@lenne.tech/cli 1.31.0 → 1.32.0

package/build/commands/dev/up.js

@@ -124,9 +124,10 @@ const UpCommand = {
                 return 'dev up: slug in use by another checkout';
             }
         }
-        // Sanft auto-migrate sichere Operationen (ohne Code-Modifikation):
-        // CLAUDE.md-URL-Block einfügen + .gitignore ergänzen.
-        // Code-Patches (config.env.ts, nuxt.config.ts) bleiben explizit `lt dev init`.
+        // Auto-establish every prerequisite so the user never has to run `lt dev
+        // init` first: CLAUDE.md URL block (base only) + `.gitignore` + the code
+        // patches that make config.env.ts / nuxt.config.ts / playwright.config.ts
+        // honour the env `lt dev` injects (PORT, URLs).
         {
             // NEVER patch the git-tracked CLAUDE.md for a ticket worktree: it would
             // differ per worktree and risk committing ticket-specific URLs. The lt-dev
@@ -149,20 +150,34 @@ const UpCommand = {
                 info(colors.dim('added `.lt-dev/` to .gitignore'));
             }
         }
-        // Warnung bei Legacy-Code (hardcoded ports) — kein Auto-Patch.
+        // Self-heal legacy hardcoded ports instead of just warning. An unmigrated
+        // project hardcodes `port: 3000`/`3001` and ignores the injected `PORT`, so
+        // it binds the framework defaults and misses Caddy → the (ticket) URLs don't
+        // route and collide with parallel stacks. `autoPatch` is idempotent (no-op on
+        // an already-env-aware config) and only ever touches config.env.ts /
+        // nuxt.config.ts / playwright.config.ts — never CLAUDE.md — so it is safe in a
+        // ticket worktree. In a worktree these are uncommitted patches; `lt ticket
+        // stop` recognises a pristine lt-dev patch and tears down without `--force`.
         {
-            const legacyFiles = [];
+            const filesToPatch = [];
             if (layout.apiDir) {
-                const f = (0, dev_project_1.apiNeedsPortPatch)(layout.apiDir);
-                if (f)
-                    legacyFiles.push(f);
+                const apiCfg = (0, path_1.join)(layout.apiDir, 'src', 'config.env.ts');
+                if ((0, fs_1.existsSync)(apiCfg))
+                    filesToPatch.push(apiCfg);
             }
-            if (layout.appDir)
-                legacyFiles.push(...(0, dev_project_1.appNeedsPortPatch)(layout.appDir));
-            if (legacyFiles.length > 0) {
-                warning('Legacy hardcoded ports detected — Caddy will proxy correctly only after running `lt dev init`:');
-                legacyFiles.forEach((f) => info(colors.dim(`  - ${f}`)));
-                info(colors.dim('  (Continuing — env-aware files will work; legacy files may bind on 3000/3001 and miss Caddy.)'));
+            if (layout.appDir) {
+                for (const rel of ['nuxt.config.ts', 'playwright.config.ts']) {
+                    const f = (0, path_1.join)(layout.appDir, rel);
+                    if ((0, fs_1.existsSync)(f))
+                        filesToPatch.push(f);
+                }
+            }
+            const patched = filesToPatch.map((f) => (0, dev_patches_1.autoPatch)(f)).filter((r) => r.patched);
+            if (patched.length > 0) {
+                patched.forEach((r) => success(`patched ${r.replacements}× in ${r.file} (env-aware ports for lt dev)`));
+                if (ticket) {
+                    info(colors.dim('  (worktree config self-healed — auto-discarded on `lt ticket stop`, or commit it to migrate the project)'));
+                }
             }
         }
         // Load any existing session up-front. The "is it already running?" decision

package/build/commands/ticket/stop.js

@@ -116,13 +116,15 @@ const StopCommand = {
             }
         }
         // 3. Remove the worktree (branch is kept). Auto-force when the ONLY dirty
-        //    files are framework-generated (e.g. `nuxt dev` rewrites the tracked
-        //    `.nuxtrc` on boot), which would otherwise block the remove — but NEVER
+        //    files are auto-discardable — framework-generated (e.g. `nuxt dev`
+        //    rewrites the tracked `.nuxtrc` on boot) OR pristine lt-dev self-heal
+        //    patches (config.env.ts/nuxt.config.ts/playwright.config.ts that
+        //    `lt dev up` env-aware'd) — which would otherwise block the remove. NEVER
         //    discard real source edits (those keep the non-forced remove, which
         //    errors with a hint so unsaved work is never lost).
-        const force = parameters.options.force === true || (0, dev_ticket_1.worktreeDirtyOnlyGenerated)(wt.path);
+        const force = parameters.options.force === true || (0, dev_ticket_1.worktreeDirtyOnlyAutoDiscardable)(wt.path);
         if (force && parameters.options.force !== true) {
-            info(colors.dim('  (worktree had only generated files dirty, e.g. .nuxtrc — removing)'));
+            info(colors.dim('  (worktree had only generated / lt-dev-patched files dirty — removing)'));
         }
         try {
             (0, dev_ticket_1.worktreeRemove)(mainRepoRoot, wt.path, force);

package/build/lib/dev-identity.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildIdentity = buildIdentity;
 exports.buildTestIdentity = buildTestIdentity;
 exports.buildTicketIdentity = buildTicketIdentity;
+exports.isUnmodifiedTemplateName = isUnmodifiedTemplateName;
 exports.projectSlug = projectSlug;
 exports.slugify = slugify;
 /**
@@ -19,6 +20,7 @@ exports.slugify = slugify;
  * The internal port behind each subdomain is opaque — Caddy proxies
  * arbitrary local ports. Developers and Claude only ever see the URL.
  */
+const child_process_1 = require("child_process");
 const fs_1 = require("fs");
 const path_1 = require("path");
 /**
@@ -104,13 +106,44 @@ function buildTicketIdentity(base, id) {
     return buildTestIdentity(base, `-${id}`);
 }
 /**
- * Read the bare project name from package.json (scope stripped).
- * Falls back to directory basename if no package.json or no `name`.
+ * package.json `name` values that are unchanged starter-template defaults.
+ *
+ * A project scaffolded by cloning a template (`git clone lenneTech/lt-monorepo
+ * my-project`) instead of running `lt fullstack init`, or one that predates the
+ * rename-on-init logic, keeps the template's default `name`. That value is not
+ * project-identifying, so {@link projectSlug} ignores it and falls back to the
+ * project directory name; `renameUnmodifiedTemplatePackage` (in package-name.ts)
+ * rewrites the field on the next `lt dev init`.
+ */
+const UNMODIFIED_TEMPLATE_NAMES = new Set(['lt-monorepo']);
+/**
+ * True when `name` matches a known unmodified starter-template default.
+ *
+ * Such names (e.g. `lt-monorepo`) are NOT project-identifying — see
+ * {@link UNMODIFIED_TEMPLATE_NAMES} — so {@link projectSlug} ignores them and
+ * derives the slug from the project directory instead.
+ */
+function isUnmodifiedTemplateName(name) {
+    return typeof name === 'string' && UNMODIFIED_TEMPLATE_NAMES.has(name);
+}
+/**
+ * Read the bare project name from package.json (scope stripped) and slugify it.
+ *
+ * Falls back to the PROJECT directory name when there is no usable name — i.e.
+ * no package.json, no `name`, or an unmodified starter-template default (e.g.
+ * `lt-monorepo`, left over from a project scaffolded before rename-on-init
+ * existed). The fallback is anchored on the MAIN git worktree, so a linked
+ * `lt ticket` worktree (`imo-2314/`) inherits the base project name (`imo`)
+ * rather than slugging to its own folder — otherwise {@link buildTicketIdentity}
+ * would double-suffix it to `imo-2314-2314`.
