chore: remove orphaned per-plugin pnpm-lock files (clears axios Dependabot alerts)#174

Merged
orioltf merged 2 commits into develop from archon/thread-902b7aa4 on Jun 2, 2026

Conversation

orioltf (Member) commented Jun 2, 2026

Summary

  • Deletes apps/claude-code/auto-format/pnpm-lock.yaml and apps/claude-code/unic-confluence/pnpm-lock.yaml — two stale lockfiles left behind after @ralph-orchestrator/ralph-cli was dropped from the plugin manifests.
  • These files are the only source of axios@1.15.2 in the repo; the root pnpm-lock.yaml has no axios. No manifest, source file, or root lockfile was modified.
  • After merge to develop, Dependabot alerts #4 and #5 should auto-resolve because their manifest source no longer exists.

Closes #173.

Verification

# Confirmed before removal: only these two files matched
git ls-files '**/pnpm-lock.yaml'
# → apps/claude-code/auto-format/pnpm-lock.yaml
# → apps/claude-code/unic-confluence/pnpm-lock.yaml

grep -c "axios@1.15.2" pnpm-lock.yaml  # → 0 (root lockfile is clean)

# After removal: all green
pnpm install --frozen-lockfile   #
pnpm ci:check                    # ✓ exit 0 (2 pre-existing infos, unrelated)
pnpm typecheck                   #
pnpm test                        # ✓ 38 pass, 0 fail
git ls-files '**/pnpm-lock.yaml' # → (empty)

🤖 Generated with Claude Code

…dabot alerts)

Fixes #173. Two stale per-plugin pnpm-lock.yaml files (auto-format and
unic-confluence) contained axios@1.15.2 as a transitive dep of
ralph-cli@2.9.2, which was bootstrapped then dropped from the manifests
but the lockfiles were never removed. Dependabot was scanning these
orphaned files and raising alerts #4 and #5. The root pnpm-lock.yaml
has no axios; neither plugin declares it. After merge to develop,
alerts #4 and #5 should auto-resolve as their manifest source is gone.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
orioltf (Member, Author) commented Jun 2, 2026

🔍 Comprehensive PR Review

PR: #174 — Remove orphaned per-plugin pnpm-lock files
Reviewed by: 5 specialized agents (code-review, error-handling, test-coverage, comment-quality, docs-impact)
Date: 2026-06-02


Summary

Pure housekeeping deletion: two orphaned pnpm-lock.yaml files left in apps/claude-code/auto-format/ and apps/claude-code/unic-confluence/ after @ralph-orchestrator/ralph-cli was dropped from their manifests. These files were the sole source of axios@1.15.2 (Dependabot alerts #4 and #5). The PR is surgical, well-described, and verified with a full CI pass.

Verdict: ✅ APPROVE

| Severity | Count |
|---|---|
| 🔴 CRITICAL | 0 |
| 🟠 HIGH | 0 |
| 🟡 MEDIUM | 0 |
| 🟢 LOW | 3 |

🟢 Low Issues (Preventive / Optional)

1. No .gitignore guard against future per-plugin lockfiles

📍 .gitignore (root) · Code Review agent

The same orphaned-lockfile → Dependabot-alert pattern could silently recur. A two-line addition prevents it permanently.

Suggested fix (`.gitignore`):
# pnpm workspace: per-plugin lockfiles should never exist; root lockfile is canonical
apps/**/pnpm-lock.yaml
packages/**/pnpm-lock.yaml

2. CLAUDE.md missing "no per-plugin lockfiles" invariant

📍 CLAUDE.md (root) · Docs Impact agent

The "Do not add" section doesn't mention this constraint, leaving it undiscoverable for future contributors.

Suggested addition, under the "Do not add" list:

- Per-plugin `pnpm-lock.yaml` files — the root lockfile is canonical; sub-package lockfiles should never be committed

3. Commit scope omitted for cross-cutting chore

📍 Commit dc55010 · Code Review agent

`chore: remove orphaned per-plugin pnpm-lock files` has no scope. For future cross-cutting commits, `chore(workspace): …` would be more searchable. No action needed on this already-merged commit.


✅ What's Good

  • Excellent PR description — verification commands with expected output, closes issue #173 ([repo] Orphaned per-plugin pnpm-lock files trip axios Dependabot alerts (#4, #5)), Dependabot connection explained clearly.
  • Surgical scope — exactly the two files causing the problem, no unrelated changes.
  • Full CI verification: pnpm install --frozen-lockfile, pnpm ci:check, pnpm typecheck, and pnpm test all confirmed passing.
  • Zero-dep bar maintained: auto-format's zero-external-dependencies invariant is restored.
  • No false-positive risk — root lockfile has zero axios references; deletions are unambiguously safe.

📋 Suggested Follow-up Issues (if not addressing inline)

| Issue | Priority |
|---|---|
| Add .gitignore guard against per-plugin pnpm lockfiles | P3 |
| Document no-per-plugin-lockfiles invariant in CLAUDE.md | P3 |

Next Steps

  1. ⚡ No auto-fixes needed — 0 CRITICAL + 0 HIGH issues.
  2. 📝 Optionally address the 2 LOW preventive items (gitignore + CLAUDE.md) in this PR or as follow-up.
  3. 🎯 Ready to merge as-is.

Reviewed by Archon comprehensive-pr-review workflow · 5 agents · 3 findings (all LOW)
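The verification steps in the PR description (list every pnpm-lock.yaml, confirm the root lockfile carries no axios) and the review's first finding (guard against the pattern recurring) describe the same check from two sides. The script below is an added example, not code from PR #174 or its repository: a CI guard that fails when any pnpm-lock.yaml exists below the workspace root and reports the name@version entries each stray file pins, so an alert such as the one for axios@1.15.2 can be traced to the orphaned lockfile carrying it. It assumes the pnpm v9 lockfile layout (package keys at two-space indent under `packages:` and `snapshots:`); the sample workspace, the plugin directory names and the `@example/cli` dependency are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from PR #174 or its repository): a CI guard for the
# workspace invariant the review states, "the root lockfile is canonical".
# It fails when any pnpm-lock.yaml exists below the workspace root and reports
# the name@version entries each stray file pins, so an alert such as the one
# for axios@1.15.2 can be traced to the orphaned lockfile carrying it.
# Assumes the pnpm v9 lockfile layout; the sample workspace is constructed.

# find_nested_lockfiles ROOT: print stray lockfile paths relative to ROOT,
# skipping the root lockfile itself and anything under node_modules.
find_nested_lockfiles() {
    ( cd "$1" && find . -name pnpm-lock.yaml ! -path '*/node_modules/*' \
        | sed 's|^\./||' | grep -v '^pnpm-lock.yaml$' | LC_ALL=C sort )
}

# pinned_versions FILE: list the name@version keys from the packages: and
# snapshots: sections of a pnpm v9 lockfile. Keys sit at two-space indent,
# scoped names are quoted, and peer suffixes such as "(debug@4.3.4)" are dropped.
pinned_versions() {
    sed -n "s/^  '\{0,1\}\(@\{0,1\}[^'@ ]*@[^'(: ]*\)['(:].*$/\1/p" "$1" \
        | LC_ALL=C sort -u
}

# check_lockfile_hygiene ROOT: return 0 when only the root lockfile exists;
# otherwise report each stray lockfile and its pins on stderr and return 1.
check_lockfile_hygiene() {
    stray=$(find_nested_lockfiles "$1")
    [ -z "$stray" ] && return 0
    printf '%s\n' "$stray" | while IFS= read -r f; do
        echo "stray per-plugin lockfile: $f" >&2
        pinned_versions "$1/$f" | sed 's/^/    pins /' >&2
    done
    return 1
}

# make_sample_repo: build a constructed workspace in a temp dir and print its
# path: a clean root lockfile, two plugin dirs whose stray lockfiles pin
# axios@1.15.2 through a fictional '@example/cli' dependency, and a lockfile
# under node_modules that the guard must ignore.
make_sample_repo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/apps/plugin-a" "$dir/apps/plugin-b" "$dir/node_modules/pkg"
    cat > "$dir/pnpm-lock.yaml" <<'EOF'
lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      typescript:
        specifier: ^5.0.0
        version: 5.4.5
packages:
  typescript@5.4.5:
    resolution: {integrity: sha512-placeholder}
snapshots:
  typescript@5.4.5: {}
EOF
    for p in plugin-a plugin-b; do
        cat > "$dir/apps/$p/pnpm-lock.yaml" <<'EOF'
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '@example/cli':
        specifier: ^2.9.0
        version: 2.9.2
packages:
  '@example/cli@2.9.2':
    resolution: {integrity: sha512-placeholder}
  axios@1.15.2:
    resolution: {integrity: sha512-placeholder}
snapshots:
  '@example/cli@2.9.2':
    dependencies:
      axios: 1.15.2
  axios@1.15.2: {}
EOF
    done
    echo "lockfileVersion: '9.0'" > "$dir/node_modules/pkg/pnpm-lock.yaml"
    echo "$dir"
}

# Demonstration: the guard fails on the constructed workspace and names the culprits.
root=$(make_sample_repo)
if check_lockfile_hygiene "$root"; then
    echo "lockfile hygiene: OK"
else
    echo "lockfile hygiene: FAILED (CI would exit 1)"
fi
rm -rf "$root"
```

In a real pipeline, `check_lockfile_hygiene .` run from the workspace root is the whole job. It complements the `.gitignore` rule the review suggests rather than replacing it: an ignore rule only stops new files from being staged, while files already tracked (the situation this PR cleaned up) keep being scanned until something like this check makes them visible.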

…in lockfiles

Prevent recurrence of the orphaned pnpm-lock.yaml pattern that caused
Dependabot alerts #4 and #5 (fixed in PR #174).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
orioltf (Member, Author) commented Jun 2, 2026

⚡ Self-Fix Report (Aggressive)

Status: COMPLETE
Pushed: ✅ Changes pushed to archon/thread-902b7aa4
Commit: 1aff42b
Philosophy: Fix everything unless clearly a new concern


Fixes Applied (2 total)

| Severity | Count |
|---|---|
| 🔴 CRITICAL | 0 |
| 🟠 HIGH | 0 |
| 🟡 MEDIUM | 0 |
| 🟢 LOW | 2 |

All fixes:
  • .gitignore guard against future per-plugin lockfiles (.gitignore) — Added apps/**/pnpm-lock.yaml and packages/**/pnpm-lock.yaml entries to prevent recurrence of the orphaned lockfile pattern
  • CLAUDE.md "no per-plugin lockfiles" invariant (AGENTS.md) — Added bullet to "Do not add" section: "Per-plugin pnpm-lock.yaml files — the root lockfile is canonical; sub-package lockfiles should never be committed"

Tests Added

(none) — pure deletion PR; no new code paths


Docs Updated

| File | Changes |
|---|---|
| AGENTS.md | Added per-plugin lockfile prohibition to "Do not add" section |

Skipped (1)

| Finding | Reason |
|---|---|
| Commit scope omitted (dc55010) | Already-merged commit — no action possible; style note for future cross-cutting commits only |

Suggested Follow-up Issues

(none)


Validation

✅ Type check | ✅ Lint/format (Biome + Prettier) | ✅ Tests (881 passed)


Self-fix by Archon · aggressive mode · fixes pushed to archon/thread-902b7aa4

Copilot AI left a comment

Contributor


Pull request overview

Removes two stale per-plugin pnpm-lock.yaml files under apps/claude-code/* that were the only source of axios@1.15.2 in the repo, with the goal of clearing Dependabot alerts tied to those orphaned manifests. It also adds guardrails intended to prevent per-plugin lockfiles from being reintroduced.

Changes:

  • Delete apps/claude-code/auto-format/pnpm-lock.yaml.
  • Delete apps/claude-code/unic-confluence/pnpm-lock.yaml.
  • Add repo guidance + ignore rules discouraging per-plugin pnpm-lock.yaml files.

Reviewed changes

Copilot reviewed 1 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| apps/claude-code/unic-confluence/pnpm-lock.yaml | Removes an orphaned per-plugin lockfile that pins axios@1.15.2. |
| apps/claude-code/auto-format/pnpm-lock.yaml | Removes an orphaned per-plugin lockfile that pins axios@1.15.2. |
| AGENTS.md | Documents that per-plugin pnpm-lock.yaml files should not be committed. |
| .gitignore | Ignores per-plugin pnpm-lock.yaml files under apps/ and packages/ to prevent recurrence. |

Files not reviewed (2)
  • apps/claude-code/auto-format/pnpm-lock.yaml: Language not supported
  • apps/claude-code/unic-confluence/pnpm-lock.yaml: Language not supported


@orioltf orioltf merged commit cf3f62e into develop Jun 2, 2026
16 checks passed
@orioltf orioltf deleted the archon/thread-902b7aa4 branch June 2, 2026 22:04

Development

Successfully merging this pull request may close these issues.

[repo] Orphaned per-plugin pnpm-lock files trip axios Dependabot alerts (#4, #5)

2 participants