chore(deps): patch js-yaml lockfiles #672

Merged
santoshkumarradha merged 1 commit into main from automation/js-yaml-lockfile-remediation-20260616 on Jun 17, 2026

Conversation

@santoshkumarradha
Member

Summary

  • pin js-yaml to 4.2.0 in the embedded client overrides so the pnpm lock stops resolving the vulnerable 4.1.1 path behind eslint
  • pin js-yaml to 4.2.0 in the Mastra benchmark example so its transitive gray-matter lock entry no longer resolves vulnerable 3.x
  • refresh the affected lockfiles only

Validation

  • cd control-plane/web/client && pnpm install --frozen-lockfile
  • cd control-plane/web/client && pnpm why js-yaml
  • cd examples/benchmarks/100k-scale/mastra-bench && npm ci --ignore-scripts
  • cd examples/benchmarks/100k-scale/mastra-bench && npm run benchmark -- --json --iterations=1 --warmup=0

Notes

  • cd control-plane/web/client && pnpm test still fails on main because workflow components import date-fns, which is not present in the package graph. This is unrelated to the lockfile-only js-yaml remediation.
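The PR body describes the remediation (pin js-yaml to 4.2.0 via package.json overrides, then refresh the lockfiles) and validates it by hand with pnpm why / npm ci. The script below is an added example, not code from this PR or the project: it performs the same check mechanically by scanning an npm package-lock.json and a pnpm-lock.yaml for any js-yaml entry resolving below the 4.2.0 floor (including nested copies such as the one gray-matter drags in), and it emits the package.json pin for either manager. The two embedded lockfile excerpts are constructed samples; the pnpm lock key layout matched by the regex, and the assumption that "embedded client overrides" maps to the pnpm.overrides key in package.json, are assumptions of this example.

```python
"""Added example (not part of PR #672 or the project): flag js-yaml lock entries
below the pinned floor and generate the package.json override that fixes them.
Assumptions: floor 4.2.0 is from the PR; lock excerpts and the pnpm key layout
matched below are constructed for illustration."""
import json
import re
from typing import Dict, List, Tuple

JS_YAML_FLOOR = (4, 2, 0)  # pin from the PR: js-yaml >= 4.2.0 everywhere

# Constructed sample: trimmed package-lock.json (lockfileVersion 3) where the root
# resolves js-yaml 4.2.0 but gray-matter still nests its own 3.x copy.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "mastra-bench-sample",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"gray-matter": "^4.0.3", "js-yaml": "4.2.0"}},
        "node_modules/js-yaml": {"version": "4.2.0"},
        "node_modules/gray-matter": {"version": "4.0.3",
                                     "dependencies": {"js-yaml": "^3.13.1"}},
        "node_modules/gray-matter/node_modules/js-yaml": {"version": "3.14.1"},
    },
})

# Constructed sample: pnpm-lock.yaml excerpt where eslint still resolves 4.1.1.
SAMPLE_PNPM_LOCK = """\
lockfileVersion: '9.0'
packages:
  eslint@9.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  js-yaml@4.1.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  js-yaml@4.2.0:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  eslint@9.0.0:
    dependencies:
      js-yaml: 4.1.1
"""


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; any pre-release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def js_yaml_versions_in_package_lock(text: str) -> Dict[str, str]:
    """Map every js-yaml entry in an npm lock (top-level and nested) to its version."""
    lock = json.loads(text)
    found: Dict[str, str] = {}
    for path, entry in lock.get("packages", {}).items():
        # nested copies live at .../node_modules/js-yaml; the "" key is the project root
        if path.split("node_modules/")[-1] == "js-yaml" and "version" in entry:
            found[path] = entry["version"]
    return found


def js_yaml_versions_in_pnpm_lock(text: str) -> Dict[str, str]:
    """Map js-yaml keys in the packages: section of a pnpm lock to their versions."""
    found: Dict[str, str] = {}
    # matches both 'js-yaml@4.1.1:' (v9 layout) and '/js-yaml@4.1.1:' (older layout)
    for m in re.finditer(r"^\s*(/?js-yaml@(\d+\.\d+\.\d+)[^:\s]*):", text, re.M):
        found[m.group(1)] = m.group(2)
    return found


def vulnerable_entries(found: Dict[str, str],
                       floor: Tuple[int, int, int] = JS_YAML_FLOOR) -> List[Tuple[str, str]]:
    """Entries whose resolved version is below the floor, sorted by lock key."""
    return sorted((k, v) for k, v in found.items() if parse_version(v) < floor)


def audit(package_lock_text: str, pnpm_lock_text: str) -> List[Tuple[str, str, str]]:
    """Findings as (manager, lock key, version); an empty list means both locks are clean."""
    npm_hits = vulnerable_entries(js_yaml_versions_in_package_lock(package_lock_text))
    pnpm_hits = vulnerable_entries(js_yaml_versions_in_pnpm_lock(pnpm_lock_text))
    return [("npm", k, v) for k, v in npm_hits] + [("pnpm", k, v) for k, v in pnpm_hits]


def add_js_yaml_override(package_json_text: str, manager: str, version: str = "4.2.0") -> str:
    """Return package.json text carrying the pin that forces transitive js-yaml to `version`.
    npm reads a top-level "overrides" map; pnpm reads "pnpm": {"overrides": ...}.
    Re-running npm install / pnpm install afterwards refreshes the lockfile."""
    pkg = json.loads(package_json_text)
    if manager == "npm":
        pkg.setdefault("overrides", {})["js-yaml"] = version
    elif manager == "pnpm":
        pkg.setdefault("pnpm", {}).setdefault("overrides", {})["js-yaml"] = version
    else:
        raise ValueError(f"unsupported package manager: {manager}")
    return json.dumps(pkg, indent=2) + "\n"


if __name__ == "__main__":
    for manager, key, version in audit(SAMPLE_PACKAGE_LOCK, SAMPLE_PNPM_LOCK):
        print(f"{manager}: {key} resolves js-yaml {version} (below 4.2.0)")
    print(add_js_yaml_override('{"name": "mastra-bench-sample"}', "npm"))
```

Run against the real lockfiles after the override is in place and the install refreshed; an empty finding list is the machine-checkable equivalent of the pnpm why step in the Validation list, and it also catches the nested gray-matter copy that a top-level version check would miss.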

santoshkumarradha requested review from a team and AbirAbbas as code owners on June 16, 2026 13:05
santoshkumarradha added the labels codex, dependencies (Pull requests that update a dependency file) and security (Security vulnerability) on Jun 16, 2026
@github-actions
Contributor

📊 Coverage gate

Thresholds from .coverage-gate.toml: per-surface ≥ 84%, aggregate ≥ 85%, max per-surface regression ≤ 1.0 pp, max aggregate regression ≤ 0.50 pp.

Surface         Current   Baseline   Δ
control-plane   87.10%    87.40%     ↓ -0.30 pp  🟡
sdk-go          91.80%    92.00%     ↓ -0.20 pp  🟢
sdk-python      93.73%    93.73%     ↑ +0.00 pp  🟢
sdk-typescript  90.31%    90.42%     ↓ -0.11 pp  🟢
web-ui          84.83%    84.79%     ↑ +0.04 pp  🟡
aggregate       85.67%    85.75%     ↓ -0.08 pp  🟡

✅ Gate passed

No surface regressed past the allowed threshold and the aggregate stayed above the floor.

@github-actions
Contributor

📐 Patch coverage gate

Threshold: 80% on lines this PR touches vs origin/main (from .coverage-gate.toml:thresholds.min_patch).

Surface         Touched lines   Patch coverage   Status
control-plane   0               ➖               no changes
sdk-go          0               ➖               no changes
sdk-python      0               ➖               no changes
sdk-typescript  0               ➖               no changes
web-ui          0               ➖               no changes

✅ Patch gate passed

Every surface whose lines were touched by this PR has patch coverage at or above the threshold.

santoshkumarradha merged commit bfe4015 into main on Jun 17, 2026
28 checks passed
santoshkumarradha deleted the automation/js-yaml-lockfile-remediation-20260616 branch on June 17, 2026 11:19