0.0 (22.2.0 too recent) | [npmjs.com/package/npm-check-updates](https://www.npmjs.com/package/npm-check-updates) — **Major version jump from 19 to 22.** **Pinned to 22.0.0 (2026-04-25) per the 14-day rule**; 22.2.0 (2026-05-12) is 10 days old today. Now pure ESM; named imports only (`import { run } from 'npm-check-updates'`); `.ncurc.js` with `module.exports` no longer works in `"type": "module"` projects (use `.ncurc.cjs`). **Critical for supply chain: now ships `--cooldown <days>` to refuse versions younger than the specified age.** See [Supply-Chain Mitigation](#supply-chain-mitigation). |
 
@@ -62,9 +62,9 @@ author: Joshua Levy (github.com/jlevy) with LLM assistance
 
 6. **Review “Open Research Questions”** section for any resolved items
 
-7. **Honor the 14-day package-age rule** when bumping versions in code examples. See
-   [Supply-Chain Mitigation](#supply-chain-mitigation) — versions cited here should be
-   ≥14 days old at the time the table is updated, except where a clearly-noted
+7. **Honor the 14-day package-age rule** when bumping versions in code examples.
+   See [Supply-Chain Mitigation](#supply-chain-mitigation) — versions cited here should
+   be ≥14 days old at the time the table is updated, except where a clearly-noted
    security exception applies.
 
 * * *
@@ -146,17 +146,18 @@ research stock.
 - Missing some pnpm features: no `pnpm deploy`, less strict `node_modules` (phantom
   dependencies possible)
 
-- **Notable**: Bun was acquired by Anthropic on 2025-12-02 — Anthropic's first
+- **Notable**: Bun was acquired by Anthropic on 2025-12-02 — Anthropic’s first
   acquisition. Bun powers Claude Code (which ships as a `bun build --compile`
-  executable), the Claude Agent SDK, and other Anthropic AI tooling, signaling
-  strong ongoing investment and maintenance. **Language transition**: Bun 1.3.14
-  (2026-05-13) is the last Zig-based release. A full Rust rewrite (~960K lines,
-  generated by Claude agents over ~6 days, 6,755 commits) merged to `main` on
-  2026-05-14 and passes 99.8% of the test suite. The transition was motivated by
-  Zig's no-AI-contribution policy conflicting with the Bun team's workflow. The
-  external API surface (`bun`, `bunx`, `bun install`, `bun test`, `bun build`)
-  is unchanged; consumers should expect no breakage but watch the 1.4.x release
-  notes for migration details.
+  executable), the Claude Agent SDK, and other Anthropic AI tooling, signaling strong
+  ongoing investment and maintenance.
+  **Language transition**: Bun 1.3.14 (2026-05-13) is the last Zig-based release.
+  A full Rust rewrite (~960K lines, generated by Claude agents over ~6 days, 6,755
+  commits) merged to `main` on 2026-05-14 and passes 99.8% of the test suite.
+  The transition was motivated by Zig’s no-AI-contribution policy conflicting with the
+  Bun team’s workflow.
+  The external API surface (`bun`, `bunx`, `bun install`, `bun test`, `bun build`) is
+  unchanged; consumers should expect no breakage but watch the 1.4.x release notes for
+  migration details.
 
 **Assessment**: Bun workspaces are functional and fast, but less strict than pnpm.
 The text-based `bun.lock` format (since Bun 1.2) resolves the earlier diffability
@@ -1709,11 +1710,11 @@ This is a unique advantage that the pnpm ecosystem does not offer natively.
 
 **Details**:
 
-npm-check-updates (`ncu`) works with Bun. The main difference is using `bun install`
-instead of `pnpm install` after updates. **All upgrade commands must honor the
-14-day package-age rule** — see [Supply-Chain Mitigation](#supply-chain-mitigation)
-for the rationale and exception process. `ncu` v22+ ships a native `--cooldown`
-flag that enforces this directly.
+npm-check-updates (`ncu`) works with Bun.
+The main difference is using `bun install` instead of `pnpm install` after updates.
+**All upgrade commands must honor the 14-day package-age rule** — see
+[Supply-Chain Mitigation](#supply-chain-mitigation) for the rationale and exception
+process. `ncu` v22+ ships a native `--cooldown` flag that enforces this directly.
 
 **Root `package.json` scripts**:
 
@@ -1728,13 +1729,12 @@ flag that enforces this directly.
