docs: add context-mode routing rules to CLAUDE.md

Add mandatory routing rules section for context-mode MCP plugin,
documenting blocked commands, redirected tools, tool selection
hierarchy, and output constraints.

.github/actions/setup-test-environment/action.yml

@@ -17,7 +17,7 @@ runs:
   using: composite
   steps:
     - name: Install uv
-      uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
+      uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7.5.0
       with:
         enable-cache: true
 

.github/workflows/action-security.yml

@@ -6,11 +6,9 @@ on:
   push:
     paths:
       - '**/action.yml'
-      - '**/action.yaml'
   pull_request:
     paths:
       - '**/action.yml'
-      - '**/action.yaml'
   merge_group:
 
 concurrency:

.github/workflows/pr-lint.yml

@@ -8,19 +8,17 @@ on:
       - main
       - master
     paths-ignore:
-      - '**.md'
-      - 'docs/**'
+      - '**/*.md'
       - '.github/*.md'
-      - 'LICENSE'
+      - 'LICENSE.md'
   pull_request:
     branches:
       - main
       - master
     paths-ignore:
-      - '**.md'
-      - 'docs/**'
+      - '**/*.md'
       - '.github/*.md'
-      - 'LICENSE'
+      - 'LICENSE.md'
   merge_group:
 
 env:

.github/workflows/release.yml

@@ -54,7 +54,7 @@ jobs:
       contents: write
     steps:
       - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
-      - uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
+      - uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
         with:
           format: cyclonedx-json
           output-file: sbom.cdx.json

.github/workflows/security-suite.yml

@@ -7,16 +7,12 @@ on:
     paths:
       - '**/package.json'
       - '**/package-lock.json'
-      - '**/yarn.lock'
-      - '**/pnpm-lock.yaml'
-      - '**/requirements.txt'
       - '**/Dockerfile'
       - '**/*.py'
       - '**/*.js'
       - '**/*.ts'
       - '**/*.yml'
       - '**/*.yaml'
-      - '.github/workflows/**'
 
 permissions: {}
 

.github/workflows/sync-labels.yml

@@ -8,7 +8,6 @@ on:
       - main
       - master
     paths:
-      - '.github/labels.yml'
       - '.github/workflows/sync-labels.yml'
       - 'sync-labels/action.yml'
       - 'sync-labels/labels.yml'

.github/workflows/test-actions.yml

@@ -263,7 +263,7 @@ jobs:
 
     steps:
       - name: Download test results
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           pattern: '*-test-results'
           merge-multiple: true

.pre-commit-config.yaml

@@ -14,7 +14,7 @@ repos:
         types: [markdown, python, yaml]
         files: ^(docs/.*|README\.md|CONTRIBUTING\.md|CHANGELOG\.md|.*\.py|.*\.ya?ml)$
   - repo: https://github.com/astral-sh/uv-pre-commit
-    rev: 0.10.8
+    rev: 0.10.11
     hooks:
       - id: uv-lock
       - id: uv-sync
@@ -55,7 +55,7 @@ repos:
       - id: yamllint
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.5
+    rev: v0.15.6
     hooks:
       # Run the linter with auto-fix
       - id: ruff-check
@@ -67,30 +67,35 @@ repos:
     rev: v3.12.0-2
     hooks:
       - id: shfmt
-        args: ['--apply-ignore']
+        args: ["--apply-ignore"]
         exclude: '^_tests/.*\.sh$'
 
   - repo: https://github.com/shellcheck-py/shellcheck-py
     rev: v0.11.0.1
     hooks:
       - id: shellcheck
-        args: ['-x']
+        args: ["-x"]
         exclude: '^_tests/.*\.sh$'
 
   - repo: https://github.com/rhysd/actionlint
     rev: v1.7.11
     hooks:
       - id: actionlint
-        args: ['-shellcheck=']
+        args: ["-shellcheck="]
 
   - repo: https://github.com/bridgecrewio/checkov.git
-    rev: '3.2.507'
+    rev: "3.2.510"
     hooks:
       - id: checkov
         args:
-          - '--quiet'
+          - "--quiet"
 
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.30.0
+    rev: v8.30.1
     hooks:
       - id: gitleaks
+
+  - repo: https://github.com/mpalmer/action-validator
+    rev: v0.8.0
+    hooks:
+      - id: action-validator

