hatch3r 1.9.0 → 2.0.0

package/dist/content/skills/hatch3r-testability-verify/SKILL.md

@@ -0,0 +1,147 @@
+---
+id: hatch3r-testability-verify
+name: hatch3r-testability-verify
+type: skill
+description: Testability verification gate before commit/release — per-feature test-class mandate map, real-deal-first ratio, coverage thresholds, AI eval coverage, mutation kill-rate, contract tests, property tests, determinism contract
+tags: [review, testing, floor:content-quality]
+scope: conditional
+globs: "src/__tests__/**,tests/**,test/**,spec/**,e2e/**,evals/**,**/stryker.conf.json,**/pom.xml,**/pacts/**"
+precedence: normal
+quality_charter: agents/shared/quality-charter.md
+efficiency_patterns: agents/shared/efficiency-patterns.md
+cache_friendly: true
+---
+# Testability Verification Gate
+
+## Quick Start
+
+This skill defines what "done" means for any feature shipping test code or a feature in a mandate-map class (parser, payment, RPC, state machine, UI, AI feature). Run before declaring a feature complete. The 8 gates below mix automated checks (machine-checkable on every PR) with one release-cadence gate (mutation kill rate at release-cut). Skipping any gate = the feature is not done. Passing unit tests and reviewer approval alone do not satisfy this bar — a feature in a mandate class without its mandated test shape ships untested risk.
+
+Inputs the skill expects:
+
+- A test directory under one of: `src/__tests__/`, `tests/`, `__tests__/`, `e2e/`, `test/`, `spec/`.
+- A coverage configuration in `vitest.config.ts`, `jest.config.js`, `pyproject.toml`, `pom.xml`, or `.coveragerc`.
+- A mutation-test config in `stryker.conf.json` or `pom.xml` (when payment/auth/critical paths exist).
+- A contract-test artifact path (`pacts/`, Schemathesis report) when service boundaries exist.
+- An AI eval harness manifest (`evals/manifest.yaml`, `prompts/manifest.yaml`) when LLM features ship.
+
+Outputs the skill produces: an 8-line verdict block written to the PR conversation, plus a JSON artifact at `.audit-workspace/testability-verify-<sha>.json` for downstream consumption by `hatch3r-release`.
+
+## Step 0 — Detect Ambiguity (P8 B1)
+
+Before any work, scan the invocation for unresolved questions in scope, intent, acceptance criteria, target environment, or irreversibility. If any are found, ask the user via the platform-native question tool per `agents/shared/user-question-protocol.md`. Default path, not exception. Triggers for THIS skill: feature-surface class (parser vs payment vs RPC vs state machine vs UI vs AI), gate selection (coverage-threshold vs mandate-map vs AI-eval vs full), mock-justification budget (review all vs review new mocks only), mutation-test floor changes mid-cycle, and whether to block on Low-confidence findings.
+
+## Fan-out Discipline (P8 B2)
+
+Fan-out scales with task size; token cost never justifies serializing independent work (`rules/hatch3r-fan-out-discipline.md` P8 B2; `agents/shared/efficiency-patterns.md`). Emit `sub_agents_spawned: { count, rationale }` in your output.
+
+## Invoked by
+
+This skill is the verification HARNESS — it declares HOW each testability gate is checked. The DISPATCHER that decides WHEN to run it is the CQ specialist agent:
+
+- `agents/hatch3r-testability.md` — invokes this skill as the closing testability gate (CQ5) on PRs modifying test code or features in a mandate-map class. The agent contributes the review trigger and Phase-4 dispatch; this skill contributes the 8-gate procedure.