 ```
 
 **Note on npm-check-updates v22**: v22 is pure ESM, named imports only
-(`import { run } from 'npm-check-updates'`), and config files must be
-`.ncurc.cjs` (not `.ncurc.js`) in projects with `"type": "module"`. The
-`--cooldown <days>` flag is the recommended enforcement point for the 14-day
-package-age rule.
+(`import { run } from 'npm-check-updates'`), and config files must be `.ncurc.cjs` (not
+`.ncurc.js`) in projects with `"type": "module"`. The `--cooldown <days>` flag is the
+recommended enforcement point for the 14-day package-age rule.
 
-**Assessment**: Identical workflow to pnpm. `bunx` replaces `npx`. Always
-include `--cooldown 14`.
+**Assessment**: Identical workflow to pnpm.
+`bunx` replaces `npx`. Always include `--cooldown 14`.
 
 * * *
 
@@ -1810,216 +1810,19 @@ in core library code if the library needs to work in Node.js environments.
 
 ## Supply-Chain Mitigation
 
-> **Sync note**: this section is normative and is duplicated **verbatim** in both
-> `bun-monorepo-patterns.md` and `pnpm-monorepo-patterns.md`. When you change one,
-> change the other in the same commit. Tooling-specific commands (e.g.
-> `bun audit` vs. `pnpm audit`) are called out inline.
+Supply-chain hardening applies to **every repo, not just new monorepos**, so the full
+policy and hands-on enforcement now live in a standalone guideline:
+**`tbd guidelines supply-chain-hardening`**. It covers the cross-ecosystem 14-day
+cool-off plus the Node/pnpm/Bun specifics — lifecycle-script allowlists, lockfile
+discipline, `npm-check-updates --cooldown 14`, the CI audit gate, and the
+`check-package-age` pre-push guard.
+Deeper background and the named-incident watch list:
+<https://github.com/jlevy/supply-chain-hardening>.
 
-Modern TypeScript supply-chain attacks land through fresh package versions — a
-maintainer's npm token is compromised, malware is published as a patch release, and
-the registry yanks it 1–10 days later once detection catches up. The
-**Shai-Hulud 2.0** campaign of May 2026 compromised 170+ npm packages this way, and
-similar campaigns ran through 2025 (`debug`, `chalk`, `ansi-styles` lookalikes;
-`expr-eval` post-install RCE). pnpm shipped `minimumReleaseAge` as a default in
-v11.0 (1 day). Bun ships a built-in trusted-dependency allowlist and `bun audit`.
-The settings below are stricter than the ecosystem defaults and intentionally so.
-
-### The 14-day package-age rule
-
-**Never install or upgrade to a package version less than 14 days old.**
-
-Why 14 days specifically:
-
-- **Detection window**: most malicious publishes are reported and yanked within
-  3–7 days; 14 days gives a generous buffer past that median.
-- **Patch-level releases ship dangerous code more often**: many compromises arrive
-  as `1.2.3 → 1.2.4` patch bumps. A trailing window neutralizes the entire class
-  of "fresh patch is malicious" attacks regardless of which dependency moved.
-- **Cheap to enforce, cheap to wait**: there is essentially no business cost to
-  waiting 14 days on a routine upgrade, and the upside is large.
-
-Scope:
-
-- Applies to **`dependencies`, `devDependencies`, `peerDependencies`, and
-  `optionalDependencies`** alike. devDependencies (bundlers, linters, test
-  runners) have historically been *more* dangerous than runtime deps because
-  they execute with full developer privileges on every install.
-- Applies to **transitive dependencies** to the extent the package manager
-  enforces it (see below). Direct deps are the primary control point.
-- Applies to **upgrades and new installs**. Existing pins resolved before this
-  policy was adopted are grandfathered until their next planned upgrade.
-
-Exception process: if a security patch within the 14-day window is needed —
-e.g., a CVE patch published yesterday that fixes a vulnerability you are
-exposed to — the exception **must** be documented in the upgrade commit message
-or PR description, including:
-
-- The CVE ID (or vulnerability description if no CVE yet).
-- A link to the upstream release notes.
-- A reviewer sign-off line (`Reviewed-by: …`).
-
-No exception is "trivial" — even a `prettier` patch is in scope. The whole
-point of the rule is that we don't trust ourselves to spot-judge which fresh
-versions are safe.
