chore(deps): upgrade deps

.gitleaks.toml

@@ -14,3 +14,7 @@ paths = [
 [[allowlists]]
 description = "Mock workload access token in CDK handler tests (not a real credential)."
 stopwords = ["wat-opaque-123"]
+
+[[allowlists]]
+description = "Test fixture signing secret in Slack verification unit test (not a real credential)."
+stopwords = ["test-signing-secret-abc123"]

agent/Dockerfile

@@ -1,16 +1,22 @@
 ARG TARGETPLATFORM=linux/arm64
+ARG GH_VERSION=2.92.0
 
 FROM --platform=$TARGETPLATFORM jdxcode/mise:latest AS mise
 
+# Build gh with a patched Go toolchain; upstream packages can lag Go CVE fixes.
+FROM --platform=$TARGETPLATFORM golang:1.26.3-bookworm AS gh-builder
+ARG GH_VERSION
+RUN GOPROXY=direct GOBIN=/out go install "github.com/cli/cli/v2/cmd/gh@v${GH_VERSION}"
+
 FROM --platform=$TARGETPLATFORM python:3.13-slim
 
 # Install mise (polyglot dev tool manager)
 COPY --from=mise /usr/local/bin/mise /usr/local/bin/mise
+COPY --from=gh-builder /out/gh /usr/local/bin/gh
 
 # Install system dependencies in multiple layers:
 #   - Node.js 20 (required by Claude Code CLI)
 #   - git (repo operations)
-#   - gh (GitHub CLI for PR creation)
 #   - build-essential (native compilation for some repos)
 #   - curl (downloads)
 RUN apt-get update && \
@@ -31,20 +37,10 @@ RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
 
-# GitHub CLI (gh)
-RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
-        | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
-    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
-        > /etc/apt/sources.list.d/github-cli.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends gh && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
-
 # Install Claude Code CLI (the Python SDK requires this binary)
 # Then update known vulnerable transitive packages where fixed versions exist.
 RUN npm install -g npm@latest && \
-    npm install -g @anthropic-ai/claude-code@2.1.87 && \
+    npm install -g @anthropic-ai/claude-code@2.1.139 && \
     CLAUDE_NPM_ROOT="$(npm root -g)/@anthropic-ai/claude-code" && \
     npm --prefix "${CLAUDE_NPM_ROOT}" update tar minimatch glob cross-spawn picomatch
 

agent/mise.toml

@@ -3,7 +3,7 @@ min_version = "2026.2.6"
 [tools]
 python = "3.13"
 uv = "latest"
-"aqua:aquasecurity/trivy" = "v0.69.3"
+"aqua:aquasecurity/trivy" = "v0.70.0"
 
 [env]
 _.python.venv = { path = ".venv", create = true }

agent/pyproject.toml

@@ -4,14 +4,14 @@ version = "0.1.0"
 description = "Background coding agent — runs tasks in isolated cloud environments and produces pull requests"
 requires-python = ">=3.13"
 dependencies = [
-    "boto3==1.42.54",
-    "claude-agent-sdk==0.1.53",
-    "requests==2.33.0",
-    "fastapi==0.135.2",
-    "uvicorn==0.42.0",
-    "aws-opentelemetry-distro~=0.15.0",
-    "mcp==1.23.0",
-    "cedarpy>=4.8.0",
+    "boto3==1.43.6", #https://pypi.org/project/boto3/
+    "claude-agent-sdk==0.1.81", #https://github.com/anthropics/claude-agent-sdk-python
+    "requests==2.34.0", #https://pypi.org/project/requests/
+    "fastapi==0.136.1", #https://pypi.org/project/fastapi/
+    "uvicorn==0.46.0", #https://pypi.org/project/uvicorn/
+    "aws-opentelemetry-distro~=0.17.0", #https://pypi.org/project/aws-opentelemetry-distro/
+    "mcp==1.27.1", #https://pypi.org/project/mcp/
+    "cedarpy>=4.8.1", #https://github.com/k9securityio/cedar-py
 ]
 
 [tool.bandit]