hatch3r 1.8.0 → 2.0.0

package/dist/content/skills/hatch3r-testability-verify/SKILL.md

@@ -0,0 +1,147 @@
+---
+id: hatch3r-testability-verify
+name: hatch3r-testability-verify
+type: skill
+description: Testability verification gate before commit/release — per-feature test-class mandate map, real-deal-first ratio, coverage thresholds, AI eval coverage, mutation kill-rate, contract tests, property tests, determinism contract
+tags: [review, testing, floor:content-quality]
+scope: conditional
+globs: "src/__tests__/**,tests/**,test/**,spec/**,e2e/**,evals/**,**/stryker.conf.json,**/pom.xml,**/pacts/**"
+precedence: normal
+quality_charter: agents/shared/quality-charter.md
+efficiency_patterns: agents/shared/efficiency-patterns.md
+cache_friendly: true
+---
+# Testability Verification Gate
+
+## Quick Start
+
+This skill defines what "done" means for any feature shipping test code or a feature in a mandate-map class (parser, payment, RPC, state machine, UI, AI feature). Run before declaring a feature complete. The 8 gates below mix automated checks (machine-checkable on every PR) with one release-cadence gate (mutation kill rate at release-cut). Skipping any gate = the feature is not done. Passing unit tests and reviewer approval alone do not satisfy this bar — a feature in a mandate class without its mandated test shape ships untested risk.
+
+Inputs the skill expects:
+
+- A test directory under one of: `src/__tests__/`, `tests/`, `__tests__/`, `e2e/`, `test/`, `spec/`.
+- A coverage configuration in `vitest.config.ts`, `jest.config.js`, `pyproject.toml`, `pom.xml`, or `.coveragerc`.
+- A mutation-test config in `stryker.conf.json` or `pom.xml` (when payment/auth/critical paths exist).
+- A contract-test artifact path (`pacts/`, Schemathesis report) when service boundaries exist.
+- An AI eval harness manifest (`evals/manifest.yaml`, `prompts/manifest.yaml`) when LLM features ship.
+
+Outputs the skill produces: an 8-line verdict block written to the PR conversation, plus a JSON artifact at `.audit-workspace/testability-verify-<sha>.json` for downstream consumption by `hatch3r-release`.
+
+## Step 0 — Detect Ambiguity (P8 B1)
+
+Before any work, scan the invocation for unresolved questions in scope, intent, acceptance criteria, target environment, or irreversibility. If any are found, ask the user via the platform-native question tool per `agents/shared/user-question-protocol.md`. Default path, not exception. Triggers for THIS skill: feature-surface class (parser vs payment vs RPC vs state machine vs UI vs AI), gate selection (coverage-threshold vs mandate-map vs AI-eval vs full), mock-justification budget (review all vs review new mocks only), mutation-test floor changes mid-cycle, and whether to block on Low-confidence findings.
+
+## Fan-out Discipline (P8 B2)
+
+Fan-out scales with task size; token cost never justifies serializing independent work (`rules/hatch3r-fan-out-discipline.md` P8 B2; `agents/shared/efficiency-patterns.md`). Emit `sub_agents_spawned: { count, rationale }` in your output.
+
+## Invoked by
+
+This skill is the verification HARNESS — it declares HOW each testability gate is checked. The DISPATCHER that decides WHEN to run it is the CQ specialist agent:
+
+- `agents/hatch3r-testability.md` — invokes this skill as the closing testability gate (CQ5) on PRs modifying test code or features in a mandate-map class. The agent contributes the review trigger and Phase-4 dispatch; this skill contributes the 8-gate procedure.
+
+No duplication: the agent decides WHEN, this skill defines HOW.
+
+## Gate 1: Per-feature test-class mandate map compliance
+
+- For every changed feature, the mandated test class from `rules/hatch3r-testing.md` is present:
+  - parser → fuzz harness with documented corpus under `testdata/fuzz/`;
+  - payment → mutation test with documented kill-rate floor in `stryker.conf.json` or `pom.xml`;
+  - RPC → consumer + provider contract test under `pacts/` plus broker can-i-deploy gate;
+  - state machine → property test (fast-check or Hypothesis) with the invariant stated in a one-line comment;
+  - UI → visual regression suite with baselines under `__snapshots__/`.
+- Detection: read changed-file globs vs the mandate map; any miss → CRITICAL.
+
+## Gate 2: Real-deal test ratio ≥80%
+
+- Count: `(integration-tests-without-mocks) / (total-integration-tests) ≥ 0.80`.
+- Mocks detected by `grep -rn "// MOCK:" <test-dir>` plus framework-level helpers (`vi.mock`, `jest.mock`, `unittest.mock.patch`, `mockito.when`).
+- Every remaining mock carries `// MOCK: <reason>` comment + reviewer-acknowledged justification linked to a tracking issue.
+- Mock without the marker → FINDINGS row per mock. Ratio <80% → FINDINGS at suite level.
+
+## Gate 3: Coverage thresholds met per file class
+
+- Global floor 78% statements / 65% branches / 80% functions / 80% lines from `vitest.config.ts` (or equivalent).
+- Critical modules in this repo: `src/merge/` 90/80/90/90; `src/content/` 85/70/85/85; `src/adapters/customization.ts` 85/75/85/85.
+- Read coverage from `coverage/coverage-summary.json` (Istanbul/v8) or `coverage.xml` (Cobertura).
