
chore(deps): Update Composer dependencies (security-patch) #446

Closed
nielsdrost7 wants to merge 1 commit into develop from automated/composer-update-35

nielsdrost7 (Collaborator) commented May 11, 2026

Composer Dependency Update

This PR updates Composer dependencies.

Update Type:
Triggered by: schedule

Updated Packages

## Direct Dependencies (from composer.json)

doctrine/dbal: 4.4.1 → 4.4.3
filament/actions: v5.0.0 → v5.6.3
filament/filament: v5.0.0 → v5.6.3
laravel/framework: v12.47.0 → v12.58.0
maatwebsite/excel: 3.1.67 → 3.1.69
nwidart/laravel-modules: v12.0.4 → v12.0.5
spatie/laravel-permission: 6.24.0 → 6.25.0
barryvdh/laravel-debugbar: v3.16.3 → v4.2.8
driftingly/rector-laravel: 2.1.9 → 2.3.0
larastan/larastan: v3.9.0 → v3.9.6
laravel/boost: v1.8.10 → v2.4.6
laravel/pail: v1.2.4 → v1.2.6
laravel/sail: v1.52.0 → v1.58.0
laravel/tinker: v2.11.0 → v3.0.2
nunomaduro/collision: v8.8.3 → v8.9.4
phpunit/phpunit: 11.5.48 → 11.5.55
rector/rector: 2.3.1 → 2.4.2

## Transient Dependencies (indirect)

blade-ui-kit/blade-heroicons: 2.6.0 → 2.7.0
blade-ui-kit/blade-icons: 1.8.0 → 1.10.0
brick/math: 0.14.1 → 0.14.8
chillerlan/php-settings-container: 3.2.1 → 3.3.0
danharrin/livewire-rate-limiting: v2.1.0 → v2.2.0
doctrine/deprecations: 1.1.5 → 1.1.6
filament/forms: v5.0.0 → v5.6.3
filament/infolists: v5.0.0 → v5.6.3
filament/notifications: v5.0.0 → v5.6.3
filament/query-builder: v5.0.0 → v5.6.3
filament/schemas: v5.0.0 → v5.6.3
filament/support: v5.0.0 → v5.6.3
filament/tables: v5.0.0 → v5.6.3
filament/widgets: v5.0.0 → v5.6.3
guzzlehttp/psr7: 2.8.0 → 2.9.0
kirschbaum-development/eloquent-power-joins: 4.2.11 → 4.3.1
laravel/prompts: v0.3.10 → v0.3.17
laravel/serializable-closure: v2.0.8 → v2.0.13
league/commonmark: 2.8.0 → 2.8.2
league/flysystem: 3.30.2 → 3.33.0
league/flysystem-local: 3.30.2 → 3.31.0
league/uri: 7.8.0 → 7.8.1
league/uri-components: 7.8.0 → 7.8.1
league/uri-interfaces: 7.8.0 → 7.8.1
livewire/livewire: v4.0.1 → v4.3.0
nesbot/carbon: 3.11.0 → 3.11.4
nette/php-generator: v4.2.0 → v4.2.2
nette/schema: v1.3.3 → v1.3.5
nette/utils: v4.1.1 → v4.1.3
nunomaduro/termwind: v2.3.3 → v2.4.0
phpoffice/phpspreadsheet: 1.30.2 → 1.30.4
ryangjchandler/blade-capture-directive: v1.1.0 → v1.1.1
spatie/laravel-package-tools: 1.92.7 → 1.93.0
spatie/shiki-php: 2.3.2 → 2.4.0
symfony/clock: v7.4.0 → v7.4.8
symfony/console: v7.4.3 → v7.4.9
symfony/css-selector: v7.4.0 → v7.4.9
symfony/deprecation-contracts: v3.6.0 → v3.7.0
symfony/error-handler: v7.4.0 → v7.4.8
symfony/event-dispatcher: v7.4.0 → v7.4.9
symfony/event-dispatcher-contracts: v3.6.0 → v3.7.0
symfony/finder: v7.4.3 → v7.4.8
symfony/html-sanitizer: v7.4.0 → v7.4.8
symfony/http-foundation: v7.4.3 → v7.4.8
symfony/http-kernel: v7.4.3 → v7.4.10
symfony/mailer: v7.4.3 → v7.4.8
symfony/mime: v7.4.0 → v7.4.9
symfony/polyfill-ctype: v1.33.0 → v1.37.0
symfony/polyfill-intl-grapheme: v1.33.0 → v1.37.0
symfony/polyfill-intl-idn: v1.33.0 → v1.37.0
symfony/polyfill-intl-normalizer: v1.33.0 → v1.37.0
symfony/polyfill-mbstring: v1.33.0 → v1.37.0
symfony/polyfill-php80: v1.33.0 → v1.37.0
symfony/polyfill-php83: v1.33.0 → v1.37.0
symfony/polyfill-php84: v1.33.0 → v1.37.0
symfony/polyfill-php85: v1.33.0 → v1.37.0
symfony/polyfill-uuid: v1.33.0 → v1.37.0
symfony/process: v7.4.3 → v7.4.8
symfony/routing: v7.4.3 → v7.4.9
symfony/service-contracts: v3.6.1 → v3.7.0
symfony/string: v7.4.0 → v7.4.8
symfony/translation: v7.4.3 → v7.4.10
symfony/translation-contracts: v3.6.1 → v3.7.0
symfony/uid: v7.4.0 → v7.4.9
symfony/var-dumper: v7.4.3 → v7.4.8
voku/portable-ascii: 2.0.3 → 2.1.1
iamcal/sql-parser: v0.6 → v0.7
laravel/mcp: v0.5.2 → v0.7.0
laravel/roster: v0.2.9 → v0.5.1
php-debugbar/php-debugbar: v2.2.6 → v3.7.6
php-debugbar/symfony-bridge: (new) → v1.1.0
phpstan/phpstan: 2.1.33 → 2.1.54
phpunit/php-file-iterator: 5.1.0 → 5.1.1
psy/psysh: v0.12.18 → v0.12.22
sebastian/comparator: 6.3.2 → 6.3.3
symfony/yaml: v7.4.1 → v7.4.10
webmozart/assert: 1.12.1 → 2.3.0
anourvalar/eloquent-serialize: 1.3.5 → (removed)

Checks Performed

  • Unit tests passed (commented out until further notice)
  • Static analysis completed (commented out until further notice)
  • Code formatting checked (commented out until further notice)

Security Audit

Security vulnerabilities detected. Please review audit-report.json.

Review Checklist

  • Review updated packages and their changelogs
  • Verify all tests pass
  • Check for breaking changes
  • Update documentation if needed
  • Test manually in development environment

This PR was automatically created by the Composer Update workflow.

Summary by CodeRabbit

  • Security

    • Security advisories have been identified across multiple project dependencies, including web framework components, utility parsing libraries, debugging tools, and core development packages requiring immediate review.
  • Chores

    • Updated comprehensive set of project dependencies to their latest versions, including core web framework, development tools, testing frameworks, static analysis packages, and indirect dependencies.


coderabbitai Bot (Contributor) commented May 11, 2026

📝 Walkthrough

Composer dependencies are refreshed across direct and transient packages with newer pinned versions. Six packages receive security advisories that are recorded in the audit report with vulnerability details including CVE references, affected version ranges, severity, and reporting timestamps.

Changes

Dependency Update and Security Audit

| Layer / File(s) | Summary |
|---|---|
| Security Advisory Report (audit-report.json) | advisories object populated with security vulnerability records for filament/tables, league/commonmark, phpoffice/phpspreadsheet, phpunit/phpunit, psy/psysh, and symfony/process, including IDs, CVEs, severity, and affected version ranges. |
| Direct Dependencies (updated-packages.txt) | Core and dev packages updated to newer versions (laravel/framework, filament/*, larastan/larastan, phpunit/phpunit, rector/rector); new direct dependencies added (doctrine/dbal, maatwebsite/excel, nwidart/laravel-modules, spatie/laravel-permission, barryvdh/laravel-debugbar, etc.). |
| Transient Dependencies (updated-packages.txt) | Indirect dependencies advanced across Symfony, Livewire, Blade/UI, polyfills, and analysis tooling; php-debugbar/symfony-bridge newly pinned to v1.1.0; anourvalar/eloquent-serialize removed. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • InvoicePlane/InvoicePlane-v2#319: Both PRs modify audit-report.json advisories and updated-packages.txt with Composer dependency updates; directly related version and audit history.
  • InvoicePlane/InvoicePlane-v2#361: Both PRs modify the same audit and dependency manifest files, with this PR populating advisories and dependency updates.
  • InvoicePlane/InvoicePlane-v2#300: Both PRs update audit-report.json and updated-packages.txt to add security advisories and Composer package bumps, notably Filament-related updates.

Poem

🐰 Whiskers twitch with delight as we hop through the logs,
Security shields gleaming, dependencies no longer foggy dogs!
From Filament to Laravel, each package gets a boost,
Transients in lockstep, vulnerabilities on the loose—
Well, patched, that is! A safer crate for the crew! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore(deps): Update Composer dependencies (security-patch)' accurately describes the main change—a dependency update focused on security patches. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
updated-packages.txt (1)

6-6: ⚡ Quick win

Notable framework and tooling updates.

Several core packages received significant updates:

  • laravel/framework: v12.47.0 → v12.58.0 (11 minor versions)
  • barryvdh/laravel-debugbar: v3.16.3 → v4.2.8 (major version jump)
  • php-debugbar/php-debugbar: v2.2.6 → v3.7.6 (major version jump)

The Laravel framework update spans multiple minor versions (12.47 to 12.58), which may include new features, deprecations, and fixes. Review the Laravel release notes for any changes that might affect your application.

Also applies to: 10-10, 92-92

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@updated-packages.txt` at line 6, The package updates bump laravel/framework
(v12.47.0→v12.58.0), barryvdh/laravel-debugbar, and php-debugbar/php-debugbar;
review each package's release notes for breaking changes or deprecations, run
composer update to apply the new versions, run the full test suite (phpunit) and
static analysis, and fix any failures (adjust middleware/config, replace
deprecated APIs, update service provider or debugbar integration code where
referenced) so the app is compatible with laravel/framework,
barryvdh/laravel-debugbar, and php-debugbar/php-debugbar new releases.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 89abcad4-cbcb-48b0-9391-3fde267e7f84

📥 Commits

Reviewing files that changed from the base of the PR and between cc00605 and 980800a.

⛔ Files ignored due to path filters (1)
  • composer.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • audit-report.json
  • updated-packages.txt

Comment thread audit-report.json
Comment on lines +21 to +54
"league/commonmark": [
{
"advisoryId": "PKSA-21fb-n1x5-5nf7",
"packageName": "league/commonmark",
"affectedVersions": ">=2.3.0,<=2.8.1",
"title": "league/commonmark has an embed extension allowed_domains bypass",
"cve": "CVE-2026-33347",
"link": "https://github.com/advisories/GHSA-hh8v-hgvp-g3f5",
"reportedAt": "2026-03-19T19:04:24+00:00",
"sources": [
{
"name": "GitHub",
"remoteId": "GHSA-hh8v-hgvp-g3f5"
}
],
"severity": "medium"
},
{
"advisoryId": "PKSA-2cx9-ynrq-qdk3",
"packageName": "league/commonmark",
"affectedVersions": ">=2.0.0,<=2.8.0",
"title": "CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names",
"cve": "CVE-2026-30838",
"link": "https://github.com/advisories/GHSA-4v6x-c7xx-hw9f",
"reportedAt": "2026-03-06T23:27:03+00:00",
"sources": [
{
"name": "GitHub",
"remoteId": "GHSA-4v6x-c7xx-hw9f"
}
],
"severity": "medium"
}
],
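Review bot: Both league/commonmark entries in this range have affectedVersions ceilings (<=2.8.1 and <=2.8.0) below the 2.8.2 that this PR's package list moves league/commonmark to, so the report appears to describe the lock file before the update rather than after it. Regenerate audit-report.json from the updated lock, or record in the report which lock state it was produced from, so that "Security vulnerabilities detected" in the PR description can be read unambiguously as either fixed by this PR or still open.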
coderabbitai Bot (Contributor)

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Medium-severity vulnerabilities also addressed.

The update resolves several medium-severity issues:

  1. league/commonmark (CVE-2026-33347): "embed extension allowed_domains bypass"
  2. league/commonmark (CVE-2026-30838): "DisallowedRawHtml extension bypass via whitespace"
  3. psy/psysh (CVE-2026-25129): "Local Privilege Escalation via CWD .psysh.php auto-load"
  4. symfony/process (CVE-2026-24739): "incorrect argument escaping under MSYS2/Git Bash"

While medium severity, the psy/psysh vulnerability is particularly noteworthy for development environments where developers might work in untrusted directories.

Also applies to: 159-194

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@audit-report.json` around lines 21 - 54, The audit-report.json currently
lists two league/commonmark advisories but omits the other medium-severity
findings called out in the review; add JSON entries for psy/psysh
(CVE-2026-25129, title "Local Privilege Escalation via CWD .psysh.php
auto-load") and symfony/process (CVE-2026-24739, title "incorrect argument
escaping under MSYS2/Git Bash") with affectedVersions, link, reportedAt, sources
and severity fields similar to the existing league/commonmark objects, and
ensure the "Also applies to: 159-194" range is updated to include these new
entries so the audit-report includes all four medium issues referenced in the
comment.
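One way to check the claim in the comment above that the update resolves the listed advisories: test each `affectedVersions` range from the audit report against the before and after versions in the package list. This is an added example, not code from the PR or the project's workflow; the function names and the `acme/constructed-pkg` record are hypothetical, each package is assumed to map to a JSON array of advisories, and the matcher handles plain comparison operators only (not `^` or `~`).

```python
import json
import operator
import re

# Constructed input. The two league/commonmark records are trimmed copies of
# the audit-report.json excerpt on this page; the acme/* record and its
# version line are made up to show an advisory that survives the update.
AUDIT_REPORT = json.loads("""
{"advisories": {
  "league/commonmark": [
    {"advisoryId": "PKSA-21fb-n1x5-5nf7", "cve": "CVE-2026-33347",
     "affectedVersions": ">=2.3.0,<=2.8.1", "severity": "medium"},
    {"advisoryId": "PKSA-2cx9-ynrq-qdk3", "cve": "CVE-2026-30838",
     "affectedVersions": ">=2.0.0,<=2.8.0", "severity": "medium"}],
  "acme/constructed-pkg": [
    {"advisoryId": "PKSA-constructed-example", "cve": null,
     "affectedVersions": "<1.5.0|>=2.0.0,<2.3.0", "severity": "high"}]
}}
""")
UPDATED_PACKAGES = """\
league/commonmark: 2.8.0 → 2.8.2
acme/constructed-pkg: 2.0.1 → 2.2.0
php-debugbar/symfony-bridge: (new) → v1.1.0
anourvalar/eloquent-serialize: 1.3.5 → (removed)
"""

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
       "<": operator.lt, "==": operator.eq, "=": operator.eq,
       "!=": operator.ne}


def parse_version(text):
    """'v7.4.10' -> (7, 4, 10, 0). Stability suffixes (-beta1) are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0, 0])[:4])


def satisfies(version, constraint):
    """Evaluate a range where ',' means AND and '|' or '||' means OR."""
    have = parse_version(version)
    for branch in re.split(r"\|\|?", constraint):
        clauses = [c.strip() for c in branch.split(",") if c.strip()]
        checks = []
        for clause in clauses:
            m = re.fullmatch(r"(>=|<=|!=|==|>|<|=)?\s*(v?\d[\w.\-]*)", clause)
            if m is None:
                raise ValueError(f"unsupported constraint clause: {clause!r}")
            want = parse_version(m.group(2))
            checks.append(OPS[m.group(1) or "=="](have, want))
        if clauses and all(checks):
            return True
    return False


def parse_updates(text):
    """Map package -> (old, new); '(new)' and '(removed)' become None."""
    updates = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\S+):\s*(\S+)\s*→\s*(\S+)\s*", line)
        if m:
            old, new = (None if v.startswith("(") else v for v in m.groups()[1:])
            updates[m.group(1)] = (old, new)
    return updates


def triage(report, updates):
    """Rows of (package, advisoryId, affected_before, affected_after).
    A flag is None when that side has no version (new, removed, or unlisted)."""
    rows = []
    for package, advisories in report["advisories"].items():
        old, new = updates.get(package, (None, None))
        for adv in advisories:
            rng = adv["affectedVersions"]
            rows.append((package, adv["advisoryId"],
                         satisfies(old, rng) if old else None,
                         satisfies(new, rng) if new else None))
    return rows


def still_open(rows):
    """Advisories whose range still contains the post-update version."""
    return [r for r in rows if r[3] is True]


if __name__ == "__main__":
    for row in triage(AUDIT_REPORT, parse_updates(UPDATED_PACKAGES)):
        print(row)
```

A non-empty `still_open` result is the condition worth failing a CI job on; advisories that are affected before and clear after are the ones the update actually fixed.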

Comment thread updated-packages.txt
maatwebsite/excel: 3.1.67 → 3.1.69
nwidart/laravel-modules: v12.0.4 → v12.0.5
spatie/laravel-permission: 6.24.0 → 6.25.0
barryvdh/laravel-debugbar: v3.16.3 → v4.2.8
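Review bot: The last line, barryvdh/laravel-debugbar: v3.16.3 → v4.2.8, is a major-version jump carried in a PR titled as a security patch, next to two patch-level bumps and one minor bump. Split major upgrades into their own PR, or have the update workflow keep security-patch runs within the current major version, so the security fixes can merge without waiting on migration work.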
coderabbitai Bot (Contributor)

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

What are the breaking changes in Laravel Debugbar v4.0 compared to v3.x?

💡 Result:

Breaking changes in Laravel Debugbar v4.0.0 (vs v3.x):

1) Package name / ownership changed
  • Remove barryvdh/laravel-debugbar and install fruitcake/laravel-debugbar instead. [1][2]

2) Namespace changed
  • Namespace is now Fruitcake\LaravelDebugbar instead of Barryvdh\Debugbar (relevant if you manually register the service provider/facade or directly reference classes). [2]

3) php-debugbar dependency upgraded to 3.x (upstream breaking changes)
  • Laravel Debugbar 4.0 “brings the updates from php-debugbar 3.x” into Laravel Debugbar. [1]
  • php-debugbar 3.x breaks include:
    • jQuery removed; widgets are now JavaScript classes (custom widgets may need updates). [3][4]
    • FontAwesome removed; replaced by Tabler SVG icons (packages extending Debugbar may need to adjust icons). [3][4]
    • Widgets rendered when opening a tab, not when loading the page. [3][4]
    • TimeDataCollector removed from constructors; use setTimeDataCollector instead. [3][4]
    • useHtmlVarDumper removed; HtmlDataFormatter used by default (for plain text, configure to use DataFormatter). [3][4]
    • Storage changes: Storage now uses JSON instead of serialize (old stored data can’t be read) and StorageInterface adds prune. [3][4]
    • Additional method/interface changes: stricter typehinting, getAssets() signature change, OpenHandler requires op, DataFormatterInterface adds a 2nd “deep” parameter, etc. [3][4]

4) Laravel Debugbar features/subsystems removed
  • SocketStorage support removed. [2]
  • Lumen support removed. [2]
  • FileCollector removed. [2]
  • Helper methods start_measure(), add_measure(), stop_measure(), measure() removed; use debugbar()->startMeasure() etc. [2]

5) Laravel Debugbar collector/config API changes
  • Query Collector: it now extends the php-debugbar widget; bindings parameter removed in favor of params. [2]
  • Option rename: hiddens replaced by masked. [2]
  • For packages extending Laravel Debugbar: modifyResponse changed to handleResponse, now done via a listener instead of middleware. [2]
  • HttpDriver changed: session-less and uses cookies. [2]
  • Laravel Octane: Octane keeps the LaravelDebugbar state; collectors must be reset (you can remove Laravel Debugbar from flush config). [2]

Citations:


🌐 Web query:

What are the breaking changes in Laravel Tinker v3.0 compared to v2.x?

💡 Result:

Breaking changes in Laravel Tinker v3.0.0 compared to v2.x (as of 2026-05-11):

1) Minimum PHP requirement increased
  • v3.0.0 requires PHP ^8.1, whereas v2.x supported PHP ^7.2.5|^8.0. [1][2]

2) Dropped support for PHP 7.x and PHP 8.0
  • The v3.0.0 release notes explicitly note removal of support for PHP 8.0 and 7.x. [3][4]

3) Updated Illuminate component support range (now includes Laravel 13)
  • In composer constraints, v3.0.0 expands the supported Illuminate/* versions to ^8.0|^9.0|^10.0|^11.0|^12.0|^13.0 (including illuminate/console, illuminate/contracts, illuminate/support). [1][2]

4) psysh dependency locked to a newer major line
  • v3.0.0 updates psy/psysh from ^0.11.1|^0.12.0 (v2.x) to ^0.12.0. [2]

5) Symfony VarDumper support range updated
  • v3.0.0 updates symfony/var-dumper constraint from ^4.3.4|^5.0|^6.0|^7.0|^8.0 (v2.x) to ^5.4|^6.0|^7.0|^8.0. [2]

6) Untrusted-project (“trust project”) prompts / behavior changes
  • The v3.0.0 release notes include “Avoid trust project prompts from PsySH”. [3][4]
  • v3.0.0 also adds a Project Trust Mode setting in config/tinker.php: 'trust_project' => env('TINKER_TRUST_PROJECT', 'always'), with accepted values like "prompt", "always", "never", etc. [1]
  • This can change interactive/non-interactive behavior compared with older v2.x PsySH integrations, especially where PsySH “untrusted project” warnings were shown.

7) CLI exit code behavior changed on exceptions
  • v3.0.0 includes “[3.x] Return correct exit code on exceptions”. This is a behavioral change when running tinker in scripts/CI. [3][4]

In short: the most impactful breaking changes are the higher PHP floor (PHP ^8.1), dropped PHP 7.x/8.0, updated dependency constraints (psysh and Symfony VarDumper), plus behavior changes around PsySH project trust prompts and exception exit codes. [3][4][2]

Citations:


🌐 Web query:

What are the breaking changes in Laravel Boost v2.0 compared to v1.x?

💡 Result:

Breaking changes in Laravel Boost 2.0 vs v1.x (grounded in the official 2.x upgrade docs and release notes):

1) Minimum runtime requirements (PHP and Laravel) were raised
  • PHP 8.2 is now the minimum required version. [1]
  • Laravel 11.x is now the minimum required version. [1]

2) Custom agent terminology/API changed (“CodeEnvironment” -> “Agent”) and contracts were renamed
  • The upgrade guide states that “CodeEnvironment” was replaced with “Agent” throughout. [2]
  • It also calls out “Contract Renames” for custom agents and instructs custom agents to be updated to use the new namespace and contracts. [2]

3) config/boost.php guideline paths changed (code_environment -> agents)
  • The upgrade guide states configuration paths were updated from code_environment to agents in config/boost.php (example shown in the guide). [1]
  • It notes this was previously undocumented and impact is low unless you overrode these configuration values. [1]

4) boost:install command flag signature changed (negative opt-out -> positive opt-in)
  • The upgrade guide states the command flags changed from negative opt-out to positive opt-in: [1]
    • before: php artisan boost:install {--ignore-guidelines} {--ignore-mcp}
    • after: php artisan boost:install {--guidelines} {--skills} {--mcp}

5) Inertia guideline assets were reorganized by adapter version (structural change)
  • Release notes for later 2.x versions describe a structural breaking change to the Inertia guideline structure: the generic path was replaced with versioned adapter paths, e.g. .ai/inertia-laravel/core.blade.php -> .ai/inertia-laravel/2/core.blade.php and .ai/inertia-laravel/1/core.blade.php. [3][4]

6) New Skills system introduced in the 2.0 architecture
  • Laravel Boost v2.0 introduced a new Skills system as the headline feature, including skill support/overrides and an artisan command to add skills. [5]

If you want, tell me what you customized in v1.x (custom agents? config/boost.php overrides? any reliance on Inertia guideline paths?), and I’ll map the above breaking items to your likely upgrade impact.

Citations:


Switch Laravel Debugbar to fruitcake package; review breaking changes in all major version updates.

Three direct dependencies have major version bumps with significant breaking changes requiring careful upgrade planning:

Laravel Debugbar v3 → v4: Critical breaking change — The package ownership and namespace changed. You must switch from barryvdh/laravel-debugbar to fruitcake/laravel-debugbar and update imports from Barryvdh\Debugbar to Fruitcake\LaravelDebugbar. Additional breaking changes include: removed helper methods (use debugbar()->startMeasure() instead of start_measure()), removed SocketStorage and Lumen support, jQuery and FontAwesome removed (using Tabler SVG icons), Query Collector API changed (params replaces bindings), and hiddens config option renamed to masked.

Laravel Tinker v2 → v3: Minimum PHP raised to ^8.1 (dropped PHP 7.x and 8.0 support). Updated psysh and Symfony VarDumper dependencies. Project trust mode behavior changed; new trust_project config in config/tinker.php controls PsySH prompts. CLI exit code behavior changed on exceptions.

Laravel Boost v1 → v2: Minimum PHP raised to 8.2 and Laravel 11.x required. API terminology changed (CodeEnvironment → Agent); custom agents must use new contracts. Configuration paths in config/boost.php changed (code_environment → agents). Command flags changed to positive opt-in: --guidelines, --skills, --mcp. Inertia guideline asset paths reorganized by adapter version.

Review official changelogs and test thoroughly before deploying.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@updated-packages.txt` at line 10, The dependency update entry shows major
upgrades with breaking changes: replace barryvdh/laravel-debugbar with
fruitcake/laravel-debugbar and update all imports/usages from Barryvdh\Debugbar
to Fruitcake\LaravelDebugbar, replace removed helper calls (e.g., change
start_measure() to debugbar()->startMeasure()), update Query Collector usage to
use params instead of bindings, rename config.hiddens → config.masked and remove
references to SocketStorage/Lumen-specific code and any assumptions about
bundled jQuery/FontAwesome; additionally verify Laravel Tinker v3 requires PHP
^8.1 and update config/tinker.php for trust_project and adjust any CLI exception
handling assumptions; finally ensure Laravel Boost v2 compatibility by targeting
PHP 8.2 and Laravel 11, rename CodeEnvironment → Agent and update custom agent
implementations to new Agent contracts, migrate config.code_environment →
config.agents, and update CLI commands to use the new positive flags
(--guidelines, --skills, --mcp) and revised Inertia asset paths—review each
package changelog and run tests to apply these code, import, config, and
platform-version changes across the codebase.

nielsdrost7 deleted the automated/composer-update-35 branch May 25, 2026 14:46