chore(deps): C-339 dependabot consolidation — supersedes #310–#314 (1 taken, 1 corrected, 3 held)#315

Merged: kaizencycle merged 2 commits into main from claude/c-339-dependabot-consolidation on Jun 11, 2026

Conversation

@kaizencycle (Owner)

EPICON Intent Block

Safety verdict per PR

| PR | Bump | Verdict | Disposition |
|---|---|---|---|
| #310 | @vercel/node 5.8.16→5.8.17 | ✅ Safe (patch, in-range of ^5.5.15) | Taken — lockfile updated |
| #312 | @types/node 18→25 | ⚠️ Wrong target — repo runtime is Node 20 | Taken as 18→20: ^18.0.0 → ^20.0.0 in packages/atlas-sentinel, sentinels/atlas, sentinels/uriel; lockfile dedupes to one 20.x. Ignore rule for @types/node >=21 |
| #311 | hardhat-chai-matchers 2→3 | ❌ Incompatible — requires hardhat 3; gic-registry-contracts pins hardhat 2.22.5 | Held via ignore rule; bump belongs in a hardhat-3 migration |
| #313 | http-proxy-middleware 2→4 | ❌ Two majors; v3 rewrote the createProxyMiddleware API that apps/api-gateway uses | Held via ignore rule |
| #314 | tailwindcss 3→4 | ❌ v4 is a CSS-first config rewrite; 8 apps pin ^3.4.x with tailwind.config.js | Held via ignore rule; migrate deliberately, not via dep bump |

The ignore rules follow the repo's own precedent (#308, ESLint held at 8.x), each with a comment stating the unblock condition so they're revisitable, not permanent.

Lockfile diff verification

Verified the lock diff contains only: @vercel/node 5.8.16→5.8.17, removal of nested @types/node 18.19.130 copies (dedupe to root 20.19.43), in-range nested 22.19.1→22.19.21 refreshes, and the undici-types transitive. No major versions moved.

After merge

Dependabot auto-closes #310–#314 on its next run: #310/#312 because the dependencies moved, #311/#313/#314 because of the ignore rules. No manual closing needed.

Residual risk: the three packages whose types moved 18→20 are type-checked in CI, not locally (worktree had no node_modules) — if CI's type-check flags anything, I'll fix on this branch.

https://claude.ai/code/session_014WMkjWLnt4ezGEHujmukLk


Generated by Claude Code

One reviewable PR replacing five dependabot PRs, with per-dependency
judgment instead of blind merges:

TAKEN:
- @vercel/node 5.8.16 -> 5.8.17 (patch, in-range; supersedes #310)
- @types/node aligned to ^20 in atlas-sentinel, sentinels/atlas,
  sentinels/uriel (was ^18; repo runtime is Node 20). Lockfile now
  dedupes to a single 20.x at root. Supersedes the *intent* of #312,
  which wanted 18 -> 25 — types must track the runtime, not latest.

HELD (dependabot ignore rules added, following the #308 ESLint precedent):
- tailwindcss 4.x (#314): config-system rewrite; 8 apps pin ^3.4.x
- http-proxy-middleware 3+/4 (#313): createProxyMiddleware API rewrite;
  apps/api-gateway uses the v2 API
- @nomicfoundation/hardhat-chai-matchers 3 (#311): requires hardhat 3;
  gic-registry-contracts pins hardhat 2.22.5 — incompatible as proposed
- @types/node >=21 (#312): runtime is Node 20

Dependabot auto-closes the superseded PRs once these ignore rules and
bumps land on main.

https://claude.ai/code/session_014WMkjWLnt4ezGEHujmukLk
@github-actions (Contributor)

Drift Compliance: All test vectors passed GI threshold validation

@kaizencycle kaizencycle marked this pull request as ready for review June 11, 2026 21:15
@kaizencycle kaizencycle added the consensus:approved consensus approval label Jun 11, 2026
@github-actions github-actions Bot removed the consensus:approved consensus approval label Jun 11, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0f1fc9b101


Comment thread on .github/dependabot.yml (outdated):

```yaml
# @types/node must track the runtime (Node 20 repo-wide), not latest.
# Declarations aligned to ^20 in C-339; ignore 21+ until runtime moves.
- dependency-name: "@types/node"
  versions: [">=21"]
```


P2: Keep Node 22 type patch updates unblocked

This versions: [">=21"] ignore is global for every npm workspace, so it also suppresses Dependabot updates for workspaces that already declare Node 22 types. For example, packages/tokenomics-engine and sentinels/aurea both require @types/node ^22.x and the lockfile contains nested @types/node 22.19.21 entries, so future 22.x patch/minor fixes for those workspaces will be ignored along with the unwanted 20→21+ bumps. Use an update-type-based major ignore instead so existing Node 22 consumers can still receive 22.x maintenance updates.


versions: [">=21"] was global and would have suppressed 22.x maintenance
for workspaces that legitimately declare @types/node ^22. An update-types
major-only ignore blocks the #312 failure mode (cross-major jumps) while
letting in-range patches flow.

https://claude.ai/code/session_014WMkjWLnt4ezGEHujmukLk

@kaizencycle (Owner, Author)

Codex P2 fixed in 1aa8f54 — the @types/node ignore is now update-types: ["version-update:semver-major"] instead of the global versions: [">=21"], so workspaces on ^22 (tokenomics-engine, sentinels/aurea) keep receiving 22.x maintenance while cross-major jumps like #312's 18→25 stay blocked.

On the failing checks — this is the C-339 gate (merged in #299) working as designed, not a defect of this PR:

  • The manually-applied consensus:approved label was revoked by the hygiene workflow because the head SHA has no passing sentinel review. Since #299 ("governance: C-339 hardening — close the fail-open consensus gate (PR-A, Claude Code)"), that label is an output of sentinel review, never an input — applying it by hand can't open the gate anymore (that was the fail-open hole).
  • To merge this PR: apply review:atlas, review:aurea, or consensus:requested. A real sentinel review then runs on the head SHA; on pass it applies consensus:approved itself and the Merge Gate goes green. Note this requires the OPENAI_API_KEY / ANTHROPIC_API_KEY repo secrets — without them the labeled review fails closed by design (mobius-operator-merge.yml remains the emergency path).

All 24 substantive checks pass, including type-checks over the three packages whose @types/node moved 18→20.


Generated by Claude Code
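An added example (not code from the repository or this PR) that models, in simplified form, why the global `versions: [">=21"]` rule also suppressed 22.x maintenance while the `update-types: ["version-update:semver-major"]` rule does not. The range matching and update-type classification are assumptions about dependabot's behaviour, and the 25.0.0 target for #312 is a constructed value.

```python
# Simplified model of the two dependabot ignore rules discussed in this PR: a
# `versions` rule skips an update when the target version satisfies the range;
# an `update-types` rule skips it when the bump's semver class is listed.
from typing import Tuple


def parse(v: str) -> Tuple[int, int, int]:
    """'22.19.1' -> (22, 19, 1); missing components default to 0."""
    parts = [int(p) for p in v.split(".")] + [0, 0, 0]
    return parts[0], parts[1], parts[2]


def update_type(old: str, new: str) -> str:
    """Classify a bump into dependabot's version-update:semver-* categories."""
    o, n = parse(old), parse(new)
    if n[0] != o[0]:
        return "version-update:semver-major"
    if n[1] != o[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def satisfies(version: str, rng: str) -> bool:
    """Range check for the '>=X' form used in the flagged rule (assumption)."""
    assert rng.startswith(">="), "only '>=' ranges are modelled here"
    return parse(version) >= parse(rng[2:])


def is_ignored(rule: dict, old: str, new: str) -> bool:
    """True when `rule` would make dependabot skip the bump old -> new."""
    if any(satisfies(new, r) for r in rule.get("versions", [])):
        return True
    return update_type(old, new) in rule.get("update-types", [])


# The global range rule Codex flagged, and the corrected rule from 1aa8f54.
RANGE_RULE = {"dependency-name": "@types/node", "versions": [">=21"]}
MAJOR_RULE = {"dependency-name": "@types/node",
              "update-types": ["version-update:semver-major"]}
# Bumps from the PR discussion; 25.0.0 is a constructed stand-in for #312's
# target, the 22.x pair is the in-range lockfile refresh the PR mentions.
CASES = {
    "cross-major 18->25 (#312)": ("18.19.130", "25.0.0"),
    "22.x maintenance (aurea/tokenomics)": ("22.19.1", "22.19.21"),
}


def compare(cases: dict = CASES) -> dict:
    """Map each case to (ignored by RANGE_RULE, ignored by MAJOR_RULE)."""
    return {name: (is_ignored(RANGE_RULE, o, n), is_ignored(MAJOR_RULE, o, n))
            for name, (o, n) in cases.items()}
```

Both rules block the cross-major jump; only the range rule also swallows the 22.x patch refresh, which is the regression Codex pointed out.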

@github-actions (Contributor)

Drift Compliance: All test vectors passed GI threshold validation

@kaizencycle kaizencycle merged commit 165c365 into main Jun 11, 2026
26 of 28 checks passed