+- Below floor → FINDINGS with the specific module + metric named.
+
+## Gate 4: AI feature eval coverage 100%
+
+- Every AI feature ships golden examples + adversarial cases + regression suite running in CI on prompt or model changes.
+- Hallucination rate measured per release on a labelled sample and tracked as an SLI per Anthropic engineering guidance; threshold breach blocks rollout.
+- Detection: read the eval manifest, confirm CI workflow triggers on prompt/model file changes, read the SLI dashboard URL.
+- Eval coverage <100% on a release-bound prompt or model change → CRITICAL.
+
+## Gate 5: Mutation-test kill rate on critical paths
+
+- Stryker for JS/TS (`stryker run --incremental`, read `reports/mutation/mutation.json` → `metrics.mutationScore`).
+- Pitest for JVM (`mvn org.pitest:pitest-maven:mutationCoverage`, read `target/pit-reports/mutations.xml` → `mutationCoverage`).
+- Common 2026 floor: mutation score ≥80% on payment + auth + `critical`-labelled paths per qaskills.sh 2026.
+- Below floor → FINDINGS with the surviving-mutant count and file list.
+
+## Gate 6: Property-based tests on pure functions with stated invariants
+
+- Each pure function with a stated invariant carries a fast-check (`fc.property(fc.<arb>, fn => { /* invariant */ })`) or Hypothesis (`@given(...)`) test.
+- The invariant is documented in a one-line `// invariant:` comment above the test.
+- Missing invariant comment or missing test → FINDINGS row per function.
+- Pattern reference: MarkTechPost 2026 stateful / differential / metamorphic patterns.
+
+## Gate 7: Contract tests on every service-to-service boundary
+
+- Consumer-driven Pact pacts published to a broker (`pact-broker can-i-deploy --pacticipant <svc> --version <sha> --to production`).
+- Spec-driven Schemathesis (`schemathesis run --checks all <openapi.yaml>`) executed against staging.
+- Missing or failing → CRITICAL on auth/payment paths, FINDINGS elsewhere.
+- Cross-reference: `rules/hatch3r-contract-testing.md`.
+
+## Gate 8: Determinism contract — 0 flaky tests over 30 days
+
+- Read CI flake history: `gh run list --status failure --created >=$(date -d '30 days ago' +%Y-%m-%d) --json conclusion,name,startedAt | jq '[.[] | select(.conclusion=="failure")] | length'`.
+- Quarantined tests carry a tracking issue assignee and a re-enable date, not `test.skip` / `test.todo` / `@pytest.mark.skip` in perpetuity.
+- Flake count >0 with no owner → FINDINGS. Silenced flake without tracking issue → FINDINGS per occurrence.
+
+## Pass criteria
+
+All 8 gates pass = the feature is "done". Anything less = not done.
+
+- Mandate-map class compliance: 100% on changed features.
+- Real-deal ratio: ≥80% per cycle.
+- Coverage floors: met per file class (global 78/65/80/80; critical modules per `.claude/rules/test-requirements.md`).
+- AI eval coverage: 100% on release-bound prompt or model changes.
+- Mutation kill rate: ≥80% on payment + auth + critical paths.
+- Property-test coverage: 100% of pure functions with stated invariants.
+- Contract-test parity: 100% of service boundaries; broker `can-i-deploy` exit 0.
+- Flake count over 30 days: 0 (or quarantined with owner + re-enable date).
+
+## On fail
+
+The orchestrator running this skill emits a single-line verdict per gate (`GATE_N: PASS|FAIL <evidence-path>`) and aggregates them. One FAIL on a required gate blocks the merge regardless of reviewer approval status.
+
+Failure escalation per `agents/hatch3r-testability.md` status mapping: Gate 1 fail (mandate-map class missing) → CRITICAL; Gate 4 fail (AI eval coverage <100%) → CRITICAL; Gate 7 fail on auth/payment → CRITICAL; Gates 2/3/5/6/8 → FINDINGS at High or Medium.
+
+## When this skill runs
+
+- Reviewer on any PR that modifies test code, removes tests, or introduces a feature in a mandate-map class.
+- Implementer pre-write check when authoring new feature tests.
+- Verifier pre-merge gate immediately before `gh pr merge` on protected branches.
+- AI feature release gate before a prompt/model bump ships to production traffic.
+- Quarterly audit on real-deal ratio drift.
+
+## Cross-References
+
+- `rules/hatch3r-testing.md` — per-feature test-class mandate map.
+- `rules/hatch3r-ai-evals.md` — AI feature eval coverage.
+- `rules/hatch3r-contract-testing.md` — Pact + Schemathesis boundaries.
+- `.claude/rules/test-requirements.md` — coverage thresholds per file class.
+- `agents/shared/quality-charter.md` §Testing depth — mock-justification budget.
+
+## References
+
+- Stryker Mutator — `stryker-mutator.io/docs/`
+- Stryker 2026 floor guidance — `qaskills.sh/blog/mutation-testing-stryker-guide`
+- Hypothesis property-based testing 2026 patterns — `marktechpost.com/2026/04/18/a-coding-guide-for-property-based-testing-using-hypothesis-with-stateful-differential-and-metamorphic-test-design/`
+- Pact contract testing — `docs.pact.io/`
+- Schemathesis — `schemathesis.readthedocs.io/`
+- Anthropic engineering evals — `www.anthropic.com/engineering/demystifying-evals-for-ai-agents`
+- AI hallucination benchmarks 2026 — `suprmind.ai/hub/ai-hallucination-rates-and-benchmarks/`

