Add a machine-readable CSV companion for the 2026-03-29 security re-triage so maintainers can consume the refreshed statuses outside the markdown report.
Link the refresh markdown and walkthrough to the new export to keep the historical baseline, addendum, and current-head report aligned.
Re-triage the 2026-03-15 security finding set against current main, keep the old snapshot as historical baseline, and add a current-head refresh with updated counts and finding status.
Link the baseline and addendum to the new refresh report so maintainers have one current source of truth for what is still reproducible on HEAD.
Document the current static web-app behavior, local-only save flow, shallow installer path, and maintainer-only sync controls.
Align maintainer guides with the active audit-to-risk-sync workflow, canonical artifact bot contract, release/coverage requirements, and updated security triage context so the docs match the repository's real operating model.
Expand the conservative risk sync with explicit critical, offensive, and none patterns.
Auto-apply high-confidence legacy label fixes, add the authorized-use notice when promoting offensive skills, and regenerate canonical and plugin artifacts so the unknown backlog keeps shrinking without loosening contributor input rules.
Add a maintainers script to safely promote high-confidence legacy risk labels from unknown to concrete values, cover it with tests, and regenerate the canonical skill artifacts and plugin copies. This reduces the legacy unknown backlog without forcing noisy classifications that still need manual review.
Clarify that validate and automated skill-review are necessary but not sufficient for skill and risky guidance changes. Add the requirement consistently to contributing guidance, the quality bar, and the PR checklist so maintainers explicitly review logic, safety, failure modes, and risk labeling before merge.
Treat generated plugin mirrors and marketplace outputs as managed
canonical artifacts so the main-branch sync bot can stage and commit
them instead of failing on unmanaged drift.
Ignore web-app coverage output during maintainer runs and update the
mirrored Office unpack scripts so plugin copies stay aligned with the
hardened source implementations.
Install apps/web-app dependencies before running the dedicated
coverage step in CI and publish workflows.
This fixes the failing main workflow where app:test:coverage could not
find vitest on GitHub runners because the web-app package had not been
installed yet.
Set PYTHONDONTWRITEBYTECODE for the shared Python runner and the
root test-suite launcher so local test runs do not create __pycache__
artifacts inside skills.
This keeps npm run test deterministic and avoids false negatives in the
editorial bundle inventory checks.
Tighten the repo-state automation so canonical bot commits remain
predictable while leaving main clean after each sync.
Make the public catalog UI more honest by hiding dev-only sync,
turning stars into explicit browser-local saves, aligning risk types,
and removing hardcoded catalog counts.
Add shared public asset URL helpers, risk suggestion plumbing,
safer unpack/sync guards, and CI coverage gates so release and
maintainer workflows catch drift earlier.
Sanitize WhatsApp Cloud API validator output across the root skill and plugin copies so code scanning no longer flags clear-text exposure.
Add a regression test that verifies successful and failed validation runs do not print sensitive response fields or API error details.
Major update across all 11 Three.js skills:
- Fix meta skill targeting r128 (5 years old) → modern r183 import map patterns
- Fix deprecated outputEncoding → outputColorSpace
- Add Clock → Timer migration (recommended in r183)
- Add WebGPU/TSL awareness across shader and material skills
- Add BatchedMesh, OrbitControls, GLTFLoader r183 features
- Fix incorrect WebGPU post-processing patterns
- Add setAnimationLoop as preferred animation pattern
- Remove stale CapsuleGeometry and OrbitControls warnings
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Capture the plugin manifest version bumps that release:prepare generated for 9.0.0 and update the release staging step so Claude and Codex plugin manifests are included automatically in future release commits.
Make the Codex marketplace release test follow package.json instead of pinning the previous release version, so scripted release prepares can bump plugin manifests safely.
Add a When to Use section for akf-trust-metadata so release validation stays within the current warning budget.
Refresh the generated plugin-safe and catalog artifacts produced by the maintainer sync after the PR batch landed.
Document the new Claude Code and Codex plugin distributions and explain how root plugins, bundle plugins, and plugin-safe filtering relate to the full library install.
Sync the catalog, plugin compatibility artifacts, and generated plugin-safe subsets so main stays consistent before the v9.0.0 release flow.
Reuse sync_repo_metadata.sync_bundles_doc in audit_consistency so the
audit path stays aligned with the editorial bundles renderer signature.
This fixes the CI failure caused by calling render_bundles_doc without
the required compatibility argument.
Add Codex marketplace metadata and a repo-local plugin scaffold so the repository can be installed as a Codex plugin without duplicating the skills catalog.
Document the new integration path and cover it with a regression test to keep the marketplace entry and plugin manifest in sync.