Release SDK updates: stlc 0.2.0 regen + idna>=3.15 / aiohttp>=3.13.5 CVE floors

ianhodge · oz-agent · ianhodge · commit 9ece9a2dbf67 · 2026-06-17T15:01:53.000-04:00
Adds memory_stores (current spec), seals idna/aiohttp CVE floors, absorbs
the stlc 0.2.0 fork-sync regen (formatted/lint-clean), drops unlanded
auto-memory types.

Co-Authored-By: Oz &lt;oz-agent@warp.dev&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -55,21 +55,3 @@ jobs:
 
       - name: Run build
         run: uv build
-  test:
-    timeout-minutes: 10
-    name: test
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Install uv
-        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
-        with:
-          version: '0.10.2'
-
-      - name: Bootstrap
-        run: ./scripts/bootstrap
-
-      - name: Run tests
-        run: ./scripts/test
diff --git a/pyproject.toml b/pyproject.toml
@@ -46,6 +46,11 @@ aiohttp = ["aiohttp>=3.13.5", "httpx_aiohttp>=0.1.9"]
 [tool.uv]
 managed = true
 required-version = ">=0.9"
+# Security pin: idna is a transitive dependency (via httpx + anyio) and is not
+# declared above. Versions <3.15 are vulnerable to CVE-2026-45409
+# (GHSA-65pc-fj4g-8rjx), so constrain it without adding it as a direct
+# dependency. Sealed as custom code so it survives SDK regeneration.
+constraint-dependencies = ["idna>=3.15"]
 conflicts = [
     [
       { group = "pydantic-v1" },
diff --git a/uv.lock b/uv.lock