package/{skills → dist/content/skills}/hatch3r-ui-ux-verify/SKILL.md

@@ -1,8 +1,9 @@
 ---
 id: hatch3r-ui-ux-verify
+name: hatch3r-ui-ux-verify
 type: skill
 description: UI/UX verification gate before declaring a feature done — axe-core, scripted keyboard trace, accessibility-tree snapshot, four-state coverage, visual-regression baseline, one human screen-reader pass per release
-tags: [ui, ux, a11y]
+tags: [review, floor:ui-ux, ui, ux, a11y]
 quality_charter: agents/shared/quality-charter.md
 efficiency_patterns: agents/shared/efficiency-patterns.md
 cache_friendly: true
@@ -19,12 +20,16 @@ Before any work, scan the invocation for unresolved questions in scope, intent,
 
 ## Fan-out Discipline (P8 B2)
 
-This skill delegates per task size:
-- Tier 1 (trivial single-file): inline execution acceptable.
-- Tier 2 (multi-file or multi-concern): spawn parallel sub-agents per concern via the Task tool.
-- Tier 3 (multi-module / high-risk): one fresh sub-agent per independent module or gate; orchestrator integrates only.
+Fan-out scales with task size; token cost never justifies serializing independent work (`rules/hatch3r-fan-out-discipline.md` P8 B2; `agents/shared/efficiency-patterns.md`). Emit `sub_agents_spawned: { count, rationale }` in your output.
 
-Never under-fan-out to save tokens. Token cost is dominated by quality and completeness gains. Emit `sub_agents_spawned: { count, rationale }` in your output.
+## Invoked by
+
+This skill is the verification HARNESS — it declares HOW each UI/UX gate is checked. The DISPATCHERS that decide WHEN to run it are the CQ specialist agents:
+
+- `agents/hatch3r-ui.md` — invokes this skill as the axe-core + keyboard-trace + four-state + visual-regression + Core Web Vitals gate (CQ1). The agent contributes trigger conditions and Phase-4 dispatch; this skill contributes the 9-gate procedure.
+- `agents/hatch3r-ux.md` — invokes this skill when keyboard-trace, microcopy-lint, or human-screen-reader-pass gates flag a UX-pillar delta (CQ2).
+
+No duplication: the agent decides WHEN, this skill defines HOW. The agent bodies cite this skill in their Phase-4 output contract; this subsection is the symmetric upstream citation per `rules/hatch3r-agent-orchestration.md` (Phase-4 dispatch).
 
 ## Gate 1: Automated a11y scan (axe-core via Playwright)
 
@@ -63,10 +68,10 @@ Never under-fan-out to save tokens. Token cost is dominated by quality and compl
   - **loading** (skeleton)
   - **empty** (with CTA)
   - **error** (cause + retry)
-  - **partial** (banner + degraded data)
+  - **partial** (banner + degraded data) — the only state needing two concurrent requests at opposite outcomes; fixture it via the partial-state recipe (MSW 200+500 in one worker, or `Promise.allSettled` with a forced rejection) in `rules/hatch3r-ux-states-and-flows.md` -> Partial-state fixture recipe.
 - Missing snapshot = blocker.
 - Convention: `src/__tests__/states/<feature>.<state>.spec.ts`.
-- Discovery: a pre-test script greps for async data hooks (`useQuery`, `useSWR`, `fetch`, `axios`) and emits the list of features that must have all four state files. Missing files fail the gate before any test runs.
+- Discovery (reviewer-driven; no shipped script): grep the project for async data hooks — `rg -l 'useQuery|useSWR|\bfetch\(|axios'` — and list the surfaces that read remote data. Each listed surface must have all four state files under the convention path above. The reviewer flags any surface missing a state file as a Gate-4 failure. Projects that want this enforced pre-test author their own discovery check wired into CI; hatch3r ships the pattern, not the script (the framework does not own the project's data-fetch taxonomy).
 
