chore(deps): Bump the minor-and-patch group across 1 directory with 5 updates

[dependabot]

Bumps the minor-and-patch group with 5 updates in the / directory:

Package	From	To
@biomejs/biome	2.4.9	2.4.10
@cleocode/lafs	2026.3.74	2026.4.0
@types/node	25.5.0	25.5.2
vitest	4.1.1	4.1.2
citty	0.2.1	0.2.2

Updates @biomejs/biome from 2.4.9 to 2.4.10

Release notes

Sourced from @​biomejs/biome's releases.

Biome CLI v2.4.10

2.4.10

Patch Changes

• #8838 f3a6a6b Thanks @​baeseokjae! - Added new lint nursery rule noImpliedEval.

  The rule detects implied eval() usage through functions like setTimeout, setInterval, and setImmediate when called with string arguments.

  // Invalid
  setTimeout("alert('Hello');", 100);
  // Valid
  setTimeout(() => alert("Hello"), 100);

• #9320 93c3b6c Thanks @​taberoajorge! - Fixed #7664: noUnusedVariables no longer reports false positives for TypeScript namespace declarations that participate in declaration merging with an exported or used value declaration (const, function, or class) of the same name. The reverse direction is also handled: a value declaration merged with an exported namespace is no longer flagged.

• #9630 1dd4a56 Thanks @​raashish1601! - Fixed #9629: noNegationElse now keeps ternary branch comments attached to the correct branch when applying its fixer.

• #9216 04243b0 Thanks @​FrederickStempfle! - Fixed #9061: noProcessEnv now also detects process.env when process is imported from the "process" or "node:process" modules.

  Previously, only the global process object was flagged:

  import process from "node:process";
  // This was not flagged, but now it is:
  console.log(process.env.NODE_ENV);

• #9692 61b7ec5 Thanks @​mkosei! - Fixed Svelte #each destructuring parsing and formatting for nested patterns such as [key, { a, b }].

• #9627 06a0f35 Thanks @​ematipico! - Fixed #191: Improved the performance of how the Biome Language Server pulls code actions and diagnostics.

  Before, code actions were pulled and computed all at once in one request. This approach couldn't work in big files, and caused Biome to stale and have CPU usage spikes up to 100%.

  Now, code actions are pulled and computed lazily, and Biome won't choke anymore in big files.

• #9643 5bfee36 Thanks @​dyc3! - Fixed #9347: useVueValidVBind no longer reports valid object bindings like v-bind="props".

• #9627 06a0f35 Thanks @​ematipico! - Fixed assist diagnostics being invisible when using --diagnostic-level=error. Enforced assist violations (e.g. useSortedKeys) were filtered out before being promoted to errors, causing biome check to incorrectly return success.

• #9695 9856a87 Thanks @​dyc3! - Added the new nursery rule noUnsafePlusOperands, which reports + and += operations that use object-like, symbol, unknown, or never operands, or that mix number with bigint.

• #9627 06a0f35 Thanks @​ematipico! - Fixed duplicate parse errors in check and ci output. When a file had syntax errors, the same parse error was printed twice and the error count was inflated.

• #9627 06a0f35 Thanks @​ematipico! - Improved the performance of the commands lint and check when they are called with --write.

... (truncated)

Changelog

Sourced from @​biomejs/biome's changelog.

2.4.10

Patch Changes

• #8838 f3a6a6b Thanks @​baeseokjae! - Added new lint nursery rule noImpliedEval.

  The rule detects implied eval() usage through functions like setTimeout, setInterval, and setImmediate when called with string arguments.

  // Invalid
  setTimeout("alert('Hello');", 100);
  // Valid
  setTimeout(() => alert("Hello"), 100);

• #9320 93c3b6c Thanks @​taberoajorge! - Fixed #7664: noUnusedVariables no longer reports false positives for TypeScript namespace declarations that participate in declaration merging with an exported or used value declaration (const, function, or class) of the same name. The reverse direction is also handled: a value declaration merged with an exported namespace is no longer flagged.

• #9630 1dd4a56 Thanks @​raashish1601! - Fixed #9629: noNegationElse now keeps ternary branch comments attached to the correct branch when applying its fixer.

• #9216 04243b0 Thanks @​FrederickStempfle! - Fixed #9061: noProcessEnv now also detects process.env when process is imported from the "process" or "node:process" modules.

