
add rule 09: frontend dep changes — lockfile-correct workflow#4

Open · akkerkid wants to merge 1 commit into main from add-09-frontend-dep-rule

Conversation

@akkerkid (Owner) commented May 6, 2026

Summary

Adds a new rule 09-frontend-dep-changes.md codifying the lockfile-correct workflow for any change touching frontend/package.json or frontend/package-lock.json. Wires it from the README index and from 11-work-phase.md.

Why

The autobox runs npm 9.2.0. Newer npm majors (10+) enforce stricter listing of transitive deps in package-lock.json than npm 9 does. A lockfile generated by npm install <pkg> under npm 9 can be silently missing entries that npm 10's npm ci then refuses with 16+ Missing: <pkg> from lock file errors.

The bot's autobox npm test and npm run build reuse a pre-populated node_modules and don't re-resolve, so the defect is invisible there. It only surfaces when a reviewer with newer npm tries a fresh npm ci — at which point the PR is blocked and a rebase + force-push is needed.

The trigger

PR akkerkid/meshcore-planner#55 (vite 5.4.21 → 6.4.2). The bot did everything else right — clean rebase onto fresh main, ✅ ship audit verdict, GPG-signed, breaking-change matrix complete, 38/38 tests passing on the autobox. But on npm ci against a fresh node:20-alpine (npm 10.8.2) the install failed:

npm error Missing: side-channel-weakmap@1.0.2 from lock file
npm error Missing: internal-slot@1.1.0 from lock file
... (16 transitive deps missing)

After npm install regenerated the lockfile from scratch, both build and the now-grown 70-test suite pass cleanly. So the version bumps themselves are fine — only the committed lockfile is incomplete.

What the rule says (TL;DR)

For any frontend dep change:

  1. Always full-regenerate: rm -rf node_modules package-lock.json && npm install. Don't trust npm install <pkg> to keep the rest of the lockfile honest.
  2. Verify with npm ci (strict mode) before committing — this is the reproducibility check.
  3. Capture both npm run build and npm test output verbatim in the PR body. Don't reuse stale test counts.
  4. Pre-PR audit subagent gets a Q6 for frontend diffs: confirm lockfile churn traces back to a package.json delta; flag orphan removals/additions.
  5. Commit package.json and package-lock.json together, never one without the other.

Anti-patterns explicitly listed as ❌ block: hand-editing the lockfile, reusing prior audit numbers, claiming "build passes" without npm ci having succeeded first.

Files

  • NEW 09-frontend-dep-changes.md (the rule itself, ~100 lines)
  • README.md (index entry)
  • 11-work-phase.md (TL;DR pointer in the "Three special rules" section)

Slot 09 was open in the existing 00–12 numbering; placed adjacent to 08-rebase-and-retest.md since both are PR-quality rules.

Out of scope

  • Provisioning a newer npm on the autobox. The rule's Step-2 "additionally validate against newer npm" path is conditional on availability; falls back to documented disclosure in the PR body if unavailable. If we want hard provisioning, that's a separate autobox-provision change.
  • Backend/Python equivalent. Pip/poetry don't have the same lockfile-vs-npm-major-skew failure mode; existing 11-work-phase.md Step 1 covers backend test verification.

Verification

  • ✅ Markdown lints / link-checker not run (bot-rules has no CI).
  • ✅ Cross-references intact: README index updated; 11-work-phase.md adds a one-paragraph pointer to 09. No other rules reference the old "frontend tests" gap.
  • ✅ Rule is self-contained — no behavior change for issues/PRs that don't touch frontend/package*.json.

Once merged, takes effect on the bot's next iteration (it pulls bot-rules at the start of every iter).
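The "Missing: <pkg> from lock file" failure described above is npm ci checking that every dependency declared by every entry in the lockfile's packages tree resolves to another entry in that tree (walking up the node_modules nesting the way Node resolution does), and that the root entry matches package.json. The script below is an added example, not part of this PR or of bot-rules, that performs that same consistency check offline so a reviewer or the Q6 audit step can run it on a lockfile without needing a newer npm. It only reads lockfileVersion 2/3 files (the ones with a packages map); the embedded package.json and package-lock.json contents are constructed for illustration and do not reflect the real meshcore-planner tree. optionalDependencies are deliberately skipped because platform-specific packages (fsevents and the like) are legitimately absent from a lockfile generated on another OS.

```python
"""Offline lockfile consistency check mirroring what `npm ci` enforces.

Added example (not bot-rules code). Usage:
    python check_lockfile.py frontend/package.json frontend/package-lock.json
With no arguments it runs against the constructed sample data below.
"""
import json
import sys


def resolve(packages, from_path, name):
    """Find the lockfile entry that `name` resolves to from `from_path`.

    Mirrors Node's lookup: try <from_path>/node_modules/<name>, then walk
    up one node_modules level at a time until the root ("") is reached.
    """
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def find_missing(lock):
    """Return 'name@spec (required by path)' for every unresolvable dependency.

    This is the class of defect npm 10's `npm ci` reports as
    'Missing: name@version from lock file'. optionalDependencies are skipped
    on purpose: they may be absent for a different platform.
    """
    packages = lock.get("packages", {})
    missing = []
    for path, entry in packages.items():
        deps = dict(entry.get("dependencies", {}))
        if path == "":  # only the root entry carries devDependencies
            deps.update(entry.get("devDependencies", {}))
        for name, spec in deps.items():
            if resolve(packages, path, name) is None:
                missing.append(f"{name}@{spec} (required by {path or 'root'})")
    return missing


def find_out_of_sync(package_json, lock):
    """Return mismatches between package.json and the lockfile root entry.

    `npm ci` refuses to run when these disagree, e.g. when package.json was
    bumped but the committed lockfile still records the old range.
    """
    root = lock.get("packages", {}).get("", {})
    problems = []
    for key in ("dependencies", "devDependencies"):
        want = package_json.get(key, {})
        have = root.get(key, {})
        for name, spec in want.items():
            if have.get(name) != spec:
                problems.append(f"{key}.{name}: package.json={spec} lock={have.get(name)}")
        for name in have:
            if name not in want:
                problems.append(f"{key}.{name}: in lock root but not in package.json")
    return problems


def audit(package_json, lock):
    """Combine both checks; an empty dict of lists means `npm ci` would accept it."""
    return {"missing": find_missing(lock), "out_of_sync": find_out_of_sync(package_json, lock)}


# Constructed sample data (not the real meshcore-planner tree). The lockfile
# has a nested rollup (resolved via the walk-up), an optional fsevents (skipped),
# and one genuinely missing transitive dep: postcss -> picocolors.
CONSTRUCTED_PACKAGE_JSON = {
    "name": "frontend",
    "dependencies": {"vite": "^6.4.2"},
    "devDependencies": {"vitest": "^2.0.0"},
}
CONSTRUCTED_LOCK = {
    "name": "frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"vite": "^6.4.2"}, "devDependencies": {"vitest": "^2.0.0"}},
        "node_modules/vite": {
            "version": "6.4.2",
            "dependencies": {"esbuild": "^0.24.0", "rollup": "^4.0.0", "postcss": "^8.4.0"},
            "optionalDependencies": {"fsevents": "~2.3.3"},
        },
        "node_modules/vite/node_modules/rollup": {"version": "4.40.0"},
        "node_modules/esbuild": {"version": "0.24.2"},
        "node_modules/postcss": {
            "version": "8.4.49",
            "dependencies": {"nanoid": "^3.3.7", "picocolors": "^1.1.1", "source-map-js": "^1.2.1"},
        },
        "node_modules/nanoid": {"version": "3.3.8"},
        "node_modules/source-map-js": {"version": "1.2.1"},
        "node_modules/vitest": {"version": "2.1.8", "dependencies": {"vite": "^5.0.0 || ^6.0.0"}},
    },
}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            result = audit(json.load(f), json.load(g))
    else:
        result = audit(CONSTRUCTED_PACKAGE_JSON, CONSTRUCTED_LOCK)
    for kind, items in result.items():
        for item in items:
            print(f"{kind}: {item}")
    sys.exit(1 if any(result.values()) else 0)
```

Run it in the rule's Step 2 before `npm ci` as a cheap pre-check, or from the Q6 audit to flag lockfile churn that does not trace back to a package.json delta; a non-zero exit means the committed lockfile would be rejected by a strict npm regardless of what the autobox's pre-populated node_modules reported.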

… verify

Codifies the workflow that prevents the PR-#55 (vite 5→6) class of failure:
the autobox runs npm 9.2.0; npm install <pkg> there can produce a lockfile
that's silently incomplete under stricter npm 10+ — npm test and npm run build
on the autobox don't catch it because they reuse the pre-populated
node_modules. Reviewer hits 16+ "Missing: <pkg> from lock file" errors when
they try a fresh npm ci.

Rule:
- Always rm -rf node_modules + package-lock.json + npm install (don't trust
  surgical npm install <pkg>)
- Verify with npm ci (strict) before committing
- Capture both build and test output verbatim in PR body
- Audit subagent gets a Q6 to flag orphan lockfile churn

Caught the day after PR-#55 was rebased + audited ✅ ship; surfaced when
reviewer ran an ephemeral node:20-alpine build/test as belt-and-suspenders
verification before merging.