chore: add slophammer TypeScript constraints

[dutifulbob]

Summary

The TypeScript library now has enforceable Slophammer-style quality constraints instead of relying only on broad project checks.
This adds policy config, unsafe-type lint rules, mutation testing, dependency-boundary enforcement, and focused tests for the behavior the constraints touch.
The CI Slophammer job uses the published slophammer-ts@latest package through pnpm dlx, so acpx tracks the current checker without adding Slophammer as a package dependency.

What Changed

The change wires Slophammer constraints into the repo in places maintainers can run locally and CI can enforce.
It keeps the existing acpx toolchain and avoids fake ESLint, Prettier, or Vitest declarations just to satisfy checker assumptions.

• Added slophammer.yml with TypeScript coverage, complexity, DRY, mutation, and dependency-boundary policy.
• Added StrykerJS mutation testing for src/cli/flags.ts and included it in pnpm run check and CI.
• Tightened Oxlint unsafe-type rules for assignments, calls, member access, and returns in src/.
• Reworked dynamic CLI option reads and parser paths so external data is normalized through typed helpers.
• Hardened parser dispatch tables against prototype-key lookups.
• Moved process-liveness helpers into a neutral shared module so Slophammer boundaries no longer bless src/session depending on queue internals.
• Updated coverage to enforce the declared 85/85/85/85 gate with c8 --all over the current flows/runtime coverage target.
• Added a CI boundary gate that runs slophammer-ts@latest check . --only ts.dependency-boundaries-required directly.
• Added regression tests for invalid structured prompt blocks, runtime event parsing, queue owner message parsing, package scripts, direct Slophammer CI wiring, and CLI flag behavior.
• Documented the Slophammer policy in AGENTS.md, including the coverage target and current full-check limitation.

Testing

The local checks pass on head 63c15fe.
A separate code-quality subagent reviewed the PR for shortcuts; its dependency-boundary finding was fixed, the temporary local Slophammer report filter was removed after slophammer-ts@0.1.2 added direct rule selection, and the coverage scope limitation is explicit.

• pnpm run check passed.
• pnpm run check:docs passed.
• pnpm run test:coverage passed with 94.92 statements, 87.53 branches, 96.25 functions, and 94.92 lines for the configured coverage target.
• pnpm run mutate passed with mutation score 91.07 against threshold 80.
• pnpm dlx slophammer-ts@latest rules --format text passed.
• pnpm dlx slophammer-ts@latest dry . passed with 0 DRY candidates.
• pnpm dlx slophammer-ts@latest check . --only ts.dependency-boundaries-required passed with no findings.

I also measured a whole-source c8 --all gate at 85/85/85/85. The current repo is not there yet across every source file: 65.26 statements, 83.13 branches, 57.06 functions, and 65.26 lines. This PR does not claim whole-repository 85% coverage.

Risks

The main risk is CI runtime because Stryker now runs as part of the normal check job.
The mutation target is intentionally narrow so the added gate stays useful without turning every PR into a long mutation run.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	c8@​11.0.0
	@​stryker-mutator/​core@​9.6.1

View full report

[dutifulbob]

Final verification for this pass:

• Local pnpm run check passed, including the new Stryker mutation gate.
• Local pnpm run check:docs passed.
• Mutation score is 86.97 against threshold 80 for src/cli/flags.ts.
• Local Slophammer TypeScript dry check passed with no findings.
• Filtered Slophammer ts.dependency-boundaries-required findings are empty.
• Local codex review --base main completed with no discrete correctness issues.
• GitHub CI is green on head 85a7eab, including Format, Typecheck, Lint, Build, Conformance Smoke, Test, Mutation, and Socket checks.

The full local slophammer-ts check . --format json still reports checker/toolchain-recognition findings because acpx uses Oxlint, Oxfmt, Node's built-in test runner, and a nested replay-viewer project rather than the ESLint, Prettier, Vitest, and strict tsconfig conventions currently recognized by that checker. I did not add fake tool declarations to silence those findings.

[dutifulbob]

Final verification for the Slophammer TypeScript gates pass:

• Latest head: 4b803b5e0a401333b5ead233f7b9cbc5aad8414b (chore: enforce slophammer typescript gates).
• pnpm run check passed locally, including format, typecheck, lint, build, viewer typecheck/build, coverage, and mutation.
• pnpm run test:coverage passed locally. Enforced coverage result: statements 94.86%, branches 87.37%, functions 96.62%, lines 94.86% against the TypeScript library/runtime surfaces. The full test suite runs before the thresholded c8 pass.
• pnpm run mutate passed locally for src/cli/flags.ts: mutation score 91.07%, threshold 80, killed 357, survived 35, no coverage 0, errors 0. Remaining survivors are primarily help text strings and low-value/non-observable edge mutants; I did not add performative help-text tests just to kill them.
• Slophammer rules command passed: node /home/bob/repos/slophammer/typescript/dist/src/cli/main.js rules --format text.
• Slophammer dry command passed: node /home/bob/repos/slophammer/typescript/dist/src/cli/main.js dry --format text with DRY findings 0, copied block findings 0, DRY candidates 0.
• git diff --check passed.
• codex review --base main completed with no actionable regressions after rerunning tests, coverage, and mutation.
• PR review threads checked: no open inline review threads.
• GitHub checks are green on the latest head: Format, Typecheck, Lint, Build, Conformance Smoke, Test, Mutation, Socket Security, and scope all pass; Docs is skipped by CI scope detection.

This PR is finalized and ready for human review/merge. I did not merge it.