Merge branch 'main' into chore/pysdk-000-claude-doc-review

Author: helmut-hoffer-von-ankershoffen

.github/CLAUDE.md

@@ -70,7 +70,7 @@ The Aignostics Python SDK uses a **sophisticated multi-stage CI/CD pipeline** bu
 
 | Workflow | Triggers | Purpose | Calls |
 |----------|----------|---------|-------|
-| **ci-cd.yml** | push(main), PR, release, tag | Main CI/CD pipeline | _lint, _audit, _test, _codeql, _ketryx, _package-publish, _docker-publish |
+| **ci-cd.yml** | push(main), PR, release, tag | Main CI/CD pipeline | _lint,_audit, _test,_codeql, _ketryx,_package-publish, _docker-publish |
 | **build-native-only.yml** | push, PR, release (if msg contains `build:native:only`) | Native executable builds | _build-native-only |
 | **claude-code-interactive.yml** | workflow_dispatch (manual) | Manual Claude sessions | _claude-code (interactive) |
 | **claude-code-automation-pr-review.yml** | PR opened/sync (excludes bots) | Automated PR reviews | _claude-code (automation) |
@@ -334,30 +334,32 @@ uv run pytest -m "(scheduled or scheduled_only)" -v
 1. Unit Tests (3 min)
    ├─ Python 3.11 ─┐
    ├─ Python 3.12 ─┼─ Parallel execution
-   └─ Python 3.13 ─┘
+   ├─ Python 3.13 ─┤
+   └─ Python 3.14 ─┘
 
 2. Integration Tests (5 min)
    ├─ Python 3.11 ─┐
    ├─ Python 3.12 ─┼─ Parallel execution
-   └─ Python 3.13 ─┘
+   ├─ Python 3.13 ─┤
+   └─ Python 3.14 ─┘
 
 3. E2E Regular (7 min)
    ├─ Python 3.11 ─┐
    ├─ Python 3.12 ─┼─ Parallel execution
-   └─ Python 3.13 ─┘
+   ├─ Python 3.13 ─┤
+   └─ Python 3.14 ─┘
 
 4. Long Running (if not skipped)
-   └─ Python 3.13 only (single version)
+   └─ Python 3.14 only (single version)
 
 5. Very Long Running (if explicitly enabled)
-   └─ Python 3.13 only (single version)
+   └─ Python 3.14 only (single version)
 ```
 
 **Matrix Testing**:
 
-* Unit, Integration, E2E run on **all 3 Python versions** (3.11, 3.12, 3.13)
-* Long running and very long running run on **Python 3.13 only** to save CI time
-* Windows ARM excludes Python 3.12.12 due to instability
+* Unit, Integration, E2E run on **all four Python versions** (3.11, 3.12, 3.13, 3.14)
+* Long running and very long running run on **Python 3.14 only** to save CI time
 
 ### Skip Markers System
 
@@ -509,7 +511,6 @@ Claude Code is integrated into the CI/CD pipeline for:
 # Inputs:
 #   - prompt: "Your task description"
 #   - max_turns: 200 (default)
-#   - platform_environment: staging (default) or production
 ```
 
 #### 2. Automation Mode
@@ -526,21 +527,20 @@ Claude Code is integrated into the CI/CD pipeline for:
 **Inputs**:
 
 ```yaml
-platform_environment: 'staging' | 'production'  # Default: staging
 mode: 'interactive' | 'automation'               # Required
 prompt: 'string'                                 # For automation mode
 max_turns: '200'                                 # Default: 200
 allowed_tools: 'comma,separated,list'            # Default: Read,Write,Edit,Glob,Grep,Bash(git:*),Bash(uv:*),Bash(make:*)
 ```
 
-**Environment Setup** (same as test environment):
+**Environment Setup**:
 
 1. Installs `uv` package manager
 2. Installs dev tools (`.github/workflows/_install_dev_tools.bash`)
 3. Syncs Python dependencies (`uv sync --all-extras`)
 4. Sets up headless display (for GUI tests)
-5. Creates `.env` with Aignostics credentials (staging or production)
-6. Configures GCP credentials for bucket access
+
+**Note**: Claude Code workflows intentionally do NOT have access to Aignostics platform credentials or GCP credentials to prevent accidental credential leakage.
 