 ## Gate 5: Visual regression baseline
 
@@ -93,14 +98,17 @@ Never under-fan-out to save tokens. Token cost is dominated by quality and compl
 
 ## Gate 8: AI-UX checks (when applicable)
 
-Applies only when the feature ships LLM-driven UI:
+Applies only when the feature ships LLM-driven UI. These 7 checks mirror the Verification Gate in `rules/hatch3r-ai-ux-patterns.md` one-for-one — running Gate 8 means executing all 7, not just the streaming/tool-call subset:
 
 - Streaming hooks in use — grep for `useChat`, `useCompletion`, `streamUI`, or the framework equivalent.
-- Tool-call cards visible by default — assert at least one rendered card per tool invocation in fixtures.
+- Tool-call cards visible by default — assert at least one rendered card per tool invocation in fixtures, with a snapshot per state (`pending`, `in-progress`, `complete`, `failed`).
 - Human-approval gates present for side-effectful tools — assert an approval card before `write`, `send`, or `post` tool calls.
-- Cancel/abort controls present and wired to an `AbortController`.
+- Cancel/abort/undo controls present and wired to an `AbortController` — cancellation produces a transcript marker, not a silent terminate.
+- Citation rendering — a grounded response renders an inline citation with source URL or anchor (snapshot test); an ungroundable claim renders the not-found flag string rather than emitting silently.
+- Failure-mode coverage — at least one test per AI failure mode: timeout, rate limit, token budget, tool unavailability, stream interruption, content-policy refusal, stale session. Missing coverage on any mode is a blocker.
+- Accessibility on AI states — axe-core scan against each AI surface state (idle, streaming, tool-call pending, approval-card open, error) returns 0 serious or critical violations.
 
-Cross-reference: `rules/hatch3r-ai-ux-patterns.md` (Slice 5).
+Cross-reference: `rules/hatch3r-ai-ux-patterns.md` — the "Verification Gate" section is the canonical 7-item list this gate executes; the "Cancel / Abort / Undo", "Citations and Grounding", and "Failure Modes and Degradation" sections define the expected behavior each check asserts.
 
 ## Gate 9: Manual screen-reader pass (per release, not per PR)
 

package/{skills → dist/content/skills}/hatch3r-visual-refactor/SKILL.md

@@ -1,7 +1,9 @@
 ---
 id: hatch3r-visual-refactor
+name: hatch3r-visual-refactor
+type: skill
 description: UI/UX change workflow matching design, accessibility, and responsiveness requirements. Use when making visual changes, updating components, working on UI issues, or implementing design mockups.
-tags: [implementation]
+tags: [implementation, floor:ui-ux]
 quality_charter: agents/shared/quality-charter.md
 efficiency_patterns: agents/shared/efficiency-patterns.md
 cache_friendly: true
@@ -28,12 +30,7 @@ Before any work, scan the invocation for unresolved questions in scope, intent,
 
 ## Fan-out Discipline (P8 B2)
 
-This skill delegates per task size:
-- Tier 1 (trivial single-file): inline execution acceptable.
-- Tier 2 (multi-file or multi-concern): spawn parallel sub-agents per concern via the Task tool.
-- Tier 3 (multi-module / high-risk): one fresh sub-agent per independent module or gate; orchestrator integrates only.
-
-Never under-fan-out to save tokens. Token cost is dominated by quality and completeness gains. Emit `sub_agents_spawned: { count, rationale }` in your output.
+Fan-out scales with task size; token cost never justifies serializing independent work (`rules/hatch3r-fan-out-discipline.md` P8 B2; `agents/shared/efficiency-patterns.md`). Emit `sub_agents_spawned: { count, rationale }` in your output.
 
 ## Step 1: Read Inputs
 
@@ -70,9 +67,11 @@ Before modifying code, output:
 - Animations at 60fps (if applicable).
 
 ```bash
-npm run lint && npm run typecheck && npm run test
+${HATCH3R:VERIFY_GATE_ALL}
 ```
 
+Resolved to the project's language-aware gate at sync time (fallback when detection is unknown: `npm run lint && npm run typecheck && npm run test`).
+
 ### 4b. Browser Verification
 
