diff --git a/.release-please-manifest.json b/.release-please-manifest.json
index 8dcf3aea..b7bb17cd 100644
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,4 +1,5 @@
 {
   "dist/debian": "0.1.0",
-  "dist/alpine": "0.1.0"
+  "dist/alpine": "0.1.0",
+  ".": "1.0.0"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66c0ad75..2895d6ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,346 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 1.0.0 (2026-03-25)
+
+
+### Features
+
+* add cross-platform wrappers and Makefile target for gen-dependabot ([d00b7d2](https://github.com/snowdreamtech/template/commit/d00b7d2e9b815579a5f6dfa01691b75b6b304982))
+* add missing language runtime checks to check-env.sh ([782ca74](https://github.com/snowdreamtech/template/commit/782ca746e9b52fc65c6cf11d09798a734076f1bb))
+* add modular ABAP toolchain support ([8ebf19a](https://github.com/snowdreamtech/template/commit/8ebf19ab43b2f1f84410443755b7d5fb1f6e110f))
+* add modular AWK toolchain support ([00f1544](https://github.com/snowdreamtech/template/commit/00f1544ad1f6c7f9c25dbc7f5bcb363ce8949847))
+* add modular Cap'n Proto toolchain support ([6f24d7a](https://github.com/snowdreamtech/template/commit/6f24d7ab5248b6c34c7677e6ea3302a8ce3a163c))
+* add modular Capacitor toolchain support ([cbb95fc](https://github.com/snowdreamtech/template/commit/cbb95fc1cd84b1dab40b3edaf05e9b230839f361))
+* add modular ClickHouse toolchain support ([3c68fd8](https://github.com/snowdreamtech/template/commit/3c68fd8df3267b09b8002f3ea466756b5be9115a))
+* add modular Dagger toolchain support ([00d054f](https://github.com/snowdreamtech/template/commit/00d054fae7c6c93a639ad45778e2ff059c006467))
+* add modular Dapr toolchain support ([faac80a](https://github.com/snowdreamtech/template/commit/faac80a2ab9290e94f2153da5aaadf6501f527ee))
+* add modular dbt toolchain support ([aa51be4](https://github.com/snowdreamtech/template/commit/aa51be4dca7cf0d682053853fee2eb201e840a07))
+* add modular Django toolchain support ([2b62b81](https://github.com/snowdreamtech/template/commit/2b62b81ed9eaaa88350fde132e816dfeb6682aa2))
+* add modular FastAPI toolchain support ([ee94b6c](https://github.com/snowdreamtech/template/commit/ee94b6c23548e6c798792d1f0f5fad681660145d))
+* add modular Gnuplot toolchain support ([bea2a90](https://github.com/snowdreamtech/template/commit/bea2a90f51f81017707cbd59b96b6689844ca0e2))
+* add modular Graphviz toolchain support ([381c352](https://github.com/snowdreamtech/template/commit/381c3529763768b0faea74edeecec5b2e08b2ca0))
+* add modular LangChain toolchain support ([676f9fb](https://github.com/snowdreamtech/template/commit/676f9fb9820e408a485b561c44d1e52f1c98d6bd))
+* add modular Laravel toolchain support ([5d7be51](https://github.com/snowdreamtech/template/commit/5d7be51e25d0e5a7b1c6a01169268e3c20fd8013))
+* add modular Lit toolchain support ([8a6487e](https://github.com/snowdreamtech/template/commit/8a6487e28af1c51e4efcf39f7bb8dce2a9bf54e2))
+* add modular MongoDB toolchain support ([721f0e0](https://github.com/snowdreamtech/template/commit/721f0e0d01a73c882b3f860114cc185eb882fdde))
+* add modular NestJS toolchain support ([276e1a6](https://github.com/snowdreamtech/template/commit/276e1a6ae7e07da56b948a1860fda4074af2dda5))
+* add modular Next.js toolchain support ([ad8f87f](https://github.com/snowdreamtech/template/commit/ad8f87f930f79b9b89a1671b57dea43617d2a86d))
+* add modular Nuxt toolchain support ([5f53253](https://github.com/snowdreamtech/template/commit/5f532532d5fc50c4f4e7418b0ab4e1c36935f524))
+* add modular OpenTelemetry toolchain support ([010e242](https://github.com/snowdreamtech/template/commit/010e2422b7ade9744c9958ed69ceffcb91b99732))
+* add modular PlantUML toolchain support ([4af0651](https://github.com/snowdreamtech/template/commit/4af0651a5fb110041f8d3bfc2db20fa07e93f938))
+* add modular PostgreSQL toolchain support ([5d4fe9c](https://github.com/snowdreamtech/template/commit/5d4fe9c7dfe5ae436d5959c248bd2e08ee2d90c9))
+* add modular PRQL toolchain support ([b704017](https://github.com/snowdreamtech/template/commit/b7040170b5a3e1d0149583a0129b6fc670e8810e))
+* add modular PyTorch toolchain support ([3183a37](https://github.com/snowdreamtech/template/commit/3183a37424524cce81f59cfea510d574ff44a937))
+* add modular Redis toolchain support ([cfe0450](https://github.com/snowdreamtech/template/commit/cfe04506ddb8ca467c14b84211a0dfa0a67f529a))
+* add modular Remix toolchain support ([119bad3](https://github.com/snowdreamtech/template/commit/119bad3bd4458b45b54df94b828eda42e6d3443b))
+* add modular Sed toolchain support ([ff0b4ea](https://github.com/snowdreamtech/template/commit/ff0b4ea1e155cc3d50f4fce6cc83dac6dbfcff00))
+* add modular Spring Boot toolchain support ([9262822](https://github.com/snowdreamtech/template/commit/9262822acc758609ec73fc6eb371bb5c5dd814dd))
+* add modular Tailwind CSS toolchain support ([5035046](https://github.com/snowdreamtech/template/commit/5035046d9e138a78ef1ed6d9ceb896ab2de042bb))
+* add modular Temporal toolchain support ([d4b73f9](https://github.com/snowdreamtech/template/commit/d4b73f9e8587f6f0a6cc9a999c47c64216513f8e))
+* add modular Vite toolchain support ([62e282a](https://github.com/snowdreamtech/template/commit/62e282ad052953331baf5b65615ceb335f579fbc))
+* add modular Wasmer toolchain support ([0a25428](https://github.com/snowdreamtech/template/commit/0a25428e6d0bc69579db8a5549732346cd89a61e))
+* add yarn support to the template toolchain ([04e35e3](https://github.com/snowdreamtech/template/commit/04e35e3785b2eb2d236bde93b6ac3b0571457624))
+* align language checks with langs directory ([a9ff388](https://github.com/snowdreamtech/template/commit/a9ff3886595ca32c8319c530a1746a41d7042c9b))
+* attempt quiet execution for mise shims when no version is active to prevent immediate fallback ([ebe9514](https://github.com/snowdreamtech/template/commit/ebe95145d985acd0f4ba4cb31e73a9d1ff4288f8))
+* **audit:** enforce mandatory version verification for Trivy ([e5bed3c](https://github.com/snowdreamtech/template/commit/e5bed3c75a8baf19f895b511dcd41329292ca0c2))
+* **ci:** add automated approval and auto-merge for dependabot prs ([c28e856](https://github.com/snowdreamtech/template/commit/c28e85637c9f0c111e4c62a0a5c44a934338eb3e))
+* **ci:** add automated label branding and sync-labels script ([eb5a1dd](https://github.com/snowdreamtech/template/commit/eb5a1dd9e6f998779e9719c9e3f26950303f1610))
+* **ci:** add cross-platform label branding and Makefile support ([16fd0ef](https://github.com/snowdreamtech/template/commit/16fd0efbc1ee23ae16ee3948e1bff5777bc41a54))
+* **ci:** add docker buildx infrastructure with GHA caching boilerplate ([7eeb95c](https://github.com/snowdreamtech/template/commit/7eeb95ca4ab48a817fb4bd21b2f7bbc0aa786680))
+* **ci:** add harden-runner in audit mode ([7140604](https://github.com/snowdreamtech/template/commit/71406048ce4bad9eb97aa7425eef9e8b3753c773))
