Skip to content

chore(deps)!: 7-day dependency cooldown (uv exclude-newer + CI assert)#788

Open
xdotli wants to merge 16 commits into
mainfrom
chore/dep-cooldown-7d
Open

chore(deps)!: 7-day dependency cooldown (uv exclude-newer + CI assert)#788
xdotli wants to merge 16 commits into
mainfrom
chore/dep-cooldown-7d

Conversation

@xdotli

@xdotli xdotli commented Jun 15, 2026

Copy link
Copy Markdown
Member

What

Adds a hard 7-day dependency cooldown: uv may never resolve a dependency to a release younger than ~7 days old. Motivation — the freshly-published-CVE churn during #787 (advisories landing on day-0 releases); a cooldown gives new releases time to be vetted.

How (two layers, both evaluated against today)

  1. Static cap, dynamically set. [tool.uv] exclude-newer caps every uv lock at a timestamp so the default resolution can't reach a brand-new release. It has to be a static literal (CI's uv sync --locked / uv export --locked must match the lock deterministically — a live value in pyproject would break --locked). So the date isn't hand-typed: python tools/lock.py computes midnight-UTC of now − 7d, writes it, and re-locks in one step. tests/test_dep_cooldown.py::test_uv_exclude_newer_caps_resolution fails if the committed cutoff is younger than 7 days.
  2. Dynamic enforcement, offline. test_locked_packages_respect_cooldown reads the upload-time that uv bakes into uv.lock for every resolved package and fails if any is younger than now − 7d. This is the genuinely live "7 days ago from the current date" check — evaluated every CI run against today, no stored date trusted and no PyPI queries (timestamps are already in the lock). It never flakes on an unchanged lock: upload times are immutable, so packages only age out of the window.

COOLDOWN_DAYS = 7 lives once in tools/lock.py and is imported by the gate, so the writer and the check can't drift.

Security / grandfather exception

uv has no rolling cooldown natively, so deps the repo already pins that are still <7 days old get a one-time override in [tool.uv.exclude-newer-package] (also the escape hatch for an urgent CVE fix). Each entry is exempted from layer 2 and should be removed as it ages past 7d:

  • litellm[proxy]==1.89.0 (2026-06-13) — exact pin; resolution fails without it.
  • starlette 1.3.1 (2026-06-12) — the CVE-2026-54282/54283 fix; the override keeps it instead of rolling back to the vulnerable 1.2.1.

Verified the audit has teeth: with exemptions removed it flags exactly litellm 1.89.0 and starlette 1.3.1; with them, it's clean.

Impact

Re-locking under the cap rolled 6 langchain-family packages back by a patch/minor (langchain, -anthropic, -core, -google-genai, -openai, langsmith) — their newest releases are <7d old. The CVE fixes from #787 (aiohttp 3.14.1, python-multipart 0.0.32, starlette 1.3.1) are preserved. Full suite 4202 passed; ruff/format/ty clean. python tools/lock.py --check today prints the committed 2026-06-08T00:00:00Z, so the lock is unchanged.

Latest automation fix (2026-07-03)

Pushed through 44133f5c to clear the current Users Simulation blockers:

  • 151c63d7 adds a machine-checkable rationale gate for [tool.uv.exclude-newer-package] entries using [tool.benchflow.dependency-cooldown.override-rationale]; this avoids brittle TOML comment parsing while enforcing the policy intent.
  • 44133f5c merges current origin/main, resolves the uv.lock conflict, and refreshes the cooldown cutoff/lockfile with tools/lock.py (exclude-newer = "2026-06-26T00:00:00Z").

Local validation on the merged head:

uv sync --extra dev --locked
uv lock --check
uv run python tools/lock.py --check  # 2026-06-26T00:00:00Z
uv run python -m pytest tests/test_dep_cooldown.py tests/test_lock_tool.py -q  # 24 passed
uv run ruff check tools/lock.py tests/test_dep_cooldown.py tests/test_lock_tool.py src/benchflow/task/prompts.py
uv run ty check src/ tools/lock.py
uv run ruff format --check tools/lock.py tests/test_dep_cooldown.py tests/test_lock_tool.py src/benchflow/task/prompts.py

GitHub CI is running on the new head and should be green before moving this back to status:ready.

Latest automation fix (2026-07-13)

Pushed through c2fe73120 to clear the current Users Simulation blockers:

  • Merged current origin/main into chore/dep-cooldown-7d, resolving the uv.lock conflict caused by main's TRL-SFT extra.
  • Added a temporary, machine-checkable trl cooldown override because current main requires trl>=1.8.0,<2 and trl 1.8.0 is newer than the active global cutoff.
  • Refreshed the lock to click 8.4.2 to clear PYSEC-2026-2132 while staying within the cooldown policy.
  • Updated the removed-short-option CLI regression to tolerate Click 8.4's quoted error wording while still requiring the same rejected aliases.

Validation:

uv sync --extra dev --extra sandbox-daytona --extra sandbox-modal --locked
uv lock --check
uv run python tools/lock.py --check  # 2026-07-06T00:00:00Z
uv run python -m pytest tests/  # 4885 passed, 8 skipped, 7 deselected
uv run ruff check src tests tools
uv run ruff format --check src tests tools
uv run ty check
uv export --locked --extra dev --extra sandbox-daytona --extra sandbox-modal --format requirements-txt --no-hashes --output-file /tmp/req-audit
uv run --with pip-audit pip-audit -r /tmp/req-audit --no-deps --disable-pip --ignore-vuln GHSA-537c-gmf6-5ccf

GitHub checks on c2fe73120 are green: test, pip-audit, manifest-parity / parity, integration-light / rollout-smoke, and detect-scope all passed.

Current-head integration-light-jobs artifact validated healthy with benchflow-experiment-review: 1/1 rollout healthy, reward 1.0, ACP + LLM trajectories and training-ready results.jsonl present, 311,687 tokens, 16 tool calls, total timing 250.4s. cost_usd / price_source remain null for this GLM/user-endpoint smoke, matching the known shared accounting caveat rather than a dependency-cooldown regression.

… hard rule

Never resolve a dependency to a release younger than ~7 days (less-vetted; the
freshly-published-CVE churn during #787 is the motivating case). Enforced two ways:
- `[tool.uv] exclude-newer` caps every `uv lock` at a fixed timestamp (currently
  2026-06-08, >=7 days ago); advance it (kept >=7d in the past) to take updates.
- `tests/test_dep_cooldown.py` fails CI if `exclude-newer` is ever within the last
  7 days, so the cap can't silently drift forward.

Grandfather overrides in `[tool.uv.exclude-newer-package]` for deps the repo
already pins that are still <7d old (each should be removed as it ages past 7d):
- litellm[proxy]==1.89.0 (2026-06-13) — exact pin; blocks resolution otherwise.
- starlette 1.3.1 (2026-06-12) — CVE-2026-54282/54283 fix; don't roll back to
  the vulnerable 1.2.1.

Security exception is the override mechanism: an urgent fix younger than the cap
is allowed via a commented per-package entry. Re-locking under the cap rolled 6
langchain-family packages back by a patch/minor (their newest releases are <7d
old); full suite green (4190).
@xdotli xdotli temporarily deployed to pypi-internal-preview June 15, 2026 23:27 — with GitHub Actions Inactive
@greptile-apps

greptile-apps Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR introduces a hard 7-day dependency cooldown enforced at two layers: a static [tool.uv] exclude-newer timestamp in pyproject.toml (kept at now − 7 days by tools/lock.py) and a dynamic CI gate in tests/test_dep_cooldown.py that reads upload timestamps from uv.lock on every run. The approach avoids PyPI network calls and is deterministic because upload times in uv.lock are immutable. Six langchain-family packages were rolled back as a result of the tighter cap; the pydantic-settings CVE fix is preserved via a one-time per-package override.

  • tools/lock.py: new helper that computes midnight-UTC of now − 7d, rewrites exclude-newer in pyproject.toml, then shells out to uv lock. Includes LockError wrapping for I/O and subprocess failures, and exposes pure functions consumed directly by the test suite.
  • tests/test_dep_cooldown.py + tests/test_lock_tool.py: two complementary test files — one gating the live repo state, one unit-testing the helper's pure functions with a fixed synthetic lock.
  • pyproject.toml: adds [tool.uv] required-version = \">=0.8.4\" (floor for the per-package override table), sets the initial exclude-newer, and registers the pydantic-settings temporary exception with a documented comment.

Confidence Score: 5/5

Safe to merge. The cooldown enforcement is self-consistent across both layers, all previous findings have been addressed, and the pydantic-settings override will self-destruct via the CI gate on 2026-06-27 as designed.

The two-layer enforcement is logically coherent: the static cap and the dynamic lock audit use the same COOLDOWN_DAYS constant imported from the single source of truth, OSError wrapping is now complete across I/O and subprocess paths, and per-package overrides have an enforced expiry. The pydantic-settings override will cause test_exclude_newer_package_overrides_expire_with_cooldown to fail starting tomorrow — but that is the mechanism working as intended, not a defect.

The pydantic-settings override in pyproject.toml ages out on 2026-06-27 and must be removed (along with a re-lock) promptly after merge.

