Releases

Upgraded `actions/checkout` and `actions/setup-node` to v5 across all workflows

Upgraded `pnpm/action-setup` to v5 across all workflows

Added `pnpm/action-setup` step to `sync-releases.yml` (was missing; caused pnpm not found error after setup-node@v5 auto-detects packageManager field)

Added `pnpm -r test` step to `ci.yml` (tests were never run in CI previously)

Removed `|| true` from `pnpm audit` in `security-audit.yml`

Updated Node.js from 20 to 22 across all workflows

`packages/io-json/package.json`, `packages/schema/package.json` — added missing `"test"` script; both packages' test files existed on disk but were never executed by turbo

`packages/io-json/test/io.test.ts` — updated stale v0.2 fixture to v0.4 (`version: "0.2"` → `"0.4"`); test had been silently skipped since the v0.2 → v0.4 wire-format migration

`.gitignore` — added `.claude/` entry

**34 passed** (was 32 — io-json and schema test suites now wired into turbo)

`@decisiongraph/cli`: wrap `JSON.parse` in try/catch in `validate`, `lint`, `replay`, `diff` commands — malformed JSON input no longer exposes raw stack traces; returns user-friendly error message with file path

`@decisiongraph/cli`: duplicate violations in `lint <directory>` and `traverse` — `lintStore` was called with `ConstitutionalPolicy` as both internal and caller policy, causing store-level violations to appear twice

Packages updated:

`@decisiongraph/schema`: `files` field added to `package.json` — `schemas/` directory was missing from npm published package

`@decisiongraph/schema`: v0.4 schema upgraded to full implementation — typed discriminated union (`AddNodeOp` / `AddEdgeOp` / `SupersedeEdgeOp` / `CommitOp`) and `Node.status` prohibition (`"not": {}`) now enforced at schema layer

`@decisiongraph/io-json` / `@decisiongraph/cli`: `workspace:*` dependencies were not resolved on publish — replaced with explicit version ranges

`@decisiongraph/cli`: `cmdLint` now uses `emptyGraph(graphId)` instead of `emptyStore()` — graph must exist before ops are applied

`@decisiongraph/cli`: `cmdLintDir` now initializes each graph in store before `applyBatch`

`@decisiongraph/schema`: v0.4 JSON Schema added (`schemas/v0.4/decision.schema.json`)

`@decisiongraph/io-json`: `version.ts` updated — `"0.4"` added to `SUPPORTED_VERSIONS`, `CURRENT_SCHEMA_VERSION` set to `"0.4"`

`decisions/demo.json` updated to v0.4 format (`version: "0.4"`, `graphId` added)

CI `decision-lint.yml`: `pnpm install` (was `pnpm -w install`) for full workspace resolution

All workspace dependencies use `workspace:*` for consistent turbo build ordering in CI

Packages updated:

Packages updated:

`effectiveStatus(store, nodeId): "Active" | "Superseded"` — topology-derived, sole authority for node supersession

`SELF_LOOP` violation code — edge from a node to itself is rejected

`supersede_edge` atomicity guarantee — old edge marked Superseded and new edge added in single operation

`ResolvedNode` / `ResolvedEdge` types exported from `@decisiongraph/core`

`emptyGraph(graphId)` helper for single-graph store initialization

Golden fixtures C01–C20 covering all v0.4 constitutional invariants

`io-json/decode.ts` updated to v0.4 (Node.status removed, supersede_node removed)

`fixtures.test.ts`: store initialized with `emptyGraph(graphId)` to ensure graph exists before ops

All v0.2 golden fixtures updated to v0.4 format (node.status removed, edge.status added)

`core.test.ts`: node.status removed from all test data

`@decisiongraph/cli`: `workspace:*` dependencies resolved to explicit versions for npm publish

`@decisiongraph/io-json`: `workspace:*` dependencies resolved to explicit versions for npm publish

Added `.npmrc` to root (`link-workspace-packages=false`) to prevent `workspace:*` from leaking into published packages

Packages updated:

`DEPENDENCY_ON_DEPRECATED` violation code (Constitution Section 6, severity: WARN)

CLI `--strict` flag — treat WARN as ERROR

Packages updated:

**Breaking**: `Graph` now requires `graphId`

**Breaking**: `applyBatch`, `lint`, `replay` signatures updated to accept `GraphStore` and `GraphId`

**Breaking**: All IDs (`NodeId`, `EdgeId`, `CommitId`) are now GraphStore-wide unique

`GraphStore` as top-level container (`GraphStore = one world`)

`GraphId` branded type

`lintStore` for store-wide cross-graph validation

`resolveNode` / `resolveEdge` as first-class kernel operations

`EDGE_NOT_RESOLVED` violation code for unresolvable cross-graph references

`CIRCULAR_DEPENDENCY` violation code (DFS across graph boundaries)

`DEPENDENCY_ON_SUPERSEDED` violation code (Constitution Section 6)

CLI `traverse <directory>` command with violation tree display

`Violation.payload` for structured context (`fromNodeId`)

`traceDependencyPath` kernel function for chain traversal