  */
 function projectSlug(root) {
+    var _a;
     const fromPkg = readPackageName(root);
-    const raw = fromPkg || (0, path_1.basename)(root);
-    return slugify(raw);
+    if (fromPkg && !isUnmodifiedTemplateName(fromPkg)) {
+        return slugify(fromPkg);
+    }
+    return slugify((0, path_1.basename)((_a = mainWorktreeDir(root)) !== null && _a !== void 0 ? _a : root));
 }
 /** Lowercase, alphanumerics + dashes only, trimmed dashes. */
 function slugify(input) {
@@ -119,6 +152,28 @@ function slugify(input) {
         .replace(/[^a-z0-9]+/g, '-')
         .replace(/^-+|-+$/g, '');
 }
+/**
+ * Best-effort directory of the MAIN git worktree containing `root`.
+ *
+ * For a linked worktree (e.g. an `lt ticket` worktree `imo-2314/`) this resolves
+ * to the primary checkout (`imo/`), NOT the worktree folder: `--git-common-dir`
+ * is the shared `.git`, identical for every worktree, and its parent is the main
+ * repo root. Used only by {@link projectSlug}'s fallback so every worktree
+ * inherits the same base project name. Returns null when `root` is outside a git
+ * repo or git is unavailable.
+ */
+function mainWorktreeDir(root) {
+    try {
+        const commonDir = (0, child_process_1.execFileSync)('git', ['-C', root, 'rev-parse', '--path-format=absolute', '--git-common-dir'], {
+            encoding: 'utf8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        }).trim();
+        return commonDir ? (0, path_1.dirname)(commonDir) : null;
+    }
+    catch (_a) {
+        return null;
+    }
+}
 /** Read `name` from package.json, scope-stripped (e.g. `@lenne.tech/foo` → `foo`). */
 function readPackageName(dir) {
     const pkgPath = (0, path_1.join)(dir, 'package.json');

package/build/lib/dev-test-session.js

@@ -47,6 +47,7 @@ const caddy_1 = require("./caddy");
 const dev_env_1 = require("./dev-env");
 const dev_env_bridge_1 = require("./dev-env-bridge");
 const dev_identity_1 = require("./dev-identity");
+const dev_patches_1 = require("./dev-patches");
 const dev_process_1 = require("./dev-process");
 const dev_project_1 = require("./dev-project");
 const dev_state_1 = require("./dev-state");
@@ -96,6 +97,31 @@ function bringUpTestSession(layout_1, baseIdentity_1, log_1) {
         const { dbName, testIdentity } = resolveTestSession(layout, baseIdentity, shardIndex, devDbName);
         // Always start from a clean slate — reclaim a stale/crashed test session.
         yield tearDownTestSession(layout, baseIdentity, log, { shardIndex, silent: true });
+        // Self-heal legacy hardcoded ports BEFORE the build below — the test API runs
+        // COMPILED (`node dist/...`), so config.env.ts must already honour the injected
+        // `PORT` or the compiled bundle binds 3000 and misses Caddy. Belt-and-suspenders
+        // for a project that never ran `lt dev up` first; idempotent and only ever
+        // touches the three configs (never CLAUDE.md), so it is ticket-safe. Mirrors the
+        // self-heal in `lt dev up` (see commands/dev/up.ts).
