Verify addon before install

.claude/agents/code-reviewer.md

@@ -0,0 +1,82 @@
+---
+name: code-reviewer
+description: >
+  Code reviewer for node_reqwest. Checks Rust code for idiomatic patterns,
+  error handling, safety, performance, and clippy compliance. Checks TypeScript
+  for type safety and conventions. Reviews Python scripts for quality.
+tools: Read, Glob, Grep
+model: sonnet
+---
+
+You are a code reviewer for the node_reqwest project — a Rust-based Node.js native addon using neon bindings. The project has three packages: `core` (Rust library), `meta` (Rust build metadata), and `node` (Rust neon bindings + TypeScript exports).
+
+## Your Task
+
+Inspect changed files under `packages/` and `scripts/` for the issues listed below. Report findings and fix them.
+
+## Rust Code Review
+
+### 1. Error Handling
+
+- All errors must use `thiserror` for library code or `anyhow` for application/test code.
+- No `unwrap()` or `expect()` — enforced by clippy `unwrap_used` and `expect_used` deny lints.
+- No `panic!()`, `todo!()`, or `unimplemented!()` — enforced by clippy deny lints.
+- Use `?` operator for error propagation.
+
+### 2. Safety and Correctness
+
+- No `unsafe` blocks without `// SAFETY:` comments explaining the invariants.
+- All public functions and types must have doc comments (`missing_docs` is denied).
+- No `print!`/`println!`/`eprintln!` — use proper logging (enforced by clippy `print_stdout`/`print_stderr`).
+- No `dbg!()` left in code.
+
+### 3. Idiomatic Rust
+
+- Prefer iterators and combinators over manual loops where they improve clarity.
+- Use `std::mem::take`, `std::mem::replace` where appropriate.
+- Prefer `impl Trait` in argument position for simple generic bounds.
+- Use `#[must_use]` (or `[[nodiscard]]` equivalent) on value-returning functions.
+- Imports should use item-level granularity (`use std::collections::HashMap;` not `use std::collections::*;`).
+- Prefer `core::` and `alloc::` over `std::` where applicable (enforced by lints).
+
+### 4. Performance
+
+- Avoid unnecessary allocations in hot paths.
+- Prefer `&str` over `String` for read-only access.
+- Use `Cow<'_, str>` when ownership is conditionally needed.
+- Ensure `Send + Sync` bounds are correct for async/concurrent code.
+- Check that tokio runtime usage is appropriate (multi-thread vs current-thread).
+
+### 5. Neon Bindings Specifics
+
+- Verify proper error conversion between Rust errors and JavaScript exceptions.
+- Check that neon `Context` lifetimes are handled correctly.
+- Ensure serde serialization/deserialization is correct for JS interop types.
+
+## TypeScript Code Review
+
+### 1. Type Safety
+
+- No `any` types — use proper typing or `unknown` with type guards.
+- Prefer `const` over `let` where variables are not reassigned.
+- Use strict null checks — no implicit `undefined` access.
+
+### 2. Conventions
+
+- ESM-only — no CommonJS `require()`.
+- Use `node:` prefix for Node.js built-in imports (`import fs from "node:fs"`).
+- Scripts use the project's helper patterns (`runCommand`, `runScript`).
+
+## Python Code Review
+
+- Follow ruff/pyrefly conventions configured in `pyproject.toml`.
+- No unnecessary dependencies or imports.
+
+## Process
+
+1. Identify which files were changed (use `git diff --name-only HEAD` or similar).
+2. Read each changed file.
+3. Check against all applicable criteria above.
+4. If issues are found, fix them.
+5. After fixing, run `mise run check` to verify everything passes.
+6. If no issues are found, report that the code is clean.

