pakka v0.5.3

Security hardening release.

10 fixes across guard, commitgate, and semantic validator:

• [CRITICAL] Git hook RCE via last-pass-ts arithmetic — POSIX case guard added
• [CRITICAL] Commit-gate ; bypass — unrecognized git commit shapes now blocked
• [CRITICAL] Negation/percentage validator gap — reNegation and rePercent rules added
• guard: Write/Edit/MultiEdit/NotebookEdit now routed through checkPath (was Allowed unconditionally)
• guard: isDeniedPath extended — gh CLI, kube, docker, npm, pypi, shell history, key file patterns
• guard: evalRe bypass via bash -c quoted arg fixed (bashCEvalRe)
• guard: pipeShellRe extended to dash/fish/ksh/ash/csh; downloadExecRe added
• guard: absolute system path deny for /etc/passwd, /root, /proc/self/environ, /sys/kernel
• commitgate: [skip pakka] bypass now emits stderr notice and neutral audit note
• semantic/statusline: default level aligned to super-ultra across all fallback sites

Identified by 4-agent adversarial review. See adversarial-review-2026-05-08.md in repo root.