OrchestKit Library-Currency Audit · 2026-05-31

14 library clusters across 111 skills + 37 agents, audited vs the true latest via context7 + live web (Jan-2026 training cutoff not trusted), each finding adversarially re-verified against GitHub source / official migration guides / npm·PyPI registries. This is the "what can we upgrade" pass — no fixes applied yet. No sugarcoat: every diff below is real and cited.

Audit integrity

107
findings
7
critical
25
high*
35
medium*
31
low*
10
no-action
103
confirmed
4
overstated→down
0
refuted
12
version claims corrected
8
fabricated APIs
9
copy-paste hard-breaks

*severities after the verifier's corrections (4 findings down-ranked: ragas-result-indexing high→med, hypothesis low, sec-003 high→med, llm-sdk-006 stays low). "No-action" = libraries verified already current — kept as evidence, not work.

The damning part — skills inventing APIs that don't exist

Beyond version lag, the audit found 8 fabricated APIs — code the skill teaches that has no counterpart in the shipped library. A user copy-pasting these gets ImportError / TypeError / silently-ignored config, not a working result. Worst concentration: react-server-components-framework/references/nextjs-16-upgrade.md (3 invented APIs) and json-render SKILL.md (4 broken signatures).

Cluster severity map

Findings

sev kind

Verified version table — claimed vs independently re-confirmed

clusterlibrarytaught/claimedverified latest (2026-05-31)verdict

Upgrade roadmap — by impact × effort

🔴 Lane 1 — copy-paste hard-breaks (do first)

Code that throws on the version the skill targets. Highest user pain, mostly S/M effort.
  1. testing-llm: ragas>=1.2.0 pin is unsatisfiable + recalibrate=True invented → repin >=0.4.0, class-based metrics, drop recalibrate
  2. json-render: Render/defineCatalog/createMcpApp/registerJsonRenderTool signatures all wrong on 0.19 → one coordinated rewrite + re-sync
  3. observability: from langfuse.callback import CallbackHandlerlangfuse.langchain; new Resource()resourceFromAttributes()
  4. langgraph: langgraph.cache import + PostgresSaver.from_conn_string bare-assign → fix imports + with…as cp: cp.setup()
  5. mcp: 4 import paths resolve only against the 2.0-alpha split / fastmcp fork → align to @modelcontextprotocol/sdk subpaths + FastMCP
  6. python-backend: httpx.AsyncClient(app=app) removed in 0.28 → ASGITransport(app=app)
  7. vector-rag: gemini text-embedding-004 shut down 2026-01-14 → gemini-embedding-001

🟠 Lane 2 — deprecated / fabricated-but-non-crashing

Works today but wrong/deprecated, or invented config that's silently ignored. Misleads agents.
  1. next-react: rewrite nextjs-16-upgrade.md — kill invented next/proxy, revalidateTag({type}), cache() wrapper, next-browser
  2. langgraph: create_react_agent deprecated since v1.0 → langchain.agents.create_agent; stop selling pre/post_model_hook as "new 1.2"
  3. observability: @observe(type=)as_type=; v2 trace().generation()start_observation(); @langfuse/* ^4 → 5.x
  4. security: python-jose (CVE-2025-61152 alg=none) → PyJWT; OWASP LLM 2023 labels → 2025
  5. vector-rag: Cohere Client()/v3.0/max_chunks_per_docClientV2()/rerank-v4.0-pro/max_tokens_per_doc
  6. llm-sdk: google.generativeai (archived) → from google import genai
  7. frontend-libs: Zod 4 — z.string().email()/.uuid()z.email()/z.uuid(), .flatten()z.treeifyError() (shape change!)

🟡 Lane 3 — new-best-practice & version-pin

Not wrong, just behind the frontier. Additive guidance + pin bumps.
  1. db-migrations: PG18 uuidv7() over random v4; native WITHOUT OVERLAPS/PERIOD; B-tree skip-scan nuance
  2. vector-rag: pgvector halfvec/binary_quantize() for 3072-dim embeddings; voyage-3→3.5
  3. python-backend: = Depends()Annotated[…, Depends()] (21 sites); .dict().model_dump(); datetime.utcnow()×3; get_event_loop()×4
  4. next-react: next/image breaking defaults; async params for icon/og/sitemap; pins 16.2.6/19.2.6
  5. frontend-libs: Biome noFloatingPromises needs domains.types; Zustand checklist label is backwards
  6. llm-sdk: gpt-5.2→gpt-5.5 (~18 sites); OpenAI Responses API; Claude 4.6→4.8 table

🟢 Verified current (no action)

Audited and confirmed up-to-date — proof the suite isn't uniformly stale.
  1. testing-js: Vitest 4.1, Playwright 1.60, MSW already v2 — strong shape (only 1 fabricated config block)
  2. infra-events: Temporal 1.27.2, Celery 5.6.3, redis-py 8.0, aiokafka 0.14 — all current
  3. db-migrations: Alembic 1.18.4 / SQLAlchemy 2.0 APIs all valid (staleness is PG18 feature-awareness, not breakage)
  4. langgraph: stream v2 / GraphOutput / RemoteGraph / core import paths — current
  5. llm-sdk: Anthropic caching shape + vision content-blocks + Claude Opus 4.8 — current
  6. security: py_webauthn 2.7.1, PyJWT 2.13.0, OWASP LLM list mostly mapped