
chore(deps): bump the pip group across 2 directories with 1 update#18

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/pip/04-/pip-daab75b6a8

Conversation


@dependabot dependabot Bot commented on behalf of github May 10, 2026

Bumps the pip group with 1 update in the /04-配置文件 directory: pytest.
Bumps the pip group with 1 update in the /examples/web-demo directory: pytest.

Updates pytest from 8.3.4 to 9.0.3

Release notes

Sourced from pytest's releases.

9.0.3

pytest 9.0.3 (2026-04-07)

Bug fixes

  • #12444: Fixed pytest.approx which now correctly takes into account collections.abc.Mapping keys order to compare them.

  • #13634: Blocking a conftest.py file using the -p no: option is now explicitly disallowed.

    Previously this resulted in an internal assertion failure during plugin loading.

    Pytest now raises a clear UsageError explaining that conftest files are not plugins and cannot be disabled via -p.

  • #13734: Fixed crash when a test raises an exceptiongroup with __tracebackhide__ = True.

  • #14195: Fixed an issue where non-string messages passed to unittest.TestCase.subTest() were not printed.

  • #14343: Fixed use of insecure temporary directory (CVE-2025-71176).

Improved documentation

  • #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and fixed an incorrect -p example.
  • #13731: Clarified that capture fixtures (e.g. capsys and capfd) take precedence over the -s / --capture=no command-line options in "Accessing captured output from a test function".
  • #14088: Clarified that the default pytest_collection hook sets session.items before it calls pytest_collection_finish, not after.
  • #14255: TOML integer log levels must be quoted: Updating reference documentation.

Contributor-facing changes

  • #12689: The test reports are now published to Codecov from GitHub Actions. The test statistics are visible on the web interface.

    -- by aleguy02

9.0.2

pytest 9.0.2 (2025-12-06)

Bug fixes

  • #13896: The terminal progress feature added in pytest 9.0.0 has been disabled by default, except on Windows, due to compatibility issues with some terminal emulators.

    You may enable it again by passing -p terminalprogress. We may enable it by default again once compatibility improves in the future.

    Additionally, when the environment variable TERM is dumb, the escape codes are no longer emitted, even if the plugin is enabled.

  • #13904: Fixed the TOML type of the tmp_path_retention_count settings in the API reference from number to string.

  • #13946: The private config.inicfg attribute was changed in a breaking manner in pytest 9.0.0. Due to its usage in the ecosystem, it is now restored to working order using a compatibility shim. It will be deprecated in pytest 9.1 and removed in pytest 10.

... (truncated)

Commits

Updates pytest from 7.4.3 to 9.0.3

Release notes

Sourced from pytest's releases; the 9.0.3 and 9.0.2 notes are identical to those quoted above for the first update.

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the pip group with 1 update in the /04-配置文件 directory: [pytest](https://github.com/pytest-dev/pytest).
Bumps the pip group with 1 update in the /examples/web-demo directory: [pytest](https://github.com/pytest-dev/pytest).


Updates `pytest` from 8.3.4 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.4...9.0.3)

Updates `pytest` from 7.4.3 to 9.0.3
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@8.3.4...9.0.3)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) May 10, 2026
@Wool-xing
Owner

Reason for closing: this directly conflicts with the decision in W3 commit 67a322e: chore(deps): pytest 9.0.3 → 8.3.4.

W3 intentionally downgraded pytest to 8.3.4 because:

  • The pytest 9.x plugin ecosystem has not caught up yet (pytest-xdist / pytest-rerunfailures / allure-pytest: some plugins report compatibility warnings)
  • CVE-2025-71176 is only a local DoS; the risk is acceptable for a template repository

We will upgrade separately once the 9.x plugin ecosystem stabilises (expected Q3 2026).

Next step: add an ignore entry to dependabot.yml so Dependabot stops reopening this PR.

@Wool-xing Wool-xing closed this May 10, 2026

dependabot Bot commented on behalf of github May 10, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/pip/04-/pip-daab75b6a8 branch May 10, 2026 19:57
Wool-xing pushed a commit that referenced this pull request May 10, 2026
Merge the 2 PRs that Dependabot withdrew:
- Manually bump actions/checkout v4→v6 (original PR #13, conflicted with #12 actions/setup-python,
  merged bypassing dependabot)
- actions/setup-python v5→v6 already landed via PR #12 in commit 6024104

dependabot.yml: add an explicit pytest "9.x" version block (covering minor/patch); the previous ignore
on semver-major only was not enough to stop dependabot repeatedly opening PRs (e.g. PR #18: 8.3.4→9.0.3).

Rationale: the W3 commit 67a322e decision: the pytest 9.x plugin ecosystem has not caught up, and CVE-2025-71176
is only a local DoS, acceptable for a template repository. Unlock once the 9.x ecosystem stabilises in Q3 2026.
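The ignore rule that the owner's closing comment and this commit describe, written out as an added dependabot.yml example. This is not the repository's own file: the two directory names, the "9.x" version string and the "pip" group name come from this PR page; the weekly schedule, the group pattern and the use of the multi-directory `directories` key are assumptions.

```yaml
version: 2
updates:
  - package-ecosystem: "pip"
    # Both directories Dependabot bumped in this PR (taken from the PR description).
    # `directories` is the multi-directory form of `directory`; assumed here.
    directories:
      - "/04-配置文件"
      - "/examples/web-demo"
    schedule:
      interval: "weekly"        # assumed schedule
    groups:
      pip:
        patterns: ["*"]         # assumed: one grouped "pip" PR, as in this PR's title
    ignore:
      # Earlier rule: blocks only semver-major bumps of pytest. According to the
      # commit above it did not stop the grouped 8.3.4 -> 9.0.3 PR (#18).
      # - dependency-name: "pytest"
      #   update-types: ["version-update:semver-major"]
      #
      # Replacement rule: exclude the whole 9.x line explicitly, which also
      # covers minor and patch bumps inside 9.x. Remove this entry once the
      # 9.x plugin ecosystem is considered stable (the page says Q3 2026).
      - dependency-name: "pytest"
        versions: ["9.x"]
```

The trade-off this entry makes is the one the closing comment states: while it is in place, Dependabot will also not open the PR that carries the CVE-2025-71176 fix, so the rule needs an owner and a revisit date rather than being left indefinitely.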
Wool-xing pushed a commit that referenced this pull request May 17, 2026
…rends, impact analysis, traceability

- #14: runtime/observability/dashboard.py — 3-row layout (decision→diagnostic→action)
  with MTTD/MTTR, expert heatmap, flaky candidates, env health, action items.
  api/main.py /dashboard endpoint rewired to new builder.
- #15: runtime/orchestrator/release_readiness.py — weighted scoring
  (smoke×0.4+regression×0.3+perf×0.2+security×0.1→GREEN/YELLOW/RED).
  CLI: tagent readiness. Does not modify test_lead.py.
- #16: flaky_detector.py — detect_trends() (P-F-P/F-P-F patterns),
  generate_quarantine(), generate_pytest_markers().
- #17: runtime/intelligence/impact_analyzer.py — AST import graph +
  git diff → impacted test list. Does not modify regression_scope.py.
- #18: traceability_matrix.py — bidirectional Req↔TC↔Bug matrix
  with coverage stats, orphan detection, markdown export.

148 tests pass. 9/9 DAG demo ok.
Wool-xing added a commit that referenced this pull request May 17, 2026
* fix: correct setuptools package discovery for editable install

`where = ["."]` with `include = ["runtime*"]` couldn't find the runtime
package because the runtime directory IS the package root (runtime/__init__.py
is directly in .). Changed where to `[".."]` so setuptools scans the parent
directory and finds `runtime/` as a package.

Before: `pip install -e .` produced empty MAPPING — `import runtime` failed.
After: `import runtime` works, `tagent demo` completes all 4 steps.

* feat: add --version flag to tagent CLI

Users expect `tagent --version` to print version info. Added callback
that prints "Test-Agent Runtime v1.32.0" when --version is passed.

* fix: auto-generate smoke PRD fixture when missing in demo

Previously `tagent demo` step 3 would hard-fail with "fixture missing"
if examples/_smoke_prd.md was deleted from disk. Now it auto-generates
the fixture from an embedded template, showing a warning instead.

This prevents demo breakage when the examples/ directory is accidentally
cleaned or the user runs demo outside the repo root.

* feat: english-ify tagent CLI help text and user-facing output

Converted all CLI command descriptions, option help text, and user-facing
console output from Chinese to English for international accessibility.
Internal code comments, fixture data, and workspace paths unchanged.

* feat: english-ify tagent CLI help text and user-facing output

Convert CLI command descriptions, option help text, and user-facing
console output from Chinese to English. Updated related tests.

Includes: config subcommand help, demo flow output, selftest/doctor
messages, init/export descriptions.

* chore: bump version 1.32.0 → 1.32.1 + fix CONTRIBUTING.md stale 33→32

- Project-wide version number synced to 1.32.1 (17 files)
- CONTRIBUTING.md: 16/33/49 → 16/32/49 (skill count aligned with the actual pre-commit/CI check, -eq 32)
- CHANGELOG: added v1.32.1 entry

* fix: security hardening — shell injection, hardcoded creds, API auth, silent failures

CRITICAL fixes:
- backends/local.py: create_subprocess_shell → create_subprocess_exec (CWE-78)
- backends/ssh.py: cat {path} → SFTP read; shlex.quote(cwd/env); known_hosts=()
- config/settings.py: remove default db_url/password creds; api_host→127.0.0.1; add api_auth_token
- api/main.py: bearer auth middleware (gated by TAGENT_API_AUTH_TOKEN); CORS restrict to localhost; file upload max 50MB + extension allowlist

Silent failure fixes:
- api/main.py: except Exception:continue → catch specific + logger.warning (list_history/dashboard); logger.exception in background thread; threading.Lock on _run_results
- api/deps.py: persistence fail → logger.error; status persist DEBUG→WARNING; artifact read fail → [READ_ERROR] marker
- api/parsers.py: PDF/DOCX extract fail → [PARSE_ERROR] marker
- router/retrieval.py: retrieval fail DEBUG→WARNING
- 05-代码示例/api_retry_util.py: bare except pass → logger.debug

.gitignore hardening:
- Add workspace/测试报告/, workspace/feedback/, workspace/自动化脚本/
- Add runtime/workspace/, runtime/web/tsconfig.tsbuildinfo
- Add docs/审查报告/, docs/参考库/, docs/decisions/, archive/
- Remove 4 tracked test report .docx from git

* fix: utils security hardening — owner check, XML escape, WS leak, CI pin

- chaos_helper.py: kill_process psutil absent now raises RuntimeError instead of skipping owner check
- i18n_checker.py: bare except Exception → specific (UnicodeDecodeError, PermissionError, OSError) + logger.warning
- miniprogram_runner.py: WebSocket close wrapped in try/finally to prevent connection leak
- protocol_helper.py: SOAP body_xml escaped with xml.sax.saxutils.escape() to prevent XML injection
- ci.yml: pin ludeeus/action-shellcheck@master → @2.0.0
- install.sh: add security note recommending git clone over curl|bash

* chore: fix pre-commit deprecated default_stages commit → pre-commit

* chore: bump version 1.32.1 → 1.32.2

Project-wide version sync + CHANGELOG entry for the v1.32.2 security hardening

* refactor: _stub_response dispatch table + fuzzer ALL_PAYLOADS hoist + bump 1.32.3

- router/llm_client.py: 77-line if/elif chain → _STUB_TARGETS table (8 entries)
- fuzzer.py: sum(PAYLOAD_LIBRARY.values(), []) hoist to module-level ALL_PAYLOADS

* docs: honesty pass — remove marketing numbers, clarify vision skills, drop internal references

- README: 8640 combos → ~12 CI-validated; 95% aspirational → removed; 32 skills → 30 active + 2 vision
- 00-项目导航: 9x main-charter "§X" references → plain descriptions (external contributors don't know charter section numbers)
- ROADMAP: 3x main-charter references removed

* refactor: split overlong functions — generate_report (143→30) + mobile_driver (107→55)

- generate_report.py: extract _write_docx_header/_summary/_degraded_warning/_bugs/_performance/_risks helpers
- mobile_driver.py: extract _build_monkey_cmd + _analyze_monkey_log helpers

* chore: bump version 1.32.3 → 1.32.4

Phase 1+2 wrap-up: honest numbers + internal reference cleanup + long-function split

* refactor: split CLI/main.py (680→39 lines) into 8 command modules

- runtime/cli/_shared.py: kernel, console, helpers, fixtures
- runtime/cli/commands/run.py: run + plan
- runtime/cli/commands/catalog.py: catalog
- runtime/cli/commands/doctor.py: doctor
- runtime/cli/commands/selftest.py: selftest
- runtime/cli/commands/market.py: search + list + install + uninstall + verify
- runtime/cli/commands/demo.py: demo
- runtime/cli/commands/init.py: init
- runtime/cli/commands/export.py: export

Pure mechanical split — no logic changes. 128 tests pass.

* test: add 20 core smoke tests — CLI commands, API auth, build_artifact, catalog

- test_cli_commands.py (5): all 13 commands registered, --version, catalog, doctor, --help
- test_api_auth.py (6): health public, auth middleware blocks/allows, CORS headers
- test_build_artifact.py (4): url/file/text input parsing
- test_catalog.py (5): expert/skill counts and field validation

* chore: bump version 1.32.4 → 1.32.5

CLI split + 20 smoke tests + CHANGELOG

* fix: flaky test_execute_node_allows_production_skill — reset catalog/settings cache per test

conftest _env_isolation now calls get_catalog(refresh=True) + resets settings cache
to prevent cross-test state pollution from modules that create Kernel() at import time.

* fix: on_failure=skip now correctly excludes node from failure count

- tasks.py: skip nodes set summary.skipped=True, no longer counted as failed
- flows.py: track skipped list separately, include in summary.skipped
- direct.py: same skip tracking for direct executor path

* feat: Phase 3 engine hardening — self-healing, retry, circuit breaker, skip fix, fixture isolation

- #9: runtime/self_healing/ (retry.py + locator_store.py) — exponential-backoff
  retry wrapper for subprocess/LLM errors. scripts.py subprocess.run + direct.py
  _run_node both use with_retry().
- #10: direct.py executor-level retry — resubmits _run_node up to 2 extra times
  with 2^attempt backoff on unexpected exceptions.
- #11: on_failure=skip nodes now set skipped=True, excluded from failure count.
  flows.py + direct.py track skipped separately.
- #12: 04-配置文件/conftest.py test_data + browser_context session→function scope.
  test_data uses tmp_path to avoid parallel file collisions.
- #13: MAX_FAILURES=3 circuit breaker in flows.py + direct.py. DAG progress logging
  per node. tasks.py timeout_seconds=3600.

148 tests pass. 9/9 DAG demo ok.

* feat: Phase 4 test intelligence — dashboard, readiness score, flaky trends, impact analysis, traceability

- #14: runtime/observability/dashboard.py — 3-row layout (decision→diagnostic→action)
  with MTTD/MTTR, expert heatmap, flaky candidates, env health, action items.
  api/main.py /dashboard endpoint rewired to new builder.
- #15: runtime/orchestrator/release_readiness.py — weighted scoring
  (smoke×0.4+regression×0.3+perf×0.2+security×0.1→GREEN/YELLOW/RED).
  CLI: tagent readiness. Does not modify test_lead.py.
- #16: flaky_detector.py — detect_trends() (P-F-P/F-P-F patterns),
  generate_quarantine(), generate_pytest_markers().
- #17: runtime/intelligence/impact_analyzer.py — AST import graph +
  git diff → impacted test list. Does not modify regression_scope.py.
- #18: traceability_matrix.py — bidirectional Req↔TC↔Bug matrix
  with coverage stats, orphan detection, markdown export.

148 tests pass. 9/9 DAG demo ok.

* feat: Phase 6 developer experience — bootstrap, debug mode, actionable errors, tutorial, shell completion

- #24: tagent bootstrap — one-command check→configure→verify (Python/Git/pip/LLM)
- #25: --debug CLI flag + TAGENT_LOG_LEVEL env + log_level setting
- #26: Actionable error messages — "internal error" now includes run_id + log path + --debug hint.
  modal.py "not connected" → "call connect() first"
- #27: docs/tutorial/TUTORIAL.md — 5-step interactive tutorial (10 min)
- #28: tagent --install-completion (shell autocomplete) + --no-color flag

148 tests pass.

* feat: Phase 5 enterprise readiness — RBAC, audit trail, multi-tenant, config validation, lifecycle hooks

- #19: runtime/api/rbac.py — 4-role RBAC (admin/lead/tester/viewer) + require_role()
  decorator. Disabled by default (TAGENT_RBAC_ENABLED=0). Does not modify auth middleware.
- #20: runtime/observability/audit.py — JSONL audit log (log_event / query_events).
  Thread-safe, append-only.
- #21: runtime/api/tenancy.py — contextvars-based tenant propagation.
  Disabled by default. Does not modify DB schema.
- #22: Settings.validate_startup() — checks LLM key, dirs, DB driver.
  Wired into tagent doctor.
- #23: runtime/orchestrator/hooks.py — HookRegistry (before/after/on_error).
  Integrated into direct.py _run_node(). Hooks never break execution.

148 tests pass.

* feat: Phase 7 methodology — branch coverage, static analysis, portability tests, risk matrix, classification tree

- #29: pyproject.toml --cov-branch enabled
- #30: pyproject.toml pylint + radon config (CC rank=B)
- #31: 7 portability tests (ISO 25010: installability/coexistence/replaceability)
  + @pytest.mark.portability marker
- #32: runtime/intelligence/risk_matrix.py — Bayesian calibrated risk matrix
  with mitigation tracking
- #33: classification_tree.py — ISTQB CTM with pairwise generation + constraints

155 tests pass (148 + 7 portability).

* feat: Phase 8 platform — plugin discovery, data synthesis, APM export, journey mapping, multi-region monitor

- #34: runtime/marketplace/discovery.py — importlib.metadata entry_points for
  third-party agent/skill/backend registration (group=tagent)
- #35: data_synthesizer.py — PII auto-detection (email/phone/id/ip/credit_card)
  + deterministic masking + random subset extraction
- #36: runtime/observability/apm_export.py — Datadog + Grafana dashboard JSON
  export (pass rate, MTTD/MTTR, expert health, flaky candidates)
- #37: runtime/intelligence/journey_mapper.py — failure→business journey impact
  mapping (Registration/Login/Payment/Profile/...)
- #38: .github/workflows/synthetic-monitor.yml — scheduled multi-region smoke
  test (every 6h, 4 regions)

155 tests pass. 9/9 DAG demo ok.
🎉 38/38 MASTER_PLAN items complete.

* fix: CI utils count 49→52 + remove --cov-branch from default pytest addopts

- .github/workflows/ci.yml: expected utils count updated 49→52
- runtime/pyproject.toml: removed --cov-branch from addopts (requires
  pytest-cov which is not installed in CI). Coverage flags should be
  passed explicitly: pytest --cov --cov-branch

* fix: CI pytest — add fastapi/python-multipart/httpx/pytest-cov deps, restore --cov-branch

* fix: resolve CodeQL review comments — URL substring sanitization + workflow permissions

---------

Co-authored-by: xiaoxing0135 <706015750@qq.com>
Wool-xing pushed a commit that referenced this pull request May 27, 2026
…storage)

localStorage is readable by XSS; the API key (LLM provider) is moved to in-memory React state only,
so users must re-enter it after a refresh/restart. provider + model stay in localStorage (non-sensitive preferences).
UI hint text updated accordingly.

#17 (security_scanner.py prints the scan URL) dismissed: false positive,
  a CLI security scanner's job is to output scan results, and the URL is the scan target the user passed in.
#18 (iot_helper.py AutoAddPolicy) dismissed: used in tests,
  the policy is double-guarded by auto_add_for_testing=True or env IOT_SSH_AUTOACCEPT=1,
  the comment states it is only for isolated test networks; production uses RejectPolicy.
Wool-xing added a commit that referenced this pull request May 27, 2026
* fix(ci): D+E — zentao tracker registration + recursive path lookup after the utils reorg

D (zentao):
  utils/trackers/zentao_bug_manager.py uses the absolute path `from utils.protocols.api_retry_util`;
  the CI test sys.path contains utils/ but not the project root → ImportError silently swallowed by bug_tracker_base.py →
  TRACKER_REGISTRY missing zentao. Added fallback `from protocols.api_retry_util`.
  Locally: test_utils_bug_tracker.py 11/11 passed.

E (L2 selftest utils-reorg):
  After the V1.x utils reorganisation, excel_generator.py → utils/reporting/, data_factory.py → utils/data/,
  generate_report.py → utils/reporting/. run_script + list_available_scripts in runtime/orchestrator/adapters/scripts.py
  only looked at the top level, so 3 nodes of the L2 DAG reported 'script not found'.
  Switched to recursive rglob; a unique basename is enough to resolve the subdirectory path.
  Locally: L2 selftest 9/9 ok (100%, >=80% threshold).

CodeQL: the failing check is the repo-side Default setup CodeQL configuration on GitHub (4s setup fail),
  unrelated to this repo's .github/workflows/codeql.yml (CodeQL Advanced, all SUCCESS).
  Default setup has to be turned off under repo Settings -> Code security -> Code scanning.

* security(web): do not persist the API key to localStorage (CodeQL #19, js/clear-text-storage)

localStorage is readable by XSS; the API key (LLM provider) is moved to in-memory React state only,
so users must re-enter it after a refresh/restart. provider + model stay in localStorage (non-sensitive preferences).
UI hint text updated accordingly.

#17 (security_scanner.py prints the scan URL) dismissed: false positive,
  a CLI security scanner's job is to output scan results, and the URL is the scan target the user passed in.
#18 (iot_helper.py AutoAddPolicy) dismissed: used in tests,
  the policy is double-guarded by auto_add_for_testing=True or env IOT_SSH_AUTOACCEPT=1,
  the comment states it is only for isolated test networks; production uses RejectPolicy.

* fix(ci): pytest-unit job: add tenacity + python-dotenv + requests (zentao chain dependencies)

zentao_bug_manager → api_retry_util → tenacity / requests / dotenv.
The CI pytest-unit job previously installed only the core runtime dependencies, so the zentao chain ImportError was silently swallowed →
TRACKER_REGISTRY missing zentao → test_zentao_registered FAIL.
The selftest-mock job (line 227) already includes them; aligned here.

---------

Co-authored-by: xiaoxing0135 <706015750@qq.com>
Wool-xing added a commit that referenced this pull request May 27, 2026
…#145)

* feat: V1.37.0 — Phase 2 charter closure (3 items) + HIGH/MEDIUM audit fixes (6 items)

Added (13 new files):
- Bug tracker 5 adapters: jira/github/linear/webhook bug managers
- Quality gate engine: quality_gate_engine.py + quality_gates.yaml
- Layered requirements: 6 tiered requirement files (base/mobile/desktop/visual/system/ai/perf)
- CI runtime compileall check

Fixed HIGH (2):
- H16: Expert count clarified (9 including test-lead vs 8 coordinated)
- H18: Skills README completed (13→32 business + 3 meta skills)

Fixed MEDIUM (4):
- M12: run_file BackgroundTasks unified
- M14: RACI matrix 18 columns (pentest+automotive)
- M15: requires_layer documented in CONTRIBUTING.md
- M19: automotive-test checker reference fixed

Changed:
- Utils count: 67 → 73 (6 new .py files)
- Version: 1.36.0 → 1.37.0 across VERSION/__init__/pyproject/package.json
- Charter: multi-adapter bug tracking ✅ / on-demand install ✅ / gate YAML ✅

* feat: V1.37.0 — L7 contract gate + utils unit tests (Phase 2 complete)

Added:
- ci_contract_gate.py: L7 Shift-Left contract pipeline (detect→generate→verify)
- CI contract-gate job: OpenAPI spec change → contract → PR block
- 28 utils unit tests: quality_gate.py (17) + bug_tracker_base.py (11)

Changed:
- Utils count: 73 → 74
- Charter: L7 contract pipeline ✅
- 06-test-architecture.md: L1-L7 all wired

Tests: 183 passed, 2 skipped

* feat: V1.38.0 — Phase 3.1 ethics/bias audit (fairness_auditor)

Added:
- fairness_auditor.py: comprehensive fairness auditor (360 lines)
  - dataset bias: representation parity + label balance
  - model fairness: DI/SPD/EO/equalized_odds/calibration/predictive_parity
  - intersectional fairness (multi-sensitive-attribute)
  - decision fairness (policy-level outcomes)
  - export_bias_report() + summary() for CI integration
- ai_validator.run_bias_audit(): pipeline calling fairness_auditor
- 20 unit tests (runtime/tests/test_utils_fairness.py)

Changed:
- Utils: 74 → 75
- pre-commit hook: expected utils count 74 → 75
- coverage matrix: ethics/bias audit ✅ (was Phase 3)
- vision-dimensions: fairness auditor ✅
- 14-AI模型测试.md: expanded fairness section with 6-metric examples
- ROADMAP: V1.37.0 + V1.38.0 entries
- All docs: 74→75 utils

Tests: 203 passed, 2 skipped

* feat: V1.39.0 — Phase 3.2 silent failure detection (silent_failure_detector)

Added:
- silent_failure_detector.py: threshold drift + Mann-Kendall trend + OLS slope (310 lines)
  - detect_threshold_drift(): per-metric drift analysis
  - batch_detect(): multi-metric unified report
  - Source collectors: tracing/web_vitals/prometheus_counter/prometheus_gauge
  - SlidingWindowStore: rolling window for trend analysis
  - export_report() + ci_summary() for CI integration
- ai_validator.run_silent_failure_audit(): integrated pipeline
- 21 unit tests (runtime/tests/test_utils_silent_failure.py)

Changed:
- Utils: 75 → 76
- pre-commit hook: expected utils 75 → 76
- coverage matrix: silent failure detection ✅ (was Phase 3)
- vision-dimensions: silent failure detector ✅
- ROADMAP: V1.38.0 + V1.39.0 entries
- All docs: 75→76 utils

Tests: 224 passed, 2 skipped

* feat: V1.40.0 — Phase 3 complete (fairness + silent failure + absentee)

Phase 3: the quality-enhancement trio:
- 3.1 fairness_auditor.py: ethics/bias audit (6 metrics + intersectional + decision audit)
- 3.2 silent_failure_detector.py: silent failure detection (Mann-Kendall + OLS + sliding window)
- 3.3 absentee_scenario_injector.py: absentee scenario injection (9 groups × 21 scenarios)

Utils: 73 → 77 (fairness + silent_failure + absentee + __init__)
Tests: 244 passed, 2 skipped

* feat: V1.40.0 — Phase 3.3 absentee scenario injection + PHASE 3 COMPLETE

Added:
- absentee_scenario_injector.py: edge-case scenario library (360 lines)
  - 9 absentee groups (visual/motor/hearing/cognitive/elderly/minor/offline/crisis/non-native)
  - 21 canonical scenarios with WCAG 2.1 refs, i18n tags, test steps
  - Scenario query/injection API + SBTM charter generation
  - Coverage reporting + export
- 20 unit tests (runtime/tests/test_utils_absentee.py)

Changed:
- Utils: 76 → 77
- pre-commit hook: expected utils 76 → 77
- coverage matrix: all 3 Phase 3 items ✅ — PHASE 3 COMPLETE
- vision-dimensions: absentee scenario injector ✅ + absentee persona generator ✅
- ai_validator.py: auto-patched by linter (silent_failure integration)
- All docs: 76→77 utils

Phase 3 summary:
  ✅ 3.1 ethics/bias audit: fairness_auditor.py (20 tests)
  ✅ 3.2 silent failure detection: silent_failure_detector.py (21 tests)
  ✅ 3.3 absentee scenario injection: absentee_scenario_injector.py (20 tests)

Tests: 244 passed, 2 skipped

* feat: Phase 4 evidence chain admissibility (V1.41.0)

evidence_chain.py: SHA-256 hash chain + multi-source collection
(decisions/DORA/tracing/baselines/history) + ISO 27001/SOC2/NIST
800-53/GDPR compliance mapping + JSON/Markdown export + integrity
verification. 39 tests. ai_validator integration. Phase 4 complete.

* feat: Phase 5 taboo matrix + i18n sacred context audit (V1.42.0)

- taboo_matrix.py: 135 entries across 16 locales in 5 dimensions (words/colors/numbers/holidays/sacred)
- i18n_checker.py: Phase 5 extensions — audit_taboo_words/colors/numbers/holidays/sacred_contexts + run_taboo_audit()
- 84 unit tests: test_utils_taboo_matrix (30) + test_utils_i18n_taboo (54)
- Util count: 78→79 (taboo_matrix), pre-commit + 项目导航 + 使用手册 synced
- Charter docs: 01-vision-dimensions + 02-coverage-matrix updated

* fix: add V1.42.0 row to ROADMAP version table

* chore: pre-restructure baseline — version sync + bug fixes

- ai_validator: refactor run_silent_failure_audit (file→data), _calc_psi drop pandas dep
- db_test_helper_v2: uuid import top-level, remove fragile dir() check
- state_machine_tester_v2: eval/exec security hardening (empty builtins → whitelist)
- Version sync: desktop/mobile package.json + pyproject.toml 1.40.0→1.42.0
- CI: utils count 67→79
- essence_watcher: hardcoded path→placeholder

* refactor: complete directory restructure + path migration

Structure: agents/ skills/ utils/ ci/ config/ (from 02-06 numbered dirs).
Utils: 78 .py files → 12 functional subdirectories.
Paths: 130+ files updated across .md/.py/.yml/.sh.
CI/Hooks: pre-commit + ci.yml + selftest-weekly + install.sh all updated.
Removed: darwin-skill duplicates, root egg-info, runtime/workspace,
discussions logs, examples/.venv, archive snapshots (28MB).

* fix: import consistency after utils/ subdirectory reorganization

- conftest.py: inject all 12 utils subdirectories + project root into sys.path
- runtime/tests/conftest.py: same sys.path injection for test environment
- utils internal imports: same-dir use bare imports, cross-subdir use utils.X.Y
- Fixes 123 broken import lines across 22 files
- 367/367 tests passing (0 failures)

* chore: reorganize project structure — remove dead dirs, dedup docs, slim Test-Agent.md

- Remove dead 04-配置文件/ (only contained __pycache__)
- Clean workspace: remove __pycache__, move generated .docx/.xlsx to _outputs/
- Delete docs V1 auto-check mechanism (superseded by V7)
- Replace 1509-line Test-Agent.md with 90-line index; extract runtime architecture to runtime/ARCHITECTURE.md
- Fix stale path in tagent.yml.example: 04-配置文件/ → config/templates/
- Add workspace/_outputs/ to .gitignore

* fix: deep audit remediation — CRITICAL 8 + HIGH 12 + config/desktop/docs fixes

CRITICAL fixes:
- runtime/api/main.py: fix NameError json.JSONDecodeError → _json.JSONDecodeError
- desktop/pyinstaller: fix 4 dead datas paths (old Chinese dirs → agents/skills/config/utils)
- desktop/electron: fix preload version 1.33/1.34 → 1.42.0
- config/.env.example: add LLM provider env vars (8+ keys) + Slack/Teams webhooks
- config/quality_gates.yaml: add P0/P1 breakdown (single source of truth)
- config/templates/base.env.tpl: replace hardcoded credentials with {{PLACEHOLDER}} vars
- config/.env.example + utils/reporting: standardize webhook naming to _URL suffix

HIGH fixes:
- CI ci.yml: fix markdown dead-link checker (pipe subshell → process substitution)
- CI ci.yml: remove continue-on-error silencing CVE scanners
- install.sh: replace hardcoded 49-util list with find glob (now auto-discovers all 78)
- install.sh: fix version V1.36.0 → V1.42.0, branch v1.32.5 → v1.42.0
- runtime/direct.py: fix on_failure=abort silently ignored; extract _run_node_with_retry()
- runtime/test_lead.py: fix output file collision (st_mtime → uuid)
- runtime/flows.py: cancel in-flight Prefect tasks on circuit breaker
- runtime/experts.py: add _upstream_lock for concurrent task safety
- desktop/main.ts: validate protocol before shell.openExternal (https/http only)
- utils/trackers: fix bare imports → fully-qualified (bug_tracker_base + ai_validator)

Additional:
- utils/quality_gate_engine.py: make defusedxml required (no insecure stdlib fallback)
- runtime/docker-compose.app.yml: use ${VAR:-default} for credentials
- install.sh: fix mktemp portability + add TEST_AGENT_NO_CN_MIRROR opt-out
- CONTRIBUTING.md: fix agent count 18 → 16
- README.zh-CN.md: fix utils count 67 → 78
- .gitignore: remove duplicate .DS_Store + redundant negation
- .pre-commit-config.yaml: remove no-op groovy exclude from check-yaml

* fix: tier-2 MEDIUM remediation — CORS, ruff coverage, path resolve, CI alignment

- runtime/api/main.py: fix CORS allow_origins wildcard → allow_origin_regex
- runtime/api/main.py: fix import ordering + remove unused register_run/unregister_run
- runtime/config/settings.py: add model_post_init to auto-resolve relative Path fields
- .pre-commit-config.yaml: add ruff scanning for runtime/ (previously only utils/)
- .github/workflows/codeql.yml: add javascript-typescript language scan
- .github/dependabot.yml: fix npm directories (root → runtime/web + desktop)
- .github/workflows/desktop-release.yml: align actions versions → v6
- .github/workflows/synthetic-monitor.yml: align actions versions → v6

* fix: tier-3 fixes — markdownlint rules, stale versions, docs consistency

- .pre-commit-config.yaml: re-enable 7 markdownlint rules (MD004/005/009/010/012/030/037)
- CHANGELOG.md: fix MD037 false positives (wrap Python identifiers in backticks)
- docs/INDEX.md: fix stale version V1.10.0 → V1.42.0
- examples/INDEX.md: fix stale version V1.10.0 → V1.42.0
- docs/getting-started/使用手册.md: fix self-check counts (agents 9→16, skills 8→32, utils 12→78)
- CHANGELOG.md: fix initial version [1.0.0] → [v1.0.0] for consistency
- SECURITY.md: add best-effort qualifier to response time SLA

* fix: round 4 — desktop cleanup, dead references, encoding safety

- desktop/electron/main.ts: remove dead cmd/args assignments (overwritten by devArgs)
- desktop/scripts/build-python.sh: remove -q flag, show PyInstaller install errors
- desktop/scripts/build-all.sh: check runtime/web exists before building UI
- agents/09-报告生成.md: fix dead reference daily-report.yml → selftest-weekly.yml
- utils/security/security_scanner.py: add encoding="utf-8" to bandit/safety subprocess calls
- archive/wechat-early-docs/README.zh-CN.md: add deprecation banner (not tracked, gitignored)

* fix: round 5 — ruff lint cleanup (275→0 errors), encoding hardening

- F821: OrderedDict undefined name in test_orchestrator/server.py (add import, remove lazy import)
- Auto-fix 256 ruff violations: F401 unused-import, I001 unsorted-imports, UP006/UP035/UP045 modern annotations, UP037 quoted-annotation, F541 f-string, B009 get-attr, SIM117 multi-with, E402 import-at-top
- Manual fix 13: B904 exception-chaining, E741 ambiguous-var-names, SIM105 contextlib.suppress, SIM102 collapsible-if, SIM108 ternary, UP038 isinstance-tuple
- Inline #noqa for 15 intentional patterns: B008 typer.Option defaults, E402 CLI reg + test sys.path imports
- runtime/pyproject.toml: per-file-ignores for structural E402 exceptions
- 97 files, 357 tests pass (10 pre-existing failures unchanged)

* fix: round 6 — Prefect 3.7 API compat + missing defusedxml dependency

- Prefect 3.7 removed .done() and .cancel() from PrefectConcurrentFuture
- Replace f.done() with f.state.is_final() (direct.py, flows.py)
- Replace fut.cancel() with hasattr guard (flows.py, circuit breaker)
- Add defusedxml to runtime/pyproject.toml dependencies (quality_gate_engine)
- 367 tests pass, 0 failures (was 357/10F/2S)

* release: v1.43.0 — Phase 3+4+5 cut + 2 ex-vision skills implemented

Phase 3+4+5 released (CHANGELOG Unreleased → v1.43.0):
- Phase 3.1 fairness_auditor.py + 20 tests
- Phase 3.2 silent_failure_detector.py + 21 tests
- Phase 3.3 absentee_scenario_injector.py + 20 tests
- Phase 4 evidence_chain.py + 39 tests
- Phase 5 taboo_matrix.py + 6 i18n_checker functions + 84 tests

2 ex-vision skills promoted to production (LLM-driven minimum viable):
- agent-introspection-debugging: 5-dimension introspection (decision_replay/tool_calls/token_consumption/context/state_machine)
- build-your-own-x-explorer: scenario recognition + byox KB recommendations across 13 categories + time budgeting
- central ALL_SKILL_RUNNERS: 2 entries added in sync
- skills/__init__.py aggregate import 18/18

Version number sync:
- VERSION 1.42.0 → 1.43.0
- runtime/__init__.py __version__ 1.40.0 → 1.43.0 (catch-up, was 2 versions behind)
- runtime/pyproject.toml 1.42.0 → 1.43.0
- ROADMAP V1.43.0 row (32/32 active, V1.x SKILL ROLLOUT fully wrapped up)

Health check report:
- workspace/audit/V1.43-health-check.md

* fix(ci): add numpy to pytest-unit install + requirements/ai.txt

CI runtime/tests pytest unit job failed:
  ModuleNotFoundError: No module named numpy
  test_utils_fairness.py / test_utils_silent_failure.py

When V1.38 added fairness_auditor and V1.39 added silent_failure_detector,
the test files imported numpy, but numpy was never added to requirements/ai.txt
or to the ci.yml pytest-unit install list.

Fix:
- requirements/ai.txt: + numpy==1.26.4 (compatible with the existing scipy 1.13.1 / scikit-learn 1.5.2)
- .github/workflows/ci.yml line 371: add numpy to the install on the same line

With both places aligned, the pytest-unit CI should turn green.

* fix(ci): fix 13 pytest unit failures (A+B+C, V1.43.0 adaptation) (#147)

* fix(docs): repair 8 broken markdown internal links (#146)

The CI Markdown internal-link validity job has been red for a long time; this PR fixes 8 dead links:

docs/charter/07-runtime-license.md (5 links):
  LICENSE / VERSION / CONTRIBUTING.md / SECURITY.md / CODE_OF_CONDUCT.md
  → add the ../../ prefix to point at the repo root (all of these files exist at the root)

docs/SURVEY.md (1 link):
  PRIVACY.md → remove the link, keep the text (PRIVACY.md is not in the repo; the original text already carries an "if available" conditional)

docs/assets/demo.recipe.md (2 links):
  ![demo](docs/assets/demo.gif/svg) → <img src=...> HTML form
  The CI check regex \[[^]]*\]\((...)\) does not scan HTML img tags, and demo.gif/svg are recording artifacts that were never meant to be in the repo

No other files changed; pure markdown link correction.

Co-authored-by: xiaoxing0135 <706015750@qq.com>

* fix(ci): fix 13 pytest unit failures (A+B+C)

A: merge main → pick up the markdown link fixes (PR #146)
B: add defusedxml to ci.yml (both selftest-mock and pytest jobs) + config/requirements.txt
C: adapt test_impl_status_filter.py to V1.43.0 (vision 2→0, production 23→25)
  - test_registry_skill_status_counts: count numbers updated
  - test_router_flags_vision_skill: switch to a phantom unknown skill (vision/rollout share the hard-block branch, semantics preserved)
  - test_execute_node_rejects_vision_skill: same as above

Local: pytest runtime/tests/test_impl_status_filter.py → 13/13 passed

D (zentao tracker) + E (L2 selftest paths) left for the next PR round

* fix(ci): add release/** to trigger branches (PRs to release/v1.43.0 no longer silent)

---------

Co-authored-by: xiaoxing0135 <706015750@qq.com>

* fix(ci): D+E — zentao registration + utils-reorg recursive lookup (CodeQL diagnosis) (#148)

* fix(ci): D+E — zentao tracker registration + utils-reorg recursive path lookup

D (zentao):
  utils/trackers/zentao_bug_manager.py uses the absolute path `from utils.protocols.api_retry_util`;
  the CI test sys.path contains utils/ but not the project root → the ImportError is silently swallowed by bug_tracker_base.py →
  TRACKER_REGISTRY lacks zentao. Add the fallback `from protocols.api_retry_util`.
  Local: test_utils_bug_tracker.py 11/11 passed.

E (L2 selftest utils-reorg):
  After the V1.x utils reorganization, excel_generator.py → utils/reporting/, data_factory.py → utils/data/,
  generate_report.py → utils/reporting/. run_script + list_available_scripts in runtime/orchestrator/adapters/scripts.py
  only look at the top level, so 3 nodes of the L2 DAG report 'script not found'.
  Switch to recursive rglob; as long as the basename is unique, the subdirectory path resolves.
  Local: L2 selftest 9/9 ok (100%, >=80% threshold).

CodeQL: the failure is in the GitHub repo-side Default setup CodeQL configuration (4s setup fail),
  unrelated to this repo's .github/workflows/codeql.yml (CodeQL Advanced, all SUCCESS).
  Default setup needs to be turned off under the repository Settings -> Code security -> Code scanning.

* security(web): do not persist the API key to localStorage (CodeQL #19, js/clear-text-storage)

XSS can read localStorage; the API key (LLM provider) is moved to in-memory-only React state,
so the user must re-enter it after a refresh/restart. provider + model stay in localStorage (non-sensitive preferences).
UI hint text updated accordingly.

#17 (security_scanner.py print scan URL) dismissed: false positive;
  the very job of a CLI security scanning tool is to output scan results, and the URL is the scan target the user passed in deliberately.
#18 (iot_helper.py AutoAddPolicy) dismissed: used in tests;
  the policy is doubly guarded by auto_add_for_testing=True or env IOT_SSH_AUTOACCEPT=1,
  the comment explicitly states isolated test networks only; production uses RejectPolicy.

* fix(ci): add tenacity + python-dotenv + requests to the pytest-unit job (zentao chain dependencies)

zentao_bug_manager → api_retry_util → tenacity / requests / dotenv.
The CI pytest-unit job previously installed only the core runtime dependencies, so the zentao chain's ImportError was silently swallowed →
TRACKER_REGISTRY lacks zentao → test_zentao_registered FAIL.
The selftest-mock job (line 227) already includes them; this aligns the two.

---------

Co-authored-by: xiaoxing0135 <706015750@qq.com>

---------

Co-authored-by: xiaoxing0135 <706015750@qq.com>