
Trigger release #437

Merged
marvin-hansen merged 2 commits into deepcausality-rs:main from marvin-hansen:main
Dec 31, 2025

Conversation

@marvin-hansen
Member

@marvin-hansen marvin-hansen commented Dec 31, 2025

User description

Describe your changes

Trigger auto release

Issue ticket number and link

Code checklist before requesting a review

  • I have signed the DCO?
  • All tests are passing when running make test?
  • No errors or security vulnerabilities are reported by make check?

For details on make, please see BUILD.md

Note: The CI runs all of the above and fixing things before they hit CI speeds
up the review and merge process. Thank you.


PR Type

Enhancement


Description

  • Updated Software Bill of Materials (SBOM) files across all packages with regenerated timestamps and checksums

  • Bumped multiple package versions: deep_causality from 0.11.10 to 0.13.0, deep_causality_effects from 0.0.1 to 0.0.2, deep_causality_core from 0.0.1 to 0.0.2, and various dependency versions

  • Expanded dependency lists in several packages, particularly deep_causality_physics and deep_causality_effects with 50+ new package entries

  • Updated internal package dependencies across the ecosystem (e.g., deep_causality_num from 0.1.8/0.1.9 to 0.1.11, deep_causality_haft from 0.2.4/0.2.5 to 0.2.7)

  • Regenerated all SHA256 checksums for SBOM files to reflect content changes

  • Reorganized and restructured relationship mappings in SBOM documents for consistency


Diagram Walkthrough

flowchart LR
  A["SBOM Files<br/>Regeneration"] --> B["Version Updates<br/>Multiple Packages"]
  A --> C["Dependency<br/>Expansion"]
  A --> D["Checksum<br/>Regeneration"]
  B --> E["deep_causality<br/>0.11.10 → 0.13.0"]
  B --> F["deep_causality_effects<br/>0.0.1 → 0.0.2"]
  C --> G["50+ New<br/>Dependencies"]
  D --> H["SHA256<br/>Updates"]

File Walkthrough

Relevant files
Configuration changes
17 files
deep_causality_physics_sbom.spdx.json
SBOM update with expanded dependencies and version bumps 

deep_causality_physics/deep_causality_physics_sbom.spdx.json

  • Updated SBOM creation timestamp from 2025-12-09T05:39:09Z to
    2025-12-31T06:32:28Z
  • Updated document namespace UUID and file checksums
  • Significantly expanded package list from 7 to 60+ packages with
    detailed dependency information
  • Updated deep_causality_num version from 0.1.9 to 0.1.11 and added many
    new internal/external dependencies
  • Added comprehensive relationship mappings for all package dependencies
+1738/-127
deep_causality_rand_sbom.spdx.json
SBOM update with dependency version upgrades                         

deep_causality_rand/deep_causality_rand_sbom.spdx.json

  • Updated SBOM creation timestamp from 2025-12-03T03:23:43Z to
    2025-12-31T06:32:28Z
  • Updated document namespace UUID and file checksums
  • Updated deep_causality_rand version from 0.1.5 to 0.1.8
  • Updated deep_causality_num version from 0.1.8 to 0.1.11
  • Updated libc version from 0.2.175 to 0.2.178 and cfg-if from 1.0.3 to
    1.0.4
  • Reorganized package and relationship ordering
+80/-80 
deep_causality_data_structures_sbom.spdx.json
SBOM update with version bump and reordering                         

deep_causality_data_structures/deep_causality_data_structures_sbom.spdx.json

  • Updated SBOM creation timestamp from 2025-12-03T03:23:43Z to
    2025-12-31T06:32:27Z
  • Updated document namespace UUID and file checksums
  • Updated deep_causality_data_structures version from 0.10.4 to 0.10.7
  • Reordered relationships section (DESCRIBES before GENERATED_FROM)
+10/-10 
deep_causality_data_structures_sbom.spdx.json.sha
Update checksum for SBOM file                                                       

deep_causality_data_structures/deep_causality_data_structures_sbom.spdx.json.sha

  • Updated SHA256 checksum hash to reflect changes in the corresponding
    SBOM JSON file
+1/-1     
deep_causality_effects_sbom.spdx.json
SBOM update with expanded dependencies and version bumps 

deep_causality_effects/deep_causality_effects_sbom.spdx.json

  • Updated SBOM creation timestamp from 2025-12-08 to 2025-12-31
  • Regenerated document namespace UUID
  • Updated Cargo.lock SHA1 checksum
  • Significantly expanded package list with new dependencies including
    mlx-rs, darling, syn, proc-macro2, and many others
  • Updated deep_causality_effects version from 0.0.1 to 0.0.2
  • Updated deep_causality_topology version from 0.1.0 to 0.2.4
  • Updated deep_causality_multivector version from 0.1.3 to 0.2.4
  • Updated deep_causality_tensor version from 0.1.10 to 0.2.2
  • Updated deep_causality_haft version from 0.2.5 to 0.2.7
  • Updated deep_causality_num version from 0.1.9 to 0.1.11
  • Updated deep_causality_sparse version from 0.1.0 to 0.1.3
  • Added new deep_causality_metric package version 0.1.0
  • Completely restructured relationships section with many new dependency
    mappings
+1604/-123
deep_causality_sbom.spdx.json
SBOM update with version bumps and dependency changes       

deep_causality/deep_causality_sbom.spdx.json

  • Updated SBOM creation timestamp from 2025-12-03 to 2025-12-31
  • Regenerated document namespace UUID
  • Updated Cargo.lock SHA1 checksum
  • Updated deep_causality version from 0.11.10 to 0.13.0
  • Updated deep_causality_data_structures version from 0.10.4 to 0.10.7
  • Updated deep_causality_uncertain version from 0.3.6 to 0.3.10
  • Updated deep_causality_rand version from 0.1.5 to 0.1.8
  • Updated deep_causality_num version from 0.1.8 to 0.1.11
  • Updated deep_causality_haft version from 0.2.4 to 0.2.7
  • Updated deep_causality_ast version from 0.1.2 to 0.1.3
  • Updated ultragraph version from 0.8.10 to 0.8.12
  • Updated libc version from 0.2.175 to 0.2.178
  • Updated cfg-if version from 1.0.3 to 1.0.4
  • Added deep_causality_core version 0.0.2
  • Simplified and reorganized relationships section
+132/-147
deep_causality_metric_sbom.spdx.json
SBOM timestamp and checksum update                                             

deep_causality_metric/deep_causality_metric_sbom.spdx.json

  • Updated SBOM creation timestamp from 2025-12-26 to 2025-12-31
  • Regenerated document namespace UUID
  • Updated Cargo.lock SHA1 checksum
+3/-3     
deep_causality_core_sbom.spdx.json
Update SBOM with new package versions and timestamps         

deep_causality_core/deep_causality_core_sbom.spdx.json

  • Updated creation timestamp from 2025-12-03T03:23:43Z to
    2025-12-31T06:32:27Z
  • Updated document namespace UUID to reflect new generation
  • Bumped deep_causality_core version from 0.0.1 to 0.0.2
  • Bumped deep_causality_num version from 0.1.8 to 0.1.11 and
    deep_causality_haft from 0.2.4 to 0.2.7
  • Reorganized package and relationship entries in the SBOM
+25/-25 
deep_causality_ast_sbom.spdx.json
Update SBOM with new package version and timestamp             

deep_causality_ast/deep_causality_ast_sbom.spdx.json

  • Updated creation timestamp from 2025-12-03T03:23:43Z to
    2025-12-31T06:32:27Z
  • Updated document namespace UUID to reflect new generation
  • Bumped deep_causality_ast version from 0.1.2 to 0.1.3
  • Reordered relationships entries in the SBOM
+10/-10 
deep_causality_physics_sbom.spdx.json.sha
Update physics SBOM checksum hash                                               

deep_causality_physics/deep_causality_physics_sbom.spdx.json.sha

  • Updated SHA256 checksum hash for the physics SBOM file
+1/-1     
deep_causality_effects_sbom.spdx.json.sha
Update effects SBOM checksum hash                                               

deep_causality_effects/deep_causality_effects_sbom.spdx.json.sha

  • Updated SHA256 checksum hash for the effects SBOM file
+1/-1     
deep_causality_rand_sbom.spdx.json.sha
Update rand SBOM checksum hash                                                     

deep_causality_rand/deep_causality_rand_sbom.spdx.json.sha

  • Updated SHA256 checksum hash for the rand SBOM file
+1/-1     
deep_causality_metric_sbom.spdx.json.sha
Update metric SBOM checksum hash                                                 

deep_causality_metric/deep_causality_metric_sbom.spdx.json.sha

  • Updated SHA256 checksum hash for the metric SBOM file
+1/-1     
deep_causality_discovery_sbom.spdx.json.sha
Update discovery SBOM checksum hash                                           

deep_causality_discovery/deep_causality_discovery_sbom.spdx.json.sha

  • Updated SHA256 checksum hash for the discovery SBOM file
+1/-1     
deep_causality_ast_sbom.spdx.json.sha
Update AST SBOM checksum hash                                                       

deep_causality_ast/deep_causality_ast_sbom.spdx.json.sha

  • Updated SHA256 checksum hash for the AST SBOM file
+1/-1     
deep_causality_core_sbom.spdx.json.sha
Update core SBOM checksum hash                                                     

deep_causality_core/deep_causality_core_sbom.spdx.json.sha

  • Updated SHA256 checksum hash for the core SBOM file
+1/-1     
deep_causality_sbom.spdx.json.sha
Update main SBOM checksum hash                                                     

deep_causality/deep_causality_sbom.spdx.json.sha

  • Updated SHA256 checksum hash for the main SBOM file
+1/-1     
Additional files
1 files
deep_causality_discovery_sbom.spdx.json +1227/-1004

@marvin-hansen marvin-hansen self-assigned this Dec 31, 2025
@qodo-code-review
Contributor

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@marvin-hansen marvin-hansen merged commit 645cf70 into deepcausality-rs:main Dec 31, 2025
12 of 15 checks passed
@qodo-code-review
Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

Category    Suggestion    Impact
Security
Avoid dependency with restrictive GPL-3.0 license

The mach-sys dependency uses a GPL-3.0 license, which may create a license
compliance risk. Review its usage and consider replacing it with an alternative
that has a more permissive license.

deep_causality_discovery/deep_causality_discovery_sbom.spdx.json [338-352]

-{
-  "SPDXID": "SPDXRef-Package-mach-sys-0.5.4",
-  "description": "forked from original mach, and merge from mach2/machx. A Rust interface to the user-space API of the Mach 3.0 kernel that underlies OSX.",
-  "downloadLocation": "registry+https://github.com/rust-lang/crates.io-index",
-  "externalRefs": [
-    {
-      "referenceCategory": "PACKAGE-MANAGER",
-      "referenceLocator": "pkg:cargo/mach-sys@0.5.4",
-      "referenceType": "purl"
-    }
-  ],
-  "licenseConcluded": "GPL-3.0 OR Apache-2.0",
-  "licenseDeclared": "GPL-3.0 OR Apache-2.0",
-  "name": "mach-sys",
-  "versionInfo": "0.5.4"
-}
+// It is recommended to remove this dependency and find an alternative
+// with a more permissive license (e.g., MIT or Apache-2.0) to avoid
+// licensing conflicts with the project's MIT license.
+// If removal is not possible, a thorough legal review is required.
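
Review bot: the `licenseConcluded` value `"GPL-3.0 OR Apache-2.0"` is a disjunction, so a consumer may take mach-sys under Apache-2.0 alone and incurs no GPL obligation; the "critical" rating only holds if OR is read as AND. A license policy check should evaluate the SPDX expression (does at least one alternative lie entirely within the allow-list?) rather than grep for copyleft identifiers. Separately, the suggested `+` lines replace a JSON object with `//` comments, which would make the SBOM unparseable and desynchronise the `.sha` sidecar committed in this same PR. If the dependency really has to go, it goes from Cargo.toml/Cargo.lock and the SBOM is regenerated afterwards.
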

Suggestion importance[1-10]: 9

Why: The suggestion correctly identifies a critical license compliance risk by flagging the mach-sys dependency's GPL-3.0 license, which can conflict with a project using a permissive license like MIT.

High
Address critical license compliance risk

The mach-sys dependency uses a GPL-3.0 license, which may conflict with the
project's MIT license. Replace this dependency or consult legal counsel to
ensure license compliance.

deep_causality_physics/deep_causality_physics_sbom.spdx.json [833-848]

-{
-  "SPDXID": "SPDXRef-Package-mach-sys-0.5.4",
-  "description": "forked from original mach, and merge from mach2/machx. A Rust interface to the user-space API of the Mach 3.0 kernel that underlies OSX.",
-  "downloadLocation": "registry+https://github.com/rust-lang/crates.io-index",
-  "externalRefs": [
-    {
-      "referenceCategory": "PACKAGE-MANAGER",
-      "referenceLocator": "pkg:cargo/mach-sys@0.5.4",
-      "referenceType": "purl"
-    }
-  ],
-  "licenseConcluded": "GPL-3.0 OR Apache-2.0",
-  "licenseDeclared": "GPL-3.0 OR Apache-2.0",
-  "name": "mach-sys",
-  "versionInfo": "0.5.4"
-}
+// This suggestion does not involve a direct code change to the SBOM file,
+// as the file is correctly reporting the license information.
+// The required action is to address the underlying dependency issue,
+// which may involve removing or replacing the 'mach-sys' package
+// in the project's Cargo.toml file.
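
Review bot: same package entry as in the discovery SBOM above and the same answer: `GPL-3.0 OR Apache-2.0` lets the project choose Apache-2.0. The suggestion's own `+` lines concede that the SBOM "is correctly reporting the license information", so there is nothing to apply here. An SBOM records what Cargo.lock resolved; any change belongs upstream in the manifest, followed by regeneration so that deep_causality_physics_sbom.spdx.json.sha stays valid.
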
Suggestion importance[1-10]: 9

Why: The suggestion correctly identifies a critical license compliance risk by flagging the GPL-3.0 license of the mach-sys dependency in an MIT-licensed project, which could have significant legal implications.

High
Avoid dependency with copyleft LGPL license

The r-efi dependency includes an LGPL-2.1-or-later license, which has complex
compliance requirements. Verify that the project's usage complies with the LGPL
or replace the dependency.

deep_causality_discovery/deep_causality_discovery_sbom.spdx.json [738-754]

-{
-  "SPDXID": "SPDXRef-Package-r-efi-5.3.0",
-  "description": "UEFI Reference Specification Protocol Constants and Definitions",
-  "downloadLocation": "registry+https://github.com/rust-lang/crates.io-index",
-  "externalRefs": [
-    {
-      "referenceCategory": "PACKAGE-MANAGER",
-      "referenceLocator": "pkg:cargo/r-efi@5.3.0",
-      "referenceType": "purl"
-    }
-  ],
-  "homepage": "https://github.com/r-efi/r-efi/wiki",
-  "licenseConcluded": "MIT OR Apache-2.0 OR LGPL-2.1-or-later",
-  "licenseDeclared": "MIT OR Apache-2.0 OR LGPL-2.1-or-later",
-  "name": "r-efi",
-  "versionInfo": "5.3.0"
-}
+// It is recommended to replace this dependency with one that uses a
+// more permissive license (e.g., MIT or Apache-2.0) to avoid the
+// compliance complexities of the LGPL license. If this dependency is
+// essential, ensure your project complies with all LGPL requirements.
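
Review bot: `MIT OR Apache-2.0 OR LGPL-2.1-or-later` is again a choice of license, and MIT is one of the options, so the LGPL terms do not bind a consumer that selects MIT; no compliance action is required. If the intent is to enforce an allow-list automatically, encode it in a tool that understands SPDX expressions (cargo-deny's `licenses` check does) and run it against Cargo.lock in CI, rather than acting on per-package suggestions against generated files.
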
Suggestion importance[1-10]: 8

Why: This suggestion correctly points out a significant license compliance concern with the r-efi dependency's LGPL-2.1-or-later license, which imposes obligations that may be incompatible with the project's goals.

Medium
High-level
Provide context for major dependency additions

The PR adds numerous new dependencies, such as mlx-rs and arrow, without
explaining their purpose. The PR description should be updated to justify these
additions and describe the new functionality they enable.

Examples:

deep_causality_discovery/deep_causality_discovery_sbom.spdx.json [28-1828]
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-wit-bindgen-0.46.0",
      "description": "Rust bindings generator and runtime support for WIT and the component model.\nUsed when compiling Rust programs to the component model.\n",
      "downloadLocation": "registry+https://github.com/rust-lang/crates.io-index",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:cargo/wit-bindgen@0.46.0",
          "referenceType": "purl"

 ... (clipped 1791 lines)
deep_causality_physics/deep_causality_physics_sbom.spdx.json [28-1858]
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-indexmap-2.12.1",
      "description": "A hash table with consistent order and fast iteration.",
      "downloadLocation": "registry+https://github.com/rust-lang/crates.io-index",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:cargo/indexmap@2.12.1",
          "referenceType": "purl"

 ... (clipped 1821 lines)

Solution Walkthrough:

Before:

PR Description:

### User description
Trigger auto release

### Description
- Updated Software Bill of Materials (SBOM) files...
- Bumped multiple package versions...
- Expanded dependency lists in several packages, particularly `deep_causality_physics` and `deep_causality_effects` with 50+ new package entries
- ...

After:

PR Description:

### User description
Trigger auto release for version X.Y.Z. 
This release introduces support for [New Feature], which requires integration with Apple's MLX framework and the Parquet file format.

### Description
- **New Dependencies**: Added `mlx-rs` for machine learning on Apple Silicon and `parquet` for efficient data storage. This resulted in the addition of their transitive dependencies, expanding the dependency list across several packages.
- **Version Bumps**: Bumped `deep_causality` to 0.13.0 to incorporate these new features.
- **SBOM Update**: Regenerated SBOM files to reflect the new dependency tree.
- ...
Suggestion importance[1-10]: 8

Why: The suggestion correctly identifies that a massive number of dependencies are added without justification, which is a critical issue for project maintenance, security, and complexity.

Medium
General
Enforce percent-encoding of '+'

Verify that the + character in the version for toml_edit is correctly
percent-encoded as %2B in its PURL string to ensure SPDX compliance.

deep_causality_discovery/deep_causality_discovery_sbom.spdx.json [232]

+"referenceLocator": "pkg:cargo/toml_edit@0.23.10%2Bspec-1.0.0",
 
-
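
Review bot: this hunk is a no-op: the `+` line is the locator already present at that position in the file, and the only `-` line is empty, so applying it changes nothing. The existing value is right: purl encodes a literal `+` in the version component as `%2B`, and `0.23.10%2Bspec-1.0.0` decodes to the Cargo version `0.23.10+spec-1.0.0`. This is worth keeping as a generator test (an unencoded `+` in any `referenceLocator` should fail SBOM generation), not as a manual edit.
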
Suggestion importance[1-10]: 7

Why: This suggestion correctly points out that the + character is already properly percent-encoded as %2B in the PURL, which is essential for SPDX compliance and tool compatibility. It serves as a useful verification of a correct implementation detail.

Medium
Set valid downloadLocation

Replace "downloadLocation": "NONE" with a valid URL for internal packages to
improve reproducibility and auditability.

deep_causality_effects/deep_causality_effects_sbom.spdx.json [77-85]

 {
   "SPDXID": "SPDXRef-Package-deep--causality--topology-0.2.4",
   "description": "Topological data structures for the DeepCausality project",
-  "downloadLocation": "NONE",
+  "downloadLocation": "registry+https://github.com/your-org/deep_causality_topology",
   ...
 }
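
Review bot: `NONE` is a legal SPDX `downloadLocation` value, and the suggestion's own rationale notes it is valid for local packages, so the entry is accurate. The replacement `registry+https://github.com/your-org/deep_causality_topology` is a placeholder that would put a fabricated location into a checksummed artifact; the `registry+` prefix elsewhere in these files resolves to `https://github.com/rust-lang/crates.io-index`, and a GitHub repository is not a Cargo registry. If a real location is wanted, have the generator emit the crates.io purl once the crate is published rather than hand-editing the file.
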

Suggestion importance[1-10]: 5

Why: The suggestion correctly points out that downloadLocation: NONE is not ideal, but it's a valid value for local packages, and changing it requires knowledge of the project's repository structure.

Low
Deduplicate license expressions

In the license fields for wit-bindgen, remove the duplicate "Apache-2.0" to
simplify the SPDX expression to "Apache-2.0 OR MIT".

deep_causality_discovery/deep_causality_discovery_sbom.spdx.json [41-42]

-"licenseConcluded": "Apache-2.0 OR Apache-2.0 OR MIT",
-"licenseDeclared": "Apache-2.0 OR Apache-2.0 OR MIT",
+"licenseConcluded": "Apache-2.0 OR MIT",
+"licenseDeclared": "Apache-2.0 OR MIT",
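
Review bot: `Apache-2.0 OR Apache-2.0 OR MIT` is a valid SPDX expression that is logically identical to `Apache-2.0 OR MIT`, so no consumer is misled. The duplication is a generator artefact (the identical expression appears in the physics SBOM entry below) and should be de-duplicated where the expression is built, not patched in two generated files whose sidecar checksums would then have to be recomputed.
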
Suggestion importance[1-10]: 3

Why: The suggestion correctly identifies a redundant license string in the SPDX file. While not functionally incorrect, fixing it improves the clarity and correctness of the license metadata.

Low
Remove duplicate license terms

In the licenseConcluded and licenseDeclared fields, remove the duplicate
"Apache-2.0" to simplify the license expression to "Apache-2.0 OR MIT".

deep_causality_physics_sbom.spdx.json [236-237]

-"licenseConcluded": "Apache-2.0 OR Apache-2.0 OR MIT",
-"licenseDeclared": "Apache-2.0 OR Apache-2.0 OR MIT",
+"licenseConcluded": "Apache-2.0 OR MIT",
+"licenseDeclared": "Apache-2.0 OR MIT",

Suggestion importance[1-10]: 3

Why: The suggestion correctly identifies a redundant license string, but its impact is low as the file is auto-generated and the change is purely cosmetic.

Low
Include version in namespace

Update the documentNamespace to include the package version 0.0.2 for better
identification of the SBOM.

deep_causality_effects/deep_causality_effects_sbom.spdx.json [10]

-"documentNamespace": "https://spdx.org/spdxdocs/deep_causality_effects-3e570f17-89dc-45ce-8de7-32a8dfe8c560",
+"documentNamespace": "https://spdx.org/spdxdocs/deep_causality_effects-0.0.2-3e570f17-89dc-45ce-8de7-32a8dfe8c560",
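
Review bot: SPDX only requires `documentNamespace` to be a URI unique to this document, which the embedded UUID already guarantees; adding `0.0.2` is a readability nicety. The file walkthrough lists "Regenerated document namespace UUID" for every SBOM in this PR, so the value is rewritten on each run and the change has to be made in the generator or it is lost at the next release.
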
Suggestion importance[1-10]: 3

Why: While including the version in the documentNamespace is a good practice for clarity, it is not a strict requirement of the SPDX specification, making this a minor style improvement.

Low
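
The suggestions above turn on three checks that are easy to get wrong by hand: whether a `.sha` sidecar still matches its SBOM, whether an SPDX `OR` expression actually leaves a permissive option open, and whether a purl version containing `+` is percent-encoded. The following Python script, added here as an example and not code from the deepcausality-rs project or its SBOM generator, runs those checks offline against a constructed miniature SPDX document whose license expressions and purls are copied from the entries quoted in this review. The `gpl-only-crate` and `plus-crate` packages are hypothetical additions that exercise the failure paths; the `.sha` sidecar is assumed to use sha256sum's `<hex>  <filename>` layout (the PR lists the files but not their contents); and only flat expressions without parentheses or `WITH` exceptions are parsed.

```python
"""Offline checks on an SPDX JSON SBOM: sidecar checksum, license policy, purl hygiene."""
import hashlib
import json
import re

# Constructed miniature SPDX document (not one of the project's files).
# The first four entries copy the license expressions and purls quoted in
# the review; gpl-only-crate and plus-crate are hypothetical packages that
# exist only to exercise the failure paths.
SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "mach-sys", "versionInfo": "0.5.4",
         "licenseConcluded": "GPL-3.0 OR Apache-2.0",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:cargo/mach-sys@0.5.4"}]},
        {"name": "r-efi", "versionInfo": "5.3.0",
         "licenseConcluded": "MIT OR Apache-2.0 OR LGPL-2.1-or-later",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:cargo/r-efi@5.3.0"}]},
        {"name": "wit-bindgen", "versionInfo": "0.46.0",
         "licenseConcluded": "Apache-2.0 OR Apache-2.0 OR MIT",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:cargo/wit-bindgen@0.46.0"}]},
        {"name": "toml_edit", "versionInfo": "0.23.10+spec-1.0.0",
         "licenseConcluded": "MIT OR Apache-2.0",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:cargo/toml_edit@0.23.10%2Bspec-1.0.0"}]},
        {"name": "gpl-only-crate", "versionInfo": "1.0.0",  # hypothetical
         "licenseConcluded": "GPL-3.0-only",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:cargo/gpl-only-crate@1.0.0"}]},
        {"name": "plus-crate", "versionInfo": "2.0.0+build.7",  # hypothetical
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:cargo/plus-crate@2.0.0+build.7"}]},
    ],
}, indent=2, sort_keys=True).encode()

# Licenses the policy accepts outright. An SPDX expression passes when at
# least one OR-alternative consists only of identifiers from this set.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unicode-3.0"}

UNKNOWN = ("NOASSERTION", "NONE")


def sidecar_for(sbom: bytes, filename: str) -> str:
    """Produce a sha256sum-style sidecar line; the '<hex>  <name>' layout is assumed."""
    return f"{hashlib.sha256(sbom).hexdigest()}  {filename}\n"


def verify_sidecar(sbom: bytes, sidecar: str) -> bool:
    """Recompute SHA-256 over the SBOM bytes and compare it with the sidecar's digest."""
    fields = sidecar.split()
    if not fields or not re.fullmatch(r"[0-9a-f]{64}", fields[0]):
        return False
    return hashlib.sha256(sbom).hexdigest() == fields[0]


def disjuncts(expression: str) -> list[list[str]]:
    """Split a flat SPDX expression into OR-alternatives, each a list of AND-terms.

    Parentheses and WITH exceptions are rejected rather than guessed at, so an
    expression this parser cannot read fails closed instead of passing.
    """
    if "(" in expression or " WITH " in expression:
        raise ValueError(f"unsupported SPDX expression: {expression!r}")
    return [[term.strip() for term in alt.split(" AND ")] for alt in expression.split(" OR ")]


def satisfies(expression: str, allowed: set[str]) -> bool:
    """True when the licensee can choose an alternative lying entirely within `allowed`."""
    return any(all(term in allowed for term in alt) for alt in disjuncts(expression))


def audit(sbom: bytes, allowed: set[str]) -> dict[str, list[str]]:
    """Return package names grouped by finding type (empty lists mean a clean SBOM)."""
    findings: dict[str, list[str]] = {
        "license_violation": [], "duplicate_term": [], "purl_unencoded_plus": []}
    for pkg in json.loads(sbom)["packages"]:
        name = f"{pkg['name']}@{pkg['versionInfo']}"
        expr = pkg.get("licenseConcluded", "NOASSERTION")
        unknown = expr in UNKNOWN
        # An absent or unasserted license is a violation, not a free pass.
        if unknown or not satisfies(expr, allowed):
            findings["license_violation"].append(name)
        terms = [] if unknown else [t for alt in disjuncts(expr) for t in alt]
        if len(terms) != len(set(terms)):
            findings["duplicate_term"].append(name)
        for ref in pkg.get("externalRefs", []):
            locator = ref.get("referenceLocator", "")
            # In a purl the version follows the last '@'; a literal '+' there must be %2B.
            if ref.get("referenceType") == "purl" and "+" in locator.rsplit("@", 1)[-1]:
                findings["purl_unencoded_plus"].append(name)
    return findings


if __name__ == "__main__":
    sidecar = sidecar_for(SBOM_JSON, "example_sbom.spdx.json")
    print("sidecar matches:", verify_sidecar(SBOM_JSON, sidecar))
    print("tampered copy matches:", verify_sidecar(SBOM_JSON + b"\n", sidecar))
    for kind, names in audit(SBOM_JSON, ALLOWED).items():
        print(f"{kind}: {names or 'none'}")
```

Evaluating `satisfies` per OR-alternative is what makes `GPL-3.0 OR Apache-2.0` and `MIT OR Apache-2.0 OR LGPL-2.1-or-later` pass while `GPL-3.0-only` fails, which is the distinction the two high-importance suggestions above miss. Unparseable expressions raise instead of passing, so a parenthesised or `WITH` expression fails closed, and an edited SBOM whose sidecar was not regenerated is caught by `verify_sidecar` before any policy result is trusted.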