-
-### Enforcement: Bun
-
-Bun blocks arbitrary lifecycle scripts by default via an internal allowlist of
-trusted packages. To extend that allowlist for your repo, declare the packages
-explicitly in `package.json`:
-
-```json
-{
-  "trustedDependencies": [
-    "esbuild",
-    "sharp"
-  ]
-}
-```
-
-Anything not in the allowlist runs without `postinstall`/`preinstall`/`install`
-scripts. This is the most important single mitigation Bun gives you out of the
-box.
-
-`bun audit` (documented at [bun.com/docs/pm/cli/audit](https://bun.com/docs/pm/cli/audit))
-checks the installed tree against the npm advisory database:
-
-```bash
-# Run as part of CI; non-zero exit on findings
-bun audit --audit-level=moderate
-
-# JSON output for parsing in scripts
-bun audit --json
-```
-
-Bun does **not yet** ship a built-in equivalent of pnpm's `minimumReleaseAge`,
-so age enforcement is handled at the upgrade-tool layer (see below).
-
-### Enforcement: cross-tool tooling
-
-**`npm-check-updates --cooldown`** is the primary upgrade-time check. Use it
-even on Bun-managed projects (via `bunx`):
-
-```bash
-# Refuse any candidate version younger than 14 days
-bunx npm-check-updates --cooldown 14
-
-# Interactive upgrade with the 14-day filter applied
-bunx npm-check-updates --cooldown 14 --target minor --interactive
-
-# CI-style check: exits non-zero if upgrades are available
-bunx npm-check-updates --cooldown 14 --errorLevel 2
-```
-
-**Direct registry query** (when in doubt about a specific version):
-
-```bash
-# Show all publish times for a package
-npm view typescript time
-
-# Show the time of a specific version
-npm view typescript time.6.0.3
-```
-
-If `npm view <pkg> time.<version>` reports less than 14 days ago, **wait**.
-
-### Enforcement: lockfile discipline
-
-- **Always commit `bun.lock`** (the text JSONC lockfile, default since Bun 1.2).
-- **Use `bun install --frozen-lockfile` in CI** so any drift between
-  `package.json` and `bun.lock` fails the build instead of silently resolving
-  to fresh versions.
-- **Never run `bun update` (or `bun install` on a fresh `node_modules` with an
-  unpinned `package.json`) without lockfile review.** Treat lockfile diffs the
-  same as code diffs.
-- In a monorepo, **a single root `bun.lock`** is the source of truth; per-package
-  lockfiles are an anti-pattern.
-
-### Enforcement: provenance and signatures
-
-- Prefer dependencies that publish with [npm provenance attestations](https://docs.npmjs.com/generating-provenance-statements).
-  Major projects (TypeScript, Vitest, Prettier, ESLint, etc.) ship these.
-- Run `npm audit signatures` (or the upcoming `bun audit signatures` once it
-  ships) in CI on a periodic basis to catch tampered packages.
-
-### Sample CI gate
-
-Add this job to the CI workflow alongside lint/test:
-
-```yaml
-audit:
-  runs-on: ubuntu-latest
-  steps:
-    - uses: actions/checkout@v6
-    - uses: oven-sh/setup-bun@v2
-      with:
-        bun-version: latest
-    - run: bun install --frozen-lockfile
-    - name: Vulnerability audit
-      run: bun audit --audit-level=moderate
-    - name: Package-age check
-      run: bunx npm-check-updates --cooldown 14 --errorLevel 0
-      # errorLevel 0 logs but doesn't fail — flip to 2 once you've cleared
-      # the existing backlog.
-```
-
-### Recommended local script
-
-Drop a `scripts/check-package-age.mjs` (or `.ts`) one-liner in the repo that a
-pre-push hook can call:
-
-```ts
-#!/usr/bin/env bun
-// Refuses to commit if any direct dependency in package.json was published
-// less than COOLDOWN_DAYS ago. Intended for the pre-push hook.
