Version 0.1.15

[winstonsung]

Change-Id: I6b68ad7fe526aede117a03e44bd6553fd35a79ff

Summary by CodeRabbit

• New Features

  • Added experimental support for Python 3.13

• Bug Fixes

  • Improved modal input clearing to reduce stale state after submissions

• Documentation

  • Updated deployment docs and translated README to include Python 3.13
  • Revised security reporting guidance
  • Updated release notes to reflect maintenance release 0.1.15

• Chores

  • Bumped project version to 0.1.15 and updated dependency pins and hashes

• CI

  • Adjusted workflows and post-commit behavior; removed Notion sync workflow and Dependabot pip updates

[coderabbitai]

Walkthrough

Bumps project to 0.1.15, expands Python support to allow 3.13, updates many dependency pins and hashes, adjusts CI workflows and Dependabot config, removes import-time dotenv load, and adds modal clear_items() helpers in two cog modules.

Changes

Cohort / File(s)	Summary
Version & Release cog/version_info.py, pyproject.toml, RELEASE-NOTES-0.1.md	Project version bumped to 0.1.15 and date updated; pyproject Python upper bound and classifier updated; release notes replaced with 0.1.15 content.
Docs: Python support README.md, README_zh-Hant.md	Deployment docs updated to list Python 3.13 as an experimental option.
CI / Workflows .github/workflows/postcommit.yml, .github/workflows/test.yml	Added BRANCH_NAME; moved cancelled-run deletion step and adjusted checkout/ref and git push usage; test matrix extended to Python 3.13; pylint invocation changed and cancellation cleanup gated to 3.12.
Dependabot .github/dependabot.yml	Removed the package-ecosystem: "pip" update block (pip updates disabled).
Dependencies & Hashes requirements.txt, requirements_dev.txt, pyproject.toml	Updated runtime/dev dependency versions and many integrity hashes (e.g., flask, py-cord, multidict, black, isort, tomlkit).
Modal utilities cog/class_role.py, cog/ctf.py	Added clear_items(self) -> Self to nested modal classes to clear InputText components/state; added TYPE_CHECKING typing scaffolding.
Secrets / Env cog/core/secret.py	Removed import-time load_dotenv(...); env vars are now read only via os.getenv at import time.
Security guidance SECURITY.md	Reporting guidance reworded to reference GitHub Security Advisories.
Removed workflow .github/workflows/notion.yml	Deleted Notion-sync GitHub Actions workflow (issue→Notion sync removed).
Tests / Minor tests/pytest/legacy/test_user_record.py	Minor whitespace removal only.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Version 0.1.12 #336: Overlapping changes updating cog/version_info.py (version metadata bump).
• Version 0.1.11 #335: Related version metadata edits in cog/version_info.py.
• Version 0.1.14 #366: Edits touching CI workflows (postcommit.yml, test.yml) and version constants.

Suggested labels

dependencies

Suggested reviewers

• YuevUwU
• Maxhu787

Poem

A curious cat taps keys at night,
Version leaps to 0.1.15 in moonlight.
CI stretches to welcome three-dot-thirteen,
Modals wiped clean, envs read lean.
Purrs of hashes tucked away, all neat and bright.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Version 0.1.15' directly corresponds to the main purpose of this PR: releasing version 0.1.15. The changeset demonstrates this across version bumps in multiple files (pyproject.toml, cog/version_info.py, RELEASE-NOTES-0.1.md) and dependency updates.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch REL0_1

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Fix all issues with AI agents

In @.github/workflows/postcommit.yml:
- Around line 21-26: The job is failing for forked PRs because the
actions/checkout step uses a ref and later push/delete actions require base-repo
access; add a guard so the job (or the specific steps that push/delete) only
runs for non-fork PRs by checking that the PR head repo matches the base repo
(e.g., compare github.event.pull_request.head.repo.full_name to
github.repository or compare owner fields) and apply the same guard to the
delete-cancelled-runs step in test.yml; update the BRANCH_NAME usage to only be
used when that guard allows the checkout/push/delete flow.

