chore(deps): Bump the minor-and-patch group with 3 updates #31

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/minor-and-patch-1b4d66dee7

dependabot[bot] commented on behalf of github on Apr 8, 2026

Bumps the minor-and-patch group with 3 updates: @cleocode/lafs, vite and vitest.

Updates @cleocode/lafs from 2026.4.0 to 2026.4.11

Release notes

Sourced from @cleocode/lafs's releases.

v2026.4.11

Highlights

This release closes the T299 epic (Database Topology + Lifecycle) across 4 waves. It establishes the full CleoOS database topology (4 DBs × 2 tiers) as a first-class architectural concern, anchored by ADR-036. Key deliveries: walk-up getProjectRoot() that never auto-creates nested .cleo/, idempotent legacy file cleanup wired into CLI startup, global-tier VACUUM INTO backup for nexus.db, a runtime guard preventing stray nexus.db files outside getCleoHome(), and a 9-scenario integration test suite that validates the full topology contract. 9 tasks shipped in 8 commits, 42 new tests, ~2000 LOC. Zero pre-existing test failures introduced.

Added

  • ADR-036: .cleo/adrs/ADR-036-cleoos-database-topology.md (454 lines). Documents the 4-DB × 2-tier topology contract (project-tier: tasks.db, nexus.db; global-tier: brain.db, nexus.db), the walk-up scaffolding rule, VACUUM INTO backup mechanism with rotation policy, and forward references to T310 (Conduit + Signaldock separation) and T311 (cross-machine backup portability) (1f560327, +454 lines).

  • packages/core/src/paths.ts — walk-up getProjectRoot() rewrite (T301). Walks ancestor directories looking for .cleo/ or .git/, stops at first hit, never auto-creates nested .cleo/. CLEO_ROOT env variable overrides walk-up for CI / Docker. 13 new unit tests in paths-walkup.test.ts covering clean roots, nested dirs, symlinks, env override, and edge cases (30dde2ab, +105 LOC paths.ts, +305 LOC test).

  • packages/core/src/paths.ts — XDG comment fix (T303). Top-of-file comment updated to list per-OS resolution examples for Linux (~/.local/share/cleo), macOS (~/Library/Application Support/cleo), and Windows (%APPDATA%\cleo) so engineers can orient without reading XDG spec (b1323b70).

  • packages/core/src/store/cleanup-legacy.ts — idempotent legacy global file cleanup (T304). New detectAndRemoveLegacyGlobalFiles() detects and removes workspace.db and *-pre-cleo.db.bak files left over from pre-CLEO global paths. Wired into CLI startup via packages/cleo/src/cli/index.ts. 11 unit tests covering detection, removal, idempotency, and no-op when files are absent (bc0cfe50, +208 LOC cleanup-legacy.ts, +268 LOC test).

... (truncated)

Changelog

Sourced from @cleocode/lafs's changelog.

Changelog

All notable changes to the LAFS Protocol will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[2026.4.3] - 2026-04-06

Added

  • Native Rust validation via napi-rs: Schema validation now uses a Rust-native validator (lafs-napi crate) with compile-time embedded schema and OnceLock-cached compilation. Falls back to AJV when the native binary is unavailable.
  • crates/lafs-napi/: New napi-rs binding crate following the cant-napi pattern. Exposes lafsValidateEnvelope() returning structured errors matching StructuredValidationError.
  • ValidationErrorDetail in lafs-core: Pure Rust structured validation error type with AJV-compatible keyword names and params. Exhaustive ValidationErrorKind mapping for 25+ JSON Schema keywords.
  • native-loader.ts: Lazy native addon loader with @cleocode/lafs-native and development fallback paths.
  • isNativeAvailable() export: Runtime check for native binding availability.
  • Migration fixture: migrations/1.0.0-to-1.1.0.json for deprecation migration tests.

Changed

  • lafs-core is now a pure Rust library: Removed napi dependencies, changed crate-type to rlib only. napi exports moved to dedicated lafs-napi crate.
  • AJV initialization is now lazy: AJV is only loaded when the native binding is unavailable, reducing startup cost.
  • validate_envelope_json() returns structured errors: Replaced the old string-only error with ValidateEnvelopeError::SchemaErrors(Vec<ValidationErrorDetail>).
  • Upgraded napi-rs from alpha to stable: napi = "3" (was 3.0.0-alpha.26), napi-derive = "3" (was 3.0.0-alpha.22).

Fixed

  • Vitest config: Added packages/*/tests/**/*.test.ts to workspace include pattern so packages/lafs/tests/ are discoverable.
  • Test fixture paths: Resolved relative paths in 5 test files using import.meta.url for correct resolution from workspace root.
  • fieldExtraction test assertions: Fixed 4 tests that expected 'standard' default MVI but source correctly returns 'minimal'.

