chore(deps): bump google-github-actions/auth from 2.1.13 to 3.0.0 #61
Open
dependabot[bot] wants to merge 1 commit into
Labels
The following labels could not be found: Please fix the above issues or remove invalid values from
a66cbb4 to 7e3356f
jalaliamirreza added a commit that referenced this pull request May 25, 2026

claude-review on PR #120 flagged 4 categories. Three of the four "API facts will break implementation" findings were **wrong** — the bot misread graphiti-core 0.29:

- `expired_at` IS a field on EntityEdge (edges.py:271, with `valid_at` and `invalid_at` neighbours).
- `.save(driver)` IS a real method on EntityNode/EntityEdge/EpisodicNode (their abstract base `Node`/`Edge` declares it; concrete classes implement it with MERGE-by-uuid Cypher).
- `EDGE_HYBRID_SEARCH_RRF` IS exported from search/search_config_recipes.py:111.
- `SearchFilters` IS defined at search/search_filters.py:55.

Citations live in the PR comment reply.

The remaining findings were real:

1. **§4.2 line 133: `graphiti._search` (deprecated) contradicted §1.2 line 30 (`search_`).** Round-1 missed line 133. Now consistent: `search_` everywhere, plus the security note that `property_filters` for `workspace_id` are server-injected from authenticated context, never client-supplied.
2. **§1.2 dead anchor `./PLAN-v1.md#patterns--gotchas`** — that content lives in project memory (`~/.claude/projects/-home-arctux-mayia/memory/`), not in PLAN-v1.md. Fixed.
3. **§3 repo-layout missed apps/server/'s tree proxy modules** — Flow B PR #80 shipped `src/modules/{tree,entities,sub-entities,matters}` in apps/server/. They proxy to apps/memory/'s tree.py. v2 deleting the upstream without the proxies would 502 every gateway request. Now explicitly listed for lockstep deletion.
4. **§6 carry-forward gaps** — bot caught missing rows:
   - v1 §8.6 "Critical seams" (`test_the_big_one.py` catch-fire rule; primary mitigation for cross-org leak under v2's `group_id` fence).
   - v1 §4.3 "ACL enforcement layers" (`with_org_scope` Python dep + `requireOrgMember` middleware + CI grep gate). The grep gate is what makes "Graphiti is the only writer" a guarantee, not just a convention.
5. **§6 line 244 dead anchor `#61-phase-0--1`** — v1 has §6 (heading) §6.2 §6.3 §6.4 only; no §6.1. Phase 0/1 status lives in §6 intro bullets. Pointer corrected.
6. **§5 Step 4 silence on consent + quota + PII hashing** — v1 §6.2 B3-a landed a `consent_acknowledgments` table with `import` + `observer` scopes (GDPR Art. 6 lawful basis). v2 was silent. Step 4 preview now explicitly cites: consent gate, quota gate (item 9 promoted), HMAC-keyed IP hashing.
7. **§5 Step 6 (fact edit) — clarification** that `expired_at` + `invalid_at` live on graphiti-core 0.29's `EntityEdge` Pydantic model with line citations, in response to the bot's (wrong) claim that `expired_at` doesn't exist.
8. **§7 item 9 (quota)** — promoted from "revisit when Step 4 lands" to "designed before Step 4 lands". Otherwise observation loop ships with an unbounded financial-liability bug.
9. **Vertex billing prerequisite** — v1 §9 said cannot accept paying customers on AI Studio. Already satisfied by PR #109 (closed 2026-05-22), but v2 was silent. Now documented in Step 4+ preview.
jalaliamirreza added a commit that referenced this pull request May 25, 2026

* docs(plan): rewrite as v2.0; archive v1 as plan/PLAN-v1.md

Three architectural decisions land in PLAN.md v2:

1. **Drop the 4-layer vault model.** Workspace becomes the only vault concept (Postgres, ACL boundary). Entity/SubEntity/Matter collapse into Graphiti's native graph — no more raw-Cypher tree CRUD.
2. **Graphiti is the only application layer writing to Neo4j.** add_episode for LLM extraction, EntityNode/EntityEdge .save() for deterministic writes. /facts/manual + the :SUPERSEDES dance disappear in favour of Graphiti's bi-temporal model (valid_at / invalid_at / expired_at + new edge).
3. **Webapp (mayia.app) is the front door.** Extension is one of N gateways (future CLI/desktop/API). Identity = Firebase only; gateways auth via our OAuth 2.0 + PKCE wrapper on apps/server (single 'mayia' scope, access + refresh tokens, per-gateway client_id).

Step 0 (webapp + auth) and Step 1 (org creation + onboarding splash) are locked. Subsequent steps TBD.

v1 preserved at plan/PLAN-v1.md as the authoritative record of how we got here; carries forward unchanged (referenced from v2 §6) the sections on CI/CD pipeline, TDD §8.1 lifecycle, test pyramid, coverage gates, risk register, definitions of done, and the closed Flow A/B/C work (PRs #102, #103, #104, #105, #106, #108).

