Antipattern Hook: python-jose → PyJWT

The follow-up flagged in PR #2147 (“out of scope”). The OrchestKit antipattern hook was still recommending python-jose as an "established" JWT library — the same unmaintained, CVE-2025-61152-affected library the 2026-05-31 audit migrated every skill away from. This corrects the advice at its source so the hook stops recommending a dead lib.

Source of truth → materialized rule file

flowchart LR A["STATIC_ANTIPATTERNS[]
antipattern-warning.ts"] -->|materializeAntipatternRules()
at SessionStart| B[".claude/rules/antipatterns.md"] B -->|auto-loaded by CC| C["every prompt (free)"] A -->|esbuild| D["dist/*.mjs + plugins/ mirror"]

Because the .md is generated from the array, the array is the only real edit; the committed .md snapshot + the dist/ bundles + the plugins/ mirror are regenerated by the build.

The change

  {
    pattern: 'manual jwt validation',
    warning:
-     'Manual JWT validation is error-prone. Use established libraries like python-jose or jsonwebtoken.',
+     'Manual JWT validation is error-prone. Use established libraries like PyJWT or jsonwebtoken.',
  },

PyJWT is the maintained Python JWT library (jsonwebtoken stays as the JS example).

Why it was safe / why it isn't tested-coupled

Verification

Done in an isolated git worktree — 13 concurrent Claude sessions were live, which thrashes a shared working tree.