Hmbown · Hmbown · Jun 21, 2026 · Jun 18, 2026 · Jun 18, 2026 · Jun 18, 2026
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Open allowlist update PR
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const comment = context.payload.comment;

@@ -38,7 +38,7 @@ jobs:
   close:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           # We need at least the commits that this push introduced.
           # fetch-depth: 0 is the simplest correct option; the

@@ -28,7 +28,7 @@ jobs:
   tag:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
           # Prefer PAT so the resulting tag push triggers release.yml.

@@ -20,9 +20,9 @@ jobs:
     name: Version drift
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
       - uses: dtolnay/rust-toolchain@stable
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: 20
       - name: Check version drift
@@ -34,7 +34,7 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
       - uses: dtolnay/rust-toolchain@master
@@ -89,7 +89,7 @@ jobs:
         # coverage CNB cannot provide.
         os: [ubuntu-latest, macos-latest, windows-latest]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         if: runner.os != 'Linux'
       - uses: dtolnay/rust-toolchain@stable
         if: runner.os != 'Linux'
@@ -118,11 +118,11 @@ jobs:
       matrix:
         os: ${{ fromJSON(github.event_name == 'pull_request' && '["ubuntu-latest"]' || '["ubuntu-latest","macos-latest","windows-latest"]') }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         if: runner.os != 'Linux'
       - uses: dtolnay/rust-toolchain@stable
         if: runner.os != 'Linux'
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         if: runner.os != 'Linux'
         with:
           node-version: 20
@@ -145,7 +145,7 @@ jobs:
     if: github.event_name != 'schedule'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
       - uses: dtolnay/rust-toolchain@stable
       - name: Install Linux system dependencies
         run: |
@@ -167,7 +167,7 @@ jobs:
     if: github.event_name == 'schedule'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
       - uses: dtolnay/rust-toolchain@stable
       - name: Install Linux system dependencies
         if: runner.os == 'Linux'

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Welcome new external issue reporters
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const issue = context.payload.issue;

@@ -76,7 +76,7 @@ jobs:
             artifact_name: codewhale-tui-windows-x64.exe
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
       - uses: dtolnay/rust-toolchain@stable
         with:
           targets: ${{ matrix.target }}
@@ -141,7 +141,7 @@ jobs:
           artifact=${{ matrix.artifact_name }}
           INFO
           echo "name=${{ matrix.artifact_name }}-${short_sha}" >> "${GITHUB_OUTPUT}"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: ${{ steps.stage.outputs.name }}
           path: nightly/*

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Gate unapproved external pull requests
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const pr = context.payload.pull_request;

@@ -22,7 +22,7 @@ jobs:
     if: github.event_name == 'push'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: '1.88'
@@ -69,7 +69,7 @@ jobs:
       source_ref: ${{ steps.release.outputs.source_ref }}
       sha: ${{ steps.release.outputs.sha }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
       - name: Resolve release source
@@ -166,7 +166,7 @@ jobs:
             artifact_name: codewhale-tui-windows-x64.exe
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           ref: ${{ needs.resolve.outputs.source_ref }}
       - uses: dtolnay/rust-toolchain@master
@@ -251,7 +251,7 @@ jobs:
             exit 1
           fi
           cp "${BIN_PATH}" "${{ matrix.artifact_name }}"
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v7
         with:
           name: ${{ matrix.artifact_name }}
           path: ${{ matrix.artifact_name }}
@@ -261,7 +261,7 @@ jobs:
     if: ${{ !cancelled() && needs.build.result == 'success' }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           ref: ${{ needs.resolve.outputs.source_ref }}
       - uses: actions/download-artifact@v8
@@ -351,7 +351,7 @@ jobs:
           cat "$MANIFEST"
 
       - name: Upload bundle artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: codewhale-bundles
           path: bundles/*
@@ -362,7 +362,7 @@ jobs:
     if: ${{ !cancelled() && needs.build.result == 'success' }}
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           ref: ${{ needs.resolve.outputs.source_ref }}
       - uses: actions/download-artifact@v8
@@ -393,7 +393,7 @@ jobs:
             throw "CodeWhaleSetup.exe was not produced"
           }
       - name: Upload installer artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: CodeWhaleSetup.exe
           path: scripts/installer/CodeWhaleSetup.exe
@@ -408,12 +408,12 @@ jobs:
       packages: write
     steps:
       - name: Checkout release source
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
         with:
           ref: ${{ needs.resolve.outputs.source_ref }}
           path: source
       - name: Checkout release infrastructure
-        uses: actions/checkout@v4
+        uses: actions/checkout@v7
         with:
           path: infra
       - name: Set up QEMU
@@ -432,7 +432,7 @@ jobs:
         run: echo "name=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT"
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ${{ steps.image.outputs.name }}
@@ -476,7 +476,7 @@ jobs:
     steps:
       # Checked out into a subdirectory so it cannot clobber the downloaded
       # artifacts; used for the release-body generator and the CHANGELOG.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           ref: ${{ needs.resolve.outputs.tag }}
           path: repo
@@ -547,7 +547,7 @@ jobs:
           fi
       # Checkout main (not the tag) so the release-infra script is always
       # available, even for tags created before this workflow was added.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         if: steps.homebrew-token.outputs.available == 'true'
         with:
           ref: main