In @.github/workflows/test.yml:
- Around line 39-51: The "Delete cancelled runs in the same concurrency group"
step should skip forked PRs to avoid 403s; update its if condition to require
both the existing matrix.python-version check and that the PR head repo is not a
fork (e.g., require github.event.pull_request.head.repo.fork == false or that
github.event.pull_request.head.repo.full_name == github.repository), leaving the
GH_TOKEN and TARGET_SHA env vars and the run block intact; ensure the new if
combines the checks (logical AND) so the deletion only runs for non-fork PRs on
Python 3.12.

In `@cog/class_role.py`:
- Around line 120-134: The clear_items implementation in TokenModal uses a
double-underscore attribute self.__weights which is name-mangled differently
than the parent discord.ui.Modal (causing AttributeError not caught by the
ValueError except); extract this logic into a shared mixin/utility used by both
cog/class_role.py and cog/ctf.py (e.g., a ClearableModalMixin with a clear_items
method) and update TokenModal and the duplicate in cog/ctf.py to call it; inside
the mixin's clear_items, attempt to clear self._children and then clear weights
by first trying self.__weights, and if that raises AttributeError, fall back to
the parent-mangled name (e.g., _Modal__weights) via getattr/setattr or a
try/except that catches AttributeError and clears the fallback attribute so both
modal subclasses work reliably.

In `@cog/ctf.py`:
- Around line 284-298: The clear_items method duplicates a workaround and uses a
double-underscore attribute (__weights) which will be name-mangled incorrectly
in SubmitModal subclasses; update by extracting this logic into a shared mixin
(e.g., ClearableModalMixin) and have both SubmitModal and any other modal
classes use it, and inside the mixin reference the correctly mangled attribute
name (_Modal__weights) alongside _children and handle both ValueError and
AttributeError; replace the existing clear_items implementations in cog/ctf.py
(clear_items) and cog/class_role.py with inheritance from the new mixin so the
duplicate fix is centralized.

In `@RELEASE-NOTES-0.1.md`:
- Around line 17-18: Replace the inconsistent "Upgraded" wording with the
project-standard "Updated" for dependency version changes in the RELEASE-NOTES
entries referencing "(`#385`) Upgraded multidict from 6.7.0 to 6.7.1." and "(`#371`)
Upgraded py-cord from 2.6.1 to 2.7.0." (and any other similar lines in the same
section, e.g., lines 22-26), so each dependency change uses "Updated" instead of
"Upgraded" to match the historical convention.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@RELEASE-NOTES-0.1.md`:
- Line 18: Update the py-cord version text in RELEASE-NOTES-0.1.md to match the
actual pinned dependency version (py-cord==2.7.1) used in pyproject.toml and
requirements.txt: find the occurrences that currently say "2.7.0" (notably the
entries around the referenced lines) and change them to "2.7.1" so the release
notes reflect the shipped version.

In `@requirements.txt`:
- Around line 137-139: The requirements lock currently pins werkzeug==3.1.5
which is vulnerable; update the entry for werkzeug (replace "werkzeug==3.1.5")
to version 3.1.6 and regenerate the corresponding hashes for requirements.txt
(or re-run your dependency lock/compile step) so the new --hash values match
3.1.6; ensure any dependency files or lock artifacts are updated consistently
across the repo after changing the version.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6fa2cc56-02e1-43a8-abda-a30125dc4d02

📥 Commits

Reviewing files that changed from the base of the PR and between dee8b47 and abae553.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• RELEASE-NOTES-0.1.md
• cog/version_info.py
• pyproject.toml
• requirements.txt
• requirements_dev.txt

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check advisory status for Werkzeug 3.1.5 (read-only)
python - << 'PY'
import json, urllib.request
query = {
  "package": {"name": "werkzeug", "ecosystem": "PyPI"},
  "version": "3.1.5"
}
req = urllib.request.Request(
  "https://api.osv.dev/v1/query",
  data=json.dumps(query).encode(),
  headers={"Content-Type":"application/json"}
)
with urllib.request.urlopen(req) as r:
  data = json.load(r)
print(json.dumps(data, indent=2))
PY

Repository: SCAICT/SCAICT-uwu

Length of output: 2643

---

🏁 Script executed:

#!/bin/bash
# First, locate and check the requirements.txt file
fd -name "requirements.txt" -type f

# Get the total line count
wc -l requirements.txt 2>/dev/null || echo "File not found in root"

# Check lines around 460 for werkzeug
sed -n '455,465p' requirements.txt 2>/dev/null || echo "Could not read file"

Repository: SCAICT/SCAICT-uwu

Length of output: 851

---

🌐 Web query:

Werkzeug GHSA-29vq-49wr-vm6x security advisory vulnerability details

💡 Result:

GHSA-29vq-49wr-vm6x is a Moderate severity (CVSS 6.3) vulnerability in Werkzeug affecting versions before 3.1.6. It involves the safe_join function on Windows allowing special device names (e.g., NUL, CON) in multi-segment paths like "example/NUL". This bypasses prior filtering from GHSA-hgf8-39gv-g3f2. When send_from_directory serves such a path, the file opens but reading hangs indefinitely, causing Denial of Service (CWE-67: Improper Handling of Windows Device Names). Associated CVE is CVE-2026-27199. Patched in Werkzeug 3.1.6 (released 2026-02-19) via commit f407712fdc60a09c2b3f4fe7db557703e5d9338d. Upgrade to 3.1.6 or later. No specific workarounds mentioned beyond avoiding untrusted paths on Windows or not using send_from_directory with user input.

Citations:

• 1: GHSA-29vq-49wr-vm6x
• 2: https://nvd.nist.gov/vuln/detail/CVE-2026-27199
• 3: https://github.com/pallets/werkzeug/security
• 4: https://www.sentinelone.com/vulnerability-database/cve-2026-27199/
• 5: https://www.cvedetails.com/cve/CVE-2026-27199/
• 6: GHSA-29vq-49wr-vm6x
• 7: https://werkzeug.palletsprojects.com/en/stable/changes/
• 8: https://github.com/pallets/werkzeug/releases
• 9: https://github.com/pallets/werkzeug/blob/main/CHANGES.rst

---

Bump Werkzeug to 3.1.6 to address security vulnerability.
The lock contains werkzeug==3.1.5 (line 460), which is affected by GHSA-29vq-49wr-vm6x (CVSS 6.3). This Moderate severity vulnerability in the safe_join function on Windows allows device name bypass, potentially causing denial of service. Werkzeug 3.1.6, released 2026-02-19, patches this issue.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@requirements.txt` around lines 137 - 139, The requirements lock currently
pins werkzeug==3.1.5 which is vulnerable; update the entry for werkzeug (replace
"werkzeug==3.1.5") to version 3.1.6 and regenerate the corresponding hashes for
requirements.txt (or re-run your dependency lock/compile step) so the new --hash
values match 3.1.6; ensure any dependency files or lock artifacts are updated
consistently across the repo after changing the version.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@RELEASE-NOTES-0.1.md`:
- Line 26: The release note line "* (`#409`) (0.2.x branch only) Upgraded
hatchling from 1.28.0 to 1.29.0." in RELEASE-NOTES-0.1.md is misleading for the
0.1.15 notes; either remove that bullet if hatchling was not changed in 0.1.x,
or reword it to clarify scope (e.g., "Backport not applied to 0.1.x — change
applies to 0.2.x only") if it must remain; update the text accordingly so the
entry correctly reflects whether the upgrade occurred on the 0.1 branch.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ef79c1e7-05e6-4746-9fa1-456839c41903

📥 Commits

Reviewing files that changed from the base of the PR and between abae553 and e3d0a4a.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• .github/workflows/notion.yml
• RELEASE-NOTES-0.1.md
• cog/version_info.py
• pyproject.toml
• requirements_dev.txt

💤 Files with no reviewable changes (1)

• .github/workflows/notion.yml