build(deps): bump the dependencies group with 13 updates

[dependabot]

Bumps the dependencies group with 13 updates:

Package	From	To
@google/genai	2.3.0	2.6.0
openai	6.38.0	6.39.0
qs	6.15.1	6.15.2
shiki	4.0.2	4.1.0
@types/node	25.8.0	25.9.1
@typescript/native-preview	7.0.0-dev.20260516.1	7.0.0-dev.20260522.1
@vitest/coverage-v8	4.1.6	4.1.7
devtools-protocol	0.0.1629771	0.0.1634055
oxfmt	0.50.0	0.51.0
oxlint	1.65.0	1.66.0
puppeteer-core	25.0.2	25.0.4
tsx	4.22.0	4.22.3
vitest	4.1.6	4.1.7

Updates @google/genai from 2.3.0 to 2.6.0

Release notes

Sourced from @​google/genai's releases.

v2.6.0

2.6.0 (2026-05-21)

Features

• add enable_prompt_injection_detection for Computer Use feature for the Gemini API. (f780f3c)
• Add budget_exceeded status (1e97bd0)
• Add gemini-3.5-flash (1e97bd0)
• add new fields (b78eeee)

v2.5.0

2.5.0 (2026-05-20)

Features

• Add Gemini 3.5 Flash model to options (fcf26e3)

v2.4.0

2.4.0 (2026-05-17)

Features

• support Agent and Environment APIs. (b0d9d2b)

Bug Fixes

• output_text for turns that don't end with text. (1a3d94f)

Changelog

Sourced from @​google/genai's changelog.

2.6.0 (2026-05-21)

Features

• add enable_prompt_injection_detection for Computer Use feature for the Gemini API. (f780f3c)
• Add budget_exceeded status (1e97bd0)
• Add gemini-3.5-flash (1e97bd0)
• add new fields (b78eeee)

2.5.0 (2026-05-20)

Features

• Add Gemini 3.5 Flash model to options (fcf26e3)

2.4.0 (2026-05-17)

Features

• support Agent and Environment APIs. (b0d9d2b)

Bug Fixes

• output_text for turns that don't end with text. (1a3d94f)

Commits

• a631549 chore(main): release 2.6.0 (#1623)
• f780f3c feat: add enable_prompt_injection_detection for Computer Use feature for th...
• b78eeee feat: add new fields
• 1e97bd0 feat: Add budget_exceeded status
• 2cb1814 chore(main): release 2.5.0 (#1616)
• f06e3a2 chore: update comment in BatchJobOutputInfo to unblock javadoc generation
• fcf26e3 feat: Add Gemini 3.5 Flash model to options
• b252753 chore: Cleanup
• dbe4484 chore(main): release 2.4.0 (#1604)
• b0d9d2b feat: support Agent and Environment APIs.
• Additional commits viewable in compare view

Updates openai from 6.38.0 to 6.39.0

Release notes

Sourced from openai's releases.

v6.39.0

6.39.0 (2026-05-21)

Full Changelog: v6.38.0...v6.39.0

Features

• api: api update (33ea11f)
• api: manual updates (c210b09)
• api: manual updates (92df9dc)
• api: update OpenAPI spec or Stainless config (c7c0f52)

Bug Fixes

• types: allow runtime fetch options (8f5003d)
• typescript: upgrade tsc-multi so that it works with Node 26 (068f9c6)

Chores

• api: docs updates (9d43adb)
• tests: remove redundant File import (5465bbe)

Changelog

Sourced from openai's changelog.

6.39.0 (2026-05-21)

Full Changelog: v6.38.0...v6.39.0

Features

• api: api update (33ea11f)
• api: manual updates (c210b09)
• api: manual updates (92df9dc)
• api: update OpenAPI spec or Stainless config (c7c0f52)

Bug Fixes

• types: allow runtime fetch options (8f5003d)
• typescript: upgrade tsc-multi so that it works with Node 26 (068f9c6)

Chores

• api: docs updates (9d43adb)
• tests: remove redundant File import (5465bbe)

Commits

• 2002111 release: 6.39.0
• d6dc9b7 feat(api): manual updates
• 7444892 feat(api): api update
• f5db3f1 fix(types): allow runtime fetch options
• 33b391a chore(api): docs updates
• bfe3016 fix(typescript): upgrade tsc-multi so that it works with Node 26
• 3320b20 chore(tests): remove redundant File import
• 3250890 feat(api): manual updates
• d9fbf39 feat(api): update OpenAPI spec or Stainless config
• 8a8436e codegen metadata
• Additional commits viewable in compare view

Updates qs from 6.15.1 to 6.15.2

Changelog

Sourced from qs's changelog.

6.15.2

• [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + encodeValuesOnly instead of crashing in encoder
• [Fix] stringify: use configured delimiter after charsetSentinel (#555)
• [Fix] stringify: apply formatter to encoded key under strictNullHandling (#554)
• [Fix] stringify: skip null/undefined filter-array entries instead of crashing in encoder (#551)
• [Fix] parse: handle nested bracket groups and add regression tests (#530)
• [readme] fix grammar (#550)
• [Dev Deps] update @ljharb/eslint-config
• [Tests] add regression tests for keys containing percent-encoded bracket text

Commits

• 9aca407 v6.15.2
• 5e33d33 [Dev Deps] update @ljharb/eslint-config
• 21f80b3 [Fix] stringify: skip null/undefined entries in arrayFormat: 'comma' + `e...
• a0a81ea [Fix] stringify: use configured delimiter after charsetSentinel
• e3062f7 [Fix] stringify: apply formatter to encoded key under strictNullHandling
• 0c180a4 [Fix] stringify: skip null/undefined filter-array entries instead of crashi...
• 3a8b94a [Tests] add regression tests for keys containing percent-encoded bracket text
• 96755ab [readme] fix grammar
• a419ce5 [Fix] parse: handle nested bracket groups and add regression tests
• See full diff in compare view

Updates shiki from 4.0.2 to 4.1.0

Release notes

Sourced from shiki's releases.

v4.1.0

   🐞 Bug Fixes

• twoslash: Forward tsModule to createTwoslasher  -  by @​arthurfiorette in shikijs/shiki#1271 (be89a)

    View changes on GitHub

Commits

• c809af9 chore: release v4.1.0
• 95371cb chore: lint
• See full diff in compare view

Updates @types/node from 25.8.0 to 25.9.1

Commits

• See full diff in compare view

Updates @typescript/native-preview from 7.0.0-dev.20260516.1 to 7.0.0-dev.20260522.1

Commits

• See full diff in compare view

Updates @vitest/coverage-v8 from 4.1.6 to 4.1.7

Release notes

Sourced from @​vitest/coverage-v8's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• a09d472 chore: release v4.1.7
• See full diff in compare view

Updates devtools-protocol from 0.0.1629771 to 0.0.1634055

Commits

• e47d08c Roll protocol to r1634055
• 357026f Roll protocol to r1632630
• See full diff in compare view

Updates oxfmt from 0.50.0 to 0.51.0

Changelog

Sourced from oxfmt's changelog.

Changelog

All notable changes to this package will be documented in this file.

The format is based on Keep a Changelog.

Commits

• 5570206 release(apps): oxlint v1.66.0 && oxfmt v0.51.0 (#22528)
• See full diff in compare view

Updates oxlint from 1.65.0 to 1.66.0

Release notes

Sourced from oxlint's releases.

oxlint v1.27.0 && oxfmt v0.12.0

Oxlint v1.27.0

🚀 Features

• 222a8f0 linter/plugins: Implement SourceCode#isSpaceBetween (#15498) (overlookmotel)
• 2f9735d linter/plugins: Implement context.languageOptions (#15486) (overlookmotel)
• bc731ff linter/plugins: Stub out all Context APIs (#15479) (overlookmotel)
• 5822cb4 linter/plugins: Add extend method to FILE_CONTEXT (#15477) (overlookmotel)
• 7b1e6f3 apps: Add pure rust binaries and release to github (#15469) (Boshen)
• 2a89b43 linter: Introduce debug assertions after fixes to assert validity (#15389) (camc314)
• ad3c45a editor: Add oxc.path.node option (#15040) (Sysix)

