diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 099030092..13b7e7f6f 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -153,6 +153,36 @@ jobs: - name: Build run: pnpm run build + # TEMPORARY: probe the tier1-reachability-scan endpoint to capture the + # legacy_mode field returned by depscan for the API token's org. Only + # purpose is to diagnose why Coana v15 e2e tests halt as if the org were + # promoted out of legacy mode. Remove this step once the response has + # been captured in CI logs. + - name: Probe tier1 legacy_mode (DIAGNOSTIC - REMOVE AFTER USE) + if: matrix.node-version == 22 + env: + SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }} # zizmor: ignore[secrets-outside-env] + run: | + set -eu + auth=$(printf '%s:' "$SOCKET_CLI_API_TOKEN" | base64 -w0) + response=$(curl -sS -X PUT https://api.socket.dev/v0/tier1-reachability-scan \ + -H "Authorization: Basic $auth" \ + -H "Content-Type: application/json" \ + -d '{"cli_options":null,"coana_cli_version":"15.1.0","socket_cli_version":"legacy-mode-probe","system_information":null}') + echo "Raw response:" + echo "$response" + echo "---" + echo "$response" | python3 -c "import json,sys + try: + d = json.load(sys.stdin) + except Exception as e: + print('response was not valid JSON:', e) + sys.exit(0) + print('response keys:', sorted(d.keys())) + print('legacy_mode present:', 'legacy_mode' in d) + print('legacy_mode value:', d.get('legacy_mode', '(absent)')) + print('scan_id present:', bool(d.get('tier1_reachability_scan_id')))" + - name: Run e2e tests env: SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN }} # zizmor: ignore[secrets-outside-env] diff --git a/CHANGELOG.md b/CHANGELOG.md index aac1a18b8..e00b23047 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
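Review bot: The new probe step runs under `set -eu` with no `continue-on-error`, so a transient curl failure or a JSON body that is not an object (the `d.keys()` and `d.get()` calls after the `try` assume a dict and raise otherwise) fails the whole node 22 e2e job for a step that only exists to print diagnostics; add `continue-on-error: true` next to `if: matrix.node-version == 22` and guard the parse with `if not isinstance(d, dict): print('response was not a JSON object'); sys.exit(0)` before touching `d.keys()`. The step also echoes the raw response body into the workflow log; on a public repository those logs are world-readable and GitHub masks only values registered as secrets, so confirm the endpoint returns nothing beyond the fields inspected, or print just the parsed fields. Each run issues a real `PUT` that, judging by the `tier1_reachability_scan_id` check, registers a scan against the token's org with a fabricated `socket_cli_version`; that side effect and the TEMPORARY/REMOVE marker deserve a tracking issue or removal date in the comment so the probe does not outlive its purpose. Minor: `base64 -w0` is GNU-specific, fine on ubuntu runners but not portable if the job ever moves to macOS.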
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). +## [1.1.88](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.88) - 2026-04-29 + +### Changed +- Updated the Coana CLI to v `15.1.0`. + ## [1.1.87](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.87) - 2026-04-28 ### Changed diff --git a/package.json b/package.json index bce8e50de..84a7c7825 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "socket", - "version": "1.1.87", + "version": "1.1.88", "description": "CLI for Socket.dev", "homepage": "https://github.com/SocketDev/socket-cli", "license": "MIT AND OFL-1.1", @@ -97,7 +97,7 @@ "@babel/preset-typescript": "7.27.1", "@babel/runtime": "7.28.4", "@biomejs/biome": "2.2.4", - "@coana-tech/cli": "14.12.222", + "@coana-tech/cli": "15.1.0", "@cyclonedx/cdxgen": "12.1.2", "@dotenvx/dotenvx": "1.49.0", "@eslint/compat": "1.3.2", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 8a73cbe4c..19fd6fead 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -128,8 +128,8 @@ importers: specifier: 2.2.4 version: 2.2.4 '@coana-tech/cli': - specifier: 14.12.222 - version: 14.12.222 + specifier: 15.1.0 + version: 15.1.0 '@cyclonedx/cdxgen': specifier: 12.1.2 version: 12.1.2 @@ -749,8 +749,8 @@ packages: resolution: {integrity: sha512-hAs5PPKPCQ3/Nha+1fo4A4/gL85fIfxZwHPehsjCJ+BhQH2/yw6/xReuaPA/RfNQr6iz1PcD7BZcE3ctyyl3EA==} cpu: [x64] - '@coana-tech/cli@14.12.222': - resolution: {integrity: sha512-loRzorTOCuTigI5wLwZThIMHTlZfRBgnTR4FyoV/Dtfx0I61Kz+av3qpEqWIJFgLEf+kR7fbLQCsLL3Kzc01Tg==} + '@coana-tech/cli@15.1.0': + resolution: {integrity: sha512-2lKo4A3c6WXR1AjQW+8feuiR+ltDn/5Y8P32zCY92Nyp3u3ARCke9iuePAQR+YBW0DI4xCckLlf9cU/jlobTHw==} hasBin: true '@colors/colors@1.5.0': 
@@ -5385,7 +5385,7 @@ snapshots: '@cdxgen/cdxgen-plugins-bin@2.0.2': optional: true - '@coana-tech/cli@14.12.222': {} + '@coana-tech/cli@15.1.0': {} '@colors/colors@1.5.0': optional: true diff --git a/src/commands/scan/cmd-scan-reach.e2e.test.mts b/src/commands/scan/cmd-scan-reach.e2e.test.mts index 8abb519b8..46b84ecb6 100644 --- a/src/commands/scan/cmd-scan-reach.e2e.test.mts +++ b/src/commands/scan/cmd-scan-reach.e2e.test.mts @@ -275,6 +275,11 @@ describe('socket scan reach (E2E tests)', async () => { '--reach-debug', '--no-interactive', '--reach-disable-analytics', + // The fixture has empty subprojects (the workspace root and + // packages/package-a contain no source files), which Coana v15 halts + // on by default. The test exercises multi-workspace discovery, not + // strict source-file presence, so opt out of the halt. + '--reach-continue-on-no-source-files', ], 'should run reachability analysis on workspace mono project', async cmd => { @@ -434,6 +439,10 @@ describe('socket scan reach (E2E tests)', async () => { '--reach-disable-analytics', '--reach-exclude-paths', 'packages/package-b', + // Excluding package-b leaves only empty subprojects, which Coana v15 + // halts on by default. The test asserts on the exclusion behavior, + // not source-file presence. + '--reach-continue-on-no-source-files', ], 'should run reachability analysis with excluded paths', async cmd => { @@ -637,6 +646,10 @@ describe('socket scan reach (E2E tests)', async () => { '--reach-debug', '--no-interactive', '--reach-disable-analytics', + // Same fixture as the workspace mono tests: root and package-a have + // no source files, which Coana v15 halts on by default. The test + // exercises --cwd resolution, not source-file presence. + '--reach-continue-on-no-source-files', ], 'should use --cwd to set the working directory', async cmd => { 
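Review bot: With `--reach-continue-on-no-source-files` added to the excluded-paths run, the analysis proceeds over nothing but empty subprojects, so the test can go green without Coana ever analyzing a file; unless the assertions (in the `async cmd =>` callback, outside this hunk) check that `packages/package-b` is absent from the discovered subprojects and that the remaining ones were skipped for the stated reason, the flag turns a discovery regression into a passing run. Consider asserting on the no-source-files skip message in the captured output and saying in the comment which assertion guards the exclusion, e.g. `// Asserted below: package-b must not appear in the discovered subprojects.`. The workspace-mono and --cwd hunks adjacent to this one add the flag with the same rationale and deserve the same check.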
@@ -955,6 +968,16 @@ describe('socket scan reach (E2E tests)', async () => { '--reach-ecosystems', 'pypi', '--reach-disable-analytics', + // Filtering to pypi on this mixed mono project leaves the npm + // subproject with no source files for the requested ecosystem, which + // Coana v15 halts on by default. The test asserts on the ecosystem + // filter, not source-file presence. + '--reach-continue-on-no-source-files', + // The CI runner's network firewall blocks pypi.org, so the pypi + // pre-install step fails. Coana v15 halts on install errors by + // default; this test asserts on ecosystem-filter discovery, not + // successful installation. + '--reach-continue-on-install-errors', ], 'should only analyze pypi ecosystem when --reach-ecosystems pypi is specified', async cmd => { diff --git a/src/commands/scan/cmd-scan-reach.test.mts b/src/commands/scan/cmd-scan-reach.test.mts index 3883c9c28..52dfa78b4 100644 --- a/src/commands/scan/cmd-scan-reach.test.mts +++ b/src/commands/scan/cmd-scan-reach.test.mts @@ -1070,6 +1070,11 @@ describe('socket scan reach', async () => { const output = stdout + stderr expect(output.length).toBeGreaterThan(0) }, + // Non-dry-run invocation actually starts Coana, which under v15 + // performs more upfront work (tier1 scan registration, legacy-mode + // resolution) before failing on the bad memory limit. The default + // 30s cmdit timeout is too tight for that path on slower CI runners. + { timeout: 60_000 }, ) cmdit(
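Review bot: `--reach-continue-on-install-errors` makes the pypi test tolerate the pre-install failure caused by the runner firewall, which means the run no longer proves the pypi path end to end: if the pypi installer broke outright the test would still pass as long as ecosystem discovery succeeds. To keep it meaningful, assert on the captured output that the pypi subproject was discovered and that an install error was actually reported rather than silently absent, so the flag cannot mask a regression in either direction; those assertions live in the callback outside this hunk. The firewall justification is environmental, so note the dependency next to the flag, e.g. `// TODO: drop this flag if the runner firewall ever allows pypi.org.`, otherwise the comment goes stale the day the allowlist changes.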
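Review bot: The added comment states that the non-dry-run invocation performs tier1 scan registration and legacy-mode resolution before it fails on the bad memory limit; if that registration is an API call, this unit test now depends on network reachability and an API token rather than on the memory-limit validation it is meant to exercise, and the 60s timeout papers over that rather than fixing it. Either validate the memory limit before Coana is started so the failure is local and fast, or mock the registration in this test and keep the cmdit default timeout; the `cmdit(` call whose options this hunk extends begins outside the hunk, so the test's setup is not visible here. If reaching the API is intentional, say so in the comment, e.g. `// NOTE: non-dry-run path reaches the Socket API; requires SOCKET_CLI_API_TOKEN in CI.`, hedged as the hunk does not show whether a token is available to unit tests.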