
chore(deps): bump github/codeql-action from 3 to 4#4

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/github/codeql-action-4

Conversation


dependabot[bot] (Contributor) commented on behalf of github on Feb 20, 2026

Bumps github/codeql-action from 3 to 4.

Release notes

Sourced from github/codeql-action's releases.

v3.32.3

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

v3.32.2

  • Update default CodeQL bundle version to 2.24.1. #3460

v3.32.1

  • A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
  • Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

v3.32.0

  • Update default CodeQL bundle version to 2.24.0. #3425

v3.31.11

  • When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
  • Improved error handling throughout the CodeQL Action. #3415
  • Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
  • The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

v3.31.10

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.10 - 12 Jan 2026

  • Update default CodeQL bundle version to 2.23.9. #3393

See the full CHANGELOG.md for more information.

v3.31.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.9 - 16 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.8 - 11 Dec 2025

  • Update default CodeQL bundle version to 2.23.8. #3354

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

4.32.3 - 13 Feb 2026

  • Added experimental support for testing connections to private package registries. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. #3466

4.32.2 - 05 Feb 2026

  • Update default CodeQL bundle version to 2.24.1. #3460

4.32.1 - 02 Feb 2026

  • A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #3422
  • Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #3421

4.32.0 - 26 Jan 2026

  • Update default CodeQL bundle version to 2.24.0. #3425

4.31.11 - 23 Jan 2026

  • When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #3409
  • Improved error handling throughout the CodeQL Action. #3415
  • Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #3318
  • The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #3403

4.31.10 - 12 Jan 2026

  • Update default CodeQL bundle version to 2.23.9. #3393

4.31.9 - 16 Dec 2025

No user facing changes.

4.31.8 - 11 Dec 2025

  • Update default CodeQL bundle version to 2.23.8. #3354

4.31.7 - 05 Dec 2025

  • Update default CodeQL bundle version to 2.23.7. #3343

4.31.6 - 01 Dec 2025

No user facing changes.

4.31.5 - 24 Nov 2025

  • Update default CodeQL bundle version to 2.23.6. #3321

4.31.4 - 18 Nov 2025

... (truncated)

Commits
  • c4b0f60 Remove superfluous error handling details
  • 5135700 Add a 5s timeout to requests
  • 4d44b57 Type that registries must have either an url or a host
  • 700fc11 Add missing else
  • 9f2f6d0 Remove superfluous log message
  • 01ee641 Test connections to registries, if FF is enabled
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) on Feb 20, 2026
@chrisdpurcell (Collaborator) commented:

Superseded by Dependabot grouping (PR #45 merged). Dependabot will re-raise these as grouped PRs on next weekly run.

dependabot[bot] (Contributor, Author) commented on behalf of github on Mar 2, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] deleted the dependabot/github_actions/github/codeql-action-4 branch on March 2, 2026 at 10:12
chrisdpurcell added a commit that referenced this pull request Mar 14, 2026
create_entry uses 'is not None' instead of truthy check for optional
fields. Remove unused audit param from list_entries/search_entries.
Fix stale 'Group allowlist' references in vault.py docstring and
README Security Model. Remove unreachable TimeoutError from
unlock_vault handler. Add tag bypass note to import_entries docstring.
Fixes audit findings #4, #5, #7, #8, #11.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
chrisdpurcell added a commit that referenced this pull request Apr 20, 2026
Fix up-docs-audit-drift evidence fabrication reported 2026-04-20.

- agents/up-docs-audit-drift.md: new <verification_discipline> block with two sanctioned responses when verification fails (omit the finding, or confidence: "unverifiable" with literal error text as evidence); worked example for "No such file" failure mode that previously produced invented findings; confidence enum extended to high|medium|low|unverifiable; stats block gains unverifiable counter.
- templates/drift-finding.md: evidence field rule rewritten with explicit guard against fabrication; confidence enum updated.
- docs/handoff.md: Bug #4 logged (Hermes v0.8.0→v1.0.0 fabrication); 0.5.1 row added to Last Updated + What Is Deployed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chrisdpurcell added a commit that referenced this pull request May 8, 2026
Two issues missed in the 2026-05-07 v2.2.0 release surfaced during a
post-migration audit:

Bug A — verify-release.sh Check #4 inverted (real testing-branch residue):
  The check asserted `current branch != main` ("returned to dev branch")
  which was correct under the old testing-branch convention but is
  inverted now that releases stay on main. Every successful release
  was emitting "✗ Returned to dev branch (on: main)" and exiting 1.
  Fixed by deleting Check #4 entirely — there's no branch-state
  cleanup to verify under direct-to-main. The script now reports
  3 checks: tag-on-remote, GitHub release, release notes.

Bug B — test_helper.bash hook collision (environmental, same as
plugin-test-harness v0.7.5 / TEST-003):
  make_git_repo didn't set core.hooksPath=/dev/null, so the workstation
  pre-commit hook (GH007 noreply-email regex) silently rejected the
  test@example.com author commits, leaving HEAD unwritten and breaking
  13 downstream `git tag` test paths with "Failed to resolve 'HEAD'".

verify-release.bats updated to match Bug A: VR4 deleted (asserted the
now-removed check); VR1 expects "3 passed" instead of "4 passed".

Bats suite: 76/76 ✓ (was 63/77).

Plugin version held at 2.2.0; user can release v2.2.1 via /release-pipeline:release
if publishing the fix is wanted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chrisdpurcell added a commit that referenced this pull request May 8, 2026
…ured Evidence

17 pytest cases covering:

Propagator validation:
- valid_repo / valid_wiki / valid_notion (3 positive cases — confirm
  discriminator dispatches to the right concrete class)
- rejects_unknown_action ("Frobnicated" not in Literal)
- rejects_unknown_layer ("drift" → union_tag_invalid; CR-008 regression)
- rejects_extra_top_level_field (extra="forbid")
- rejects_totals_mismatch (declared totals ≠ counted from rows)
- notion_rejects_ipv4_in_summary (Bug #4-class regression)
- notion_allows_ipv6_in_summary (sanity: scope of IPv4 check)

Auditor validation:
- valid_auditor (positive)
- rejects_unknown_confidence
- rejects_stats_mismatch (total_findings != len(findings))
- rejects_string_evidence (CR-003: free-form string no longer schema-valid)
- rejects_evidence_missing_signature
- rejects_high_confidence_with_null_evidence
- allows_unverifiable_with_null_evidence (sanction for command-failed cases)
- validators_cover_all_four_agent_names (registry sanity)

All 17 pass against the venv's pydantic 2.13.4.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chrisdpurcell added a commit that referenced this pull request May 8, 2026
CR-003 fix (verifier side): v1's evidence_signature() extracted 40 chars after
the first colon and searched the union of tool_input + tool_response. So
"ssh host 'cat version.txt' returned 1.0.0" matched the transcript whenever
the command appeared, even if the actual output said "0.8.0". Direct
demonstration:

  $ python -c "
    sig = 'ssh hetzner ...version.txt returned 1.0.0'.split(':',1)[-1].strip()[:40]
    print(sig)  # 'ssh hetzner ...version.txt' — the COMMAND
    "
  # Searching for that signature in the transcript matched tool_input regardless
  # of whether tool_response said 0.8.0 or 1.0.0.

v2 verifier reads structured Evidence objects (per T15 schema):
  evidence = {command, expected_output_signature, source_tool_use_id?}

Grounding rule:
  A finding is grounded iff there exists a transcript record where:
    - record.command (tool_input.command) overlaps evidence.command (substring
      match in either direction to absorb shell-quoting variation), AND
    - record.output (tool_response.output) contains evidence.expected_output_signature
      as a literal substring
  If evidence.source_tool_use_id is set, the search is restricted to that record.

Smoke-tested:
  - Contradiction case: command DID run but output was "0.8.0" instead of "1.0.0"
    → exit 1, fabrication detected. v1 would have passed this.
  - Grounded case: command ran, output matches signature → exit 0.
  - No-record case (the original Bug #4): transcript only has unrelated commands
    → exit 1, fabrication detected.

Plus structural checks:
  - findings with confidence='unverifiable' skipped (their evidence may be null)
  - findings with null evidence and confidence != 'unverifiable' → violation
  - non-dict evidence → violation
  - malformed transcript lines silently skipped (fail open)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chrisdpurcell added a commit that referenced this pull request May 8, 2026
…ction case

9 pytest cases covering the verifier's grounding contract:

- empty_report_passes: no findings → exit 0
- grounded_evidence_passes: command + signature both in matching record
- command_ran_but_output_contradicts_fails: THE CR-003 regression — v1 would
  have passed this, v2 must reject it. Demonstrates that the new schema
  closes the loophole where matching tool_input alone was sufficient.
- command_never_ran_fails: original Bug #4 scenario (auditor invented evidence
  for a command it never executed)
- source_tool_use_id_narrows_search: when use_id is pinned, search is scoped to
  that single record — even if other records match, they're ignored
- source_tool_use_id_grounded: positive case for the same narrowing behavior
- unverifiable_finding_skipped_with_null_evidence: sanctioned escape for failed
  commands (confidence='unverifiable' with evidence=null is OK)
- high_confidence_with_null_evidence_fails: confidence='high' must have evidence
- malformed_transcript_lines_skipped: parser tolerates corrupt JSONL lines

All 9 pass. Combined pytest suite (T16 + T18) now 26 tests, all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
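The grounding rule described in the CR-003 verifier commit above (structured Evidence, substring overlap on the command in either direction, literal substring match on the output, optional narrowing by source_tool_use_id, plus the structural checks) and the test cases listed in this commit, worked as an added Python example. This is illustrative code written for this page, not the project's verifier or its test suite: the transcript records, the tool_use_id values, the commands and the outputs are constructed, and the field names follow the commit text (tool_input.command, tool_response.output, evidence = {command, expected_output_signature, source_tool_use_id?}). The v1 signature heuristic is reimplemented beside the v2 rule so the loophole is visible on the same input. The verifier returns an exit code rather than calling sys.exit so it can be driven from tests.

```python
import json

# Constructed JSONL transcript (not from the project): two tool-use records and
# one corrupt line, so the fail-open parsing path is exercised as well.
TRANSCRIPT_JSONL = "\n".join([
    json.dumps({"tool_use_id": "tu_1",
                "tool_input": {"command": "ssh hetzner 'cat /opt/hermes/version.txt'"},
                "tool_response": {"output": "0.8.0\n"}}),
    json.dumps({"tool_use_id": "tu_2",
                "tool_input": {"command": "ls /etc"},
                "tool_response": {"output": "hosts\npasswd\n"}}),
    "{not valid json",
])


def parse_transcript(jsonl_text):
    """Parse JSONL into dict records; malformed lines are skipped (fail open)."""
    records = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records


def _command_of(rec):
    tool_input = rec.get("tool_input")
    return str(tool_input.get("command", "")) if isinstance(tool_input, dict) else ""


def _output_of(rec):
    tool_response = rec.get("tool_response")
    return str(tool_response.get("output", "")) if isinstance(tool_response, dict) else ""


def v1_evidence_signature(evidence_str):
    """v1 heuristic as the commit describes it: 40 chars after the first colon."""
    return evidence_str.split(":", 1)[-1].strip()[:40]


def v1_is_grounded(evidence_str, records):
    """v1 loophole: the signature is searched in tool_input AND tool_response,
    so a quoted command grounds itself whatever the output actually said."""
    sig = v1_evidence_signature(evidence_str)
    return any(sig in _command_of(r) or sig in _output_of(r) for r in records)


def v2_is_grounded(evidence, records):
    """Grounding rule: some record's command overlaps evidence.command (substring
    in either direction) AND that record's output contains
    expected_output_signature literally. If source_tool_use_id is set, only
    that record is considered."""
    cmd = str(evidence.get("command") or "")
    sig = str(evidence.get("expected_output_signature") or "")
    use_id = evidence.get("source_tool_use_id")
    if not cmd or not sig:  # empty strings would trivially "overlap"; never ground
        return False
    for rec in records:
        if use_id is not None and rec.get("tool_use_id") != use_id:
            continue
        rcmd = _command_of(rec)
        if rcmd and (cmd in rcmd or rcmd in cmd) and sig in _output_of(rec):
            return True
    return False


def verify_report(findings, records):
    """Return (exit_code, violations). Unverifiable findings are skipped, null or
    non-object evidence on any other confidence is a violation, and evidence
    that no transcript record grounds is treated as fabrication."""
    violations = []
    for i, finding in enumerate(findings):
        conf = finding.get("confidence")
        ev = finding.get("evidence")
        if conf == "unverifiable":
            continue
        if ev is None:
            violations.append(f"finding {i}: evidence is null but confidence={conf!r}")
        elif not isinstance(ev, dict):
            violations.append(f"finding {i}: evidence is not an object")
        elif not v2_is_grounded(ev, records):
            violations.append(f"finding {i}: no transcript record grounds "
                              f"{ev.get('command')!r} -> {ev.get('expected_output_signature')!r}")
    return (1 if violations else 0), violations


# Constructed findings: the CR-003 contradiction (command ran, output differs)
# and a grounded finding whose shorter command form overlaps the record's.
CONTRADICTION = {"confidence": "high", "evidence": {
    "command": "ssh hetzner 'cat /opt/hermes/version.txt'",
    "expected_output_signature": "1.0.0"}}
GROUNDED = {"confidence": "high", "evidence": {
    "command": "cat /opt/hermes/version.txt",
    "expected_output_signature": "0.8.0"}}

if __name__ == "__main__":
    recs = parse_transcript(TRANSCRIPT_JSONL)
    v1_str = "Verified via: ssh hetzner 'cat /opt/hermes/version.txt' returned 1.0.0"
    print("v1 grounds the contradiction:", v1_is_grounded(v1_str, recs))  # True (loophole)
    print("v2 verdict:", verify_report([CONTRADICTION, GROUNDED], recs))  # exit 1, one violation
```

The non-empty guard in v2_is_grounded is the one point that goes slightly beyond the commit text: because overlap is tested in both directions, an empty command (or a record with no command field) would otherwise be a substring of everything, so the example refuses to ground on it rather than leaving that to the schema validator.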
chrisdpurcell added a commit that referenced this pull request May 8, 2026
…on rule

CR-003 prompt-side resolution: the validator (T15) and verifier (T17) expect
evidence to be a structured object {command, expected_output_signature,
source_tool_use_id?}. v1 prompt asked for free-form strings, so the auditor
would have produced output that's rejected at parse time by the new schema.

Changes to plugins/up-docs/agents/up-docs-audit-drift.md:

- Added an Evidence-object schema block to <output_format> documenting the
  three fields, their semantics, and when null is allowed.
- Added a "No-fabrication rule (v2 structural enforcement)" paragraph to
  <verification_discipline> explaining how the new schema forces unverifiable
  for unobserved values, and how the verifier + schema together reject
  fabrications at two layers.
- Rewrote 4 example findings (BAO_ADDR rebind, Authentik port, Netdata
  unreachable low-confidence, Hermes version unverifiable) from string-form
  evidence to the object form. The Hermes case now uses evidence: null.
- Updated the verification_discipline table cell that recorded
  "evidence": "Command failed: ..." for unverifiable cases — now records
  "evidence": null.
- Updated the output_format JSON example to match: evidence object with
  command, expected_output_signature, and source_tool_use_id.
- Updated the prose discussing the original Bug #4 wrong-response to
  reference the new structured-evidence verifier and schema.

Verifications:
  $ grep -c '"evidence": "' agents/up-docs-audit-drift.md
  1   # only the prose line that quotes the forbidden v1 shape

  $ grep -c '"command":' agents/up-docs-audit-drift.md
  4   # 3 examples + the output_format prose schema

  $ grep -c "No-fabrication rule" agents/up-docs-audit-drift.md
  1

  $ grep -c '"evidence": null' agents/up-docs-audit-drift.md
  3   # Netdata low-confidence + Hermes unverifiable example + JSON example

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>