Dependabot hardening + dependency update bundle

[lelia]

Summary

Mirrors the Dependabot hardening done in socket-python-cli (#207 / #217 / #218), adapted to this SDK (no Dockerfile, no e2e fixtures, hatch/pip build path), and extended so the Socket Firewall guardrail covers maintainer PRs, not just Dependabot. Three threads:

1. Bundle dependency updates — supersedes the 4 open Dependabot PRs in one verified change.
2. Dependency review — anonymous Socket Firewall smoke on every dependency PR, with an authenticated (enterprise) upgrade path for trusted SocketDev members.
3. Workflow plumbing — composite actions + Dependabot-aware skips on the publish/version workflows.

Dependencies (supersedes 4 Dependabot PRs)

PR	Package	Bump	Notes
#80	idna	3.11 → 3.17	CVE-2026-45409 fix (quadratic-time DoS)
#75	cryptography	46.0.5 → 46.0.7
#74	pygments	2.19.2 → 2.20.0
#83	uv	0.9.21 → 0.11.17	latest (Dependabot targeted 0.11.15)

All four are transitive build/dev deps; runtime deps (requests, typing-extensions) are unchanged. Targeted uv lock upgrades only — no unrelated churn. The 4 Dependabot PRs were closed manually (GitHub closing keywords only close issues, not PRs).

Dependency review (.github/workflows/dependency-review.yml)

On every PR: inspect changed files, then run a Socket Firewall (sfw uv sync --locked) + import-smoke job when Python deps change. The firewall edition is chosen per-PR in inspect:

• Enterprise (firewall-enterprise + socket-token) — for a trusted SocketDev member (author_association ∈ OWNER/MEMBER/COLLABORATOR) on an in-repo (non-fork) PR, when SOCKET_SFW_API_TOKEN is present. Full org-policy enforcement.
• Free (firewall-free, anonymous, no token) — Dependabot, forks, external contributors, or whenever the token is absent. Safe in the unprivileged pull_request context (no pull_request_target, no secret-leak surface).

The mode degrades to free whenever the token is missing, so this is safe to ship today and auto-upgrades to enterprise once the secret exists — no follow-up PR needed.

⚠️ Action required to enable enterprise mode: add a SOCKET_SFW_API_TOKEN secret (repo or org level) holding a Socket API token. The SDK has none today; the CLI uses SOCKET_CLI_API_TOKEN as precedent. Until it's added, all PRs use the free edition.

Verified live on this PR: inspect → firewall-free (no token yet) → python-sfw-smoke installs Socket Firewall Free v1.12.0 and runs sfw uv sync + import smoke successfully.

Dependabot config + workflow skips

• .github/dependabot.yml (new). Grouped (minor/patch + separate major), 7-day cooldown; uv + github-actions (scanning /.github/workflows and /.github/actions/*). No docker ecosystem — no Dockerfile here.
• version-check.yml skips Dependabot PRs (dep bumps carry no package-version bump).
• pr-preview.yml skips Dependabot + fork PRs and gains concurrency cancellation.
• This PR bumps the package version to 3.1.2 (Version Check requires an increment on maintainer PRs).

Workflow cleanup

• .github/actions/setup-sfw (now parameterized with mode + socket-token) and .github/actions/setup-hatch composite actions. pr-preview.yml and release.yml use setup-hatch to de-duplicate the pinned virtualenv/hatchling/hatch install.

Test plan

Automated (local + CI, all green):

• uv lock --locked; uv sync --locked --extra test --extra dev
• Import smoke; pytest tests/unit — 102 passed, 1 skipped
• actionlint on all workflows; YAML parse on all .github files
• CI on this PR: inspect, python-sfw-smoke (free mode), workflow-notice, check_version, preview all pass

Pending:

• Add SOCKET_SFW_API_TOKEN secret, then confirm a maintainer dep PR runs python-sfw-smoke in firewall-enterprise mode
• Next Dependabot PR: runs in firewall-free; Version Check + PR Preview show skipped

[github-actions]

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketdev==3.1.2.dev5