
fix(security): patch hono JWT confusion and serveStatic file access CVEs #414

Merged
sergioestebance merged 1 commit into main from fix/security-hono on May 2, 2026

Conversation

@sergioestebance
Contributor

Summary

Adds pnpm.overrides for hono core in docs/ to fix:

Overrides hono to >=4.12.4 (resolved to 4.12.16).

Part of #400

Test plan

  • pnpm install --lockfile-only succeeds
  • CI passes
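As an added example (not code from the PR or from pnpm, vocs or hono), the following Node script checks what the test plan above verifies by hand: that docs/package.json carries a pnpm.overrides entry for hono with a lower bound at or above the fix version, and that every hono entry resolved in docs/pnpm-lock.yaml satisfies it. The lockfile and package.json fixtures are constructed inline; the placeholder integrity hashes and the vocs and @hono/node-server versions are assumptions, while the hono versions (4.10.4 before, 4.12.16 after) and the override range (>=4.12.4) are the PR's own. The version comparison is numeric per component, which matters here because a string comparison would rank 4.12.16 below 4.12.4.

```javascript
'use strict';

// Constructed fixtures: docs/package.json before and after the PR.
const PKG_BEFORE = { name: 'docs', dependencies: { vocs: '1.0.0' } };
const PKG_AFTER = {
  name: 'docs',
  dependencies: { vocs: '1.0.0' },
  pnpm: { overrides: { hono: '>=4.12.4' } },
};

// Constructed pnpm-lock.yaml excerpt (v9 layout). Integrity hashes and the
// vocs / @hono/node-server versions are placeholders, not real values.
const lockFixture = (honoVersion) => `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      vocs:
        specifier: 1.0.0
        version: 1.0.0

packages:

  '@hono/node-server@1.0.0':
    resolution: {integrity: sha512-PLACEHOLDER}
    peerDependencies:
      hono: ^4

  hono@${honoVersion}:
    resolution: {integrity: sha512-PLACEHOLDER}

  vocs@1.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:

  hono@${honoVersion}: {}
`;
const LOCK_BEFORE = lockFixture('4.10.4');
const LOCK_AFTER = lockFixture('4.12.16');

// Numeric major.minor.patch parsing; pre-release/build suffixes are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every version of pkgName listed under the lockfile's top-level "packages:"
// section. Keys look like "  hono@4.12.16:" or "  '@scope/name@1.0.0':",
// optionally followed by a "(peer@x.y.z)" suffix, which is stripped.
function resolvedVersions(lockText, pkgName) {
  const versions = [];
  let section = null;
  for (const line of lockText.split('\n')) {
    const top = /^([A-Za-z]+):/.exec(line);
    if (top) { section = top[1]; continue; }
    if (section !== 'packages') continue;
    const entry = /^ {2}(\S.*?):\s*$/.exec(line);
    if (!entry) continue;
    const key = entry[1].replace(/^'|'$/g, '').replace(/\(.*$/, '');
    const at = key.lastIndexOf('@');
    if (at <= 0) continue; // a leading "@" is a scope, not a version separator
    if (key.slice(0, at) === pkgName) versions.push(key.slice(at + 1));
  }
  return versions;
}

// Lower bound of a ">=x.y.z" override, or null if absent or in another form.
function overrideLowerBound(packageJson, pkgName) {
  const range = packageJson.pnpm?.overrides?.[pkgName];
  if (!range) return null;
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? m[1] : null;
}

function auditDocsWorkspace(packageJson, lockText, pkgName, minVersion) {
  const bound = overrideLowerBound(packageJson, pkgName);
  const overrideOk = bound !== null && compareSemver(bound, minVersion) >= 0;
  const resolved = resolvedVersions(lockText, pkgName);
  const stale = resolved.filter((v) => compareSemver(v, minVersion) < 0);
  const lockOk = resolved.length > 0 && stale.length === 0;
  return { overrideOk, lockOk, resolved, stale };
}

console.log('before:', auditDocsWorkspace(PKG_BEFORE, LOCK_BEFORE, 'hono', '4.12.4'));
console.log('after: ', auditDocsWorkspace(PKG_AFTER, LOCK_AFTER, 'hono', '4.12.4'));
```

Run against the real files by reading docs/package.json and docs/pnpm-lock.yaml from disk in place of the fixtures; a non-empty `stale` list after `pnpm install --lockfile-only` means the override did not reach every copy of the package.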

@github-actions github-actions Bot added the low-risk-change PR qualifies as low-risk per policy and can be merged without manual review label May 2, 2026
@sergioestebance
Contributor Author

Dependency Impact Assessment: hono 4.10.4 → 4.12.16

1. Where is this dependency used?

Searched the entire codebase for imports/requires of hono and @hono/*:

grep -r "from ['\"]hono\|require(['\"]hono\|import.*['\"]hono" -- **/*.{ts,tsx,js,jsx,mjs,cjs,py}

Result: Zero imports. The only matches were false positives — the word "honored" in javascript/src/agents/judge/judge-agent.ts:507 and python/scenario/judge_agent.py:784. Neither file imports hono.

hono is not imported anywhere in the codebase — not in production code, not in examples, not in tests.

2. Production code impact

None. hono is not used in production code (javascript/src/ or python/scenario/). It exists only in docs/pnpm-lock.yaml as a transitive dependency of the docs site tooling.

3. Where it actually lives

hono is a transitive dependency of vocs (the docs framework), which is listed in docs/package.json. The dependency chain is:

vocs → @hono/node-server → hono

Vocs uses hono internally as its dev server for the documentation site. This is a docs-only dev tool — it does not ship in any production artifact.

4. Version jump size

  • From: 4.10.4
  • To: 4.12.16
  • Jump: Two minor versions + patches within the same major version (v4)

Notable changes in this range:

  • 4.11.4: JWT verify() method now requires the alg parameter (previously optional). This is a breaking change for direct JWT callers only — it does not affect framework core (routing, serving, middleware). Vocs uses hono for its dev server, not JWT verification, so this is irrelevant.
  • 4.12.2: Fixed X-Forwarded-For handling in AWS Lambda adapter (not relevant to us).
  • 4.12.4: Fixed serveStatic URL decoding inconsistency (the CVE we're patching).

No breaking changes affect our usage (transitive dep of a docs framework dev server).

5. Pinned version comments

Searched for pinning comments, upgrade warnings, and version constraints mentioning hono:

grep -ri "pinned\|do not upgrade\|do not update\|version constraint\|locked to" docs/

Result: None found. No version pin comments exist for hono anywhere in the codebase.

6. Transitive vs direct

Transitive only. hono is not listed in any package.json as a direct dependency. It only appears in docs/pnpm-lock.yaml via the dependency chain vocs → @hono/node-server → hono. The override in docs/package.json is the standard pnpm mechanism to force a transitive dependency to a minimum version.

7. Final verdict

TRIVIAL — Dev-only transitive dependency of the docs framework, not imported anywhere in our code. Safe to merge with CI passing.

Rationale:

  • Zero direct imports of hono in the entire codebase
  • Only exists in the docs/ workspace as a transitive dep of vocs (docs site tooling)
  • Does not ship in any production artifact
  • The one relevant breaking change (JWT verify parameter) only affects direct JWT callers — vocs uses hono for routing/serving, not JWT
  • No version pinning comments or constraints exist
  • Minor version bump within same major version (v4)

The only way this could cause issues is if vocs's internal use of hono is incompatible with 4.12.x, which would surface as the docs site failing to build in CI.

@sergioestebance
Contributor Author

CI green — all 7 checks pass (CodeQL, build, evaluate, PR title validation, approval gate). Ready for review.

@github-actions github-actions Bot added low-risk-change PR qualifies as low-risk per policy and can be merged without manual review and removed low-risk-change PR qualifies as low-risk per policy and can be merged without manual review labels May 2, 2026
@github-actions
Contributor

github-actions Bot commented May 2, 2026

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure.

  • Scope: Add pnpm.overrides for hono (>=4.12.4) in docs/package.json and update docs/pnpm-lock.yaml to bump hono to 4.12.16 and related lockfile entries.
  • Exclusions confirmed: no changes to auth, security settings, database schema, business-critical logic, or external integrations.
  • Classification: low-risk-change under the documented policy.

The changes are limited to the docs workspace: adding a pnpm.overrides entry for hono (>=4.12.4) in docs/package.json and updating docs/pnpm-lock.yaml to resolve hono to 4.12.16 to address identified CVEs. No application source files, authentication/authorization logic, secrets, database schemas/migrations, business-critical logic, or external integrations are modified, so this meets the low-risk criteria.

This classification allows merging without manual review once all required CI checks are passing and branch protection rules are satisfied.

@sergioestebance
Contributor Author

Rebased onto latest main. Conflicts resolved in docs/package.json (merged duplicate pnpm.overrides blocks — combined hono + minimatch overrides) and docs/pnpm-lock.yaml (regenerated via pnpm install --lockfile-only). CI green — all 7 checks pass. Ready for review.

@sergioestebance sergioestebance self-assigned this May 2, 2026
@sergioestebance sergioestebance merged commit 894b980 into main May 2, 2026
7 checks passed
@sergioestebance sergioestebance deleted the fix/security-hono branch May 2, 2026 15:41
@sergioestebance sergioestebance added the dependencies Pull requests that update a dependency file label May 2, 2026