From d5e5c8ff0102fc5adbd60ed29e05b300b853d08c Mon Sep 17 00:00:00 2001 From: Mandeep Singh Date: Tue, 7 Jul 2026 14:23:58 -0500 Subject: [PATCH 1/2] fix(security): suppress uv-missing-dependency-cooldown on agent/pyproject.toml (#532) semgrep's uv-missing-dependency-cooldown rule wants a global exclude-newer cooldown under [tool.uv]. Setting one is structurally incompatible with this repo: deps are exact-pinned (==) and several pins (fastapi, bedrock-agentcore, boto3) are to versions published within any reasonable cooldown window, so a global exclude-newer makes `uv lock`/`uv sync` unsatisfiable and re-breaks on every fresh pin bump. The rule's threat model (surprise malicious/unstable version) is already covered by exact pins + committed uv.lock + reviewed upgrade-main PRs + uv sync --frozen in the image. Suppress with a justified nosemgrep on the line preceding [tool.uv] rather than adding a redundant, workflow-breaking cooldown. Approach approved by maintainer (Option B) in #532. Verified: `mise run security:sast` -> 0 findings; `uv sync --all-groups` and `uv lock --check` both resolve. Fixes #532 Co-Authored-By: Claude --- agent/pyproject.toml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/agent/pyproject.toml b/agent/pyproject.toml index a89e3ce4..796849a0 100644 --- a/agent/pyproject.toml +++ b/agent/pyproject.toml @@ -49,6 +49,14 @@ dependencies = [ "jsonschema==4.26.0", #https://pypi.org/project/jsonschema/ ] +# The uv-missing-dependency-cooldown rule wants a global exclude-newer window. +# We intentionally do NOT set one: deps are exact-pinned (==) and lockfile-managed +# via upgrade-main.yml, and a global cooldown conflicts with fresh exact pins +# (fastapi/bedrock-agentcore/boto3 were published within the last week) — it makes +# `uv sync` unsatisfiable and re-breaks on every pin bump. The rule's threat model +# (surprise malicious/unstable version) is already covered by exact pins + reviewed +# lock upgrades. See #532. +# nosemgrep: uv-missing-dependency-cooldown [tool.uv] constraint-dependencies = [ "pyjwt>=2.13.0", # PYSEC-2026-175/177/178/179 — transitive via mcp; remove when mcp bumps floor (#267) From 9692282a26678c738dbaaa74f38646e66e9041c9 Mon Sep 17 00:00:00 2001 From: Mandeep Singh Date: Tue, 7 Jul 2026 17:23:11 -0500 Subject: [PATCH 2/2] =?UTF-8?q?chore:=20re-trigger=20CI=20=E2=80=94=20clea?= =?UTF-8?q?r=20stuck=20CodeQL=20run=20(#532)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit