build(deps): bump pydantic-settings from 2.14.1 to 2.14.2

[dependabot]

Bumps pydantic-settings from 2.14.1 to 2.14.2.

Release notes

Sourced from pydantic-settings's releases.

v2.14.2

What's Changed

This is a security patch release.

• Prevent NestedSecretsSettingsSource from following symlinks outside secrets_dir by @​hramezani in pydantic/pydantic-settings#889
• Prepare release 2.14.2 by @​hramezani in pydantic/pydantic-settings#890

Security

Fixes GHSA-4xgf-cpjx-pc3j: NestedSecretsSettingsSource with secrets_nested_subdir=True could follow a symbolic link inside secrets_dir pointing outside it, reading out-of-tree files into settings values and bypassing the secrets_dir_max_size cap. Affected versions: >= 2.12.0, < 2.14.2.

Full Changelog: pydantic/pydantic-settings@v2.14.1...v2.14.2

Commits

• d703bd7 Prepare release 2.14.2 (#890)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

roam-code Analysis

Mode: incremental (changed-only) — base aa263622b8a6d91fd29d5525da3165cfa67c0a1b, 1 changed+dependent files

Health Score: 81/100 HEALTHY

health: Healthy codebase (81/100) — 46 critical issues, focus: god_components
pr-risk: index-stale

Health Metrics

Metric	Value
Health Score	81/100
Tangle Ratio	0.1%
Propagation Cost	0.0019
Total Issues	67

PR Risk

Metric	Value
Risk Score	0/100

Quality Gate: PASSED

Gate expression: health_score>=50

SARIF Upload

Metric	Value
Category	roam-code-self-analysis/self-analysis/py3.12
Results Uploaded	80

Full analysis output

health

{
  "_meta": {
    "cache_ttl_s": 300,
    "cacheable": true,
    "index_age_s": 3,
    "latency_ms": null,
    "response_tokens": 4258,
    "roam_version": "13.6.1",
    "timestamp": "2026-06-23T18:32:16Z"
  },
  "actionable_count": 11,
  "actionable_cycles": 2,
  "agent_contract": {
    "confidence": null,
    "facts": [
      "Healthy codebase (81/100) — 46 critical issues, focus: god_components",
      "health score 81",
      "tangle ratio 0.1",
      "0.0019 propagation cost findings",
      "issue count 67"
    ],
    "next_commands": [
      "roam debt",
      "roam trends --days 30"
    ],
    "risks": []
  },
  "algebraic_connectivity": null,
  "algebraic_connectivity_available": false,
  "bottleneck_thresholds": {
    "p70": 816.8,
    "p90": 5445,
    "population": 1987,
    "utility_multiplier": 1.5
  },
  "category_severity": {
    "bottlenecks": {
      "critical": 15,
      "info": 0,
      "warning": 0
    },
    "cycles": {
      "critical": 1,
      "info": 0,
      "warning": 1
    },
    "god_components": {
      "critical": 30,
      "info": 10,
      "warning": 10
    },
    "layer_violations": {
      "critical": 0,
      "info": 0,
      "warning": 0
    }
  },
  "command": "health",
  "cycles_actionable": 2,
  "cycles_total": 15,
  "framework_filtered": 0,
  "health_score": 81,
  "ignored_cycles": 13,
  "imported_coverable_lines": 0,
  "imported_coverage_files": 0,
  "imported_coverage_pct": null,
  "imported_covered_lines": 0,
  "index_status": {
    "dirty_files": 0,
    "fresh": false,
    "head_commit": "f3c3220aa801",
    "hint": "index latest commit c21f22841d87 != HEAD f3c3220aa801 — git-derived metrics (commits, churn, co-change, weather) may be stale. Run `roam index --force`.",
    "indexed_commit": "c21f22841d87"
  },
  "issue_count": 67,
  "list_counts": {
    "bottlenecks": 15,
    "cycle_break_suggestions": 1,
    "cycles": 15,
    "god_components": 50,
    "layer_violations": 0,
    "next_steps": 2,
    "score_breakdown": 5
  },
  "project": "roam-code",
  "propagation_cost": 0.0019,
  "schema": "roam-envelope-v1",
  "schema_version": "1.1.0",
  "severity": {
    "critical": 46,
    "info": 23,
    "warning": 11
  },
  "summary": {
    "actionable_cycles": 2,
    "algebraic_connectivity": null,
    "algebraic_connectivity_available": false,
    "category_severity": {
      "bottlenecks": {
        "critical": 15,
        "info": 0,
        "warning": 0
      },
      "cycles": {
        "critical": 1,
        "info": 0,
        "warning": 1
      },
      "god_components": {
        "critical": 30,
        "info": 10,
        "warning": 10
      },
      "layer_violations": {
        "critical": 0,
        "info": 0,
        "warning": 0
      }
    },
    "cycles_actionable": 2,
    "cycles_definition": "Cycle counts derived from `roam.graph.cycles.find_cycles(G, min_size=2)` on the symbol graph. `cycles_total` = all SCCs of size >= 2; `cycles_actionable` = SCCs spanning >=2 files AND no test files (same-file and test-only cycles are informational). Run `roam health` for the per-cycle breakdown.",
    "cycles_total": 15,
    "detail_available": true,
    "god_components": 50,
    "god_components_definition": "God components: symbols where `(in_degree + out_degree) > 20` from the `graph_metrics` table, with utility-aware severity bands (standard >50=CRITICAL >30=WARNING; utility >150=CRITICAL >90=WARNING). Run `roam health` for the per-symbol breakdown. Legacy aliases: `god_objects` (fingerprint), `god_classes` (rules).",
    "health_score": 81,
    "health_score_definition": "weighted geometric mean (0-100) of 5 sigmoid health factors: tangle_ratio, god_components, bottlenecks, layer_violations, file_health (+coverage if available).",
    "ignored_cycles": 13,
    "imported_coverage_files": 0,
    "imported_coverage_pct": null,
    "issue_count": 67,
    "partial_success": true,
    "preserved_list_truncations": {},
    "propagation_cost": 0.0019,
    "severity": {
      "critical": 46,
      "info": 23,
      "warning": 11
    },
    "tangle_ratio": 0.1,
    "tangle_ratio_definition": "fraction of symbols inside non-trivial SCCs; higher = more cyclic coupling.",
    "total_cycles": 15,
    "truncated": true,
    "verdict": "Healthy codebase (81/100) — 46 critical issues, focus: god_components",
    "warnings_out": [
      "health_algebraic_connectivity_warning:RuntimeWarning:algebraic_connectivity compute failed (ModuleNotFoundError): No module named 'numpy'; returning 0.0 sentinel — value is NOT a legitimate disconnected-graph reading"
    ]
  },
  "tangle_ratio": 0.1,
  "total_cycles": 15,
  "utility_count": 39,
  "version": "13.6.1",
  "warnings_out": [
    "health_algebraic_connectivity_warning:RuntimeWarning:algebraic_connectivity compute failed (ModuleNotFoundError): No module named 'numpy'; returning 0.0 sentinel — value is NOT a legitimate disconnected-graph reading"
  ]
}

pr-risk

{
  "_meta": {
    "cache_ttl_s": 60,
    "cacheable": true,
    "index_age_s": 3,
    "latency_ms": null,
    "response_tokens": 160,
    "roam_version": "13.6.1",
    "timestamp": "2026-06-23T18:32:17Z"
  },
  "agent_contract": {
    "confidence": null,
    "facts": [
      "index-stale",
      "risk score 0",
      "1 risk rank findings"
    ],
    "next_commands": [],
    "risks": []
  },
  "command": "pr-risk",
  "message": "Changed files not found in index. Run `roam index` first.",
  "project": "roam-code",
  "schema": "roam-envelope-v1",
  "schema_version": "1.1.0",
  "summary": {
    "hint": "Changed files not in index — run `roam index`.",
    "partial_success": false,
    "risk_level": "low",
    "risk_level_canonical": "low",
    "risk_rank": 1,
    "risk_score": 0,
    "verdict": "index-stale"
  },
  "version": "13.6.1"
}

---

roam-code analysis | Commands: health pr-risk

[github-actions]

Roam Agent Review

Verdict: SAFE (risk_level low)

blast-radius 0/100 · ai-likelihood 14/100 · rule violations 0 · critique high-severity 0

Verdict: SAFE. All structural signals clean at the configured thresholds.

Next steps

• No structural concerns at the configured thresholds. Standard review still recommended.

---

_{Powered by roam-code — Apache 2.0, 100% local. Customize thresholds in .roam/rules.yml. Docs.}