---
engine: devin
cwd: /Users/sd9235/code/mygh/learning_ai_common_plat
yolo: true
lock: common-plat-dependabot
timeout: 4h
---

ROLE: Senior platform engineer. TRIAGE the open Dependabot dependency-update PRs in `learning_ai_common_plat`, verify each one builds + tests green against CURRENT main, and MERGE only the safe ones. This is a maintenance sweep — be conservative: a green verify gate is the bar for merging; anything that fails, conflicts, or is a risky major bump gets left open with a clear note. NEVER weaken or skip a test to make a PR pass.

PARALLEL-SAFETY: Other Devins may be running in this repo and in learning_ai_devops_tools on gigafactory `fleet` work. You touch ONLY dependency manifests + lockfile as Dependabot already changed them — do NOT edit application source. If a Dependabot branch conflicts with main on anything other than package.json / pnpm-lock.yaml, SKIP it (leave open, note why) rather than hand-resolving source conflicts.

THE BRANCHES (each is one open PR, ahead of main by ~1 commit):
- dependabot/npm_and_yarn/azure/cosmos-4.9.2
- dependabot/npm_and_yarn/fastify/cors-11.2.0
- dependabot/npm_and_yarn/happy-dom-20.8.4
- dependabot/npm_and_yarn/jose-6.2.2
- dependabot/npm_and_yarn/lint-staged-16.4.0
- dependabot/npm_and_yarn/multi-6d7db9f379 (a grouped multi-package bump)
- dependabot/npm_and_yarn/react-dom-19.2.4
- dependabot/npm_and_yarn/stripe-20.4.1
- dependabot/npm_and_yarn/types/node-25.5.0
- dependabot/npm_and_yarn/typescript-eslint/parser-8.57.1
- dependabot/github_actions/actions/checkout-6
- dependabot/github_actions/actions/setup-node-6
- dependabot/github_actions/actions/setup-python-6

(Re-list with `git branch -r | grep dependabot` in case the set changed.)

PER-PR PROCEDURE (do each in an ISOLATED worktree off CURRENT origin/main so the main checkout + other Devins are never disturbed):

1. `git fetch origin --prune`; create a temp worktree at origin/main; merge the dependabot branch into it (`--no-commit --no-ff`).
   - If the merge touches ANY file other than package.json / pnpm-lock.yaml / .github/workflows/* -> ABORT, classify SKIP (unexpected scope), note it.
   - If it conflicts -> ABORT, classify SKIP (conflicts main), note it.
2. Identify the bump TYPE from the version delta (semver): patch / minor / major.
3. Run the VERIFY GATE in the merged worktree:
   - `pnpm install --frozen-lockfile` (must succeed with the bumped lockfile)
   - `pnpm build`
   - `pnpm test`
   - For react-dom: also run the dashboards' web tests if they have their own suite.
   - GitHub-actions bumps (checkout/setup-node/setup-python): no pnpm gate; just confirm the workflow YAML still parses and the action major is supported by our runners.
4. CLASSIFY:
   - MERGE if: scope is only manifests/lockfile/workflow, no conflicts, verify gate fully green. (Patch/minor with green gate = merge. A MAJOR bump may merge ONLY if the gate is green AND nothing in our code uses a removed/changed API — if unsure, HOLD.)
   - HOLD (leave open) if: gate fails, major bump with any ambiguity, or behavioral risk (e.g. stripe / jose / react-dom majors that need a human eye).
   - SKIP if: conflicts main or touches unexpected files.
5. To MERGE: merge the branch into main with `--no-ff` (first parent = main), message `chore(deps): -> (#)`, push origin HEAD:main, then delete the dependabot branch. Re-fetch main before the NEXT PR so each builds on the latest (avoids lockfile churn between merges).

Do the LOW-RISK ones first (types/node, lint-staged, happy-dom, the actions bumps), majors last.

CONSTRAINTS: no app-source edits; never modify/skip tests; ESM repo conventions; conventional commits (chore(deps): ...); do not touch the gigafactory `fleet` modules; do not delete backup/* branches; leave the gigafactory + hermes branches alone. Stay entirely in isolated worktrees; clean every worktree up afterward (`git worktree remove --force` + `prune`).
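
EXAMPLE (added here, not part of the original task file or the repo's tooling): the scope check from step 1, the semver typing from step 2 and the classification from step 4 as POSIX sh helpers. The function names, the yes/no and green/red flag values, and the `*/package.json` workspace-manifest pattern are assumptions; the caller supplies the changed-path list and the version strings.

```sh
#!/bin/sh
# Added example; function names and flag values are hypothetical.
# Inputs are passed in, so nothing here touches git, pnpm or the network.

# scope_ok: changed paths on stdin, one per line (for instance from
# `git diff --cached --name-only` after `git merge --no-commit --no-ff`).
# Returns 0 only if every path is on the step-1 allow-list.
scope_ok() {
  while IFS= read -r p || [ -n "$p" ]; do
    case "$p" in
      ''|package.json|pnpm-lock.yaml|.github/workflows/*) ;;
      */package.json) ;;  # assumption: workspace manifests are in scope
      *) return 1 ;;
    esac
  done
  return 0
}

# bump_type OLD NEW: prints patch|minor|major, or unknown for anything that
# is not a plain forward X[.Y[.Z]] bump (downgrade, pre-release, no change).
bump_type() {
  IFS=. read -r o1 o2 o3 <<EOF
${1#v}
EOF
  IFS=. read -r n1 n2 n3 <<EOF
${2#v}
EOF
  for part in "$o1" "${o2:=0}" "${o3:=0}" "$n1" "${n2:=0}" "${n3:=0}"; do
    case "$part" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  done
  if   [ "$n1" -gt "$o1" ]; then echo major
  elif [ "$n1" -eq "$o1" ] && [ "$n2" -gt "$o2" ]; then echo minor
  elif [ "$n1" -eq "$o1" ] && [ "$n2" -eq "$o2" ] && [ "$n3" -gt "$o3" ]; then echo patch
  else echo unknown; fi
}

# decide SCOPE(yes|no) CONFLICTS(yes|no) BUMP GATE(green|red) API_CLEAR(yes|no)
# Mirrors step 4; anything ambiguous falls through to HOLD.
decide() {
  [ "$1" = yes ] || { echo SKIP; return 0; }    # unexpected scope
  [ "$2" = no ] || { echo SKIP; return 0; }     # conflicts main
  [ "$4" = green ] || { echo HOLD; return 0; }  # gate failed
  case "$3" in
    patch|minor) echo MERGE ;;
    major) if [ "$5" = yes ]; then echo MERGE; else echo HOLD; fi ;;
    *) echo HOLD ;;
  esac
}
```

A bump that cannot be typed (pre-release tag, downgrade, four-part version) comes back as `unknown` and therefore lands on HOLD, which matches the conservative bar set above.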

VERIFY GATE (per merged PR, must be green to merge):
- pnpm install --frozen-lockfile && pnpm build && pnpm test (no regression)

FINAL OUTPUT — report in EXACTLY this format:

## Dependency Triage Report — common-plat Dependabot

### Summary table
| PR / package | old -> new | bump | verify gate | decision |
(one row per branch: MERGE / HOLD / SKIP)

### Merged (pushed to main)
- new> (#pr) — commit

### Held open (with reason)
-

### Skipped (with reason)
-

### Verify gate results (build/test summary per merged PR)

### Branches deleted

### Anything that needs a human decision