Commits
  • 1dfea61 chore(release): bump packages to 2026.4.11
  • 49f602e chore(repo): untrack nested package .cleo/ dirs (T302)
  • e78700d chore(release): bump packages to 2026.4.10
  • 54de969 chore(release): v2026.4.9 — fix build order, CI cold gate, root version SSoT
  • 992a5f6 chore(release): bump packages to 2026.4.8
  • 31be42b chore(release): bump packages to 2026.4.7
  • b71c77e chore(build): purge 1168 stale TS build artifacts + harden tsconfigs
  • b57eb74 feat(v2026.4.6): CleoOS — autonomous orchestration is now real
  • fe1b732 feat(v2026.4.5): Pi-as-primary harness — v3 architecture (BREAKING)
  • 68a1bd1 chore: bump all packages to v2026.4.4 + fix cant/runtime sigstore provenance
  • Additional commits viewable in compare view

Updates vite from 8.0.3 to 8.0.7

Release notes

Sourced from vite's releases.

v8.0.7

Please refer to CHANGELOG.md for details.

v8.0.6

Please refer to CHANGELOG.md for details.

v8.0.5

Please refer to CHANGELOG.md for details.

v8.0.4

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

8.0.7 (2026-04-07)

Bug Fixes

  • use sync dns.getDefaultResultOrder instead of dns.promises (#22185) (5c05b04)

8.0.6 (2026-04-07)

Features

Bug Fixes

Performance Improvements

  • early return in getLocalhostAddressIfDiffersFromDNS when DNS order is verbatim (#22151) (56ec256)

Miscellaneous Chores

8.0.5 (2026-04-06)

Bug Fixes

  • apply server.fs check to env transport (#22159) (f02d9fd)
  • avoid path traversal with optimize deps sourcemap handler (#22161) (79f002f)
  • check server.fs after stripping query as well (#22160) (a9a3df2)
  • disallow referencing files outside the package from sourcemap (#22158) (f05f501)

8.0.4 (2026-04-06)

Features

  • allow esbuild 0.28 as peer deps (#22155) (b0da973)
  • hmr: truncate list of files on hmr update (#21535) (d00e806)
  • optimizer: log when dependency scanning or bundling takes over 1s (#21797) (f61a1ab)

Bug Fixes

  • hasBothRollupOptionsAndRolldownOptions should return false for proxy case (#22043) (99897d2)
  • add types for vite/modulepreload-polyfill (#22126) (17330d2)
  • deps: update all non-major dependencies (#22073) (6daa10f)
  • deps: update all non-major dependencies (#22143) (22b0166)
  • resolve: resolve tsconfig paths starting with # (#22038) (3460fc5)
  • ssr: use browser platform for webworker SSR builds (fix #21969) (#21963) (364c227)

Documentation

... (truncated)

Commits
  • fdb2e6f release: v8.0.7
  • 5c05b04 fix: use sync dns.getDefaultResultOrder instead of dns.promises (#22185)
  • 7b3086f release: v8.0.6
  • af71fb2 chore: replace remaining prettier script (#22179)
  • 51d3e48 feat: update rolldown to 1.0.0-rc.13 (#22097)
  • 17a8f9e fix(optimize-deps): hoist CJS interop assignment (#22156)
  • d5081c2 fix(css): avoid mutating sass error multiple times (#22115)
  • 56ec256 perf: early return in getLocalhostAddressIfDiffersFromDNS when DNS order is...
  • bdc53ab chore(create-vite): remove unnecessary DOM.Iterable (#22168)
  • 1a12d4c release: v8.0.5
  • Additional commits viewable in compare view

Updates vitest from 4.1.2 to 4.1.3

Release notes

Sourced from vitest's releases.

v4.1.3

   🚀 Experimental Features

   🐞 Bug Fixes

Commits
  • 2dc0d62 chore: release v4.1.3
  • 7827363 feat: add experimental.preParse flag (#10070)
  • 691d341 fix(snapshot): export custom snapshot matcher helper from vitest (#10042)
  • 59b0e64 feat(experimental/snapshot): support custom snapshot matcher (#9973)
  • 487990a feat(experimental): support browser.locators.exact option (#10013)
  • 146d4f0 fix: add @vitest/coverage-v8 and @vitest/coverage-istanbul as optional de...
  • 3f5bfa3 fix: advance fake timers with expect.poll interval (#10022)
  • 9dbf477 fix(vm): fix external module resolve error with deps optimizer query (#10024)
  • ec20455 fix(expect): don't leak "runner" types (#10004)
  • 66751c9 fix(expect): remove JestExtendError.context from verbose error reporting (#...
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor-and-patch group with 3 updates: [@cleocode/lafs](https://github.com/kryptobaseddev/cleo/tree/HEAD/packages/lafs), [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest).


Updates `@cleocode/lafs` from 2026.4.0 to 2026.4.11
- [Release notes](https://github.com/kryptobaseddev/cleo/releases)
- [Changelog](https://github.com/kryptobaseddev/cleo/blob/main/packages/lafs/CHANGELOG.md)
- [Commits](https://github.com/kryptobaseddev/cleo/commits/v2026.4.11/packages/lafs)

Updates `vite` from 8.0.3 to 8.0.7
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.7/packages/vite)

Updates `vitest` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.3/packages/vitest)

---
updated-dependencies:
- dependency-name: "@cleocode/lafs"
  dependency-version: 2026.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vite
  dependency-version: 8.0.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: vitest
  dependency-version: 4.1.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Apr 8, 2026

dependabot[bot] requested a review from kryptobaseddev as a code owner on April 8, 2026 18:12