v0.2.1 — Phase 1 community readiness blockers

@gl0bal01 gl0bal01 released this 15 May 10:36
· 9 commits to master since this release

Security and reliability patch. Adopt this release before v0.3.0 — it ships the CVE fix and git-sync correctness fixes independently of the larger v0.3.0 runtime rewrite.

Security

  • Pinned simple-git to exact 3.36.0 across all three workspaces (core, cli, bot), resolving GHSA-hffm-xvc3-vprc (ReDoS in <3.36.0).

Fixed

  • Bot git-sync push-before-commit ordering corrected across all 8 commitAndPush callsites in packages/bot. Push is now chained to the latest debounced commit via enqueuePushAfter, so a push can never race ahead of its commit.
  • Push silently dropped on back-to-back commitAndPush calls (HIGH): removed pushPending guard from enqueuePush; the FIFO queue serialises pushes and enqueuePushAfter's commit-level debounce handles coalescing.
  • drain() skipping chained push on SIGTERM (MEDIUM): drain() now flushes pendingPushFn alongside pendingCommitFn.
  • /ctf start initial repo flow is now an atomic locked transaction: a per-ctfName FileLock is acquired before init, ensuring concurrent invocations for the same CTF cannot double-initialise the repository.

Internal

  • enqueueTransaction(fns: AsyncFn[]) added to GitSyncQueue in @ctfd-warboard/core. Executes an ordered sequence of async operations inside the queue, propagating the first error and aborting on throw.
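As an added illustration, not code from the ctfd-warboard project: a hypothetical TypeScript model of the FIFO queue and transaction semantics described in the Fixed and Internal entries, showing a push chained after its commit and a mid-transaction throw that aborts the remaining steps and propagates its error without wedging later jobs. GitSyncQueue, enqueueTransaction, commitAndPush and demo here are simplified definitions written for this example.

```typescript
// Hypothetical model of the queue semantics in the notes above; not the real @ctfd-warboard/core code.
type AsyncFn = () => Promise<void>;

class GitSyncQueue {
  private tail: Promise<void> = Promise.resolve();
  readonly trace: string[] = []; // constructed record of what ran, in order

  // FIFO: a job starts only after every earlier job has settled (resolved
  // or rejected), so one failure cannot wedge the queue.
  enqueue(fn: AsyncFn): Promise<void> {
    const job = this.tail.then(fn);
    this.tail = job.catch(() => {});
    return job;
  }

  // Runs fns in order inside a single queue slot. A throw aborts the
  // remaining steps and the first error is propagated to the caller.
  enqueueTransaction(fns: AsyncFn[]): Promise<void> {
    return this.enqueue(async () => {
      for (const fn of fns) await fn();
    });
  }

  // Commit with the push chained after it in the same slot, so the push
  // can never be scheduled ahead of the commit it belongs to.
  commitAndPush(name: string, pushFails = false): Promise<void> {
    return this.enqueueTransaction([
      async () => { this.trace.push(`commit:${name}`); },
      async () => {
        if (pushFails) throw new Error(`push rejected for ${name}`);
        this.trace.push(`push:${name}`);
      },
    ]);
  }
}

// Three back-to-back calls; the second one fails at its push step.
async function demo(): Promise<{ trace: string[]; firstError: string }> {
  const q = new GitSyncQueue();
  const errors: string[] = [];
  const capture = (p: Promise<void>) =>
    p.catch((e: Error) => { errors.push(e.message); });
  await Promise.all([
    capture(q.commitAndPush("a")),
    capture(q.commitAndPush("b", true)),
    capture(q.commitAndPush("c")),
  ]);
  return { trace: q.trace, firstError: errors[0] ?? "" };
}
```

The resulting trace is commit:a, push:a, commit:b, commit:c, push:c: b's push is aborted and its error surfaces to that caller, while c still runs in order afterwards.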

Verification

  • 209 tests pass / 0 fail.
  • bun audit --audit-level=high → 0 vulnerabilities.

Full Changelog: v0.2.0...v0.2.1