+
+No duplication: the agent decides WHEN, this skill defines HOW.
+
+## Gate 1: Per-feature test-class mandate map compliance
+
+- For every changed feature, the mandated test class from `rules/hatch3r-testing.md` is present:
+  - parser → fuzz harness with documented corpus under `testdata/fuzz/`;
+  - payment → mutation test with documented kill-rate floor in `stryker.conf.json` or `pom.xml`;
+  - RPC → consumer + provider contract test under `pacts/` plus broker can-i-deploy gate;
+  - state machine → property test (fast-check or Hypothesis) with the invariant stated in a one-line comment;
+  - UI → visual regression suite with baselines under `__snapshots__/`.
+- Detection: read changed-file globs vs the mandate map; any miss → CRITICAL.
+
+## Gate 2: Real-deal test ratio ≥80%
+
+- Count: `(integration-tests-without-mocks) / (total-integration-tests) ≥ 0.80`.
+- Mocks detected by `grep -rn "// MOCK:" <test-dir>` plus framework-level helpers (`vi.mock`, `jest.mock`, `unittest.mock.patch`, `mockito.when`).
+- Every remaining mock carries `// MOCK: <reason>` comment + reviewer-acknowledged justification linked to a tracking issue.
+- Mock without the marker → FINDINGS row per mock. Ratio <80% → FINDINGS at suite level.
+
+## Gate 3: Coverage thresholds met per file class
+
+- Global floor 78% statements / 65% branches / 80% functions / 80% lines from `vitest.config.ts` (or equivalent).
+- Critical modules in this repo: `src/merge/` 90/80/90/90; `src/content/` 85/70/85/85; `src/adapters/customization.ts` 85/75/85/85.
+- Read coverage from `coverage/coverage-summary.json` (Istanbul/v8) or `coverage.xml` (Cobertura).
+- Below floor → FINDINGS with the specific module + metric named.
+
+## Gate 4: AI feature eval coverage 100%
+
+- Every AI feature ships golden examples + adversarial cases + regression suite running in CI on prompt or model changes.
+- Hallucination rate measured per release on a labelled sample and tracked as an SLI per Anthropic engineering guidance; threshold breach blocks rollout.
+- Detection: read the eval manifest, confirm CI workflow triggers on prompt/model file changes, read the SLI dashboard URL.
+- Eval coverage <100% on a release-bound prompt or model change → CRITICAL.
+
+## Gate 5: Mutation-test kill rate on critical paths
+
+- Stryker for JS/TS (`stryker run --incremental`, read `reports/mutation/mutation.json` → `metrics.mutationScore`).
+- Pitest for JVM (`mvn org.pitest:pitest-maven:mutationCoverage`, read `target/pit-reports/mutations.xml` → `mutationCoverage`).
+- Common 2026 floor: mutation score ≥80% on payment + auth + `critical`-labelled paths per qaskills.sh 2026.
+- Below floor → FINDINGS with the surviving-mutant count and file list.
+
+## Gate 6: Property-based tests on pure functions with stated invariants
+
+- Each pure function with a stated invariant carries a fast-check (`fc.property(fc.<arb>, fn => { /* invariant */ })`) or Hypothesis (`@given(...)`) test.
+- The invariant is documented in a one-line `// invariant:` comment above the test.
+- Missing invariant comment or missing test → FINDINGS row per function.
+- Pattern reference: MarkTechPost 2026 stateful / differential / metamorphic patterns.
+
+## Gate 7: Contract tests on every service-to-service boundary
+
