chore(main): release hve-core 4.0.0

[hve-core-release-please]

🤖 I have created a release beep boop

4.0.0 (2026-06-30)

⚠ BREAKING CHANGES

• instructions: disclaimer SSOT migration (stacked on feat(agents): align sssc planner with rai parity, add signing and validation #1497) (#1639)
• agents: per-agent model selection for cost optimization and /compact loop fix (#1541)

✨ Features

• add experimental Caveman response style skill (#1861) (3620737)
• add Vally evaluation infrastructure (#1590) (8f3914c)
• agents: add acceptance criteria template and issue type hierarchy strategy to backlog manager (#1597) (a780b7f)
• agents: add accessibility planner, reviewer, and code-review accessibility agents (#1735) (1ca6269)
• agents: add enablement dimension to Experiment Designer for code-with MVEs (#1416) (84077a8)
• agents: add PR Walkthrough narrative orientation agent (#1947) (b98f527)
• agents: add Privacy Planner, SSSC reviewer, and privacy-standards skill (#2168) (0bc13ee)
• agents: add Task Challenger adversarial questioning agent (#1315) (a9014c9)
• agents: add Vally evaluation agents and prompts (#1834) (18ce4c6)
• agents: align sssc planner with rai parity, add signing and validation (#1497) (f5e8513)
• agents: consolidate code-review agents and add orientation-first review loop (#2100) (7ca4cb2)
• agents: document plain-text path convention for .copilot-tracking artifacts (#2147) (3362577)
• agents: keep internal workflow references out of comments (#2023) (0d6a3f0)
• agents: optimize RPI agent context management with discipline rules (#1492) (35e5924)
• agents: per-agent model selection for cost optimization and /compact loop fix (#1541) (e158d88)
• agents: remove issue-triage decomposition and improve labeling (#2223) (3420081)
• agents: security-planner SSSC parity (#1642) (f4f6b3c)
• agents: upgrade ADR Planner with phased identity and adr-author skill (#1554) (d2868d5)
• collections: register Vally artifacts and regenerate plugins (#1836) (74f0e86)
• evals: add behavior eval corpora and Pester test suite (#1832) (d44ad1e)
• evals: add npm eval scripts and shared environments (#1626) (1102901)
• graphify: Add graphify skill with thin prompt + applyTo instructions (#1600) (878843c)
• hooks: add local session telemetry hooks (#2008) (34fe036)
• Improve quality of rpi-agent.agent.md (#1949) (0d9c746)
• instructions: add accessibility instruction set and shared planner identity base (#1733) (2158ced)
• instructions: disclaimer SSOT migration (stacked on #1497) (#1639) (a09b333)
• instructions: harden ADR Creator against untrusted content and sensitive data (#1811) (02e353d)
• planning: add Security Planner state schema with contract suite and fixtures (#1638) (8947038)
• prompts: add cspell-config prompt for automated spell check maintenance (#1516) (79db525)
• prompts: add jira-setup credential configuration prompt (#1698) (b30a75d)
• rpi: introduce skill-forward RPI workflows (#1953) (44b42d4)
• rpi: update skill workflows and eval coverage (#2202) (01052e3)
• scripts: add accessibility state schema and noticeLog audit trail to planner schemas (#1734) (4044819)
• scripts: add evals orchestration modules and runners (#1831) (3175b5c)
• scripts: add instruction applyTo scope Pester suite (#1640) (d7a7a1c)
• scripts: add lint:py:fix to apply ruff autofixes across Python skills (#1450) (2b6dca7)
• scripts: add structured JSON log output to Validate-Collections.ps1 (57ea279)
• scripts: add structured JSON log output to Validate-Marketplace.ps1 (#1430) (ec2aa53)
• scripts: allowlist accessibility skills subdomain and recognize templates subdir (#1731) (81f379a)
• security: extract supply-chain-security skill and thin SSSC Planner (#1950) (2e9608c)
• security: migrate Security Planner to skill (#2045) (5202b71)
• skills: add 6 PowerPoint skill enhancements (#1481) (97c40e8)
• skills: add accessibility standards skills and shared backlog-templates skill (#1732) (a206f47)
• skills: add experimental mural skill with Python CLI, instructions, and agent integrations (#1561) (c5fcf0b)
• skills: add github-security code-scanning skill (#1418) (5bedf80)
• skills: add seven project-planning BRD skills (#1856) (2919d48)
• skills: add telemetry-foundations shared skill with consumer overlays (#1681) (ea0bec0)
• skills: add tts-voiceover skill for Azure Speech SDK voice-over generation (#1415) (c330c7a)
• skills: add vally-tests skill (#1830) (da9ffa2)
• skills: expand fuzz_has_formatting_variation to cover all formatting properties (#1143) (#1296) (d51b4d3)
• skills: replace doc-ops agents with unified documentation agent and skill (#2095) (a441419)
• workflows: add beval behavioral evaluation workflow for dt-coach agent (#1129) (f1a7043)
• workflows: add devcontainer lockfile integrity check (#1874) (d2996b7)
• workflows: add Pre-Release-As trailer override to pre-release w… (#1565) (310c68c)
• workflows: add weekly GitHub code scanning automation (#1495) (d307f8a)
• workflows: convert pr-review to manual /review slash command (#1544) (84e47f0)
• workflows: SLSA L3 provenance verify gate + branch-protection doc (#2231) (cae5d6d)

🐛 Bug Fixes

• 1633: docs: update docs/architecture/workflows.md npm script table for eval commands (#1655) (a586699)
• 1634: docs: sync lint:all chain in build-system.md with package.json (#1679) (ec35cec)
• build: bump basic-ftp override to 6.0.1 to clear high-severity advisory (#1545) (4353df1)
• build: override ip-address to 10.2.0 for GHSA-v2v4-37r5-5v8g (#1539) (ba520aa)
• build: pin tmp >=0.2.6 to resolve GHSA-ph9p-34f9-6g65 (#1686) (af67fec)
• build: pin uuid and postcss via overrides to resolve Dependabot alerts (#1491) (af1f9ca)
• ci: add composite action for PS module install with cache and retry (#2134) (78e3e8d)
• ci: align actionlint curl download with uv step pattern (#1870) (2ad24fd)
• ci: stabilize gitleaks fixture suppressions (#1883) (7d82c22)
• clarify markdownlint marker placement in PRD Builder (#2098) (b5c695f)
• deps: bump qs from 6.15.0 to 6.15.2 to resolve GHSA-q8mj-m7cp-5q26 (#1650) (6665e95)
• deps: remediate cryptography advisories and harden PowerPoint scripts (#2037) (2286c67)
• docs: adopt Docusaurus Faster and pin 3.10.1 (#1893) (011e69a)
• docs: harden homepage hero and search contrast for WCAG AA (#2250) (6da5316)
• docs: improve contrast for badges and search hint (#1922) (b0a0bda)
• docs: patch Docusaurus npm vulnerabilities and extend Dependabot scope (#1889) (65fe619)
• improve DT Coach Phase 1 initialization reliability and state schema (#2055) (027606c)
• instructions: enforce human review checkbox gate for backlog processing (#1920) (1ca08d7)
• instructions: update design thinking image prompt generation guidelines (fixes #1587) (#1629) (e8d4b8c)
• mural: send API-compliant arrow widget payload (#2136) (aaef669)
• scripts: Exclude plugins/ from ms.date freshness check to prevent duplicate stale reports (#1586) (0b617ce)
• scripts: npm run test:py fails when skills have uv-managed dev dependencies (#1938) (32a47dd)
• scripts: remove duplicate Included Artifacts heading in collection.md generation (#1855) (a343b5d)
• scripts: remove redundant moderation requirements.txt (#2273) (b6bb6ba)
• settings: remove markdownlint exclusion for collections/*.collection.md (#1372) (42cc137)
• skills: harden powerpoint PyMuPDF integration against malformed PDFs (#1018) (#1904) (c6d1ace)
• skills: remove "Brought to you by" attribution (#2047) (#2238) (a4769a0)
• skills: resolve pip-audit findings in tts-voiceover skill lock file (#1627) (2f206b5)
• skills: tighten strict-tier cite-only licensing in ADR standards (#1859) (ceb8c47)
• workflows: grant id-token write to docusaurus-tests callers for Codecov OIDC (#2085) (b69e34a)
• workflows: install PS modules with CurrentUser scope for copilot-setup-steps (#2244) (222f5bc)
• workflows: migrate gh-aw compiler to v0.79.4 and refresh lock files (#1903) (c3ced2b)
• workflows: refresh Dependabot PR Review and upgrade gh-aw to v0.76.1 (#1690) (cb4d871)

📚 Documentation

• add content policies, refresh environment versions, drop description attribution (#2192) (691cdea)
• add reactivation workflow subsection to ai-artifacts.md (#1882) (b869504)
• add Responsible AI Transparency Note (#1900) (75029d0)
• ado-backlog: correct ADO Backlog Manager workflow documentation (#2205) (3d4dbad)
• adrs: adopt Vally as agent and skill behavior evaluation framework (#1828) (3e27fc3)
• agents: add accessibility planner and reviewer documentation (#1736) (716922a)
• agents: align language-skills.md with semantic skill selection (#1891) (fd908f0)
• agents: refresh stale docs/agents pages for accuracy (#2211) (342c138)
• align Transparency Note with AI Messaging Guidance (#2039) (04c9331)
• docs: clarify getting-started method guides (#1851) (b054051)
• docs: refresh workflow, tool-checksums, and environment documentation (#2201) (6d227bd)
• expand providerAllowlist and document model field in customization guide (#2014) (6cc41e1)
• Fix stale eval:lint references in documentation (#1951) (1cd3c0d)
• hve-guide: refresh 22 stale guide pages and fix broken refs (#2207) (88dc7f2)
• improve new user onboarding with terminology, CLI plugins, and collections clarity (#1520) (66b524a)
• Improve readme.md and contributing.md (#1635) (b836ac0)
• instructions: adopt "this" singleton naming for terraform resources and data sources (#2164) (311e570)
• realign stale references with current source of truth (#2220) (9ac46ed)
• refresh design-thinking, customization, getting-started, and scripts documentation for accuracy (#2208) (d720f85)
• refresh stale agent catalog, getting-started counts, and security/evals docs (#2203) (39365cc)
• refresh stale documentation and update ms.date across 12 files (#1625) (46c0c03)
• remove generated footers (#1919) (1bf0c2b)
• scripts: fix stale linting README descriptions for Invoke-PythonTests.ps1 and Invoke-PythonLint.ps1 (#2017) (fac1b19)
• update docs to reflect updated changes (#2167) (85db9d5)
• update ms.date frontmatter for 13 stale documentation files (#1588) (940773c)
• update sssc-planning agent-overview for consolidated instructions (#2212) (d06b518)

♻️ Refactoring

• agents: align security and rai planner wording (#1854) (6f00d3e)
• skills: consolidate accessibility planner phases into playbook skill (#2021) (33e0429)
• skills: consolidate RAI instructions into rai-standards and rai-planner-playbook skills (#2062) (bd6f996)
• skills: migrate design-thinking tier-2 instructions to skills (#1857) (da1ee1b)
• skills: replace arch-diagram-builder agent with reusable architecture-diagrams skill (#2068) (979e454)

🔧 Maintenance

• agents: strip attribution suffix from descriptions (#1723) (69f6ffa), closes #1714
• build: add evals config and dependency foundation (#1829) (ef978c9)
• build: dependabot uv moderation coverage + dependency remediation (#2237) (edb2688)
• deps-dev: bump @vscode/vsce from 3.9.1 to 3.9.2 in the npm-dependencies group (#1871) (dd9c5a7)
• deps-dev: bump fast-uri from 3.1.0 to 3.1.2 (#1549) (7a2ee69)
• deps-dev: bump markdownlint-cli2 from 0.22.0 to 0.22.1 in the npm-dependencies group (#1452) (5440396)
• deps-dev: bump the npm-dependencies group across 1 directory with 3 updates (#1810) (2bdcb8d)
• deps-dev: bump the npm-dependencies group across 2 directories with 2 updates (#1952) (4d23c18)
• deps-dev: bump tmp from 0.2.5 to 0.2.7 (#1687) (5e83fac)
• deps-dev: bump ws from 7.5.10 to 7.5.11 in /docs/docusaurus (#2002) (f3fa829)
• deps: bump actions/checkout from 6.0.2 to 7.0.0 in the github-actions group (#2104) (ba0840d)
• deps: bump brace-expansion from 5.0.5 to 5.0.6 in /docs/docusaurus (#1614) (e5dcd9a)
• deps: bump fast-uri from 3.1.0 to 3.1.2 in /docs/docusaurus (#1548) (80fbddd)
• deps: bump launch-editor from 2.13.1 to 2.14.1 in /docs/docusaurus (#2004) (86e17ab)
• deps: bump qs and express in /docs/docusaurus (#1632) (a2159fc)
• deps: bump the github-actions group across 1 directory with 5 updates (#1872) (31eb145)
• deps: bump the github-actions group with 2 updates (#1657) (2bf7e51)
• deps: bump the github-actions group with 2 updates (#2206) (c4b724b)
• deps: bump the github-actions group with 3 updates (#1453) (a3ee84e)
• deps: bump the github-actions group with 3 updates (#1601) (173d558)
• deps: bump the github-actions group with 6 updates (#2197) (59e5e81)
• deps: bump the npm-dependencies group across 1 directory with 11 updates (#1894) (a2eee65)
• deps: bump torch from 2.9.1 to 2.12.0 in /scripts/evals/moderation (#2011) (a847cfa)
• deps: bump urllib3 from 2.6.3 to 2.7.0 in /.github/skills/experimental/tts-voiceover (#1583) (8d3b095)
• deps: bump webpack-dev-server from 5.2.3 to 5.2.4 in /docs/docusaurus (#1613) (f689272)
• deps: bump webpack-dev-server from 5.2.4 to 5.2.5 in /docs/docusaurus (#2043) (85fbba9)
• instructions: strip attribution suffix from descriptions (#1721) (aa4b4c1), closes #1712
• prompts: strip attribution suffix from descriptions (#1722) (23be43f), closes #1713
• scripts: refine extension prep and editor settings (#1852) (f8b2672)
• scripts: standardize copyright headers to canonical 2026 format (#2169) (05a8e1a)
• skills: strip attribution suffix from descriptions (#1724) (50b5447), closes #1715

---

This PR was generated with Release Please. See documentation.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.39%. Comparing base (b6bb6ba) to head (e362977).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1184      +/-   ##
==========================================
+ Coverage   81.32%   81.39%   +0.07%     
==========================================
  Files         130      120      -10     
  Lines       19142    19066      -76     
  Branches       12        0      -12     
==========================================
- Hits        15567    15519      -48     
+ Misses       3572     3547      -25     
+ Partials        3        0       -3     

Flag	Coverage Δ
docusaurus	?
pester	86.02% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 11 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/hve-core	4.0.0	Unknown	Unknown

Scanned Files

• package.json

[bindsi]

Automated review (bindsi batch). Routine release-please major release bump (3.3.101 → 4.0.0). Version strings updated consistently across all plugin.json, marketplace.json, package.json, extension template, and manifest files. No breakage observed. LGTM.

[bindsi]

Approved: this release-please update consistently applies the 4.0.0 release version across package and plugin metadata. I did not find actionable issues in the generated release changes.

[bindsi]

Approved: this release-please update consistently applies the release version and generated metadata. I did not find actionable issues in the current release changes.

[bindsi]

Approved: this release-please update applies the release metadata and changelog changes consistently. No actionable issues found.

[bindsi]

Approved: this release-please PR consistently applies the 4.0.0 release metadata and changelog updates. I did not find actionable issues in the generated release changes.

[github-actions]

Eval Execution

⚠️ No eval summary was produced.