+        {
+            const filesToPatch = [];
+            if (layout.apiDir) {
+                const apiCfg = (0, path_1.join)(layout.apiDir, 'src', 'config.env.ts');
+                if ((0, fs_1.existsSync)(apiCfg))
+                    filesToPatch.push(apiCfg);
+            }
+            if (layout.appDir) {
+                for (const rel of ['nuxt.config.ts', 'playwright.config.ts']) {
+                    const f = (0, path_1.join)(layout.appDir, rel);
+                    if ((0, fs_1.existsSync)(f))
+                        filesToPatch.push(f);
+                }
+            }
+            for (const r of filesToPatch.map((f) => (0, dev_patches_1.autoPatch)(f))) {
+                if (r.patched)
+                    log.info(`patched ${r.replacements}× in ${r.file} (env-aware ports for lt dev test)`);
+            }
+        }
         // Allocate internal ports AND reserve them in the registry ATOMICALLY, under a
         // cross-process lock — so two parallel `lt dev test` runs (different ticket
         // worktrees) can never read the registry, pick the same free ports, and both

package/build/lib/dev-ticket.js

@@ -13,6 +13,7 @@ exports.pnpmInstall = pnpmInstall;
 exports.readTicketMarker = readTicketMarker;
 exports.resolveDevIdentity = resolveDevIdentity;
 exports.worktreeAdd = worktreeAdd;
+exports.worktreeDirtyOnlyAutoDiscardable = worktreeDirtyOnlyAutoDiscardable;
 exports.worktreeDirtyOnlyGenerated = worktreeDirtyOnlyGenerated;
 exports.worktreePathFor = worktreePathFor;
 exports.worktreeRemove = worktreeRemove;
@@ -39,8 +40,10 @@ exports.writeTicketMarker = writeTicketMarker;
  */
 const child_process_1 = require("child_process");
 const fs_1 = require("fs");
+const os_1 = require("os");
 const path_1 = require("path");
 const dev_identity_1 = require("./dev-identity");
+const dev_patches_1 = require("./dev-patches");
 const dev_project_1 = require("./dev-project");
 const dev_state_1 = require("./dev-state");
 /** Marker file (under `.lt-dev/`) that tags a worktree with its ticket id. */
@@ -261,6 +264,19 @@ function worktreeAdd(repoDir, worktreePath, branch, baseRef) {
 }
 /** Framework-generated / ephemeral paths a dev/build run dirties (never real work). */
 const GENERATED_PATHS = /(^|\/)(\.nuxtrc|\.nuxt|\.nitro|\.output|dist|\.turbo|\.cache|\.eslintcache)(\/|$)|\.tsbuildinfo$/;
+/** The three git-tracked configs `lt dev up` self-heals to be env-aware. */
+const LT_DEV_MANAGED_CONFIG = /(?:^|\/)(?:config\.env\.ts|nuxt\.config\.ts|playwright\.config\.ts)$/;
+/**
+ * True when a worktree has uncommitted changes AND every one is auto-discardable
+ * (framework-generated OR a pristine lt-dev self-heal patch). Lets `lt ticket
+ * stop` force-remove a provisioning-only worktree — e.g. an unmigrated project
+ * whose configs `lt dev up` env-aware'd — without `--force` and without ever
+ * discarding real developer work.
+ */
+function worktreeDirtyOnlyAutoDiscardable(worktreePath) {
+    const { autoDiscardable, realDirty } = classifyWorktreeDirt(worktreePath);
+    return realDirty.length === 0 && autoDiscardable.length > 0;
+}
 /**
  * True ONLY when a worktree has uncommitted changes AND every one is a
  * framework-generated / ephemeral file (`.nuxtrc`, `.nuxt`, `.output`, …).
@@ -268,14 +284,7 @@ const GENERATED_PATHS = /(^|\/)(\.nuxtrc|\.nuxt|\.nitro|\.output|dist|\.turbo|\.
  * `git worktree remove`; this lets `lt ticket stop` auto-clean those safely.
  */
 function worktreeDirtyOnlyGenerated(worktreePath) {
-    let out = '';
-    try {
-        out = git(worktreePath, ['status', '--porcelain', '--untracked-files=all']);
-    }
-    catch (_a) {
-        return false;
-    }
-    const lines = out.split(/\r?\n/).filter((l) => l.trim());
+    const lines = gitStatusPorcelain(worktreePath);
     if (lines.length === 0)
         return false; // clean → no force needed
     return lines.every((line) => GENERATED_PATHS.test(porcelainPath(line)));
@@ -301,25 +310,19 @@ function worktreeRemove(repoDir, worktreePath, force = false) {
  * the branch not on any remote (the branch is kept on stop, but local-only).
