Merge branch 'main' into dependabot/github_actions/actions/upload-artifact-5

Author: lbedner

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
     - uses: actions/checkout@v5
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@v7
       with:
         enable-cache: true
         cache-dependency-glob: "uv.lock"
@@ -33,7 +33,7 @@ jobs:
     - uses: actions/checkout@v5
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@v7
       with:
         enable-cache: true
         cache-dependency-glob: "uv.lock"
@@ -53,7 +53,7 @@ jobs:
     - uses: actions/checkout@v5
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@v7
       with:
         enable-cache: true
         cache-dependency-glob: "uv.lock"
@@ -73,7 +73,7 @@ jobs:
     - uses: actions/checkout@v5
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@v7
       with:
         enable-cache: true
 
@@ -85,13 +85,13 @@ jobs:
 
     - name: Test project creation with uvx aegis
       run: |
-        uvx --from . aegis init test-uvx-aegis --no-interactive --yes --force
+        uvx --from . aegis init test-uvx-aegis --to-version HEAD --no-interactive --yes --force
         test -d test-uvx-aegis
         test -f test-uvx-aegis/pyproject.toml
-    
+
     - name: Test project creation with uvx aegis-stack
       run: |
-        uvx --from . aegis-stack init test-uvx-aegis-stack --no-interactive --yes --force
+        uvx --from . aegis-stack init test-uvx-aegis-stack --to-version HEAD --no-interactive --yes --force
         test -d test-uvx-aegis-stack
         test -f test-uvx-aegis-stack/pyproject.toml
     
@@ -101,56 +101,3 @@ jobs:
         test -d app/components/backend
         test -d app/components/frontend
         test -f app/entrypoints/webserver.py
-
-  template-parity:
-    runs-on: ubuntu-latest
-    continue-on-error: true  # Non-blocking until Copier template is fixed
-    steps:
-    - uses: actions/checkout@v5
-
-    - name: Install uv
-      uses: astral-sh/setup-uv@v6
-      with:
-        enable-cache: true
-        cache-dependency-glob: "uv.lock"
-
-    - name: Set up Python
-      run: uv python install 3.11
-
-    - name: Install dependencies
-      run: uv sync --all-extras
-
-    - name: Run template parity tests
-      run: uv run pytest tests/test_template_parity.py -v
-      # Note: Tests are currently skipped (@pytest.mark.skip) because Copier
-      # template needs conditional _exclude patterns added. This job validates
-      # the CI infrastructure is ready. Once Copier template is fixed, remove
-      # the skip decorator and this will become an active validation step.
-
-  test-template-engines:
-    runs-on: ubuntu-latest
-    continue-on-error: true  # Non-blocking until Copier template is fixed
-    strategy:
-      fail-fast: false  # Let both engines complete even if one fails
-      matrix:
-        engine: [cookiecutter, copier]
-    steps:
-    - uses: actions/checkout@v5
-
-    - name: Install uv
-      uses: astral-sh/setup-uv@v6
-      with:
-        enable-cache: true
-        cache-dependency-glob: "uv.lock"
-
-    - name: Set up Python
-      run: uv python install 3.11
-
-    - name: Install dependencies
-      run: uv sync --all-extras
-
-    - name: Run tests with ${{ matrix.engine }} engine (fast tests)
-      run: uv run pytest -v -m "not slow" --engine=${{ matrix.engine }}
-      # Note: Copier tests will be skipped via skip_copier_tests fixture until
-      # template is fixed (ticket #128). This validates the test infrastructure.
-

.github/workflows/docs.yml

@@ -21,7 +21,7 @@ jobs:
         git config user.email 41898282+github-actions[bot]@users.noreply.github.com
     
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@v7
       with:
         enable-cache: true
         cache-dependency-glob: "uv.lock"

.github/workflows/release.yml

@@ -12,15 +12,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v5
+        uses: astral-sh/setup-uv@v7
         with:
           enable-cache: true
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.11"
 
@@ -102,7 +102,7 @@ jobs:
       url: https://pypi.org/project/aegis-stack/
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Download distribution artifacts
         uses: actions/download-artifact@v4

.github/workflows/security.yml

@@ -22,15 +22,15 @@ jobs:
       uses: actions/checkout@v5
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: python
 
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
 
   audit:
     name: Security Audit
@@ -39,7 +39,7 @@ jobs:
     - uses: actions/checkout@v5
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v6
+      uses: astral-sh/setup-uv@v7
       with:
         enable-cache: true
         cache-dependency-glob: "uv.lock"
@@ -52,8 +52,12 @@ jobs:
 
     - name: Run security audit
       run: |
-        # Ignoring GHSA-4xh5-x5gv-qwph: pip 25.2 symlink traversal vulnerability
+        # Ignoring pip 25.2 vulnerabilities (uv manages pip, not user-facing)
         # Risk: Low - only affects installation of malicious packages from untrusted sources
         # Mitigation: All packages installed from trusted PyPI with uv.lock verification
-        # Resolution: Will be fixed in pip 25.3 (not yet released)
-        uv run pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph
+        uv run pip-audit \
+          --ignore-vuln GHSA-4xh5-x5gv-qwph \
+          --ignore-vuln GHSA-6vgw-5pg2-w6jp \
+          --ignore-vuln GHSA-58qw-9mgm-455v \
+          --ignore-vuln ECHO-ffe1-1d3c-d9bc \
+          --ignore-vuln ECHO-7db2-03aa-5591

.github/workflows/stack-matrix.yml

@@ -0,0 +1,51 @@
+name: Stack Matrix
+
+# Runs the full 13-stack generate → install → lint → typecheck → pytest
+# pipeline. This is the slow tier — gated off the default ``ci.yml`` run so
+# day-to-day PRs stay fast, but it fires on any PR touching template or
+# core-engine code (where drift lands) and nightly to catch anything that
+# merged without touching a gated path.
+
+on:
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'aegis/templates/**'
+      - 'aegis/core/**'
+      - 'aegis/cli/**'
+      - 'tests/cli/**'
+      - 'pyproject.toml'
+      - 'uv.lock'
+      - '.github/workflows/stack-matrix.yml'
+  schedule:
+    # 07:00 UTC daily — catches drift merged via PRs that didn't match the
+    # path filter above (e.g. docs-only PRs that inadvertently move a
+    # template Jinja file).
+    - cron: '0 7 * * *'
+  workflow_dispatch: {}
+
+concurrency:
+  group: stack-matrix-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  stack-matrix:
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Set up Python
+        run: uv python install 3.11
+
+      - name: Install dependencies
+        run: uv sync --all-extras
+
+      - name: Run full stack matrix
+        run: make test-stacks-full

.gitignore

@@ -133,4 +133,13 @@ Thumbs.db
 data/
 
 # Demos
-demos/recordings
+demos/recordings
+
+# Claude Stuff
+.claude/settings.json
+
+# Typical generated stack folders
+my-app/
+
+# Translation review artifacts
+aegis_*_review.csv