Update UK release bundle to data 1.53.0

[anth-volk]

Fixes #343

Summary

This PR updates the bundled UK release contract to a TRO-compatible release pair:

• policyengine-uk==2.88.6
• policyengine-uk-data==1.53.0

It records the certified enhanced_frs_2023_24 artifact SHA and data build fingerprint in the UK manifest, updates the package pins and lockfile, refreshes tests, and adds the generated bundled TRACE TRO sidecars.

It also fixes refresh_release_bundle so future refreshes use release_manifest.json from the target data release when available. That prevents stale certification metadata, including built_with_model_version, from being carried forward after data/model bumps.

Current release-version behavior

The generated manifest/TRO files in this PR still show the current checked-in policyengine.py version, 4.3.1. That is an inconsistency in the current .py release workflow, not the final published identity for this change: after this merges, the Versioning workflow runs Towncrier, bumps pyproject.toml, syncs policyengine_version and bundle_id in the bundled manifests, regenerates the TRO sidecars, and commits those release artifacts before the package is published.

The forthcoming policyengine-bundles system should avoid this inconsistency by making the bundle version/digest the canonical certified artifact first. A .py release would then point to an already-published bundle version/digest rather than generating provisional pre-release TROs that are later rewritten by .py versioning.

UK validation requested

@vahid-ahmadi please confirm whether this policyengine-uk==2.88.6 / policyengine-uk-data==1.53.0 combination is valid and should be user-facing as the bundled UK runtime pair.

Verification

• uv run --extra dev pytest tests/test_bundle_refresh.py
• uv run --extra dev pytest tests/test_release_manifests.py tests/test_trace_tro.py
• ruff format --check .
• ruff check .

Notes

This is a stopgap update for the current .py release path. It does not replace the broader cross-repository bundle/orchestrator plan.

[anth-volk]

@vahid-ahmadi requested your review here. The main thing to confirm is whether policyengine-uk==2.88.6 with policyengine-uk-data==1.53.0 is a valid UK runtime pair and should be user-facing as the bundled UK default.

[anth-volk]

Blocked on PolicyEngine/policyengine-uk#1666

[MaxGhenis]

Update after merging/releasing the UK Marriage Allowance fix: policyengine-uk==2.88.14 is now on PyPI and fixes the raw child Marriage Allowance scenario, but it is not enough to safely update this PR.\n\nI tested bumping this branch locally from 2.88.6 to 2.88.14. Import fails before the snapshot test with:\n\nValueError: Runtime data build fingerprint does not match the bundled data certification.\n\nThat is the certification guard doing the right thing. The new UK package reports data_build_fingerprint sha256:dff5c5bb976ce254fa965ecfce6a0d84859fe1629a714ae28a79b3075522a0ae, while this PR bundle currently certifies data 1.53.0 with sha256:535d2fd64f9e2b2aa9991e5a5d65be25bdd126f18858682533789f5c7e467782.\n\nSo the next safe step is data-side: publish/finalize a UK 1.53.0 release manifest that explicitly certifies compatibility with policyengine-uk==2.88.14, or regenerate the UK data release with 2.88.14. PR PolicyEngine/policyengine-uk-data#397 is now merged, so the manifest finalization path has the strict bundle fields needed for that. I did not push the local 2.88.14 bump because doing so would require weakening or falsifying the bundled certification.

[vahid-ahmadi]

Edited: my earlier code-side push (97c0bb4) has been reverted (0b4b7be) and the analysis below is updated. After diffing against main, both halves of this PR have been independently overtaken on main, so the bundle.py fix I contributed is no longer load-bearing.

Where main stands today

Field	This PR	main
policyengine-uk	2.88.6	2.88.20
policyengine-uk-data	1.53.0	1.55.10
policyengine-us	1.687.0	1.700.0
policyengine_core	>=3.25.0	==3.26.1

main's UK pair is well past the 2.88.14 cutoff that fixes policyengine-uk#1666 (children receiving Marriage Allowance / income tax), so @MaxGhenis's original blocker is now resolved at HEAD.

bundle.py direction has also landed on main separately

main has implemented the "use the data release manifest as the source of build provenance" idea on its own track (_fetch_data_release_manifest returning _DataReleaseManifestFetch with x-repo-commit header capture and a main-revision fallback for repos that don't tag every data version). The drift is 461 lines on bundle.py alone, and the two implementations are alternative designs of the same feature rather than something that can be mechanically merged.

Validation answer to your original ask

policyengine-uk==2.88.6 + policyengine-uk-data==1.53.0 is not the pair to ship — CI on this branch still fails test_uk_household_snapshot[uk_couple_two_kids] with the children-income-tax regression. But that's now moot: main is at 2.88.20 / 1.55.10, which is the right user-facing pair.

Status

• 🔁 My code contribution to this PR has been reverted (0b4b7be) — main's bundle.py already covers the same ground.
• ❌ The pin bump in this PR is superseded by main.
• ⚠️ Merge conflicts remain (pyproject.toml, uk.json, both .trace.tro.jsonld files, bundle.py, four test files, uv.lock); resolving them mechanically would produce a no-op since every conflict resolves to "take main".

Happy to revisit if there's a unique idea here you still want to land — otherwise this PR is effectively a no-op vs. main.

🤖 Generated with Claude Code

[vahid-ahmadi]

pls see my comment