  */
 function worktreeSafetyReport(worktreePath) {
-    let status = '';
-    try {
-        status = git(worktreePath, ['status', '--porcelain', '--untracked-files=all']);
-    }
-    catch (_a) {
-        return { dirtySource: [], unpushed: 0 };
-    }
-    const dirtySource = status
-        .split(/\r?\n/)
-        .filter((l) => l.trim())
-        .filter((l) => !GENERATED_PATHS.test(porcelainPath(l)));
+    // Only REAL developer work counts as dirtySource — framework-generated files
+    // AND pristine lt-dev self-heal patches (config.env.ts/nuxt.config.ts/
+    // playwright.config.ts that `lt dev up` env-aware'd) are auto-discardable, so
+    // `lt ticket stop` never refuses over them.
+    const { realDirty } = classifyWorktreeDirt(worktreePath);
     let unpushed = 0;
     try {
         unpushed = Number(git(worktreePath, ['rev-list', '--count', 'HEAD', '--not', '--remotes'])) || 0;
     }
-    catch (_b) {
+    catch (_a) {
         /* no remotes / detached HEAD → cannot determine; treat as 0 */
     }
-    return { dirtySource, unpushed };
+    return { dirtySource: realDirty, unpushed };
 }
 /** Write the ticket marker that tags a worktree (created by `lt ticket start`). */
 function writeTicketMarker(root, id) {
@@ -327,6 +330,24 @@ function writeTicketMarker(root, id) {
     (0, fs_1.mkdirSync)(dir, { recursive: true });
     (0, fs_1.writeFileSync)((0, path_1.join)(dir, TICKET_MARKER), `${id}\n`, 'utf8');
 }
+/**
+ * Split a worktree's uncommitted changes into "auto-discardable" (framework-
+ * generated files + pristine lt-dev self-heal patches) and "real" developer work.
+ * `lt ticket stop` may force-remove a worktree whose changes are ALL
+ * auto-discardable; anything in `realDirty` blocks removal (work could be lost).
+ */
+function classifyWorktreeDirt(worktreePath) {
+    const autoDiscardable = [];
+    const realDirty = [];
+    for (const line of gitStatusPorcelain(worktreePath)) {
+        const p = porcelainPath(line);
+        if (GENERATED_PATHS.test(p) || isPristineLtDevPatch(worktreePath, p))
+            autoDiscardable.push(p);
+        else
+            realDirty.push(p);
+    }
+    return { autoDiscardable, realDirty };
+}
 function finalizeWorktree(partial) {
     var _a, _b;
     const path = (_a = partial.path) !== null && _a !== void 0 ? _a : '';
@@ -336,6 +357,73 @@ function finalizeWorktree(partial) {
 function git(cwd, args) {
     return (0, child_process_1.execFileSync)('git', args, { cwd, encoding: 'utf8' }).trim();
 }
+/**
+ * `git status --porcelain` lines, each kept VERBATIM (not trimmed).
+ *
+ * Crucial: a tracked-but-modified file's porcelain prefix begins with a space
+ * (` M path`), so trimming the blob (as the generic `git()` helper does) would
+ * eat that leading space and shift `porcelainPath`'s `slice(3)` by one,
+ * corrupting the path (`projects/…` → `rojects/…`). Returns [] on error.
+ */
+function gitStatusPorcelain(cwd) {
+    let out = '';
+    try {
+        out = (0, child_process_1.execFileSync)('git', ['-C', cwd, 'status', '--porcelain', '--untracked-files=all'], { encoding: 'utf8' });
+    }
+    catch (_a) {
+        return [];
+    }
+    return out.split(/\r?\n/).filter((l) => l.trim() !== '');
+}
+/**
+ * True when the dirty tracked file at `relPath` (relative to the worktree root)
+ * differs from its committed (HEAD) version by EXACTLY the lt-dev self-heal
+ * patch — i.e. `lt dev up` env-aware'd a legacy config and the developer made no
+ * other edit. Verified by re-deriving: apply the same `autoPatch` to the HEAD
+ * blob and compare to the working-tree content. Any extra developer edit makes
+ * the two differ → treated as real work (never auto-discarded).
+ *
+ * Only the three lt-dev-managed configs qualify; everything else returns false.
+ */
+function isPristineLtDevPatch(worktreePath, relPath) {
+    if (!LT_DEV_MANAGED_CONFIG.test(relPath))
+        return false;
+    let head;
+    try {
+        // NOT the trimming `git()` helper — the trailing newline must survive so the
+        // comparison against the (untrimmed) working-tree content is exact.
+        head = (0, child_process_1.execFileSync)('git', ['-C', worktreePath, 'show', `HEAD:${relPath}`], { encoding: 'utf8' });
+    }
+    catch (_a) {
+        return false; // not tracked at HEAD (e.g. a brand-new file) → never auto-discard
+    }
+    let current;
+    try {
+        current = (0, fs_1.readFileSync)((0, path_1.join)(worktreePath, relPath), 'utf8');
+    }
+    catch (_b) {
+        return false;
+    }
+    // Re-derive what `lt dev up`'s autoPatch produced from the HEAD blob. autoPatch
+    // dispatches by filename suffix, so the temp file must keep the basename.
+    const tmp = (0, path_1.join)((0, os_1.tmpdir)(), `lt-dev-verify-${process.pid}-${(0, path_1.basename)(relPath)}`);
+    try {
+        (0, fs_1.writeFileSync)(tmp, head, 'utf8');
+        (0, dev_patches_1.autoPatch)(tmp);
+        return (0, fs_1.readFileSync)(tmp, 'utf8') === current;
+    }
+    catch (_c) {
+        return false;
+    }
+    finally {
+        try {
+            (0, fs_1.unlinkSync)(tmp);
+        }
+        catch (_d) {
+            /* best-effort cleanup */
+        }
+    }
+}
 /** Path from a `git status --porcelain` line ("XY <path>" / "XY <old> -> <new>"). */
 function porcelainPath(line) {
     var _a;

package/build/lib/package-name.js

@@ -1,29 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.isUnmodifiedTemplateName = isUnmodifiedTemplateName;
+exports.isUnmodifiedTemplateName = void 0;
 exports.renameUnmodifiedTemplatePackage = renameUnmodifiedTemplatePackage;
 exports.setPackageName = setPackageName;
 const path_1 = require("path");
 const dev_identity_1 = require("./dev-identity");
-/**
- * package.json `name` values that are unchanged starter-template defaults.
- *
- * When a user clones a template manually (`git clone lenneTech/lt-monorepo
- * my-project`) instead of running `lt fullstack init`, the `name` field
- * stays at the template's default. That field is what
- * `dev-identity#projectSlug` reads to derive `<slug>.localhost`, so every
- * cloned project would collide on `https://lt-monorepo.localhost`.
- *
- * `lt fullstack init` rewrites this field already (see `setPackageName`);
- * the detection here is the safety net for projects that bypassed init.
- */
-const UNMODIFIED_TEMPLATE_NAMES = new Set(['lt-monorepo']);
-/**
- * True when `name` matches a known unmodified starter template default.
- */
-function isUnmodifiedTemplateName(name) {
-    return typeof name === 'string' && UNMODIFIED_TEMPLATE_NAMES.has(name);
-}
+// `isUnmodifiedTemplateName` and the template-name detection now live in
+// `dev-identity.ts` (the slug owner — `projectSlug` needs the same check to
+// ignore an unmodified `lt-monorepo` name). Re-exported here so existing
+// importers / tests of the package-name surface keep working unchanged.
+var dev_identity_2 = require("./dev-identity");
+Object.defineProperty(exports, "isUnmodifiedTemplateName", { enumerable: true, get: function () { return dev_identity_2.isUnmodifiedTemplateName; } });
 /**
  * If the package.json at `<projectRoot>/package.json` still carries an
  * unmodified starter-template `name` (e.g. `lt-monorepo` from a raw
@@ -47,7 +34,7 @@ function renameUnmodifiedTemplatePackage(options) {
     if (!pkg || typeof pkg !== 'object' || Array.isArray(pkg))
         return null;
     const currentName = typeof pkg.name === 'string' ? pkg.name : null;
-    if (!isUnmodifiedTemplateName(currentName))
+    if (!(0, dev_identity_1.isUnmodifiedTemplateName)(currentName))
         return null;
     // Slugify the directory basename: npm names must be lowercase and
     // URL-safe, and this keeps the rewritten value consistent with what
@@ -56,7 +43,7 @@ function renameUnmodifiedTemplatePackage(options) {
     // back). Anything else would produce a slug mismatch between
     // package.json and `<slug>.localhost`.