 - Confirm the dev server is running by checking the expected port. If not running, start it in the background.
@@ -111,3 +110,8 @@ Use the project's PR template. Include:
 - [ ] Snapshot tests updated
 - [ ] No visual regressions
 - [ ] Design system tokens used (no ad-hoc styling)
+
+## References
+
+- [Understanding SC 1.4.3: Contrast (Minimum) — W3C WCAG 2.2](https://www.w3.org/WAI/WCAG22/Understanding/contrast-minimum.html) — accessed 2026-05-31, official-docs (W3C). Source for the 4.5:1 AA text-contrast threshold verified in Step 1 and the Definition of Done.
+- [Design Tokens Format Module — W3C Design Tokens Community Group](https://tr.designtokens.org/format/) — accessed 2026-05-31, official-docs (W3C DTCG). Source for the design-token-over-ad-hoc-styling discipline (color, spacing, typography) the reuse/extend/create path enforces.

package/package.json

@@ -1,40 +1,57 @@
 {
   "name": "hatch3r",
-  "version": "1.8.0",
-  "description": "Battle-tested agentic coding setup framework. One command to hatch your agent stack -- agents, skills, rules, commands, and MCP for every major AI coding tool.",
+  "version": "2.0.0",
+  "description": "Agentic coding setup framework audited each release across 24 governance domains. One command to hatch your agent stack -- agents, skills, rules, commands, and MCP for Claude Code, Cursor, and GitHub Copilot.",
   "type": "module",
-  "exports": {
-    ".": {
-      "import": "./dist/cli/index.js",
-      "types": "./dist/cli/index.d.ts"
-    }
-  },
   "bin": {
     "hatch3r": "./dist/cli/index.js"
   },
   "scripts": {
-    "build": "tsup",
+    "build": "tsup && tsx scripts/copy-content.ts",
+    "postbuild": "tsx scripts/copy-content.ts",
     "dev": "tsup --watch",
     "lint": "eslint src/",
     "typecheck": "tsc --noEmit",
-    "prepublishOnly": "npm run build",
+    "prepublishOnly": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true})\" && npm run build",
     "test": "vitest run",
+    "test:ci": "vitest run --no-update",
     "test:watch": "vitest",
     "inventory": "tsx scripts/inventory.ts",
     "inventory:check-docs": "tsx scripts/inventory.ts --check-docs",
     "validate:rule-parity": "tsx scripts/validate-rule-parity.ts && tsx scripts/validate-rule-pillar-currency.ts",
-    "validate:efficiency": "tsx scripts/validate-efficiency-invariants.ts && tsx scripts/validate-bridge-budget.ts && tsx scripts/validate-fanout-emission.ts",
+    "validate:efficiency": "tsx scripts/validate-efficiency-invariants.ts && tsx scripts/validate-bridge-budget.ts && tsx scripts/validate-fanout-emission.ts && tsx scripts/validate-tag-order.ts && tsx scripts/validate-modes-parity.ts && tsx scripts/validate-governance-currency.ts && tsx scripts/validate-traceability-matrix.ts && tsx scripts/validate-decision-id-consistency.ts && tsx scripts/validate-repo-token-adoption.ts && tsx scripts/validate-verify-gate-literals.ts && tsx scripts/validate-customize-doc-examples.ts && tsx scripts/validate-archive-path-currency.ts && tsx scripts/validate-references-currency.ts && tsx scripts/validate-pricing-currency.ts && tsx scripts/validate-subagent-casing.ts && tsx scripts/validate-governance-total.ts",
+    "validate:subagent-casing": "tsx scripts/validate-subagent-casing.ts",
+    "validate:references-currency": "tsx scripts/validate-references-currency.ts",
+    "validate:pricing-currency": "tsx scripts/validate-pricing-currency.ts",
     "validate:cli-skills": "tsx scripts/validate-cli-skills.ts",
     "validate:wiring": "tsx scripts/validate-wiring.ts",
+    "validate:control-reachability": "tsx scripts/validate-control-reachability.ts",
+    "validate:anti-slop": "tsx scripts/validate-anti-slop.ts",
+    "validate:specialist-roster": "tsx scripts/validate-specialist-roster.ts",
+    "validate:severity-vocabulary": "tsx scripts/validate-severity-vocabulary.ts",
+    "validate:retired-agent-refs": "tsx scripts/validate-retired-agent-refs.ts",
+    "validate:fanout-path": "tsx scripts/validate-fanout-path-currency.ts",
+    "validate:archive-path": "tsx scripts/validate-archive-path-currency.ts",
+    "validate:canonical": "tsx scripts/validate-canonical.ts",
+    "validate:adapter-parity": "tsx scripts/validate-adapter-output.ts",
+    "validate:trust-crosswalk": "tsx scripts/validate-trust-crosswalk-citations.ts",
+    "validate:id-uniqueness": "tsx scripts/validate-id-uniqueness.ts",
     "generate:cli-skills": "tsx scripts/generate-cli-skills.ts",
-    "validate": "npm run validate:rule-parity && npm run validate:efficiency && npm run validate:cli-skills && npm run validate:wiring",
+    "calibrate:tier-weights": "tsx scripts/calibrate-tier-weights.ts",
