
chore(deps): bump the dependencies group with 9 updates #234

Merged: steipete merged 2 commits into main from dependabot/npm_and_yarn/dependencies-553815db89 on Jun 5, 2026

dependabot Bot (Contributor) commented on behalf of github Jun 4, 2026

Bumps the dependencies group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| @earendil-works/pi-ai | 0.75.5 | 0.78.0 |
| commander | 14.0.3 | 15.0.0 |
| @types/node | 24.12.4 | 25.9.1 |
| @typescript/native-preview | 7.0.0-dev.20260526.1 | 7.0.0-dev.20260603.1 |
| @vitest/coverage-v8 | 4.1.7 | 4.1.8 |
| oxfmt | 0.52.0 | 0.53.0 |
| oxlint | 1.67.0 | 1.68.0 |
| tsx | 4.22.3 | 4.22.4 |
| vitest | 4.1.7 | 4.1.8 |

Updates @earendil-works/pi-ai from 0.75.5 to 0.78.0

Release notes

Sourced from @​earendil-works/pi-ai's releases.

v0.78.0

New Features

  • Named startup sessions - --name / -n sets the session display name before startup across interactive, print, JSON, and RPC modes. See Naming Sessions and Session Options.
  • Clickable file tool paths - built-in file tool titles render OSC 8 file:// hyperlinks when the terminal supports them, including supported tmux clients.

Added

  • Exported convertToPng for extension authors (#5167 by @​xl0).
  • Exported parseArgs and type Args for extension authors (#5202 by @​xl0).
  • Added --name / -n to set the session display name at startup (#5153).
  • Added a resume command hint when exiting interactive sessions (#5176 by @​yzhg1983).
  • Added OSC 8 file:// hyperlinks to file paths shown in built-in file tool titles (#5189 by @​mpazik).
  • Added custom Amazon Bedrock request header support inherited from @earendil-works/pi-ai (#5178 by @​stephanmck).

Fixed

  • Clarified the WezTerm/WSL IME hardware cursor docs to state that cursor visibility remains opt-in (#5200).
  • Fixed the GitLab Duo custom provider example to use adaptive thinking for Claude models, expose xhigh thinking, and include newer verified model IDs (#5201).
  • Fixed Bun release archive creation to install and copy the matching @mariozechner/clipboard base package and native sidecars (#5184).
  • Fixed early interactive input typed before the prompt loop starts so it is buffered instead of dropped (#5195 by @​yzhg1983).
  • Fixed OpenRouter Moonshot Kimi K2.6 requests to use system instead of unsupported developer messages (#5159).
  • Fixed OpenCode Go Kimi K2.6 thinking requests to send thinking objects instead of invalid string values, and fixed OpenCode Zen Grok Build thinking requests to omit unsupported reasoning_effort (#5169).
  • Fixed OpenAI Codex Responses SSE streams to abort response body reads after terminal events.
  • Fixed OpenCode Kimi K2.6 generated metadata to use Anthropic-style thinking metadata instead of invalid reasoning-effort parameters.
  • Fixed OSC 8 hyperlinks to pass through tmux when the client supports them (#5189 by @​mpazik).
  • Fixed ANSI text wrapping to avoid stack overflows on very long wrapped lines (#5185).

v0.77.0

New Features

  • Claude Opus 4.8 support - Adds Anthropic Claude Opus 4.8 metadata and updates Opus adaptive-thinking coverage.
  • Selective tool disablement - --exclude-tools / -xt disables specific built-in, extension, or custom tools while leaving the rest available. See Tool Options.
  • Headless Codex subscription login - /login can use device-code auth for ChatGPT Plus/Pro Codex subscriptions. See Subscriptions and OpenAI Codex.
  • Streaming-aware extension input - extensions can distinguish idle prompts, mid-stream steers, and queued follow-ups with InputEvent.streamingBehavior. See Input Events.

Added

  • Added --exclude-tools / -xt to disable specific built-in, extension, or custom tools while leaving the rest available (#5109).
  • Added OpenAI Codex subscription device-code login as a selectable headless alternative while keeping browser login as the default (#4911 by @​vegarsti).
  • Added streamingBehavior to extension input events so extensions can distinguish idle prompts from mid-stream steers and queued follow-ups (#5107 by @​DanielThomas).
  • Added Claude Opus 4.8 model metadata for Anthropic and updated Opus adaptive-thinking coverage to use it.

Fixed

  • Fixed startup timing output so readPipedStdin no longer includes createAgentSessionRuntime work (#4829).
  • Fixed OpenRouter DeepSeek V4 xhigh reasoning metadata to preserve OpenRouter's native effort instead of sending DeepSeek's max effort (#4801).
  • Fixed custom session directories so current-folder resume/continue lookups stay scoped to the active cwd while all-session listings cover the custom directory.

... (truncated)

Changelog

Sourced from @​earendil-works/pi-ai's changelog.

[0.78.0] - 2026-05-29

Breaking Changes

  • Changed direct provider stream functions to require explicit options.apiKey; top-level stream*/complete* helpers still resolve built-in environment auth.

Added

  • Added custom Amazon Bedrock request header support via StreamOptions.headers, excluding reserved AWS signing headers (#5178 by @​stephanmck).

Fixed

  • Fixed OpenRouter Moonshot Kimi K2.6 requests to use system instead of unsupported developer messages (#5159).
  • Fixed OpenCode Go Kimi K2.6 thinking requests to send thinking objects instead of invalid string values, and fixed OpenCode Zen Grok Build thinking requests to omit unsupported reasoning_effort (#5169).
  • Fixed OpenAI Codex Responses SSE streams to abort response body reads after terminal events.
  • Fixed OpenCode Kimi K2.6 generated metadata to use Anthropic-style thinking metadata instead of invalid reasoning-effort parameters.

[0.77.0] - 2026-05-28

Added

  • Added OpenAI Codex subscription device-code login as a selectable headless alternative while keeping browser login as the default (#4911 by @​vegarsti).
  • Added Claude Opus 4.8 model metadata for Anthropic and updated Opus adaptive-thinking coverage to use it.

Fixed

  • Fixed OpenRouter DeepSeek V4 xhigh reasoning metadata to preserve OpenRouter's native effort instead of sending DeepSeek's max effort (#4801).
  • Fixed OpenAI Codex Responses replay after switching from Anthropic extended-thinking sessions by generating unique fallback message item IDs for converted thinking/text blocks (#5148).
  • Fixed Anthropic-compatible replay for providers that return empty thinking signatures by adding an opt-in allowEmptySignature compatibility flag (#4464).
  • Fixed OpenAI and OpenRouter GPT-5.5 Pro thinking level metadata to expose only supported medium, high, and xhigh efforts.
  • Fixed OpenCode Go Kimi K2.6 thinking-off requests to send thinking: "none" (#5078).
  • Fixed Xiaomi Token Plan model metadata to omit unsupported mimo-v2-flash variants (#5075).

[0.76.0] - 2026-05-27

Fixed

  • Fixed OpenAI Codex Responses cache-affinity headers to send session-id instead of proxy-incompatible session_id (#4967).
  • Fixed openai-codex/gpt-5.3-codex-spark generated metadata to use its 128k context window (#4969).
  • Fixed OpenRouter/Poolside context overflow detection for maximum allowed input length errors (#4943).
  • Fixed OpenAI Codex Responses WebSocket streams and SSE response-header waits to apply bounded timeouts instead of waiting indefinitely when no events arrive (#4945).
  • Fixed provider retry controls so OpenAI Codex Responses honors maxRetries, SDK retries default to 0, and quota/billing 429s are not retried behind Pi's retry handling (#4991 by @​mitsuhiko).
Commits
  • 0897f17 Release v0.78.0
  • 886fa6c Audit unreleased changelog entries
  • a213abb Fix OpenRouter Kimi K2.6 developer role
  • ba2d313 fix(ai): handle OpenCode Kimi reasoning params
  • a36a132 fix(ai): abort Codex SSE body reads
  • 7921ae4 Require explicit provider API keys
  • 01a8c2d Merge pull request #5196 from earendil-works/fix/opencode-thinking-requests
  • 4faac05 fix(ai): handle OpenCode reasoning params
  • 7619aae ai: add custom-header support to Bedrock provider
  • 93600d8 fix(release): align package repository metadata
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​earendil-works/pi-ai since your current version.


Updates commander from 14.0.3 to 15.0.0

Release notes

Sourced from commander's releases.

v15.0.0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

v15.0.0-0

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 in May 2026 will move Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

... (truncated)

Changelog

Sourced from commander's changelog.

[15.0.0] (2026-05-29)

Commander 15 is ESM only. This is expected to be seamless for ESM consumers, but some CommonJS consumers may hit issues with tooling requiring configuration for ESM-only dependencies. See Migration Tips below.

The release of Commander 15 moves Commander 14 into maintenance. Commander 14 will get security updates for 12 months (to May 2027). For more info see Release Policy.

Added

  • show excess command-arguments in error message (#2384)

Fixed

  • Breaking: only lone --no-* option sets default option value to true, default not implicitly set when define both positive and negative option in either order (#2405)
  • update example to use compatible character for MINGW64 (#2475)

Changed

  • Breaking: migrated Commander implementation from CommonJS to ESM (#2464)
  • Breaking: Commander 15 requires Node.js v22.12.0 or higher (for require(esm)).
  • dev: switch tests from Jest to node:test test runner (#2463)

Deleted

  • Breaking: removed deprecated export of commander/esm.mjs (#2464)

Migration Tips

Commander 15 is ESM only, but this does not mean you need to migrate to ESM to use it. Importing ESM from CommonJS is supported by Node.js, and Bun, and Deno. Hopefully it Just Works for you! However, you may be using a different runtime or some other part of your setup that may not yet natively support importing ESM from CommonJS, such as your testing framework or bundler.

If you have problems using Commander 15 in your environment, one option is stay on Commander 14 for now. Commander 14 will get security updates until May 2027 and things will hopefully improve for your setup in the meantime.

[15.0.0-0] (2026-02-22)

(Released as 15.0.0)

Commits

Updates @types/node from 24.12.4 to 25.9.1

Commits

Updates @typescript/native-preview from 7.0.0-dev.20260526.1 to 7.0.0-dev.20260603.1

Commits

Updates @vitest/coverage-v8 from 4.1.7 to 4.1.8

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

Updates oxfmt from 0.52.0 to 0.53.0

Changelog

Sourced from oxfmt's changelog.

Changelog

All notable changes to this package will be documented in this file.

The format is based on Keep a Changelog.

Commits

Updates oxlint from 1.67.0 to 1.68.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

  • 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
  • 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
  • bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
  • 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
  • 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
  • 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
  • ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

  • 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
  • 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
  • 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
  • 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
  • a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
  • ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
  • 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
  • ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
  • e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
  • 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
  • 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
  • fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
  • ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
  • dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
  • 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
  • cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

  • 25d577e language_server: Start tools in parallel (#15500) (Sysix)
  • 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
  • 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
  • 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
  • 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
  • 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

  • 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
  • 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
  • a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
  • 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
  • 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
  • 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.68.0] - 2026-06-01

🚀 Features

  • e4b1f46 linter/typescript: Implement method-signature-style rule (#22679) (Mikhail Baev)
  • bc462ca linter/vue: Implement no-reserved-component-names rule (#22741) (bab)
  • ef9e751 linter/vue: Implement component-definition-name-casing rule (#22818) (bab)
  • d67f51a linter/vue: Implement require-prop-type-constructor rule (#22708) (bab)
  • 8422e8b linter/jsdoc: Implement require-yields-description rule (#22805) (Mikhail Baev)
  • fe93f97 linter/eslint: Implement prefer-named-capture-group rule (#22759) (Sebastian Poxhofer)
Commits
  • 964a758 release(apps): oxlint v1.68.0 && oxfmt v0.53.0 (#22883)
  • 3f05c5e feat(linter): expose override::exclude_files option (#22884)
  • e4b1f46 feat(linter/typescript): implement method-signature-style rule (#22679)
  • bc462ca feat(linter/vue): implement no-reserved-component-names rule (#22741)
  • ef9e751 feat(linter/vue): implement component-definition-name-casing rule (#22818)
  • d67f51a feat(linter/vue): implement require-prop-type-constructor rule (#22708)
  • 8422e8b feat(linter/jsdoc): implement require-yields-description rule (#22805)
  • fe93f97 feat(linter/eslint): implement prefer-named-capture-group rule (#22759)
  • See full diff in compare view

Updates tsx from 4.22.3 to 4.22.4

Release notes

Sourced from tsx's releases.

v4.22.4

4.22.4 (2026-05-31)

Bug Fixes

  • resolve CommonJS directory requires inside dependencies (#803) (1ce8463)

This release is also available on:

Commits

Updates vitest from 4.1.7 to 4.1.8

Release notes

Sourced from vitest's releases.

v4.1.8

   🐞 Bug Fixes

    View changes on GitHub
Commits
  • e61f2dd chore: release v4.1.8
  • e4067b3 fix(browser): disable client cdp API when allowWrite/allowExec: false [ba...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [@earendil-works/pi-ai](https://github.com/earendil-works/pi/tree/HEAD/packages/ai) | `0.75.5` | `0.78.0` |
| [commander](https://github.com/tj/commander.js) | `14.0.3` | `15.0.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.12.4` | `25.9.1` |
| [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260526.1` | `7.0.0-dev.20260603.1` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.1.7` | `4.1.8` |
| [oxfmt](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxfmt) | `0.52.0` | `0.53.0` |
| [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) | `1.67.0` | `1.68.0` |
| [tsx](https://github.com/privatenumber/tsx) | `4.22.3` | `4.22.4` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.7` | `4.1.8` |


Updates `@earendil-works/pi-ai` from 0.75.5 to 0.78.0
- [Release notes](https://github.com/earendil-works/pi/releases)
- [Changelog](https://github.com/earendil-works/pi/blob/main/packages/ai/CHANGELOG.md)
- [Commits](https://github.com/earendil-works/pi/commits/v0.78.0/packages/ai)

Updates `commander` from 14.0.3 to 15.0.0
- [Release notes](https://github.com/tj/commander.js/releases)
- [Changelog](https://github.com/tj/commander.js/blob/master/CHANGELOG.md)
- [Commits](tj/commander.js@v14.0.3...v15.0.0)

Updates `@types/node` from 24.12.4 to 25.9.1
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@typescript/native-preview` from 7.0.0-dev.20260526.1 to 7.0.0-dev.20260603.1
- [Changelog](https://github.com/microsoft/typescript-go/blob/main/CHANGES.md)
- [Commits](https://github.com/microsoft/typescript-go/commits)

Updates `@vitest/coverage-v8` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/coverage-v8)

Updates `oxfmt` from 0.52.0 to 0.53.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxfmt/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxfmt_v0.53.0/npm/oxfmt)

Updates `oxlint` from 1.67.0 to 1.68.0
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.68.0/npm/oxlint)

Updates `tsx` from 4.22.3 to 4.22.4
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.3...v4.22.4)

Updates `vitest` from 4.1.7 to 4.1.8
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.8/packages/vitest)

---
updated-dependencies:
- dependency-name: "@earendil-works/pi-ai"
  dependency-version: 0.78.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: commander
  dependency-version: 15.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: "@types/node"
  dependency-version: 25.9.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: dependencies
- dependency-name: "@typescript/native-preview"
  dependency-version: 7.0.0-dev.20260603.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: oxfmt
  dependency-version: 0.53.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: oxlint
  dependency-version: 1.68.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: tsx
  dependency-version: 4.22.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: vitest
  dependency-version: 4.1.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the `dependencies` and `javascript` labels Jun 4, 2026

clawsweeper Bot commented Jun 4, 2026

Codex review: needs changes before merge. Reviewed June 3, 2026, 9:31 PM ET / 01:31 UTC.

Summary
The PR bumps nine npm dependencies across the root package, core package, and pnpm lockfile, including runtime updates to @earendil-works/pi-ai and commander.

Reproducibility: yes. Source inspection shows the PR moves direct root and core @types/node dependencies to ^25.9.1 while current engines, docs, and CI still target Node 24.

Review metrics: 2 noteworthy metrics.

  • Dependency updates: 9 packages changed. The PR mixes runtime dependency updates with tooling and type updates, so compatibility review cannot be reduced to lockfile churn.
  • Package surfaces: 2 manifests plus 1 lockfile changed. Both the CLI package and core library package inherit the Node type-version decision.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🌊 off-meta tidepool
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Revert direct @types/node dependencies to the Node 24 line in both manifests and the lockfile.
  • Run or provide CI output for pnpm -s check after the dependency update is repaired.

Risk before merge

  • [P1] Merging as-is could let root or core code typecheck against Node 25 APIs even though package metadata, docs, and CI still support Node 24 users.
  • [P1] The PR also includes runtime dependency bumps, including @earendil-works/pi-ai and the major commander update, so the normal workspace gate remains important after the Node type-line repair.

Maintainer options:

  1. Keep Node types on 24 (recommended)
    Revert only the root and core @types/node bump to a Node 24-compatible line, regenerate the lockfile, and run the normal workspace gate.
  2. Raise the runtime baseline
    If maintainers want Node 25 types, update engines, docs, CI, and release expectations together before merging so Node 24 users are not surprised.
Copy recommended automerge instruction
@clawsweeper automerge

Special instructions:
Preserve the dependency bump, but revert `@types/node` in `package.json`, `packages/core/package.json`, and `pnpm-lock.yaml` back to the Node 24 line compatible with the repository's Node 24 runtime and CI boundary; then run `pnpm -s check` if dependencies are available.

Next step before merge

  • [P2] A narrow automated repair can preserve the dependency bump while reverting only the Node type-version mismatch and regenerating the lockfile.

Security
Cleared: The diff changes package manifests and the lockfile only; no new scripts, lifecycle hooks, permissions, or downloaded execution paths were introduced.

Review findings

  • [P1] Keep Node types on the supported runtime line — package.json:79
Review details

Best possible solution:

Preserve the useful dependency bump, but keep direct workspace @types/node dependencies on the Node 24 line unless maintainers intentionally raise engines, docs, and CI together.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows the PR moves direct root and core @types/node dependencies to ^25.9.1 while current engines, docs, and CI still target Node 24.

Is this the best way to solve the issue?

No as submitted. The narrow maintainable fix is to keep the dependency bump but leave direct Node types on the supported Node 24 line unless this PR intentionally raises the project baseline everywhere.

Full review comments:

  • [P1] Keep Node types on the supported runtime line — package.json:79
    The PR upgrades the direct @types/node dependency to ^25.9.1, but the root and core packages still advertise Node 24 support and CI runs on Node 24. Compiling against Node 25 types can hide accidental use of APIs unavailable to supported Node 24 users, so keep these direct type dependencies on the Node 24 line unless engines, docs, and CI are raised together.
    Confidence: 0.92

Overall correctness: patch is incorrect
Overall confidence: 0.92

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 821e76613ded.

Label changes

Label justifications:

  • P2: This is a normal dependency maintenance PR with a concrete compatibility blocker but no emergency runtime failure.
  • merge-risk: 🚨 compatibility: The PR compiles the project against Node 25 types while package metadata, docs, and CI still target Node 24.
  • rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🌊 off-meta tidepool and patch quality is 🧂 unranked krab.
  • status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Not applicable: This is a Dependabot bot dependency PR, so contributor-provided real behavior proof is not required by this gate; validation should come from the workspace gate or CI.
Evidence reviewed

Acceptance criteria:

  • [P1] pnpm -s check.

What I checked:

  • Repository policy and gate: AGENTS.md was read fully and names the monorepo package split plus pnpm -s check as the workspace gate for this repository. (AGENTS.md:14, 821e76613ded)
  • Root package Node boundary: Current main declares root @types/node on the Node 24 line and advertises engines.node as >=24; the PR changes the root type package to ^25.9.1. (package.json:79, 821e76613ded)
  • Core package Node boundary: Current main declares core @types/node on the Node 24 line and advertises engines.node as >=24; the PR changes the core type package to ^25.9.1. (packages/core/package.json:59, 821e76613ded)
  • CI Node baseline: The current CI workflow runs the workspace and extension jobs on Node 24, matching the package support boundary rather than Node 25. (.github/workflows/ci.yml:18, 821e76613ded)
  • Package metadata provenance: git blame ties the current root/core @types/node 24 declarations and engines.node >=24 declarations to the 0.16.3 release commit. (package.json:79, fcf8c8e5e98d)
  • Dependency call-site check: Source search found the repository uses top-level completeSimple, streamSimple, getModel, and getModels imports from @earendil-works/pi-ai; no direct provider stream function call was identified in this pass. (src/daemon/agent.ts:2, 821e76613ded)

Likely related people:

  • steipete: The 0.16.3 release commit introduced the current root/core @types/node 24 declarations and engines.node >=24 package boundary. (role: package metadata introducer; confidence: high; commits: fcf8c8e5e98d; files: package.json, packages/core/package.json)
  • dependabot[bot]: The only later package metadata change on current main is an automated dependency-group bump, so repair work will likely overlap generated dependency metadata. (role: recent dependency updater; confidence: medium; commits: 6d43d3427296; files: package.json, pnpm-lock.yaml)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
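
The compatibility check the review above describes (direct `@types/node` major versus the supported Node line), as an added example that is not part of the PR, the bot's review, or the repository. `lowestMajor`, `nodeTypesRange`, `findTypeLineDrift` and the inline manifests are constructed for illustration, and the range parsing covers only simple semver ranges.

```javascript
'use strict';

// Lowest Node major admitted by a simple semver range (">=24", "^25.9.1",
// ">=22.12.0 <25", "^24 || >=26"). Returns null for ranges it cannot reason
// about ("*", dist-tags), so callers skip them rather than guess.
function lowestMajor(range) {
  if (typeof range !== 'string') return null;
  const majors = [];
  for (const alternative of range.split('||')) {
    // Upper bounds (<, <=) never set the floor.
    const lower = alternative.trim().split(/\s+/).filter((c) => c && !c.startsWith('<'));
    const match = lower.map((c) => /^(?:>=|>|\^|~|=)?v?(\d+)/.exec(c)).find(Boolean);
    if (!match) return null;
    majors.push(Number(match[1]));
  }
  return Math.min(...majors);
}

// Range declared for @types/node in any dependency section of a manifest.
function nodeTypesRange(manifest) {
  for (const section of ['dependencies', 'devDependencies', 'peerDependencies']) {
    const range = manifest[section] && manifest[section]['@types/node'];
    if (range) return range;
  }
  return null;
}

// Flag manifests whose @types/node major is newer than the oldest Node major
// the package promises to support (engines.node) or that CI actually runs.
// ciNodeMajor is an assumed input: the lowest Node major in the CI matrix.
function findTypeLineDrift(manifests, ciNodeMajor = null) {
  const findings = [];
  for (const { path, manifest } of manifests) {
    const typesMajor = lowestMajor(nodeTypesRange(manifest));
    const engineMajor = lowestMajor(manifest.engines && manifest.engines.node);
    if (typesMajor === null || engineMajor === null) continue; // nothing to compare
    const supportedMajor =
      ciNodeMajor === null ? engineMajor : Math.min(engineMajor, ciNodeMajor);
    if (typesMajor > supportedMajor) {
      findings.push({ path, typesMajor, supportedMajor });
    }
  }
  return findings;
}

// Constructed manifests holding only the fields the check reads. The ">=24"
// engines value and the "^25.9.1" types range are the ones the review quotes.
const prManifests = [
  {
    path: 'package.json',
    manifest: { engines: { node: '>=24' }, devDependencies: { '@types/node': '^25.9.1' } },
  },
  {
    path: 'packages/core/package.json',
    manifest: { engines: { node: '>=24' }, devDependencies: { '@types/node': '^25.9.1' } },
  },
];

// Constructed "repaired" state: types back on the 24 line (range is illustrative).
const repairedManifests = prManifests.map(({ path, manifest }) => ({
  path,
  manifest: { ...manifest, devDependencies: { '@types/node': '^24.12.4' } },
}));

for (const f of findTypeLineDrift(prManifests, 24)) {
  console.log(`${f.path}: @types/node ${f.typesMajor}.x exceeds supported Node ${f.supportedMajor}.x`);
}
```

In a CI job the manifests would be read from disk and a non-empty result would fail the build, so a grouped dependency bump cannot move the type line ahead of the runtime baseline unnoticed.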

clawsweeper Bot added the `rating: 🧂 unranked krab`, `status: ⏳ waiting on author`, `P2` and `merge-risk: 🚨 compatibility` labels Jun 4, 2026

steipete merged commit f40e26b into main Jun 5, 2026 (3 checks passed)

steipete deleted the dependabot/npm_and_yarn/dependencies-553815db89 branch June 5, 2026 20:24