🐛 Bug Fixes

• 6f3cd77 linter/no-var: Incorrect warning for blocks (#15504) (Hamir Mahal)
• 6957fb9 linter/plugins: Do not allow access to Context#id in createOnce (#15489) (overlookmotel)
• 7409630 linter/plugins: Allow access to cwd in createOnce in ESLint interop mode (#15488) (overlookmotel)
• 732205e parser: Reject using / await using in a switch case / default clause (#15225) (sapphi-red)
• a17ca32 linter/plugins: Replace Context class (#15448) (overlookmotel)
• ecf2f7b language_server: Fail gracefully when tsgolint executable not found (#15436) (camc314)
• 3c8d3a7 lang-server: Improve logging in failure case for tsgolint (#15299) (camc314)
• ef71410 linter: Use jsx if source type is JS in fix debug assertion (#15434) (camc314)
• e32bbf6 linter/no-var: Handle TypeScript declare keyword in fixer (#15426) (camc314)
• 6565dbe linter/switch-case-braces: Skip comments when searching for : token (#15425) (camc314)
• 85bd19a linter/prefer-class-fields: Insert value after type annotation in fixer (#15423) (camc314)
• fde753e linter/plugins: Block access to context.settings in createOnce (#15394) (overlookmotel)
• ddd9f9f linter/forward-ref-uses-ref: Dont suggest removing wrapper in invalid positions (#15388) (camc314)
• dac2a9c linter/no-template-curly-in-string: Remove fixer (#15387) (camc314)
• 989b8e3 linter/no-var: Only fix to const if the var has an initializer (#15385) (camc314)
• cc403f5 linter/plugins: Return empty object for unimplemented parserServices (#15364) (magic-akari)

⚡ Performance

• 25d577e language_server: Start tools in parallel (#15500) (Sysix)
• 3c57291 linter/plugins: Optimize loops (#15449) (overlookmotel)
• 3166233 linter/plugins: Remove Arcs (#15431) (overlookmotel)
• 9de1322 linter/plugins: Lazily deserialize settings JSON (#15395) (overlookmotel)
• 3049ec2 linter/plugins: Optimize deepFreezeSettings (#15392) (overlookmotel)
• 444ebfd linter/plugins: Use single object for parserServices (#15378) (overlookmotel)

📚 Documentation

• 97d2104 linter: Update comment in lint.rs about default value for tsconfig path (#15530) (Connor Shea)
• 2c6bd9e linter: Always refer as "ES2015" instead of "ES6" (#15411) (sapphi-red)
• a0c5203 linter/import/named: Update "ES7" comment in examples (#15410) (sapphi-red)
• 3dc24b5 linter,minifier: Always refer as "ES Modules" instead of "ES6 Modules" (#15409) (sapphi-red)
• 2ad77fb linter/no-this-before-super: Correct "Why is this bad?" section (#15408) (sapphi-red)
• 57f0ce1 linter: Add backquotes where appropriate (#15407) (sapphi-red)

Oxfmt v0.12.0

... (truncated)

Changelog

Sourced from oxlint's changelog.

[1.66.0] - 2026-05-18

🚀 Features

• 0440b0f linter/eslint: Implement id-match rule (#22379) (Vladislav Sayapin)
• 65bf119 linter: Implement react no-object-type-as-default-prop (#22481) (uhyo)
• 2a6ddce linter/eslint: Implement no-implied-eval rule (#22391) (Vladislav Sayapin)
• 625758a linter/vitest: Implement padding-around-after-all-blocks rule (#21788) (kapobajza)
• 37680b0 linter: Implement react no-unstable-nested-components (#22248) (Jovi De Croock)
• d8d9c74 linter: Implement import/newline-after-import rule (#19142) (Ryuya Yanagi)

Commits

• 5570206 release(apps): oxlint v1.66.0 && oxfmt v0.51.0 (#22528)
• 0440b0f feat(linter/eslint): implement id-match rule (#22379)
• 65bf119 feat(linter): implement react no-object-type-as-default-prop (#22481)
• 2a6ddce feat(linter/eslint): implement no-implied-eval rule (#22391)
• 625758a feat(linter/vitest): Implement padding-around-after-all-blocks rule (#21788)
• 37680b0 feat(linter): implement react no-unstable-nested-components (#22248)
• d8d9c74 feat(linter): implement import/newline-after-import rule (#19142)
• See full diff in compare view

Updates puppeteer-core from 25.0.2 to 25.0.4

Release notes

Sourced from puppeteer-core's releases.

puppeteer-core: v25.0.4

25.0.4 (2026-05-18)

🛠️ Fixes

• Throw TargetCloseError when session ID not found (#15002) (611abef)

puppeteer-core: v25.0.3

25.0.3 (2026-05-18)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.2 to 3.0.3

Changelog

Sourced from puppeteer-core's changelog.

