Audit Coverage-Miss — Playground

Follow-up to the 2026-05-31 library-currency audit (PRs #2121/2123/2124/2142/2143/2145). The /ork:assess pass found that the audit's per-cluster gap-sweeps were scoped per-skill, so sibling occurrences of already-fixed defects in other skills and in agent files were never touched. This branch closes them — found by re-running each pattern as a repo-wide grep, not per-cluster.

The systemic miss (why a 2nd pass was needed)

flowchart LR
    A["Audit cluster: fix defect in skill X"] -->|per-cluster scope| B["✅ skill X fixed"]
    A -.->|never scoped| C["❌ same defect in skill Y"]
    A -.->|never scoped| D["❌ same defect in AGENT files"]
    C --> E["repo-wide pattern grep (this branch)"]
    D --> E
    E --> F["✅ all siblings closed"]

What this branch fixes

| Pattern | Site(s) | Class |
| --- | --- | --- |
| bare PostgresSaver.from_conn_string() assign (returns a @contextmanager → compile() breaks) | agents/workflow-architect.md; agent-orchestration: claude-code-instance-management.md ×2, langgraph-implementation.md | runtime break |
| from jose import … (python-jose, CVE-2025-61152, unmaintained) | agents/backend-system-architect.md; architecture-patterns: dependency-injection.md, backend-dependency-injection.md | CVE / dead lib |
| plain gpt-5.2 / gpt-5.2-mini / o1 (superseded by GPT-5.5, Apr 2026) | agents/llm-integrator.md (fallback chain + provider tiers) | currency |
| z.string().uuid() / z.string().datetime() (Zod 4 top-level) | agents/frontend-ui-developer.md | currency |
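
The repo-wide sweep described above, sketched as an added example (not this branch's own tooling): it scans every file under a root instead of one skill at a time and groups hits by top-level directory, so agent files and sibling skills show up together. The regexes, the sample paths and the function names are assumptions made for illustration; only the two defect patterns come from the table.

```python
import re
from pathlib import Path

# Patterns come from the "What this branch fixes" table; the regexes are this example's own.
PATTERNS = {
    # Result of from_conn_string() assigned directly; the fixed form starts with `with`.
    "bare-postgressaver": re.compile(r"^\s*\w+\s*=\s*PostgresSaver\.from_conn_string\("),
    # Any import of python-jose's `jose` package.
    "python-jose": re.compile(r"^\s*(?:from\s+jose\b|import\s+jose\b)"),
}

# Constructed sample tree (hypothetical paths): one skill already fixed, siblings not.
SAMPLE = {
    "skills/skill-x/checkpoint.md": "with PostgresSaver.from_conn_string(URL) as cp:\n    cp.setup()\n",
    "skills/skill-y/checkpoint.md": "cp = PostgresSaver.from_conn_string(URL)\n",
    "agents/backend.md": "intro\nfrom jose import jwt, JWTError\n",
}

def scan_files(files):
    """files: {relative_path: text}. Returns {top_level_dir: [(path, line_no, pattern)]}."""
    report = {}
    for path in sorted(files):
        for no, line in enumerate(files[path].splitlines(), 1):
            for name, rx in PATTERNS.items():
                if rx.search(line):
                    report.setdefault(path.split("/")[0], []).append((path, no, name))
    return report

def scan_tree(root, suffixes=(".md", ".py", ".ts")):
    """Read every matching file under root, with no per-skill scoping, then scan."""
    root = Path(root)
    files = {
        p.relative_to(root).as_posix(): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*")
        if p.is_file() and p.suffix in suffixes
    }
    return scan_files(files)

if __name__ == "__main__":
    for top, hits in scan_files(SAMPLE).items():
        for path, no, name in hits:
            print(f"{top}\t{path}:{no}\t{name}")
```

The already-fixed `with` form in skill-x is not reported, while the untouched sibling skill and the agent file are.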

Real diffs

PostgresSaver — short body (with-block):

- checkpointer = PostgresSaver.from_conn_string(DATABASE_URL, table_name="langgraph_checkpoints")
- workflow = graph.compile(checkpointer=checkpointer)
+ with PostgresSaver.from_conn_string(DATABASE_URL) as checkpointer:
+     checkpointer.setup()
+     workflow = graph.compile(checkpointer=checkpointer)
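
Review bot: the added with block ends right after graph.compile(...), so the sample never shows workflow being used while the checkpointer is still open, and a reader who invokes it after the block runs against a closed connection. Put the invocation inside the block or add a comment saying it must stay there. The removed line also passed table_name="langgraph_checkpoints" and the replacement drops it without a note; say whether that was intentional.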

PostgresSaver — long-running orchestrator (explicit pool; a with would close the pool mid-run):

- checkpointer = PostgresSaver.from_conn_string(db_url)
+ pool = ConnectionPool(db_url, max_size=20, kwargs={"autocommit": True, "prepare_threshold": 0})
+ checkpointer = PostgresSaver(pool)
+ checkpointer.setup()
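
Review bot: the pool created on the first added line is never closed or handed to anything that closes it, and the hunk shows no import for ConnectionPool. For a long-running orchestrator, show the shutdown path (pool.close() on exit) and the import next to the snippet. max_size=20 would also read better as a named setting than a literal.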

jose → PyJWT:

- from jose import jwt, JWTError
- except JWTError:
+ import jwt  # PyJWT
+ except jwt.PyJWTError:
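
Review bot: import jwt rebinds the same name that the removed from jose import jwt provided, so existing jwt.encode / jwt.decode call sites keep resolving against a different library and none of them appear in this hunk. Confirm that each decode call passes an explicit algorithms= list and that its claim checks still behave as intended, since only the import and the except clause change here. Keep the trailing # PyJWT comment, because the module name alone no longer tells the reader which library is in use.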

Verified-current — left intentionally (NOT stale)

| Token | Verdict | |
| --- | --- | --- |
| gpt-5.2-codex ×20 (agent-orchestration/gpt-5-2-codex.md) + gpt-5.2-realtime | current | Web-verified: GPT-5.2-Codex is the current dedicated agentic-coding model; there is no gpt-5.5-codex (GPT-5.5 is the Codex base). Renaming would strip capability. |
| gpt-4o-2024-08-06 / gpt-4o-2024-05-13 (eval-runner) | pinned | Dated eval baselines — pinned on purpose for regression comparison. |
| gpt-4o-transcribe, gpt-3.5-turbo | valid | Current transcription model / deliberate cheap-tier cost example. |
| create_react_agent mentions (langgraph SKILL.md) | doc | Both are deprecation notices pointing at create_agent — correct. |

Out of scope (surfaced, not bundled)

The repo's own antipattern hook (src/hooks/src/prompt/antipattern-warning.ts) still recommends "python-jose" as an established JWT library. It's now CVE'd/unmaintained, so the advice is stale — but it touches security-sensitive hooks + three cross-repo antipatterns.md copies, so it's left for an explicit follow-up.