+- Consumer-driven Pact pacts published to a broker (`pact-broker can-i-deploy --pacticipant <svc> --version <sha> --to production`).
+- Spec-driven Schemathesis (`schemathesis run --checks all <openapi.yaml>`) executed against staging.
+- Missing or failing → CRITICAL on auth/payment paths, FINDINGS elsewhere.
+- Cross-reference: `rules/hatch3r-contract-testing.md`.
+
+## Gate 8: Determinism contract — 0 flaky tests over 30 days
+
+- Read CI flake history: `gh run list --status failure --created >=$(date -d '30 days ago' +%Y-%m-%d) --json conclusion,name,startedAt | jq '[.[] | select(.conclusion=="failure")] | length'`.
+- Quarantined tests carry a tracking issue assignee and a re-enable date, not `test.skip` / `test.todo` / `@pytest.mark.skip` in perpetuity.
+- Flake count >0 with no owner → FINDINGS. Silenced flake without tracking issue → FINDINGS per occurrence.
+
+## Pass criteria
+
+All 8 gates pass = the feature is "done". Anything less = not done.
+
+- Mandate-map class compliance: 100% on changed features.
+- Real-deal ratio: ≥80% per cycle.
+- Coverage floors: met per file class (global 78/65/80/80; critical modules per `.claude/rules/test-requirements.md`).
+- AI eval coverage: 100% on release-bound prompt or model changes.
+- Mutation kill rate: ≥80% on payment + auth + critical paths.
+- Property-test coverage: 100% of pure functions with stated invariants.
+- Contract-test parity: 100% of service boundaries; broker `can-i-deploy` exit 0.
+- Flake count over 30 days: 0 (or quarantined with owner + re-enable date).
+
+## On fail
+
+The orchestrator running this skill emits a single-line verdict per gate (`GATE_N: PASS|FAIL <evidence-path>`) and aggregates them. One FAIL on a required gate blocks the merge regardless of reviewer approval status.
+
+Failure escalation per `agents/hatch3r-testability.md` status mapping: Gate 1 fail (mandate-map class missing) → CRITICAL; Gate 4 fail (AI eval coverage <100%) → CRITICAL; Gate 7 fail on auth/payment → CRITICAL; Gates 2/3/5/6/8 → FINDINGS at High or Medium.
+
+## When this skill runs
+
+- Reviewer on any PR that modifies test code, removes tests, or introduces a feature in a mandate-map class.
+- Implementer pre-write check when authoring new feature tests.
+- Verifier pre-merge gate immediately before `gh pr merge` on protected branches.
+- AI feature release gate before a prompt/model bump ships to production traffic.
+- Quarterly audit on real-deal ratio drift.
+
+## Cross-References
+
+- `rules/hatch3r-testing.md` — per-feature test-class mandate map.
+- `rules/hatch3r-ai-evals.md` — AI feature eval coverage.
+- `rules/hatch3r-contract-testing.md` — Pact + Schemathesis boundaries.
+- `.claude/rules/test-requirements.md` — coverage thresholds per file class.
+- `agents/shared/quality-charter.md` §Testing depth — mock-justification budget.
+
+## References
+
+- Stryker Mutator — `stryker-mutator.io/docs/`
+- Stryker 2026 floor guidance — `qaskills.sh/blog/mutation-testing-stryker-guide`
+- Hypothesis property-based testing 2026 patterns — `marktechpost.com/2026/04/18/a-coding-guide-for-property-based-testing-using-hypothesis-with-stateful-differential-and-metamorphic-test-design/`
+- Pact contract testing — `docs.pact.io/`
+- Schemathesis — `schemathesis.readthedocs.io/`
+- Anthropic engineering evals — `www.anthropic.com/engineering/demystifying-evals-for-ai-agents`
+- AI hallucination benchmarks 2026 — `suprmind.ai/hub/ai-hallucination-rates-and-benchmarks/`

