chore(deps): aggregate weekly Dependabot batch (api, ui, docs, ci)

[agjs]

Consolidates the 21 open Dependabot PRs (#226–#246) into a single PR. All bumps are minor/patch. Lockfiles regenerated in all three workspaces; full verification run locally.

Bumps

apps/api

• @anthropic-ai/sdk 0.104.1 → 0.105.0, openai 6.42.0 → 6.44.0 (ai group, chore(deps)(deps): bump the ai group in /apps/api with 2 updates #241)
• @opentelemetry/sdk-node 0.218.0 → 0.219.0 (chore(deps)(deps): bump @opentelemetry/sdk-node from 0.218.0 to 0.219.0 in /apps/api #243)
• @sentry/bun 10.57.0 → 10.59.0 (chore(deps)(deps): bump @sentry/bun from 10.57.0 to 10.59.0 in /apps/api in the observability group #240)
• bullmq 5.78.1 → 5.79.1 (chore(deps)(deps): bump bullmq from 5.78.1 to 5.79.1 in /apps/api in the bullmq group #231) — still pins ioredis 5.10.1; the ioredis: 5.11.1 override collapses it (single copy verified, no nested 5.10.1)
• elysia 1.4.28 → 1.4.29 (chore(deps)(deps): bump elysia from 1.4.28 to 1.4.29 in /apps/api in the elysia group #228)
• resend 6.12.4 → 6.14.0 (chore(deps)(deps): bump resend from 6.12.4 to 6.14.0 in /apps/api in the email group #236), stripe 22.2.1 → 22.2.2 (chore(deps)(deps): bump stripe from 22.2.1 to 22.2.2 in /apps/api in the stripe group #235)
• eslint-plugin-sonarjs 4.0.3 → 4.1.0, eslint-plugin-unicorn 67 → 68 (lint group, chore(deps)(deps-dev): bump the lint group in /apps/api with 2 updates #238)

apps/ui

• react-hook-form 7.79.0 → 7.80.0 (chore(deps)(deps): bump react-hook-form from 7.79.0 to 7.80.0 in /apps/ui #246), react-router-dom 7.17.0 → 7.18.0 (chore(deps)(deps): bump react-router-dom from 7.17.0 to 7.18.0 in /apps/ui in the react group #227)
• zustand 5.0.13 → 5.0.14 (chore(deps)(deps): bump zustand from 5.0.13 to 5.0.14 in /apps/ui #245), @sentry/react 10.57.0 → 10.59.0 (chore(deps)(deps): bump @sentry/react from 10.57.0 to 10.59.0 in /apps/ui in the observability group #244)
• lucide-react 1.20.0 → 1.21.0 (chore(deps)(deps): bump lucide-react from 1.20.0 to 1.21.0 in /apps/ui in the tailwind-shadcn group #239)
• storybook + addon-a11y / addon-themes / react-vite 10.4.4 → 10.4.6 (storybook group, chore(deps)(deps-dev): bump the storybook group in /apps/ui with 4 updates #237)
• @playwright/test 1.60.0 → 1.61.0, vitest + @vitest/coverage-v8 4.1.8 → 4.1.9 (testing group, chore(deps)(deps-dev): bump the testing group in /apps/ui with 3 updates #233)
• eslint-plugin-sonarjs 4.0.3 → 4.1.0, eslint-plugin-unicorn 67 → 68 (lint group, chore(deps)(deps-dev): bump the lint group in /apps/ui with 2 updates #242)

apps/docs

• astro 6.4.6 → 6.4.8 (chore(deps)(deps): bump astro from 6.4.8 to 7.0.0 in /apps/docs #230) — still pins @astrojs/markdown-remark 7.2.0; override comment refreshed
• astro-mermaid 2.0.1 → 2.0.4 (chore(deps)(deps): bump astro-mermaid from 2.0.1 to 2.0.4 in /apps/docs #234), sharp 0.35.1 → 0.35.2 (chore(deps)(deps): bump sharp from 0.35.1 to 0.35.2 in /apps/docs #232)
• wrangler 4.100.0 → 4.103.0 (chore(deps)(deps-dev): bump wrangler from 4.100.0 to 4.103.0 in /apps/docs #226)

ci

• actions/cache 5.0.5 → 6.1.0 across 8 workflows (chore(ci): bump actions/cache from 5.0.5 to 6.1.0 #229)

Verification

• apps/api: bun run check clean, 1188 tests pass (1 skip, 0 fail) incl. Redis/BullMQ/valkey integration
• apps/ui: bun run check clean, 656 tests pass
• apps/docs: build:ci clean (astro 6.4.8 builds, markdown-remark override holds, fragments + rendered-markdown checks pass)
• bun install --frozen-lockfile clean (CI condition)
• Pre-push gates green (gitleaks, semgrep, osv-scanner, shellcheck, yamllint)

Note

Second commit adds a narrow gitleaks path allowlist for .tsforge/scaffold-manifest.json (added in #224) — a config manifest declaring required env-var names with no secret values. Pre-existing generic-api-key false positive; this is the first local push since #224 merged, so it surfaced on the push gate.

Closes #226, #227, #228, #229, #230, #231, #232, #233, #234, #235, #236, #237, #238, #239, #240, #241, #242, #243, #244, #245, #246