Skip to content

Overnight Maintenance Log - 2026-07-02

Branch: codex/overnight-maintenance Upstream: origin/codex/overnight-maintenance Spec: external overnight-maintenance/maintenance-spec.md skill spec Parameters: PASSES=25, MAX_PASSES=75, PUSH=yes, NUMBERED_DOCS=yes

1. Coverage Decisions

Applied checks: - Baseline repository scan: Python code, notebooks, tests, docs, scripts, CI, Docker, devcontainer, dependency manifests. - Documentation indexing and hierarchical numbering because NUMBERED_DOCS=yes. - End-to-end execution-flow tracing for notebooks, scripts, Makefile targets, and test/tooling entry points. - Design-pattern and refactoring opportunity scan. - Error-handling, configuration, secrets, versioning, build, supply-chain, complexity, dependency-contract, and examples/library-fit checks.

Skipped checks: - HTTP/RPC handler contracts: N/A, no service handlers found in this repository. - Database and migration hygiene: N/A, no persistent database or migration files found. - i18n/a11y UI checks: N/A, no user-facing frontend application found. - Multi-language parity for active surfaces: N/A for active notebooks and Python helpers; archived CodexGLUE material is reviewed as archive hygiene, not an active supported surface. - Performance budget benchmarking: N/A unless a repository-declared performance budget is found during pass review.

2. Pass History

Pass Type Issues Coverage Evidence Result
1 genuine 18 Inventory gathered: git state, tracked files, 51 notebooks / 61 Python files / 30 Markdown files; baseline and post-fix ruff check .; pytest tests/; pytest tests/nnx_surface; python scripts/verify_repo.py --check all --fast; pip-audit -r requirements.txt -r torch-requirements.txt; fresh-eyes report-only subagents for docs, notebooks, tooling/security/dependencies, and Python/tests/complexity. Non-zero pass; valid findings fixed or explicitly deferred
2 genuine 8 Fresh-eyes report-only subagents for changed docs/logs, changed code/tests/runtime, and CI/dependency/security; focused red/green tests for scalar one-hot encoding and multiline/spaced ToSparseTensor calls; ruff check .; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; workflow/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-2 follow-ups fixed
3 genuine 9 Fresh-eyes report-only subagents for committed docs/logs, code/tests/runtime, and CI/security/dependencies; focused red/green tests for string-source notebook guards and aliased deprecated import rewrites; ruff check .; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; workflow/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-3 follow-ups fixed or explicitly deferred
4 genuine 4 Fresh-eyes report-only subagents for committed docs/logs, code/tests/runtime, and CI/security/dependencies; focused red/green tests for parenthesized deprecated imports and alias/bare NNParams import coexistence; action tag SHA resolution with git ls-remote; ruff check .; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; workflow/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-4 follow-ups fixed
5 genuine 8 Fresh-eyes report-only subagents for committed docs/logs, code/tests/runtime, and CI/security/dependencies; focused red/green tests for comment/string-safe deprecated Params rewrites, unconfigured active notebook enforcement, and verifier timeout byte-stream handling; runtime-doc wording sweep; workflow/override/config YAML parse; make check-tier-a-clean; ruff check .; python -m py_compile scripts/rewrite_imports.py scripts/verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-5 follow-ups fixed
6 genuine 8 Fresh-eyes report-only subagents for committed docs/logs, code/tests/runtime, and CI/security/dependencies; focused red/green tests for parameter-cell baseline exclusions, papermill-unsafe parameter comments, string/comment-safe notebook static guards, and NNRun.load("best") AST detection; papermill parameter inspection of four Reddit phase3 notebooks; local Docker build smoke; workflow/override/config YAML parse; make check-tier-a-clean; ruff check .; python -m py_compile scripts/verify_repo.py scripts/rewrite_imports.py scripts/inject_smoke_test_cell.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-6 follow-ups fixed
7 local genuine 1 Attempted fresh-eyes report-only subagents for docs, code/tests/notebooks, and CI/security, but all errored on account usage limits; local audit covered CI install commands, Docker/devcontainer/venv setup docs, Makefile setup targets, workflow action/runner pins, Markdown anchor probe, and standard validation: make -n install-torch-stack codespace-setup; workflow/override/config YAML parse; ruff check .; python -m py_compile scripts/verify_repo.py scripts/rewrite_imports.py scripts/inject_smoke_test_cell.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-7 local finding fixed; subagent coverage unavailable
8 local genuine 1 Local audit while subagent quota remained unavailable; covered dependency manifest single-source-of-truth drift, Docker/Make/CI install paths, CI cache keys, dependency ledger, active config/Tier-A consistency, and standard validation: make -n install-torch-stack codespace-setup; workflow/override/config YAML parse; ruff check .; python -m py_compile scripts/verify_repo.py scripts/rewrite_imports.py scripts/inject_smoke_test_cell.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; docker build -t ml-eng-lab-ci .; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-8 local finding fixed; subagent coverage unavailable
9 local genuine 1 Local audit while subagent quota remained unavailable; covered verifier coverage for Markdown file/fragment links, code-span/fenced-code false-positive handling, and standard validation: focused S3 regression tests; ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; workflow/override/config YAML parse; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-9 local finding fixed; subagent coverage unavailable
10 local genuine 1 Local audit while subagent quota remained unavailable; covered notebook Markdown link hygiene, S3 relative-link base handling for notebooks, code-span false positives in notebook markdown, and standard validation: focused S3 regression tests; ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-10 local finding fixed; subagent coverage unavailable
11 local genuine 1 Local audit while subagent quota remained unavailable; covered papermill parameter contract enforcement for active notebooks, AST-safe parameter assignment detection, focused E10 regression tests, and standard validation: focused verifier tests (3 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-11 local finding fixed; subagent coverage unavailable