Important Files Changed

Filename Overview
tools/lock.py New helper: computes cooldown cutoff, rewrites pyproject.toml in-place, and shells out to uv lock. I/O and subprocess failures are all wrapped in LockError. Logic is clean; regex correctly targets only the global exclude-newer line, not per-package table values.
tests/test_dep_cooldown.py Live CI gate: checks the global cutoff is ≥ 7 days old, audits locked packages for cooldown violations, and enforces that per-package overrides are removed once they age past the window. Three-test structure cleanly separates the two enforcement layers.
tests/test_lock_tool.py Comprehensive unit tests for the pure functions in tools/lock.py using a fixed synthetic lock. Covers cutoff arithmetic, idempotency, timezone normalisation, regex behaviour, OSError wrapping, and the override-expiry logic.
pyproject.toml Adds [tool.uv] block with required-version, exclude-newer, and a pydantic-settings temporary override. The override cutoff (2026-06-20) will trigger test_exclude_newer_package_overrides_expire_with_cooldown starting 2026-06-27 — this is the intended behaviour of the system.
uv.lock Six langchain packages rolled back to earlier versions that predate the cooldown window; [options] block added to record the global and per-package cutoffs. Mechanical output of uv lock under the new cap.
AGENTS.md Single-line addition documenting the cooldown workflow for contributors.

Reviews (6): Last reviewed commit: "Fix dependency cooldown override expiry" | Re-trigger Greptile

Comment thread tests/test_dep_cooldown.py Outdated
Comment on lines +22 to +37
def test_uv_exclude_newer_enforces_dependency_cooldown() -> None:
cfg = tomllib.loads(_PYPROJECT.read_text(encoding="utf-8"))
raw = cfg.get("tool", {}).get("uv", {}).get("exclude-newer")
assert raw, (
"[tool.uv] exclude-newer is missing from pyproject.toml — it enforces the "
f"{COOLDOWN_DAYS}-day dependency cooldown and must be set."
)
cutoff = datetime.datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
if cutoff.tzinfo is None:
cutoff = cutoff.replace(tzinfo=datetime.UTC)
age = datetime.datetime.now(datetime.UTC) - cutoff
assert age >= datetime.timedelta(days=COOLDOWN_DAYS), (
f"[tool.uv] exclude-newer ({raw}) is only {age.days}d old; the dependency "
f"cooldown requires it to be >= {COOLDOWN_DAYS} days in the past. Bump it "
f"to an older date (>= {COOLDOWN_DAYS}d ago) when taking dependency updates."
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Grandfather overrides have no CI expiry enforcement

The test guards [tool.uv] exclude-newer but never inspects [tool.uv.exclude-newer-package]. The per-package overrides are the one channel through which a package newer than the global cooldown can enter the lockfile, yet nothing checks that those entries carry a required comment, or that they're removed once the package crosses the 7-day mark. In practice the litellm and starlette entries will silently linger forever after they age out, and a future engineer can add another entry without any guardrail. Adding a second assertion that iterates cfg["tool"]["uv"].get("exclude-newer-package", {}) and verifies each override timestamp is still within some reasonable tolerance (e.g., entry date ≥ global exclude-newer date) would close this gap without much code.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 151c63d7 on the pushed head 44133f5c. The original expiry side was already covered; this now also enforces the rationale side without relying on TOML comments. Each [tool.uv.exclude-newer-package] entry must have a matching non-empty [tool.benchflow.dependency-cooldown.override-rationale] entry, and stale rationale entries without an override fail too. Validation passed locally: tests/test_dep_cooldown.py tests/test_lock_tool.py (24 passed), uv lock --check, tools/lock.py --check -> 2026-06-26T00:00:00Z, ruff, ty, format check. GitHub CI is still running on the new head.

Comment on lines +33 to +37
assert age >= datetime.timedelta(days=COOLDOWN_DAYS), (
f"[tool.uv] exclude-newer ({raw}) is only {age.days}d old; the dependency "
f"cooldown requires it to be >= {COOLDOWN_DAYS} days in the past. Bump it "
f"to an older date (>= {COOLDOWN_DAYS}d ago) when taking dependency updates."
)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 The error message uses age.days, which is the integer days component of the timedelta, not the total elapsed days rounded. For a gap like 6 days 23 h 50 min, it prints "6d old" while the assertion correctly sees it as still less than 7 days — the diagnostic makes the boundary look farther away than it is. Prefer age.total_seconds() / 86400 for accurate sub-day precision.

