This is the follow-up flagged as “out of scope” in PR #2147. The OrchestKit antipattern hook was still
recommending python-jose as an "established" JWT library — the same unmaintained,
CVE-2025-61152-affected library the 2026-05-31 audit migrated every skill away from. This corrects
the advice at its source so the hook stops recommending a dead lib.
Because the .md is generated from the array, the array is the only real edit; the committed
.md snapshot + the dist/ bundles + the plugins/ mirror are regenerated by the build.
{
pattern: 'manual jwt validation',
warning:
- 'Manual JWT validation is error-prone. Use established libraries like python-jose or jsonwebtoken.',
+ 'Manual JWT validation is error-prone. Use established libraries like PyJWT or jsonwebtoken.',
},
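Review bot: the `+` line fixes the recommendation, but nothing in this hunk asserts on the new warning text, and the description notes that antipattern-warning.test.ts matches on the pattern key (`'manual jwt validation'`), not the warning; consider adding one assertion that the warning for that pattern mentions PyJWT and no longer mentions python-jose, so a future regeneration or revert of the string is caught by the unit tests rather than only by grepping dist/. The hunk also carries no file header, so a reader cannot tell which source file holds the array; naming it in the description would help.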
PyJWT is the maintained Python JWT library (jsonwebtoken stays as the JS example).
'manual jwt validation'), not the warning text — so changing the recommendation doesn't break it.
drift-detection.test.ts hashes rule files session-over-session with mocked content; it does not compare the committed snapshot to the materializer output.
python-jose.
cd src/hooks && npm run build — bundle rebuilt; 0 python-jose left in dist/
npm run build — plugins/ mirror updated, drift-free
npm run test:security — must pass (security-sensitive hook path)
npm run typecheck + hook unit tests (antipattern-warning.test.ts)
Done in an isolated git worktree — 13 concurrent Claude sessions were live, which thrashes a shared working tree.
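The description makes two points that are easy to lose: the .md is a materialized view of the rule array, and the existing drift test does not compare the committed snapshot with the materializer output, so a stale snapshot (or a stale recommendation) would not fail CI. The block below is an added illustration, not OrchestKit's hook or its tests; the rule shape (`pattern`/`warning`) follows the hunk above, while the names `ANTIPATTERNS`, `scanForAntipatterns`, `materialize`, `snapshotDrift` and `rulesRecommending`, the second rule, and the markdown layout are assumptions constructed for the example.

```typescript
// Added example, not OrchestKit's code. Shows a minimal antipattern rule table,
// the matcher, a materializer that renders the table to markdown, a snapshot
// drift check, and a "no rule still recommends library X" check.

interface AntipatternRule {
  pattern: string; // lowercase substring searched for in the input text
  warning: string; // advice emitted when the pattern is found
}

// Constructed rule table. The JWT entry uses the corrected wording from the PR;
// the second entry is a made-up filler rule so the table has more than one row.
const ANTIPATTERNS: AntipatternRule[] = [
  {
    pattern: 'manual jwt validation',
    warning: 'Manual JWT validation is error-prone. Use established libraries like PyJWT or jsonwebtoken.',
  },
  {
    pattern: 'hand-rolled crypto',
    warning: 'Hand-rolled cryptography is hard to review. Use a maintained, audited library.',
  },
];

// Return the warnings whose pattern occurs in the text (case-insensitive substring match).
function scanForAntipatterns(text: string, rules: AntipatternRule[] = ANTIPATTERNS): string[] {
  const haystack = text.toLowerCase();
  return rules.filter((r) => haystack.includes(r.pattern)).map((r) => r.warning);
}

// Render the rule table to the markdown that would be committed as the snapshot.
function materialize(rules: AntipatternRule[] = ANTIPATTERNS): string {
  const lines = ['# Antipatterns', ''];
  for (const r of rules) {
    lines.push(`- \`${r.pattern}\`: ${r.warning}`);
  }
  return lines.join('\n') + '\n';
}

// Drift check the PR description says the current drift test lacks: compare the
// committed snapshot line-by-line with a fresh materialization. Returns the
// 1-based line numbers that differ; an empty array means the snapshot is drift-free.
function snapshotDrift(committed: string, rules: AntipatternRule[] = ANTIPATTERNS): number[] {
  const want = materialize(rules).split('\n');
  const got = committed.split('\n');
  const drift: number[] = [];
  const n = Math.max(want.length, got.length);
  for (let i = 0; i < n; i++) {
    if (want[i] !== got[i]) drift.push(i + 1);
  }
  return drift;
}

// Recommendation check: which rule patterns still name the given library in their
// advice. Used here to assert that nothing recommends python-jose any more.
function rulesRecommending(lib: string, rules: AntipatternRule[] = ANTIPATTERNS): string[] {
  const needle = lib.toLowerCase();
  return rules.filter((r) => r.warning.toLowerCase().includes(needle)).map((r) => r.pattern);
}

// Stand-alone run: a snapshot that was committed before the wording change drifts on
// the JWT line, and the corrected table recommends PyJWT but not python-jose.
const staleSnapshot = materialize().replace('PyJWT', 'python-jose');
console.log('drift lines:', snapshotDrift(staleSnapshot));
console.log('still recommending python-jose:', rulesRecommending('python-jose'));
console.log(scanForAntipatterns('This service does MANUAL JWT validation by hand.'));
```

The drift check is deliberately a plain string comparison against the materializer, which is what distinguishes it from a test that only hashes mocked rule content: it fails exactly when someone edits the committed .md by hand, or when the array changes and the snapshot is not regenerated.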