-import pkg from '../package.json' with { type: 'json' };
-
-const COOLDOWN_MS = 14 * 24 * 60 * 60 * 1000;
-const now = Date.now();
-const all = { ...pkg.dependencies, ...pkg.devDependencies };
-
-let violations = 0;
-for (const [name, spec] of Object.entries(all)) {
-  const version = String(spec).replace(/^[\^~=<>]+/, '');
-  const meta = await (await fetch(`https://registry.npmjs.org/${name}`)).json();
-  const publishedAt = meta.time?.[version];
-  if (!publishedAt) continue;
-  const ageMs = now - new Date(publishedAt).getTime();
-  if (ageMs < COOLDOWN_MS) {
-    const days = (ageMs / 86_400_000).toFixed(1);
-    console.error(`✗ ${name}@${version} is only ${days} days old (< 14)`);
-    violations++;
-  }
-}
-process.exit(violations > 0 ? 1 : 0);
-```
-
-Wire it into lefthook (see Appendix E):
-
-```yaml
-pre-push:
-  commands:
-    package-age:
-      glob: "package.json"
-      run: bun scripts/check-package-age.ts
-```
-
-### Exception bookkeeping
-
-When you take an exception, leave a one-line marker in `package.json` adjacent
-to the pin:
-
-```jsonc
-{
-  "devDependencies": {
-    // Exception: CVE-2026-XXXX patch within 14d window. Reviewed 2026-05-21.
-    "vitest": "4.1.7"
-  }
-}
-```
-
-(JSON strict-parsers will reject `//` comments — use a JSONC-aware tool or
-move the note to a `README.md` / `CHANGELOG.md` entry instead.)
+**Bun specifics**: Bun blocks lifecycle scripts by default — extend the allowlist via
+`trustedDependencies` in `package.json`, run `bun audit` in CI with
+`bun install --frozen-lockfile`, and commit `bun.lock`. Bun has no native release-age
+gate yet, so enforce the 14-day cool-off with `bunx npm-check-updates --cooldown 14`.
 
 * * *
 
@@ -2073,8 +1876,8 @@ move the note to a `README.md` / `CHANGELOG.md` entry instead.)
 ## Best Practices
 
 1. **Follow the 14-day package-age rule** for every dependency install and upgrade.
-   See [Supply-Chain Mitigation](#supply-chain-mitigation). Use
-   `bunx npm-check-updates --cooldown 14` and `bun audit` in CI; declare
+   See [Supply-Chain Mitigation](#supply-chain-mitigation).
+   Use `bunx npm-check-updates --cooldown 14` and `bun audit` in CI; declare
    `trustedDependencies` explicitly; commit `bun.lock`; use
    `bun install --frozen-lockfile` in CI.
 
@@ -2084,57 +1887,57 @@ move the note to a `README.md` / `CHANGELOG.md` entry instead.)
 3. **Enable `isolatedDeclarations`** in `tsconfig.base.json` for dramatically faster DTS
    generation with Bunup.
 
-3. **Use Bunup’s auto-exports** (`exports: true`) to keep `package.json` exports
+4. **Use Bunup’s auto-exports** (`exports: true`) to keep `package.json` exports
    synchronized with build output.
 
-4. **Use Biome for formatting + linting** via a single `biome.json`. Use
+5. **Use Biome for formatting + linting** via a single `biome.json`. Use
    `biome check --write` locally and `biome ci` in CI for stricter checks.
 
-5. **Add `bun update` after `changeset version`** to fix workspace reference resolution
+6. **Add `bun update` after `changeset version`** to fix workspace reference resolution
    in the lockfile.
 
-6. **Use `bun publish` per package** instead of `changeset publish` to ensure proper
+7. **Use `bun publish` per package** instead of `changeset publish` to ensure proper
    workspace resolution.
 
-7. **Run CLI from source with `bun`** directly — no need for `tsx` or any TypeScript
+8. **Run CLI from source with `bun`** directly — no need for `tsx` or any TypeScript
    execution wrapper.
 
-8. **Consider `bun --compile`** for distributing CLI tools as standalone executables,
+9. **Consider `bun --compile`** for distributing CLI tools as standalone executables,
    especially for users who don’t have Node.js or Bun installed.
 
-9. **Use `bun test`** for testing — fake timers are now supported (v1.3.4+). Switch to
-   Vitest only if you need test isolation, browser mode, or sharding.
+10. **Use `bun test`** for testing — fake timers are now supported (v1.3.4+). Switch to
+    Vitest only if you need test isolation, browser mode, or sharding.
 
-10. **Keep the root `package.json` private** with `"private": true` and only workspace
+11. **Keep the root `package.json` private** with `"private": true` and only workspace
     tooling.
 
-11. **Scope your package names** with `@org/package-name` for GitHub Packages
+12. **Scope your package names** with `@org/package-name` for GitHub Packages
     compatibility.
 
-12. **Validate before publish** with `publint` in CI and before every release.
+13. **Validate before publish** with `publint` in CI and before every release.
 
-13. **Use lefthook** for git hooks with `biome check` in pre-commit (single command
+14. **Use lefthook** for git hooks with `biome check` in pre-commit (single command
     replaces separate format + lint hooks).