+* **ci:** add multi-OS matrix and templates ([8cda803](https://github.com/snowdreamtech/template/commit/8cda80342e4d97dc50b6d9357889c75bdabf710d))
+* **ci:** add nightly security audit with automated issue reporting ([a3c7468](https://github.com/snowdreamtech/template/commit/a3c74685bedb10d0af11c9992b36db17344fe572))
+* **ci:** add smart dependabot config auto-generation ([06e3b8e](https://github.com/snowdreamtech/template/commit/06e3b8eb1b57d7790edb7c885ed427de41dad2b9))
+* **ci:** add universal language caching ([01cbe91](https://github.com/snowdreamtech/template/commit/01cbe9185a2841beea4c2de71a7e79c27ccf958a))
+* **ci:** add visual job summary for dependabot sync ([49b88fd](https://github.com/snowdreamtech/template/commit/49b88fd20bf50f46f5458668aecb4e1325e60987))
+* **ci:** enable universal SBOM coverage ([a585298](https://github.com/snowdreamtech/template/commit/a585298858d0377904ad382d4865a878e975ff91))
+* **ci:** finalize GHA summaries and enhance dependabot limits ([18e33e2](https://github.com/snowdreamtech/template/commit/18e33e2187b2891a494296e09d7bcbdf92a6b2ce))
+* **ci:** implement automated PR labeling and lychee link caching ([7195b07](https://github.com/snowdreamtech/template/commit/7195b07886eaf46339eb7daf7335f2bd6d4ee96f))
+* **ci:** implement comprehensive SBOM coverage for all artifact types ([57e126a](https://github.com/snowdreamtech/template/commit/57e126a4636bdda50b1a69bbd4d9fab2f7337a83))
+* **ci:** implement supply chain security and unified test summaries ([bd289a9](https://github.com/snowdreamtech/template/commit/bd289a90f1c0ab1e6e55566830daaabb26c0e32e))
+* **ci:** implement universal dependency caching ([fc3e763](https://github.com/snowdreamtech/template/commit/fc3e763515add4c3c0bae3fcd4bd6fb6947e6920))
+* **ci:** implement visual GHA Job Summaries for audit and check-env ([4c792af](https://github.com/snowdreamtech/template/commit/4c792affca59cc12bacff15d7924181bb77b8312))
+* **ci:** integrate SARIF security reporting and zizmor hook ([89fc7f8](https://github.com/snowdreamtech/template/commit/89fc7f849a70657c563f13777558a6edab4017a5))
+* **deps:** add full grouping for GitHub Actions updates ([e767328](https://github.com/snowdreamtech/template/commit/e767328262d95aa5187908f95adaf4aaac0f1c1a))
+* **deps:** add icons to Dependabot group names ([3302d8c](https://github.com/snowdreamtech/template/commit/3302d8c3162897687c8a0d5a0dacb67c5d3dc150))
+* **deps:** add private registry support placeholder to dependabot config ([9096926](https://github.com/snowdreamtech/template/commit/9096926de726d54a49129c5ffb60f1b92878fb96))
+* **deps:** add RHEL to Docker base image grouping ([06cf541](https://github.com/snowdreamtech/template/commit/06cf5415091249629a5de84462c76855776cb943))
+* **deps:** add Rocky Linux to Docker base image grouping ([ff64d2b](https://github.com/snowdreamtech/template/commit/ff64d2b4792567aef40019a0dfdca6505768c32c))
+* **deps:** add snowdreamtech suite to Go grouping ([8aa268b](https://github.com/snowdreamtech/template/commit/8aa268b2559c20b733e88e4e8ebcc10a73550c39))
+* **deps:** differentiate commit prefixes by ecosystem ([4e8c8ff](https://github.com/snowdreamtech/template/commit/4e8c8ff1ad29e4a8011858ff3eca8de4050b8975))
+* **deps:** enable auto-rebase strategy and auto-assign reviewers ([119882c](https://github.com/snowdreamtech/template/commit/119882c922e46b010d71abb35bd1c11634c45cd3))
+* **deps:** extend specialized grouping to Infrastructure and Languages ([a77d358](https://github.com/snowdreamtech/template/commit/a77d3588ac09db73c901caaeb31b44a64fe97041))
+* **deps:** implement comprehensive PR grouping in Dependabot ([7fddf7d](https://github.com/snowdreamtech/template/commit/7fddf7da43e67a71b0aa1fd96ab3881af3b36410))
+* **deps:** optimize Dependabot with tiered frequency, PR limits, and semantic labels ([48ec1ae](https://github.com/snowdreamtech/template/commit/48ec1aed663c6bfc02c97e7937ece7b4583acfff))
+* **deps:** set security vulnerability threshold to high ([353f9d9](https://github.com/snowdreamtech/template/commit/353f9d9693b20afae0ca82c2bd3bb908634ea47e))
+* enable google-java-format installation on ARM64 Linux by removing the skip condition ([e85ad8f](https://github.com/snowdreamtech/template/commit/e85ad8f5990ffbafb26ebcba9f5fc02f51e977d2))
+* implement advanced frontend and monorepo sector logic (turborepo, nx, biome, knip, lefthook, trpc, jotai, valtio, recoil, preact) ([7ee120a](https://github.com/snowdreamtech/template/commit/7ee120ac2b53bf721df3a8abcf24373f804d3ad1))
+* implement AI, data science and modern JVM sector logic (llamaindex, weaviate, polars, pandas, quarkus, micronaut) ([db2c3a1](https://github.com/snowdreamtech/template/commit/db2c3a19bcbc0c25de5bc867476921881d11b5cc))
+* implement backend frameworks and ORM sector logic (axum, actix, echo, gorm, adonis, strapi, phoenix, symfony, tortoise) ([c140a28](https://github.com/snowdreamtech/template/commit/c140a289af683f765d6ac1301dedfc657a708c5d))
+* implement cloud native and messaging sector logic (traefik, istio, kong, linkerd, nats, pulsar) ([7f606e7](https://github.com/snowdreamtech/template/commit/7f606e7e1a5cb17ac6f85c9fd3f2a0f10e11af88))
+* implement data, backend and CMS sector logic (noco-db, mongoose, sequelize, kysely, payload-cms, directus, ghost, hardhat, foundry, polars-js) ([913a4b4](https://github.com/snowdreamtech/template/commit/913a4b44a0a9fe3279d89faff364424b50406b2f))
+* implement distributed data and high-perf engine logic (neo4j, scylladb, cockroachdb, tidb, flink, beam, trino, typesense, tarantool, rocksdb) ([46155c2](https://github.com/snowdreamtech/template/commit/46155c24d6d73308b457d474745d80a873f7843f))
+* implement drizzle toolchain logic ([d3a4ad1](https://github.com/snowdreamtech/template/commit/d3a4ad1e37ea69fef013da9b7da4398ba7b0b647))
+* implement enterprise build, monorepo and AI logic (bazel, buck2, pants, langgraph, crewai, ollama, localstack, lerna, single-spa, module-federation) ([9c0bb67](https://github.com/snowdreamtech/template/commit/9c0bb67cbad8dedfe2842e2a2f106b4a11b41767))
+* implement expo toolchain logic ([7ee1f29](https://github.com/snowdreamtech/template/commit/7ee1f29730638a2dac2cd238106791284ae8e7f6))
+* implement express and fastify toolchain logic ([3d4c51c](https://github.com/snowdreamtech/template/commit/3d4c51cc0f740b7503a40be97059fb824185eb96))
+* implement fiber toolchain logic ([541ab57](https://github.com/snowdreamtech/template/commit/541ab57fe7885d5ad4a67e02bb3b73469bd9c8bd))
+* implement flask toolchain logic ([3d9c1af](https://github.com/snowdreamtech/template/commit/3d9c1afc0f52b260e164c15078ac8994b8d6f996))
+* implement frontend and documentation sector logic (astro, sveltekit, solidstart, storybook, docusaurus) ([887c9f5](https://github.com/snowdreamtech/template/commit/887c9f5363db6738283acbb5f1ef10cf96c2d933))
+* implement gin toolchain logic ([22623f5](https://github.com/snowdreamtech/template/commit/22623f5ef87e16abd1b85f0b8343d983cc159bb6))
+* implement hono toolchain logic ([c341126](https://github.com/snowdreamtech/template/commit/c3411262fcdd77267c5582545fab2bd8bfbf47aa))
