fix(security): remove stale package-lock.json (21 Dependabot alerts)

[ibuildthings-instrumentl]

Summary

• Removes the stale package-lock.json that was left behind after the npm → Bun migration (commit c85622fb)
• Adds package-lock.json to .gitignore to prevent re-introduction
• Resolves all 21 open Dependabot security alerts, which all target the stale lockfile

Context

The project migrated to Bun and uses bun.lock as the authoritative lockfile. The old package-lock.json contained outdated transitive dependency versions that Dependabot flagged:

Package	Severity	Alert Count
undici	high/medium	5
axios	high/medium	3
minimatch	high	2
lodash	high/medium	3
path-to-regexp	high/medium	2
flatted	high	1
follow-redirects	medium	1
picomatch	medium	1
qs	low/medium	2
Total		21

The actual versions in bun.lock are already newer for most of these packages.

Test plan

• Verified bun.lock exists and is the active lockfile
• Verified no CI config, scripts, or source files depend on package-lock.json
• Dependabot alerts should auto-close once merged to main

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features

  • Added Scout APM performance optimization workflow for profiling and optimizing slow routes across your application.
  • Introduced Slack feature-to-review-app workflow enabling end-to-end feature request processing with interactive approval gates and automatic review app deployment.
  • Added interactive approval/feedback buttons in Slack for workflow gates.
  • Implemented workflow status heartbeats on chat platforms to keep users updated on long-running operations.
  • Added automatic receipt acknowledgment via emoji reactions on incoming Slack messages.

• Updates

  • Slack integration now requires reactions:write scope for enhanced interaction features.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

This PR introduces an end-to-end interactive workflow for converting Slack feature requests to deployable review apps, including Scout performance optimization pipelines, new CLI helper scripts for CI/review app automation, interactive approval gates in Slack, and workflow heartbeat status messages for chat platforms.

Changes

Cohort / File(s)	Summary
Scout Performance Commands & Workflows .archon/commands/defaults/scout-discover-routes.md, .archon/commands/defaults/scout-consolidate-perf-plan.md, .archon/workflows/defaults/archon-scout-perf-roadmap.yaml	Adds new Scout APM discovery, profiling, and consolidation workflow pipeline with 10 parallel profiling jobs, consolidated planning, and interactive plan refinement loop.
Slack Feature-to-Review-App Workflow .archon/workflows/defaults/archon-slack-feature-to-review-app.yaml, docs/plans/2026-04-17-slack-archie-feature-to-review-app-plan.md, docs/specs/2026-04-17-slack-archie-feature-to-review-app-design.md	Defines an interactive multi-phase workflow: spec creation, planning, implementation, two-round code review with multi-agent synthesis, CI waiting, review app deployment, and Slack thread updates.
CLI Helper Scripts .archon/scripts/ci-wait.js, .archon/scripts/dispatch-review-app.js, .archon/scripts/fetch-review-app-url.js	Three new Bun executables: enforce hard timeout on gh pr checks --watch, dispatch GitHub Actions workflows via gh, and poll PR comments to extract review-app URL via regex matching.
Slack Adapter Interactive Gates & Receipt packages/adapters/src/chat/slack/adapter.ts, packages/adapters/src/chat/slack/adapter.test.ts	Adds gate action blocks (Approve/Request changes buttons) to loop-node messages, modal submission for feedback, and new acknowledgeReceipt() method posting :eyes: reaction on incoming messages.
Interactive Gate Metadata packages/core/src/types/index.ts, packages/workflows/src/deps.ts, packages/workflows/src/dag-executor.ts, packages/workflows/src/dag-executor.test.ts	Extends MessageMetadata and WorkflowMessageMetadata with optional interactiveGate field; updates loop-node gate-message dispatch to include run/node context.
Workflow Heartbeat Feature packages/workflows/src/workflow-heartbeat.ts, packages/workflows/src/workflow-heartbeat.test.ts	New module for periodic status messages on long-running workflows on chat platforms (Slack, Telegram, Discord); tracks active nodes and tool calls; post failures are silently logged.
Bundled Workflow Registration packages/workflows/src/defaults/bundled-defaults.ts, packages/workflows/src/defaults/bundled-defaults.test.ts	Imports and registers new archon-slack-feature-to-review-app workflow in BUNDLED_WORKFLOWS map; updates test expectations from 13 to 14 bundled workflows.
Configuration & Environment .archon/config.yaml, .cursor/mcp.json, .gitignore	Adds .env file copying to worktrees; configures Scout APM MCP server with Docker and env-var substitution; ignores package-lock.json.
Setup & Documentation .claude/skills/archon/guides/setup.md, .claude/skills/archon/guides/slack.md, packages/cli/src/commands/setup.ts, packages/docs-web/src/content/docs/adapters/slack.md, AGENTS.md	Updates Slack bot setup to require reactions:write scope; removes Claude binary path guidance; adds workspace notes on bun install and platform connection UI behavior.
Server & Slack Orchestration packages/server/src/index.ts	Fire-and-forget call to slackAdapter.acknowledgeReceipt() immediately after message validation, before thread-context retrieval.
Dependencies & State package.json, .cursor/hooks/state/continual-learning-index.json, .cursor/hooks/state/continual-learning.json	Adds overrides for flatted, axios, follow-redirects, lodash, path-to-regexp, picomatch, undici; adds continual-learning hook state files.