+    "validate": "npm run validate:rule-parity && npm run validate:efficiency && npm run validate:cli-skills && npm run validate:wiring && npm run validate:control-reachability && npm run validate:anti-slop && npm run validate:specialist-roster && npm run validate:severity-vocabulary && npm run validate:retired-agent-refs && npm run validate:fanout-path && npm run validate:canonical && npm run validate:adapter-parity && npm run validate:trust-crosswalk && npm run validate:id-uniqueness && npm run validate:codeowners && npm run validate:content-duplication",
     "audit:validate-registry": "tsx scripts/validate-finding-registry.ts",
     "audit:migrate": "tsx scripts/migrate-finding-registry.ts",
     "audit:archive": "tsx scripts/audit-archive.ts",
     "audit:find": "tsx scripts/audit-find.ts",
+    "audit:closed-loop": "tsx scripts/audit-closed-loop-report.ts",
+    "audit:stalled": "tsx scripts/audit-stalled-strategic.ts",
     "audit:reset": "tsx scripts/clean-audit-workspace.ts",
-    "lockfile:check": "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https",
-    "mcp:cve-check": "tsx scripts/check-mcp-cves.ts"
+    "lockfile:check": "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https --validate-integrity --validate-package-names",
+    "mcp:cve-check": "tsx scripts/check-mcp-cves.ts",
+    "cli-tools:cve-check": "tsx scripts/check-cli-cves.ts",
+    "validate:action-pins": "tsx scripts/validate-action-pins.ts",
+    "validate:codeowners": "tsx scripts/validate-codeowners.ts",
+    "validate:content-duplication": "tsx scripts/validate-content-duplication.ts"
   },
   "keywords": [
     "agents",
@@ -43,12 +60,6 @@
     "cursor",
     "copilot",
     "claude",
-    "opencode",
-    "windsurf",
-    "amp",
-    "codex",
-    "gemini",
-    "cline",
     "agentic",
     "ai-agents",
     "mcp",
@@ -73,47 +84,43 @@
     "node": ">=22.0.0"
   },
   "files": [
-    "dist/cli/",
-    "agents/",
-    "checks/",
-    "commands/",
-    "rules/",
-    "skills/",
-    "prompts/",
-    "github-agents/",
-    "mcp/",
-    "hooks/",
+    "dist/",
     "README.md",
     "LICENSE"
   ],
   "dependencies": {
-    "boxen": "^8.0.1",
-    "chalk": "^5.4.0",
-    "commander": "^14.0.3",
-    "inquirer": "^13.3.2",
-    "ora": "^9.3.0",
-    "p-limit": "^3.1.0",
-    "proper-lockfile": "^4.1.2",
-    "update-notifier": "^7.3.1",
-    "yaml": "^2.8.3"
+    "@inquirer/core": "11.2.1",
+    "@inquirer/figures": "2.0.7",
+    "boxen": "8.0.1",
+    "chalk": "5.6.2",
+    "commander": "15.0.0",
+    "inquirer": "14.0.2",
+    "ora": "9.4.0",
+    "p-limit": "^7.3.0",
+    "proper-lockfile": "4.1.2",
+    "update-notifier": "7.3.1",
+    "yaml": "2.9.0"
   },
   "devDependencies": {
-    "@types/node": "^25.5.0",
+    "@types/node": "^26.0.0",
     "@types/proper-lockfile": "^4.1.4",
     "@types/update-notifier": "^6.0.8",
-    "@vitest/coverage-v8": "^4.1.2",
-    "eslint": "^10.1.0",
+    "@vitest/coverage-v8": "^4.1.9",
+    "eslint": "^10.5.0",
     "lockfile-lint": "^5.0.0",
     "tsup": "^8.0.0",
-    "tsx": "^4.21.0",
+    "tsx": "^4.22.4",
     "typescript": "^6.0.2",
-    "typescript-eslint": "^8.57.2",
+    "typescript-eslint": "^8.61.1",
     "vitest": "^4.1.2"
   },
   "overrides": {
-    "flatted": "^3.4.2"
+    "flatted": "^3.4.2",
+    "brace-expansion": "^5.0.6"
   },
   "comments": {
-    "overrides/flatted": "Pinned to >=3.4.2 to resolve security advisory in transitive eslint > flat-cache > flatted dependency"
+    "overrides/flatted": "Pinned to >=3.4.2 to resolve security advisory in transitive eslint > flat-cache > flatted dependency",
+    "overrides/brace-expansion": "Pinned to >=5.0.6 to resolve GHSA-jxxr-4gwj-5jf2 (CWE-400, CVSS 6.5, patched 5.0.6) in transitive dev dependency minimatch@10.2.4 > brace-expansion (was 5.0.5). Surgical override preferred over `npm audit fix`, which pulls 78 new platform-binary packages.",
+    "dependencies/p-limit": "Cycle 10 L D4-SA4.2-F4.2.5 (D4): p-limit held at 3.1.0 is 4 majors behind 7.3.0 (no CVE — pure P3 currency hygiene). The bump is API-compatible: the only behavioral delta across majors 4-7 is the CommonJS drop, non-applicable here (hatch3r is pure ESM, engines node >=22), and all three call sites use the stable default-export `pLimit(concurrency)` signature — src/workspace/sync.ts, src/workspace/manifest.ts, src/pipeline/complianceVerification.ts. BLOCKED for a no-network audit SA, not deferrable by hand: bumping the spec alone desyncs package-lock.json (currently pins p-limit 3.1.0 + yocto-queue ^0.1.0 at lines ~4705-4727, AND a second transitive `p-limit ^3.0.2` requirer), and `release.yml` 'Verify lockfile sync' (git diff --exit-code package-lock.json) plus every `npm ci` integrity check fail closed on a spec-only or hand-edited lockfile. p-limit 7.x drops yocto-queue for a different internal queue, so the new resolved tree + SHA-512 integrity hashes can only come from the npm resolver. Follow-up (one commit): run `npm install` to land package.json (^7.3.0) + the regenerated lockfile together, then `npm test` to confirm the three pLimit call sites still pass."
   }
 }