+* implement infra and search sector logic (ansible, nginx, caddy, elasticsearch, meilisearch) ([660c082](https://github.com/snowdreamtech/template/commit/660c082af8afaa27c99c9a9541034b98e8a193a6))
+* implement ionic toolchain logic ([374e436](https://github.com/snowdreamtech/template/commit/374e43613a6763dc5e6f69b947d878b6ad1efd01))
+* implement languages, testing and devops sector logic (ef-core, grafana, loki, vector, fluentd, pytest, junit, mockito, uvicorn, gunicorn) ([8091960](https://github.com/snowdreamtech/template/commit/809196041aeed44dd65c07704caaa7e12bbdaa15))
+* implement mobile and observability sector logic (kmp, nativescript, kafka, rabbitmq, prometheus) ([44becb3](https://github.com/snowdreamtech/template/commit/44becb3e3eaba867a3b4f86fcfd5f0559e2f653b))
+* implement premium frontend and cloud native logic (cilium, falco, kyverno, opa, react-hook-form, tanstack-table, styled-components, emotion, vanilla-extract, husky) ([d74ebcb](https://github.com/snowdreamtech/template/commit/d74ebcb50167831993f94ba6a5f1c2cc61a4fcd3))
+* implement rails toolchain logic ([76fa9f7](https://github.com/snowdreamtech/template/commit/76fa9f7cdff814d0b033a455e56538a885bc9046))
+* implement react-native toolchain logic ([9ce6233](https://github.com/snowdreamtech/template/commit/9ce6233ca0aa1b01e2794531bab467465cb2bf95))
+* implement security, CI/CD and frontend sector logic (vault, semgrep, checkov, mage, tanstack-query, zustand, appium, testcafe) ([8556173](https://github.com/snowdreamtech/template/commit/8556173da58c1324dfd940caf0d89e8d0cf1dcca))
+* implement self-update logic for yarn and bun, and skip global npm self-update ([6cfa4ac](https://github.com/snowdreamtech/template/commit/6cfa4ac458933d79d46e2483730635a11a61576c))
+* implement sqlalchemy toolchain logic ([1db42d8](https://github.com/snowdreamtech/template/commit/1db42d854ed499068836785bbe356952453d48bd))
+* implement testing sector logic (playwright, vitest, cypress) ([e08c31d](https://github.com/snowdreamtech/template/commit/e08c31d34ba570d8a144ff50b33426d558a96e03))
+* implement typeorm toolchain logic ([5828646](https://github.com/snowdreamtech/template/commit/582864698f682190a157c1d92f145253528510ce))
+* **license:** add license management targets to Makefile ([cd1b2f2](https://github.com/snowdreamtech/template/commit/cd1b2f28ef7199d6128d341fbd11be4bc12f983b))
+* **license:** apply SnowdreamTech license headers to all source files ([3f0247a](https://github.com/snowdreamtech/template/commit/3f0247a6afb4a2c46d7ef6e41961914ba120d4af))
+* **license:** expand extension coverage for full-stack & mobile ([40a6e7c](https://github.com/snowdreamtech/template/commit/40a6e7c18516d0843aeaef0da822b543947bcccf))
+* **license:** integrate license check into pre-commit quality gate ([098d317](https://github.com/snowdreamtech/template/commit/098d317a4eef7d6aa453cf8f356c757eb9cf140b))
+* **make:** add fix target for automated infrastructure maintenance ([3d18acc](https://github.com/snowdreamtech/template/commit/3d18accf722043075393a89d9c4d483ddc4bc8d2))
+* **make:** add project version and git branch to help output ([ae163ca](https://github.com/snowdreamtech/template/commit/ae163ca8add8ed8aeee2abca557157ec2ee60681))
+* **make:** display architecture and shell in help message ([2704a33](https://github.com/snowdreamtech/template/commit/2704a3356b5100c60f835d1ebe49c9a7fe6748c6))
+* migrate pnpm and yarn to corepack and enhance mise version detection ([2ea9a62](https://github.com/snowdreamtech/template/commit/2ea9a62cb843f19b56367f7050d07b54742dc018))
+* optimize CI-only tools by moving to env-based management in .mise.toml and setup.sh ([26fc295](https://github.com/snowdreamtech/template/commit/26fc29597321d84b5b2e26e0a09db5664813c47b))
+* **release:** enhance release.sh to support docs/package.json and lockfile sync ([a43c8c2](https://github.com/snowdreamtech/template/commit/a43c8c2efc87047ba48a5366044bba3ca7201795))
+* **scaffold:** enhance init-project.sh into a full onboarding engine ([454952b](https://github.com/snowdreamtech/template/commit/454952bc55bf75bf282a049b342ff13ac26195f3))
+* **scripts:** prioritize native package managers for tool installation ([b5134b4](https://github.com/snowdreamtech/template/commit/b5134b4a1c4dc45106b4c46c7021cdf7e3a00540))
+* **security:** disable buildx binary caching in goreleaser.yml ([8ee9b8e](https://github.com/snowdreamtech/template/commit/8ee9b8e0f755a8673a497e22079c7f3dcc2c1d0c))
+* **security:** globally lock GitHub Actions to latest verified SHAs ([193eb0c](https://github.com/snowdreamtech/template/commit/193eb0cd997c8d19bb0d86c7f811cf99f332cde2))
+* **security:** implement artifact signing with cosign and SBOM auditing ([df86f8f](https://github.com/snowdreamtech/template/commit/df86f8f092631da18eb93148674f623b59f32b99))
+* **security:** implement binary artifact audit to prevent poisoning ([73cd7b3](https://github.com/snowdreamtech/template/commit/73cd7b399cd3ffd65c0134ea08f13ac587b89501))
+* **security:** implement OpenSSF Scorecard for continuous security health monitoring ([8c5015a](https://github.com/snowdreamtech/template/commit/8c5015a67693d941cb3f893b555b515c533acd18))
+* **security:** implement platinum-standard CI/CD supply chain hardening ([d101fe4](https://github.com/snowdreamtech/template/commit/d101fe4988cc532d5fa4efa1ae8b883da7314b0e))
+* **security:** implement PR dependency review shield ([16fd84e](https://github.com/snowdreamtech/template/commit/16fd84e627d0f8bbaed92522d07bf345e3aa6dc7))
+* **security:** integrate CycloneDX SBOM generation into audit script ([5e9598a](https://github.com/snowdreamtech/template/commit/5e9598a387f2f909d32605903bb1730e7e731096))
+* **security:** re-enable buildx with --oci-worker-no-cache ([1ed6882](https://github.com/snowdreamtech/template/commit/1ed6882e61e4e42b06fc15dd67747340ca46d1d2))
+* **setup:** add AI setup module ([ee4af4e](https://github.com/snowdreamtech/template/commit/ee4af4e69042500f140065530f1c9fa4b9251964))
+* **setup:** add base setup module ([ecca380](https://github.com/snowdreamtech/template/commit/ecca3807c995e93b1122927cf731266141305622))
+* **setup:** add CUE setup module ([e7bdafb](https://github.com/snowdreamtech/template/commit/e7bdafb17d04a34aa40d7f74fbedbc89d4804361))
+* **setup:** add Docker setup module ([47af5fd](https://github.com/snowdreamtech/template/commit/47af5fd1be8e704ffd56324b4a3a514f79111c20))
+* **setup:** add Docs setup module ([249af53](https://github.com/snowdreamtech/template/commit/249af538cabaef359bb4b9f870987e760e412753))
+* **setup:** add dynamic Go registration for on-demand installation ([391f79b](https://github.com/snowdreamtech/template/commit/391f79bd4f6381ec691e0809183d1a6fcabcbfc9))
+* **setup:** add dynamic registration for rust, java, dotnet, zig, bun, deno ([29b98be](https://github.com/snowdreamtech/template/commit/29b98bed85fc93e84a3c51ab8e274133f3c2ebd6))
