From 8154ee8a60d5c1fa28c7bfe849ce93ef103313a0 Mon Sep 17 00:00:00 2001 From: longieirl Date: Thu, 30 Apr 2026 21:00:04 +0100 Subject: [PATCH 1/2] chore: ignore .worktrees directory --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 444dee5..4ae6947 100644 --- a/.gitignore +++ b/.gitignore @@ -248,3 +248,4 @@ tmp/ # Integration test snapshot — personal to each developer's local input/ PDFs. # Never commit updates; the copy on main is kept only as a reference baseline. packages/parser-core/tests/integration/snapshots/output_snapshot.json +.worktrees/ From ca537c8ea4833f7754357841b8ac767f120f3f7b Mon Sep 17 00:00:00 2001 From: longieirl Date: Thu, 30 Apr 2026 21:01:46 +0100 Subject: [PATCH 2/2] fix(#159): upgrade OS packages at build time to patch CVE-2026-31789 Add apt-get upgrade to the production stage so every Docker build pulls the latest patched Debian packages. Fixes 3 critical OpenSSL findings (libssl3t64, openssl, openssl-provider-legacy) reported by Trivy. --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index b7cec82..c72667a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -37,10 +37,11 @@ RUN python -c "import sysconfig; print(sysconfig.get_path('purelib'))" | xargs - FROM base AS production # hadolint ignore=DL3008 -RUN apt-get update && apt-get install -y --no-install-recommends \ +RUN apt-get update && apt-get upgrade -y --no-install-recommends && apt-get install -y --no-install-recommends \ poppler-utils \ && rm -rf /var/lib/apt/lists/* # poppler-utils is runtime-critical; pinning not practical. Mitigated by Trivy CI gate. +# apt-get upgrade ensures OS packages (e.g. openssl) are patched at build time (CVE-2026-31789). RUN groupadd -r appuser && useradd -r -g appuser -u 1000 appuser
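Review bot: The `apt-get update && apt-get upgrade -y` added to the production-stage RUN only patches CVE-2026-31789 if the Debian mirrors already carry the fixed libssl3t64/openssl builds at the moment the layer is built, and the RUN instruction text is now fixed, so a cached layer from an earlier build will be reused by Docker and the upgrade will not re-run on subsequent builds unless the cache is busted — the commit message's "every Docker build pulls the latest patched Debian packages" presumably holds only for `--no-cache` builds or CI runners without a layer cache. The durable fix is to bump the `base` image tag or digest (defined outside this hunk) to a release that ships the patched openssl and rebuild, keeping the upgrade as defence in depth. I would also soften the new comment so it does not read as a guarantee: `# apt-get upgrade pulls available Debian security updates (e.g. openssl, CVE-2026-31789) at build time; relies on a fresh layer and up-to-date mirrors, so the Trivy CI gate remains the real check.` Note that `apt-get upgrade` skips packages that would need new dependencies or removals, so a finding that persists after this change may need `dist-upgrade` or a base-image bump rather than a rebuild.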