* feat(auth): reuse preflight's authenticated session across agents
* fix(preflight): verify saved auth state parses and has cookies or origins
* fix(prompts): strip shared-session block when no auth is configured
* fix(shannon): store shared auth state in the per-session audit dir
* fix(prompts): write stub auth-state in pipeline-testing preflight
* fix(preflight): clear stale auth-state.json before validate-authentication
* fix(preflight): drop auth-state.json on workflow completion
* docs(claude): refresh auth-state.json description for new layout and cleanup
* refactor(prompts): drop unused PLAYWRIGHT_SESSION resolve in login instructions
* style(prompts): collapse verifySavedAuthState signature per biome
* refactor(prompts): require AUTH_STATE_FILE on authenticated runs
* style(prompts): trim numbered-step comments back to step headers
* feat(steerability): add config-driven profile with code_path avoid enforcement
* fix(steerability): write SDK deny rules once per workflow to avoid parallel-agent race
* fix(steerability): reference guidance by pointer in report DROP rules
* fix(steerability): tighten code_path avoid enforcement
* chore(steerability): use shared ALL_VULN_CLASSES const and tighten RunScope type
* fix(steerability): validate run scope before resume short-circuit
* fix(steerability): emit only documented Read/Edit deny rules for code_path
* fix(steerability): assemble report from analysis deliverables when exploit is disabled
* feat(steerability): preflight check that code_path rules match at least one repo entry
* fix(steerability): tag missing code_path entries with avoid/focus kind
* revert(steerability): assemble report from analysis deliverables when exploit is disabled
* feat(steerability): render per-class findings from queue JSON when exploit is disabled
* refactor(steerability): trim findings renderer to common mappable rows
* feat(steerability): allow report agent to rewrite category-label finding titles
* docs(steerability): document new config fields in README and CLAUDE.md
* docs(steerability): comment out optional config sections in examples
* feat: add ReportOutputProvider for consumer-extended report artifacts
* fix: thread deliverablesSubdir through report assembly
* fix: produce structured report JSON on resume path
* fix: fail loud on structured report output provider errors
* feat: extend checkpoint provider and container DI for consumer-specific backends
* fix: pre-create .shannon overlay mount points on all platforms
* chore: drop claude-code-router mode
* fix: drop 'resets' keyword from spending-cap text patterns
* feat: extract pipeline core for library consumption
* fix: chmod workspace directory for container write access
* fix: resolve playwright output dir relative to deliverables parent
* feat: add multi-provider LLM support via ProviderConfig
* fix: resolve model overrides via options.model, remove unused model env passthrough
* fix: use ANTHROPIC_AUTH_TOKEN for custom base URL and router auth
* fix: skip env-based credential validation when providerConfig is present
* fix: support large UID/GID values for AD/LDAP users in container
* feat: mount user repo as read-only with deliverables bind-mount overlay
* feat: add playground and .playwright-cli overlay mounts
* feat: add filesystem context to pipeline-testing prompts
* fix: use explicit REPO_PATH in filesystem prompt for clarity
* fix: update filesystem prompts with playground notes and absolute screenshot paths
* feat: namespace writable overlays under .shannon/ to avoid polluting host repo
* refactor: rename playground to scratchpad
* fix: redirect playwright-cli output to writable .shannon/ overlay
* fix: pre-create .shannon/ overlay mount points for Linux compatibility
* fix: exclude nested node_modules and dist from Docker build context
* fix: enforce LF line endings for shell scripts on Windows
- Add minimum-release-age=10080 (7 days) and ignore-scripts=true to .npmrc
- Upgrade pnpm from 10.12.1 to 10.33.0 (minimumReleaseAge requires >= 10.16.0)
- Document package installation age policy in CLAUDE.md
ezl-keygraph