+* **setup:** add dynamic registry hooks for infra/runner linters (tflint, tofu, just, task) ([e0d29c8](https://github.com/snowdreamtech/template/commit/e0d29c866ee726c6ae62114bfa99cb5dd6a4b118))
+* **setup:** add dynamic registry hooks for ktlint, swiftformat, and swiftlint ([08f67ab](https://github.com/snowdreamtech/template/commit/08f67abc377b3d5f23b4dcd42e1762bd5fca339d))
+* **setup:** add dynamic registry hooks for kube-linter, spectral, and buf ([ad9ec55](https://github.com/snowdreamtech/template/commit/ad9ec55131e96194160d325ffd6de18e98dd9bcd))
+* **setup:** add dynamic registry hooks for security scanners (trivy, osv, cargo-audit) ([45b5cdb](https://github.com/snowdreamtech/template/commit/45b5cdbb2537c4992f9a8e4bf9535fe0b53c8701))
+* **setup:** add global forced setup mode for explicitly requested modules ([338b954](https://github.com/snowdreamtech/template/commit/338b954c2f6130b3cadfbdcf991b1c9679c35036))
+* **setup:** add Markdown setup module ([29fa348](https://github.com/snowdreamtech/template/commit/29fa3485703f034ff0e10f1c2e4028c97f3115ef))
+* **setup:** add missing dynamic registry maps for language-specific linters ([a47f26e](https://github.com/snowdreamtech/template/commit/a47f26e7975b20025e86ad77645958d3895bea13))
+* **setup:** add missing modules and implement concurrency guard ([0ecda76](https://github.com/snowdreamtech/template/commit/0ecda7667fdf8602fdb57ab6b646c3368f14e1be))
+* **setup:** add OpenAPI setup module ([ca75ffc](https://github.com/snowdreamtech/template/commit/ca75ffcdba3d6cdf3ae304aac69fd213c7d7ffa7))
+* **setup:** add ormolu to haskell toolchain bridging pre-commit dependency gap ([75f6d83](https://github.com/snowdreamtech/template/commit/75f6d83dd9e08c2223fdf4b37ecbf06b3bb39492))
+* **setup:** add Protobuf setup module ([363d820](https://github.com/snowdreamtech/template/commit/363d8206803ef1992995fa471abc913edcf4f68d))
+* **setup:** add retry mechanism for remote downloads referencing rule 01 ([5b22b6d](https://github.com/snowdreamtech/template/commit/5b22b6df3218eec71b5e5da65bac2271764d972d))
+* **setup:** add Runner setup module ([a083e61](https://github.com/snowdreamtech/template/commit/a083e617c7b19e5905c88e8ca4d843e54d85c3dc))
+* **setup:** add scalafmt to scala toolchain bridging pre-commit dependency gap ([276773d](https://github.com/snowdreamtech/template/commit/276773d37df2856348ed6f343ee30e71c27455fb))
+* **setup:** add Security setup module ([e5981e5](https://github.com/snowdreamtech/template/commit/e5981e5ff5b8993153707c6dbb24f2471d54315f))
+* **setup:** add Shell setup module ([b734fc2](https://github.com/snowdreamtech/template/commit/b734fc2551f2be08eed49ba8018db42d73f65ed6))
+* **setup:** add SQL setup module ([0484b8c](https://github.com/snowdreamtech/template/commit/0484b8c3b376856f725f8710beac1ea0bf1b09f5))
+* **setup:** add Testing setup module ([462da3a](https://github.com/snowdreamtech/template/commit/462da3aab47be274799881307fc8de25dc5d1ba2))
+* **setup:** add TOML setup module ([a3a475e](https://github.com/snowdreamtech/template/commit/a3a475eaec0815c478744c45db65ec64e2b9ec76))
+* **setup:** add YAML setup module ([d7d3a5b](https://github.com/snowdreamtech/template/commit/d7d3a5b3b884eebc0c29c09ccec671b08147ad98))
+* **setup:** align tool installation with CI/CD specifications ([dc743eb](https://github.com/snowdreamtech/template/commit/dc743eb58def45541e34384fe767a799b891fd43))
+* **setup:** align tool installation with CI/CD specifications ([b0c1681](https://github.com/snowdreamtech/template/commit/b0c1681e5c073c1f98906bbd96d43e6017080bc7))
+* **setup:** configure native mise jar fallback for google-java-format on unsupported architectures ([b8ef4b9](https://github.com/snowdreamtech/template/commit/b8ef4b91b9fb644417efa2f77c983ee4b4fe7da6))
+* **setup:** consolidate Node.js based tools in node.sh ([9f1b460](https://github.com/snowdreamtech/template/commit/9f1b460f093281e11f1acca2113991cab438ebf9))
+* **setup:** define missing setup_registry mappers for secondary pre-commit tools ([7572144](https://github.com/snowdreamtech/template/commit/7572144b145dc58639e1854345e58015cf677ca2))
+* **setup:** hook rubocop, google-java-format, stylua into global registry ([a88f360](https://github.com/snowdreamtech/template/commit/a88f36097cdc6fdbde7ffb1d6ffc45159bea8018))
+* **setup:** implement dynamic tool registration and performance-first engine ([a49e23d](https://github.com/snowdreamtech/template/commit/a49e23d94c4ef2589ba228bf9b5f6e5edd37d3a4))
+* **setup:** implement LEAN mode to skip heavyweight tools by default ([4b71ace](https://github.com/snowdreamtech/template/commit/4b71ace1e1c424333042f4213770824a511f5f92))
+* **setup:** implement project-local lockfile concurrency guard ([62546d5](https://github.com/snowdreamtech/template/commit/62546d5872e4cf639043533ee0b4f56c2f83ef41))
+* **setup:** restore dynamic architecture fallback wrapper for google-java-format exclusively in java.sh ([db010f2](https://github.com/snowdreamtech/template/commit/db010f245261aa8206e8a42e1a15e6c2e16bd3d2))
+* **toolchain:** elevate Go to first-class citizen in mise.toml ([d39a9da](https://github.com/snowdreamtech/template/commit/d39a9da5bc3f761d52c67cf88fd064336314c8da))
+* **versions:** introduce versions.sh as Tier 2 SSoT; migrate grain.sh ([b615a30](https://github.com/snowdreamtech/template/commit/b615a30add8341d3467d903b5916e014d19e21b9))
+
+
+### Bug Fixes
+
+* align editorconfig with gitattributes and unify line endings to LF ([410d546](https://github.com/snowdreamtech/template/commit/410d5461dabe3ae22bc7b54e5fec4107c702072b))
+* **audit:** add lockfile existence check before osv-scanner ([f795bce](https://github.com/snowdreamtech/template/commit/f795bceb2fc3ee03d0b6b8685697016cc216fb68))
+* **audit:** correct GIT_CONFIG_PARAMETERS format for diff.renameLimit ([f58eeea](https://github.com/snowdreamtech/template/commit/f58eeeaf0e44aba8235d279fc4d0bca3ec74ccdc))
+* **audit:** force zizmor offline mode in CI to prevent 403 abuse rate limits ([50f7664](https://github.com/snowdreamtech/template/commit/50f7664199b15a4b4a1178936b262bfaf8ae76ed))
+* **audit:** remove gitleaks --verbose and suppress git rename warnings ([9c0ed75](https://github.com/snowdreamtech/template/commit/9c0ed759b279aaa0686b8873775c015f61fb3cbc))
+* **audit:** restrict heavy scans to CI environment ([b9e359c](https://github.com/snowdreamtech/template/commit/b9e359cdf65622b18d5a160e90b619b3ce5b7d8a))
+* **audit:** use absolute paths for tools and pass GITHUB_TOKEN to zizmor ([fa43ae8](https://github.com/snowdreamtech/template/commit/fa43ae89ac36b4bacb5218287de2bb3dac282e81))
+* **audit:** use NPM_CONFIG_REGISTRY env var instead of hardcoded npmjs.org ([981542c](https://github.com/snowdreamtech/template/commit/981542c1504e14e75a976b43308c81f85cd1f2ec))
+* **audit:** use official registry for pnpm audit; downgrade osv-scanner to warning ([a039e9e](https://github.com/snowdreamtech/template/commit/a039e9e2355314e4b9890a792e97a62cf75f8732))