12 local genuine 1 Local audit while subagent quota remained unavailable; covered helper/verifier contract alignment for papermill parameter injection, existing tagged-cell repair behavior, and standard validation: focused injector tests (6 passed); ruff check scripts/inject_smoke_test_cell.py tests/test_inject_smoke_test_cell.py; python -m py_compile scripts/inject_smoke_test_cell.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-12 local finding fixed; subagent coverage unavailable
13 local genuine 1 Local audit while subagent quota remained unavailable; covered Tier-A execution-list drift between Makefile and scripts/verify_repo_config.yaml, focused E11 parser/current-state tests, and standard validation: focused verifier tests (2 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-13 local finding fixed; subagent coverage unavailable
14 local genuine 1 Local audit while subagent quota remained unavailable; covered the E11 missing/empty Makefile TIER_A edge case, focused missing-list regression tests, and standard validation: focused verifier tests (2 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-14 local finding fixed; subagent coverage unavailable
15 local genuine 1 Local audit while subagent quota remained unavailable; covered Tier-A CI artifact upload path drift against verifier config, focused E12 workflow parser/current-state tests, and standard validation: focused verifier tests (2 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-15 local finding fixed; subagent coverage unavailable
16 local genuine 1 Local audit while subagent quota remained unavailable; covered verifier CLI import/config failure modes, configless --help behavior, and standard validation: focused help tests (2 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-16 local finding fixed; subagent coverage unavailable
17 local genuine 1 Local audit while subagent quota remained unavailable; covered verifier --phase-b-out CLI argument contract, conditional --check requirement, focused CLI tests, and standard validation: focused verifier tests (3 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-17 local finding fixed; subagent coverage unavailable
18 local genuine 0 Local audit while subagent quota remained unavailable; covered verifier/tooling CLI contracts, Tier-A config/workflow sync, docs/runtime wording drift, current standard validation, and the corrected workflow/config/override YAML parse target. Validation: pytest tests/ -v (360 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25; subagent coverage unavailable
19 local genuine 1 Local audit while subagent quota remained unavailable; covered NNx surface-test discovery, untracked scratch-notebook isolation, deferred OM-018, focused regression coverage, and standard validation: focused discovery test (1 passed); full NNx surface file (291 passed); ruff check tests/nnx_surface/test_notebook_api_surface.py; python -m py_compile tests/nnx_surface/test_notebook_api_surface.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-19 local finding fixed; zero-issue streak reset; subagent coverage unavailable
20 local genuine 1 Local audit while subagent quota remained unavailable; covered verifier test isolation, synthetic repo fixtures, hidden --repo-root test hook, deferred OM-016, and standard validation: pytest tests/test_verify_repo.py -q (39 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py tests/test_verify_repo.py; pytest tests/ -v; python scripts/verify_repo.py --check all --fast; make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-20 local finding fixed; zero-issue streak remains reset; subagent coverage unavailable
21 local genuine 1 Local audit while subagent quota remained unavailable; covered maintenance-log issue-state consistency for previously deferred/fixed items and found OM-017 still marked deferred after pass-16 fixed the same verifier --help failure. Validation: pytest tests/test_verify_repo.py::test_help_does_not_require_adjacent_config -q (1 passed); python scripts/verify_repo.py --check docs --fast; python scripts/verify_repo.py --check all --fast; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt. Non-zero pass; pass-21 log consistency finding fixed; zero-issue streak remains reset; subagent coverage unavailable
22 local genuine 0 Local audit while subagent quota remained unavailable; covered remaining deferred Reddit NNx import/seed items, dependency/digest deferrals, and standard validation. The remaining deferred work still requires coordinated NNx/dependency/image upgrades rather than a safe standalone maintenance edit. Validation: pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25; subagent coverage unavailable
23 local genuine 0 Local audit while subagent quota remained unavailable; covered maintenance-log stale states, active documentation references, remaining deferred issue boundaries, and standard validation. Validation: python scripts/verify_repo.py --check docs --fast (0 findings); pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25; subagent coverage unavailable
24 local genuine 0 Local audit while subagent quota remained unavailable; covered Python package/tooling environment sanity, manifest review, compile checks, and standard validation. pip check reports shared-environment conflicts from globally installed packages outside the repo manifests; no repo-declared dependency drift was found. Validation: python -m compileall -q scripts tests; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 3/25; subagent coverage unavailable
25 local genuine 0 Local audit while subagent quota remained unavailable; covered git/worktree hygiene, branch/upstream parity, ignored-artifact boundaries, generated cache cleanup, and standard validation. Validation: pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 4/25; subagent coverage unavailable
26 genuine 3 Fresh-eyes report-only subagents reviewed docs/logs, Python/tests/notebook guards, and dependency/security/build/runtime hygiene; local audit covered docs navigation, marker scans, tracked run metadata, secret/path scans, Tier-B smoke-contract wording, and standard validation. Validation: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-26 documentation findings fixed; zero-issue streak reset
