security(deps-dev): fix all dev dependency vulnerabilities (#34)

## Summary
- Update `vitest` 3 → 4 and `@vitest/coverage-v8` (fixes vite, rollup,
picomatch vulns)
- Update `eslint-plugin-boundaries` 5 → 6 (fixes handlebars vulns)
- Migrate eslint boundaries config to v6 syntax (`element-types` →
`dependencies`)
- Add `vite@7.3.2` as direct dev dep to resolve remaining vite vulns
- Add `smol-toml` override for `markdownlint-cli2` transitive dep
- Fix vitest v4 mock constructor breaking changes in tests

Resolves all 12 remaining dev dependency vulnerabilities (55 → 0 total).

## Test plan
- [ ] All 4016 tests pass
- [ ] ESLint clean (no warnings)
- [ ] TypeScript strict mode passes
- [ ] Build succeeds
- [ ] `pnpm audit` reports 0 vulnerabilities

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: marcstraube

eslint.config.js

@@ -124,31 +124,40 @@ export default [
       'no-sequences': ['error', { allowInParentheses: false }], // Disallow comma expressions
 
       // Module boundary enforcement
-      'boundaries/element-types': [
+      'boundaries/dependencies': [
         'error',
         {
           default: 'disallow',
           rules: [
             // Entry point can import any module
-            { from: ['entry'], allow: ['core', 'module'] },
+            {
+              from: { type: 'entry' },
+              allow: [{ to: { type: 'core' } }, { to: { type: 'module' } }],
+            },
             // Core can only import from core (internal)
-            { from: ['core'], allow: ['core'] },
+            {
+              from: { type: 'core' },
+              allow: [{ to: { type: 'core' } }],
+            },
             // Domain modules can import from core and from themselves (same family)
             {
-              from: ['module'],
-              allow: ['core', ['module', { family: '${family}' }]],
+              from: { type: 'module' },
+              allow: [
+                { to: { type: 'core' } },
+                { to: { type: 'module', captured: { family: '{{ from.captured.family }}' } } },
+              ],
             },
             // session extends BaseStorageManager from storage
             {
-              from: [['module', { family: 'session' }]],
-              allow: [['module', { family: 'storage' }]],
+              from: { type: 'module', captured: { family: 'session' } },
+              allow: [{ to: { type: 'module', captured: { family: 'storage' } } }],
             },
             // offline integrates indexeddb persistence with network status
             {
-              from: [['module', { family: 'offline' }]],
+              from: { type: 'module', captured: { family: 'offline' } },
               allow: [
-                ['module', { family: 'indexeddb' }],
-                ['module', { family: 'network' }],
+                { to: { type: 'module', captured: { family: 'indexeddb' } } },
+                { to: { type: 'module', captured: { family: 'network' } } },
               ],
             },
           ],

package.json

@@ -219,11 +219,11 @@
     "@types/node": "^25.2.3",
     "@typescript-eslint/eslint-plugin": "^8.55.0",
     "@typescript-eslint/parser": "^8.55.0",
-    "@vitest/coverage-v8": "^3.2.4",
+    "@vitest/coverage-v8": "^4.1.4",
     "eslint": "^10.0.0",
     "eslint-config-prettier": "^10.0.0",
     "eslint-import-resolver-typescript": "^4.4.4",
-    "eslint-plugin-boundaries": "^5.4.0",
+    "eslint-plugin-boundaries": "^6.0.2",
     "eslint-plugin-jsdoc": "^62.5.4",
     "eslint-plugin-prettier": "^5.0.0",
     "eslint-plugin-security": "^3.0.0",
@@ -239,7 +239,8 @@
     "size-limit": "^12.0.0",
     "typedoc": "^0.28.0",
     "typescript": "^5.7.0",
-    "vitest": "^3.2.4"
+    "vite": "7.3.2",
+    "vitest": "^4.1.4"
   },
   "engines": {
     "node": ">=20.0.0"
@@ -254,7 +255,8 @@
   },
   "pnpm": {
     "overrides": {
-      "@isaacs/brace-expansion": ">=5.0.1"
+      "@isaacs/brace-expansion": ">=5.0.1",
+      "smol-toml": ">=1.6.1"
     }
   }
 }