Suggested change
assert age >= datetime.timedelta(days=COOLDOWN_DAYS), (
f"[tool.uv] exclude-newer ({raw}) is only {age.days}d old; the dependency "
f"cooldown requires it to be >= {COOLDOWN_DAYS} days in the past. Bump it "
f"to an older date (>= {COOLDOWN_DAYS}d ago) when taking dependency updates."
)
assert age >= datetime.timedelta(days=COOLDOWN_DAYS), (
f"[tool.uv] exclude-newer ({raw}) is only {age.total_seconds() / 86400:.1f}d old; "
f"the dependency cooldown requires it to be >= {COOLDOWN_DAYS} days in the past. "
f"Bump it to an older date (>= {COOLDOWN_DAYS}d ago) when taking dependency updates."
)

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: edfa207867

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread pyproject.toml
# comment recording why. Remove the override once the package is >= 7 days old.
exclude-newer = "2026-06-08T00:00:00Z"

[tool.uv.exclude-newer-package]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Pin uv before using exclude-newer-package

In environments that still have uv 0.7.x, this new table is an unknown [tool.uv] key: uv sync --locked reports unknown field exclude-newer-package, ignores the lockfile cutoff as removed, and tries to re-resolve from PyPI instead of installing the committed lock. Since the repo only requires users to have uv and does not set tool.uv.required-version, local setup and any older CI image can fail or bypass the intended cooldown; pin/install a uv version that supports per-package cutoffs before relying on this syntax.

Useful? React with 👍 / 👎.

The 7-day cooldown date in [tool.uv] exclude-newer was hand-typed. Add
tools/lock.py to compute it as midnight-UTC of (today - 7d) and re-lock in
one step, so the date is set dynamically instead of guessed. The committed
value stays static (CI's uv sync --locked must be deterministic against the
lock); the helper just rolls it forward to the newest still-vetted day.

- tools/lock.py: compute_cooldown_cutoff + rewrite_exclude_newer + CLI
  (--check / --no-lock); single COOLDOWN_DAYS source imported by the gate.
- tests/test_lock_tool.py: unit tests for the date/text transforms.
- test_dep_cooldown.py: import COOLDOWN_DAYS from tools.lock (no drift).
- pyproject/AGENTS.md: point contributors at the helper, not hand-edits.
@xdotli xdotli temporarily deployed to pypi-internal-preview June 15, 2026 23:39 — with GitHub Actions Inactive
…times

The cutoff date in [tool.uv] exclude-newer is inherently static (CI's
uv sync --locked must match the lock), so trusting that date alone isn't a
live '7 days ago from today' check. Add the dynamic half: read the upload-time
uv bakes into uv.lock for every resolved package and fail if any is younger
than now-7d, honoring documented [tool.uv.exclude-newer-package] exemptions.

This evaluates the window against the current date on every CI run, stays
offline (timestamps are in the lock — no PyPI queries), and never flakes on an
unchanged lock (upload times are immutable, so packages only age out).

- tools/lock.py: newest_upload_times + find_cooldown_violations.
- test_dep_cooldown.py: split into caps-resolution (static cutoff >= 7d) +
  locked-packages-respect-cooldown (dynamic, the real invariant).
- test_lock_tool.py: audit unit tests (latest-artifact, sourceless skip,
  exemptions, monotonic leniency over time).
@xdotli xdotli temporarily deployed to pypi-internal-preview June 15, 2026 23:49 — with GitHub Actions Inactive
Comment thread tools/lock.py Outdated
Comment on lines +203 to +206
original = args.pyproject.read_text(encoding="utf-8")
updated = rewrite_exclude_newer(original, cutoff)
if updated != original:
args.pyproject.write_text(updated, encoding="utf-8")

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 OSError from file I/O is not caught. If args.pyproject doesn't exist (e.g., --pyproject wrong.toml) or lacks write permission, read_text() / write_text() raise FileNotFoundError / PermissionError, which fall outside the except LockError handler and produce a raw Python traceback. Catching OSError and converting it to LockError would give the same clean exit as every other failure path.

Suggested change
original = args.pyproject.read_text(encoding="utf-8")
updated = rewrite_exclude_newer(original, cutoff)
if updated != original:
args.pyproject.write_text(updated, encoding="utf-8")
try:
original = args.pyproject.read_text(encoding="utf-8")
except OSError as exc:
raise LockError(f"Cannot read {args.pyproject}: {exc}") from exc
updated = rewrite_exclude_newer(original, cutoff)
if updated != original:
try:
args.pyproject.write_text(updated, encoding="utf-8")
except OSError as exc:
raise LockError(f"Cannot write {args.pyproject}: {exc}") from exc

@bingran-you bingran-you added enhancement New feature or request P2 Anti-pattern / type safety / docs precision / minor schema drift / non-deterministic but contained. review:pending PR is ready-for-review, no reviewer engagement yet. labels Jun 16, 2026
@bingran-you

Copy link
Copy Markdown
Collaborator

Automation triage (2026-06-16): CI is green (test, pip-audit, eval-and-judge) and the PR is mergeable, but it has no human approval yet. Per repo policy, bot/self review is not enough for main, so I labeled it review:pending and am leaving it unmerged until a human reviewer approves.\n\nNo code changes made in this scan.