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Auto-close spam patterns from new accounts
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const issue = context.payload.issue;

@@ -49,7 +49,7 @@ jobs:
   sync:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v7
         with:
           fetch-depth: 0
 

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Auto-label by title and body
-        uses: actions/github-script@v7
+        uses: actions/github-script@v9
         with:
           script: |
             const issue = context.payload.issue;

@@ -24,14 +24,19 @@ jobs:
       run:
         working-directory: web
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v7
+      - uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'
           cache-dependency-path: web/package-lock.json
       - name: Install dependencies
         run: npm ci
+      - name: Generate derived facts
+        # facts.generated.ts is gitignored and produced by derive-facts.mjs;
+        # tsc --noEmit fails without it (TS2307) and downstream inferences
+        # cascade into spurious TS7006 errors, so regenerate before type check.
+        run: npm run prebuild
       - name: Run ESLint
         run: npm run lint
       - name: TypeScript type check
@@ -49,8 +54,8 @@ jobs:
       CLOUDFLARE_ACCOUNT_ID: ${{ vars.CLOUDFLARE_ACCOUNT_ID }}
       CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v7
+      - uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: 'npm'

@@ -6,20 +6,21 @@
   **not** hard-code a device-specific checkout path here — work in whichever
   local checkout you have and always **confirm with
   `git branch --show-current` before editing.**
-- **Active branch:** `hunter/0.8.62-glm-subagents` (also at
-  `origin/hunter/0.8.62-glm-subagents`). 0.8.61 has shipped; all new work lands
-  here.
-- **Workspace version is intentionally still `0.8.61`** in `Cargo.toml` — the
-  bump to `0.8.62` is deferred until the GLM-5.2 routing is smoke-tested end to
-  end against live Z.ai + OpenRouter (see CHANGELOG `## [Unreleased]`). Do not
-  bump it opportunistically.
-- **Milestone guidepost:** GitHub milestone `v0.8.62` (id 47). Check live state
-  with `gh issue list --repo Hmbown/CodeWhale --milestone "v0.8.62" --state open`.
-- **Default branch is `main`.** Never commit directly to `main`; always work on
-  `hunter/0.8.62-glm-subagents` (or a fresh branch off it for an isolated
-  change). Open a PR into `main` only when a unit of work is reviewable.
+- **Active branch:** `codex/v0.8.63-integration` (also at
+  `origin/codex/v0.8.63-integration`) for the current fix/integration lane.
+  If a newer handoff or objective file names a different branch, verify with
+  `git branch --show-current` and follow the live branch.
+- **Workspace version is `0.8.63`** in `Cargo.toml`. Do not bump versions
+  opportunistically; version bumps, tags, release artifacts, publishing, and
+  GitHub Releases require Hunter's explicit approval.
+- **Milestone guidepost:** GitHub milestone `v0.8.63`. Check live state with
+  `gh issue list --repo Hmbown/CodeWhale --milestone "v0.8.63" --state open`.
+- **Default branch is `main`.** Never commit directly to `main`; work on the
+  active integration branch or a fresh `codex/...` branch/worktree off it for
+  an isolated change. Open a PR into `main` only when a unit of work is
+  reviewable.
 - **Always run before pushing a change:** `cargo fmt`, then the targeted tests
-  for the area (`cargo test -p codewhale-tui --bins <filter>`,
+  for the area (`cargo test -p codewhale-tui --bin codewhale-tui --locked <filter>`,
   `cargo test -p codewhale-config`, `cargo test -p codewhale-protocol`, …). Full
   gate: `cargo test --workspace`. Release build:
   `cargo build --release -p codewhale-cli -p codewhale-tui`.
@@ -96,7 +97,7 @@
 - Close or update issues and PRs only after verifying the landed commit on the
   relevant branch. If the release branch already contains equivalent behavior,
   leave a clear note linking the commit and describing any remaining delta.
-- For the active release queue, start from the GitHub `v0.8.62` milestone
-  (`gh issue list --repo Hmbown/CodeWhale --milestone "v0.8.62"`) and refresh
+- For the active release queue, start from the GitHub `v0.8.63` milestone
+  (`gh issue list --repo Hmbown/CodeWhale --milestone "v0.8.63"`) and refresh
   state before acting. Older per-version triage docs under `docs/` are
   historical reference only.