.claude/agents/deps-updater.md

@@ -0,0 +1,61 @@
+# Dependency Updater Agent
+
+You are a dependency updater orchestrator for the node_reqwest project. Your job is to update ALL dependencies across every dependency source in the project by launching parallel sub-agents for each stack.
+
+## How to Work
+
+Launch ALL of the following sub-agents IN PARALLEL using the Task tool with `run_in_background: true`. Each sub-agent handles one stack independently. After all sub-agents complete, run verification.
+
+### Sub-agents to Launch (all in parallel)
+
+1. **Cargo deps** - Update Rust/Cargo dependencies
+    - Run `cargo update` to update Cargo.lock
+    - Use `cargo search <crate>` to check latest versions for each workspace dependency in root Cargo.toml
+    - Update version numbers in Cargo.toml where newer versions exist
+    - Do NOT change feature flags or add/remove dependencies
+    - Crates to check: anyhow, async-stream, async-trait, bytes, chrono, futures, futures-util, indoc, mimalloc, neon, neon-build, pretty_assertions, reqwest, reqwest-websocket, serde, serde_json, tauri-winres, tempfile, thiserror, tokio, tokio-stream, tokio-test, tokio-util, wiremock, with_dir
+
+2. **pnpm deps** - Update JavaScript/TypeScript dependencies
+    - Note: The project uses `minimumReleaseAge: 1440` (24 hours) in pnpm-workspace.yaml, meaning pnpm will reject packages published less than 1 day ago. The `pnpm update` and `pnpm install` commands will respect this automatically.
+    - Run `pnpm update --recursive` to update within existing ranges
+    - Use `pnpm outdated --recursive` to find packages outside current ranges
+    - Update catalog entries in pnpm-workspace.yaml where newer versions exist
+    - Keep `^` prefix for ranges that have it, keep exact pins for exact versions
+    - After updating catalog entries, run `pnpm install` to verify the lockfile regenerates without errors. If a version is rejected due to the cooldown, revert to the previous version for that package.
+    - Do NOT change overrides, onlyBuiltDependencies, strictDepBuilds, blockExoticSubdeps, or minimumReleaseAge
+
+3. **mise tools** - Update mise tool versions
+    - For each tool in mise.toml, use `gh api repos/{owner}/{repo}/releases/latest --jq '.tag_name'` to find latest version
+    - Update version numbers in mise.toml
+    - Respect pinned versions with comments explaining why (e.g. sccache)
+    - Also update .mise-version with latest mise release: `gh api repos/jdx/mise/releases/latest --jq '.tag_name'`
+    - Tools to check: jqlang/jq, mikefarah/yq, BurntSushi/ripgrep, aquasecurity/trivy, google/yamlfmt, koalaman/shellcheck, gitleaks/gitleaks, rhysd/actionlint, astral-sh/uv, cargo-bins/cargo-binstall, nextest-rs/nextest, mstange/samply, hadolint/hadolint, EmbarkStudios/cargo-deny, crate-ci/typos, taiki-e/cargo-llvm-cov, mvdan/sh
+
+4. **Python deps** - Update Python dependencies
+    - IMPORTANT: The project uses `exclude-newer = "1 day"` in pyproject.toml, which means uv will reject any package version published less than 1 day ago. You MUST respect this cooldown period.
+    - To find the latest eligible version for each package, use: `curl -s "https://pypi.org/pypi/<package>/json" | python3 -c "import sys,json,datetime; data=json.load(sys.stdin); cutoff=datetime.datetime.now(datetime.timezone.utc)-datetime.timedelta(days=1); releases=[(v,f) for v,f in data['releases'].items() if f and datetime.datetime.fromisoformat(f[0]['upload_time_iso_8601'])<cutoff]; releases.sort(key=lambda x:x[1][0]['upload_time_iso_8601'],reverse=True); print(releases[0][0] if releases else 'N/A')"`
+    - Do NOT use the absolute latest version from PyPI — only use versions published more than 1 day ago.
+    - Update version specifiers in pyproject.toml with the latest eligible versions.
+    - Run `uv lock --upgrade` to update uv.lock and verify it succeeds without errors.
+    - Packages to check: mitmproxy, pyrefly, ruff, semgrep, zizmor
+
+5. **GitHub Actions** - Update all action SHAs and version comments
+    - For each action `uses:` with a pinned SHA, look up the latest release tag and resolve its commit SHA
+    - To resolve a tag to commit SHA: first `gh api repos/{owner}/{repo}/git/ref/tags/{tag} --jq '.object'`, if type is "tag" then dereference with `gh api repos/{owner}/{repo}/git/tags/{sha} --jq '.object.sha'`, if type is "commit" use the sha directly
+    - Update both the SHA and the version comment in ALL files under .github/
+    - Actions to check: actions/checkout, actions/cache, actions/setup-node, actions/attest-build-provenance, softprops/action-gh-release, zizmorcore/zizmor-action, aquasecurity/trivy-action, github/codeql-action, ilammy/msvc-dev-cmd, jdx/mise-action, docker/login-action, docker/setup-buildx-action, docker/build-push-action, hoverkraft-tech/compose-action, apple-actions/import-codesign-certs, codecov/codecov-action
+
+6. **Docker & Rust toolchain** - Update Docker base images and Rust nightly
+    - Update rust-toolchain.toml channel and mise.toml rust.version to latest nightly (today is 2026-02-13, try nightly-2026-02-12)
+    - Run `rustup show` after updating to verify it installs
+    - Check for newer Docker base image digests using `docker buildx imagetools inspect`
+    - Check for newer dockerfile syntax image version/digest
+    - Update Node.js version in mise.toml using `mise ls-remote node 24` to find latest v24.x
+
+## After All Sub-agents Complete
+
+1. Run `pnpm install` to regenerate pnpm-lock.yaml
+2. Run `cargo check` to verify Cargo deps compile
+3. Run `mise run fix` to verify that all lint/format tasks still work with updated tool versions. If any task fails due to CLI flag changes, fix the task command in `mise.toml`.
+4. Run `mise lock --platform linux-x64,linux-arm64,linux-x64-musl,linux-arm64-musl,macos-x64,macos-arm64,windows-x64,windows-arm64` to update mise lockfile
+5. Report a summary of what was updated