package/agents/hatch3r-a11y-auditor.md

@@ -1,159 +0,0 @@
----
-id: hatch3r-a11y-auditor
-type: agent
-description: Accessibility specialist who audits for WCAG AA compliance. Use when auditing accessibility, reviewing UI components, or fixing a11y issues.
-model: standard
-tags: [review, a11y]
-quality_charter: agents/shared/quality-charter.md
-efficiency_patterns: agents/shared/efficiency-patterns.md
-efficiency_tier: standard
-cache_friendly: true
-parallel_tool_default: true
----
-> **Severity vocabulary:** see [governance/audit/templates/severity-mapping.md](../governance/audit/templates/severity-mapping.md) for canonical 5-column mapping. This agent's output rubric uses WCAG-domain terms `Critical/Major/Minor` which map to canonical `Critical/Medium/Low` respectively (WCAG A blockers → Critical; AA violations → Medium; advisory AA/AAA → Low).
-
-You are an accessibility specialist for the project.
-
-## §0 Detect Ambiguity (P8 B1)
-
-Before any action, scan the brief for unresolved questions in scope, acceptance criteria, irreversibility, or constraint conflicts (WCAG level target, which surfaces, whether autofix is in scope). If any are found, ask the user via the platform-native question tool per `agents/shared/user-question-protocol.md` — do not proceed under silent assumption. This is the default path, not an exception. Acceptable to proceed without asking ONLY when scope is single-file, single-concern, and the brief alone is testable.
-
-## Your Role
-
-- You audit WCAG AA compliance across the web app and embedded surfaces.
-- You verify keyboard navigation for all interactive elements.
-- You check color contrast ratios against the 4.5:1 minimum.
-- You validate ARIA attributes and live regions for dynamic content.
-- You verify `prefers-reduced-motion` is respected by checking that all animations are disabled or simplified when the media query is active.
-
-## Key Files
-
-- UI components (e.g., `src/ui/**/*.vue` or equivalent)
-- Embedded widgets or IDE surfaces
-
-## Key Specs
-
-- Project documentation on quality engineering and accessibility requirements
-
-## Browser-Based Audit
-
-Use browser automation MCP to perform live accessibility audits in the running application:
-
-- Start the dev server if not already running.
-- Navigate to each page or surface being audited.
-- **Keyboard navigation:** Tab through all interactive elements in the browser. Verify logical tab order, visible focus indicators, and no focus traps. Test Escape for modals, Enter/Space for buttons.
-- **Color contrast:** Inspect rendered text against backgrounds in the live UI. Use browser DevTools or screenshots to verify contrast ratios.
-- **ARIA and screen reader:** Check that dynamic content updates trigger `aria-live` announcements. Verify ARIA attributes render in the DOM with valid roles and states via browser inspection.
-- **Reduced motion:** Enable `prefers-reduced-motion: reduce` in browser DevTools and verify animations are disabled or simplified.
-- **Screenshot evidence:** Capture screenshots of each audited surface for the audit report.
-
-Browser verification provides ground-truth confirmation that cannot be achieved through static code analysis alone.
-
-## Standards to Enforce
-
-Follow the full accessibility standards defined in `.agents/rules/hatch3r-accessibility-standards.md` (WCAG 2.2 AA compliance, keyboard navigation, focus management, color/contrast, screen reader support, ARIA patterns, motion, forms). Summary of key thresholds:
-
-| Requirement         | Standard | Details                                                          |
-| ------------------- | -------- | ---------------------------------------------------------------- |
-| Reduced motion      | WCAG 2.2 | All animations respect `prefers-reduced-motion` and user setting |
-| Color contrast      | WCAG AA  | Text contrast ratio >= 4.5:1, non-text >= 3:1                   |
-| Keyboard navigation | WCAG 2.2 | All interactive elements focusable with visible focus indicator  |
-| Screen reader       | WCAG 2.2 | Dynamic state announced via `aria-live` regions                  |
-| High contrast mode  | Custom   | User-configurable high contrast theme supported                  |
-
-## Commands
-
-- Run tests to verify no regression after a11y changes
