chore(main): release 0.8.8

[synthorg-repo-bot]

Highlights

AI-generated summary (model: openai/gpt-4.1-mini via GitHub Models). Commit-based changelog below.

What you'll notice

• New brownfield codebase intake mode supports merger and acquisition scenarios.
• Added deep CEO interview feature to improve project charter creation.
• Introduced mission control and flight recorder operator cockpit for better operational oversight.
• Research mode added for enhanced exploratory work.
• Runtime services now log safety-spine state at boot for clearer diagnostics.

What's new

• Research mode feature enables deeper data exploration.
• CEO interview integration helps shape project charters.
• Mission control and flight recorder cockpit introduced for operational tracking.

Under the hood

• Improved codebase modularity with module-size gates and lint tightening.
• Added init.py to 21 test directories for better test discovery.
• Promoted six transitive dependencies to direct dependencies for clarity.
• Split codespell ignore list into vocabulary and source renames.
• Decomposed oversized web utilities, hooks, and libraries for maintainability.
• Enhanced CI with Lychee link checker integration and retry logic for cosign signing.
• Sharded unit and integration tests and added Postgres service container in CI.
• Updated infrastructure and web dependencies; maintained lock files.

🤖 I have created a release beep boop

0.8.8 (2026-05-24)

Features

• brownfield codebase intake (merger/acquisition entry mode) (#2042) (e287621), closes #1975
• deep CEO interview to project charter (#2045) (904f2fb)
• mission control + flight recorder operator cockpit (#2044) (1c2660b)
• research mode (#2041) (f81a5ac), closes #1989
• surface safety-spine state in runtime-services boot log (closes #2096) (#2097) (f187b31)

Refactoring

• add init.py to 21 leaf test directories (INP001) (#2081) (2592118), closes #2064
• codebase modularity (1/4) - module-size gates + lint tightening + tools (#2078) (556fbd9), closes #2047 #2040
• promote 6 transitive deps to direct deps (#2083) (adedc6a)
• split codespell ignore-words-list into vocab + source renames (#2085) (917d98a), closes #2074
• web: PR A foundation, decompose oversized utils/hooks/lib (#2092) (#2098) (aedbba5)

CI/CD

• exclude slsa.dev from lychee (transient timeout on canonical badge) (#2090) (346c51d)
• fix paths-filter shallow-clone race and scorecard allowlist (#2089) (7cd7ce8)
• refresh .test_durations.{unit,integration} (#2087) (ddf2d86)
• retry cosign sign on transient GHCR/Rekor failures (#2100) (da9422a)
• shard test-unit + test-integration, sysmon coverage, Postgres service container (#2080) (0768787)
• wire Lychee link-checker (workflow + installer + pre-push hook) (#2084) (1c0694a)

Maintenance

• Lock file maintenance (#2086) (a78810a)
• Update Infrastructure dependencies (#2055) (041ad8b)
• Update Web dependencies (#2054) (4d57b9a)

---

This PR was generated with Release Please. See documentation.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[codspeed-hq]

Merging this PR will not alter performance

✅ 54 untouched benchmarks

---

_{Comparing release-please--branches--main--components--synthorg (7c8a4f3) with main (f187b31)¹}

Footnotes

1. No successful run was found on main (da9422a) during the generation of this report, so f187b31 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​class-variance-authority@​0.7.1
	npm/​msw-storybook-addon@​2.0.7
	npm/​esbuild@​0.27.3 ⏵ 0.28.0			+1
	npm/​@​types/​d3-hierarchy@​3.1.7
	npm/​@​types/​d3-force@​3.0.10
	npm/​@​vitest/​coverage-v8@​4.1.7
	npm/​html-to-image@​1.11.13
	npm/​cmdk-base@​1.0.0
	npm/​lucide-react@​1.16.0
	npm/​@​types/​node@​24.12.4 ⏵ 25.9.1
	npm/​cross-env@​10.1.0
	npm/​d3-force@​3.0.0
	npm/​madge@​8.0.0
	npm/​eslint-plugin-security@​4.0.0
	npm/​openapi-typescript@​7.13.0
	npm/​axios@​1.16.1
	npm/​eslint-plugin-react-refresh@​0.5.2
	npm/​eslint@​10.4.0
	npm/​@​xyflow/​react@​12.10.2
	npm/​dpdm@​4.2.0
	npm/​fast-check@​4.8.0
	npm/​@​vitejs/​plugin-react@​5.2.0 ⏵ 6.0.2	+1
	npm/​msw@​2.14.6
	npm/​knip@​6.14.2
	npm/​motion@​12.40.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: web/package-lock.json → npm/@typescript-eslint/eslint-plugin@8.59.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.59.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm chrome-launcher is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: web/package-lock.json → npm/@lhci/cli@0.15.1 → npm/chrome-launcher@0.13.4 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chrome-launcher@0.13.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm csp_evaluator is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: web/package-lock.json → npm/@lhci/cli@0.15.1 → npm/csp_evaluator@1.1.5 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/csp_evaluator@1.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm csp_evaluator is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: web/package-lock.json → npm/@lhci/cli@0.15.1 → npm/csp_evaluator@1.1.5 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/csp_evaluator@1.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm formatly is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: web/package-lock.json → npm/knip@6.14.2 → npm/formatly@0.3.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/formatly@0.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm powershell-utils is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: web/package-lock.json → npm/powershell-utils@0.1.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/powershell-utils@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm puppeteer-core is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: web/package-lock.json → npm/@lhci/cli@0.15.1 → npm/puppeteer-core@24.43.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/puppeteer-core@24.43.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[synthorg-repo-bot]

🤖 Created releases:

• v0.8.8

🌻