@bingran-you

Copy link
Copy Markdown
Collaborator

Follow-up automation review (2026-06-16): holding this despite green CI. Two dependency-policy blockers need author follow-up before human review/merge:\n\n1. [tool.uv.exclude-newer-package] relies on uv support that landed in uv 0.8.4, but the PR does not enforce a minimum uv version. Add [tool.uv] required-version = \">=0.8.4\" and consider pinning the CI setup-uv version so local/CI behavior cannot silently diverge on older uv.\n2. The sdist allowlist currently includes tests/ but not tools/, while the new tests import tools.lock. Either include tools in [tool.hatch.build.targets.sdist].only-include or stop shipping tests that depend on repo-only helper code.\n\nI moved the PR from review:pending to review:changes-requested. No merge until these are addressed, checks rerun, and a human review approves.

@bingran-you bingran-you added review:changes-requested Author needs to push more commits before this can merge. and removed review:pending PR is ready-for-review, no reviewer engagement yet. labels Jun 16, 2026
@xdotli

xdotli commented Jun 16, 2026

Copy link
Copy Markdown
Member Author

When this matters in practice

The cooldown only changes your workflow when you're updating dependencies (adding one, bumping a version, or pulling in a CVE fix). At that point, re-lock with:

python tools/lock.py

It sets [tool.uv] exclude-newer to today − 7d and re-locks in one step. Day-to-day there's nothing to do — no daily/scheduled bumps. The static cutoff only ages (safe), and the dynamic lock check only gets more lenient over time, so an unchanged lock never flips red.

The guardrail holds even if someone doesn't know about the helper

  • python tools/lock.py → cooldown applied at resolve time, lands clean ✓
  • plain uv lock that grabs a day-0 release → CI fails, listing any package younger than 7 days: "re-lock with python tools/lock.py, or add a commented override" 🛑

Escape hatch

A genuinely urgent fix that's <7 days old (e.g. an active CVE) goes through a commented [tool.uv.exclude-newer-package] override — a deliberate "accepting this fresh package, here's why" entry that exempts it from the dynamic check. Each one ages out (becomes a no-op) once the package crosses 7 days, so it's cleanup-when-convenient, not a scheduled chore.

TL;DR: update deps → run tools/lock.py; everything else is automatic.

Addresses two dep-cooldown policy gaps:

1. `required-version = ">=0.8.4"` — the `[tool.uv.exclude-newer-package]`
   override table is only honored by uv >= 0.8.4. Without a floor an older
   uv would silently ignore it and resolve a different lock.
2. Add `tools` to the sdist `only-include` allowlist. The shipped
   `tests/test_dep_cooldown.py` does `from tools.lock import ...`, so the
   sdist must include `tools` or the suite fails to import from a source
   distribution. Verified `uv build --sdist` now ships `tools/lock.py`.

uv lock --check clean; test_dep_cooldown.py passes (2).
@bingran-you bingran-you temporarily deployed to pypi-internal-preview June 16, 2026 06:05 — with GitHub Actions Inactive
@bingran-you

Copy link
Copy Markdown
Collaborator

Automation (2026-06-16): addressed both policy blockers I raised earlier, pushed as 7b92cbd3:

  1. uv version floor — added required-version = ">=0.8.4" under [tool.uv]. The exclude-newer-package override table is only honored by uv ≥ 0.8.4, so an older uv would silently ignore it.
  2. sdist ships tools/ — added tools to [tool.hatch.build.targets.sdist].only-include. tests/test_dep_cooldown.py does from tools.lock import ...; verified uv build --sdist now bundles tools/lock.py next to the test.

Verification: uv lock --check clean (lock unchanged), test_dep_cooldown.py 2 passed, sdist tarball confirmed to contain tools/lock.py.

Still holding for a human approval before merge per repo policy (bot/self review insufficient for main).

@bingran-you bingran-you added review:pending PR is ready-for-review, no reviewer engagement yet. and removed review:changes-requested Author needs to push more commits before this can merge. labels Jun 16, 2026
@bingran-you bingran-you added review:changes-requested Author needs to push more commits before this can merge. status:blocked Waiting on external dependency. Add a comment explaining why. review:approved Reviewer approved; awaiting merge / CI / second review. and removed review:pending PR is ready-for-review, no reviewer engagement yet. review:changes-requested Author needs to push more commits before this can merge. labels Jun 17, 2026
@bingran-you

Copy link
Copy Markdown
Collaborator

Users Simulation automation review (2026-07-08): ready by simulation on head 44133f5ca18bea19844831fd7216c1dc53ee1840.

