build(deps): bump sqlalchemy from 2.0.44 to 2.0.48 in /constraints #5

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/constraints/sqlalchemy-2.0.48
@dependabot dependabot Bot commented on behalf of github Mar 28, 2026

Bumps sqlalchemy from 2.0.44 to 2.0.48.

Release notes

Sourced from sqlalchemy's releases.

2.0.48

Released: March 2, 2026

engine

  • [engine] [bug] Fixed a critical issue in Engine where connections created in conjunction with the DialectEvents.do_connect() event listeners would receive shared, mutable collections for the connection arguments, leading to a variety of potential issues including unlimited growth of the argument list as well as elements within the parameter dictionary being shared among concurrent connection calls. In particular this could impact do_connect routines making use of complex mutable authentication structures.

    References: #13144

2.0.47

Released: February 24, 2026

orm

  • [orm] [bug] Fixed issue when using ORM mappings with Python 3.14's PEP 649 feature that no longer requires "future annotations", where the ORM's introspection of the __init__ method of mapped classes would fail if non-present identifiers in annotations were present. The vendored getfullargspec() method has been amended to use Format.FORWARDREF under Python 3.14 to prevent resolution of names that aren't present.

    References: #13104

engine

  • [engine] [usecase] The connection object returned by _engine.Engine.raw_connection() now supports the context manager protocol, automatically returning the connection to the pool when exiting the context.

    References: #13116

postgresql

  • [postgresql] [bug] Fixed an issue in the PostgreSQL dialect where foreign key constraint reflection would incorrectly swap or fail to capture onupdate and ondelete values when these clauses appeared in a different order than expected in the constraint definition. This issue primarily affected

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.44 to 2.0.48.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-version: 2.0.48
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot commented on behalf of github Mar 28, 2026

Labels

The following labels could not be found: dependencies, python, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot Bot commented on behalf of github Mar 28, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/pip/constraints/sqlalchemy-2.0.48 branch March 28, 2026 22:45
neuron7xLab added a commit that referenced this pull request Apr 25, 2026
…— close silent-fallback gap (⊛-audit AP-#5) (#385)

GeoSync credo (CLAUDE.md, INV-RC-FLOW) requires every clamp/clip to be
observable: # INV-* / # bounds: comment, runtime logging, or a flag in
the result struct. compute_capital_ratio in core/kuramoto/capital_weighted.py
silently floored median(depth_mass) below cfg.r_floor with no caller
visibility — flagged as anti-pattern #5 by the ⊛-audit.

Surface the event:
  - compute_capital_ratio now returns (r, floor_engaged, floor_diagnostic).
  - CapitalWeightedCouplingResult carries floor_engaged: bool (default
    False) plus a short floor_diagnostic token: "median_clamped",
    "r_below_floor", or "median_clamped+r_below_floor".
  - The median IS clamped (kept — required for finite division and
    INV-KBETA finiteness). The per-node r_i is NOT clamped (an absolute
    clamp would break INV-KBETA scale invariance under uniform depth
    scaling); we only DETECT and surface the below-floor event.

Tests:
  - test_floor_engaged_false_for_healthy_distribution
  - test_floor_engaged_true_for_zero_depth_node
  Both assert INV-KBETA preservation (finite/symmetric/zero-diag).
  Existing test_capital_ratio_floor updated to the tuple signature.

Behavioral preservation:
  - 8/8 falsify_capital_beta.py PASS unchanged.
  - 1175 passed, 1 skipped across tests/unit/core/, tests/property/
    research_extensions/, tests/integration/research_extensions/.
  - .claude/physics/validate_tests.py --audit-code: 0 silent clamps.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
neuron7xLab added a commit that referenced this pull request Apr 26, 2026
…ision score, enforce SPECULATIVE != P0/P1 (#414)

Honest self-audit found four lapses in the seven physics-schema PRs from
this session:

(a) INV-OBSERVER-CPT (P5) was a tautological schema with no peer-reviewed
    model — shipped as a P2 invariant alongside ANCHORED entries. Demoted.
(b) `TRUTH_COHERENCE_SCORE: float` introduced fake precision (vibes-derived
    numbers like 0.9 / 0.6 / 0.55 / 0.3 dressed as quantitative). Dropped.
(c) Validator did not enforce that SPECULATIVE invariants stay below
    fail-closed tier. Now it does.
(d) Session-level claim "operationalized 7 fundamental physics problems"
    overstated schema work as derivation work. Restated honestly: 6
    contract schemas remain — 2 ANCHORED, 4 EXTRAPOLATED, 0 SPECULATIVE
    (the seventh, P5, is now a demo not a registered invariant).

Changes:

- Moved core/physics/observer_cpt_asymmetry.py →
  examples/observer_cpt_schema_demo.py with explicit DEMO ONLY header.
  Removed tests/unit/physics/test_observer_cpt_asymmetry.py.
  Removed pncc.observer_cpt block from .claude/physics/INVARIANTS.yaml,
  with a note pointing at the demo file.

- In core/physics/{arrow_of_time, observer_bandwidth,
  cosmological_compute_bound, jacobson_observer_coherence}.py:
  replaced
      PROVENANCE_LEVEL: str = "..."
      TRUTH_COHERENCE_SCORE: float = 0.X
  with
      PROVENANCE_TIER: Literal["ANCHORED", "EXTRAPOLATED", "SPECULATIVE"] = "..."
  Discrete tier; no float score. Updated test files to assert
  PROVENANCE_TIER and dropped the floor/ceiling float assertions.

- In .claude/physics/INVARIANTS.yaml: dropped all four
  `truth_coherence_score:` lines. Kept `provenance:` field as the
  canonical tier indicator.

- In .claude/physics/validate_tests.py::_self_check: added check #5 —
  SPECULATIVE invariants cannot carry P0 or P1 priority. Validator
  reports FAIL with the offending IDs if found.

Quality gates:
  pytest (4 modules)                   59/59 PASS
  ruff check                           clean
  ruff format --check                  clean
  black --check                        clean
  mypy --strict (5 modules + tests)    clean
  validate_tests.py --self-check       PASSED — 80 invariants loaded,
                                       check #5 confirms 0 SPECULATIVE
                                       at P0/P1.

Honest stack as of this PR:
  ANCHORED:      INV-ARROW-OF-TIME (P0)
                 INV-BEKENSTEIN-COGNITIVE (P0)
  EXTRAPOLATED:  INV-OBSERVER-BANDWIDTH (P1)
                 INV-COSMOLOGICAL-COMPUTE (P1)
                 INV-JACOBSON-OBSERVER (P1)
                 INV-SIMULATION-FALSIFICATION (P1, registry/statistical)
  Demoted:       INV-OBSERVER-CPT → demo, no registry weight.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
neuron7xLab added a commit that referenced this pull request Apr 26, 2026
…ference flaw #5) (#422)

Self-audit identified ε ∈ (0, 1] efficiency parameter on
diamond_compute_budget / assess_compute_claim as empty as an
invariant: for ε ≤ 1 the inequality I_useful ≤ ε · A/(4·ℓ_p²·ln 2)
reduces to a tautology under the Bekenstein-Hawking bound. ε had no
operational definition or first-principles derivation in this module
— it was a caller-supplied scale dressed as a physics constant.

Changes (atomic across both physics-contract layers):
- core/physics/cosmological_compute_bound.py:
  * Removed `efficiency: float = 1.0` parameter from
    diamond_compute_budget() and assess_compute_claim().
  * Consolidated ComputeBudget to a single `holographic_max_bits`
    field; dropped `efficiency` and `useful_max_bits`.
  * Module docstring rewritten to ship only the holographic ceiling
    (caller-side discounting is the caller's responsibility).
  * No downstream importers used the dropped fields outside this
    test file (verified by repo grep).
- tests/unit/physics/test_cosmological_compute_bound.py:
  * Removed 4 efficiency-scaffolding tests (zero/negative, above-one,
    non-finite, scales-useful-bits).
  * Renamed `test_diamond_budget_default_efficiency_is_holographic`
    → `test_diamond_budget_returns_holographic_ceiling`.
  * Preserved coverage: closed-form coefficient, area=0 → 0 bits,
    negative/non-finite raise, Planck-area sanity, solar-mass BH
    OOM, Hubble-horizon OOM, claim within/at/above budget,
    Hypothesis property sweep linear-in-area.
- .claude/physics/INVARIANTS.yaml `cosmological_compute:`:
  * statement: dropped ε; restated as caller-side-discounting note.
  * falsification: dropped "OR a derivation forcing ε > 1" clause.

Quality gates (all green):
- pytest tests/unit/physics/test_cosmological_compute_bound.py: 14 passed
- ruff check + ruff format --check: pass
- black --check: pass
- mypy --strict: pass
- .claude/physics/validate_tests.py --self-check: PASS

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
neuron7xLab added a commit that referenced this pull request Apr 27, 2026
…FIED loop) (#492)

Closes the ACTIVE→VERIFIED transition opened by PR #491. Where #491
shipped the diff-bound acceptor schema + validator + CI gate, this PR
adds the runner that actually executes measurement_command and
falsifier.command, captures stdout+stderr to declared artifact paths,
hashes every artifact (sha256, lowercase 64-char hex), and writes the
evidence_sha256 list back to the acceptor YAML. With --promote and a
PASS verdict, status flips from ACTIVE to VERIFIED in-place.

Files added:
- tools/commit_acceptor/run_evidence.py (557 lines)
- tests/unit/commit_acceptor/test_run_evidence.py (23 tests)
- tmp/run_evidence_dogfood.json (evidence-of-evidence for the runner
  itself, run against the two existing acceptors)

Public API:
- EvidenceResult (frozen dataclass, sorted JSON serialisation)
- run_acceptor(acceptor, repo_root, *, timeout_s, runner) -> EvidenceResult
- update_acceptor_yaml(path, result, *, promote_to_verified) -> None
- main(argv) -> int (CLI: --acceptor-id/--all, --promote, --re-verify,
  --timeout-s [10, 3600], --summary-out, --repo-root)

Test count: 23/23 PASS (67/67 in tests/unit/commit_acceptor)
Gates: ruff check + ruff format --check + black --check + mypy --strict
       + validate_commit_acceptor (with and without --require-acceptor-
       for-code-change) — all green.

Falsifier mutation probes (all 6 caught by tests):
  #1 skip --promote success guard          → test 8 FAILS as expected
  #2 truncate sha256 to 8 chars            → test 22 FAILS as expected
  #3 always return verdict=PASS             → tests 2 + 3 FAIL as expected
  #4 skip artifact existence check          → test 4 FAILS as expected
  #5 stop skipping DRAFT acceptors          → test 10 FAILS as expected
  #6 strip evidence_sha256 sort             → test 6 FAILS as expected

Dogfood verdict counts (from tmp/run_evidence_dogfood.json):
  PASS: 1 (commit-acceptor-layer)
  SIGNAL_FAILED: 1 (canonical-action-result-comparator —
    tests/unit/control not present in this branch; honest null)

Security: subprocess.run(shell=True, ...) trusts maintainer-committed
acceptor YAML. Acceptor schema is enforced by the validator (PR #491)
before the runner ever sees a file. Per the chronology-discipline
contract, this runner is execution proof, NOT chronology proof — it
claims only "command exited 0 and these are the artifact hashes".

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
neuron7xLab added a commit that referenced this pull request Apr 27, 2026
* feat(governance): diff-bound commit acceptor layer (promise→diff→signal→falsifier→rollback→evidence→memory)

Invariant: every code-modifying commit landing on main MUST be governed by
at least one acceptor under .claude/commit_acceptors/ that declares the
full six-step contract. Unbound code commits are rejected fail-closed by
the new Commit Acceptor Gate workflow on every PR and merge-queue entry.

Files added:
- .claude/commit_acceptor_policy.yaml          (claim caps + forbidden imports)
- .claude/commit_acceptor_template.yaml        (canonical schema, status DRAFT)
- .claude/commit_acceptors/canonical-action-result-comparator.yaml
                                               (ACTIVE, documents PR #490)
- .claude/commit_acceptors/commit-acceptor-layer.yaml
                                               (ACTIVE, self-acceptor for this PR)
- tools/commit_acceptor/{__init__.py,validate_commit_acceptor.py}
                                               (validator + CLI)
- tests/unit/commit_acceptor/{__init__.py,test_validate_commit_acceptor.py}
                                               (44 tests, all 41 spec probes)
- .github/workflows/commit-acceptor-gate.yml   (PR + merge_group, 3.11/3.12)
- docs/reports/diff_bound_commit_acceptor_layer.md (closure report)

Forbidden schema fields (rejected anywhere): forbidden_symbols,
max_files_changed, generated_at. Forbidden import patterns enforced via
AST: trading, execution, forecast, policy. Distinct from CLAIMS layer
(.claude/claims/CLAIMS.yaml) — per-commit, diff-bound, not modified.

Local gates green: validator (static), validator (diff-binding +
require-acceptor-for-code-change), pytest 44/44, ruff, ruff format,
black, mypy --strict. Probe matrix 15/15 with idempotence
(sha256 of acceptor unchanged across two consecutive validator runs).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(governance): commit acceptor evidence runner (closes ACTIVE→VERIFIED loop) (#492)

Closes the ACTIVE→VERIFIED transition opened by PR #491. Where #491
shipped the diff-bound acceptor schema + validator + CI gate, this PR
adds the runner that actually executes measurement_command and
falsifier.command, captures stdout+stderr to declared artifact paths,
hashes every artifact (sha256, lowercase 64-char hex), and writes the
evidence_sha256 list back to the acceptor YAML. With --promote and a
PASS verdict, status flips from ACTIVE to VERIFIED in-place.

Files added:
- tools/commit_acceptor/run_evidence.py (557 lines)
- tests/unit/commit_acceptor/test_run_evidence.py (23 tests)
- tmp/run_evidence_dogfood.json (evidence-of-evidence for the runner
  itself, run against the two existing acceptors)

Public API:
- EvidenceResult (frozen dataclass, sorted JSON serialisation)
- run_acceptor(acceptor, repo_root, *, timeout_s, runner) -> EvidenceResult
- update_acceptor_yaml(path, result, *, promote_to_verified) -> None
- main(argv) -> int (CLI: --acceptor-id/--all, --promote, --re-verify,
  --timeout-s [10, 3600], --summary-out, --repo-root)

Test count: 23/23 PASS (67/67 in tests/unit/commit_acceptor)
Gates: ruff check + ruff format --check + black --check + mypy --strict
       + validate_commit_acceptor (with and without --require-acceptor-
       for-code-change) — all green.

Falsifier mutation probes (all 6 caught by tests):
  #1 skip --promote success guard          → test 8 FAILS as expected
  #2 truncate sha256 to 8 chars            → test 22 FAILS as expected
  #3 always return verdict=PASS             → tests 2 + 3 FAIL as expected
  #4 skip artifact existence check          → test 4 FAILS as expected
  #5 stop skipping DRAFT acceptors          → test 10 FAILS as expected
  #6 strip evidence_sha256 sort             → test 6 FAILS as expected

Dogfood verdict counts (from tmp/run_evidence_dogfood.json):
  PASS: 1 (commit-acceptor-layer)
  SIGNAL_FAILED: 1 (canonical-action-result-comparator —
    tests/unit/control not present in this branch; honest null)

Security: subprocess.run(shell=True, ...) trusts maintainer-committed
acceptor YAML. Acceptor schema is enforced by the validator (PR #491)
before the runner ever sees a file. Per the chronology-discipline
contract, this runner is execution proof, NOT chronology proof — it
claims only "command exited 0 and these are the artifact hashes".

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(governance): bind tmp/run_evidence_dogfood.json to commit-acceptor-layer (#493)

The dogfood JSON committed in PR #492 has extension .json which the
commit-acceptor policy treats as code, triggering "code change without
acceptor" on the diff-binding CI gate. Add it to the self-acceptor's
diff_scope so the gate is satisfied.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): install numpy in commit-acceptor-gate workflow

The commit-acceptor-gate job runs `pytest tests/unit/commit_acceptor`
which transitively triggers the global `tests/conftest.py`. That conftest
imports `core/utils/determinism.py`, which imports `numpy`. Without
numpy in the venv, pytest fails during collection (before any test runs)
with `ModuleNotFoundError: No module named 'numpy'` — turning both
3.11 and 3.12 matrix jobs red.

Add `numpy` to the install line. Other deps unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(governance): close 6 adversarial-audit holes in commit acceptor validator

The first-pass validator (PR #491) shipped with six bypasses surfaced by
adversarial audit. All six are now closed; each fix is paired with a
test that fails without it (mutation-probed, both directions where
relevant).

Hole 1 — Relative-import bypass (`from . import trading`):
  AST detector skipped relative imports entirely. Fixed: when
  node.level > 0, check each `alias.name` against forbidden patterns.

Hole 2 — Relative-import false positive (`from .trading import x`):
  Symmetric defect. The relative module name `.trading` is a repo-local
  sibling submodule, not the forbidden absolute `trading` runtime.
  Fixed: for relative imports, only inspect alias names (NOT node.module).

Hole 3 — Path traversal in `diff_scope.changed_files[*].path`:
  `../etc/passwd`, `geosync/../../escape`, `/abs`, `path\\windows` were
  accepted silently. Added `_is_safe_repo_relative_path` helper rejecting
  leading `/`, backslashes, and any `..` component. Applied to both
  `changed_files` and `forbidden_paths` for symmetry.

Hole 4 — Empty/whitespace `id` and `promise` summary:
  `id: ""` and `promise: "   "` passed schema validation. Fixed: explicit
  non-empty-after-strip checks on `id` (string) and on `promise` whether
  it is a string or a `{summary: ...}` mapping.

Hole 5 — `promise: null` (None / wrong type):
  YAML `promise:` (no value) silently passed. Fixed: explicit
  `INVALID_PROMISE_BLOCK` rejection when promise is None or
  non-string-non-mapping (lists, ints).

Hole 6 — Theater test for relative-import path:
  `test_14_relative_import_skipped` only asserted skip; never asserted
  catch on `from . import trading` (Hole 1). Replaced with
  `test_14_relative_import_two_directions` that asserts BOTH the catch
  (alias is forbidden) and the non-flag (relative module name is
  repo-local).

New tests added (parametrized where relevant, 17 cases total):
  - test_14_relative_import_two_directions  (both directions)
  - test_path_traversal_in_changed_files_rejected  (6 params)
  - test_path_traversal_in_forbidden_paths_rejected  (3 params)
  - test_empty_id_rejected, test_whitespace_id_rejected
  - test_empty_promise_summary_rejected, test_whitespace_promise_summary_rejected
  - test_promise_dict_with_empty_summary_rejected
  - test_null_promise_block_rejected
  - test_promise_wrong_type_rejected

Probe matrix: each new test was mutation-probed by stashing the
validator change and re-running the test selector — all 17 cases failed
without the fix and passed with it. Full gate matrix (validator,
diff binding, pytest, ruff, ruff format, black, mypy --strict) green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): scope commit-acceptor pytest with --confcutdir to avoid global conftest deps

The previous fix added numpy to the workflow venv, but tests/conftest.py
also imports pandas (and transitively other deps via core/utils). Rather
than mirror the entire repo's runtime dependency tree into a governance
gate venv, use --confcutdir=tests/unit/commit_acceptor so pytest does
not load the global conftest at all. The commit_acceptor unit tests
are self-contained and need no shared fixtures.

Net effect: workflow dependency line stays minimal (pyyaml/black/ruff
/mypy/pytest only); CI no longer breaks when an unrelated dep is added
to tests/conftest.py.

Verified locally: 83/83 pass with --confcutdir; same set passes without
the flag too.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): silence detect-secrets false-positive on evidence-runner artifact + restore mypy plugin

Three coupled fixes for commit-acceptor-validation jobs:

1. Remove tracked tmp/run_evidence_dogfood.json — sha256 hex digests in
   the evidence dogfood snapshot looked like high-entropy secrets to
   detect-secrets. The runner can produce a fresh snapshot on demand;
   committing one stale instance polluted the secret scanner.

2. Add tmp/ to .gitignore so future runner output stays out of git.

3. Add pydantic to commit-acceptor-gate workflow venv. The repo's
   mypy.ini declares pydantic.mypy as a plugin; mypy --strict cannot
   load it without the package installed, even when the files under
   inspection do not import pydantic.

Self-acceptor updated to drop the dogfood path from changed_files.

Verified locally: 83/83 tests pass with --confcutdir; static validator
PASS; diff-binding gate PASS after this commit because the deletion
no longer appears in the net origin/main..HEAD diff.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(ci): install types-PyYAML for mypy strict in commit-acceptor-gate

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
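
The import and path checks described under Holes 1 to 3 in the commit message above, sketched as an added example that is not the project's validator code. The function names, the rule of matching on the first dotted component, the empty-path rejection and the sample source are assumptions made for illustration.

```python
import ast

# Forbidden module names as listed in the commit message; matching on the
# first dotted component is an assumption of this sketch.
FORBIDDEN = ("trading", "execution", "forecast", "policy")


def _is_forbidden(dotted: str) -> bool:
    """True when the first component of a dotted name is a forbidden module."""
    return dotted.split(".", 1)[0] in FORBIDDEN


def forbidden_imports(source: str) -> list[tuple[int, str]]:
    """Return (line, name) for every forbidden import found in `source`."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            if node.level > 0:
                # Relative import. node.module (".trading") names a repo-local
                # sibling and is not inspected (Hole 2); the imported alias
                # names are inspected, so `from . import trading` is caught
                # (Hole 1).
                names = [alias.name for alias in node.names]
            else:
                # Absolute `from X import y`: the module X decides.
                names = [node.module or ""]
        else:
            continue
        hits.extend((node.lineno, n) for n in names if _is_forbidden(n))
    return sorted(hits)


def is_safe_repo_relative_path(path: object) -> bool:
    """Reject a leading '/', any backslash and any '..' component (Hole 3).

    Rejecting non-string and empty values is an extra assumption of this
    sketch, not something the commit message states.
    """
    if not isinstance(path, str) or not path.strip():
        return False
    if path.startswith("/") or "\\" in path:
        return False
    return ".." not in path.split("/")


# Constructed sample input covering both directions of the relative-import fix.
SAMPLE = '''\
import trading.engine
from . import trading
from .trading import helper
from execution import run
from . import utils
import os
'''

if __name__ == "__main__":
    for lineno, name in forbidden_imports(SAMPLE):
        print(f"line {lineno}: forbidden import {name}")
    for candidate in ("../etc/passwd", "geosync/../../escape", "/abs",
                      "path\\windows", "tools/commit_acceptor/run_evidence.py"):
        print(candidate, "->", is_safe_repo_relative_path(candidate))
```

Splitting on `/` and comparing whole components keeps names such as `a..b/c` valid while still rejecting `geosync/../../escape`.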