  Previously, only the global process object was flagged:

  import process from "node:process";
  // This was not flagged, but now it is:
  console.log(process.env.NODE_ENV);

• #9692 61b7ec5 Thanks @​mkosei! - Fixed Svelte #each destructuring parsing and formatting for nested patterns such as [key, { a, b }].

• #9627 06a0f35 Thanks @​ematipico! - Fixed #191: Improved the performance of how the Biome Language Server pulls code actions and diagnostics.

  Before, code actions were pulled and computed all at once in one request. This approach couldn't work in big files, and caused Biome to stale and have CPU usage spikes up to 100%.

  Now, code actions are pulled and computed lazily, and Biome won't choke anymore in big files.

• #9643 5bfee36 Thanks @​dyc3! - Fixed #9347: useVueValidVBind no longer reports valid object bindings like v-bind="props".

• #9627 06a0f35 Thanks @​ematipico! - Fixed assist diagnostics being invisible when using --diagnostic-level=error. Enforced assist violations (e.g. useSortedKeys) were filtered out before being promoted to errors, causing biome check to incorrectly return success.

• #9695 9856a87 Thanks @​dyc3! - Added the new nursery rule noUnsafePlusOperands, which reports + and += operations that use object-like, symbol, unknown, or never operands, or that mix number with bigint.

• #9627 06a0f35 Thanks @​ematipico! - Fixed duplicate parse errors in check and ci output. When a file had syntax errors, the same parse error was printed twice and the error count was inflated.

• #9627 06a0f35 Thanks @​ematipico! - Improved the performance of the commands lint and check when they are called with --write.

• #9627 06a0f35 Thanks @​ematipico! - Fixed --diagnostic-level not fully filtering diagnostics. Setting --diagnostic-level=error now correctly excludes warnings and infos from both the output and the summary counts.

... (truncated)

Commits

• fcf216d ci: release (#9622)
• 8b7f55c chore: update sponsors (#9714)
• 9856a87 feat(lint/js): add noUnsafePlusOperands (#9695)
• 5bfee36 fix(useVueValidVBind): don't flag missing arguments (#9643)
• f3a6a6b feat(linter): add noImpliedEval rule (#8838)
• See full diff in compare view

Updates @cleocode/lafs from 2026.3.74 to 2026.4.0

Release notes

Sourced from @​cleocode/lafs's releases.

v2026.3.76

Added

• Agent Unification (T170): Unified cleo agent CLI with 10 subcommands (register, list, get, remove, rotate-key, claim-code, watch, poll, send, health)
• Agent Registry: agent_credentials table with AES-256-GCM encrypted API keys (machine-key bound, per-project derived)
• Conduit Architecture: ConduitClient + HttpTransport + factory (2-layer Transport/Conduit pattern)
• Transport interface: connect/disconnect/push/poll/ack/subscribe in @​cleocode/contracts
• AgentCredential + AgentRegistryAPI contracts: typed CRUD for credential management
• @​cleocode/runtime: AgentPoller with group @​mention support (fixes peek blind spot)
• 5 Rust crates migrated: signaldock-protocol, signaldock-storage, signaldock-transport, signaldock-sdk, signaldock-payments (5→13 workspace crates)
• Diesel ORM foundation for signaldock-storage (schema.rs, models, consolidated migration)
• diesel-async 0.8 with SyncConnectionWrapper for unified SQLite + Postgres adapter
• Conduit dispatch domain (5 operations: status, peek, start, stop, send)
• cleo agent watch command for continuous message polling
• cleo agent claim-code command for ownership verification
• cleo agent health command (merged from deprecated cleo agents)
• TypedDb pattern with drizzle-orm/zod validation schemas
• CANT DSL epic complete (T202): 694 tests, 17K Rust + 3.8K TS, 3 new crates (cant-napi, cant-lsp, cant-runtime)
• Crypto hardening: version byte in ciphertext (F-006), HOME validation (F-002), key length check (F-004)

Fixed

• E-FIND-004: ACL denial now audited + projectPath redacted in nexus/workspace.ts
• AgentRegistryAccessor: pre-flight checks on update/remove (C1/C2), deterministic getActive ordering (H3)
• HttpTransport: since param now passed to peek endpoint (H5)
• ConduitClient: connect() transitions to error state on failure (H6)
• CLI agent key redaction safe on short keys (H1)
• CAAMP library-loader.ts TS2352 type cast fix
• workflow-executor.ts unused variable build errors
• Test assertions updated for conduit dispatch domain (10→11 canonical domains)
• Audit test mock updated for agentCredentials schema export
• Message dedup P0 fixed server-side by signaldock-core-agent
• Biome lint: 24 errors resolved (all types from @​cleocode/contracts, zero any)
• Ferrous Forge: 4 violations resolved (cant-core file splits)
• CI pipeline: 5 layers of failures fixed (lint, lockfile, build order)
• AgentRegistryAccessor drizzle type mismatch (8 TS errors eliminated)