-- Run lint to catch a11y lint rules (e.g., vuejs-accessibility, eslint-plugin-jsx-a11y)
-
-## External Knowledge
-
-Follow the shared protocol in `agents/shared/external-knowledge.md` (tooling hierarchy, platform CLI, Context7 MCP, web research).
-
-**Context7 focus for this agent:**
-- ARIA patterns and component accessibility APIs for the project's UI framework (React ARIA, Radix UI, Headless UI, Vuetify a11y props)
-- Accessibility testing library APIs (axe-core, jest-axe, Playwright accessibility snapshots) for audit automation
-
-**Web research focus for this agent:**
-- Current WCAG success criteria interpretation, WAI-ARIA Authoring Practices, and design pattern guidance for complex interactive components
-- Screen reader compatibility notes across assistive technologies (NVDA, JAWS, VoiceOver)
-
-## Confidence Expression
-
-Rate every finding, compliance assessment, and fix suggestion as **high**, **medium**, or **low** confidence per the quality charter (`agents/shared/quality-charter.md`):
-
-- **High:** Verified against current code and WCAG criteria — you inspected the rendered output or source, traced the interaction, and confirmed the violation.
-- **Medium:** Based on established accessibility patterns but not fully verified against the specific component or interaction. Likely correct but could depend on runtime behavior.
-- **Low:** Best professional judgment based on general WCAG principles. Recommend human review or assistive technology testing before acting on this.
-
-Include confidence in the output: each finding row and the overall **Status** should state their confidence level.
-
-## Sub-Agent Delegation
-
-When auditing multiple pages or surfaces:
-
-1. **Identify audit targets**: List all pages/routes/surfaces to audit.
-2. **Spawn one sub-agent per surface** using the Task tool. Provide: surface URL/route, relevant component files, WCAG criteria to check.
-3. **Run surface audits in parallel** — as many as the platform supports.
-4. **Aggregate findings** from all sub-agents into a single consolidated report.
-5. **De-duplicate findings** that appear across multiple surfaces (e.g., shared component with missing focus indicator).
-
-## Output Format
-
-```
-## Accessibility Audit Result: {surface/page}
-
-**Status:** PASS | PARTIAL | FAIL
-
-**Findings:**
-
-| # | Severity | WCAG Criterion | Description | Location | Fix Suggestion |
-|---|----------|---------------|-------------|----------|----------------|
-| 1 | Critical | 2.1.1 Keyboard | ... | ... | ... |
-
-**Summary:**
-- Critical: {n} | Major: {n} | Minor: {n}
-- WCAG AA compliance: {YES/NO}
-- Reduced motion: {VERIFIED/NOT VERIFIED}
-
-**Browser verification:**
-- VERIFIED | SKIPPED | N/A
-- (screenshots or observations)
-
-**Issues encountered:**
-- (blockers, missing test infrastructure, etc.)
-
-**Notes:**
-- (follow-up items, deferred minor findings)
-```
-
-## Boundaries
-
-- **Always:** Test keyboard navigation, contrast, ARIA attributes, and reduced motion support. Use browser MCP for live verification when available.
-- **Ask first:** Before changing component APIs or props for a11y (may affect consumers)
-- **Never:** Remove existing a11y features, ignore contrast requirements, or skip `prefers-reduced-motion` for animations
-
-## Example
-
-**Invocation:** Audit the settings page for WCAG AA compliance.
-
-**Output:**
-
-```
-## Accessibility Audit Result: Settings Page
-
-**Status:** PARTIAL
-
-**Findings:**
-
-| # | Severity | WCAG Criterion | Description | Location | Fix Suggestion |
-|---|----------|---------------|-------------|----------|----------------|
-| 1 | Critical | 2.1.1 Keyboard | Theme toggle button not focusable via Tab key | src/components/ThemeToggle.vue | Add `tabindex="0"` and `role="switch"` with `aria-checked` |
-| 2 | Major | 1.4.3 Contrast | "Save" button text contrast is 3.2:1 against background | src/components/SettingsForm.vue | Change button text to `--color-text-primary` token (4.8:1) |
-| 3 | Minor | 4.1.2 Name/Role | Dropdown menu has no accessible label | src/components/LocaleSelector.vue | Add `aria-label="Select language"` |
-
-**Summary:**
-- Critical: 1 | Major: 1 | Minor: 1
-- WCAG AA compliance: NO (1 keyboard blocker)
-- Reduced motion: VERIFIED — all animations respect prefers-reduced-motion
-```