package/dist/content/skills/hatch3r-ui-ux-verify/SKILL.md

@@ -1,5 +1,6 @@
 ---
 id: hatch3r-ui-ux-verify
+name: hatch3r-ui-ux-verify
 type: skill
 description: UI/UX verification gate before declaring a feature done — axe-core, scripted keyboard trace, accessibility-tree snapshot, four-state coverage, visual-regression baseline, one human screen-reader pass per release
 tags: [review, floor:ui-ux, ui, ux, a11y]
@@ -19,12 +20,16 @@ Before any work, scan the invocation for unresolved questions in scope, intent,
 
 ## Fan-out Discipline (P8 B2)
 
-This skill delegates per task size:
-- Tier 1 (trivial single-file): inline execution acceptable.
-- Tier 2 (multi-file or multi-concern): spawn parallel sub-agents per concern via the Task tool.
-- Tier 3 (multi-module / high-risk): one fresh sub-agent per independent module or gate; orchestrator integrates only.
+Fan-out scales with task size; token cost never justifies serializing independent work (`rules/hatch3r-fan-out-discipline.md` P8 B2; `agents/shared/efficiency-patterns.md`). Emit `sub_agents_spawned: { count, rationale }` in your output.
 
-Never under-fan-out to save tokens. Token cost is dominated by quality and completeness gains. Emit `sub_agents_spawned: { count, rationale }` in your output.
+## Invoked by
+
+This skill is the verification HARNESS — it declares HOW each UI/UX gate is checked. The DISPATCHERS that decide WHEN to run it are the CQ specialist agents:
+
+- `agents/hatch3r-ui.md` — invokes this skill as the axe-core + keyboard-trace + four-state + visual-regression + Core Web Vitals gate (CQ1). The agent contributes trigger conditions and Phase-4 dispatch; this skill contributes the 9-gate procedure.
+- `agents/hatch3r-ux.md` — invokes this skill when keyboard-trace, microcopy-lint, or human-screen-reader-pass gates flag a UX-pillar delta (CQ2).
+
+No duplication: the agent decides WHEN, this skill defines HOW. The agent bodies cite this skill in their Phase-4 output contract; this subsection is the symmetric upstream citation per `rules/hatch3r-agent-orchestration.md` (Phase-4 dispatch).
 
 ## Gate 1: Automated a11y scan (axe-core via Playwright)
 
@@ -63,10 +68,10 @@ Never under-fan-out to save tokens. Token cost is dominated by quality and compl
   - **loading** (skeleton)
   - **empty** (with CTA)
   - **error** (cause + retry)
-  - **partial** (banner + degraded data)
+  - **partial** (banner + degraded data) — the only state needing two concurrent requests at opposite outcomes; fixture it via the partial-state recipe (MSW 200+500 in one worker, or `Promise.allSettled` with a forced rejection) in `rules/hatch3r-ux-states-and-flows.md` -> Partial-state fixture recipe.
 - Missing snapshot = blocker.
 - Convention: `src/__tests__/states/<feature>.<state>.spec.ts`.
-- Discovery: a pre-test script greps for async data hooks (`useQuery`, `useSWR`, `fetch`, `axios`) and emits the list of features that must have all four state files. Missing files fail the gate before any test runs.
+- Discovery (reviewer-driven; no shipped script): grep the project for async data hooks — `rg -l 'useQuery|useSWR|\bfetch\(|axios'` — and list the surfaces that read remote data. Each listed surface must have all four state files under the convention path above. The reviewer flags any surface missing a state file as a Gate-4 failure. Projects that want this enforced pre-test author their own discovery check wired into CI; hatch3r ships the pattern, not the script (the framework does not own the project's data-fetch taxonomy).
 
 ## Gate 5: Visual regression baseline
 
@@ -93,14 +98,17 @@ Never under-fan-out to save tokens. Token cost is dominated by quality and compl
 
 ## Gate 8: AI-UX checks (when applicable)
 
-Applies only when the feature ships LLM-driven UI:
+Applies only when the feature ships LLM-driven UI. These 7 checks mirror the Verification Gate in `rules/hatch3r-ai-ux-patterns.md` one-for-one — running Gate 8 means executing all 7, not just the streaming/tool-call subset:
 
 - Streaming hooks in use — grep for `useChat`, `useCompletion`, `streamUI`, or the framework equivalent.
-- Tool-call cards visible by default — assert at least one rendered card per tool invocation in fixtures.
+- Tool-call cards visible by default — assert at least one rendered card per tool invocation in fixtures, with a snapshot per state (`pending`, `in-progress`, `complete`, `failed`).
 - Human-approval gates present for side-effectful tools — assert an approval card before `write`, `send`, or `post` tool calls.
-- Cancel/abort controls present and wired to an `AbortController`.
+- Cancel/abort/undo controls present and wired to an `AbortController` — cancellation produces a transcript marker, not a silent terminate.
+- Citation rendering — a grounded response renders an inline citation with source URL or anchor (snapshot test); an ungroundable claim renders the not-found flag string rather than emitting silently.
+- Failure-mode coverage — at least one test per AI failure mode: timeout, rate limit, token budget, tool unavailability, stream interruption, content-policy refusal, stale session. Missing coverage on any mode is a blocker.
+- Accessibility on AI states — axe-core scan against each AI surface state (idle, streaming, tool-call pending, approval-card open, error) returns 0 serious or critical violations.
 
-Cross-reference: `rules/hatch3r-ai-ux-patterns.md` (Slice 5).
+Cross-reference: `rules/hatch3r-ai-ux-patterns.md` — the "Verification Gate" section is the canonical 7-item list this gate executes; the "Cancel / Abort / Undo", "Citations and Grounding", and "Failure Modes and Degradation" sections define the expected behavior each check asserts.
 