Sequence Diagram(s)

sequenceDiagram
    participant User as Slack User
    participant Slack as Slack Thread
    participant Orchestrator as Workflow Orchestrator
    participant CodeReview as Code Review Agents
    participant CI as CI System
    participant ReviewApp as Review App Deployment
    participant PrRepo as Pull Request

    User->>Slack: Request feature via `@archie`
    Slack->>Orchestrator: Extract feature request
    Orchestrator->>Orchestrator: Loop: Spec creation + approval
    Note over Orchestrator: Up to 3 iterations<br/>or explicit SPEC_APPROVED
    Orchestrator->>Slack: Post spec, await approval
    Slack->>Slack: User approves
    
    Orchestrator->>Orchestrator: Plan + Implementation
    Orchestrator->>PrRepo: Create Draft PR
    Orchestrator->>CodeReview: Round 1: Parallel review agents
    CodeReview->>CodeReview: Synthesize findings
    alt Has Blocking Issues
        Orchestrator->>Orchestrator: Apply fixes
        Orchestrator->>CodeReview: Round 2: Re-review
        CodeReview->>CodeReview: Synthesize again
    end
    
    Orchestrator->>CI: Wait for PR checks
    Note over Orchestrator: Enforce 60-min timeout
    CI->>Orchestrator: Checks pass
    
    Orchestrator->>ReviewApp: Dispatch deployment workflow
    ReviewApp->>ReviewApp: Deploy PR branch
    Orchestrator->>PrRepo: Poll comments for URL
    PrRepo->>Orchestrator: Extract URL via regex
    
    Orchestrator->>Slack: Post final message<br/>with PR & review-app URLs

Loading

sequenceDiagram
    participant Workflow as Interactive Loop Node
    participant SlackAdapter as Slack Adapter
    participant Slack as Slack
    participant User as Slack User

    Workflow->>SlackAdapter: sendMessage(text, metadata: interactiveGate)
    SlackAdapter->>SlackAdapter: Encode runId/nodeId in action IDs
    SlackAdapter->>Slack: Post with Approve & Request buttons
    Slack->>User: Display message + buttons
    
    User->>Slack: Click Approve
    Slack->>SlackAdapter: block_action (approve action)
    SlackAdapter->>SlackAdapter: Decode runId/nodeId
    SlackAdapter->>Slack: chat.update message
    SlackAdapter->>Workflow: Synthetic thread message: "approved"
    Workflow->>Workflow: Emit PROMISE_APPROVED
    
    alt User Clicks Request Changes
        User->>Slack: Click Request changes
        Slack->>SlackAdapter: block_action (request action)
        SlackAdapter->>Slack: Open modal with feedback form
        User->>Slack: Submit feedback
        Slack->>SlackAdapter: modal submission
        SlackAdapter->>Workflow: Synthetic message with feedback
    end

Loading

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Possibly Related PRs

• fix(bundled-defaults): auto-generate import list, emit inline strings #1263: Implements auto-generation pipeline for bundled-defaults registration, directly superseding the manual workflow registration in this PR's bundled-defaults.ts changes.
• feat(web): loop node iteration visibility in workflow execution view #1026: Modifies dag-executor.ts safeSendMessage calls to attach metadata (category: 'tool_call_formatted'), overlapping with this PR's addition of interactiveGate metadata to the same call site.
• docs(worktree): fix stale rename example + document copyFiles properly #1328: Updates worktree.copyFiles configuration and documentation; this PR adds .env to the same configuration section.

Poem

🐰 A rabbit hops through Slack with glee,
Approvals flow from button clicks so free,
Scout finds the routes that make apps slow,
Review apps bloom from features' show,
Heartbeats keep us in the know! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 26.32% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title accurately describes the main change: removing a stale package-lock.json file that was causing 21 Dependabot security alerts.
Description check	✅ Passed	The PR description is largely complete and follows the template structure with Summary, Context, Test plan sections, though some template sections (Architecture Diagram, Label Snapshot, Validation Evidence, Security Impact, etc.) are missing or incomplete.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch fix/remove-stale-package-lock

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}