27 genuine 6 Fresh-eyes report-only subagents reviewed post-fix documentation consistency, notebook smoke-contract traces, and release/dependency/reproducibility/security contract drift; local audit covered residual smoke-policy strings, Codespaces install wording, CI trigger docs, task README sweep dimensions, helper docstring accuracy, and standard validation. Validation: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-27 documentation/tooling-doc findings fixed; zero-issue streak remains reset
28 genuine 3 Fresh-eyes report-only subagents reviewed post-pass-27 documentation/tooling consistency, notebook smoke contracts, and build/dependency/security/runtime hygiene; local audit covered residual stale-string scans, branch/upstream parity, active config counts, Docker context ignore boundaries, and standard validation. Validation: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-28 documentation/Docker hygiene findings fixed; zero-issue streak remains reset
29 local genuine 1 Local audit covered post-pass-28 branch/upstream parity, Tier-B/Tier-C CI trigger documentation against workflow if: clauses, residual trigger wording scans, and standard validation. Validation: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-29 Tier smoke-trigger documentation finding fixed; zero-issue streak remains reset
30 local genuine 0 Local audit covered post-pass-29 branch/upstream parity, Tier-B/Tier-C trigger docs against workflow if: clauses, residual smoke-trigger wording across active docs and task READMEs, workflow timeout/condition summary, and standard validation. Validation: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
31 local genuine 0 Local audit covered post-pass-30 branch/upstream parity, dependency-contract ledger consistency against current pip-audit JSON output, unique accepted advisory ID parity, current manifest/runtime documentation references, and standard validation. Validation: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25
32 local genuine 1 Local audit covered post-pass-31 branch/upstream parity, Makefile help/header accuracy, setup/tooling command documentation against CI workflow usage, and standard validation. Validation: make help; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-32 Makefile CI-trigger comment finding fixed; zero-issue streak reset
33 local genuine 0 Local audit covered post-pass-32 branch/upstream parity, Docker/devcontainer/CI/Make setup-command parity, Torch-first install ordering, Codespaces postCreateCommand documentation, and standard validation. Validation: make -n install-torch-stack codespace-setup; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
34 local genuine 0 Local audit covered post-pass-33 branch/upstream parity, tracked ignored-artifact absence, tracked cache/secret/data/run pattern absence, ignored local artifact boundaries for data/runs/superpowers/Claude scratch, generated cache scan/cleanup, and standard validation. Validation: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25
35 local genuine 0 Local audit covered post-pass-34 branch/upstream parity, CI action SHA pin integrity against remote tag refs, mutable-action-reference absence, ubuntu-24.04 runner pinning, read-only workflow permissions, checkout credential persistence settings, and standard validation. Validation: git ls-remote --tags for actions/checkout@v5, actions/setup-python@v6, and actions/upload-artifact@v5; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 3/25
36 local genuine 1 Local audit covered post-pass-35 branch/upstream parity, Torch core/PyG manifest topology, duplicated core-pin absence, install-order parity across Make/Docker/CI/Codespaces docs, dependency-ledger exact-pin coverage, and standard validation. Validation: focused manifest-vs-ledger exact-reference check; make -n install-torch-stack codespace-setup; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-36 dependency-ledger finding fixed; zero-issue streak reset
37 local genuine 0 Local audit covered post-pass-36 branch/upstream parity, tracked active notebook coverage against verifier config, active task-directory coverage against README/config, Tier-A Makefile/YAML parity, documentation link verification, corrected YAML-key probe recovery, and standard validation. Validation: active notebook/config comparison (29/29); active task-dir README/config comparison (21/21); Tier-A Makefile/config comparison (19/19); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
38 local genuine 0 Local audit covered post-pass-37 branch/upstream parity, helper-script compileability, verifier help/config behavior, injector/rewriter/editor usage paths, JupyterHub wrapper uninitialized-submodule recovery, helper-doc reference scan, focused helper regression tests, and standard validation. Validation: python -m py_compile for helper scripts; python scripts/verify_repo.py --help; helper no-arg usage probes; bash -n scripts/start-jupyterhub.sh; wrapper recovery probe; focused helper tests (58 passed, 2 warnings); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25
39 local genuine 0 Local audit covered post-pass-38 branch/upstream parity, maintenance pass numbering, issue-ID sequencing, issue-status validity, deferred-state inventory, recent-commit/log correspondence, OM-081 representation, and standard validation. Validation: pass sequence 1..38 before logging; issue sequence OM-001..OM-081; no duplicate pass/issue IDs; five expected deferred/documented-deferred items; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 3/25
40 local genuine 0 Local audit covered post-pass-39 branch/upstream parity, ruff-only pyproject.toml configuration, Makefile target/help text parity, CI/docs references for test/lint/verify targets, TOML parseability, and standard validation. Validation: make help; tomllib parse of pyproject.toml; config reference scan across README/CONTRIBUTING/docs/CI/Makefile; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 4/25
41 local genuine 0 Local audit covered post-pass-40 branch/upstream parity, archive/read-only boundary checks, archive notebook exclusion from active config expectations, ruff archive/vendor/venv exclusions, ignored local data/runs/scratch isolation, tracked generated-cache/data pattern scan, and standard validation. Validation: archive inventory (22 archived notebooks); git status --ignored --short; tracked cache/data/run pattern scan; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 5/25