Evidence:

  • Dependency cooldown tooling passed end to end: uv sync --extra dev --locked, uv lock --check, and uv run python tools/lock.py --check (2026-07-01T00:00:00Z).
  • Focused tests passed: tests/test_dep_cooldown.py tests/test_lock_tool.py (24 passed).
  • Static/CLI gates passed: ty check src/ tools/, ruff check src/ tools/ tests/test_dep_cooldown.py tests/test_lock_tool.py, bench --help, bench agent list, bench tasks check --help.
  • Synthetic override-rationale smoke passed with current-policy-issues: [].
  • Current-head integration-light-jobs artifact passed benchflow-experiment-review: ACP + LLM trajectories and training-ready results.jsonl; reward 1.0, 175,420 tokens, 7 tool calls, total timing 183.6s, and non-null USD cost $0.0094332 with price_source=litellm.

Thermo-nuclear review: no blocker. tools/lock.py is direct enough for the policy, date math is idempotent, and override expiry/rationale checks are machine-verifiable.

Labels: status:ready / review:pending.

@bingran-you bingran-you temporarily deployed to pypi-internal-preview July 9, 2026 08:41 — with GitHub Actions Inactive
@bingran-you bingran-you added the status:in-progress Has assignee or linked draft PR. label Jul 9, 2026 — with ChatGPT Codex Connector
@bingran-you bingran-you removed the status:ready Triaged, unassigned, available to claim. label Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Daily scan fix update (2026-07-09): pushed 956dde4ef to address the remaining non-outdated cooldown diagnostic thread.

What changed:

  • tests/test_dep_cooldown.py now reports the [tool.uv] exclude-newer age with age.total_seconds() / 86400 instead of integer age.days, so the failure message matches the actual sub-day boundary check.

Local validation on the PR branch:

  • uv run --extra dev python -m pytest tests/test_dep_cooldown.py tests/test_lock_tool.py -q -> 24 passed
  • uv run ruff check tests/test_dep_cooldown.py tests/test_lock_tool.py tools/lock.py -> passed
  • uv run ruff format --check tests/test_dep_cooldown.py tests/test_lock_tool.py tools/lock.py -> passed
  • uv run --extra dev ty check tests/test_dep_cooldown.py tools/lock.py -> passed

GitHub checks are running on the new head; I moved this to status:in-progress while CI is pending. Keep review:pending for fresh non-author review after checks settle.

Copy link
Copy Markdown
Collaborator

Daily scan follow-up (2026-07-09): pushed 0ac135c15 after the new CI failure exposed a merge-with-main cooldown violation.

What changed:

  • Merged current origin/main into this PR branch.
  • Re-ran python tools/lock.py, advancing [tool.uv] exclude-newer to 2026-07-02T00:00:00Z and regenerating uv.lock under the cooldown policy.
  • The lock refresh downgraded the young merge-result packages that failed CI (torch, setuptools, trl, plus related CUDA entries) to policy-compliant versions.

Validation on the pushed branch:

  • uv run --extra dev python -m pytest tests/test_dep_cooldown.py tests/test_lock_tool.py -q -> 24 passed
  • uv run --extra dev python tools/lock.py --check -> 2026-07-02T00:00:00Z
  • uv lock --check -> passed
  • focused ruff check / ruff format --check -> passed
  • uv run --extra dev ty check tools/lock.py tests/test_dep_cooldown.py tests/test_lock_tool.py -> passed

GitHub CI is running again on 0ac135c15; keeping status:in-progress until it settles, then this should return to status:ready + review:pending for fresh non-author review.

@bingran-you bingran-you temporarily deployed to pypi-internal-preview July 9, 2026 08:49 — with GitHub Actions Inactive
@bingran-you

Copy link
Copy Markdown
Collaborator

Users Simulation automation review (2026-07-09): ready by simulation on current head 0ac135c1550053b8dfb37fab6d236259ef765112.

Evidence:

  • GitHub CI is green on the new head: test, pip-audit, manifest-parity, and integration-light / rollout-smoke all passed.
  • Local PR worktree validation passed: uv sync --extra dev --locked, uv lock --check, uv run python tools/lock.py --check (2026-07-02T00:00:00Z), tests/test_dep_cooldown.py tests/test_lock_tool.py (24 passed), focused ruff, focused ruff format --check, focused ty, plus bench --help, bench agent list, and bench tasks check --help.
  • Current-head integration-light artifact from run 29006028771 passed benchflow-experiment-review: 1/1 rollout healthy, ACP trajectory present, LLM trajectory present, results.jsonl training-ready, reward 1.0, 224,541 tokens, 13 tool calls, 23 ACP events, 16 LLM exchanges with provider usage, total timing 285.5s.

Caveat: this run used glm/glm-5.1; token/timing metadata is healthy, but result.json.agent_result.cost_usd and price_source are still null. That is the shared GLM user-endpoint cost-accounting caveat already tracked in this sweep, not a dependency-cooldown regression.