 
-14. **Add the `"bun"` export condition** to let Bun consumers import TypeScript source
+15. **Add the `"bun"` export condition** to let Bun consumers import TypeScript source
     directly, bypassing compiled output.
 
-15. **Use dynamic git-based versioning** for dev builds — the pattern works identically
+16. **Use dynamic git-based versioning** for dev builds — the pattern works identically
     with Bun, and `bun` replaces `tsx` for script execution.
 
-16. **Use `biome ci`** in CI workflows instead of `biome check` — it’s stricter and
+17. **Use `biome ci`** in CI workflows instead of `biome check` — it’s stricter and
     produces cleaner output for CI logs.
 
-17. **Consider ESM-only output** for Bun-native CLI tools and packages targeting modern
+18. **Consider ESM-only output** for Bun-native CLI tools and packages targeting modern
     Node.js (>=22). Only add CJS if specific consumers require it.
 
-18. **Use flowmark** for Markdown formatting in pre-commit hooks — Biome does not format
+19. **Use flowmark** for Markdown formatting in pre-commit hooks — Biome does not format
     Markdown, and consistent Markdown formatting improves documentation quality.
 
-19. **Add golden/CLI tests** with `tryscript` alongside `bun test` for CLI tools — they
+20. **Add golden/CLI tests** with `tryscript` alongside `bun test` for CLI tools — they
     catch regressions in help text, output formatting, and argument parsing.
 
-20. **Consider tag-triggered OIDC releases** as an alternative to the Changesets GitHub
+21. **Consider tag-triggered OIDC releases** as an alternative to the Changesets GitHub
     Action — they provide npm provenance attestation and automatic GitHub Releases.
 
 * * *
@@ -2157,12 +1960,12 @@ move the note to a `README.md` / `CHANGELOG.md` entry instead.)
    It is diffable in code review and supported by GitHub rendering.
    The binary `bun.lockb` is deprecated.
 
-4. **Biome plugin ecosystem**: Biome v2.4 (Feb 2026) added experimental embedded
-   snippet formatting (CSS/GraphQL inside JS/TS template literals), 15 HTML
-   accessibility rules enabled by default, and promoted Vue 3 / Next.js / Qwik
-   rules to stable. The rule set continues growing toward parity with security and
-   accessibility ESLint plugins. Custom ESLint rules remain a reason to keep ESLint
-   (see craft-agents-oss case study in Appendix G).
+4. **Biome plugin ecosystem**: Biome v2.4 (Feb 2026) added experimental embedded snippet
+   formatting (CSS/GraphQL inside JS/TS template literals), 15 HTML accessibility rules
+   enabled by default, and promoted Vue 3 / Next.js / Qwik rules to stable.
+   The rule set continues growing toward parity with security and accessibility ESLint
+   plugins. Custom ESLint rules remain a reason to keep ESLint (see craft-agents-oss case
+   study in Appendix G).
 
 5. **Bun workspace strictness**: Bun still uses flat `node_modules` (no
    content-addressable store).
@@ -2176,40 +1979,40 @@ move the note to a `README.md` / `CHANGELOG.md` entry instead.)
    The `--minify` and `--bytecode` flags help with startup time but not binary size.
 
 7. ~~**TypeScript 6.0**~~: **SHIPPED** 2026-03-23. TypeScript 6.0 is the last
-   JavaScript-based release; `strict: true` is the default; ESM is the default
-   module system; ~9 compiler settings flipped defaults. Currently 6.0.3. Adopt
-   for the codebase as part of the May 2026 currency refresh; review
-   `tsconfig.base.json` for now-redundant flag declarations.
+   JavaScript-based release; `strict: true` is the default; ESM is the default module
+   system; ~9 compiler settings flipped defaults.
+   Currently 6.0.3. Adopt for the codebase as part of the May 2026 currency refresh;
+   review `tsconfig.base.json` for now-redundant flag declarations.
 
 8. **TypeScript 7.0 (Project Corsa, Go rewrite)**: Beta shipped 2026-04-21 as
-   `@typescript/native-preview` (binary `tsgo`). Claims ~10x type-check speed
-   and ~3x less memory; passes 95%+ of the test suite. Available in
-   Visual Studio 2026 18.6 Insiders by default. **Do not adopt for production
-   builds yet** — wait for stable (expected mid-to-late 2026). May change the
-   DTS generation landscape for Bunup and tsdown once stable.