CLAUDE.md

@@ -168,3 +168,78 @@ Check: `make check-version-refs`
 ---
 
 All actions modular and externally usable. No exceptions to any rule.
+
+## context-mode — MANDATORY routing rules
+
+You have context-mode MCP tools available. These rules are NOT optional — they protect your context window from flooding. A single unrouted command can dump 56 KB into context and waste the entire session.
+
+### BLOCKED commands — do NOT attempt these
+
+#### curl / wget — BLOCKED
+
+Any Bash command containing `curl` or `wget` is intercepted and replaced with an error message. Do NOT retry.
+Instead use:
+
+- `ctx_fetch_and_index(url, source)` to fetch and index web pages
+- `ctx_execute(language: "javascript", code: "const r = await fetch(...)")` to run HTTP calls in sandbox
+
+#### Inline HTTP — BLOCKED
+
+Any Bash command containing `fetch('http`, `requests.get(`, `requests.post(`, `http.get(`, or `http.request(` is intercepted and replaced with an error message. Do NOT retry with Bash.
+Instead use:
+
+- `ctx_execute(language, code)` to run HTTP calls in sandbox — only stdout enters context
+
+#### WebFetch — BLOCKED
+
+WebFetch calls are denied entirely. The URL is extracted and you are told to use `ctx_fetch_and_index` instead.
+Instead use:
+
+- `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` to query the indexed content
+
+### REDIRECTED tools — use sandbox equivalents
+
+#### Bash (>20 lines output)
+
+Bash is ONLY for: `git`, `mkdir`, `rm`, `mv`, `cd`, `ls`, `npm install`, `pip install`, and other short-output commands.
+For everything else, use:
+
+- `ctx_batch_execute(commands, queries)` — run multiple commands + search in ONE call
+- `ctx_execute(language: "shell", code: "...")` — run in sandbox, only stdout enters context
+
+#### Read (for analysis)
+
+If you are reading a file to **Edit** it → Read is correct (Edit needs content in context).
+If you are reading to **analyze, explore, or summarize** → use `ctx_execute_file(path, language, code)` instead. Only your printed summary enters context. The raw file content stays in the sandbox.
+
+#### Grep (large results)
+
+Grep results can flood context. Use `ctx_execute(language: "shell", code: "grep ...")` to run searches in sandbox. Only your printed summary enters context.
+
+### Tool selection hierarchy
+
+1. **GATHER**: `ctx_batch_execute(commands, queries)` — Primary tool. Runs all commands, auto-indexes output, returns search results. ONE call replaces 30+ individual calls.
+2. **FOLLOW-UP**: `ctx_search(queries: ["q1", "q2", ...])` — Query indexed content. Pass ALL questions as array in ONE call.
+3. **PROCESSING**: `ctx_execute(language, code)` | `ctx_execute_file(path, language, code)` — Sandbox execution. Only stdout enters context.
+4. **WEB**: `ctx_fetch_and_index(url, source)` then `ctx_search(queries)` — Fetch, chunk, index, query. Raw HTML never enters context.
+5. **INDEX**: `ctx_index(content, source)` — Store content in FTS5 knowledge base for later search.
+
+### Subagent routing
+
+When spawning subagents (Agent/Task tool), the routing block is automatically injected into their prompt.
+Bash-type subagents are upgraded to general-purpose so they have access to MCP tools.
+You do NOT need to manually instruct subagents about context-mode.
+
+### Output constraints
+
+- Keep responses under 500 words.
+- Write artifacts (code, configs, PRDs) to FILES — never return them as inline text. Return only: file path + 1-line description.
+- When indexing content, use descriptive source labels so others can `ctx_search(source: "label")` later.
+
+### ctx commands
+
+| Command | Action |
+|---------|--------|
+| `ctx stats` | Call the `ctx_stats` MCP tool and display the full output verbatim |
+| `ctx doctor` | Call the `ctx_doctor` MCP tool, run the returned shell command, display as checklist |
+| `ctx upgrade` | Call the `ctx_upgrade` MCP tool, run the returned shell command, display as checklist |

Makefile

@@ -1,7 +1,7 @@
 # Makefile for GitHub Actions repository
 # Provides organized task management with parallel execution capabilities
 
-.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs
+.PHONY: help all docs update-catalog lint format check clean install-tools test test-unit test-integration test-coverage generate-tests generate-tests-dry test-generate-tests docker-build docker-push docker-test docker-login docker-all release release-dry release-prep release-tag release-undo update-version-refs bump-major-version check-version-refs lint-actions
 .DEFAULT_GOAL := help
 
 # Colors for output
@@ -98,7 +98,7 @@ update-validators-dry: ## Preview validation rules changes (dry run)
 format: format-markdown format-yaml-json format-python ## Format all files
 	@echo "$(GREEN)✅ All files formatted$(RESET)"
 
-lint: lint-markdown lint-yaml lint-shell lint-python ## Run all linters
+lint: lint-markdown lint-yaml lint-shell lint-python lint-actions ## Run all linters
 	@echo "$(GREEN)✅ All linting completed$(RESET)"
 
 check: check-tools check-syntax check-local-refs ## Quick syntax and tool availability checks
@@ -322,6 +322,19 @@ lint-python: ## Lint Python files with ruff and pyright
 		echo "$(GREEN)✅ Python linting and type checking passed$(RESET)"; \
 	fi
 
+lint-actions: ## Validate GitHub Actions workflows and action.yml files
+	@echo "$(BLUE)🔍 Validating GitHub Actions...$(RESET)"
+	@if command -v pre-commit >/dev/null 2>&1; then \
+		if PRE_COMMIT_USE_UV=1 pre-commit run action-validator --all-files; then \
+			echo "$(GREEN)✅ Actions validation passed$(RESET)"; \
+		else \
+			echo "$(RED)❌ Actions validation failed$(RESET)" | tee -a $(LOG_FILE); \
+			exit 1; \
+		fi; \
+	else \
+		echo "$(YELLOW)⚠️ pre-commit not found, skipping action-validator$(RESET)"; \
+	fi
+
 # Check targets
 check-tools: ## Check if required tools are available
 	@echo "$(BLUE)🔧 Checking required tools...$(RESET)"

docker-build/action.yml

@@ -563,7 +563,7 @@ runs:
 
     - name: Install Cosign
       if: inputs.sign-image == 'true' && inputs.push == 'true' && inputs.dry-run != 'true'
-      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+      uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
 
     - name: Sign Image
       id: sign