25.0.4 (2026-05-18)

♻️ Chores

• puppeteer: Synchronize puppeteer versions

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • puppeteer-core bumped from 25.0.3 to 25.0.4

🛠️ Fixes

• Throw TargetCloseError when session ID not found (#15002) (611abef)

25.0.3 (2026-05-18)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​puppeteer/browsers bumped from 3.0.2 to 3.0.3

Commits

• 019b49b chore: release main (#15003)
• 611abef fix: Throw TargetCloseError when session ID not found (#15002)
• 272b850 chore(webmcp): Update list tools test with fixed declarative behavior (#15000)
• acb4b9e chore: release main (#14999)
• cce47de fix: fix tar.exe invocation (#14997)
• 2e315b9 chore(deps): bump the all group with 2 updates (#14995)
• 042838f chore(deps): bump node from e989123 to 050bf2b in /docker in the all grou...
• See full diff in compare view

Updates tsx from 4.22.0 to 4.22.3

Release notes

Sourced from tsx's releases.

v4.22.3

4.22.3 (2026-05-19)

Bug Fixes

• decode typed loader source (dce02fc)
• preserve entrypoint with TypeScript preload hooks (68f72f3)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.2

4.22.2 (2026-05-18)

Bug Fixes

• preserve CJS JSON require in ESM hooks (35b700b)
• preserve named exports from CommonJS TypeScript (11de737)
• support module.exports require(esm) interop (cf8f199)

---

This release is also available on:

• npm package (@​latest dist-tag)

v4.22.1

4.22.1 (2026-05-17)

Bug Fixes

• resolve tsconfig path aliases containing a colon (#780) (6979f28)

---

This release is also available on:

• npm package (@​latest dist-tag)

Commits

• dce02fc fix: decode typed loader source
• 68f72f3 fix: preserve entrypoint with TypeScript preload hooks
• 69455cf test: cover package exports for ambiguous ESM reexports
• 35b700b fix: preserve CJS JSON require in ESM hooks
• ef807db chore: update testing dependencies
• 3917090 test: document compatibility test taxonomy
• de8113f refactor: centralize Node capability facts
• c1f62db test: consolidate tsconfig path edge coverage
• 4e08174 test: consolidate loader hook coverage
• 674bb30 test: consolidate tsImport commonjs mts coverage
• Additional commits viewable in compare view

Updates vitest from 4.1.6 to 4.1.7

Release notes

Sourced from vitest's releases.

v4.1.7

   🐞 Bug Fixes

• runner: Limit concurrency per task branch in addition to per leaf callbacks (backport)  -  by @​hi-ogawa in vitest-dev/vitest#10384 (4f0f2)

    View changes on GitHub

Commits

• a09d472 chore: release v4.1.7
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[clawsweeper]

Codex review: needs maintainer review before merge.

Latest ClawSweeper review: 2026-05-22 20:32 UTC / May 22, 2026, 4:32 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
This Dependabot PR refreshes package.json and pnpm-lock.yaml for 13 runtime and development dependency updates.

Reproducibility: not applicable. this is a dependency refresh PR, not a bug report with a reproduction path.

PR rating
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Summary: Routine dependency PR with no blocking patch defect found, while provider and browser smoke validation remains the main merge confidence step.

Rank-up moves:

• Run CI plus focused OpenAI/Gemini and browser smoke coverage before merge.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Not applicable: Dependabot bot PRs are not subject to the contributor real-behavior proof gate.

Risk before merge

• OpenAI and Gemini SDK updates can affect provider request/response behavior even though this PR has no source changes.
• Puppeteer and DevTools protocol updates can affect browser-mode availability, so browser smoke coverage matters before merge.

Maintainer options:

1. Gate on targeted smokes (recommended)
   Run the normal checks plus focused OpenAI/Gemini and browser smoke coverage before merging the grouped provider and browser dependency bumps.
2. Split risky runtime bumps
   If any provider or browser smoke fails, split the runtime SDK and browser automation bumps away from formatting/test-tool updates for narrower review.
3. Accept routine Dependabot risk
   Maintainers may merge as routine dependency maintenance if CI and release-note review are enough for this repository's tolerance.

Next step before merge
The remaining action is maintainer validation and merge judgment for a dependency refresh, not an automated repair.

Security
Cleared: No concrete security or supply-chain regression is visible because the PR only changes package.json and pnpm-lock.yaml and does not add scripts, workflow permissions, or lifecycle allowlist entries.