Thermo-nuclear review: no blocker. The policy logic remains localized in tools/lock.py, the rationale/override tests are machine-checkable, and the refreshed lock/cutoff path is direct enough for this PR.

Labels: moving status:in-progress back to status:ready; keeping review:pending for fresh non-author human review before merge.

@bingran-you bingran-you added status:ready Triaged, unassigned, available to claim. and removed status:in-progress Has assignee or linked draft PR. labels Jul 9, 2026
@bingran-you

Copy link
Copy Markdown
Collaborator

Users Simulation automation review (2026-07-10): ready by simulation on head 0ac135c1550053b8dfb37fab6d236259ef765112.

Verified:

  • benchflow --help
  • python tools/lock.py --help
  • python tools/lock.py --check (reported 2026-07-03T00:00:00Z)
  • uv lock --check
  • pytest tests/test_lock_tool.py tests/test_dep_cooldown.py -q (24 passed)
  • ruff check and ty check on tools/lock.py, src/benchflow/task/prompts.py, and the cooldown tests
  • Python import smoke for benchflow, tools.lock, and _document_user_model_kind(None)

Thermo-nuclear review: no blocking structure issue. tools/lock.py remains contained; the override policy is spread across script/config/tests but is coherent and covered. If this policy grows further, factor the pure policy checks into a smaller module.

Keeping status:ready / review:pending.

@bingran-you

Copy link
Copy Markdown
Collaborator

Users Simulation automation review (2026-07-11): ready by simulation on head 0ac135c1550053b8dfb37fab6d236259ef765112.

Scope checked: 7-day dependency cooldown (uv exclude-newer), lock tooling, CI assertion behavior, and broad CLI/SDK regression risk.

Evidence:

  • Local focused gate passed: uv sync --extra dev --locked; python tools/lock.py --check; uv lock --check; pytest tests/test_dep_cooldown.py tests/test_lock_tool.py -q -> 24 passed; focused ruff; ty check src tools; bench --help; SDK Scene.single(agent="oracle").
  • GitHub current-head checks are green: test, pip-audit, manifest-parity / parity, and integration-light / rollout-smoke passed.
  • tools/lock.py --check reported the expected cooldown timestamp and did not mutate the lock.

Artifact health:

  • Current-head integration-light run 29006028771 validated healthy with benchflow-experiment-review: 1/1 healthy, ACP + LLM trajectories present, training-ready results.jsonl, reward present, 224,541 tokens, 13 tool calls, 285.5s timing.
  • Caveat: this GLM user-endpoint artifact still has null agent_result.cost_usd / price_source; token, timing, and trajectory metadata are complete.

Thermo review: no blocker. tools/lock.py is a focused standalone tool with tests, the CI/assertion logic is local to dependency hygiene, and no runtime BenchFlow flow gains special-case branching.

@bingran-you bingran-you added status:blocked Waiting on external dependency. Add a comment explaining why. and removed status:ready Triaged, unassigned, available to claim. labels Jul 13, 2026
@bingran-you

Copy link
Copy Markdown
Collaborator

Daily scan hygiene (2026-07-13): live GitHub now reports this PR as DIRTY, so I moved the stale status:ready label back to status:blocked while keeping review:pending.

Current state:

  • Last recorded checks on head 0ac135c1550053b8dfb37fab6d236259ef765112 are green (test, pip-audit, manifest-parity, integration-light / rollout-smoke).
  • Merge state is no longer clean against current main, so this is not merge-safe today even before the non-author review gate.

Next action: rebase/merge current main, refresh the cooldown lock path if needed, rerun CI, then request fresh non-author human review.

@bingran-you

Copy link
Copy Markdown
Collaborator

Users Simulation automation review (2026-07-13): behavior-ready but merge-blocked on head 0ac135c1550053b8dfb37fab6d236259ef765112.

Scope checked: dependency cooldown helper, uv exclude-newer policy, lock/package upload-time checks, CLI/SDK regression risk, and current GitHub merge state.

Evidence:

  • Shared base smoke passed: uv sync --extra dev --extra sandbox-daytona --locked, repo ruff, ty check src, CLI help/list/check surfaces, and SDK smoke.
  • PR worktree checks passed: uv sync --extra dev --locked; python tools/lock.py --check -> 2026-07-06T00:00:00Z; uv lock --check; pytest tests/test_dep_cooldown.py tests/test_lock_tool.py tests/test_task_package.py -q -> 32 passed; focused ruff; ty check src tools/lock.py; CLI + SDK smoke.
  • Current-head GitHub checks are still green: test, pip-audit, manifest-parity / parity, and integration-light / rollout-smoke passed.
  • Downloaded run 29006028771 and revalidated it with benchflow-experiment-review: 1/1 healthy, ACP + LLM trajectories present, results.jsonl training-ready, reward 1.0, 18/18 LLM exchanges with usage, 309,996 tokens, 16 tool calls, timing total 296.1s.
  • Caveat: GLM user-endpoint cost accounting is still unpriced (agent_result.cost_usd=null, price_source=null) even though token/timing telemetry is complete.

