From 5f1231d7a53647ca729cae9e453ffba6128feb41 Mon Sep 17 00:00:00 2001 From: arulnidhii Date: Wed, 3 Jun 2026 15:32:16 +0100 Subject: [PATCH 1/2] fix(ci): scope pip-audit to shipped deps (server/requirements.txt) Addresses Codex review on PR #41: the no-argument pip_audit audited the entire runner environment including pip-audit's own dependencies, broader than the shipped dependency surface the gate claims to enforce. --- .github/workflows/pip-audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 74a38a7..9343ea9 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -32,4 +32,4 @@ jobs: # server/requirements.txt are covered too. No --ignore-vuln: this surface is clean today. run: | pip install -e ".[server]" - python -m pip_audit + python -m pip_audit -r server/requirements.txt From e7dc3da2b63c4d7828cc61ecbc55bba24da4f9bb Mon Sep 17 00:00:00 2001 From: arulnidhii Date: Wed, 3 Jun 2026 15:51:46 +0100 Subject: [PATCH 2/2] fix(ci): audit installed shipped surface via isolated pip-audit Addresses second Codex review on PR #42: -r server/requirements.txt skipped pyproject deps (typer, rich, pyyaml, textual, mcp, alembic). pipx run pip-audit audits the installed .[server] environment (pyproject core + extra + requirements) while keeping pip-audit's own deps isolated. Confirmed clean locally. --- .github/workflows/pip-audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 9343ea9..2d09194 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -32,4 +32,4 @@ jobs: # server/requirements.txt are covered too. No --ignore-vuln: this surface is clean today. run: | pip install -e ".[server]" - python -m pip_audit -r server/requirements.txt + pipx run pip-audit
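Review bot: in PATCH 1/2, `python -m pip_audit -r server/requirements.txt` narrows the audit to that one file, so whatever `pip install -e ".[server]"` pulls in from pyproject is installed on the previous line but never checked. The context comment ending "server/requirements.txt are covered too" then no longer describes the step. Either audit the installed environment from a pip-audit install that keeps its own dependencies out of that environment, or keep `-r` and add a second check that covers the project's declared dependencies. In both cases, update the comment to state the scope the gate actually enforces.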
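Review bot: in PATCH 2/2, `pipx run pip-audit` starts pip-audit from pipx's own isolated virtual environment, and with no arguments pip-audit audits the environment of the interpreter it runs under, so this step may be enumerating pipx's venv instead of the `.[server]` install made on the line before it. Check the job log for the shipped packages (typer, rich, pyyaml and the others named in the commit message) in the audited set. If they are missing, point pip-audit at the runner's interpreter, for example through the PIPAPI_PYTHON_LOCATION variable that pip-audit documents. The command is also unversioned, so each run fetches whichever pip-audit release is current; pinning the version keeps the gate reproducible.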