chore: align with Raintree standard #25

Draft
admin-raintree wants to merge 6 commits into main from chore/raintree-standard

admin-raintree commented Jun 12, 2026

Contributor

Classification

  • Repo: raintree-technology/agent-starter
  • Classification: hybrid JavaScript/TypeScript library + app
  • Lifecycle: live
  • Root package: published Node.js ESM CLI/library (create-agent-starter) using npm + package-lock.json
  • Site package: Next.js 16 App Router marketing site using Bun + bun.lock
  • Stack: Node.js, commander, node:test, ESLint, Biome, Next.js 16, React 19, TypeScript, Tailwind CSS
  • Existing CI before this PR: bespoke GitHub Actions workflow with root npm checks, site Bun checks, gitleaks, and CodeQL
  • Baseline status before changes: frozen installs, root lint/test/audit/pack, and site audit/lint/typecheck/build all passed

Changes

  • Wired central Raintree reusable CI for root npm and site/ Bun checks at a99e879574108241a5fc7e96479512b135248d2a, passing the same SHA as standard-ref.
  • Added scheduled/config-triggered drift check caller at the same pinned standard SHA, also passed as standard-ref.
  • Added renovate.json extending the org base config.
  • Added exact-save config via root and site .npmrc.
  • Added .nvmrc with Node 22 while preserving the root package's existing >=18.0.0 published runtime contract.
  • Exact-pinned ranged site dependencies and updated site/bun.lock.
  • Added @biomejs/biome@2.4.16, Biome configs, check scripts, and formatted the configured JS/TS surface.
  • Added the canonical Biome base at the repo root and a package-local TypeScript base for the Next site.
  • Updated README docs with live status badge, CI badge, stack, setup, scripts, env/deploy notes, license notes, and Raintree Technology branding.
  • Corrected the site README repository URL from the old claude-starter repo to agent-starter.

Commands And Results

Baseline, before changes:

  • npm ci - pass, 0 vulnerabilities
  • bun install --frozen-lockfile in site/ - pass
  • npm run lint - pass
  • npm test - pass, 50 tests
  • npm audit --audit-level=moderate - pass, 0 vulnerabilities
  • npm pack --dry-run - pass, 223 package files
  • bun audit in site/ - pass, no vulnerabilities
  • bun run lint in site/ - pass
  • bun run typecheck in site/ - pass
  • bun run build in site/ - pass, Next generated 10 routes

Post-change:

  • npm ci - pass, 0 vulnerabilities
  • bun install --frozen-lockfile in site/ - pass, no lockfile changes
  • npm run check - pass, Biome checked 45 files
  • npm run lint - pass
  • npm test - pass, 50 tests
  • npm audit --audit-level=moderate - pass, 0 vulnerabilities
  • npm pack --dry-run - pass, 223 package files
  • bun run check in site/ - pass, Biome checked 21 files
  • bun run lint in site/ - pass
  • bun run typecheck in site/ - pass
  • bun run build in site/ - pass, Next generated 10 routes
  • bun audit in site/ - pass, no vulnerabilities
  • node /tmp/raintree-standardization/.github/scripts/check-pinned-deps.mjs at repo root - pass
  • node /tmp/raintree-standardization/.github/scripts/check-pinned-deps.mjs in site/ - pass
  • STANDARD_DIR=/tmp/raintree-standardization/.github bash /tmp/raintree-standardization/.github/scripts/drift-check.sh - pass, no drift detected
  • Real Codex install smoke: node bin/cli.js init /tmp/raintree-standardization/agent-starter-cli-verify/codex --yes --agent codex --profile minimal - pass, wrote AGENTS.md and .codex/skills/toon-formatter/SKILL.md
  • Real Cursor install smoke: node bin/cli.js init /tmp/raintree-standardization/agent-starter-cli-verify/cursor --yes --agent cursor --profile minimal - pass, wrote .cursor/rules/agent-starter.mdc and .cursor/rules/toon-formatter.mdc

Compliance Matrix

| Item | Status | Notes |
|---|---|---|
| Worktree isolation | PASS | Work was done only in /tmp/raintree-standardization/agent-starter. |
| Branch | PASS | Created chore/raintree-standard from origin/main; no existing remote branch was overwritten. |
| Package managers | PASS | Preserved root npm and site Bun. |
| Exact dependency pins | PASS | Root and site dependency specs are exact-pinned; peer deps not present. |
| Frozen installs | PASS | npm ci and bun install --frozen-lockfile pass. |
| Node pins | WARN | .nvmrc/CI use Node 22; root package engine remains >=18.0.0 to avoid changing its published runtime contract. |
| Biome | PASS | Added Biome configs/scripts and validated root + site checks. |
| TypeScript base | PASS | Vendored site-local base because Next/Turbopack did not accept ../tsconfig.base.json. |
| Central CI | PASS | Root npm and site Bun jobs call the central workflow by full SHA. |
| Drift check | PASS | Scheduled/config-triggered drift check calls the central workflow by full SHA. |
| Dependency Review / GHAS | PASS | No GitHub Dependency Review workflow added; repo visibility is public. |
| Renovate | PASS | Added org-base renovate.json. |
| README | PASS | Root and site READMEs now document status, stack, setup, scripts, env/deploy, license/branding notes. |
| Env examples | PASS | Existing site/.env.example retained; no secrets added. |

NEEDS-HUMAN

None.

REVIEW-CLOSELY

  • The reusable CI replaces the previous bespoke CodeQL/audit/pack jobs. Equivalent local gates were run here, while central CI now owns the standardized install, pin, Biome, typecheck/test/build, gitleaks, and optional Socket path.
  • Biome formatting intentionally touches a broad JS/TS surface.
  • site/biome.jsonc has a targeted override for JSON-LD dangerouslySetInnerHTML in site/app/page.tsx; the payload is local metadata serialized with < escaping.
  • Root package engines.node remains >=18.0.0; raising it would be a package compatibility decision.
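
The two pinning checks reported in the compliance matrix above (exact dependency specs, central workflows called by full SHA), as an added example; it is not part of the PR and is not the project's check-pinned-deps.mjs or drift check. The function names, the example-org workflow path and the sample data are assumptions constructed for the illustration.

```javascript
// Added example: a hypothetical pin checker, not the project's check-pinned-deps.mjs.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const FULL_SHA = /^[0-9a-f]{40}$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// One finding per spec that is not an exact semver version (ranges, dist-tags, git/file specs).
function findUnpinnedDeps(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      // npm aliases look like "npm:@scope/real@1.2.3"; test the part after the last "@".
      const version = spec.startsWith("npm:") ? spec.slice(spec.lastIndexOf("@") + 1) : spec;
      if (!EXACT.test(version)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// One finding per `uses:` line whose ref is not a 40-hex commit SHA; local "./" refs are skipped.
function findUnpinnedActions(yamlText) {
  const findings = [];
  yamlText.split("\n").forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)/);
    if (!m || m[1].startsWith("./")) return;
    const at = m[1].lastIndexOf("@");
    const ref = at === -1 ? "" : m[1].slice(at + 1);
    if (!FULL_SHA.test(ref)) findings.push({ line: i + 1, uses: m[1] });
  });
  return findings;
}

// Constructed sample input (names, versions and the SHA are illustrative).
const samplePkg = {
  dependencies: { commander: "12.1.0", "left-pad": "^1.3.0" },
  devDependencies: { typescript: "latest", alias: "npm:@scope/real@~2.0.0" },
};
const sampleWorkflow = [
  "jobs:",
  "  root:",
  "    uses: example-org/standard/.github/workflows/ci.yml@0123456789abcdef0123456789abcdef01234567",
  "  site:",
  "    uses: example-org/standard/.github/workflows/ci.yml@main",
  "  lint:",
  "    steps:",
  "      - uses: actions/checkout@v4 # tag, can be moved",
  "      - uses: ./.github/actions/local",
].join("\n");

console.log(findUnpinnedDeps(samplePkg), findUnpinnedActions(sampleWorkflow));
```

A branch or tag ref such as `@main` or `@v4` can be repointed after review, which is why only the 40-hex form passes.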

socket-security Bot commented Jun 12, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | @biomejs/biome@2.4.16 | 100 | 100 | 100 | 97 | 100 |