 ## Gate 9: Manual screen-reader pass (per release, not per PR)
 

package/dist/content/skills/hatch3r-visual-refactor/SKILL.md

@@ -1,5 +1,7 @@
 ---
 id: hatch3r-visual-refactor
+name: hatch3r-visual-refactor
+type: skill
 description: UI/UX change workflow matching design, accessibility, and responsiveness requirements. Use when making visual changes, updating components, working on UI issues, or implementing design mockups.
 tags: [implementation, floor:ui-ux]
 quality_charter: agents/shared/quality-charter.md
@@ -28,12 +30,7 @@ Before any work, scan the invocation for unresolved questions in scope, intent,
 
 ## Fan-out Discipline (P8 B2)
 
-This skill delegates per task size:
-- Tier 1 (trivial single-file): inline execution acceptable.
-- Tier 2 (multi-file or multi-concern): spawn parallel sub-agents per concern via the Task tool.
-- Tier 3 (multi-module / high-risk): one fresh sub-agent per independent module or gate; orchestrator integrates only.
-
-Never under-fan-out to save tokens. Token cost is dominated by quality and completeness gains. Emit `sub_agents_spawned: { count, rationale }` in your output.
+Fan-out scales with task size; token cost never justifies serializing independent work (`rules/hatch3r-fan-out-discipline.md` P8 B2; `agents/shared/efficiency-patterns.md`). Emit `sub_agents_spawned: { count, rationale }` in your output.
 
 ## Step 1: Read Inputs
 
@@ -70,9 +67,11 @@ Before modifying code, output:
 - Animations at 60fps (if applicable).
 
 ```bash
-npm run lint && npm run typecheck && npm run test
+${HATCH3R:VERIFY_GATE_ALL}
 ```
 
+Resolved to the project's language-aware gate at sync time (fallback when detection is unknown: `npm run lint && npm run typecheck && npm run test`).
+
 ### 4b. Browser Verification
 
 - Confirm the dev server is running by checking the expected port. If not running, start it in the background.
@@ -111,3 +110,8 @@ Use the project's PR template. Include:
 - [ ] Snapshot tests updated
 - [ ] No visual regressions
 - [ ] Design system tokens used (no ad-hoc styling)
+
+## References
+
+- [Understanding SC 1.4.3: Contrast (Minimum) — W3C WCAG 2.2](https://www.w3.org/WAI/WCAG22/Understanding/contrast-minimum.html) — accessed 2026-05-31, official-docs (W3C). Source for the 4.5:1 AA text-contrast threshold verified in Step 1 and the Definition of Done.
+- [Design Tokens Format Module — W3C Design Tokens Community Group](https://tr.designtokens.org/format/) — accessed 2026-05-31, official-docs (W3C DTCG). Source for the design-token-over-ad-hoc-styling discipline (color, spacing, typography) the reuse/extend/create path enforces.