+   `@typescript/native-preview` (binary `tsgo`). Claims ~10x type-check speed and ~3x
+   less memory; passes 95%+ of the test suite.
+   Available in Visual Studio 2026 18.6 Insiders by default.
+   **Do not adopt for production builds yet** — wait for stable (expected mid-to-late
+   2026). May change the DTS generation landscape for Bunup and tsdown once stable.
 
 9. **Bunup maturity**: Bunup is iterating rapidly (0.16.31 as of May 2026, up from 0.4.x
    a few months earlier).
    The API surface (`defineConfig`, `defineWorkspace`, `exports`, `compile`) appears
    stable, but pin versions carefully.
 
-10. **Bun + Anthropic + Rust rewrite**: Bun was acquired by Anthropic on
-    2025-12-02 (Anthropic's first acquisition) and now powers Claude Code, the
-    Claude Agent SDK, and other Anthropic AI tooling. A full Rust rewrite
-    (~960K lines, generated by Claude agents over ~6 days) merged to `main` on
-    2026-05-14 and passes 99.8% of the test suite. **Bun 1.3.14 is the last
-    Zig-based release.** External API surface (`bun`, `bunx`, `bun install`,
-    `bun test`, `bun build`, `bun --compile`) is unchanged, but watch 1.4.x
-    release notes for migration details. Monitor whether the broader
-    open-source community continues to benefit equally as the codebase
-    integrates more deeply with Anthropic's AI tooling.
+10. **Bun + Anthropic + Rust rewrite**: Bun was acquired by Anthropic on 2025-12-02
+    (Anthropic’s first acquisition) and now powers Claude Code, the Claude Agent SDK,
+    and other Anthropic AI tooling.
+    A full Rust rewrite (~960K lines, generated by Claude agents over ~6 days) merged to
+    `main` on 2026-05-14 and passes 99.8% of the test suite.
+    **Bun 1.3.14 is the last Zig-based release.** External API surface (`bun`, `bunx`,
+    `bun install`, `bun test`, `bun build`, `bun --compile`) is unchanged, but watch
+    1.4.x release notes for migration details.
+    Monitor whether the broader open-source community continues to benefit equally as
+    the codebase integrates more deeply with Anthropic’s AI tooling.
 
 11. **`bun audit`**: Now a documented command
     ([bun.com/docs/pm/cli/audit](https://bun.com/docs/pm/cli/audit)) with
-    `--audit-level=<low|moderate|high|critical>` and `--json` output. Should be
-    a required CI check (see [Supply-Chain Mitigation](#supply-chain-mitigation)).
-    A `bun audit signatures` equivalent to npm's signature verification has not
-    yet shipped — monitor.
+    `--audit-level=<low|moderate|high|critical>` and `--json` output.
+    Should be a required CI check (see
+    [Supply-Chain Mitigation](#supply-chain-mitigation)). A `bun audit signatures`
+    equivalent to npm’s signature verification has not yet shipped — monitor.
 
 * * *
 
@@ -2486,17 +2289,17 @@ testing features.
 **Notes**:
 
 - All pinned versions above are ≥14 days old as of 2026-05-21 per the
-  [Supply-Chain Mitigation](#supply-chain-mitigation) policy. Newer releases
-  may exist (`@biomejs/biome` 2.4.15, `lefthook` 2.1.8, `npm-check-updates`
-  22.2.0) but were too fresh at the time of this document update.
+  [Supply-Chain Mitigation](#supply-chain-mitigation) policy.
+  Newer releases may exist (`@biomejs/biome` 2.4.15, `lefthook` 2.1.8,
+  `npm-check-updates` 22.2.0) but were too fresh at the time of this document update.
 - `"check:ci": "biome ci ."` uses `biome ci` (stricter than `biome check` — errors on
   formatting issues)
 - `bun run --filter '*' <script>` delegates to each workspace package
 - The `@changesets/changelog-github` dependency is optional — use
   `"changelog": "@changesets/cli/changelog"` in `.changeset/config.json` for a simpler
   built-in changelog generator
-- `npm-check-updates` v22+ is pure ESM. Add `--cooldown 14` to every invocation per
-  the 14-day package-age rule (see Supply-Chain Mitigation section).
+- `npm-check-updates` v22+ is pure ESM. Add `--cooldown 14` to every invocation per the
+  14-day package-age rule (see Supply-Chain Mitigation section).
 
 ### Appendix C: Complete biome.json Example