 **Claude Configuration**:
 
@@ -555,10 +555,7 @@ claude \
 
 **Secrets Required**:
 
-* `ANTHROPIC_API_KEY` - For Claude Code
-* `AIGNOSTICS_CLIENT_ID_DEVICE_{STAGING|PRODUCTION}`
-* `AIGNOSTICS_REFRESH_TOKEN_{STAGING|PRODUCTION}`
-* `GCP_CREDENTIALS_{STAGING|PRODUCTION}`
+* `ANTHROPIC_API_KEY` - For Claude Code (only secret available to Claude Code workflows)
 
 ### Automated PR Review (claude-code-automation-pr-review.yml)
 
@@ -600,7 +597,6 @@ and adherence to CLAUDE.md guidelines.
 
 * `prompt`: What you want Claude to work on
 * `max_turns`: How many iterations (default 200)
-* `platform_environment`: staging (default) or production
 
 **Example Use Cases**:
 
@@ -618,16 +614,15 @@ and adherence to CLAUDE.md guidelines.
 * ✅ Use `--system-prompt` referencing CLAUDE.md
 * ✅ Limit tool access (`--allowed-tools`)
 * ✅ Set reasonable `--max-turns`
-* ✅ Use staging environment for development
 * ✅ Review Claude's changes before merging
 * ✅ Let Claude explore workflows and test strategies
 
 **DON'T**:
 
 * ❌ Grant unrestricted tool access
 * ❌ Skip CLAUDE.md system prompt
-* ❌ Test against production without approval
 * ❌ Merge without human review
+* ❌ Add platform/GCP credentials to Claude Code workflows (security risk)
 
 ## Scheduled Jobs
 
@@ -1013,14 +1008,18 @@ make dist_native
 
 1. Ensure `main` branch is clean and all tests pass
 2. Run version bump:
+
    ```bash
    make bump patch  # or minor, major
    ```
+
 3. This creates a commit and git tag
 4. Push with tags:
+
    ```bash
    git push --follow-tags
    ```
+
 5. CI detects tag and triggers:
    * Full CI pipeline (lint, audit, test, CodeQL)
    * Package build and publish to PyPI