Blocker:

  • Live GitHub merge state is DIRTY, so this is not merge-safe today even though the behavior checks are green.

Thermo-nuclear review: no blocker. tools/lock.py is a direct, focused policy tool, tests name PR #788 for regression guards, and no changed file crosses the 1k-line threshold. Keeping status:blocked + review:pending; next action is rebase/merge current main, refresh the lock if needed, rerun CI, then request non-author review.

@bingran-you bingran-you temporarily deployed to pypi-internal-preview July 13, 2026 13:07 — with GitHub Actions Inactive
@bingran-you bingran-you temporarily deployed to pypi-internal-preview July 13, 2026 13:10 — with GitHub Actions Inactive
@bingran-you

Copy link
Copy Markdown
Collaborator

Users Simulation automation follow-up (2026-07-13): ready by simulation on current head c2fe73120c03a5f30ffa930fd1eb9cf4f59a54ca.

What changed:

  • Merged current origin/main into the dependency-cooldown branch, resolving the uv.lock conflict from main's TRL-SFT extra.
  • Added a temporary documented trl cooldown override for main's trl>=1.8.0,<2 requirement.
  • Refreshed click to 8.4.2 to clear PYSEC-2026-2132 without relaxing the global cooldown.
  • Updated the removed-short-option regression to tolerate Click 8.4's quoted error wording while preserving the same behavior check.

Validation:

  • Local CI-shaped suite: uv sync --extra dev --extra sandbox-daytona --extra sandbox-modal --locked; uv lock --check; python tools/lock.py --check -> 2026-07-06T00:00:00Z; pytest tests/ -> 4885 passed, 8 skipped, 7 deselected; repo ruff; format check; ty check; exact pip-audit export passed with the existing cryptography ignore.
  • GitHub current-head checks are green: test, pip-audit, manifest-parity / parity, integration-light / rollout-smoke, and detect-scope.
  • Current-head integration-light-jobs artifact passed benchflow-experiment-review: 1/1 rollout healthy, reward 1.0, ACP + LLM trajectories and training-ready results.jsonl present, 311,687 tokens, 16 tool calls, total timing 250.4s.

Note: cost_usd / price_source remain null for this GLM/user-endpoint smoke, matching the known shared accounting caveat from the sweep rather than a dependency-cooldown regression.

@bingran-you bingran-you added status:ready Triaged, unassigned, available to claim. and removed status:blocked Waiting on external dependency. Add a comment explaining why. labels Jul 13, 2026
@bingran-you

Copy link
Copy Markdown
Collaborator

Users Simulation automation review (2026-07-14): ready by simulation on current head c2fe73120c03a5f30ffa930fd1eb9cf4f59a54ca.

Scope checked: dependency cooldown policy, lock tooling, Click 8.4 error wording compatibility, package/trace import tests, CLI/SDK regression risk, and current rollout artifact health.

Evidence:

  • Shared base gates passed in the main checkout: uv sync --extra dev --extra sandbox-daytona --locked, repo ruff check ., repo ty check src, CLI help/list/check surfaces, and SDK smoke.
  • Current-head isolated worktree gates passed: uv sync --extra dev --locked; python tools/lock.py --check -> 2026-07-07T00:00:00Z; uv lock --check; focused tests -> 38 passed; focused ruff; ty check src tools/lock.py; CLI + SDK smoke.
  • GitHub current-head checks are green: test, pip-audit, manifest-parity / parity, and integration-light / rollout-smoke passed.
  • Current-head integration-light artifact run 29253275107 validated healthy with benchflow-experiment-review: ACP trajectory, LLM trajectory, one training-ready results.jsonl row, reward present, 18/18 LLM responses with usage, 311,687 tokens, 16 tool calls, timing total 250.4s.

Thermo-nuclear review:

  • No structural blocker found. tools/lock.py is 331 lines, focused on the canonical lock/cooldown policy; no changed file crosses the under-1k-to-over-1k threshold; no new CLI/SDK regression surfaced.

Cost caveat:

  • The GLM user-endpoint artifact has complete token/timing telemetry, but result.json.agent_result.cost_usd and price_source are still null.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request P2 Anti-pattern / type safety / docs precision / minor schema drift / non-deterministic but contained. review:pending PR is ready-for-review, no reviewer engagement yet. status:ready Triaged, unassigned, available to claim.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants