Adds defence-in-depth against npm-worm attacks (Shai-Hulud / mini-Shai-Hulud).
- run.sh: gates dev launch on `npm audit signatures` whenever package-lock.json
is newer than .lumotia-last-audit. Fails loud on signature mismatch. Skip
with LUMOTIA_SKIP_AUDIT=1 for offline dev.
- README: documents `npm ci --ignore-scripts` as the install discipline
(blocks the postinstall vector worms exploit) and explains the audit hook.
- .gitignore: excludes the per-clone audit stamp.
Lumotia's current tree (192 packages) cross-references clean against the
mini-Shai-Hulud affected-package list — this is preventive, not remedial.
Extends hardware::CpuInfo with a CpuFeatures struct populated via
std::is_x86_feature_detected! on x86_64 and an architectural
assumption for aarch64 (NEON). Adds has_ggml_baseline() so callers
can cheaply ask 'will whisper.cpp / llama.cpp ship a fast path on
this CPU?' without knowing the arch-specific rule.
The point of #7 is giving the runtime a way to surface a clear
"non-AVX2 fallback" warning before the user hits a wall of silent
slowness. The banner itself ships in the next commit as part of
get_runtime_capabilities (item #1). Tests cover the baseline helper
on both x86 and non-x86 targets.
Co-authored-by: jars <jakejars@users.noreply.github.com>
HANDOVER.md was a working-notes file from the 2026/04/04 session that
was never committed. It described live transcription as broken — which
was fixed in the 2026/04/17 sprint. Leaving it untracked was a trap
for anyone cloning the repo. Deleted.
.firecrawl/ added to .gitignore (web-scraping cache, no repo value).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>