chore(deps): bump urllib3 from 2.6.3 to 2.7.0#2

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/uv/urllib3-2.7.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 29, 2026


Bumps urllib3 from 2.6.3 to 2.7.0.

Release notes

Sourced from urllib3's releases.

2.7.0

🚀 urllib3 is fundraising for HTTP/2 support

urllib3 is raising ~$40,000 USD to release HTTP/2 support and ensure long-term sustainable maintenance of the project after a sharp decline in financial support. If your company or organization uses Python and would benefit from HTTP/2 support in Requests, pip, cloud SDKs, and thousands of other projects please consider contributing financially to ensure HTTP/2 support is developed sustainably and maintained for the long-haul.

Thank you for your support.

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially. (Reported by @Cycloctane)
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official Brotli library. (Reported by @kimkou2024)

    See GHSA-mf9v-mfxr-j63j for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. (GHSA-qccp-gfcp-xxvc reported by @christos-spearbit)
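The two decompression-bomb bypasses above share one root cause: the decompressed-byte budget was not charged consistently across a partial read, the follow-up read, and drain_conn(). The added example below is not urllib3's code; it is a self-contained, defender-side bounded gzip reader (built on zlib) that keeps a single budget across every code path, so a drain after a partial read cannot escape the limit. The 1 MiB limit, the 4 MiB constructed payload and all names are assumptions for illustration.

```python
import gzip
import zlib

# Constructed sample: 4 MiB of zeros compresses to a few KiB (a small "bomb").
BOMB = gzip.compress(b"\x00" * (4 * 1024 * 1024))
BENIGN = gzip.compress(b"hello" * 100)          # 500 bytes decompressed
MAX_DECOMPRESSED = 1 * 1024 * 1024               # assumed per-response budget


class DecompressionLimitExceeded(Exception):
    pass


class BoundedGzipReader:
    """Decompress a gzip body chunk by chunk, charging EVERY produced byte
    (partial reads and drain alike) against one shared budget."""

    def __init__(self, compressed: bytes, limit: int, in_chunk: int = 512):
        self._src, self._pos, self._in_chunk = compressed, 0, in_chunk
        self._d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # gzip framing
        self.limit, self.produced = limit, 0

    def _charge(self, n: int) -> None:
        self.produced += n
        if self.produced > self.limit:
            raise DecompressionLimitExceeded(f"{self.produced} > {self.limit}")

    def read(self, amt: int) -> bytes:
        """Return up to `amt` decompressed bytes; never over-produces."""
        out = bytearray()
        while len(out) < amt and not self._d.eof:
            data = self._d.unconsumed_tail          # leftover from a capped call
            if not data:
                if self._pos >= len(self._src):
                    break                           # input exhausted
                data = self._src[self._pos:self._pos + self._in_chunk]
                self._pos += self._in_chunk
            chunk = self._d.decompress(data, max_length=amt - len(out))
            self._charge(len(chunk))                # charged before it is handed out
            out += chunk
        return bytes(out)

    def drain(self) -> None:
        """Analogue of drain_conn(): consume the rest under the SAME budget."""
        while self.read(64 * 1024):
            pass


def consume_with_budget(compressed: bytes, limit: int, first_amt: int = 1024):
    reader = BoundedGzipReader(compressed, limit)
    reader.read(first_amt)                          # partial read, then drain
    try:
        reader.drain()
        return ("ok", reader.produced)
    except DecompressionLimitExceeded:
        return ("blocked", reader.produced)
```

The check worth carrying into an audit is that `produced` is a single counter, so no code path (partial read, second read, or drain) can reset or skip it.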

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. (urllib3/urllib3#3763)
  • Removed support for end-of-life Python 3.9. (urllib3/urllib3#3720)
  • Removed support for end-of-life PyPy3.10. (urllib3/urllib3#4979)
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. (urllib3/urllib3#3777)

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. (urllib3/urllib3#3636)
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True. (urllib3/urllib3#4967)
  • Fixed HTTPResponse.stream() and HTTPResponse.read_chunked() to handle amt=0. (urllib3/urllib3#3793)
  • Updated _TYPE_BODY type alias to include missing Iterable[str], matching the documented and runtime behavior of chunked request bodies. (urllib3/urllib3#3798)
  • Fixed LocationParseError when paths resembling schemeless URIs were passed to HTTPConnectionPool.urlopen(). (urllib3/urllib3#3352)
  • Fixed BaseHTTPResponse.readinto() type annotation to accept memoryview in addition to bytearray, matching the io.RawIOBase.readinto contract and enabling use with io.BufferedReader without type errors. (urllib3/urllib3#3764)

Changelog

Sourced from urllib3's changelog.

2.7.0 (2026-05-07)

Security

Addressed high-severity security issues. Impact was limited to specific use cases detailed in the accompanying advisories; overall user exposure was estimated to be marginal.

  • Decompression-bomb safeguards of the streaming API were bypassed:

    1. When HTTPResponse.drain_conn() was called after the response had been read and decompressed partially.
    2. During the second HTTPResponse.read(amt=N) or HTTPResponse.stream(amt=N) call when the response was decompressed using the official [Brotli](https://pypi.org/project/brotli/) library.

    See [GHSA-mf9v-mfxr-j63j](https://github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j) for details.

  • HTTP pools created using ProxyManager.connection_from_url did not strip sensitive headers specified in Retry.remove_headers_on_redirect when redirecting to a different host. ([GHSA-qccp-gfcp-xxvc](https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc))

Deprecations and Removals

  • Used FutureWarning instead of DeprecationWarning for better visibility of existing deprecation notices. Rescheduled the removal of deprecated features to version 3.0. ([#3763](https://github.com/urllib3/urllib3/issues/3763))
  • Removed support for end-of-life Python 3.9. ([#3720](https://github.com/urllib3/urllib3/issues/3720))
  • Removed support for end-of-life PyPy3.10. ([#4979](https://github.com/urllib3/urllib3/issues/4979))
  • Bumped the minimum supported pyOpenSSL version to 19.0.0. ([#3777](https://github.com/urllib3/urllib3/issues/3777))

Bugfixes

  • Fixed a bug where HTTPResponse.read(amt=None) was ignoring decompressed data buffered from previous partial reads. ([#3636](https://github.com/urllib3/urllib3/issues/3636))
  • Fixed a bug where HTTPResponse.read() could cache only part of the response after a partial read when cache_content=True.

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels May 29, 2026
wallter added a commit that referenced this pull request Jun 9, 2026
WHY: adversarial audit #1 on 0316b1ad8 found 2 P1 + 3 P2 issues — scan-hijack
still alive on trw_recall/trw_learn/trw_learn_update plus log_tool_call
telemetry writes, compat-baseline provenance unclear, FR12 subprocess
test missing, dead ctx var in heartbeat, off-by-one at grace boundary.

P1-01 (scan-hijack survivors):
- trw_recall, trw_learn, trw_learn_update in tools/learning.py now accept
  ctx: Context | None = None; _build_call_ctx() threads TRWCallContext
  through to _recall_impl.execute_recall which routes
  find_active_run(context=call_ctx) when ctx-aware.
- tools/telemetry.py defines _extract_call_ctx(kwargs) and the @log_tool_call
  decorator threads call_ctx through _write_tool_event →
  _get_cached_run_dir(call_ctx=...) → find_active_run(context=...).
  The process-level cache is BYPASSED for ctx-aware callers to prevent
  cross-session pollution; scan fallback preserved for legacy no-ctx paths.
- test_ctx_injection_parity.py::EXPECTED_CTX_TOOLS extended with the three
  learning tools.

P1-02 (compat-baseline integrity):
- tests/_compat_baseline.md documents provenance: baseline captured at
  commit 494731ea6 (immediate pre-PRD parent); the three modified test
  files' edits were monkeypatch lambda signature-only widening
  (lambda: x → lambda **_: x), behaviorally equivalent.

P2-01 (subprocess inheritance):
- test_trw_session_id_subprocess_inheritance spawns a real subprocess with
  TRW_SESSION_ID="parent-pin-001" in env and asserts the child's
  resolve_pin_key(ctx=None) returns the inherited key.

P2-02 (dead call_ctx in heartbeat):
- tools/ceremony.py — `del call_ctx` removed; variable bound to `_` with
  a comment documenting reserved-for-future-analytics intent.

P2-03 (grace-window boundary):
- state/_run_gc.py:350 changed `>` to `>=` so a run whose last_activity
  falls exactly on the grace cutoff is preserved (spec: "runs younger
  than staleness+grace"). test_sweep_preserves_run_at_exact_grace_boundary
  verifies with deterministic _now override.

Adversarial audit #2 (post-fix): READY TO SHIP — 0 P0, 0 P1, 0 P2.
74/74 PRD-141 tests pass; mypy --strict + Pyright clean on 5 touched
source files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
wallter added a commit that referenced this pull request Jun 9, 2026
WHY: PRD-EVAL-037 audit findings P2 #1 and P2 #2. (1) TRACE-SCHEMA.md:173 documented analysis_depth_tokens and analysis_min_hypotheses_target as type 'int' but the actual BehavioralAnalysis schema declares both as 'int | None = None' for iter-11/12 backward compat — updated doc to match. (2) trw-mcp/tests/test_prd_integrity.py ellipsis-guard parametrize now explicitly covers 4-dot ('....') and multi-ellipsis-fragment ('.../.../.../x.py') inputs so a future narrowing of the guard to 'exactly three dots' would regress visibly.
wallter added a commit that referenced this pull request Jun 9, 2026
Adversarial auditor + reviewer (parallel Opus) found gaps the initial
PRD-FIX-088 commit missed. Implementer agent closed all P1s in one pass:

P1 fixes:
- FR03 acceptance #2: build_check_complete log event now mirrors
  step_durations_ms onto the structlog payload. Previously the log
  fired BEFORE finalize/total were recorded, so even if the kwarg had
  been passed it would have been incomplete. New regression test
  test_step_durations_ms_mirrored_on_log_event uses
  structlog.testing.capture_logs() to pin the contract.
- FR01 tool_call_id plumbing: extracted from contextvars (fallback
  uuid.uuid4().hex[:12]), threaded through _dispatch_q_learning_async
  → coalescing-queue tuples → _q_learning_worker →
  _process_q_learning_inline → process_outcome_for_event →
  process_outcome → outcome_correlation_applied. Now stamped on
  q_learning_complete, q_learning_worker_crashed, q_learning_queue_full,
  the QLearningDeferredDict response field, and the build_check_complete
  log.
- FR04 env-override regression test: new test_correlation_window_default
  with default=7, env=60, env=12 cases.
- QLearningDeferredDict + QLearningHealthDict TypedDicts replace
  dict[str, object] with Literal-typed fields. Removes 3 # type: ignore
  from tests.
- _TransactionalBackend Protocol replaces 2 # type: ignore[attr-defined]
  in scoring/_io_boundary._sync_chunk.
- except BaseException → except Exception in _q_learning_worker
  (KeyboardInterrupt/SystemExit now propagate per Python conventions).

P1.5 hygiene:
- DRY: build_check_invoke fixture in conftest replaces duplicated 14-line
  helper across 4 test files.
- Single error-event source: removed inner try/except in
  _process_q_learning_inline so q_learning_worker_crashed becomes the
  authoritative crash event.
- @DataClass _QLearningHealth in _q_learning_state replaces module-level
  globals + 2 `global` declarations.
- import queue moved to module level (from queue import Empty).
- Test name/cap drift: dispatch test renamed _under_10ms with cap
  tightened from 50ms→10ms (FR05 spec is <5ms, 10ms tolerates CI
  thread-spawn jitter).
- list[str] replaces MagicMock for ordering in coalescing-queue test.
- @pytest.mark.slow benchmark test_batch_sync_2000_rows_under_300ms
  closes FR02 wall-time acceptance.
- _join_q_learning_worker(timeout=30.0) wired into trw_deliver path
  per FR01 shutdown contract.

Verification:
- 89 passed, 1 skipped on PRD-FIX-088 + adjacent regression files
- mypy --strict: 0 issues across 7 source files
- All findings from F1-F10 closed; honest status: implemented sustained

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wallter added a commit that referenced this pull request Jun 9, 2026
WHY: trw-distill lab's 4-config sweep shares one MemoryConfig
(one quarantine_db_path) but uses 4 distinct SQLiteBackend
instances. _runtime_canary.CANARY_STATE was keyed on quarantine
path only, so config-1's initialize_canaries seeded its backend
and marked the shared key seeded=True; configs 2-4 then
short-circuited init and never seeded their backends. Every
recall raised CanaryTamperError("missing canary canary-001"),
collapsing recall@10 to 0% in cycle 121 pass2.

FIX: introduce _state_key(config, backend) combining the
quarantine path with backend identity (_db_path / _dir / repr).
Apply in initialize_canaries, probe_canaries, and
should_halt_recalls. should_halt_recalls signature now requires
backend; three callers updated (trw-memory _client_recall.py
with None-guard, tools/recall.py, trw-mcp memory_adapter.py).

TESTS: 3 new regression tests in
tests/unit/security/test_canary_namespace_isolation.py covering
seeding isolation, probe non-cross-pollution, and halt
non-cross-pollution. All 60 trw-memory security unit tests
+ 166 trw-mcp memory_adapter/canary tests pass; mypy --strict
clean on touched files.

EMPIRICAL: lab re-run on n=377 corpus with /tmp/lab-cache-c122
shows real result_count=8..30 hits and ZERO recall_failed
events through 29 queries (vs 100% canary-tamper failure
under the bug). Headline recall@10 numbers carry to cycle 123.

Closes cycle 122 task #2 from HANDOFF.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.6.3 to 2.7.0.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst)
- [Commits](urllib3/urllib3@2.6.3...2.7.0)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/urllib3-2.7.0 branch from c06c93f to 87ee531 Compare June 9, 2026 05:22