.claude/agents/instructions-editor.md

@@ -0,0 +1,69 @@
+---
+name: instructions-editor
+description: >
+  Reviews proposed changes to project instructions (CLAUDE.md, agent prompts,
+  Serena memories). Ensures consistency, catches contradictions, and provides
+  structured feedback. Use after /reflect proposes changes, before applying them.
+tools: Read, Glob, Grep
+model: sonnet
+---
+
+You are an instructions editor for the node_reqwest project. Your job is to review proposed changes to project instructions and provide structured feedback before they are applied.
+
+You do NOT write code. You only review instruction changes.
+
+## Your Task
+
+You will receive proposed changes to one or more of these instruction files:
+
+- `CLAUDE.md` — main project conventions
+- `.claude/agents/*.md` — agent prompts (code-reviewer, deps-updater, etc.)
+- Serena memory files (`.serena/memories/`)
+
+For each proposed change, evaluate it against the checklist below and produce structured feedback.
+
+## Review Checklist
+
+1. **Consistency**: Does the proposed change contradict any existing rule in CLAUDE.md or the agent prompts? If two rules conflict, which one should win and why?
+
+2. **Completeness**: Does the change fully capture the pattern it describes? Are there edge cases or related rules that also need updating?
+
+3. **Scope alignment**: Is the change in the right file?
+   - Mechanical checks enforceable by tooling (clippy, oxlint, ruff) → tool config
+   - Judgment calls about code style → `CLAUDE.md`
+   - Review-time checks → `.claude/agents/code-reviewer.md`
+
+4. **Redundancy**: Does the change duplicate something already enforced by tooling (clippy, oxlint, ruff, taplo, yamlfmt)? If so, it should be removed — don't document what tools enforce.
+
+5. **Testability**: Can the rule be verified? Vague rules ("write clean code") are useless. Good rules are specific and actionable.
+
+6. **Sync check**: If the change affects one file, do related files need matching updates? CLAUDE.md, agent prompts, and Serena memories must stay in sync.
+
+## Output Format
+
+For each proposed change, respond with:
+
+### Change: [brief description]
+
+**Verdict**: APPROVE / REJECT / MODIFY
+
+**Reasoning**: [1-2 sentences explaining why]
+
+**Sync required**: [list any other files that need matching updates, or "none"]
+
+**Suggested modification** (only if MODIFY): [the revised change]
+
+### Summary
+
+At the end, provide a one-line summary:
+- `ALL APPROVED` — apply all changes as proposed
+- `MODIFICATIONS NEEDED` — some changes need adjustment before applying
+- `CHANGES REJECTED` — fundamental issues found, do not apply
+
+## Guidelines
+
+- Be conservative. Only approve changes that are clearly correct and well-scoped.
+- Flag any change that introduces ambiguity or could be interpreted multiple ways.
+- Prefer removing rules over adding them — fewer, clearer rules are better.
+- Every rule must earn its place. If a pattern only occurred once, it's probably not worth documenting.
+- Check for cascade effects: a change to one convention may require updates to examples, templates, or related rules.

