
chore(deps): bump actions/setup-python from 5.6.0 to 6.2.0 #3

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions/setup-python-6.2.0


dependabot[bot] commented on behalf of github on May 17, 2026

Bumps actions/setup-python from 5.6.0 to 6.2.0.

Release notes

Sourced from actions/setup-python's releases.

v6.2.0

What's Changed

Dependency Upgrades

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed

Enhancements:

Dependency and Documentation updates:

New Contributors

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Bug fixes:

Dependency updates:

... (truncated)

Commits
  • a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
  • bfe8cc5 Upgrade @​actions dependencies to Node 24 compatible versions (#1259)
  • 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
  • 83679a8 Bump @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
  • bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
  • 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
  • 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
  • cfd55ca graalpy: add graalpy early-access and windows builds (#880)
  • bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
  • 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and github_actions labels on May 17, 2026
danafitkowski added a commit that referenced this pull request May 24, 2026
Closes ChatGPT third-pass directive item #3: add a strict forensic
run mode that fails hard on alerts that could change the opinion.

New Section Q public API
- computeCPM(activities, relationships, { forensic_strict: true })
- computeCPMForensicStrict(activities, relationships, opts) — sugar
- StrictForensicViolation Error class (name, code STRICT_FORENSIC_
  VIOLATION, .context, .alert)
- FATAL_STRICT_CONTEXTS — Set of 36 fatal alert contexts grouped by
  hazard class
- FATAL_STRICT_MESSAGE_PATTERNS — message-prefix patterns for alerts
  with dynamic context (SUB_DAY_LAG_ROUNDED)

Semantics
- In strict mode, walk result.alerts; any fatal-context alert throws
  unless the analyst overrides it with a written non-empty rationale
  via opts.forensic_strict_overrides.
- Override applications recorded in result.manifest.
  forensic_strict_overrides_applied[] for audit trail.
- Strict equality on the flag: only literal true enables strict mode.
- runCPM (Section D) refuses strict mode immediately — Section D is
  intentionally not calendar-aware and is not appropriate for
  forensic opinion.

Tests — 33 new (1,071 -> 1,104 total)
- API surface exports + FATAL_STRICT_CONTEXTS taxonomy.
- Clean input pass-through with manifest annotation.
- Throws on each fatal-context family.
- Valid override records audit-trail entry and lets result through.
- Empty / whitespace / non-string rationales throw.
- Unrelated override keys ignored.
- runCPM strict-mode immediate refusal.
- Default-off behavior preserved.
- Truthy-not-true (string 'true') does NOT enable strict mode.

DAUBERT.md
- New section 9 Forensic Strict Mode (shipped v2.9.31): rationale,
  API examples, fatal-context taxonomy, override discipline,
  Section D refusal, what strict mode does and does not do.
- 2.1 coverage line updated: strict mode is shipped, not roadmap.

CHANGELOG, README, package.json, test fixtures bumped to v2.9.31.

Verification
- 1,104 / 1,104 unit tests
- 747 / 747 crossval across 43 fixtures
- Citation regression PASS
- npm run verify PASS

Engine math
- computeCPM byte-identical on non-strict path to v2.9.27 / v2.9.28 /
  v2.9.29 / v2.9.30 by design. Strict mode is additive validation;
  existing callers see no behavior change.

v2.9.31 SHAs
- cpm-engine.js: a6b9e8d93f156b4af487082c15e4141236a93f20e9bfa90b57a95521309ac7fe
- python_reference/cpm.py: 50ddea54d9098395199e808a037b4dde70b13e1373db79bcf12957c05e80d8d7

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
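
The strict-mode semantics described in the commit message above, as a stand-alone JavaScript sketch added here; it is not the project's cpm-engine.js code and not part of the commit. The alert shape, the placeholder context name, the keying of overrides by alert context, and the `applyStrictValidation`, `isFatal` and `sampleResult` helpers are assumptions.

```javascript
// Added sketch, not the cpm-engine.js source. Context names are constructed placeholders.
const FATAL_STRICT_CONTEXTS = new Set(['example-fatal-context']);
// Prefix match for fatal alerts whose context string is dynamic.
const FATAL_STRICT_MESSAGE_PATTERNS = ['SUB_DAY_LAG_ROUNDED'];

class StrictForensicViolation extends Error {
  constructor(alert) {
    super(`strict forensic mode: fatal alert "${alert.context}"`);
    this.name = 'StrictForensicViolation';
    this.code = 'STRICT_FORENSIC_VIOLATION';
    this.context = alert.context;
    this.alert = alert;
  }
}

function isFatal(alert) {
  if (FATAL_STRICT_CONTEXTS.has(alert.context)) return true;
  const msg = typeof alert.message === 'string' ? alert.message : '';
  return FATAL_STRICT_MESSAGE_PATTERNS.some((prefix) => msg.startsWith(prefix));
}

// Assumed shapes: result = { alerts: [{ context, message }], manifest: {} };
// opts.forensic_strict_overrides = { [alert.context]: 'written rationale' }.
function applyStrictValidation(result, opts = {}) {
  // Strict equality: only the literal boolean true enables strict mode.
  if (opts.forensic_strict !== true) return result;
  const overrides = opts.forensic_strict_overrides || {};
  const applied = [];
  for (const alert of result.alerts || []) {
    if (!isFatal(alert)) continue;
    // Own-property lookup so inherited keys (e.g. "constructor") never count as overrides.
    const rationale = Object.prototype.hasOwnProperty.call(overrides, alert.context)
      ? overrides[alert.context] : undefined;
    // Fail closed: missing, non-string, empty or whitespace-only rationale throws.
    if (typeof rationale !== 'string' || rationale.trim() === '') {
      throw new StrictForensicViolation(alert);
    }
    applied.push({ context: alert.context, rationale: rationale.trim() });
  }
  // Audit trail: every override that let a fatal alert through is recorded.
  result.manifest = { ...result.manifest, forensic_strict_overrides_applied: applied };
  return result;
}

// Constructed sample result: one fatal alert, one informational alert.
function sampleResult() {
  return { alerts: [
    { context: 'example-fatal-context', message: 'constructed fatal alert' },
    { context: 'example-info', message: 'constructed informational alert' },
  ], manifest: {} };
}
```
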
danafitkowski added a commit that referenced this pull request May 24, 2026
Third adversarial-audit pass on v2.9.31 surfaced 35 findings. Closes
the 21 genuine bugs/drift/overclaim-language findings; the remaining
12-14 honest-disclosure findings get canned cross-exam responses in
docs/cross-exam-prep.md.

Added — version-drift regression gate (closes #1, #2, #3, #5, #6, #7,
#18, #30)
- tests/no-stale-version-refs.test.js: scans 13 doc surfaces for
  v2.9.X references; distinguishes current-state from historic
  narration via whitelist patterns; fails build if any current-state
  reference is not equal to ENGINE_VERSION.
- Wired into npm run test:all and npm run test:version-refs.
- The recurring drift class of bug (4 releases in a row) cannot
  recur in this form on v2.9.32+ without the build failing.

Fixed — version-drift sweep
- DAUBERT.md header v2.9.29 -> v2.9.32
- DAUBERT.md Layer 2 sigstore example: tag-agnostic v<TAG>/...
- VERIFY_RELEASE.md full sweep (header, manifest, checkout, expected
  output, citation block, doc-version footer)
- FORENSIC_USE_SOP.md, docs/jurisdictions.md, docs/api.md, P6
  framework READMEs, XER corpus README: all current-state refs
  bumped to v2.9.32
- Coverage baseline regenerated: 93.33% stmts / 82.39% branches /
  93.75% funcs / 93.33% lines (up from v2.9.31 due to 8 new tests).

Fixed — overclaim language pass (closes #4, #19, #20, #26, #27, #28,
#29)
- DAUBERT §4 + §5: 'is satisfied by' -> 'is addressed by ...
  determination for the trier of fact'
- DAUBERT §3.1: 'challenger can no longer claim untestability' ->
  'substantially weakens an untestability objection'
- FORENSIC_USE_SOP: 'The engine is reliable' -> 'The engine has a
  documented validation record'
- package.json description: 'Forensically-defensible' -> 'Open-source'
- P6 README: dropped 'roughly one work session' time estimate;
  replaced 'Layer-5-equivalent' coinage

Fixed — API doc bug (closes #17)
- docs/jurisdictions.md: getHolidays() documented as returning an
  array of ISO-8601 date strings (which is what it actually returns),
  not objects with {date, name, jurisdiction}. Added
  getJurisdictionCalendar() example showing the typed shape used by
  computeCPM's cal_map.

Engine code — Section Q strict-mode hardening (closes #21, #22, #31)
- computeCPMSalvaging now refuses forensic_strict at function entry,
  throwing StrictForensicViolation with context
  'salvage-mode-not-forensic'. Mirrors runCPM's refusal.
  Categorically closes the route-around audit flagged.
- FATAL_STRICT_CONTEXTS gains 'salvage-mode-not-forensic'.
- SECTION R-v2.9.32 added to cpm-engine.test.js: 8 new tests
  including a dead-context regression — every entry in
  FATAL_STRICT_CONTEXTS must appear at least twice in cpm-engine.js
  source (set member + emission/throw). Closes false-coverage risk.

Added — docs/cross-exam-prep.md (internal analyst resource)
17 pre-drafted defensive responses to predictable cross-examination
questions arising from the engine's published disclosures. Explicitly
marked NOT for court citation; analyst-prep only.

Tests
- 1,112 / 1,112 unit tests (was 1,104)
- 747 / 747 crossval across 43 fixtures
- Citation + truncation + version-drift regression PASS
- npm run verify PASS

Engine math byte-identical to v2.9.27 - v2.9.31 on non-strict path.
Strict mode additively hardened. Sigstore witness regenerated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
danafitkowski added a commit that referenced this pull request May 24, 2026
Fourth-pass ChatGPT audit on v2.9.32 surfaced 19 items. v2.9.33 closes
14 genuinely-shippable items (8 fatal/high audit findings + 6 medium).
The remaining 5 are tracked in the new ROADMAP_OPEN.md as either
ACCEPTED-LIMITATION (with canned cross-exam responses) or OPEN
(roadmap / Dana's action). No more silent open items.

FATAL closes
- F1 VERIFY_RELEASE.md test-count contradictions (1,071/1,104/1,112)
  swept to 1,128 across entire file.
- F2 release-evidence/v2.9.32/ packet missing — backfilled retroactively
  from v2.9.32 CI canonical witness; release-evidence/v2.9.33/ will be
  built as a phase-2 follow-up after CI runs.

HIGH closes
- #3 SHA sidecar wording reframed as 'gitignored generated artifact'
- #4 npm run verify now invokes truncation + version-drift gates;
  witness JSON records all five gate results
- #5 version-refs gate now WARN-by-default, FATAL under
  CHECK_RELEASE_EVIDENCE=1 (CI / pre-tag hook)
- #7 Cases 14/15 moved from validation/p6-comparison/cases/ to
  validation/engine-limitations/cases/; P6 matrix is now 13 cases
- #8 validation/real-xer-corpus/ placeholder folder with full
  sanitization-checklist documentation

MEDIUM closes
- #11 docs/jurisdictions.md bottom guarantee section fixed
- #12 'No silent wrong-answer paths exist' softened to 'No known
  silent wrong-answer paths remain on the disclosed validation surface'
- #13 DAUBERT disclosure-format paragraph refreshed
- #14 Dead-context test replaced with table-driven test that
  documents emission-path intent for every fatal context + verifies
  source presence + checks set/docs symmetry
- #15 Structured override schema: {rationale, authority_source,
  analyst, date, exhibit_reference}; legacy string form still accepted
  with legacy_string_form: true audit flag
- #18 README competitor table removed; single-column capability list
  retained
- #19 ROADMAP_OPEN.md added at repo root — machine-readable
  CLOSED / ACCEPTED-LIMITATION / OPEN categorization for every
  audit-flagged item

OPEN (tracked in ROADMAP_OPEN.md)
- #6 P6 column capture (Dana's action)
- #8 Real-XER corpus sourcing (Dana's action)
- #9 Clean baseline 23 alerts (accepted limitation, Q6 in cross-exam-prep)
- #10 1k-10k DAG fixtures (engineering roadmap)
- #16 Cryptographic analyst signoff (schema-v2 roadmap)
- #17 Machine-readable SOP checklist (schema-v2 roadmap)

Engine code
- _normalizeForensicStrictOverride() helper added to SECTION Q with
  backward-compat for string form
- _applyForensicStrictValidation() refactored to use normalizer;
  audit-trail entries carry structured fields + legacy_string_form flag

Tests
- 1,128 / 1,128 unit tests (+16 from v2.9.32)
- 747 / 747 crossval, citation, truncation, version-drift all PASS
- npm run verify PASS — witness JSON includes all five gates

Engine math byte-identical to v2.9.27-v2.9.32 on non-strict path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>