+* avoid GitHub API rate limits during mise tool registration ([4c62a14](https://github.com/snowdreamtech/template/commit/4c62a14d7f0fed6520856087403fbb661cdd77b2))
+* **bootstrap:** append PID to fallback temp directory for concurrent safety ([b7a3642](https://github.com/snowdreamtech/template/commit/b7a364279832b57db40590fb8bf70ec40d33e837))
+* **bootstrap:** skip installing 'usage' CLI on CI environments to prevent Windows hang ([b47ee7e](https://github.com/snowdreamtech/template/commit/b47ee7edc46032aa2800ec4d35ebbd3b88bec928))
+* **build:** resolve linter and verification test failures ([8d96594](https://github.com/snowdreamtech/template/commit/8d96594309f0e6a4527e120cc9aec94da46d5943))
+* **cd:** remove redundant pnpm version in action-setup ([829eb00](https://github.com/snowdreamtech/template/commit/829eb00d0a1e5012fa9b86b410f217705ad75a4e))
+* **check-env:** move CI-only guard before command -v in check_tool_version ([4ae3803](https://github.com/snowdreamtech/template/commit/4ae38034acc6516f810dd6abd12114d39511e5b7))
+* **check-env:** resolve shellcheck version detection and pnpm alignment ([6291eaf](https://github.com/snowdreamtech/template/commit/6291eaf486fcc59ad19a3c023afc63601e249acf))
+* **check-env:** use fully qualified mise tool keys for version lookups ([8216590](https://github.com/snowdreamtech/template/commit/8216590ea3b6a4272fc50856ff32cc33a947b02f))
+* **chore:** dynamically disable domestic mirrors in CI to prevent timeouts ([ce1e7e2](https://github.com/snowdreamtech/template/commit/ce1e7e243c0cc1ffab9adea5ef4372cc53564082))
+* **ci:** call zizmor via mise exec to resolve PATH issue ([56ce57a](https://github.com/snowdreamtech/template/commit/56ce57acd185251913ba3c1246d25d121297a681))
+* **ci:** correct trivy-action version tag to fix zizmor 403 limit and restore commit.sh error handling ([667741f](https://github.com/snowdreamtech/template/commit/667741f36448f082815c96509fcee34b55bc6d27))
+* **ci:** force zizmor offline mode for SARIF export ([f661c65](https://github.com/snowdreamtech/template/commit/f661c6581a35a4af553e6a5f718a7c4674d518a8))
+* **ci:** forward GITHUB_TOKEN at bootstrap and fix Bats on Windows ([7b4c937](https://github.com/snowdreamtech/template/commit/7b4c937ffcf8cbbe9f6fcabe3477be5e5df1558c))
+* **ci:** improve markdown table formatting for dependabot summary ([b3b9495](https://github.com/snowdreamtech/template/commit/b3b9495980fd8cbf1abe5ff52d879fc56005ef8f))
+* **ci:** increase MISE_FETCH_REMOTE_VERSIONS_TIMEOUT to 30s ([c207e80](https://github.com/snowdreamtech/template/commit/c207e804ce21b8bf02a07113f7876c86934a435f))
+* **ci:** make GITHUB_TOKEN rate limit check robust against DNS failures ([4cf7d90](https://github.com/snowdreamtech/template/commit/4cf7d905d0280ff0e5b40b8a6b08e1e4dd626dc4))
+* **ci:** optimize security tooling to avoid 403 API rate limits ([5a5e0b3](https://github.com/snowdreamtech/template/commit/5a5e0b3cc73ce6349ba47d61ca45950b6c3204e1))
+* **ci:** pin CodeQL action to verified underlying commit SHA ([11cb79b](https://github.com/snowdreamtech/template/commit/11cb79b81eae47e66917c33adbf41e36bfe26983))
+* **ci:** rename commitlint.config.js to .cjs for ES module compatibility ([ec7a59e](https://github.com/snowdreamtech/template/commit/ec7a59e30f06afa2f78bef5ffe2aa00e641d38cb))
+* **ci:** update gh cli version to 2.66.1 and use mise x in Makefile ([9f9977c](https://github.com/snowdreamtech/template/commit/9f9977cd429b68bbdb6853fefc7fa102e1e02330))
+* **codeql:** pin action to verified underlying commit SHA ([422a8c6](https://github.com/snowdreamtech/template/commit/422a8c6e9e1a3b5a095be9cd814d42c5fb33ee37))
+* **common:** get_mise_tool_version now falls back to VER_* env vars before 'latest' ([99c25a0](https://github.com/snowdreamtech/template/commit/99c25a09e613f326fb059f82ce6b3d7bbe1dc75e))
+* **common:** increase run_mise timeout from 60s to 120s and handle exit code 124 ([e299a6f](https://github.com/snowdreamtech/template/commit/e299a6f04bdce23b9e046eac24a71c0872976e31))
+* **common:** optimize GITHUB_TOKEN handling in run_mise for CI ([4db707a](https://github.com/snowdreamtech/template/commit/4db707a5183c24d24795e44706ca0faf5ae44fb2))
+* **common:** prioritize active mise versions in get_version to avoid dormant mismatches ([d1af77d](https://github.com/snowdreamtech/template/commit/d1af77de30cbdd13a07960db4380b62f33878870))
+* **common:** resolve_bin returns robust executable paths and prevents 127 errors ([e598805](https://github.com/snowdreamtech/template/commit/e598805c8376ee12e0071958f74c0c175e90c8e1))
+* **docker:** ensure entrypoint.d exclusion takes precedence in .dockerignore ([a5144a2](https://github.com/snowdreamtech/template/commit/a5144a2808bd7c9ead54b50289a70f1ceba16b8c))
+* **docs:** add package.json with vitepress dependency ([67c80cb](https://github.com/snowdreamtech/template/commit/67c80cb1c84b64004ec9351883b34b8026c9548b))
+* **docs:** install dependencies before building VitePress ([4541cf5](https://github.com/snowdreamtech/template/commit/4541cf57038c4c62cd193ecf8c115b64b9e3461c))
+* **docs:** skip dependency checks in dry-run mode ([e8bf2cf](https://github.com/snowdreamtech/template/commit/e8bf2cf8d431abedba880ca571a3e0285f5c3512))
+* **docs:** use mise exec for vitepress build in pages workflow ([9bac105](https://github.com/snowdreamtech/template/commit/9bac105f8f0163e1424a3db38d35a846eed9d6da))
+* ensure FastAPI logic module is executable ([7bb0c74](https://github.com/snowdreamtech/template/commit/7bb0c743b4046c21d1a2ee8d3a1f2c47a7bfc652))
+* ensure pnpm availability in CI by managing it via mise and robustifying PATH augmentation ([f93ca6b](https://github.com/snowdreamtech/template/commit/f93ca6b50c8077e4ec9999c83cf882f17a16637c))
+* **git:** prevent .gitignore from ignoring entrypoint.d directories ([df6b4e6](https://github.com/snowdreamtech/template/commit/df6b4e6fec5b2def2d73784c22848fb0a03757aa))
+* ignore revision suffixes during tool version comparison to avoid false positives ([be159eb](https://github.com/snowdreamtech/template/commit/be159ebd8d6319d683d5212667c367a7f2ab4060))
+* **lint:** allow CRLF line endings for Windows batch files ([29a2194](https://github.com/snowdreamtech/template/commit/29a219400d46c65bd6b57e9544433459f4870ac3))
+* **lint:** final project-wide quality alignment and version fixes ([a51531b](https://github.com/snowdreamtech/template/commit/a51531b908519d6e9e20cada150ad08589103cc5))
+* **lint:** prevent silent failure in lint-wrapper and relax markdown formatting in editorconfig ([b846ae8](https://github.com/snowdreamtech/template/commit/b846ae83e138cd32991879f9e13308b58c2bb840))
+* **lint:** run zizmor pre-commit hook in offline mode ([d1b07e2](https://github.com/snowdreamtech/template/commit/d1b07e276b347c5b878a658b61f81d00b4931114))
+* **mise:** add zizmor to Tier1 (pre-commit hook invokes it directly) ([0cf96c8](https://github.com/snowdreamtech/template/commit/0cf96c8c014d01dfd45f28411c85901ca8c31871))
+* **mise:** correct broken tool versions and remove invalid asdf:move plugin ([f288622](https://github.com/snowdreamtech/template/commit/f28862228a40846f1c5d10f255e5ec8ccfba699e))
