fix(security): refresh frontend deps and stabilize hook guards #4

Open
Aarogaming wants to merge 9 commits into main from feat/security-refresh-frontend-hooks

Conversation

@Aarogaming (Owner)

Summary

  • refresh frontend dependency graph to address vulnerability findings
  • fix pre-commit secret-hygiene hook argument handling to avoid false failures
  • normalize operation-envelope fixture used by targeted contract test gate

Copilot AI review requested due to automatic review settings April 11, 2026 07:04
@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Copilot AI left a comment

Pull request overview

This PR updates the frontend dependency set to address security findings, tweaks the pre-commit secret-hygiene hook configuration to avoid argument/filename-related failures, and adjusts a contract-test fixture format.

Changes:

  • Refresh frontend dependencies (axios, Vite, Vite React plugin) and add an npm override for lodash.
  • Configure the secret-hygiene pre-commit hook to not receive filenames from pre-commit.
  • Update the merlin.abtest.retrieval_profile.create request contract fixture to an AAS.OperationEnvelope shape and bump the budget stats artifact date.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

Reviewed files:

  • tests/fixtures/contracts/merlin.abtest.retrieval_profile.create.request.json: changes the contract request fixture format (now wrapped in an operation envelope).
  • frontend/package.json: bumps key frontend deps and adds an overrides entry for lodash.
  • frontend/package-lock.json: lockfile update reflecting the dependency bumps (including Vite 8 graph changes).
  • artifacts/budget_stats.json: updates the artifact date stamp.
  • .pre-commit-config.yaml: sets pass_filenames: false for the secret hygiene hook.

Files not reviewed (1)
  • frontend/package-lock.json: Language not supported


Comment on lines +2 to +30
"schema_name": "AAS.OperationEnvelope",
"schema_version": "1.0.0",
"message_id": "7998d843-b63f-4b53-aa7f-bf4ca5f7a8f4",
"correlation_id": "8c2f9477-f12f-4306-8cff-0f6db6a84fcb",
"trace_id": "7901f33c-e61f-43a8-a67c-d93f63f149eb",
"timestamp_utc": "2026-02-13T02:30:00Z",
"source": {
"repo": "AaroneousAutomationSuite/Hub",
"component": "hub_orchestrator"
},
"target": {
"repo": "AaroneousAutomationSuite/Merlin",
"component": "merlin_api_server"
},
"operation": {
"name": "merlin.abtest.retrieval_profile.create",
"version": "1.0.0",
"timeout_ms": 30000,
"idempotency_key": "abtest-retrieval-profile-create-2026-02-13-0001",
"expects_ack": true,
"retry": {
"max_attempts": 1
}
},
"payload": {
"profile_a": "hybrid",
"profile_b": "vector",
"test_name": "retrieval_profile_abtest"
}
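Review bot: this one fixture file now has two consumers that want different shapes, and the hunk picks one of them for both. The PR summary describes it as the operation-envelope fixture for the contract test gate, while the API test posts the same file as the raw request body, whose fields (`profile_a`, `profile_b`, `test_name`) have moved under `payload`. Keep a plain-body fixture for the endpoint test and add a separate envelope fixture (for example `merlin.abtest.retrieval_profile.create.envelope.json`, name assumed) for the contract gate, so a check that validates `schema_name` and `operation.name` and a test that validates the request model stop competing for the same file.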
Copilot AI Apr 11, 2026

This fixture is loaded by tests/test_merlin_api_server.py and sent directly as the request body to POST /abtest/retrieval-profile/create, but that endpoint expects profile_a, profile_b, and test_name at the top level (Pydantic RetrievalProfileABTestRequest). Wrapping the payload in an AAS.OperationEnvelope will cause request validation to fail (422). Either revert this fixture to the plain request shape for that endpoint, or update the endpoint/test to accept/unwrap the operation envelope and route based on operation.name.

Suggested change
"schema_name": "AAS.OperationEnvelope",
"schema_version": "1.0.0",
"message_id": "7998d843-b63f-4b53-aa7f-bf4ca5f7a8f4",
"correlation_id": "8c2f9477-f12f-4306-8cff-0f6db6a84fcb",
"trace_id": "7901f33c-e61f-43a8-a67c-d93f63f149eb",
"timestamp_utc": "2026-02-13T02:30:00Z",
"source": {
"repo": "AaroneousAutomationSuite/Hub",
"component": "hub_orchestrator"
},
"target": {
"repo": "AaroneousAutomationSuite/Merlin",
"component": "merlin_api_server"
},
"operation": {
"name": "merlin.abtest.retrieval_profile.create",
"version": "1.0.0",
"timeout_ms": 30000,
"idempotency_key": "abtest-retrieval-profile-create-2026-02-13-0001",
"expects_ack": true,
"retry": {
"max_attempts": 1
}
},
"payload": {
"profile_a": "hybrid",
"profile_b": "vector",
"test_name": "retrieval_profile_abtest"
}
"profile_a": "hybrid",
"profile_b": "vector",
"test_name": "retrieval_profile_abtest"

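Copilot's comment above turns on the difference between the endpoint's plain request shape and the `AAS.OperationEnvelope` shape: posting the envelope as-is fails validation, and the fix is either a plain fixture or an unwrap step keyed on `operation.name`. The block below is an added example, not code from this PR or from the Hub/Merlin projects. It uses only the standard library to stand in for the Pydantic model: `parse_request` validates the plain body, `unwrap_envelope` checks `schema_name` and `operation.name` before releasing `payload`, and `validation_status` reports the HTTP status the endpoint would produce (200 or 422) for either shape. The fixture JSON is the one from the hunk; the function names and the `RequestValidationError` class are assumptions.

```python
import json
from dataclasses import dataclass

# The envelope fixture exactly as it appears in the PR hunk, embedded so the example runs offline.
ENVELOPE_FIXTURE = json.loads("""{
  "schema_name": "AAS.OperationEnvelope",
  "schema_version": "1.0.0",
  "message_id": "7998d843-b63f-4b53-aa7f-bf4ca5f7a8f4",
  "correlation_id": "8c2f9477-f12f-4306-8cff-0f6db6a84fcb",
  "trace_id": "7901f33c-e61f-43a8-a67c-d93f63f149eb",
  "timestamp_utc": "2026-02-13T02:30:00Z",
  "source": {"repo": "AaroneousAutomationSuite/Hub", "component": "hub_orchestrator"},
  "target": {"repo": "AaroneousAutomationSuite/Merlin", "component": "merlin_api_server"},
  "operation": {
    "name": "merlin.abtest.retrieval_profile.create",
    "version": "1.0.0",
    "timeout_ms": 30000,
    "idempotency_key": "abtest-retrieval-profile-create-2026-02-13-0001",
    "expects_ack": true,
    "retry": {"max_attempts": 1}
  },
  "payload": {"profile_a": "hybrid", "profile_b": "vector", "test_name": "retrieval_profile_abtest"}
}""")

REQUIRED_FIELDS = ("profile_a", "profile_b", "test_name")
EXPECTED_OPERATION = "merlin.abtest.retrieval_profile.create"  # the endpoint this handler serves


class RequestValidationError(ValueError):
    """Assumed stand-in for the framework's 422 response on a bad request body."""

    def __init__(self, detail: str):
        super().__init__(detail)
        self.status_code = 422


@dataclass(frozen=True)
class RetrievalProfileABTestRequest:
    """Assumed plain request model: the three fields at the top level, all non-empty strings."""
    profile_a: str
    profile_b: str
    test_name: str


def parse_request(body: dict) -> RetrievalProfileABTestRequest:
    """Validate a plain request body the way the top-level model would (fails on the envelope)."""
    if not isinstance(body, dict):
        raise RequestValidationError("request body must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        raise RequestValidationError("missing field(s): " + ", ".join(missing))
    for f in REQUIRED_FIELDS:
        if not isinstance(body[f], str) or not body[f]:
            raise RequestValidationError(f"{f} must be a non-empty string")
    return RetrievalProfileABTestRequest(**{f: body[f] for f in REQUIRED_FIELDS})


def unwrap_envelope(body: dict, expected_operation: str = EXPECTED_OPERATION) -> dict:
    """Check the envelope's routing fields, then return its payload for the endpoint's parser."""
    if not isinstance(body, dict) or body.get("schema_name") != "AAS.OperationEnvelope":
        raise RequestValidationError("not an AAS.OperationEnvelope")
    operation = body.get("operation")
    if not isinstance(operation, dict):
        raise RequestValidationError("operation must be an object")
    # Route on operation.name: an envelope addressed to a different operation is rejected, not guessed at.
    if operation.get("name") != expected_operation:
        raise RequestValidationError(f"operation {operation.get('name')!r} is not {expected_operation!r}")
    payload = body.get("payload")
    if not isinstance(payload, dict):
        raise RequestValidationError("payload must be an object")
    return payload


def parse_request_or_envelope(body: dict) -> RetrievalProfileABTestRequest:
    """Accept either shape: unwrap when the body is an envelope, otherwise validate it as-is."""
    if isinstance(body, dict) and "schema_name" in body:
        return parse_request(unwrap_envelope(body))
    return parse_request(body)


def validation_status(body: dict, accept_envelope: bool = False) -> int:
    """HTTP status the endpoint would return for this body: 200 on success, 422 on validation failure."""
    try:
        (parse_request_or_envelope if accept_envelope else parse_request)(body)
    except RequestValidationError as exc:
        return exc.status_code
    return 200


if __name__ == "__main__":
    print("envelope posted to plain endpoint:", validation_status(ENVELOPE_FIXTURE))
    print("envelope with unwrap step:       ", validation_status(ENVELOPE_FIXTURE, accept_envelope=True))
    print("plain payload only:              ", validation_status(ENVELOPE_FIXTURE["payload"]))
```

Running it shows the two outcomes Copilot describes: the envelope posted unchanged is a 422, while either the bare `payload` or the envelope passed through the unwrap step is a 200. The unwrap step deliberately rejects an envelope whose `operation.name` differs from the endpoint's own, which is the routing guard a real unwrapping handler would need.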
"typescript": "^5.9.3",
"vite": "^7.3.1"
"vite": "^8.0.5"
},
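Review bot: `^7.3.1` to `^8.0.5` is a major-version jump, and nothing on this page ties it to a specific finding: the PR summary says only "vulnerability findings", and the one file that records which Vite version actually resolved (`frontend/package-lock.json`) was skipped by the automated review. Add the advisory identifiers being closed to the description and include the `npm audit` result for the locked graph, so a reviewer can confirm the fix landed in the resolved version and not merely somewhere inside the caret range.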
Copilot AI Apr 11, 2026

vite was bumped to v8, and the resolved dependency graph now includes Node engine constraints (e.g., ^20.19.0 || >=22.12.0 in the lockfile). Since package.json doesn’t declare an engines.node requirement, developers/CI running an older Node 20 minor can hit install/build failures. Consider adding an explicit engines entry (and/or pinning the CI node version) to match Vite’s required Node range.

Suggested change
},
},
"engines": {
"node": "^20.19.0 || >=22.12.0"
},