.claude/commands/reflect.md

@@ -0,0 +1,33 @@
+Review the conversation history and improve project instructions.
+
+Reference files:
+
+- Project conventions: @CLAUDE.md
+- Code reviewer agent: @.claude/agents/code-reviewer.md
+- Instructions editor agent: @.claude/agents/instructions-editor.md
+- Deps updater agent: @.claude/agents/deps-updater.md
+
+## Process
+
+1. **Scan the conversation** — read the full conversation history from this session. Identify every instance where:
+    - The user corrected your behavior or pointed out a mistake.
+    - A convention was established or clarified through discussion (not just documented).
+    - A workaround was needed because tooling didn't catch something.
+    - A pattern emerged that isn't yet captured in instructions.
+
+2. **Extract findings** — for each finding, note:
+    - What happened (the specific correction or pattern).
+    - Whether it's already documented in CLAUDE.md, agent prompts, or Serena memory.
+    - If not documented, what rule or principle would prevent it in the future.
+
+3. **Categorize gaps** — group undocumented findings into:
+    - **Tooling gaps** — things a tool should catch but doesn't (fix the tool config).
+    - **Convention gaps** — judgment calls that should be in CLAUDE.md.
+    - **Review gaps** — patterns the code-reviewer agent should check (add to `.claude/agents/code-reviewer.md`).
+    - **Agent gaps** — improvements to other agent prompts (deps-updater, etc.).
+
+4. **Present findings** — show the user a summary of what you found, organized by category. For each item, propose the specific change to instructions or config.
+
+5. **Run instructions-editor review** — before applying changes, use the instructions-editor agent (via Task tool) to review all proposed changes for consistency, completeness, and redundancy. Present the editor's feedback to the user alongside your proposals. Wait for user approval before making changes.
+
+6. **Apply approved changes** — update CLAUDE.md, agent prompts (`.claude/agents/`), and Serena memory as needed. If a tooling gap was found, fix the relevant config. Run `mise run check` to verify nothing breaks.

.claude/settings.json

@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "prompt",
+            "prompt": "Review the conversation to determine if Claude just completed a coding task (implementation, bug fix, refactoring — not just answering a question or exploring the codebase). If a coding task was completed, check whether `mise run check` was run AND passed (or the relevant subset of checks for the changed files). If a coding task was completed but check was not run or did not pass, respond {\"ok\": false, \"reason\": \"Run `mise run check` and fix any failures before stopping.\"}. If no coding task was done, or checks already passed, respond {\"ok\": true}. Context: $ARGUMENTS",
+            "timeout": 30
+          }
+        ]
+      }
+    ]
+  }
+}

.github/actions/setup-docker/action.yaml

@@ -20,14 +20,14 @@ runs:
   using: "composite"
   steps:
     - name: "Restore docker caches"
-      uses: "actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7" # v5.0.2
+      uses: "actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306" # v5.0.3
       with:
         path: ".cache/docker"
         key: "${{ inputs.cache-key }}-docker-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('mise.lock', 'Cargo.lock', 'pyproject.toml', 'pnpm-lock.yaml', 'uv.lock') }}"
         restore-keys: |
           ${{ inputs.cache-key }}-docker-${{ runner.os }}-${{ runner.arch }}-
     - name: "Login to GitHub Container Registry"
-      uses: "docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef" # v3.6.0
+      uses: "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" # v3.7.0
       with:
         registry: "ghcr.io"
         username: "${{ github.actor }}"
@@ -41,7 +41,7 @@ runs:
         echo "uid=$(id -u)" >> "$GITHUB_OUTPUT"
         echo "gid=$(id -g)" >> "$GITHUB_OUTPUT"
     - name: "Build Docker image"
-      uses: "docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83" # v6.18.0
+      uses: "docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8" # v6.19.2
       with:
         context: "."
         file: "Dockerfile"
@@ -53,7 +53,7 @@ runs:
           USER_UID=${{ steps.ids.outputs.uid }}
           USER_GID=${{ steps.ids.outputs.gid }}
     - name: "Start persistent container"
-      uses: "hoverkraft-tech/compose-action@05da55b2bb8a5a759d1c4732095044bd9018c050" # v2.4.3
+      uses: "hoverkraft-tech/compose-action@4894d2492015c1774ee5a13a95b1072093087ec3" # v2.5.0
       env:
         COMPOSE_IMAGE: "${{ inputs.docker-image }}"
       with:

.github/actions/setup-native/action.yaml

@@ -14,7 +14,7 @@ runs:
   using: "composite"
   steps:
     - name: "Restore native caches"
-      uses: "actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7" # v5.0.2
+      uses: "actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306" # v5.0.3
       with:
         path: ".cache/native"
         key: "${{ inputs.cache-key }}-native-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('Cargo.lock', 'pyproject.toml', 'pnpm-lock.yaml', 'uv.lock') }}"

.github/actions/setup/action.yaml

@@ -26,7 +26,7 @@ runs:
   using: "composite"
   steps:
     - name: "Restore shared caches"
-      uses: "actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7" # v5.0.2
+      uses: "actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306" # v5.0.3
       with:
         path: ".cache/shared"
         key: "${{ inputs.cache-key }}-shared-${{ runner.os }}-${{ runner.arch }}"

.github/workflows/regular.yaml

@@ -94,7 +94,7 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
       - name: "Run zizmor"
-        uses: "zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95" # v0.4.1
+        uses: "zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d" # v0.5.0
         with:
           persona: "auditor"
         env:
@@ -114,7 +114,7 @@ jobs:
           fetch-depth: 1
           persist-credentials: false
       - name: "Run Trivy vulnerability scanner"
-        uses: "aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8" # v0.33.1
+        uses: "aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284" # v0.34.0
         with:
           trivy-config: "trivy.yaml"
           scan-type: "fs"
@@ -123,6 +123,6 @@ jobs:
           output: "trivy-results.sarif"
           ignore-unfixed: true
       - name: "Upload Trivy scan results to GitHub Security tab"
-        uses: "github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789" # v4.31.11
+        uses: "github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6" # v4.32.3
         with:
           sarif_file: "trivy-results.sarif"

.github/workflows/release.yaml

@@ -79,7 +79,7 @@ jobs:
           docker-service: "${{ needs.init.outputs.docker-service }}"
           run: 'pnpm -F "{packages/node}" run pack-addon'
       - name: "Attest build provenance"
-        uses: "actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8" # v3.1.0
+        uses: "actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f" # v3.2.0
         with:
           subject-path: "packages/node/dist/*.gz"
       - name: "Upload node addon"
@@ -125,7 +125,7 @@ jobs:
             pnpm -F "{packages/node}" run bump-version
             pnpm -F "{packages/node}" run build:ts
       - name: "Attest build provenance"
-        uses: "actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8" # v3.1.0
+        uses: "actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f" # v3.2.0
         with:
           subject-path: "packages/node/package.tar.gz"
       - name: "Finalize release"

.mise-version

@@ -1 +1 @@
-v2026.1.6
+v2026.2.11