
feat(check): buildNotFoundOutput adoption + bare-name reclass (0.19.1) — CA-034 round 2 #123

Open
thebenignhacker wants to merge 1 commit into main from feat/check-core-notfound-unify

Conversation

@thebenignhacker
Contributor

Summary

Closes the data-layer half of F2 (not-found shape) and F3 (git-style miss) parity
fixtures in opena2a-parity.

  • Three check --json not-found emit sites now go through buildNotFoundOutput
    from @opena2a/check-core — npm git-style translated error, PyPI 404, GitHub 404.
  • Bare names on npm 404 no longer fall through to the skill-identifier resolver.
    hackmyagent check totally-nonexistent-pkg-xyz789 previously emitted
    Invalid skill identifier on stderr with no JSON; it now emits the canonical
    NotFoundOutput shape and exits 1. Scoped names (@scope/name) still attempt skill
    fallback on npm 404.
  • New __tests__/checker/check-not-found-json.test.ts regression test (CI-skipped —
    needs network + built dist/cli.js; local dev exercises the real shape).

Parent brief

briefs/check-core-adoption-round2-not-found.md (PR A).

Test plan

  • Build: npm run build — clean
  • Unit: npx vitest run __tests__/checker/ — 66/66 pass (1 new)
  • Full: npx vitest run — 1712 pass / 16 skipped / 10 todo
  • Smoke (bare): node dist/cli.js check totally-nonexistent-pkg-xyz789 --json --ci → {name, found:false, error, ecosystem:"npm"}
  • Smoke (git-style): node dist/cli.js check anthropic/code-review --json --ci → {name, found:false, error, errorHint, ecosystem:"github"}
  • Smoke (pypi): node dist/cli.js check pip:totally-nonexistent-xyz789 --json --ci → {name, found:false, error, ecosystem:"pypi"}
  • Smoke (scoped skill fallback preserved): node dist/cli.js check @totally-nonexistent/pkg-xyz789 --json --ci --offline → still routes to skill resolver
  • Self-scan: hackmyagent secure . → 98/100 (pre-existing LOW on CLAUDE.md size, unchanged from main)
  • Lockfile sweep per feedback_sibling_symlink_lockfile_breaks_ci — all @opena2a/* entries resolved to registry.npmjs.org tarballs, no "link": true.

Publish timing

v0.19.1 tag created locally only. Publish budget today (2026-04-22) is 3/3 —
tag push + TP workflow run scheduled for tomorrow.

Follow-ups

  • ai-trust 0.5.1 (companion PR — same brief, PR B).
  • opena2a-parity F2/F3/F4 fixtures (PR C, blocked on A+B publish).

…e-name reclass (CA-034 round 2)

Three `check --json` not-found emit sites now go through
`buildNotFoundOutput` from `@opena2a/check-core`:

- npm git-style translated error (src/cli.ts ~9131)
- PyPI 404 (src/cli.ts ~8609)
- GitHub 404 / code-128 (src/cli.ts ~8526)

Bare names on npm 404 no longer fall through to the skill-identifier
resolver. Previously `hackmyagent check totally-nonexistent-pkg-xyz789`
emitted `Invalid skill identifier` on stderr with no JSON; it now emits
the canonical NotFoundOutput shape and exits 1. Scoped names
(`@scope/name`) still attempt skill fallback on npm 404.

Closes the data-layer half of F2 (not-found shape) and F3 (git-style
miss) parity fixtures. F4 (skill fallback) path is unchanged.

Release 0.19.1.
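As an added illustration of the not-found classification the PR description and commit message lay out (not code from hackmyagent or @opena2a/check-core): a stand-in `buildNotFoundOutput` with an assumed signature, the bare-vs-scoped rule for npm 404s, and the three emit sites producing one NotFoundOutput shape. The `pip:` and `owner/repo` spec forms are taken from the PR's smoke tests; the error and errorHint strings are constructed placeholders.

```typescript
// Added example, not the project's own code. buildNotFoundOutput's
// signature here is assumed, not the real @opena2a/check-core export.
type Ecosystem = "npm" | "pypi" | "github";

interface NotFoundOutput {
  name: string;
  found: false;
  error: string;
  errorHint?: string;
  ecosystem: Ecosystem;
}

type MissResult =
  | { kind: "not-found"; exitCode: 1; output: NotFoundOutput }
  | { kind: "skill-fallback"; identifier: string };

// One shared builder so every emit site produces identical keys.
function buildNotFoundOutput(
  name: string, ecosystem: Ecosystem, error: string, errorHint?: string,
): NotFoundOutput {
  const out: NotFoundOutput = { name, found: false, error, ecosystem };
  if (errorHint !== undefined) out.errorHint = errorHint;
  return out;
}

// npm scoped names (@scope/name) keep the skill-identifier fallback on 404.
function isScopedNpmName(name: string): boolean {
  return /^@[^/\s]+\/[^/\s]+$/.test(name);
}

// Route a 404 for a check spec to the right emit site. Spec forms follow the
// PR's smoke tests: "pip:<name>" -> PyPI, "owner/repo" -> GitHub (git-style),
// "@scope/name" -> skill fallback, anything else -> bare npm name.
function classifyMiss(spec: string): MissResult {
  const miss = (o: NotFoundOutput): MissResult => ({ kind: "not-found", exitCode: 1, output: o });
  if (spec.startsWith("pip:")) {
    const name = spec.slice("pip:".length);
    return miss(buildNotFoundOutput(name, "pypi", `Package not found on PyPI: ${name}`));
  }
  if (isScopedNpmName(spec)) return { kind: "skill-fallback", identifier: spec };
  if (/^[^@/\s]+\/[^/\s]+$/.test(spec)) {
    // git-style miss carries an errorHint (placeholder wording, assumed).
    return miss(buildNotFoundOutput(spec, "github", `Repository not found on GitHub: ${spec}`,
      "Spec looks like owner/repo; check the repository name or pass an explicit npm package name."));
  }
  return miss(buildNotFoundOutput(spec, "npm", `Package not found on npm: ${spec}`));
}

// What a --json --ci consumer sees: JSON for a miss, nothing for a fallback.
function renderJson(r: MissResult): string | null {
  return r.kind === "not-found" ? JSON.stringify(r.output) : null;
}
```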

@github-actions github-actions Bot left a comment


Claude Code Review

VERDICT: APPROVE

SUMMARY: This PR adopts buildNotFoundOutput from @opena2a/check-core across three not-found code paths (npm git-style miss, PyPI 404, GitHub 404) and reclassifies bare npm misses to emit the canonical NotFoundOutput shape instead of falling through to the skill resolver. All changes are data-layer transformations that delegate to a shared, already-reviewed primitive. The new test is CI-skipped (network dependency) but provides local regression coverage. No security, correctness, or breaking interface issues introduced.

Verification performed:

  • Checked all buildNotFoundOutput call sites for user-controlled input → all arguments are either constant strings or validated package names from prior classifier stages
  • Verified bare-name reclassifier logic: scoped names still fall through to skill resolver (line 376–378), bare names exit early with NotFoundOutput (lines 365–377)
  • Confirmed writeJsonStdout is a safe wrapper (not shell-interpolated)
  • No command injection vectors: no child_process calls modified, test uses spawnSync with array arguments (not shell-interpolated)
  • No prototype pollution: plain object literals passed to buildNotFoundOutput, no dynamic key assignment from user input
  • Exit code behavior correct: bare-name miss exits 1 (line 387), scoped-name miss preserves existing flow

Reviewed 5 files changed (8811 bytes)

@github-actions

ML-DSA-44 benchmark (ubuntu-latest, c6i.xlarge-class)

env: linux/x64 AMD EPYC 9V74 80-Core Processor (4 CPU) node=v20.20.2 noble=0.2.1
load avg: 0.40, 0.15, 0.05
ml-dsa-44-sign     p50=2.940ms p95=3.357ms p99=4.377ms max=4.752ms
ml-dsa-44-verify   p50=1.813ms p95=2.074ms p99=2.254ms max=3.065ms
budget: sign p99 OVER 2.5ms, verify p99 OVER 1.5ms

Budget (AIComply D17): sign p99 < 2.5ms, verify p99 < 1.5ms.
Runner is shared; a single over-budget run is noisy. Check for consistent regression across PR commits.
