#252 fix(deps,stall): security vulns + stall-detector log correlation + dir-watch fix

[Anonymous]

Originally created by: kumaakh

Summary

Security fixes (#100)

• Ran npm audit fix to upgrade transitive dependencies (vite, picomatch, path-to-regexp, hono, express-rate-limit, @hono/node-server, postcss)
• Bumped uuid from ^11.0.0 to ^14.0.0 — direct production dependency; v4 API is compatible across all call sites
• 0 HIGH severity vulnerabilities remain; 3 MODERATE remain (ip-address via @modelcontextprotocol/sdk — unfixable without breaking SDK downgrade)

Version bump

• version.json: 0.1.9.0 → 0.1.9.1

Stall-detector dir-watch fix (src/tools/execute-prompt.ts)

• Added watcherSetupTime guard in onPidCaptured: captures Date.now() at pid-capture time; rejects any .jsonl file whose mtime <= watcherSetupTime
• Prevents false-positive stall log resolution when the LLM CLI touches old session files at startup
• Correctly handles Claude session resume (appends to existing file after watcherSetupTime → accepted)

Stall-detector LogScope refactor (src/services/stall/stall-detector.ts)

• _poll() now opens a LogScope('stall_poll_tick', ...) and calls scope.info()/scope.warn() for all per-member log entries
• All events in a single poll cycle share the same inv tag for visual correlation in logs
• stall_detected events emitted via scope.warn() rather than logLine()
• Tests: LogScope stub's warn is now a vi.fn() spy; assertions check mockScopeWarn via JSON parse

Fixes [#100]

Test plan

• [x] npm audit — 0 HIGH vulnerabilities
• [x] npm test — 73 test files, 1181 tests pass, 0 failures (verified by fleet-rev)
• [x] uuid v14 API compatibility confirmed
• [x] Stall-detector changes reviewed and approved by fleet-rev

🤖 Generated with Claude Code

[Anonymous]

Ticket changed by: kumaakh

• status: open --> closed