package/package.json

@@ -1,14 +1,8 @@
 {
   "name": "hatch3r",
-  "version": "1.9.0",
-  "description": "Battle-tested agentic coding setup framework. One command to hatch your agent stack -- agents, skills, rules, commands, and MCP for every major AI coding tool.",
+  "version": "2.0.0",
+  "description": "Agentic coding setup framework audited each release across 24 governance domains. One command to hatch your agent stack -- agents, skills, rules, commands, and MCP for Claude Code, Cursor, and GitHub Copilot.",
   "type": "module",
-  "exports": {
-    ".": {
-      "import": "./dist/cli/index.js",
-      "types": "./dist/cli/index.d.ts"
-    }
-  },
   "bin": {
     "hatch3r": "./dist/cli/index.js"
   },
@@ -18,24 +12,46 @@
     "dev": "tsup --watch",
     "lint": "eslint src/",
     "typecheck": "tsc --noEmit",
-    "prepublishOnly": "npm run build",
+    "prepublishOnly": "node -e \"require('fs').rmSync('dist',{recursive:true,force:true})\" && npm run build",
     "test": "vitest run",
+    "test:ci": "vitest run --no-update",
     "test:watch": "vitest",
     "inventory": "tsx scripts/inventory.ts",
     "inventory:check-docs": "tsx scripts/inventory.ts --check-docs",
     "validate:rule-parity": "tsx scripts/validate-rule-parity.ts && tsx scripts/validate-rule-pillar-currency.ts",
-    "validate:efficiency": "tsx scripts/validate-efficiency-invariants.ts && tsx scripts/validate-bridge-budget.ts && tsx scripts/validate-fanout-emission.ts",
+    "validate:efficiency": "tsx scripts/validate-efficiency-invariants.ts && tsx scripts/validate-bridge-budget.ts && tsx scripts/validate-fanout-emission.ts && tsx scripts/validate-tag-order.ts && tsx scripts/validate-modes-parity.ts && tsx scripts/validate-governance-currency.ts && tsx scripts/validate-traceability-matrix.ts && tsx scripts/validate-decision-id-consistency.ts && tsx scripts/validate-repo-token-adoption.ts && tsx scripts/validate-verify-gate-literals.ts && tsx scripts/validate-customize-doc-examples.ts && tsx scripts/validate-archive-path-currency.ts && tsx scripts/validate-references-currency.ts && tsx scripts/validate-pricing-currency.ts && tsx scripts/validate-subagent-casing.ts && tsx scripts/validate-governance-total.ts",
+    "validate:subagent-casing": "tsx scripts/validate-subagent-casing.ts",
+    "validate:references-currency": "tsx scripts/validate-references-currency.ts",
+    "validate:pricing-currency": "tsx scripts/validate-pricing-currency.ts",
     "validate:cli-skills": "tsx scripts/validate-cli-skills.ts",
     "validate:wiring": "tsx scripts/validate-wiring.ts",
+    "validate:control-reachability": "tsx scripts/validate-control-reachability.ts",
+    "validate:anti-slop": "tsx scripts/validate-anti-slop.ts",
+    "validate:specialist-roster": "tsx scripts/validate-specialist-roster.ts",
+    "validate:severity-vocabulary": "tsx scripts/validate-severity-vocabulary.ts",
+    "validate:retired-agent-refs": "tsx scripts/validate-retired-agent-refs.ts",
+    "validate:fanout-path": "tsx scripts/validate-fanout-path-currency.ts",
+    "validate:archive-path": "tsx scripts/validate-archive-path-currency.ts",
+    "validate:canonical": "tsx scripts/validate-canonical.ts",
+    "validate:adapter-parity": "tsx scripts/validate-adapter-output.ts",
+    "validate:trust-crosswalk": "tsx scripts/validate-trust-crosswalk-citations.ts",
+    "validate:id-uniqueness": "tsx scripts/validate-id-uniqueness.ts",
     "generate:cli-skills": "tsx scripts/generate-cli-skills.ts",
-    "validate": "npm run validate:rule-parity && npm run validate:efficiency && npm run validate:cli-skills && npm run validate:wiring",
+    "calibrate:tier-weights": "tsx scripts/calibrate-tier-weights.ts",
+    "validate": "npm run validate:rule-parity && npm run validate:efficiency && npm run validate:cli-skills && npm run validate:wiring && npm run validate:control-reachability && npm run validate:anti-slop && npm run validate:specialist-roster && npm run validate:severity-vocabulary && npm run validate:retired-agent-refs && npm run validate:fanout-path && npm run validate:canonical && npm run validate:adapter-parity && npm run validate:trust-crosswalk && npm run validate:id-uniqueness && npm run validate:codeowners && npm run validate:content-duplication",
