chore(deps): bump the npm-weekly group across 1 directory with 5 updates

[dependabot]

Bumps the npm-weekly group with 5 updates in the / directory:

Package	From	To
dashclaw	2.2.1	2.6.0
next	16.1.7	16.2.1
openai	6.31.0	6.32.0
eslint-config-next	15.5.13	15.5.14
jsdom	29.0.0	29.0.1

Updates dashclaw from 2.2.1 to 2.6.0

Changelog

Sourced from dashclaw's changelog.

DashClaw Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[2.3.0] - 2026-03-19

Added

• Approval Webhooks: Webhook subscriptions now support approval_pending, approval_granted, and approval_denied events. Webhooks fire when agents require approval and when admins approve or deny actions, enabling PagerDuty, Opsgenie, and custom bot integrations. Payloads include an approval_url for direct approve/deny from external systems.
• Policy Template Gallery: New GET /api/policies/templates endpoint returns browsable previews of all policy packs (Enterprise Strict, SMB Safe, Startup Growth, Development). The import endpoint now supports ?preview=true for dry-run mode showing what would be created vs skipped. Policies page includes a "Browse Templates" gallery with one-click install.
• Cost Dashboard: New GET /api/actions/costs endpoint with by-agent and by-day cost breakdowns. Mission Control gains an "Agent Spend" widget showing total spend, sparkline, and top agents. Cost and token columns added to the decisions list. Decision Replay shows cost and token usage in the result section.
• Communication Trail in Decision Replay: Messages between agents are now visible in Decision Replay. New GET /api/actions/{actionId}/messages endpoint uses a hybrid strategy — explicit action_id tags first, time-window correlation as fallback. Chat-bubble UI shows the conversation that led to a decision.
• webhook_deliveries Table: Tracks all webhook delivery attempts with status, response, and duration. Previously referenced in code but missing from the schema.
• Messages API Restored: /api/messages, /api/messages/threads, and /api/messages/attachments routes moved from archive back to active, fixing SDK sendMessage() which was returning 404.

Changed

• SDK sendMessage(): Added optional actionId parameter that links messages to action records for the communication trail (Node SDK v2.6.0, Python SDK v2.6.0).
• Webhook Event Types: VALID_SIGNAL_TYPES renamed to VALID_EVENT_TYPES to reflect the broader scope of supported events.
• Policy Pack Previews: PACK_PREVIEWS metadata extracted from the policies page into shared app/lib/policyPackPreviews.js module with inferPolicyType and summarizeRules utilities.

Tests

• Added 32 new tests: approval webhook wiring (7), policy templates endpoint (9), cost aggregation (8), message trail endpoint (8).

[2.2.0] - 2026-03-16

Added

• CLI Approval Client (@dashclaw/cli): New terminal package with an interactive approval inbox and approve/deny commands, enabling terminal-first governance workflows without opening a browser.
• Structured Approval Block in SDK: waitForApproval() now prints a formatted, boxed approval block on first poll showing action ID, agent, risk score, goal, and replay URL — giving operators all the context needed to act from the terminal.
• SDK Approval Methods (Node): Added getAction(), getPendingApprovals(), and approveAction() to the Node SDK, completing the full CLI approval channel surface.
• Claude Code Hooks: New hooks/dashclaw_pretool.py and hooks/dashclaw_posttool.py Python hooks for Claude Code governance. Pre-tool hook calls the guard before every tool use; post-tool hook records the outcome.
• Anthropic Claude SDK Governed Demo: New examples/anthropic-governed-agent/ showing the four-step governance loop with HITL approval using the Anthropic Claude SDK.
• OpenAI Agents SDK Governed Demo: New examples/openai-agents-governed/ showing governance integration with the OpenAI Agents SDK, including a guard gate and approval wait.
• CLI Governance Examples: examples/claude-code-review-agent/, examples/openai-deploy-pipeline/, and examples/python-research-agent/ with a shared examples/README.md and two-terminal demo instructions.
• npx dashclaw-demo: New one-command local demo. Starts the runtime in demo mode, runs the governed agent, extracts the replay URL from agent output, and opens the browser to the decision evidence automatically.
• GitHub Traffic Polling: npm run traffic:poll (scripts/poll-github-traffic.mjs) persists GitHub clone and view data to Neon for historical adoption signals beyond the 14-day API window.

Changed

• Prompt Injection Scanning Default: Prompt injection scanning is now on by default for all guard evaluations. Opt out with DISABLE_PROMPT_INJECTION_SCAN=true. Aligns with the platform's security-first posture.
• Platform Skill v2.3: Updated dashclaw-platform-intelligence skill with CLI approval channel and Claude Code hooks workflows. Skill description trimmed for better trigger matching.
• Demo Replay Correlation: openai-governed-agent example now uses openai-deployer-1 agent ID and deploy action type, matching the demo middleware fixture data so the replay page always loads with full context after npx dashclaw-demo.
• SDK Documentation: Replaced hardcoded dashclaw.io references with env vars. Added CLI Approval Channel and Claude Code Hooks sections. ?legacy=true toggle for Copy as Markdown / View raw.
• Connect Prompt: Uses the four-step governance loop and CLI approval channel pattern in the generated onboarding prompt.
• Marketing Site: Added terminal-first agent frameworks (Claude Code, OpenClaw) to the Works With section. New quickstart uses env vars instead of hardcoded keys.

Fixed

• Demo Guard Evaluations: app/api/guard/route.js and middleware.js now always return a 200 OK for all guard evaluations (including blocks and approvals). This prevents the SDK from throwing generic errors and properly exposes the decision object to agents.
• SDK GuardBlockedError Propagation: Updated both JS and Python SDKs so that if _request() encounters a 403 status due to a policy block, it explicitly raises GuardBlockedError instead of a generic Error/DashClawError.
• Demo Replay Action States: Updated the hardcoded demoTestEval mock to return require_approval instead of block so npx dashclaw-demo successfully triggers the Human-In-The-Loop terminal wait flow.

... (truncated)

Commits

• See full diff in compare view

Updates next from 16.1.7 to 16.2.1

Release notes

Sourced from next's releases.

v16.2.1

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• docs: post release amends (#91715)
• docs: fix broken Activity Patterns demo link in preserving UI state guide (#91698)
• Fix adapter outputs for dynamic metadata routes (#91680)
• Turbopack: fix webpack loader runner layer (#91727)
• Fix server actions in standalone mode with cacheComponents (#91711)
• turbo-persistence: remove Unmergeable mmap advice (#91713)
• Fix layout segment optimization: move app-page imports to server-utility transition (#91701)
• Turbopack: lazy require metadata and handle TLA (#91705)
• [turbopack] Respect {eval:true} in worker_threads constructors (#91666)

Credits

Huge thanks to @​icyJoseph, @​abhishekmardiya, @​ijjk, @​mischnic, @​unstubbable, @​sokra, and @​lukesandberg for helping!

v16.2.1-canary.4

Core Changes

• Fix adapter outputs for dynamic metadata routes: #91680

Misc Changes

• Turbopack: fix webpack loader runner layer: #91727
• [turbopack] Remove incorrect debug_assert in try_read_task_cell: #91699
• Add module count field to module graph tracing spans: #91697
• turbopack-cli: add --persistent-caching flag for filesystem-backed cache: #91657
• Turbopack: pull in updated vercel/nft tests: #91651
• Update Rspack development test manifest: #91695
• [test] Unflake use-node-streams-env-precedence test: #91733
• Update Rspack production test manifest: #91694
• [turbopack] Improve regressed build speed on cross-compiled MUSL: #91477

Credits

Huge thanks to @​ijjk, @​mischnic, @​sokra, @​vercel-release-bot, @​unstubbable, and @​mmastrac for helping!

v16.2.1-canary.3

Core Changes

• Fix layout segment optimization: move app-page imports to server-utility transition: #91701
• Fix server actions in standalone mode with cacheComponents: #91711
• Turbopack: lazy require metadata and handle TLA: #91705

Misc Changes

• [turbopack] Optimize compaction cpu usage: #91468

... (truncated)

Commits

• ed7d2ce v16.2.1
• 3e37bb4 docs: post release amends (#91715)
• a15ec6e docs: fix broken Activity Patterns demo link in preserving UI state guide (#9...
• 600cd2f Fix adapter outputs for dynamic metadata routes (#91680)
• 27886d3 Turbopack: fix webpack loader runner layer (#91727)
• 88fc430 Fix server actions in standalone mode with cacheComponents (#91711)
• 37aed86 turbo-persistence: remove Unmergeable mmap advice (#91713)
• d6195ec Fix layout segment optimization: move app-page imports to server-utility tran...
• 6cb97d6 Turbopack: lazy require metadata and handle TLA (#91705)
• e6b101a [turbopack] Respect {eval:true} in worker_threads constructors (#91666)
• Additional commits viewable in compare view

Updates openai from 6.31.0 to 6.32.0

Release notes

Sourced from openai's releases.

v6.32.0

6.32.0 (2026-03-17)

Full Changelog: v6.31.0...v6.32.0

Features

• api: 5.4 nano and mini model slugs (068df6d)

Changelog

Sourced from openai's changelog.

6.32.0 (2026-03-17)

Full Changelog: v6.31.0...v6.32.0

Features

• api: 5.4 nano and mini model slugs (068df6d)

Commits

• d95158f release: 6.32.0
• b6f0f44 feat(api): 5.4 nano and mini model slugs
• See full diff in compare view

Updates eslint-config-next from 15.5.13 to 15.5.14

Release notes

Sourced from eslint-config-next's releases.

v15.5.14

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• feat(next/image): add lru disk cache and images.maximumDiskCacheSize (#91660)
• Fix(pages-router): restore Content-Length and ETag for /_next/data/ JSON responses (#90304)

Credits

Huge thanks to @​styfle and @​lllomh for helping!

Commits

• d7b012d v15.5.14
• See full diff in compare view

Updates jsdom from 29.0.0 to 29.0.1

Release notes

Sourced from jsdom's releases.

v29.0.1

• Fixed CSS parsing of border, background, and their sub-shorthands containing keywords or var(). (@​asamuzaK)
• Fixed getComputedStyle() to return a more functional CSSStyleDeclaration object, including indexed access support, which regressed in v29.0.0.

Commits

• 34c7d6e 29.0.1
• 8ffc811 Add benchmark for computed style property access
• 5f2434c Update dependencies and dev dependencies
• 1e8a7ff Handle global keywords in CSS shorthand property handlers
• 0b79509 Wrap getComputedStyle return value for proper indexed access
• d589a8e Fix border shorthand parsing
• e528859 Modernize release infrastructure
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for jsdom since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
dashclaw	Ready	Preview, Comment	Mar 23, 2026 11:58am
my-dashclaw	Ready	Preview, Comment	Mar 23, 2026 11:58am