42 local genuine 0 Local audit covered post-pass-41 branch/upstream parity, NLP asset dependency paths, requirements.txt spaCy/NLTK presence, Makefile/CI/Codespaces nlp-assets parity, text/sentiment notebook dependency references, and standard validation. Validation: focused NLP asset consistency check; make -n nlp-assets codespace-setup; notebook source dependency probe; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 6/25
43 local genuine 0 Local audit covered post-pass-42 branch/upstream parity, Dockerfile install/runtime contract, .devcontainer/devcontainer.json JSONC parse and Codespaces settings, .dockerignore coverage for local-only credential/cache/data patterns, setup-command documentation references, and standard validation. Validation: Dockerfile contract probe; devcontainer JSONC parse (postCreateCommand: make codespace-setup, forwardPorts: [8888]); Docker ignore parity probe (47 Docker patterns checked against required local-only patterns); make -n install-torch-stack codespace-setup; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 7/25
44 local genuine 1 Local audit covered post-pass-43 branch/upstream parity, active notebook JSON metadata, cell-id coverage, kernelspec/language metadata, papermill parameter tags, verifier S1 coverage, and standard validation. Validation: active notebook metadata probe (29 checked, 0 missing cell IDs after fix); focused S1 missing-cell-id regression (1 passed); python scripts/verify_repo.py --check structure --fast (0 errors, 4 warnings); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (362 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-44 notebook metadata finding fixed; zero-issue streak reset
45 local genuine 0 Local audit covered post-pass-44 branch/upstream parity, latest commit/log correspondence, maintenance pass numbering, issue-ID sequencing through OM-082, pass-44 streak-reset recording, S1.cell_id references, and standard validation. Validation: pass sequence 1..44 before logging; issue sequence OM-001..OM-082; latest commit 88a5209 fix: enforce notebook cell ids; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (362 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
46 local genuine 1 Local audit covered post-pass-45 branch/upstream parity, pytest warning hygiene, injector synthetic notebook fixtures, inserted parameter-cell nbformat IDs, and standard validation. Validation: focused injector tests with MissingIDFieldWarning promoted to error (6 passed); ruff check scripts/inject_smoke_test_cell.py tests/test_inject_smoke_test_cell.py --no-cache; python -m py_compile scripts/inject_smoke_test_cell.py tests/test_inject_smoke_test_cell.py; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (362 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-46 warning-hygiene finding fixed; zero-issue streak reset
47 local genuine 0 Local audit covered post-pass-46 branch/upstream parity, active notebook cell-ID preservation, focused nbformat warning-as-error coverage for injector and verifier fixtures, S1.cell_id/smoke-params reference scan, pytest warning-baseline stability, and standard validation. Validation: focused warning-as-error tests (7 passed); active notebook missing-ID probe (0); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (362 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
48 local genuine 0 Local audit covered post-pass-47 branch/upstream parity, active notebook cell-ID uniqueness and nbformat-format validity, helper smoke-parameter ID collision behavior, notebook-edit helper ID generation references, and standard validation. Validation: active notebook ID probe (616 cells, 0 missing/invalid/duplicate IDs); injector collision probe (smoke-params-3); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (362 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25
49 local genuine 1 Local audit covered post-pass-48 branch/upstream parity, script shebang/executable-bit parity, helper CLI no-arg behavior, helper compileability, S8 verifier coverage, and standard validation. Validation: focused script-mode probe (all four scripts/*.py shebang/executable pairs aligned after fix); focused S8 regression (1 passed); python scripts/verify_repo.py --check structure --fast (0 errors, 4 warnings); helper no-arg usage probes; python -m py_compile for helper scripts; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (363 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-49 script-mode finding fixed; zero-issue streak reset
50 local genuine 0 Local audit covered post-pass-49 branch/upstream parity, latest commit/log correspondence, pass/issue sequencing through pass 49 and OM-084, committed script-mode parity, S8 references, and standard validation. Validation: pass sequence 1..49 before logging; issue sequence OM-001..OM-084; latest commit ac53acf fix: verify script executable metadata; script mode probe (all four scripts/*.py aligned); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (363 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
51 local genuine 0 Local audit covered post-pass-50 branch/upstream parity, dependency-manifest duplicate package absence, Torch core/extension manifest inclusion, install-order references across Make/Docker/CI, dry-run setup order, and standard validation. Validation: dependency manifest probe (29 package entries, no duplicates); torch-requirements.txt includes torch-core-requirements.txt; install-reference probe for Dockerfile/Makefile/CI; make -n install-torch-stack codespace-setup; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (363 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25
52 local genuine 0 Local audit covered post-pass-51 branch/upstream parity, CI action SHA pins against upstream tag refs, read-only workflow permissions, ubuntu-24.04 runner pinning, checkout credential persistence settings, and standard validation. Validation: workflow action/ref probe; git ls-remote --tags for actions/checkout@v5, actions/setup-python@v6, and actions/upload-artifact@v5; CI reference scan; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (363 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 3/25
53 local genuine 1 Local audit covered post-pass-52 branch/upstream parity, active numbered-doc heading shape across root docs, required docs, maintenance docs, and active task READMEs; fixed OM-085 and added D9 verifier coverage. Validation: active numbered-doc probe (30 files, 3 malformed headings before fix); focused D9 tests (2 passed); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (365 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-53 numbered-doc finding fixed; zero-issue streak reset
