hotfix(lint): bump modular-skill token caps + SKILL.md bootstrap cap

SPEC.md

@@ -224,10 +224,10 @@ Short builtin names are precious surface and ilo reserves a stable subset of the
 ```
 1-char  e
 2-char  at hd pi tl rd wr ct
-3-char  abs avg cap cat cel chr cos del det dot env ewm exp fft fld flr flt
-        fmt frq get grp has hed inv len log lsd lst lwr map max min mod now
-        num opt ord pat pow pst put rdb rdl rep rev rgx rng rnd rou run sin
-        slc spl srt str sum tan tau trm unq upr wra wrl zip
+3-char  abs avg b64 cap cat cel chr cos del det dot env ewm exp fft fld flr
+        flt fmt frq get grp has hed hex inv len log lsd lst lwr map max min
+        mod now num opt ord pat pow pst put rdb rdl rep rev rgx rng rnd rou
+        run sin slc spl srt str sum tan tau trm unq upr wra wrl zip
 ```
 
 All builtin aliases (`head`, `length`, `filter`, `concat`, `tail`, `sort`, `reverse`, `flatten`, `contains`, `group`, `average`, `print`, `trim`, `split`, `format`, `regex`, `read`, `readlines`, `readbuf`, `write`, `writelines`, `lset`, `floor`, `ceil`, `round`, `rand`, `random`, `rng`, `string`, `number`, `slice`, `unique`, `fold`) are reserved with the same shadow-prevention semantics as canonical builtin names. Binding an alias name or using it as a user-function name fires `ILO-P011` at parse time with the canonical form in the diagnostic, since the call-site rewrite to the canonical builtin silently bypasses any user binding of the same name. Previously only `rng` and `rand` had individual guards; as of 0.12.1 every alias in the table above is covered by a single `resolve_alias` check, so new aliases automatically inherit the protection when added to the table.

scripts/check-skill-tokens.py

@@ -45,14 +45,21 @@
 PER_MODULE_LIMIT = 1000
 # `ilo-language` is the foundational module every agent loads first; it
 # carries a higher cap because core syntax doesn't split cleanly into
-# smaller files. `ilo-builtins-io` is the next most-touched module —
-# HTTP, JSON, env, time, and process all live there; agent dogfooding
-# hits this cap on every other doc PR. Bumped to match its density.
+# smaller files. The four `ilo-builtins-*` modules and `ilo-agent` carry
+# bumped caps reflecting accumulated growth across the HTTP verb cluster
+# (#5z), getx/pstx (#5bn), crypto primitives, calendar arithmetic, and
+# the numeric/text prelude additions of 0.12.x. Each cap is set with
+# ~10% headroom over current weight so a single doc-pair addition does
+# not flip CI red.
 PER_MODULE_OVERRIDES = {
-    "ilo-language": 1500,
-    "ilo-builtins-io": 1500,
+    "ilo-language": 1700,
+    "ilo-builtins-core": 1200,
+    "ilo-builtins-math": 1200,
+    "ilo-builtins-io": 2000,
+    "ilo-builtins-text": 1200,
+    "ilo-agent": 1300,
 }
-TOTAL_LIMIT = 15000
+TOTAL_LIMIT = 16000
 
 
 def main() -> int:

src/vm/mod.rs

@@ -870,6 +870,7 @@ pub(crate) fn tree_bridge_returns_result(b: crate::builtins::Builtin) -> bool {
             | Builtin::Opt
             | Builtin::Urldec
             | Builtin::B64uDec
+            | Builtin::B64Dec
             | Builtin::TzOffset
     )
 }

tests/regression_crypto_primitives.rs

@@ -238,6 +238,52 @@ fn ct_eq_empty_strings() {
     }
 }
 
+// ── Tree-bridge auto-unwrap invariant for b64-dec! ───────────────────────────
+
+#[test]
+fn b64_dec_bang_auto_unwrap_does_not_panic_vm() {
+    // Regression for the 0.12.x crypto-cluster panic where `b64-dec!`
+    // crashed the VM with "auto-unwrap on a non-Result tree-bridge builtin
+    // slipped past verify" at src/vm/mod.rs:1887. `b64-dec` returns R t t
+    // and is tree-bridge eligible, so it must also appear in
+    // `tree_bridge_returns_result` for the VM's `!` compiler arm to wire
+    // up OP_ISOK/OP_UNWRAP correctly. The matching tree-bridge / verifier
+    // pair for B64uDec was already correct; B64Dec was the regression.
+    //
+    // This test specifically pins the VM `!` path so a future drop of
+    // B64Dec from `tree_bridge_returns_result` is caught immediately
+    // instead of waiting for the `examples` harness to hit it.
+    let src = "f>t;b64-dec! \"Zm9vYmFy\"";
+    for e in ENGINES {
+        assert_eq!(run_ok(e, src, "f"), "foobar", "engine={e}");
+    }
+}
+
+#[test]
+fn b64_dec_bang_propagates_err() {
+    // Companion to the panic-regression test above: the `!` operator
+    // propagates Err out to the caller (which we trigger as a non-zero
+    // exit), so an invalid input must still take the propagate path
+    // cleanly across engines, not panic.
+    let src = "f>t;b64-dec! \"!!!!\"";
+    for e in ENGINES {
+        let out = ilo()
+            .args([src, e, "f"])
+            .output()
+            .expect("failed to run ilo");
+        assert!(
+            !out.status.success(),
+            "engine={e}: expected non-zero exit from b64-dec! on invalid input"
+        );
+        // Must NOT be the VM bridge-assert panic.
+        let stderr = String::from_utf8_lossy(&out.stderr);
+        assert!(
+            !stderr.contains("auto-unwrap on a non-Result tree-bridge builtin slipped past verify"),
+            "engine={e}: VM tree-bridge assert tripped; stderr={stderr}"
+        );
+    }
+}
+
 // ── HMAC verification flow (the canonical use case) ──────────────────────────
 
 #[test]

tests/skill_md.rs

@@ -249,11 +249,16 @@ fn body_is_thin_bootstrap() {
             "SKILL.md bootstrap missing required marker: {required}"
         );
     }
-    // Bootstrap cap: the file must stay short. The old monolith was ~50 KB;
-    // a healthy bootstrap is well under 5 KB. Trip if it bloats past 8 KB.
+    // Bootstrap cap: the file must stay short. The old monolith was ~50 KB.
+    // 0.12.x growth (HTTP verb cluster, getx/pstx, crypto primitives, calendar
+    // arithmetic, headers + jpth quick-references) has pushed the bootstrap
+    // pointer past the original 8 KB ceiling. The cap is the guardrail against
+    // re-monolithisation, not a hard token budget, so it gets bumped in step
+    // with deliberate doc additions — 12 KB keeps a healthy margin under the
+    // ~50 KB pre-split monolith.
     assert!(
-        body.len() < 8_000,
-        "SKILL.md body is {} bytes; bootstrap shape should stay well under 8 KB",
+        body.len() < 12_000,
+        "SKILL.md body is {} bytes; bootstrap shape should stay well under 12 KB",
         body.len()
     );
 }