From a9fde49bc05973b5d1acaa319180f225f28453c1 Mon Sep 17 00:00:00 2001 From: David Antoon Date: Sat, 21 Feb 2026 14:21:47 +0200 Subject: [PATCH 1/5] chore(release): bump versions to 2.11.0 --- libs/ast/package.json | 2 +- libs/broker/package.json | 8 ++++---- libs/client/package.json | 6 +++--- libs/core/package.json | 6 +++--- libs/react/package.json | 4 ++-- libs/runtime/package.json | 8 ++++---- libs/stream/package.json | 4 ++-- libs/types/package.json | 2 +- 8 files changed, 20 insertions(+), 20 deletions(-) diff --git a/libs/ast/package.json b/libs/ast/package.json index 7f78fd0..0dbd3f5 100644 --- a/libs/ast/package.json +++ b/libs/ast/package.json @@ -1,6 +1,6 @@ { "name": "@enclave-vm/ast", - "version": "2.10.0", + "version": "2.11.0", "description": "A production-ready AST security guard for JavaScript - validate, protect, and enforce code safety with extensible rules", "author": "AgentFront ", "homepage": "https://github.com/agentfront/enclave/tree/main/libs/ast-guard", diff --git a/libs/broker/package.json b/libs/broker/package.json index 18b2ea0..65563ee 100644 --- a/libs/broker/package.json +++ b/libs/broker/package.json @@ -1,6 +1,6 @@ { "name": "@enclave-vm/broker", - "version": "2.10.0", + "version": "2.11.0", "description": "Tool broker and session management for the EnclaveJS streaming runtime", "author": "AgentFront ", "homepage": "https://github.com/agentfront/enclave", @@ -35,9 +35,9 @@ } }, "dependencies": { - "@enclave-vm/types": "2.10.0", - "@enclave-vm/stream": "2.10.0", - "@enclave-vm/core": "2.10.0", + "@enclave-vm/types": "2.11.0", + "@enclave-vm/stream": "2.11.0", + "@enclave-vm/core": "2.11.0", "minimatch": "^10.1.1", "zod": "^4.3.6" } diff --git a/libs/client/package.json b/libs/client/package.json index 48bdb6f..5f1ebaf 100644 --- a/libs/client/package.json +++ b/libs/client/package.json 
@@ -1,6 +1,6 @@ { "name": "@enclave-vm/client", - "version": "2.10.0", + "version": "2.11.0", "description": "Browser and Node.js client SDK for the EnclaveJS streaming runtime", "author": "AgentFront ", "homepage": "https://github.com/agentfront/enclave", @@ -34,7 +34,7 @@ } }, "dependencies": { - "@enclave-vm/types": "2.10.0", - "@enclave-vm/stream": "2.10.0" + "@enclave-vm/types": "2.11.0", + "@enclave-vm/stream": "2.11.0" } } diff --git a/libs/core/package.json b/libs/core/package.json index 86f88b4..21155a0 100644 --- a/libs/core/package.json +++ b/libs/core/package.json @@ -1,6 +1,6 @@ { "name": "@enclave-vm/core", - "version": "2.10.0", + "version": "2.11.0", "description": "Sandbox runtime for secure JavaScript code execution", "author": "AgentFront ", "homepage": "https://github.com/agentfront/enclave", @@ -39,8 +39,8 @@ }, "dependencies": { "@babel/standalone": "^7.29.0", - "@enclave-vm/types": "2.10.0", - "@enclave-vm/ast": "2.10.0", + "@enclave-vm/types": "2.11.0", + "@enclave-vm/ast": "2.11.0", "acorn": "8.15.0", "acorn-walk": "8.3.4", "astring": "1.9.0", diff --git a/libs/react/package.json b/libs/react/package.json index 5b6450e..eaf9388 100644 --- a/libs/react/package.json +++ b/libs/react/package.json @@ -1,6 +1,6 @@ { "name": "@enclave-vm/react", - "version": "2.10.0", + "version": "2.11.0", "description": "React hooks and components for the EnclaveJS streaming runtime", "author": "AgentFront ", "homepage": "https://github.com/agentfront/enclave", @@ -34,7 +34,7 @@ } }, "dependencies": { - "@enclave-vm/client": "2.10.0" + "@enclave-vm/client": "2.11.0" }, "peerDependencies": { "react": ">=18.0.0" diff --git a/libs/runtime/package.json b/libs/runtime/package.json index b2d236f..fb0d6f9 100644 --- a/libs/runtime/package.json +++ b/libs/runtime/package.json 
@@ -1,6 +1,6 @@ { "name": "@enclave-vm/runtime", - "version": "2.10.0", + "version": "2.11.0", "description": "Standalone runtime worker for EnclaveJS - deployable execution environment", "author": "AgentFront ", "homepage": "https://github.com/agentfront/enclave", @@ -37,9 +37,9 @@ "enclave-runtime": "./dist/cli.js" }, "dependencies": { - "@enclave-vm/types": "2.10.0", - "@enclave-vm/stream": "2.10.0", - "@enclave-vm/core": "2.10.0" + "@enclave-vm/types": "2.11.0", + "@enclave-vm/stream": "2.11.0", + "@enclave-vm/core": "2.11.0" }, "devDependencies": { "ws": "^8.19.0" diff --git a/libs/stream/package.json b/libs/stream/package.json index db2bad5..8e740a3 100644 --- a/libs/stream/package.json +++ b/libs/stream/package.json @@ -1,6 +1,6 @@ { "name": "@enclave-vm/stream", - "version": "2.10.0", + "version": "2.11.0", "description": "Streaming protocol implementation for EnclaveJS runtime (NDJSON, encryption, reconnection)", "author": "AgentFront ", "homepage": "https://github.com/agentfront/enclave", @@ -35,6 +35,6 @@ } }, "dependencies": { - "@enclave-vm/types": "2.10.0" + "@enclave-vm/types": "2.11.0" } } diff --git a/libs/types/package.json b/libs/types/package.json index 9537713..f152ad8 100644 --- a/libs/types/package.json +++ b/libs/types/package.json @@ -1,6 +1,6 @@ { "name": "@enclave-vm/types", - "version": "2.10.0", + "version": "2.11.0", "description": "Type definitions and Zod schemas for the EnclaveJS streaming runtime protocol", "author": "AgentFront ", "homepage": "https://github.com/agentfront/enclave", From 927e65ed7df535a0918009ad016519e4cbecf5a2 Mon Sep 17 00:00:00 2001 From: David Antoon Date: Sat, 21 Feb 2026 14:27:27 +0200 Subject: [PATCH 2/5] feat: enhance release workflow with cherry-pick version sync to main --- .github/workflows/publish-release.yml | 152 ++++++++++++++++++++++++++ yarn.lock | 82 +++++++++++++- 2 files changed, 233 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index b913a8b..1da517f 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -35,6 +35,10 @@ jobs: publish: runs-on: ubuntu-latest environment: release + outputs: + version: ${{ steps.version.outputs.version }} + is_prerelease: ${{ steps.version.outputs.is_prerelease }} + branch: ${{ steps.context.outputs.branch }} env: NX_DAEMON: "false" 
@@ -433,3 +437,151 @@ jobs: echo "| Pre-release | ${{ steps.version.outputs.is_prerelease }} |" >> "$GITHUB_STEP_SUMMARY" echo "| Branch | \`${{ steps.context.outputs.branch }}\` |" >> "$GITHUB_STEP_SUMMARY" echo "| Packages | All libs/* |" >> "$GITHUB_STEP_SUMMARY" + + cherry-pick-version-to-main: + needs: publish + if: > + inputs.dry_run != true && + needs.publish.outputs.is_prerelease == 'false' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + fetch-depth: 0 + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Check if latest semver + id: check + run: | + set -euo pipefail + VERSION="${{ needs.publish.outputs.version }}" + + git fetch --tags + + # Get all stable version tags, sort by semver, pick highest + LATEST=$(git tag --list 'v*' \ + | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ + | sort -V \ + | tail -1 \ + | sed 's/^v//') + + echo "Released version: $VERSION" + echo "Latest stable tag: $LATEST" + + if [ "$VERSION" = "$LATEST" ]; then + echo "is_latest=true" >> "$GITHUB_OUTPUT" + echo "This is the latest version — will cherry-pick to main" + else + echo "is_latest=false" >> "$GITHUB_OUTPUT" + echo "Skipping: v$VERSION is not the latest (v$LATEST is newer)" + fi + + - name: Configure git + if: steps.check.outputs.is_latest == 'true' + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + + - name: Cherry-pick version bump to main + if: steps.check.outputs.is_latest == 'true' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -euo pipefail + + VERSION="${{ needs.publish.outputs.version }}" + RELEASE_BRANCH="${{ needs.publish.outputs.branch }}" + DEFAULT_BRANCH="${{ github.event.repository.default_branch }}" + + # Find the version bump commit on the release branch + VERSION_COMMIT=$(git log "origin/$RELEASE_BRANCH" \ + --grep="chore(release): v${VERSION}" \ + --format="%H" -1) 
+ + if [ -z "$VERSION_COMMIT" ]; then + echo "::warning::Could not find version bump commit for v${VERSION}" + exit 0 + fi + + echo "Found version bump commit: $VERSION_COMMIT" + + # Prepare cherry-pick branch + CHERRY_BRANCH="cherry-pick/v${VERSION}-version-to-main" + + git fetch origin "$DEFAULT_BRANCH" + git checkout "$DEFAULT_BRANCH" + git pull origin "$DEFAULT_BRANCH" + + # Clean up existing remote branch if any + git push origin --delete "$CHERRY_BRANCH" 2>/dev/null || true + git checkout -b "$CHERRY_BRANCH" + + # Attempt cherry-pick + if git cherry-pick "$VERSION_COMMIT" --no-commit; then + git commit -m "$(cat < Date: Sat, 21 Feb 2026 14:38:00 +0200 Subject: [PATCH 3/5] feat: add check to skip cherry-pick if version bump is already on default branch --- .github/workflows/publish-release.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 1da517f..bc5bff3 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -510,10 +510,17 @@ jobs: echo "Found version bump commit: $VERSION_COMMIT" + git fetch origin "$DEFAULT_BRANCH" + + # Skip if the version bump is already on the default branch + if git merge-base --is-ancestor "$VERSION_COMMIT" "origin/$DEFAULT_BRANCH"; then + echo "Version bump commit $VERSION_COMMIT is already on $DEFAULT_BRANCH — skipping cherry-pick" + exit 0 + fi + # Prepare cherry-pick branch CHERRY_BRANCH="cherry-pick/v${VERSION}-version-to-main" - git fetch origin "$DEFAULT_BRANCH" git checkout "$DEFAULT_BRANCH" git pull origin "$DEFAULT_BRANCH" From fe72c64b752af0aae3e211c4ad14e8c4f3e5766c Mon Sep 17 00:00:00 2001 From: David Antoon Date: Sat, 21 Feb 2026 14:48:00 +0200 Subject: [PATCH 4/5] feat: add checks to handle empty cherry-pick scenarios for version bumps --- .github/workflows/publish-release.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
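Review bot: The `run:` scripts of the new `cherry-pick-version-to-main` job splice `${{ needs.publish.outputs.version }}` and `${{ needs.publish.outputs.branch }}` straight into shell source, so the runner expands them before bash parses the script and any shell metacharacter in them becomes code in a job holding `contents: write`, `pull-requests: write` and `issues: write`. How `steps.context.outputs.branch` is derived is not visible here, so treat it as untrusted: map the values under `env:` (for example `RELEASE_BRANCH: ${{ needs.publish.outputs.branch }}`) and read them in the script as `"$RELEASE_BRANCH"` and `"$VERSION"`. The same pattern recurs in the `Update demo app dependency versions` step added in patch 5/5. Separately, `--grep="chore(release): v${VERSION}"` is an unanchored regex, so it can also select a commit whose subject only starts with that text (a pre-release bump, for example); a trailing `$` on the pattern would narrow it. The rest of this step after the `git commit -m` heredoc is cut off on this page and was not reviewed.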
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index bc5bff3..4451dab 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -530,6 +530,13 @@ jobs: # Attempt cherry-pick if git cherry-pick "$VERSION_COMMIT" --no-commit; then + # Check if cherry-pick produced any changes (may be empty if already applied via a different commit) + if [ -z "$(git diff --cached --name-only)" ]; then + echo "Cherry-pick produced no changes — version bump already applied on $DEFAULT_BRANCH" + git reset HEAD 2>/dev/null || true + exit 0 + fi + git commit -m "$(cat </dev/null || true + exit 0 + fi + git cherry-pick --abort || true echo "::warning::Cherry-pick had conflicts. Creating issue for manual resolution." From 3f3f7e8e25d7d3c83e5db18a4a79665fa9a6ce7d Mon Sep 17 00:00:00 2001 From: David Antoon Date: Sat, 21 Feb 2026 15:01:55 +0200 Subject: [PATCH 5/5] feat: update demo app dependencies to match new version --- .github/workflows/publish-release.yml | 31 +++++++++++++++++++++++++++ apps/streaming-demo/package.json | 8 +++---- 2 files changed, 35 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 4451dab..32ec019 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml 
@@ -268,6 +268,37 @@ jobs: echo "Setting version $VERSION for all libs" npx nx release version "$VERSION" --git-commit=false --git-tag=false + - name: Update demo app dependency versions + if: ${{ inputs.dry_run != true }} + shell: bash + run: | + VERSION="${{ steps.version.outputs.version }}" + echo "Updating @enclave-vm/* dependencies in apps to $VERSION" + for pkg in apps/*/package.json; do + [ -f "$pkg" ] || continue + # Update any @enclave-vm/* dependency versions + node -e " + const fs = require('fs'); + const p = JSON.parse(fs.readFileSync('$pkg', 'utf8')); + let changed = false; + for (const section of ['dependencies', 'devDependencies', 'peerDependencies']) { + if (!p[section]) continue; + for (const [name, ver] of Object.entries(p[section])) { + if (name.startsWith('@enclave-vm/') && ver !== '$VERSION') { + p[section][name] = '$VERSION'; + changed = true; + } + } + } + if (changed) { + fs.writeFileSync('$pkg', JSON.stringify(p, null, 2) + '\n'); + console.log('Updated: $pkg'); + } else { + console.log('No changes: $pkg'); + } + " + done + - name: Commit version bump if: ${{ inputs.dry_run != true }} run: | diff --git a/apps/streaming-demo/package.json b/apps/streaming-demo/package.json index 77a88e4..a46b797 100644 --- a/apps/streaming-demo/package.json +++ b/apps/streaming-demo/package.json @@ -11,10 +11,10 @@ "runtime": "ts-node src/runtime-server.ts" }, "dependencies": { - "@enclave-vm/broker": "2.10.0", - "@enclave-vm/client": "2.10.0", - "@enclave-vm/types": "2.10.0", - "@enclave-vm/core": "2.10.0", + "@enclave-vm/broker": "2.11.0", + "@enclave-vm/client": "2.11.0", + "@enclave-vm/types": "2.11.0", + "@enclave-vm/core": "2.11.0", "express": "^4.21.0", "zod": "^3.24.0" },
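Review bot: The inline `node -e "…"` program in the new `Update demo app dependency versions` step is assembled by shell interpolation, with `$pkg` and `$VERSION` pasted inside single-quoted JavaScript string literals. A quote or backslash in either value therefore changes the program that runs rather than the data it processes, in the step that runs immediately before `Commit version bump`. Passing both through the environment and reading `process.env` keeps them as data, and the version should likewise arrive via `env:` instead of `${{ steps.version.outputs.version }}` inside the script. The loop also rewrites `peerDependencies` entries to the exact release version, replacing any range a demo app declared there; if that is not intended, drop that section from the list. A sketch of the env-based form follows.

```yaml
        shell: bash
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          # … unchanged: echo and the for-loop header over apps/*/package.json …
            PKG="$pkg" node -e '
              const fs = require("fs");
              const { PKG, VERSION } = process.env;
              const p = JSON.parse(fs.readFileSync(PKG, "utf8"));
              // … unchanged: section loop and write-back, now using PKG and VERSION,
              //   with double-quoted JS strings so the single-quoted shell argument holds …
            '
```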