54 local genuine 0 Local audit covered post-pass-53 branch/upstream parity, D9 verifier helper presence, active numbered-doc heading state after OM-085, maintenance pass/issue sequencing through pass 53 and OM-085, and standard validation. Validation: pass sequence 1..53; issue sequence OM-001..OM-085; D9 helper probe; active numbered-doc probe (30 files, 0 malformed headings); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (365 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
55 local genuine 0 Local audit covered post-pass-54 branch/upstream parity, active Markdown heading-anchor uniqueness after numbered-heading punctuation changes, structure/docs linkability checks, and standard validation. Validation: active Markdown anchor probe (31 files, 242 headings, 0 duplicate base slugs); python scripts/verify_repo.py --check structure --fast (0 errors, 4 warnings); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (365 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25
56 local genuine 1 Local audit covered post-pass-55 branch/upstream parity, live pip-audit --format json advisory output versus docs/dependency-contracts.md, duplicate Torch advisory feed-record accounting, D10 verifier coverage, and standard validation. Validation: structured audit comparison found 23 live vulnerability records, 21 unique advisory IDs, and 2 collapsed duplicate records before fix; focused D10 tests (2 passed); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-56 dependency-ledger finding fixed; zero-issue streak reset
57 local genuine 0 Local audit covered post-pass-56 branch/upstream parity, dependency-ledger feed-record reconciliation after OM-086, maintenance pass/issue sequencing through pass 56 and OM-086, and standard validation. Validation: pass sequence 1..56; issue sequence OM-001..OM-086; dependency-ledger reconciliation (torch=21, pytorch-lightning=1, nltk=1, total 23/23); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
58 local genuine 0 Local audit covered post-pass-57 branch/upstream parity, verifier check identifier inventory after D9/D10 additions, focused D9/D10 current-state coverage, docs verifier consistency, and standard validation. Validation: verifier ID inventory (48 finding IDs, D9/D10 test references present); focused D9/D10 current-state tests (2 passed); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25
59 local genuine 0 Local audit covered post-pass-58 branch/upstream parity, verifier CLI/help behavior after D9/D10 additions, copied-script --help resilience without adjacent config, focused CLI regressions, and standard validation. Validation: python scripts/verify_repo.py --help; copied-script help probe (rc=0, --check present); focused CLI tests (3 passed); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 3/25
60 local genuine 0 Local audit covered post-pass-59 branch/upstream parity, latest commit/log correspondence, pass and issue sequencing through pass 59 and OM-086, docs verifier consistency, and standard validation. Validation: latest commit 6aad700 chore: record overnight maintenance pass 59; pass sequence 1..59; issue sequence OM-001..OM-086; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 4/25
61 local genuine 0 Local audit covered post-pass-60 branch/upstream parity, active task directory and README coverage, required active documentation presence, tracked Markdown inventory, docs/structure verifier consistency, and standard validation. Validation: active task-dir/readme probe (21/21), required docs (5/5), tracked Markdown (32); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check structure --fast (0 errors, 4 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 5/25
62 local genuine 0 Local audit covered post-pass-61 branch/upstream parity, workflow trigger and job-gate contracts, Tier-B/Tier-C trigger documentation in contributor/setup docs and Makefile comments, Docker scheduled-run gating, and standard validation. Validation: workflow trigger probe for push/pull_request on main, workflow_dispatch, weekly cron, Tier-B dispatch/schedule/label gate, Tier-C dispatch/schedule gate, and non-scheduled docker-build; docs trigger-reference probe for CONTRIBUTING.md, docs/env-setup.md, and Makefile; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 6/25
63 local genuine 0 Local audit covered post-pass-62 branch/upstream parity, Makefile .PHONY/target parity, required local tooling target presence, pyproject ruff-only configuration, setup/verification target dry-runs, command-reference alignment across docs and CI, and standard validation. Validation: Makefile target probe (12 required targets, 0 phony drift); make help; make -n verify test test-nnx-surface lint install-torch-stack codespace-setup; tomllib parse of pyproject.toml (line-length=120, target-version=py311, select=E/F/W, archive/vendor excludes); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 7/25
64 local genuine 0 Local audit covered post-pass-63 branch/upstream parity, latest commit/log correspondence, maintenance pass sequencing through pass 63, issue sequencing through OM-086, issue-status vocabulary, deferred/fixed issue-state accounting, and standard validation. Validation: latest commit 67c684a chore: record overnight maintenance pass 63; branch/upstream SHA parity; pass sequence 1..63; issue sequence OM-001..OM-086; issue statuses (80 Fixed, 4 Deferred, 1 Fixed/documented, 1 Documented/deferred); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 8/25
65 local genuine 0 Local audit covered post-pass-64 branch/upstream parity, root README active task inventory against task folders, task-table link freshness, roadmap completed-item accounting, and standard validation. Validation: active task-folder/link probe (21 active folders, 21 linked task dirs, 0 missing task links, 0 stale task links, completed roadmap item diffusion-mnist-ddpm-pytorch); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 9/25
66 local genuine 0 Local audit covered post-pass-65 branch/upstream parity, .gitignore/.dockerignore local-only pattern parity, credential/cache/generated-artifact ignore coverage, tracked data/run/checkpoint/cache/key leakage, ignored artifact inventory, and standard validation. Validation: ignore parity probe (27 required patterns, 0 missing in .gitignore, 0 missing in .dockerignore); tracked-file leak probe (266 tracked files, 0 generated/credential leaks); git status --ignored --short; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 10/25
