Release history

New

• ·The tdd skill mechanically verifies the RED phase: it confirms a new test actually fails before you write the implementation, catching tests that pass by accident before they mask missing behavior.
• ·Code Review Audit now flags known-vulnerable dependencies: a pnpm audit pass surfaces high and critical CVEs during pre-merge review as an advisory, so you see them without blocking the merge.
• ·The wiki commands (/gaia-wiki sync, consolidate, lint) ship with native checks instead of depending on the external claude-obsidian plugin.

Improved

• ·The /gaia <subcommand> router is replaced by discrete /gaia-* commands, so every workflow appears in slash-command autocomplete: /gaia-plan, /gaia-spec, /gaia-audit, /gaia-fitness, /gaia-forensics, /gaia-wiki, /gaia-handoff, and /gaia-pickup. The old space-form /gaia <sub> is removed; sub-arguments are unchanged (for example /gaia-wiki sync). If you call the old form in scripts or notes, switch to the matching /gaia-<sub> command.
• ·The Code Review Audit merge gate skips pull requests that change only docs, wiki, or metadata, so a docs-only change merges without waiting on an audit marker.

Fixed

• ·/update-gaia merges your package.json field by field instead of as one opaque block: it never touches your name, version, description, or author, applies only the real dependency and script changes from the release, and never re-adds a dependency you removed. A version-only release now skips package.json entirely instead of raising a full-file conflict every time.

Fixed

• ·/update-gaia no longer re-adds files you intentionally deleted.
• ·/update-gaia only raises conflicts for files that actually changed in the release, instead of flooding you with spurious patches.
• ·Wiki entries take their dates from your system clock instead of the model, so timestamps are always correct.

New

• ·Dependency supply-chain hardening: new package versions are quarantined for 7 days before GAIA installs them, and downgrades are blocked, defending against a compromised fresh release.
• ·GAIA apps now ship with a Content-Security-Policy that restricts which scripts can run, hardening them against script injection.

Improved

• ·Code Review Audit on CI is now opt-in and installs on demand. When it runs, it only audits changes since the last green run instead of the whole codebase, so CI is faster and cheaper.
• ·React Router v8 future flags are enabled so your app is ready for the v8 upgrade early. One flag (v8_passThroughRequests) changes how loaders and actions receive the request: if you have customized app/root.tsx, a small migration is needed. See the full changelog for exact steps.
• ·Kickoff prompts print to the terminal instead of silently copying to your clipboard.

Fixed

• ·Form/Chain merges class names with twMerge, so your utility classes override the component's defaults instead of conflicting with them.

New

• ·/setup-gaia-ci now detects when your committed GAIA CI workflow files have drifted from what GAIA would generate today. On a re-run it compares each tool's workflow YAML against a fresh render and reports what is out of sync, then offers to re-render, skip, or fully reconfigure instead of silently doing nothing. A new drift-fix path opens a branch and PR that regenerates only the workflow YAML, leaving your tool selection and bot token untouched.

Fixed

• ·/update-gaia now finishes a full run and opens a pull request at the end, instead of leaving the update stranded on a branch.
• ·/update-gaia records the new version correctly when it busts its cache.

New

• ·GAIA apps now ship with a per-request nonce Content-Security-Policy, so only scripts carrying the request nonce can run and inline injection is blocked.
• ·axe-core accessibility testing is wired into both Vitest and Playwright, so you can catch a11y violations in unit tests and end-to-end flows.
• ·/gaia plan and /gaia spec can run concurrently in separate sessions without clashing. Atomic writes keep racing sessions from corrupting committed state.

Improved

• ·GAIA apps detect client hints with a pre-paint inline script instead of a reload, removing the flash and extra page load on first visit.
• ·The /setup-gaia command is renamed to /setup-cloned-gaia-project.

Fixed

• ·The Checkboxes, FieldDescription, and TextArea components ship accessibility fixes, including a dropped nested live region that screen readers announced incorrectly.
• ·Form components handle edge cases correctly across the board.
• ·GAIA apps reject non-local redirect targets and close an XSS vector, so a crafted redirect or payload cannot send users off-site or run injected markup.

Fixed

• ·Running two planning or orchestration sessions at once no longer corrupts shared state: a running sentinel detects a concurrent orchestrator, and plan creation uses an atomic directory claim to avoid a race.
• ·Husky git hooks now run on Linux and WSL.

New

• ·/gaia fitness, a command that audits your project's Claude integration, auto-heals the problems it finds, and reports a health grade so you can tell at a glance whether your setup is in good shape.

New

• ·Accessibility testing is built in: axe-core runs in both Vitest and Playwright, so your components and user flows are checked for a11y violations as part of the normal test suite.
• ·Dead-code detection via knip. Run pnpm knip after refactors or before release-candidate PRs to find unused files, exports, and dependencies. The config is template-aware, so intentional exports in your library surface are not flagged.
• ·Serena MCP gives Claude LSP-backed code intelligence for fast, accurate TypeScript and TSX symbol lookups instead of text search. Registered by /gaia-init; requires uv.
• ·/gaia forensics turns a workflow misfire into a redacted, filing-ready bug report in one pass.

Improved

• ·**BREAKING:** the /wiki-sync, /wiki-consolidate, and /wiki-lint slash commands are removed. Use /gaia wiki sync, /gaia wiki consolidate, /gaia wiki lint, or /gaia wiki for the full chain. This resolves a name collision with the claude-obsidian plugin. See the full changelog for details.
• ·/gaia audit no longer covers intra-wiki duplication or broken-wikilink checks, which overlapped with the wiki commands. Run /gaia wiki separately for wiki-internal audits.

Improved

• ·/gaia-init now asks for your primary language and any additional locales when it scaffolds a project, with an opt-out path that strips i18n entirely.

Fixed

• ·The /update-deps and /update-gaia prompts move to the statusline, so they stay visible instead of firing once where you might miss them.

Fixed

• ·A fresh pnpm install of a GAIA app no longer prints the pnpm build-script approval warning: the build scripts for core-js-pure, esbuild, msw, and unrs-resolver are pre-approved.

Fixed

• ·Running /init in a GAIA project now redirects you to /gaia-init reliably, and the "blocked by hook" banner no longer appears.