chore: bump bun to v1.3 and add minimumReleaseAge

[HugoRCD]

Summary

Two related changes to harden the supply chain.

1. Bump bun to v1.3

packageManager: bun@1.2.22 → bun@1.3.14. Required to use the minimumReleaseAge setting added in bun 1.3.

2. Add minimumReleaseAge to harden supply chain

New bunfig.toml:

[install]
minimumReleaseAge = 172800
minimumReleaseAgeExcludes = ["@nuxt/*", "@nuxtjs/*", "nuxt", "nuxt-*", "@vercel/*", "@ai-sdk/*", "ai"]

Sets a 2-day minimum age (172800 seconds) before any newly published dependency can resolve. Mitigates compromised-package attacks. Trusted-source allowlist exempts the Nuxt and Vercel ecosystems.

Test plan

• bun install resolves cleanly with v1.3.14
• CI passes

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
knowledge-agent-template	Ready	Preview, Comment	May 21, 2026 11:47am

[github-actions]

Thank you for following the naming conventions! 🙏

[autofix-troubleshooter]

Hi! I'm the autofix.ci troubleshooter bot.

It looks like you correctly set up a CI job that uses the autofix.ci GitHub Action, but the autofix.ci GitHub App has not been installed for this repository. This means that autofix.ci unfortunately does not have the permissions to fix this pull request. If you are the repository owner, please install the app and then restart the CI workflow! 😃