+* **mise:** prefix legacy tools with asdf: to resolve registry warnings ([37f5b77](https://github.com/snowdreamtech/template/commit/37f5b776e20d708818dec901da9b42394fd4e683))
+* **mise:** remove url_replacements to restore GitHub download functionality ([fcf0996](https://github.com/snowdreamtech/template/commit/fcf0996bff6c39312efe92ff861f3df962359a55))
+* **mise:** replace asdf: plugins with cross-platform github: equivalents ([9c76f98](https://github.com/snowdreamtech/template/commit/9c76f9899f9d2cf551308b0090e05ddde94a9fda))
+* **mise:** resolve TOML duplication and improve version lookup ([2627226](https://github.com/snowdreamtech/template/commit/262722682125f657c95fb6e73cb04fd4287e3115))
+* **mise:** restore bats to Tier1; set COREPACK_INTEGRITY_KEYS=0 for Windows ([472fb70](https://github.com/snowdreamtech/template/commit/472fb70c085553b15efc07ed566796d6374b81d9))
+* **mise:** unify non-core tools under asdf: provider prefix ([ded0f88](https://github.com/snowdreamtech/template/commit/ded0f88ae134a1a922721cf845e2ab15feb7443c))
+* **mise:** update google-java-format to v1.35.0 and refine asset matching ([23ebf92](https://github.com/snowdreamtech/template/commit/23ebf92d42437e955db9defd48d64cf45d907826))
+* **node:** add DRY-RUN guard to install_vitepress, install_commitizen, install_stylelint ([eb9b3b8](https://github.com/snowdreamtech/template/commit/eb9b3b813fe90c72a34f0dc194d54a8c8a40ee0a))
+* **node:** export COREPACK_INTEGRITY_KEYS=0 before corepack calls ([a3d2caf](https://github.com/snowdreamtech/template/commit/a3d2cafd7d3732dda6b5044acba81f561c470fb4))
+* **node:** improve corepack resilience in CI with fallback to npm ([5c9e544](https://github.com/snowdreamtech/template/commit/5c9e54453f118b20252dc8123f882b0ce2b66235))
+* **orchestration:** ensure CI-only tools have active mise shims ([f7e5c63](https://github.com/snowdreamtech/template/commit/f7e5c63258317024fdaf0c17dc7d76b4aebc3d25))
+* **orchestration:** fallback to 'latest' for missing tool versions ([f600aab](https://github.com/snowdreamtech/template/commit/f600aab28b45f673f8323c7d029cce2aac63b006))
+* **orchestration:** restore environment compatibility for language scripts ([c6a2d23](https://github.com/snowdreamtech/template/commit/c6a2d234e3271bba5810751a11a86b189809dcea))
+* **orchestration:** robust namespaced tool resolution for CI ([b2434ad](https://github.com/snowdreamtech/template/commit/b2434adbb5e9570f76576aa286fa853c02535477))
+* prevent mise shim errors during setup summary by using safer version checks ([c6e1d98](https://github.com/snowdreamtech/template/commit/c6e1d98feb1c416cedf139cc446d148578514933))
+* **release:** bump pnpm to 10.30.3 in release-please workflow ([c3dcf5e](https://github.com/snowdreamtech/template/commit/c3dcf5e1f8900d96970cafd3c2b9a392c3a12785))
+* **release:** fallback to secrets.PAT for release-please-action token ([96d80af](https://github.com/snowdreamtech/template/commit/96d80af49e2423a2d41529684c6c0563e5f07a07))
+* **release:** use x-access-token for git push to satisfy zizmor ([41fba83](https://github.com/snowdreamtech/template/commit/41fba839a46f6363cf8644180b4b739721d32d73))
+* remediate security audit failure by updating commitlint dependencies ([a3c8d9e](https://github.com/snowdreamtech/template/commit/a3c8d9eec2abd9c93c48c66a3dd5e135417b9557))
+* resolve editorconfig-checker binary name mismatch via symlink ([49778be](https://github.com/snowdreamtech/template/commit/49778be83b58ebee9119785d3522b1787d2f5296))
+* resolve lockfile coexistence and CI audit path issue (re-implementation on dev) ([c53eecb](https://github.com/snowdreamtech/template/commit/c53eecb1e4cda113fe3ed070291d03116e1a18a9))
+* resolve lockfile coexistence by prioritizing lockfiles in detection ([cb671ad](https://github.com/snowdreamtech/template/commit/cb671ad23f45374b205ae6520263a300fcd29d2d))
+* **rules:** replace file:// relative links with standard markdown links in shell.md ([3c88e8f](https://github.com/snowdreamtech/template/commit/3c88e8f25a344a22333e4c005184d58b5476f8a3))
+* **scorecard:** pin action to verified underlying commit SHA ([5f6a357](https://github.com/snowdreamtech/template/commit/5f6a357398a746b4558c8f3f82e006e8cab78372))
+* **script:** ensure idempotency for pipx installation in setup.sh ([ab06718](https://github.com/snowdreamtech/template/commit/ab06718f2957bdf8b561ed62193eadcc822630f1))
+* **script:** ensure proxy fallback and safe version matching in common.sh ([c43f2ef](https://github.com/snowdreamtech/template/commit/c43f2eff647446e066b0dc4c8d842659f789578a))
+* **script:** ensure shfmt covers all nested shell scripts in format.sh ([1fa5e0a](https://github.com/snowdreamtech/template/commit/1fa5e0a295690a6681aeaccedd4397395a6cac4b))
+* **script:** null-parameter hardening in check-env.sh ([35fb367](https://github.com/snowdreamtech/template/commit/35fb367f05933bb7d195215ead0f5f37735329e7))
+* **script:** prevent perl regex crash when replacing paths with slashes ([3761c35](https://github.com/snowdreamtech/template/commit/3761c358b21e135a28a1eb1e150ac095806cfcf9))
+* **scripts:** add fault-tolerance to resolve_bin assignments to prevent set -e crashes ([49be60a](https://github.com/snowdreamtech/template/commit/49be60a481abd0f0be30143971cdc95176e70110))
+* **scripts:** add missing set -e to lint-wrapper.sh ([7cd20c8](https://github.com/snowdreamtech/template/commit/7cd20c827e4d59b2ab3e141aa66170b1df2e73da))
+* **scripts:** only match files in has_lang_files to avoid false positives on directories ([934f9de](https://github.com/snowdreamtech/template/commit/934f9de27823e8f742207cce8ff8db69510b0a5f))
+* **scripts:** prevent install_pre_commit from executing and logging twice ([cfc090b](https://github.com/snowdreamtech/template/commit/cfc090ba10abe7ee2c9f43b2307fddffeea61c76))
+* **scripts:** refactor mktemp lifecycles with global traps to prevent tmpdir leaks ([76f5060](https://github.com/snowdreamtech/template/commit/76f506057c9ed23182cff9b635d12cc9d8cbf953))
+* **scripts:** remove redundant run_with_timeout for run_mise calls ([d096afe](https://github.com/snowdreamtech/template/commit/d096afecaeb02414430700dcbe19ab05d93a9690))
+* **scripts:** resolve false-positive setup warnings for Go, Pipx, and Shellcheck ([68d7af0](https://github.com/snowdreamtech/template/commit/68d7af0a95cbe588ccc4ca09ef85daba7318eed6))
+* **scripts:** resolve missing llvm version stopping c/c++ toolchain setup ([9df2462](https://github.com/snowdreamtech/template/commit/9df246287dbca33fb67fbe5e101f36143d821dd6))
+* **scripts:** resolve unknown module errors by synchronizing setup mappings ([96f094f](https://github.com/snowdreamtech/template/commit/96f094f8cd73ea18df004be13ae80200096e4ada))
+* **scripts:** robust version detection for mocks and system tools ([3c6055e](https://github.com/snowdreamtech/template/commit/3c6055e398d434eb67b273da3a995191fd5007e4))