67 local genuine 0 Local audit covered post-pass-66 branch/upstream parity, active notebook inventory, required-section config coverage, Tier-A verifier-config/Makefile parity, Tier-B/Tier-C execution-list counts, manual-only notebook boundary, and standard validation. Validation: active notebook contract probe (29 active notebooks, 29 required-section entries, 0 missing/stale required entries, Tier-A config/Makefile 19/19, Tier-B 5, Tier-C 4, manual-only notebooks/quantization-mnist-ffnn-pytorch/notebook.ipynb); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (367 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 11/25
68 local genuine 1 Local audit covered post-pass-67 branch/upstream parity, helper-script shebang/executable parity, helper compileability, direct helper CLI/help behavior, and standard validation. Found and fixed OM-087: scripts/rewrite_imports.py --help treated --help as a missing notebook path instead of printing usage. Validation: helper metadata probe (4/4 shebang/executable aligned); python -m py_compile for helper scripts; red regression pytest tests/test_rewrite_imports.py::test_help_exits_zero_and_prints_usage -q failed before fix; focused regression passed after fix; pytest tests/test_rewrite_imports.py -q (11 passed); python scripts/rewrite_imports.py --help; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (368 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Non-zero pass; pass-68 helper CLI finding fixed; zero-issue streak reset
69 local genuine 0 Local audit covered post-pass-68 branch/upstream parity, OM-087 log/issue consistency, helper --help behavior after the fix, focused regression stability, pass/issue sequencing through pass 68 and OM-087, and standard validation. Validation: branch/upstream SHA parity at 9b922e3; python scripts/rewrite_imports.py --help; focused help regression (1 passed); pass sequence 1..68; issue sequence OM-001..OM-087; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (368 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 1/25
70 local genuine 0 Local audit covered post-pass-69 branch/upstream parity, CI action SHA pinning, runner-label stability, read-only workflow permissions, checkout credential persistence settings, setup cache dependency paths, and standard validation. Validation: workflow action/ref probe (12 action uses, all 40-character SHAs); ubuntu-latest count 0, ubuntu-24.04 count 6; permissions: contents: read; persist-credentials: false count matches checkout count (6/6); cache paths include torch-core-requirements.txt and torch-requirements.txt; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (368 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 2/25
71 local genuine 0 Local audit covered post-pass-70 branch/upstream parity, dependency accepted-advisory/feed-record reconciliation, package-level vulnerability ledger counts, D10 verifier coverage, focused D10 regressions, and standard validation. Validation: dependency advisory feed-record probe (torch=21, pytorch-lightning=1, nltk=1, total 23); focused D10 tests (2 passed); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (368 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 3/25
72 local genuine 0 Local audit covered post-pass-71 branch/upstream parity, latest commit/log correspondence, pass sequencing through pass 71, issue sequencing through OM-087, issue-status accounting, streak-marker coherence after the pass-68 reset, and standard validation. Validation: branch/upstream SHA parity at 7c08e1c; pass sequence 1..71; issue sequence OM-001..OM-087; issue statuses (81 Fixed, 1 Fixed/documented, 1 Documented/deferred, 4 Deferred); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (368 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 4/25
73 local genuine 0 Local audit covered post-pass-72 branch/upstream parity, Markdown internal file/anchor link coverage, required top-level documentation presence, README active task table parity with task-folder READMEs, and standard validation. Validation: branch/upstream SHA parity at 8ceedf1; Markdown probe (44 files, 77 internal links, 0 broken internal file/anchor links); required docs 6/6; active task README/table-link parity (21/21, 0 missing, 0 stale); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (368 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 5/25
74 local genuine 0 Local audit covered post-pass-73 branch/upstream parity, script shebang/executable metadata, helper CLI/help behavior, Makefile documented target availability, and standard validation. Validation: branch/upstream SHA parity at 56745f8; entrypoint metadata probe (5 scripts checked, 0 shebang/executable mismatches); helper CLI probe (verify_repo.py --help, rewrite_imports.py --help, inject_smoke_test_cell.py no-args usage); make help lists 11 documented targets; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (368 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 6/25
75 local genuine 0 Local audit covered post-pass-74 branch/upstream parity, final hard-cap pass/log sequencing, issue sequencing through OM-087, streak-marker coherence after the pass-68 reset, latest commit/log correspondence, and standard validation. Validation: branch/upstream SHA parity at 9b4fcfc; pass sequence 1..74; issue sequence OM-001..OM-087; final pre-row streak 6/25; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (368 passed, 3 skipped, 17 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check; pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities. Zero-issue pass; zero-issue streak 7/25; reached MAX_PASSES=75

3. Validation Log

  • ruff check . passed before and after the pass-1 fix batch.
  • Baseline pytest tests/ -v passed with 291 passed, 3 skipped; post-fix full suite passed with 325 passed, 3 skipped, 19 warnings.
  • Baseline pytest tests/nnx_surface -v passed with 258 passed, 3 skipped; post-fix NNx-surface coverage is included in the full pytest tests/ -v run.
  • python scripts/verify_repo.py --check all --fast passed before and after the fix batch with 0 errors, 5 warnings (torch_sparse unavailable in the local verifier environment for four Reddit phase3 notebooks, plus missing optional shellcheck).
  • bash -n scripts/start-jupyterhub.sh passed.
  • YAML parsing passed for .github/workflows/ci.yml and deploy/genai-vanilla-jupyterhub.override.yml.
  • scripts/start-jupyterhub.sh --help exited with status 1 by design in this checkout and printed the intended uninitialized-submodule recovery command.
  • git diff --check passed.
  • pip-audit -r requirements.txt -r torch-requirements.txt still reports 23 known vulnerabilities across resolved torch==2.4.1, pytorch-lightning==2.4.0, and nltk==3.9.4; this is recorded in docs/dependency-contracts.md and remains a coordinated dependency-upgrade follow-up rather than a local green check.
  • Pass-2 red tests failed for scalar one_hot_encode, multiline ToSparseTensor(...), and spaced remove_edge_index = False; the same focused set passed after the fix.
  • Pass-2 full validation passed: ruff check .; pytest tests/ -v (329 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); workflow/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check.
  • Pass-3 red tests failed for string-source notebook guards and aliased deprecated import rewrites; the same focused set passed after the fix.
  • Pass-3 full validation passed: ruff check .; pytest tests/ -v (334 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); workflow/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-4 red tests failed for parenthesized deprecated imports and alias/bare NNParams import coexistence; the same focused set passed after the fix.
  • Pass-4 full validation passed: ruff check .; pytest tests/ -v (336 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); workflow/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-5 red tests failed for comment/string-safe deprecated Params rewrites, unconfigured active notebook enforcement, and verifier timeout byte-stream handling; the same focused set passed after the fix. A first full pytest tests/ -v run exposed a multiline constructor-tokenization regression, which was fixed and covered by the existing multiline call-site test.
  • Pass-5 full validation passed: ruff check .; python -m py_compile scripts/rewrite_imports.py scripts/verify_repo.py; pytest tests/ -v (338 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-6 focused tests passed for Tier-C parameter-cell baseline exclusions, papermill-unsafe parameter trailing comments, comment/string-safe notebook migration guards, stale IDP guards, and NNRun.load("best") AST detection. papermill.inspection.inspect_notebook(...) inferred SMOKE_TEST, SMOKE_TEST_EPOCHS, and SMOKE_TEST_SUBSET for all four Reddit phase3 notebooks after the parameter-cell cleanup.
  • Pass-6 first full pytest tests/ -v run exposed a regression in the new string/comment masking for NNRun.load("best"); the guard was converted to AST inspection and the focused regression set passed.
  • Pass-6 Docker validation first failed while building PyG extensions because torch was not installed before torch-scatter build isolation; after splitting the Dockerfile install order and using --no-build-isolation for torch-requirements.txt, docker build -t ml-eng-lab-ci . completed successfully.
  • Pass-6 full validation passed: ruff check .; python -m py_compile scripts/verify_repo.py scripts/rewrite_imports.py scripts/inject_smoke_test_cell.py; pytest tests/ -v (343 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-7 subagent attempts for docs, code/tests/notebooks, and CI/security all errored on account usage limits, so no fresh-eyes reviewer findings were available for this pass.
  • Pass-7 local audit found the non-Docker install-order mismatch left by OM-055. make -n install-torch-stack codespace-setup shows the intended sequence: upgrade pip, install pinned Torch core packages, reinstall torch-requirements.txt with --no-build-isolation, install requirements.txt, then download NLP assets.
  • Pass-7 full validation passed: workflow/override/config YAML parse; ruff check .; python -m py_compile scripts/verify_repo.py scripts/rewrite_imports.py scripts/inject_smoke_test_cell.py; pytest tests/ -v (343 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-8 local audit found Torch core pin duplication introduced by the Docker/Make install-order fixes. The pins now live in torch-core-requirements.txt; torch-requirements.txt includes that file for complete audit/install commands, while Docker and Make install the core file first before --no-build-isolation PyG installation.
  • Pass-8 full validation passed: make -n install-torch-stack codespace-setup; workflow/override/config YAML parse; ruff check .; python -m py_compile scripts/verify_repo.py scripts/rewrite_imports.py scripts/inject_smoke_test_cell.py; pytest tests/ -v (343 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; docker build -t ml-eng-lab-ci . (compiled torch-scatter, torch-sparse, torch-cluster, and torch-spline-conv, then exported image a1913b7c...); git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-9 local audit found that S3.broken_link validated Markdown file existence but ignored #fragment anchors, including same-file anchors. Added S3.broken_anchor and regression coverage for missing anchors plus inline/fenced code examples that must not be treated as live links.
  • Pass-9 full validation passed: focused S3 regression tests (3 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; workflow/override/config YAML parse; pytest tests/ -v (346 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-10 local audit found that S3 still ignored live Markdown links inside notebook markdown cells. Added notebook markdown documents to the S3 scan with notebook-relative link bases and regression coverage for broken notebook links plus notebook code-span examples.
  • Pass-10 full validation passed: focused S3 regression tests (5 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v (348 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); bash -n scripts/start-jupyterhub.sh; make check-tier-a-clean; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-11 local audit found that E7 verified only the presence of a papermill parameters tag, not that the tagged cell actually assigned SMOKE_TEST, even though Make smoke targets pass -p SMOKE_TEST 1.
  • Pass-11 full validation passed: focused E10 regression tests (3 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v (351 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-12 local audit found that scripts/inject_smoke_test_cell.py still treated any existing parameters tag as sufficient, so it would skip a notebook that pass-11's verifier now correctly rejects for lacking a real SMOKE_TEST assignment.