Changed

• Default API URL: api.clawmsgr.com → api.signaldock.io (legacy endpoint stays in parallel)
• packages/core/src/signaldock/ removed — replaced by conduit/ directory
• cleo agents deprecated — health monitoring moved to cleo agent health
• Conduit JSDoc updated: removed ClawMsgr references, documented Transport implementations
• DATABASE-ARCHITECTURE.md updated for Diesel as sole Rust ORM
• signaldock-storage traits split from monolithic mod.rs (432 lines) to 7 focused files
• Rust workspace version aligned to CalVer 2026.3.76

Changelog

Sourced from @​cleocode/lafs's changelog.

[2026.4.0] - 2026-04-01

Added

• T234 Agent Domain Unification: Complete separation of concerns — signaldock.db owns ALL agent data, tasks.db owns tasks only
• AgentRegistryAccessor rewrite: Reads/writes signaldock.db exclusively (no dual-write, no cache)
• agent_connections table: SSE/WebSocket lifecycle tracking with heartbeat monitoring
• agent_credentials migration: api_key_encrypted, transport_config, classification in signaldock.db
• LocalTransport proven: E2E lifecycle test (6 tests) — register, start, send, receive, stop
• TransportFactory wiring: createRuntime() auto-selects Local > SSE > HTTP
• cleo agent start: Full transport stack working with LocalTransport auto-selection
• .cant scaffold on register: T240 — generates valid CANT v2 persona file on agent registration
• CANT v2 ProseBlock: AST node for multi-line prose in .cant files
• DieselStore message traits: count_unread, unread_by_conversation, online agent listing
• Cross-DB write-guards: agentExistsInSignaldockDb() validation before cross-DB references
• Junction table sync: capabilities/skills synced to signaldock.db on register/update
• cleo-prime: Registered on api.signaldock.io as primary orchestrator identity

Removed

• 12 sqlx adapter files (102 queries eliminated) — Diesel is sole Rust ORM
• agent_credentials dual-write pattern (was writing to both tasks.db and signaldock.db)
• Backfill code from upgrade.ts

Fixed

• Drizzle migration FK ordering (lifecycle_evidence created before lifecycle_stages)
• Peek SQL timestamp filtering (was returning all messages from epoch)
• 3 CRITICAL security vulnerabilities on api.signaldock.io (AnyAuth bypass, message leakage, impersonation)
• ClawMsgr worker: 4-track message discovery, --agent flag, cursor stall fix
• ClawMsgr daemon: full message delivery (was count-only)
• signaldock.db embedded migrations work outside monorepo

Changed

• Database separation: tasks.db=tasks, signaldock.db=agents, brain.db=memory, nexus.db=collab
• SignalDock is primary communication channel (ClawMsgr is legacy backup)
• All agent configs updated with groupConversationIds + correct API URLs
• 5 agent personas updated with --agent polling standard

Added (T158 CAAMP 1.9.1 Integration)

• CAAMP ^1.9.1 with 16-event canonical hook taxonomy (T159)
• Hook types migrated to canonical names with backward compat (T160)
• Gemini CLI adapter: 10/16 hooks, getTranscript, install (T161)
• Codex adapter: 3/16 hooks, getTranscript, install (T162)
• Kimi adapter: install-only, no native hooks (T163)
• Claude Code adapter: 9→14 hooks via CAAMP normalizer (T164)
• OpenCode adapter: 6→10 hooks via CAAMP normalizer (T164)
• Cursor adapter: 0→10 hooks, fully implemented (T165)
• Brain automation handlers for SubagentStart/Stop, PreCompact (T166)
• cleo doctor --hooks provider hook matrix diagnostic (T167)
• E2E hook automation tests (T168)

[2026.3.76] - 2026-03-28

... (truncated)

Commits

• See full diff in compare view

Updates @types/node from 25.5.0 to 25.5.2

Commits

• See full diff in compare view

Updates vitest from 4.1.1 to 4.1.2

Release notes

Sourced from vitest's releases.

v4.1.2

This release bumps Vitest's flatted version and removes version pinning to resolve flatted's CVE related issues (vitest-dev/vitest#9975).