+* **script:** suppress SC2086 shellcheck warning for unquoted NPM audit registry arg ([81bbd94](https://github.com/snowdreamtech/template/commit/81bbd94617b18f38104d434ff82cd8c9f4b35895))
+* **security:** achieve 100% harden-runner coverage across all workflows ([9fdd8f3](https://github.com/snowdreamtech/template/commit/9fdd8f370ef019a36e14abe18ffaf1256052d109))
+* **security:** complete universal egress sync and bootstrap hardening ([1f7aea5](https://github.com/snowdreamtech/template/commit/1f7aea5b6dfd7f998adaaabf171b0b45711cdeb0))
+* **security:** disable GHA credential persistence to resolve zizmor findings ([2f255b5](https://github.com/snowdreamtech/template/commit/2f255b5eac5f360359aeef884d45514461a84352))
+* **security:** expand container registry whitelist for harden-runner ([a389e2d](https://github.com/snowdreamtech/template/commit/a389e2d9dd3fff358fe7259ff81b2c795743f6cb))
+* **security:** extend mise.lock with Windows-x64 checksums for full cross-platform security ([8da506e](https://github.com/snowdreamtech/template/commit/8da506e9b56970578f9dd48e389b4899f7406cea))
+* **security:** finalize comprehensive container registry whitelist ([3ffd2d6](https://github.com/snowdreamtech/template/commit/3ffd2d6480a95996e605715e2771f11eac85fd4c))
+* **security:** finalize global SHA-1 pinning for all 16 workflows ([2a14204](https://github.com/snowdreamtech/template/commit/2a1420406c5d80dcd14860dc7becc4919c50d8a7))
+* **security:** finalize SHA-1 pinning sweep for ci.yml ([0154a7e](https://github.com/snowdreamtech/template/commit/0154a7e7296223c0879e8f5d07eaebe01f9a3a89))
+* **security:** formalize mise toolchain integrity standards ([fcc6026](https://github.com/snowdreamtech/template/commit/fcc602653556e39266b0b74cf9b7d45b0f4fb361))
+* **security:** globally harmonize platinum-standard egress whitelists ([38f583c](https://github.com/snowdreamtech/template/commit/38f583c7e021db2df48647e54afd5b519efaecf9))
+* **security:** implement fail-safe offline fallback for zizmor and fix binary scan logic ([35a0cd7](https://github.com/snowdreamtech/template/commit/35a0cd739563045365f2d6af1e5c4849b63510d5))
+* **security:** implement MISE_LOCKED to prevent toolchain poisoning ([3aca5fa](https://github.com/snowdreamtech/template/commit/3aca5fa835300131470118b4e2b8c9249b9dfb11))
+* **security:** implement mise.lock for cryptographic toolchain integrity ([14515fe](https://github.com/snowdreamtech/template/commit/14515fee125ed87c41b67b81a8a47af2986960a5))
+* **security:** implement robust stealth binary detection in audit engine ([1c0f20d](https://github.com/snowdreamtech/template/commit/1c0f20ded821c5b44075cbd531af4dec1393b0a0))
+* **security:** pin all CI actions to immutable SHA-1 hashes ([bf7b42d](https://github.com/snowdreamtech/template/commit/bf7b42d5dce1e0896a1edfb4473cf2d42917bad8))
+* **security:** pin CD and Release actions to immutable SHA-1 hashes ([86881c2](https://github.com/snowdreamtech/template/commit/86881c2cbee00bc634a7c5e051f8842e66cb64e9))
+* **security:** pin mise-action to immutable SHA-1 hash ([239ad6c](https://github.com/snowdreamtech/template/commit/239ad6c08655aa7bf8890a7f5a42fb84b38b3545))
+* **security:** prune broad cloud wildcards from egress whitelist ([4ff0cb9](https://github.com/snowdreamtech/template/commit/4ff0cb95a35a7491e02672a73c8db1cc0a42cd8d))
+* **security:** reach 100% universal platinum-standard egress sync ([1917d82](https://github.com/snowdreamtech/template/commit/1917d82dd69a730c948cba2b10430c14b2d5edb5))
+* **security:** remediate zizmor finding and fix audit script ([b847843](https://github.com/snowdreamtech/template/commit/b8478438bc9ad2799a9071543476c7c55a12ea26))
+* **security:** resolve esbuild vulnerability (GHSA-67mh-4wv8-2f99) ([e971dca](https://github.com/snowdreamtech/template/commit/e971dcab80a2a25040e60a2df6bef9fc5b9288db))
+* **security:** resolve literal newline artifact in scorecard.yml ([4b6a3af](https://github.com/snowdreamtech/template/commit/4b6a3af9738a3479c72e6b91c5471c3588f4c574))
+* **security:** resolve Scorecard imposter commit error ([88e8bed](https://github.com/snowdreamtech/template/commit/88e8beded6f6fafccb39f7c5c209ad8b25a82630))
+* **security:** resolve Scorecard Pinned-Dependencies and Token-Permissions warnings ([d5238a6](https://github.com/snowdreamtech/template/commit/d5238a6fd2a3a706358e323533ea08fd92839831))
+* **security:** resolve syntax error in audit engine ([c222674](https://github.com/snowdreamtech/template/commit/c22267445a5a677fab2c0ee77e67af4db5057210))
+* **security:** robustify zizmor token handling and binary audit logic ([2a327aa](https://github.com/snowdreamtech/template/commit/2a327aacbcd43be4c018cfc034c84a3c1810cbb5))
+* **security:** universally synchronize egress whitelists with perfect formatting ([6ce96d8](https://github.com/snowdreamtech/template/commit/6ce96d8b94053b72030bddf9751035452042fff2))
+* **security:** universally synchronize language repo whitelists ([e4b39ed](https://github.com/snowdreamtech/template/commit/e4b39edcc61e9853d63b1b104a9df613da441afc))
+* **security:** widen egress whitelists for multi-distro linux support ([99dba63](https://github.com/snowdreamtech/template/commit/99dba63bfcb665451eba4bf694fc178c53fb2733))
+* **setup/java,kotlin:** add fast-path version checks to install_java_lint and install_ktlint ([656478c](https://github.com/snowdreamtech/template/commit/656478c4e15d5d5af790f2c4836fb8e3fc9828f8))
+* **setup/security:** add CI-only guards to osv-scanner, trivy, cargo-audit ([680e36f](https://github.com/snowdreamtech/template/commit/680e36f0103d04240eb08b00029d9879f3f3f10d))
+* **setup:** avoid hang on interruption and show progress for large installs ([1b09c61](https://github.com/snowdreamtech/template/commit/1b09c61a6a0f54e0cafed2167067410edb512736))
+* **setup:** avoid unsetting valid github tokens on network timeouts ([9e5dde4](https://github.com/snowdreamtech/template/commit/9e5dde4c0ff6da512a77d34272cefb6fe5d4c66b))
+* **setup:** correctly source modules in install.sh and fix k8s mapping ([62546d5](https://github.com/snowdreamtech/template/commit/62546d5872e4cf639043533ee0b4f56c2f83ef41))
+* **setup:** eliminate redundant installs with prefix matching and caching ([4e20246](https://github.com/snowdreamtech/template/commit/4e20246874c3a908b97642e02f8a2eaebaff2b57))
+* **setup:** ensure dry-run reports planned actions even if silent fast-path is active ([0cf8f66](https://github.com/snowdreamtech/template/commit/0cf8f66bc7d29be2ebab8c111a72780f48ec6c76))
+* **setup:** expand HEAVY_MODULES skip list for local dev mode ([0bc150b](https://github.com/snowdreamtech/template/commit/0bc150bc9ece17c82d5ca11d625ea5900c44d2d2))
+* **setup:** guard command -v in get_version to handle missing tools ([15beebb](https://github.com/snowdreamtech/template/commit/15beebb86237dd4e13d24761a95b426dde7d6f7a))
+* **setup:** implement command timeouts and session-level caching to prevent infinite hangs ([e822901](https://github.com/snowdreamtech/template/commit/e822901ff48d99647b492b083bea2dbeceffd057))
+* **setup:** resolve mise warnings, missing dependencies, and performance bottlenecks ([1e80d7b](https://github.com/snowdreamtech/template/commit/1e80d7b0ed14b1a895595780f10554ae0a9d8c76))
+* **setup:** resolve two root causes of make setup stalling ([a37b8ca](https://github.com/snowdreamtech/template/commit/a37b8cadf36e291eaf01ed501b62f633b4ec8c36))
+* **setup:** skip go/rust runtime detection unless project files exist ([0ac8315](https://github.com/snowdreamtech/template/commit/0ac8315aada2df33d0b145b0194573fe78187523))
+* **setup:** skip google-java-format on linux/arm64 due to missing prebuilt binary ([8b5c055](https://github.com/snowdreamtech/template/commit/8b5c05539f67cff22acce1cf2e7f39c5704a12d0))
+* **setup:** use exact key matching in get_version to prevent false matches ([e0993fc](https://github.com/snowdreamtech/template/commit/e0993fcac1ecd3672cc247271ed8679073186ebd))
+* **shell:** add DRY-RUN guard to install_shfmt and install_shellcheck ([ab97ddd](https://github.com/snowdreamtech/template/commit/ab97ddd89e60c02359e22c079fa38d322995ff4e))
+* skip heavy linting tools locally and refine resolve_bin for hollow shims ([bd07483](https://github.com/snowdreamtech/template/commit/bd0748395b9e22e486465b5bdd96da1103ca3edd))
+* **test:** auto-install bats vendor libraries when missing ([30d7097](https://github.com/snowdreamtech/template/commit/30d7097c8abcdef1a18a212727a33d2f5c1d1cdf))
+* **test:** optimize setup dry-run and correct pre-commit tags ([c4578fa](https://github.com/snowdreamtech/template/commit/c4578fae5b2b6102a6eb6ea3d6032cb718f90ee6))
+* **test:** relocate bats vendor to tests/vendor and fix load paths ([20e9f69](https://github.com/snowdreamtech/template/commit/20e9f69b202835270d4b06a7e5dc0ae562839a78))
+* **test:** respect ENABLE_GITHUB_PROXY to prevent proxy timeouts in CI ([a912165](https://github.com/snowdreamtech/template/commit/a91216571d9d84fa311b53efebef97fa1807d954))
+* **test:** update lifecycle.bats grep patterns to match table output ([608ee76](https://github.com/snowdreamtech/template/commit/608ee76dc97db206180e594ae11db0ce9240a3dd))
+* **test:** use GITHUB_PROXY and retry for bats vendor library clones ([208a104](https://github.com/snowdreamtech/template/commit/208a1041a97cdd6381beca3654d524310e613a5d))
+* unify prettier configuration and stabilize formatters ([81ca044](https://github.com/snowdreamtech/template/commit/81ca0447d14604109ec97bea1068ca29bd86040a))
+* use cross-platform temp path and OS detection for token cache ([a787d48](https://github.com/snowdreamtech/template/commit/a787d480acb043690b312d60625d15b297d3ece4))
+
+
+### Performance Improvements
+
+* **ci:** cache mise binary in lint workflow ([b8e9917](https://github.com/snowdreamtech/template/commit/b8e9917c2b4d2d1d9c12e8df24ad018d2fc03573))
+* **ci:** cache mise binary in pages workflow ([b52535f](https://github.com/snowdreamtech/template/commit/b52535f860962c89a36365ede1b7e1296532be79))
+* **ci:** cache mise binary in test workflow ([6333d0b](https://github.com/snowdreamtech/template/commit/6333d0b4be0e97d4a010599dc784297eb54ca30b))
+* **ci:** cache mise binary in verify workflow ([baacd48](https://github.com/snowdreamtech/template/commit/baacd4857855d508708c64ecdf4eca23dcbca59a))
+* **ci:** enforce offline mode for environment health checks ([2b95934](https://github.com/snowdreamtech/template/commit/2b959343c87b4895e532a954193bbe9f954da6e3))
+* **ci:** implement advanced caching and offline modes ([bce1aa0](https://github.com/snowdreamtech/template/commit/bce1aa0421b91c14f7c135cd1b1560310b11ffd1))
+* **ci:** implement advanced caching and offline modes ([3faa417](https://github.com/snowdreamtech/template/commit/3faa417a9ca320fd92800c232c8dd87b1cdf5bae))
+* **ci:** implement incremental gitleaks scanning for PRs ([b3852c2](https://github.com/snowdreamtech/template/commit/b3852c2d30de8b2a00b95188c93de0f74fea47b7))
+* disable mise plugin auto-updates and remote version fetching ([e50ec33](https://github.com/snowdreamtech/template/commit/e50ec33bb8b6f1950b179d9613ccf614e15ceb00))
+* ensure 100% silent setup by making commitlint guard robust ([80e72a9](https://github.com/snowdreamtech/template/commit/80e72a97611ca9faa458941344d0e3f33a91bfec))
+* extend silent fast-path guards to all remaining binary tools ([14e398b](https://github.com/snowdreamtech/template/commit/14e398b2965f5e590fb2cc6924903c3773263356))
+* fix version mismatches for pipx and npm tools in setup guards ([3c71f1e](https://github.com/snowdreamtech/template/commit/3c71f1e5a6a89677039ab2649ff4e633e3c5be67))
+* implement audit mode for comprehensive environment health checks ([43ab8a8](https://github.com/snowdreamtech/template/commit/43ab8a874c6cd72ce0fc13e008e77332d05721fa))
+* implement mise state caching and fast-path guards for core tools and runtimes ([71183f6](https://github.com/snowdreamtech/template/commit/71183f6b3be3dd3c0a7eb658356dd146a77b2ccf))
+* implement mise state caching and fast-path guards for core tools and runtimes ([a20c84e](https://github.com/snowdreamtech/template/commit/a20c84edd8da222a166b97abe8f2c4ef85d87b67))
+* **license:** switch to incremental check in pre-commit ([fc4a166](https://github.com/snowdreamtech/template/commit/fc4a166a9a49b839a708580608805c2e0fa6d0a5))
+* **mise:** remove unused asdf runtimes for a leaner setup ([62546d5](https://github.com/snowdreamtech/template/commit/62546d5872e4cf639043533ee0b4f56c2f83ef41))
+* reduce GitHub API requests with mise update check and token cache ([f7cbe25](https://github.com/snowdreamtech/template/commit/f7cbe254ff7c037dd4540c6dfbf72758babf6a3e))
+* resolve duplicate commitlint function and finalize silent setup ([92e2759](https://github.com/snowdreamtech/template/commit/92e27593d4558607040b62899cf0e99e961acd26))
+* **script:** optimize find -exec rm efficiently with + ([5d60a0b](https://github.com/snowdreamtech/template/commit/5d60a0bf16c78b8cf2646e5e6241d9e09f731f86))
+* **setup:** add run_with_timeout helper and apply to security/helm modules ([4b71ace](https://github.com/snowdreamtech/template/commit/4b71ace1e1c424333042f4213770824a511f5f92))
+* **setup:** optimize finds and get_version for faster initialization ([62546d5](https://github.com/snowdreamtech/template/commit/62546d5872e4cf639043533ee0b4f56c2f83ef41))
+* **setup:** optimize get_version using mise cache for installed tools ([56eaadd](https://github.com/snowdreamtech/template/commit/56eaadd008bdb3e3dc6adf1d8f9c5bcc3465a284))
+* **setup:** optimize has_lang_files find by pruning AI/IDE hidden dirs ([3b86a01](https://github.com/snowdreamtech/template/commit/3b86a01a8f2a76a94f3ac68412f750c29564b405))
+* silence final binary tools and align version drift ([95b8d1c](https://github.com/snowdreamtech/template/commit/95b8d1ca02baf20a3a3564d55e5a719e6b6f7587))
+* **toolchain:** optimize pnpm installation via npm registry ([6179f8d](https://github.com/snowdreamtech/template/commit/6179f8d180ac39fe38cdbbccd5c11fe412d12b64))
+
 ## [Unreleased]
 
 ### Added