ci(deps): bump the github-actions group across 1 directory with 9 updates

[dependabot]

Bumps the github-actions group with 9 updates in the / directory:

Package	From	To
step-security/harden-runner	2.17.0	2.19.2
pnpm/action-setup	5.0.0	6.0.8
actions/setup-node	6.3.0	6.4.0
actions/upload-artifact	7.0.0	7.0.1
actions/cache	5.0.4	5.0.5
github/codeql-action	4.35.1	4.35.4
actions/dependency-review-action	4.9.0	5.0.0
peter-evans/create-pull-request	8.1.0	8.1.1
actions/upload-pages-artifact	4.0.0	5.0.0

Updates step-security/harden-runner from 2.17.0 to 2.19.2

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.2

What's Changed

• Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in step-security/harden-runner#657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

• Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
• System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

Commits

• 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
• 1dee3df Update agent to v1.8.5
• a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
• 6e92856 build dist and trim ubuntu-slim message
• 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
• 8d3c67d Release v2.19.0 (#661)
• 6c3c2f2 Feature/deploy on self hosted vm (#658)
• 376d25a fix: detect ubuntu-slim runners early and bail out
• See full diff in compare view

Updates pnpm/action-setup from 5.0.0 to 6.0.8

Release notes

Sourced from pnpm/action-setup's releases.

v6.0.8

What's Changed

• docs(README): fix cache_dependency_path type by @​haines in pnpm/action-setup#257
• fix: drop patchPnpmEnv so standalone+self-update works on Windows by @​zkochan in pnpm/action-setup#258
• fix: update pnpm to 11.1.1 by @​mungodewar in pnpm/action-setup#248

New Contributors

• @​mungodewar made their first contribution in pnpm/action-setup#248

Full Changelog: pnpm/action-setup@v6.0.7...v6.0.8

v6.0.7

What's Changed

• fix: honor devEngines.packageManager.onFail=error (#252) by @​zkochan in pnpm/action-setup#254
• fix: restore inputs from state in post by @​haines in pnpm/action-setup#255
• fix: self-update bootstrap to packageManager-pinned version (#233) by @​zkochan in pnpm/action-setup#256

New Contributors

• @​haines made their first contribution in pnpm/action-setup#255

Full Changelog: pnpm/action-setup@v6.0.6...v6.0.7

v6.0.6

What's Changed

• fix: bin_dest output points to self-updated pnpm, not bootstrap by @​zkochan in pnpm/action-setup#249

Full Changelog: pnpm/action-setup@v6.0.5...v6.0.6

v6.0.5

What's Changed

• fix: append (not prepend) action node dir to PATH for npm bootstrap by @​zkochan in pnpm/action-setup#241

Full Changelog: pnpm/action-setup@v6.0.4...v6.0.5

v6.0.4

What's Changed

• fix: use npm co-located with the action node binary by @​benquarmby in pnpm/action-setup#239

New Contributors

• @​benquarmby made their first contribution in pnpm/action-setup#239

Full Changelog: pnpm/action-setup@v6.0.3...v6.0.4

v6.0.3

Updated pnpm to v11.0.0-rc.5

Full Changelog: pnpm/action-setup@v6.0.2...v6.0.3

... (truncated)

Commits

• 0e279bb fix: update pnpm to 11.1.1 (#248)
• 3e83581 fix: drop patchPnpmEnv so standalone+self-update works on Windows (#258)
• 551b42e docs(README): fix cache_dependency_path type (#257)
• 739bfe4 fix: self-update bootstrap to packageManager-pinned version (#233) (#256)
• f61705d chore: add CODEOWNERS
• 7a5507b fix: restore inputs from state in post (#255)
• 1155470 fix: honor devEngines.packageManager.onFail=error (#252) (#254)
• 91ab88e fix: bin_dest output points to self-updated pnpm, not bootstrap (#249)
• e578e19 fix: update pnpm to 11.0.4
• 8912a91 fix: append (not prepend) action node dir to PATH for npm bootstrap (#241)
• Additional commits viewable in compare view