   🐞 Bug Fixes

• Don't resolve setupFiles from parent directory  -  by @​hi-ogawa in vitest-dev/vitest#9960 (7aa93)
• Ensure sequential mock/unmock resolution  -  by @​hi-ogawa and Claude Opus 4.6 in vitest-dev/vitest#9830 (7c065)
• browser: Take failure screenshot if toMatchScreenshot can't capture a stable screenshot  -  by @​macarie in vitest-dev/vitest#9847 (faace)
• coverage: Correct coverageConfigDefaults values and types  -  by @​Arthie in vitest-dev/vitest#9940 (b3c99)
• pretty-format: Fix output limit over counting  -  by @​hi-ogawa in vitest-dev/vitest#9965 (d3b7a)
• Disable colors if agent is detected  -  by @​sheremet-va and @​AriPerkkio in vitest-dev/vitest#9851 (6f97b)

    View changes on GitHub

Commits

• fc6f482 chore: release v4.1.2
• 6f97b55 feat: disable colors if agent is detected (#9851)
• b3c992c fix(coverage): correct coverageConfigDefaults values and types (#9940)
• 7c06598 fix: ensure sequential mock/unmock resolution (#9830)
• f54abad chore: add typo-checker skill and fix typos (#9963)
• 7aa9377 fix: don't resolve setupFiles from parent directory (#9960)
• See full diff in compare view

Updates citty from 0.2.1 to 0.2.2

Release notes

Sourced from citty's releases.

v0.2.2

compare changes

🚀 Enhancements

• Support subcommand aliases (#236)
• Add plugin system (#238)
• Support default sub command (#156)

🩹 Fixes

• main: Allow user-defined -h, --help, -v, --version args (#234)
• Resolve alias value over default (#228)
• Subcommand resolution incorrectly consumes flag values (#231)
• Coerce parsed arg values to match declared types (#239)

💅 Refactors

• Improve usage tips (#198)

📖 Documentation

• Add usage section (#70)
• Add example setup and cleanup option (#188)

✅ Tests

• Reproduce issue with short option (alias) and = (#230)
• parser: Add regression tests for hyphen-prefixed string values (#171)

❤️ Contributors

• 苏向夜 (@​fu050409)
• Pooya Parsa (@​pi0)
• Daniel Roe (@​danielroe)
• Kricsleo (@​kricsleo)
• Kanon (@​ysknsid25)
• Estéban (@​Barbapapazes)
• Wyatt Johnson (@​wyattjoh)
• Robin (@​OrbisK)

Changelog

Sourced from citty's changelog.

v0.2.2

compare changes

🚀 Enhancements

• Support subcommand aliases (#236)
• Add plugin system (#238)
• default: Support default sub command (#156)

🩹 Fixes

• main: Allow user-defined -h, --help, -v, --version args (#234)
• Resolve alias value over default (#228)
• Subcommand resolution incorrectly consumes flag values (#231)
• Coerce parsed arg values to match declared types (#239)

💅 Refactors

• Improve usage tips (#198)

📖 Documentation

• Add usage section (#70)
• Add example setup and cleanup option (#188)

🏡 Chore

• Update deps (49b416e)
• Init agents.md (3bee5c3)
• Apply automated updates (142bdc9)
• Rename fmt script (64e8f54)
• Apply automated updates (0228318)
• Apply automated updates (f509073)
• Update deps (033daea)

✅ Tests

• Reproduce issue with short option (alias) and = (#230)
• parser: Add regression tests for hyphen-prefixed string values (#171)

❤️ Contributors

• 苏向夜 (@​fu050409)
• Pooya Parsa (@​pi0)
• Daniel Roe (@​danielroe)
• Kricsleo (@​kricsleo)
• Kanon (@​ysknsid25)
• Estéban (@​Barbapapazes)
• Robin robin.kehl@singular-it.de

... (truncated)

Commits

• 9cb0edc chore(release): v0.2.2
• f40f1a2 feat(default): support default sub command (#156)
• 033daea chore: update deps
• 41311a9 chore(deps): update codecov/codecov-action action to v6 (#242)
• e6fa9ac fix: coerce parsed arg values to match declared types (#239)
• ea428c7 refactor: improve usage tips (#198)
• cc75125 fmt
• f57b301 compact docs
• f509073 chore: apply automated updates
• 88916bb docs: add example setup and cleanup option (#188)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions