- Fix import detection: use starts_with for from-line matching (no mid-line false positives)
- Reject classic PATs (ghp_) early with clear error in both auth scripts
- Fix base64url JWT decode for Azure OID extraction (proper padding + urlsafe)
- Fix entrypoint.sh: disable set -e around agent run so output collection works on failure
- Fix k8s-local-down: use lighter dependency check (no KVM required for teardown)
- Fix k8s-infra-down: only require az CLI (not kubectl/envsubst) for teardown
- Parameterise namespace in job manifests (uses NAMESPACE from envsubst)
- Escape prompt for safe YAML embedding (backslashes, quotes, newlines)

Note: edit_handler validation bypass (review comment hyperlight-dev#7) is a pre-existing
issue requiring a larger refactor — tracked separately.

* feat: Kubernetes deployment for HyperAgent on AKS and KIND

- Add K8s Job manifests with Key Vault and K8s Secret auth
- Add hyperagent-k8s CLI with log streaming, file retrieval, input injection
- Add --input-dir support via init containers
- Add device plugin DaemonSet, K8s Dockerfile, KIND local setup
- Add Azure infra scripts (AKS + ACR + KVM node pool)
- Fix code validator false positives on prose containing from in strings
- Fix Azure CLI Graph API: use --assignee-object-id for RBAC
- Use fine-grained PATs (classic PATs silently fail with Copilot SDK)
- Use HYPERAGENT_PROMPT env var instead of CLI arg for reliability

* fix: address PR review feedback

- Fix import detection: use starts_with for from-line matching (no mid-line false positives)
- Reject classic PATs (ghp_) early with clear error in both auth scripts
- Fix base64url JWT decode for Azure OID extraction (proper padding + urlsafe)
- Fix entrypoint.sh: disable set -e around agent run so output collection works on failure
- Fix k8s-local-down: use lighter dependency check (no KVM required for teardown)
- Fix k8s-infra-down: only require az CLI (not kubectl/envsubst) for teardown
- Parameterise namespace in job manifests (uses NAMESPACE from envsubst)
- Escape prompt for safe YAML embedding (backslashes, quotes, newlines)

Note: edit_handler validation bypass (review comment #7) is a pre-existing
issue requiring a larger refactor — tracked separately.

* fix: use strip_prefix for clippy compliance in import detection

* fix: system prompt, edit_handler validation, table contrast, bare exports

- System message: mandatory handler pattern box, edit_handler guidance
- edit_handler: validate edited code before applying (closes security bypass)
- Validator: handle bare 'export { name }' in .d.ts (fixes getThemeNames)
- PPTX tables: always autoTextColor for row text (no overrides)
- PDF tables: auto-contrast body text per row, auto-fix poor contrast
- Both: dark theme rows get explicit fill for readability on image backgrounds

* fix: update tests for auto-contrast table text (CI failures)

- Update pptx-readability tests: autoTextColor always wins, no overrides
- Regenerate PDF golden baseline for table-styles (contrast-corrected colors)