chore(release): bump to v0.8.4

[Rome-1]

Summary

Cuts v0.8.4. Headline impact: the customer's .rafter.yml triage flow is now fully working on local scans — #152 makes scan.exclude_paths enforcement actually fire on the default betterleaks code path, and #154 lets either the CLI dotfile or backend subdir file work with either schema. Bilateral remote-scan alignment still depends on rafter-backend's matching work (in flight).

How this ships

Standard prod-branch flow (same as v0.8.3):

1. This PR merges to main.
2. main → prod PR opened; merge triggers publish.yaml.
3. publish.yaml fires: tests → npm Trusted Publishing → PyPI (--skip-existing) → ClawHub → GitHub Release tagged v0.8.4 → smoke-tests against the live registries.
4. The v0.8.4 GitHub Release tag republishes the root /action.yml listing entry on the Marketplace.

Contents of this release (since v0.8.3)

Fixed

• fix(scan): honor .rafter.yml scan.exclude_paths on both engines (sable-yz0) #152 (sable-yz0) — rafter secrets honors .rafter.yml scan.exclude_paths on both engines. Customer-reported P0. Betterleaks engine no longer silently drops exclude_paths; pattern semantics now cover multi-segment paths (file paths, dir prefixes, dir-name-anywhere, globs) instead of only single dir NAMES.

Changed

• feat(policy): read backend's .rafter/config.yml + flat-shape compat (sable-c1c) #154 (sable-c1c) — CLI reads .rafter/config.yml indefinitely + accepts backend's flat-shape schema. Walks all four candidates in precedence order (.rafter.yml → .rafter.yaml → .rafter/config.yml → .rafter/config.yaml); accepts both nested scan.* and top-level exclude_paths / custom_patterns in either file, with nested winning on collision.

Added

• feat(agent-init): add Hermes platform support (sable-gyw) #151 (sable-gyw) — Hermes platform support. Ninth supported platform. rafter agent init --with-hermes merges Rafter into ~/.hermes/config.yaml. MCP-only v0; hooks deferred.
• feat: add JSON output for agent status #153 — rafter agent status --json. Reports installed state, version, detected agents, hook installations, scanner availability, config / audit paths. Schema in shared-docs/CLI_SPEC.md.

Pre-flight expected to be green

• validate-release.yml (push-to-main trigger after this merges) — verifies all four version sites at 0.8.4: node/package.json, python/pyproject.toml, both rafter-security-skill.md frontmatter copies. CHANGELOG entry present.

Post-merge verification plan

Same as v0.8.3 — Phase 1 + 2, autonomous, ~5 min:

• npm + PyPI registry index for 0.8.4
• gh release view v0.8.4 confirms release rendered
• Fresh install on both runtimes → rafter --version reports 0.8.4
• Fixture scan via --engine patterns detects fake AWS Access Key, exit 1
• For 0.8.4-specific verification: plant fake secret in scripts/ + safe/leaky.ts with .rafter.yml scan.exclude_paths: [scripts/] → exit 1 with only safe/leaky.ts reported (proves fix(scan): honor .rafter.yml scan.exclude_paths on both engines (sable-yz0) #152). Confirm .rafter/config.yml with top-level exclude_paths: [scripts/] produces the same result (proves feat(policy): read backend's .rafter/config.yml + flat-shape compat (sable-c1c) #154).

🤖 Generated with Claude Code