.github/copilot-instructions.md

@@ -77,7 +77,7 @@ CLI and GUI layers depend on Service layer, never on each other.
 make install          # Install dev deps + pre-commit hooks
 make all             # Full CI pipeline (lint, test, docs, audit)
 make test            # Run tests with coverage (85% minimum)
-make test 3.12       # Run on specific Python version
+make test 3.14       # Run on specific Python version
 make lint            # Ruff formatting + MyPy type checking
 ```
 

.github/workflows/_audit.yml

@@ -13,7 +13,7 @@ jobs:
       packages: read
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 

.github/workflows/_build-native-only.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 

.github/workflows/_claude-code.yml

@@ -3,11 +3,6 @@ name: "> Claude Code"
 on:
   workflow_call:
     inputs:
-      platform_environment:
-        description: 'Environment to use, that is staging or production'
-        required: false
-        default: 'staging'
-        type: string
       mode:
         description: 'Mode: interactive or automation'
         required: true
@@ -31,21 +26,14 @@ on:
         required: false
         default: true
         type: boolean
+      use_sticky_comment:
+        description: 'Use just one comment to deliver PR comments (only applies for pull_request event workflows)'
+        required: false
+        default: false
+        type: boolean
     secrets:
       ANTHROPIC_API_KEY:
         required: true
-      AIGNOSTICS_CLIENT_ID_DEVICE_STAGING:
-        required: false
-      AIGNOSTICS_REFRESH_TOKEN_STAGING:
-        required: false
-      GCP_CREDENTIALS_STAGING:
-        required: false
-      AIGNOSTICS_CLIENT_ID_DEVICE_PRODUCTION:
-        required: false
-      AIGNOSTICS_REFRESH_TOKEN_PRODUCTION:
-        required: false
-      GCP_CREDENTIALS_PRODUCTION:
-        required: false
 
 jobs:
   claude-code:
@@ -58,7 +46,7 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: ${{ inputs.mode == 'interactive' && 0 || 1 }}
 
@@ -80,23 +68,6 @@ jobs:
       - name: Setup display
         uses: pyvista/setup-headless-display-action@7d84ae825e6d9297a8e99bdbbae20d1b919a0b19 # v4.2
 
-      - name: Create .env file
-        uses: SpicyPizza/create-envfile@ace6d4f5d7802b600276c23ca417e669f1a06f6f # v2.0.3
-        with:
-          # The following 3 lines are correct even if vscode complains
-          envkey_AIGNOSTICS_API_ROOT: ${{ inputs.platform_environment == 'staging' && 'https://platform-staging.aignostics.com' || 'https://platform.aignostics.com' }}
-          envkey_AIGNOSTICS_CLIENT_ID_DEVICE: ${{ inputs.platform_environment == 'staging' && secrets.AIGNOSTICS_CLIENT_ID_DEVICE_STAGING || secrets.AIGNOSTICS_CLIENT_ID_DEVICE_PRODUCTION }}
-          envkey_AIGNOSTICS_REFRESH_TOKEN: ${{ inputs.platform_environment == 'staging' && secrets.AIGNOSTICS_REFRESH_TOKEN_STAGING || secrets.AIGNOSTICS_REFRESH_TOKEN_PRODUCTION }}
-          fail_on_empty: false
-
-      - name: Set up GCP credentials for bucket access
-        shell: bash
-        env:
-          GCP_CREDENTIALS: ${{ inputs.platform_environment == 'staging' && secrets.GCP_CREDENTIALS_STAGING || secrets.GCP_CREDENTIALS_PRODUCTION }}
-        run: |
-          echo "$GCP_CREDENTIALS" | base64 -d > credentials.json
-          echo "GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/credentials.json" >> $GITHUB_ENV
-
       - name: Print development version info
         if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         shell: bash
@@ -119,13 +90,15 @@ jobs:
             --model claude-sonnet-4-5-20250929
             --allowed-tools "${{ inputs.allowed_tools }}"
             --system-prompt "Read the CLAUDE.md file in the root folder of this repository and explicitely acknowledge you will apply **all** guidance therein and in **all** linked documents."
+
       - name: Run Claude Code (Automation Mode)
         if: inputs.mode == 'automation'
-        uses: anthropics/claude-code-action@v1.0.15
+        uses: anthropics/claude-code-action@v1.0.22
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           track_progress: ${{ inputs.track_progress }}
+          use_sticky_comment: ${{ inputs.use_sticky_comment }}
           additional_permissions: |
             actions: read
           allowed_bots: "dependabot[bot],renovate[bot]"

.github/workflows/_codeql.yml

@@ -40,7 +40,7 @@ jobs:
           # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
         # Add any setup steps before running the `github/codeql-action/init` action.
       # This includes steps like installing compilers or runtimes (`actions/setup-node`

.github/workflows/_docker-publish.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Install dev tools
         shell: bash

.github/workflows/_install_dev_tools.bash

@@ -6,6 +6,7 @@ set -o pipefail  # Return value of a pipeline is the value of the last command t
 # Log function for better debugging
 log() {
     echo "[$(date +'%Y-%m-%dT%H:%M:%S%z')] $*"
+    return 0
 }
 
 log "Starting installation of development tools..."
@@ -14,13 +15,16 @@ log "Starting installation of development tools..."
 sudo rm -f /var/lib/man-db/auto-update
 
 # Install APT packages
-wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
-echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+# Use signed-by to add GPG key securely (apt-key is deprecated)
+mkdir -p /etc/apt/keyrings
+wget --secure-protocol=TLSv1_2 --max-redirect=0 -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /etc/apt/keyrings/trivy.gpg > /dev/null
+echo "deb [signed-by=/etc/apt/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
 sudo apt-get update
 sudo apt-get install --no-install-recommends -y curl gnupg2 jq trivy xsltproc
 
 # Install further tools not project specific
-curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.57.0" sh
+# Download Sentry CLI securely: enforce HTTPS, disable redirects
+wget --secure-protocol=TLSv1_2 --max-redirect=0 -qO - https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.57.0" sh
 
 # Install project specific tools
 .github/workflows/_install_dev_tools_project.bash

.github/workflows/_ketryx_report_and_check.yml

@@ -29,7 +29,7 @@ jobs:
       packages: read
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0
 

.github/workflows/_lint.yml

@@ -13,7 +13,7 @@ jobs:
       packages: read
     steps:
       - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           fetch-depth: 0