Updates actions/setup-node from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in actions/setup-node#1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in actions/setup-node#1533

New Contributors

• @​Copilot made their first contribution in actions/setup-node#1525

Full Changelog: actions/setup-node@v6...v6.4.0

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• See full diff in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• See full diff in compare view

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• See full diff in compare view

Updates github/codeql-action from 4.35.1 to 4.35.4

Release notes

Sourced from github/codeql-action's releases.

v4.35.4

• Update default CodeQL bundle version to 2.25.4. #3881

v4.35.3

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• If multiple inputs are provided for the GitHub-internal analysis-kinds input, only code-scanning will be enabled. The analysis-kinds input is experimental, for GitHub-internal use only, and may change without notice at any time. #3892
• Added an experimental change which, when running a Code Scanning analysis for a PR with improved incremental analysis enabled, prefers CodeQL CLI versions that have a cached overlay-base database for the configured languages. This speeds up analysis for a repository when there is not yet a cached overlay-base database for the latest CLI version. We expect to roll this change out to everyone in May. #3880

4.35.4 - 07 May 2026

• Update default CodeQL bundle version to 2.25.4. #3881

4.35.3 - 01 May 2026

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
• Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
• Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #3781

4.35.0 - 27 Mar 2026

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #3767
• Update default CodeQL bundle version to 2.25.1. #3773

4.34.1 - 20 Mar 2026

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
• Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

... (truncated)

Commits

• 68bde55 Merge pull request #3885 from github/update-v4.35.4-803d9e8c3
• 9739ad2 Update changelog for v4.35.4
• 803d9e8 Merge pull request #3883 from github/mbg/test/macro-wrapper
• 0fd9c7d Merge pull request #3882 from github/dependabot/github_actions/dot-github/wor...
• 922d6fb Use makeMacro instead of test.macro
• df77e87 Update test macro snippet
• 6e3f985 Add wrapper for test.macro
• e7a347d Merge pull request #3881 from github/update-bundle/codeql-bundle-v2.25.4
• 17eabb2 Rebuild
• aaef09c Bump ruby/setup-ruby
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.9.0 to 5.0.0

Release notes

Sourced from actions/dependency-review-action's releases.

5.0.0

This is a new major version of the Dependency Review Action which updates the runtime to node24. This requires a minimum Actions Runner version v2.327.1 to run.

What's Changed

• Add .github/copilot-instructions.md for Copilot coding agent by @​ahpook in actions/dependency-review-action#1067
• Update Node.js runtime from 20 to 24 by @​scottschreckengaust in actions/dependency-review-action#1084
• Bump spdx-license-ids from 3.0.20 to 3.0.23 by @​mongolyy in actions/dependency-review-action#1091
• docs: bump actions/checkout from v4 to v6 in workflow examples by @​Marukome0743 in actions/dependency-review-action#1077
• fix: patched version display for advisories with non-strict semver ranges (e.g. Maven beta versions) by @​tspascoal in actions/dependency-review-action#1076
• Resolve security findings by @​AshelyTC in actions/dependency-review-action#1094
• v5.0.0 release branch by @​ahpook in actions/dependency-review-action#1098

New Contributors

• @​scottschreckengaust made their first contribution in actions/dependency-review-action#1084
• @​mongolyy made their first contribution in actions/dependency-review-action#1091
• @​Marukome0743 made their first contribution in actions/dependency-review-action#1077

Full Changelog: actions/dependency-review-action@v4.9.0...v5.0.0

Commits

• a1d282b Merge pull request #1098 from actions/ahpook/v5-release
• eb6c199 update examples to show @​v5
• 3943c2c v5.0.0 release branch
• 454943c Merge pull request #1094 from actions/ashelytc/security-findings
• 6d92a12 revert @​typescript-eslint/parser update
• a8e5a7e Merge pull request #1076 from tspascoal/fix-version-matching-for-non-string-s...
• b6b7079 update @​typescript-eslint/parser to 8.40.0
• 821a21d update more dependencies
• 05aaaae run npm audit fix
• 55d3e75 Merge pull request #1077 from Marukome0743/docs/checkout
• Additional commits viewable in compare view

Updates peter-evans/create-pull-request from 8.1.0 to 8.1.1

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v8.1.1

What's Changed

• build(deps-dev): bump the npm group with 2 updates by @​dependabot[bot] in peter-evans/create-pull-request#4305
• build(deps): bump minimatch by @​dependabot[bot] in peter-evans/create-pull-request#4311
• build(deps): bump the github-actions group with 2 updates by @​dependabot[bot] in peter-evans/create-pull-request#4316
• build(deps): bump @​tootallnate/once and jest-environment-jsdom by @​dependabot[bot] in peter-evans/create-pull-request#4323
• build(deps-dev): bump undici from 6.23.0 to 6.24.0 by @​dependabot[bot] in peter-evans/create-pull-request#4328
• build(deps-dev): bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in peter-evans/create-pull-request#4334
• build(deps): bump picomatch by @​dependabot[bot] in peter-evans/create-pull-request#4339
• build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 by @​dependabot[bot] in peter-evans/create-pull-request#4344
• build(deps-dev): bump the npm group with 3 updates by @​dependabot[bot] in peter-evans/create-pull-request#4349
• fix: retry post-creation API calls on 422 eventual consistency errors by @​peter-evans in peter-evans/create-pull-request#4356

Full Changelog: peter-evans/create-pull-request@v8.1.0...v8.1.1

Commits

• 5f6978f fix: retry post-creation API calls on 422 eventual consistency errors (#4356)
• d32e88d build(deps-dev): bump the npm group with 3 updates (#4349)
• 8170bcc build(deps-dev): bump handlebars from 4.7.8 to 4.7.9 (#4344)
• 0041819 build(deps): bump picomatch (#4339)
• b993918 build(deps-dev): bump flatted from 3.3.1 to 3.4.2 (#4334)
• 36d7c84 build(deps-dev): bump undici from 6.23.0 to 6.24.0 (#4328)
• a45d1fb build(deps): bump @​tootallnate/once and jest-environment-jsdom (#4323)
• 3499eb6 build(deps): bump the github-actions group with 2 updates (#4316)
• 3f3b473 build(deps): bump minimatch (#4311)
• 6699836 build(deps-dev): bump the npm group with 2 updates (#4305)
• See full diff in compare view

Updates actions/upload-pages-artifact from 4.0.0 to 5.0.0

Release notes

Sourced from actions/upload-pages-artifact's releases.

v5.0.0

Changelog

• Update upload-artifact action to version 7 @​Tom-van-Woudenberg (#139)
• feat: add include-hidden-files input @​jonchurch (#137)

See details of all code changes since previous release.

Commits

• fc324d3 Merge pull request #139 from Tom-van-Woudenberg/patch-1
• fe9d4b7 Merge branch 'main' into patch-1
• 0ca1617 Merge pull request #137 from jonchurch/include-hidden-files
• 57f0e84 Update action.yml
• 4a90348 v7 --> hash
• 56f665a Update upload-artifact action to version 7
• f7615f5 Add include-hidden-files input
• See full diff in compare view

[dependabot]

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

🔍 The Case of Pull Request #502

Plain-English Readout

• Holmes (evidence investigation): Holmes says this change should not ship in its current state. Main reasons: No evidence citations were available for trust analysis; test evidence is incomplete; schema coverage is incomplete.
• Watson (independent verification): Watson found verification concerns. Most important concern: Low migration risk claimed but schema incomplete.
• Moriarty (trend forecast): Moriarty sees progress as stalled right now, so forecast confidence is limited.

Suggested next actions

1. Tighten citations so the report points to exact lines instead of whole files or coarse references.
2. Resolve Watson’s verification concerns before trusting the Holmes verdict as final.
3. Treat the readiness forecast as stalled until new evidence or real progress moves the trend again.
4. Add or strengthen tests for the schema elements and operations HOLMES flagged as weakly proven.

📚 Glossary (what the Holmes terms mean)

• HOLMES: Wesley’s main evidence investigation. It decides whether the cited proof is strong enough to justify shipping this commit.
• WATSON: An independent verification pass. It checks Holmes’s citations and score math instead of trusting them blindly.
• MORIARTY: A readiness forecast over time. It is advisory trend analysis, not the release gate itself.
• Schema coverage score (SCS): How much of the schema has direct supporting evidence across generated artifacts and cited proof.
• Test confidence index (TCI): How much test evidence exists for constraints, policies, relationships, and operations.
• Migration risk index (MRI): How risky the schema change is to roll out. Lower is better.
• Evidence trust: Whether the report is backed by exact citations, whole-file citations, or coarse references. Weak trust means the claim may be directionally right but not specific enough to trust blindly.
• Citation quality: A count of exact line-span citations versus whole-file or coarse references.
• ELEMENTARY: Ready to ship based on the current evidence.
• REQUIRES INVESTIGATION: More work or review is needed before shipping.
• YOU SHALL NOT PASS: Do not ship this change in its current state.

---

🕵️ SHA-lock HOLMES full report (click to expand)

🕵️ SHA-lock HOLMES Investigation

• Generated: 2026-05-14T13:30:24.696Z
• Commit SHA: 80413c9
• Bundle Version: 2.0.0

⚠️ Evidence valid only for commit 80413c9

🔍 Executive Deduction

"Watson, after careful examination of the evidence, I deduce..."

Weighted Completion: ░░░░░░░░░░ 0.0%
Scores: SCS 0.0% · TCI 0.0% · MRI 0.0%
Verification Status: 0 claims verified
Citation Quality: 0 exact · 0 whole-file · 0 coarse
Evidence Trust: missing
Ship Verdict: YOU SHALL NOT PASS

🧩 SCS Breakdown

Component	Score	Coverage
Sql	0.0%	0.00/154.00
Types	0.0%	0.00/154.00
Validation	0.0%	0.00/154.00
Tests	0.0%	0.00/154.00

🧪 TCI Breakdown

Component	Score	Coverage	Note
Unit Constraints	0.0%	0/104	N/A
Unit Rls	0.0%	—	N/A
Integration Relations	0.0%	0/3	N/A
E2e Ops	N/A	—	Query operation test tracking not yet implemented

⚠️ MRI Breakdown

Component	Risk Share	Points	Count
Drops	0%	0	0
Renames Without Uid	0%	0	0
Add Not Null Without Default	0%	0	0
Non Concurrent Indexes	0%	0	0

📊 The Weight of Evidence

"Observe, Watson, how not all features carry equal importance..."

Element	Weight	Status	Evidence	Strength	Deduction

🚪 Security & Performance Gates

"Elementary security measures, Watson..."

Gate	Status	Evidence	Holmes's Ruling
Migration Risk	✅	MRI: 0.0%	"Trivial risk"
Test Coverage	⚠️	TCI: 0.0%	"Theatrical tests!"
Sensitive Fields	✅	0 fields	"All secured"
Evidence Quality	⛔	0 exact · 0 whole-file · 0 coarse	"No evidence citations were available for trust analysis."

📋 The Verdict

⛔ YOU SHALL NOT PASS
"Critical evidence is missing! Return to your laboratory!"

Signed and sealed,

• S. Holmes, Consulting Detective

[END OF INVESTIGATION FOR COMMIT 80413c9]

🧵 Command Run

• Run ID: run-mp5j0weo-gi0ggx
• Transmutation: holmes-investigate
• Command: investigate
• Status: completed
• Ledger: /home/runner/work/wesley/wesley/test/fixtures/examples/.wesley-cache/ledger

---

🩺 Dr. WATSON full report (click to expand)

🩺 Dr. Watson's Independent Verification Report

Medical Examination of Evidence

• Examination Date: 2026-05-14T13:31:30.406Z
• Patient SHA: 80413c9

🔬 Citation Verification

"Let me examine each piece of evidence independently..."

• Citations Examined: 0
• Verified: 0 ✅
• Failed: 0 ❌
• Unable to Verify: 0
• Exact Subrange Citations: 0
• Whole-file Citations: 0
• Coarse Citations: 0
• Evidence Trust: missing
• Trust Note: No evidence citations were available for trust analysis.

Verification Rate: 0.0%

📊 Mathematical Verification

"I shall recalculate Holmes's arithmetic..."

Holmes claimed SCS: 0.0%
Watson calculates: 0.0%
Difference: ✅ Negligible

🔍 Consistency Analysis

"Checking for contradictions in Holmes's deductions..."

⚠️ Low migration risk claimed but schema incomplete

🩺 Dr. Watson's Medical Opinion

VERIFICATION: CONCERNS NOTED ⚠️

"While Holmes's methods are generally sound, I have noted some"
"discrepancies that warrant further investigation. No evidence citations were available for trust analysis."

Respectfully submitted,

• Dr. J. Watson, M.D.
  Medical Examiner & Verification Specialist

🧵 Command Run

• Run ID: run-mp5j1of0-4zofxw
• Transmutation: watson-verify
• Command: verify
• Status: completed
• Ledger: /home/runner/work/wesley/wesley/test/fixtures/examples/.wesley-cache/ledger

---

🔮 Professor MORIARTY full report (click to expand)

🧠 Professor Moriarty's Temporal Predictions

The Mathematics of Inevitability

• Analysis Date: 2026-05-14T13:32:21.486Z

🔮 Current State

SCS: ░░░░░░░░░░ 0.0%
TCI: ░░░░░░░░░░ 0.0%
MRI: 0.0% risk
Evidence Trust: missing

📈 Velocity Analysis

SCS Velocity: +0.00%/day
Git Activity (window): 24h · commits 3 (0 relevant) · ~3.00 commits/day
↳ Magnitude: ~0 relevant LOC/day across ~0.0 files/day
Activity Index: 5 / 100 (PR 0, Window 13)
Blended Velocity: +0.03%/day
Commit Size Burstiness: 0 / 100 (higher = more uneven commit sizes)
⚠️ PLATEAU DETECTED - Low SCS movement and low recent Git activity.

⏰ Completion Predictions

ETA: Cannot predict (insufficient velocity)

"At current velocity, completion is... improbable."

⚠️ Warnings

• Evidence trust is missing; No evidence citations were available for trust analysis.

🧪 Readiness EXPLAIN

• SCS ≥ 80% → FAIL ❌ (actual 0.0%)
• TCI ≥ 70% → FAIL ❌ (actual 0.0%)
• MRI ≤ 40% → PASS ✅ (actual 0.0%)
• CI Stability ≥ 90% (branch main) → FAIL ❌ (actual 89% over ~168h)
• Evidence Trust ≥ moderate → FAIL ❌ (actual missing) — No evidence citations were available for trust analysis.
• Delivery context (last 168h): 0 issues closed · 8 PRs merged (informational, not gating)

Signals blend: SCS velocity (70%) + Git activity (30%, branch-first). Activity only suppresses false plateaus; it never inflates readiness.

📊 Historical Trajectory

05-14: ░░░░░░░░░░ 0.0%
05-14: ░░░░░░░░░░ 0.0%
05-14: ░░░░░░░░░░ 0.0%

"Every problem becomes elementary when reduced to mathematics"
— Professor Moriarty

🧵 Command Run

• Run ID: run-mp5j2ru4-58hpyv
• Transmutation: moriarty-predict
• Command: predict
• Status: completed
• Ledger: /home/runner/work/wesley/wesley/test/fixtures/examples/.wesley-cache/ledger

---

Machine-readable reports: holmes-report.json · watson-report.json · moriarty-report.json (see workflow artifacts).

---

Filed at 221B Repository Street