chore(deps): remove unused tmp dependency and other unused packages

[renovate]

Summary

Investigation of the Renovate security alert for tmp (CVE-2025-54798, CVE-2026-44705) revealed that tmp was declared as a dependency but never imported anywhere in the codebase. Rather than bumping a package we don't use, we removed it entirely.

A broader audit of unused dependencies was performed at the same time.

Changes

Removed dependencies (src/package.json):

• tmp — never imported; was the subject of the security alerts
• cheerio, default-shell, node-ipc — no source imports (hits were only in compiled dist/ or stale test mocks)
• diff-match-patch, jwt-decode, pkce-challenge — no imports found
• puppeteer-chromium-resolver, puppeteer-core — no imports found
• sound-play, stream-json, string-similarity, strip-ansi, turndown — no imports found

Removed devDependencies:

• @types/diff-match-patch, @types/node-ipc, @types/stream-json, @types/string-similarity, @types/turndown, @types/tmp

Test cleanup:

• Removed stale vi.mock("default-shell", ...) from system-prompt.spec.ts and add-custom-instructions.spec.ts

Testing

• Unit tests: 384 files passed, 5731 tests passed, 0 failures
• E2E (mock mode): 59 passing, 1 pending (pre-existing suite.skip), 0 failures

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[proyectoauraorg]

Security Notice

This PR updates tmp to v0.2.6 to address a security vulnerability. All CI checks are passing and the PR is mergeable.

Recommendation: Ready for merge. Maintainers @taltas @hannesrudolph — please review when possible.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[edelauna]

Cleaning up dependency radius