* docs(plan): apply review fix-ups (round 1)

Round-1 reviewer findings addressed:

- graphiti._search() is deprecated in graphiti-core 0.29.x; v2 §1.2 now uses graphiti.search_() (the supported form). Catch from comment-analyzer — would have landed Step 0 on a deprecated API. Note added inline so future readers don't relapse.
- §3 repo-layout said apps/server/ "removes /tree/* (moved to webapp where applicable)" — misleading, since /tree/* lives in apps/memory/, not apps/server/. Corrected; deletion now correctly attributed to apps/memory/routers/tree.py.
- :SUPERSEDES dance reference was unanchored — future maintainers wouldn't know what was being replaced. Now cross-references PR #105 (Flow C PR-A1)'s update_fact Cypher explicitly.
- §1.2 also notes the swap resolves the pattern_search_nodes_vs_edges gotcha (PLAN-v1 §Patterns) — once /facts/manual is gone, no :Fact nodes to bridge via UNION; the edge-only path becomes coherent.
- §5 Step 0 deliverable 7 (PR #102 migration) — added concrete cutover trigger: "extension PKCE client landed AND app-staging smoke green for 24h on the new path". Coexistence window now has an exit criterion instead of "until fully replaced".
- §7 Apple sign-in — reframed from "Phase 8+" to "post-Step-8" since v2 abandoned the v1 phase numbering scheme. Doc-rot fix.

Deferred to follow-up plan PRs or absorbed into Step 0 PR descriptions: the deeper security/architect findings (state CSRF binding, public-client explicit, branded GroupId fence, workspace_id stamping contract, defense-layer rewrite, audit-log scope, rate limiting). Each is documented in this PR's description as an open thread.

* docs(plan): apply round-2 bot review fix-ups

claude-review on PR #120 flagged 4 categories. Three of the four "API facts will break implementation" findings were **wrong** — the bot misread graphiti-core 0.29:

- `expired_at` IS a field on EntityEdge (edges.py:271, with `valid_at` and `invalid_at` neighbours).
- `.save(driver)` IS a real method on EntityNode/EntityEdge/EpisodicNode (their abstract base `Node`/`Edge` declares it; concrete classes implement it with MERGE-by-uuid Cypher).
- `EDGE_HYBRID_SEARCH_RRF` IS exported from search/search_config_recipes.py:111.
- `SearchFilters` IS defined at search/search_filters.py:55.

Citations live in the PR comment reply.

The remaining findings were real:

1. **§4.2 line 133: `graphiti._search` (deprecated) contradicted §1.2 line 30 (`search_`).** Round-1 missed line 133. Now consistent: `search_` everywhere, plus the security note that `property_filters` for `workspace_id` are server-injected from authenticated context, never client-supplied.
2. **§1.2 dead anchor `./PLAN-v1.md#patterns--gotchas`** — that content lives in project memory (`~/.claude/projects/-home-arctux-mayia/memory/`), not in PLAN-v1.md. Fixed.
3. **§3 repo-layout missed apps/server/'s tree proxy modules** — Flow B PR #80 shipped `src/modules/{tree,entities,sub-entities,matters}` in apps/server/. They proxy to apps/memory/'s tree.py. v2 deleting the upstream without the proxies would 502 every gateway request. Now explicitly listed for lockstep deletion.
4. **§6 carry-forward gaps** — bot caught missing rows:
   - v1 §8.6 "Critical seams" (`test_the_big_one.py` catch-fire rule; primary mitigation for cross-org leak under v2's `group_id` fence).
   - v1 §4.3 "ACL enforcement layers" (`with_org_scope` Python dep + `requireOrgMember` middleware + CI grep gate). The grep gate is what makes "Graphiti is the only writer" a guarantee, not just a convention.
5. **§6 line 244 dead anchor `#61-phase-0--1`** — v1 has §6 (heading) §6.2 §6.3 §6.4 only; no §6.1. Phase 0/1 status lives in §6 intro bullets. Pointer corrected.
6. **§5 Step 4 silence on consent + quota + PII hashing** — v1 §6.2 B3-a landed a `consent_acknowledgments` table with `import` + `observer` scopes (GDPR Art. 6 lawful basis). v2 was silent. Step 4 preview now explicitly cites: consent gate, quota gate (item 9 promoted), HMAC-keyed IP hashing.
7. **§5 Step 6 (fact edit) — clarification** that `expired_at` + `invalid_at` live on graphiti-core 0.29's `EntityEdge` Pydantic model with line citations, in response to the bot's (wrong) claim that `expired_at` doesn't exist.
8. **§7 item 9 (quota)** — promoted from "revisit when Step 4 lands" to "designed before Step 4 lands". Otherwise observation loop ships with an unbounded financial-liability bug.
9. **Vertex billing prerequisite** — v1 §9 said cannot accept paying customers on AI Studio. Already satisfied by PR #109 (closed 2026-05-22), but v2 was silent. Now documented in Step 4+ preview.
7e3356f to cd478a6
Deploying mayia-staging with
| Latest commit: | 43c60c4 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://d5b1597e.mayia-staging.pages.dev |
| Branch Preview URL: | https://dependabot-github-actions-go.mayia-staging.pages.dev |
1d9f4f2 to d78a5a6
4419e2d to 50a62d9
Bumps [google-github-actions/auth](https://github.com/google-github-actions/auth) from 2.1.13 to 3.0.0.
- [Release notes](https://github.com/google-github-actions/auth/releases)
- [Commits](google-github-actions/auth@v2.1.13...v3)

---
updated-dependencies:
- dependency-name: google-github-actions/auth
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
50a62d9 to 43c60c4
Bumps google-github-actions/auth from 2.1.13 to 3.0.0.
Release notes
Sourced from google-github-actions/auth's releases.
Commits
- 7c6bc77 Release: v3.0.0 (#510)
- 42e4997 Remove hacky script (#509)
- 5ea4dc1 Bump to Node 24 and remove old parameters (#508)