     "audit:validate-registry": "tsx scripts/validate-finding-registry.ts",
     "audit:migrate": "tsx scripts/migrate-finding-registry.ts",
     "audit:archive": "tsx scripts/audit-archive.ts",
     "audit:find": "tsx scripts/audit-find.ts",
+    "audit:closed-loop": "tsx scripts/audit-closed-loop-report.ts",
+    "audit:stalled": "tsx scripts/audit-stalled-strategic.ts",
     "audit:reset": "tsx scripts/clean-audit-workspace.ts",
-    "lockfile:check": "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https",
-    "mcp:cve-check": "tsx scripts/check-mcp-cves.ts"
+    "lockfile:check": "lockfile-lint --path package-lock.json --type npm --allowed-hosts npm --validate-https --validate-integrity --validate-package-names",
+    "mcp:cve-check": "tsx scripts/check-mcp-cves.ts",
+    "cli-tools:cve-check": "tsx scripts/check-cli-cves.ts",
+    "validate:action-pins": "tsx scripts/validate-action-pins.ts",
+    "validate:codeowners": "tsx scripts/validate-codeowners.ts",
+    "validate:content-duplication": "tsx scripts/validate-content-duplication.ts"
   },
   "keywords": [
     "agents",
@@ -73,35 +89,38 @@
     "LICENSE"
   ],
   "dependencies": {
-    "@inquirer/core": "^11.1.9",
-    "@inquirer/figures": "^2.0.5",
-    "boxen": "^8.0.1",
-    "chalk": "^5.4.0",
-    "commander": "^14.0.3",
-    "inquirer": "^13.3.2",
-    "ora": "^9.3.0",
-    "p-limit": "^3.1.0",
-    "proper-lockfile": "^4.1.2",
-    "update-notifier": "^7.3.1",
-    "yaml": "^2.8.3"
+    "@inquirer/core": "11.2.1",
+    "@inquirer/figures": "2.0.7",
+    "boxen": "8.0.1",
+    "chalk": "5.6.2",
+    "commander": "15.0.0",
+    "inquirer": "14.0.2",
+    "ora": "9.4.0",
+    "p-limit": "^7.3.0",
+    "proper-lockfile": "4.1.2",
+    "update-notifier": "7.3.1",
+    "yaml": "2.9.0"
   },
   "devDependencies": {
-    "@types/node": "^25.5.0",
+    "@types/node": "^26.0.0",
     "@types/proper-lockfile": "^4.1.4",
     "@types/update-notifier": "^6.0.8",
-    "@vitest/coverage-v8": "^4.1.2",
-    "eslint": "^10.1.0",
+    "@vitest/coverage-v8": "^4.1.9",
+    "eslint": "^10.5.0",
     "lockfile-lint": "^5.0.0",
     "tsup": "^8.0.0",
-    "tsx": "^4.21.0",
+    "tsx": "^4.22.4",
     "typescript": "^6.0.2",
-    "typescript-eslint": "^8.57.2",
+    "typescript-eslint": "^8.61.1",
     "vitest": "^4.1.2"
   },
   "overrides": {
-    "flatted": "^3.4.2"
+    "flatted": "^3.4.2",
+    "brace-expansion": "^5.0.6"
   },
   "comments": {
-    "overrides/flatted": "Pinned to >=3.4.2 to resolve security advisory in transitive eslint > flat-cache > flatted dependency"
+    "overrides/flatted": "Pinned to >=3.4.2 to resolve security advisory in transitive eslint > flat-cache > flatted dependency",
+    "overrides/brace-expansion": "Pinned to >=5.0.6 to resolve GHSA-jxxr-4gwj-5jf2 (CWE-400, CVSS 6.5, patched 5.0.6) in transitive dev dependency minimatch@10.2.4 > brace-expansion (was 5.0.5). Surgical override preferred over `npm audit fix`, which pulls 78 new platform-binary packages.",
+    "dependencies/p-limit": "Cycle 10 L D4-SA4.2-F4.2.5 (D4): p-limit held at 3.1.0 is 4 majors behind 7.3.0 (no CVE — pure P3 currency hygiene). The bump is API-compatible: the only behavioral delta across majors 4-7 is the CommonJS drop, non-applicable here (hatch3r is pure ESM, engines node >=22), and all three call sites use the stable default-export `pLimit(concurrency)` signature — src/workspace/sync.ts, src/workspace/manifest.ts, src/pipeline/complianceVerification.ts. BLOCKED for a no-network audit SA, not deferrable by hand: bumping the spec alone desyncs package-lock.json (currently pins p-limit 3.1.0 + yocto-queue ^0.1.0 at lines ~4705-4727, AND a second transitive `p-limit ^3.0.2` requirer), and `release.yml` 'Verify lockfile sync' (git diff --exit-code package-lock.json) plus every `npm ci` integrity check fail closed on a spec-only or hand-edited lockfile. p-limit 7.x drops yocto-queue for a different internal queue, so the new resolved tree + SHA-512 integrity hashes can only come from the npm resolver. Follow-up (one commit): run `npm install` to land package.json (^7.3.0) + the regenerated lockfile together, then `npm test` to confirm the three pLimit call sites still pass."
   }
 }

package/dist/cli/index.d.ts

@@ -1,2 +0,0 @@
-
-export {  }