Merge remote-tracking branch 'origin/main' into garrytan/security-wave-5

# Conflicts:
#	CHANGELOG.md

CHANGELOG.md

@@ -1,6 +1,6 @@
 # Changelog
 
-## [0.15.14.0] - 2026-04-06
+## [0.15.15.0] - 2026-04-06
 
 Community security wave: 8 PRs from 4 contributors, every fix credited as co-author.
 
@@ -36,6 +36,14 @@ Community security wave: 8 PRs from 4 contributors, every fix credited as co-aut
 - State load filters cookies from localhost, .internal, and metadata domains.
 - Telemetry sync logs upsert errors from installation tracking.
 
+## [0.15.14.0] - 2026-04-05
+
+### Fixed
+
+- **`gstack-team-init` now detects and removes vendored gstack copies.** When you run `gstack-team-init` inside a repo that has gstack vendored at `.claude/skills/gstack/`, it automatically removes the vendored copy, untracks it from git, and adds it to `.gitignore`. No more stale vendored copies shadowing the global install.
+- **`/gstack-upgrade` respects team mode.** Step 4.5 now checks the `team_mode` config. In team mode, vendored copies are removed instead of synced, since the global install is the single source of truth.
+- **`team_mode` config key.** `./setup --team` and `./setup --no-team` now set a dedicated `team_mode` config key so the upgrade skill can reliably distinguish team mode from just having auto-upgrade enabled.
+
 ## [0.15.13.0] - 2026-04-04 — Team Mode
 
 Teams can now keep every developer on the same gstack version automatically. No more vendoring 342 files into your repo. No more version drift across branches. No more "who upgraded gstack last?" Slack threads. One command, every developer is current.