     const derived = (0, dev_identity_1.slugify)((0, path_1.basename)(projectRoot));
-    if (!derived || isUnmodifiedTemplateName(derived))
+    if (!derived || (0, dev_identity_1.isUnmodifiedTemplateName)(derived))
         return null;
     const written = setPackageName({ filesystem, name: derived, packageJsonPath });
     return written ? derived : null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/cli",
-  "version": "1.31.0",
+  "version": "1.32.0",
   "description": "lenne.Tech CLI: lt",
   "keywords": [
     "lenne.Tech",
@@ -20,7 +20,8 @@
   "scripts": {
     "c": "npm run check",
     "cf": "npm run check:fix",
-    "check": "npm install && npm run format && npm run build && npm run check:start",
+    "check": "bash scripts/check.sh",
+    "check:audit": "bash scripts/check.sh --audit-only",
     "check:fix": "npm install && npm audit fix && npm run format && npm run lint:fix && npm run build && npm run check:start",
     "check:start": "bash scripts/check-cli-start.sh",
     "postinstall": "node bin/postinstall.js 2>/dev/null || true",
@@ -68,7 +69,7 @@
     "glob": "13.0.6",
     "gluegun": "5.2.2",
     "js-sha256": "0.11.1",
-    "js-yaml": "4.1.1",
+    "js-yaml": "4.2.0",
     "jsdom": "29.1.1",
     "lodash": "4.18.1",
     "open": "11.0.0",
@@ -100,10 +101,16 @@
   },
   "//overrides": {
     "brace-expansion@5.0.2 - 5.0.5": "Security fix: GHSA-jxxr-4gwj-5jf2 (large numeric range defeats max DoS protection) in brace-expansion 5.0.2-5.0.5 - transitive via minimatch under glob, @ts-morph/common, @typescript-eslint/typescript-estree. Remove once those parents resolve minimatch to a brace-expansion >=5.0.6.",
-    "semver@*": "Force latest semver 7.x across all sub-deps; gluegun@5.2.2 pins semver@7.7.0 which is stale - remove once gluegun updates its dep."
+    "semver@*": "Force latest semver 7.x across all sub-deps; gluegun@5.2.2 pins semver@7.7.0 which is stale - remove once gluegun updates its dep.",
+    "js-yaml": "Security fix: GHSA-h67p-54hq-rp68 (quadratic-complexity DoS in merge-key handling) in js-yaml <=4.1.1. Forces 4.2.0 everywhere, incl. the 3.14.2 pulled transitively by @istanbuljs/load-nyc-config under babel-plugin-istanbul (jest coverage); that loader only runs js-yaml when reading a YAML nyc config, which this project does not use. Remove once the jest toolchain resolves js-yaml >=4.2.0 itself.",
+    "form-data": "Security fix: GHSA-hmw2-7cc7-3qxx (CRLF injection via unescaped multipart field names) in form-data 4.0.0-4.0.5 - transitive via axios. Remove once axios pins form-data >=4.0.6.",
+    "@babel/core": "Security fix: GHSA-4x5r-pxfx-6jf8 (arbitrary file read via sourceMappingURL) in @babel/core <=7.29.0 - transitive via the jest toolchain. Remove once jest resolves @babel/core >=7.29.6."
   },
   "overrides": {
+    "@babel/core": "7.29.7",
     "brace-expansion@5.0.2 - 5.0.5": "5.0.6",
+    "form-data": "4.0.6",
+    "js-yaml": "4.2.0",
     "semver@*": "7.8.1"
   },
   "jest": {