Review details

Best possible solution:

Merge the dependency refresh only after CI and targeted OpenAI, Gemini, and browser smoke coverage pass for the touched runtime packages.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this is a dependency refresh PR, not a bug report with a reproduction path.

Is this the best way to solve the issue?

Yes, a Dependabot manifest and lockfile refresh is the normal solution for keeping these packages current; the safer merge path is to gate it with targeted provider and browser validation.

Label changes:

• add P3: This is routine dependency maintenance with no direct application source changes.
• add merge-risk: 🚨 auth-provider: The PR updates OpenAI and Gemini SDK versions used by the runtime provider clients.
• add merge-risk: 🚨 availability: The PR updates Puppeteer and DevTools protocol packages used by browser-mode tooling.
• add rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Routine dependency PR with no blocking patch defect found, while provider and browser smoke validation remains the main merge confidence step.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PRs are not subject to the contributor real-behavior proof gate.

Label justifications:

• P3: This is routine dependency maintenance with no direct application source changes.
• merge-risk: 🚨 auth-provider: The PR updates OpenAI and Gemini SDK versions used by the runtime provider clients.
• merge-risk: 🚨 availability: The PR updates Puppeteer and DevTools protocol packages used by browser-mode tooling.
• rating: 🐚 platinum hermit: Current PR rating is 🐚 platinum hermit because proof is 🌊 off-meta tidepool, patch quality is 🐚 platinum hermit, and Routine dependency PR with no blocking patch defect found, while provider and browser smoke validation remains the main merge confidence step.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: Dependabot bot PRs are not subject to the contributor real-behavior proof gate.

Acceptance criteria:

• pnpm run check
• pnpm test
• pnpm run test:browser
• ORACLE_LIVE_TEST=1 pnpm vitest run tests/live/gemini-live.test.ts tests/live/openai-live.test.ts

What I checked:

• Changed files: The provided PR diff changes only package.json and pnpm-lock.yaml, with manifest edits to pinned dev dependencies and the devtools-protocol override plus the corresponding lockfile refresh. (package.json:90, 644d60b50587)
• Provider SDK surface: Current main uses openai in the default client factory and @google/genai in the Gemini adapter, so the OpenAI and Gemini package bumps are runtime-provider relevant rather than test-only churn. (src/oracle/client.ts:1, e0cfed0c449d)
• Gemini adapter surface: The Gemini client imports GoogleGenAI, HarmCategory, HarmBlockThreshold, and SDK response/tool types directly from @google/genai. (src/oracle/gemini.ts:1, e0cfed0c449d)
• Browser and rendering surface: Current main uses shiki for terminal/docs rendering, puppeteer-core for browser tools, and devtools-protocol types for browser protocol integration, matching several updated packages in the PR. (src/cli/markdownRenderer.ts:3, e0cfed0c449d)
• Dependency block provenance: The current package dependency block is attributed to the v0.13.0 release commit, and recent package history shows repeated dependency refreshes plus a prior grouped Dependabot update. (package.json:59, abb7c9a7d9c8)
• Feature-history provenance: History around the touched provider/browser dependency surfaces includes OpenAI provider routing work and the @google/genai migration, which are the relevant areas to smoke after this bump. (package.json:77, 85b0045c1614)

Likely related people:

• Peter Steinberger: Package dependency lines are currently attributed to the v0.13.0 release commit, and recent history shows Peter updating OpenAI/Gemini routing and dependency versions. (role: recent dependency and provider-routing contributor; confidence: high; commits: abb7c9a7d9c8, 85b0045c1614, 35e110603cd9; files: package.json, pnpm-lock.yaml, src/oracle/client.ts)
• Soham Dasgupta: Prior history shows related custom-base-url routing work in the OpenAI-compatible client path affected by provider SDK upgrades. (role: adjacent provider-routing contributor; confidence: medium; commits: 188ac5729710; files: src/oracle/client.ts)

Codex review notes: model gpt-5.5, reasoning high; reviewed against e0cfed0c449d.

[clawsweeper]

ClawSweeper PR egg

✨ Hatched: 🥚 common Brave Review Wisp

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

Rarity: 🥚 common.
Trait: hums during re-review.
Image traits: location workflow harbor; accessory tiny test log scroll; palette seafoam, black, and opal; mood determined; pose curling around a status light; shell woven fiber shell; lighting bright celebratory glints; background small green status lights.
Share on X: post this hatch
Copy: My PR egg hatched a 🥚 common Brave Review Wisp in ClawSweeper.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.