  • Pass-12 full validation passed: focused injector tests (6 passed, 2 warnings); ruff check scripts/inject_smoke_test_cell.py tests/test_inject_smoke_test_cell.py; python -m py_compile scripts/inject_smoke_test_cell.py; pytest tests/ -v (352 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-13 local audit found that scripts/verify_repo_config.yaml documented the need to keep tier_a_notebooks in sync with Makefile TIER_A, but the verifier did not enforce the duplicated execution list.
  • Pass-13 full validation passed: focused E11 tests (2 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v (354 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-14 local audit found that the new E11 guard would detect TIER_A mismatches but still pass silently if the Makefile variable was missing or parsed as empty.
  • Pass-14 full validation passed: focused E11 missing-list tests (2 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v (355 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-15 local audit found that the Tier-A notebook list was also duplicated in the CI artifact upload path block, with no verifier check to catch workflow drift from scripts/verify_repo_config.yaml.
  • Pass-15 full validation passed: focused E12 workflow tests (2 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v (357 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-16 local audit fixed deferred OM-017: verifier --help depended on adjacent YAML config loading at import time, so a missing config file blocked basic CLI help.
  • Pass-16 full validation passed: focused help tests (2 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v (358 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-17 local audit found that --phase-b-out skips the main verifier loop but still required --check, contradicting the export-only CLI contract.
  • Pass-17 full validation passed: focused phase-B CLI tests (3 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py; pytest tests/ -v (360 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/override/config YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-18 local audit found no new actionable findings; covered verifier/tooling CLI contracts, Tier-A config/workflow sync, docs/runtime wording scan, and current standard validation.
  • Pass-18 full validation passed: pytest tests/ -v (360 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-19 local audit fixed deferred OM-018: NNx surface tests discovered notebooks via filesystem rglob, so untracked scratch notebooks could affect local static scans.
  • Pass-19 full validation passed: focused discovery test (1 passed); full NNx surface file (291 passed); ruff check tests/nnx_surface/test_notebook_api_surface.py; python -m py_compile tests/nnx_surface/test_notebook_api_surface.py; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-20 local audit fixed deferred OM-016: verifier tests with synthetic files no longer write into the real checkout; they use temporary git repo roots through a hidden --repo-root test hook.
  • Pass-20 full validation passed: pytest tests/test_verify_repo.py -q (39 passed); ruff check scripts/verify_repo.py tests/test_verify_repo.py; python -m py_compile scripts/verify_repo.py tests/test_verify_repo.py; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-21 local audit fixed maintenance-log state drift: OM-017 still said deferred even though pass 16 and OM-065 record the same verifier --help defect as fixed.
  • Pass-21 doc validation passed: focused help regression (1 passed); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-22 local audit found no new actionable findings; remaining deferred Reddit NNx import/seed work, lockfile work, and base-image digest pinning still require coordinated NNx/dependency/image upgrades.
  • Pass-22 full validation passed: pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-23 local audit found no new actionable findings; covered maintenance-log stale state checks, active documentation references, and the remaining deferred issue boundaries.
  • Pass-23 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-24 local audit found no new actionable findings; pip check reports shared Python environment conflicts from unrelated global packages, while repo manifests did not show a new local dependency contract issue.
  • Pass-24 full validation passed: python -m compileall -q scripts tests; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-25 local audit found no new actionable findings; tracked/untracked state was clean, branch/upstream parity was clean, ignored artifacts were limited to local data/runs/personal artifacts and generated caches, and generated caches were cleaned after validation.
  • Pass-25 full validation passed: pytest tests/ -v (361 passed, 3 skipped, 19 warnings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-26 fresh-eyes audit found three low documentation drift issues: README's repository-layout docs summary omitted current first-class docs, README pointed per-task docs at §10 instead of §4.1, and README/env-setup still described Tier-B phase2 Reddit smoke runs as hardcoded sweeps despite the notebooks' SMOKE_TEST_EPOCHS/SMOKE_TEST_SUBSET wiring.
  • Pass-26 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-27 fresh-eyes audit found six low documentation/tooling-doc drift issues: live changelog smoke-contract wording still described old phase2 behavior, the Codespaces changelog entry predated the Torch-first install split, several changelog references still cited the old env-setup Tier mapping section, CONTRIBUTING omitted the Tier-B label-triggered CI path, the Tier-B MNIST README omitted the dropout dimension in its full sweep, and the smoke-parameter injector docstring described pre-OM-061 behavior.
  • Pass-27 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-28 fresh-eyes audit found three documentation/Docker hygiene issues: the Tier-B MNIST README omitted the workflow_dispatch trigger, README/CHANGELOG described Codespaces dependency sync as happening at session start rather than one-time Codespace creation through postCreateCommand, and .dockerignore did not mirror local environment/scratch-document ignore patterns from .gitignore even though Dockerfile uses COPY . ..
  • Pass-28 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-29 local audit found one Tier smoke-trigger documentation drift: docs/env-setup.md said Tier-B ran on-demand plus weekly cron while omitting the PR-label trigger, and said Tier-C was on-demand while omitting its weekly schedule path.
  • Pass-29 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-30 local audit found no new actionable findings; residual smoke-trigger references were either current active docs, historical changelog context with later corrections, or the maintenance log itself.
  • Pass-30 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-31 local audit found no new actionable findings; current pip-audit -f json output has 21 unique advisory IDs, and the accepted-advisory table in docs/dependency-contracts.md has the same 21 package/advisory pairs with no missing or extra IDs.
  • Pass-31 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-32 local audit found one low tooling-doc drift: the Makefile header said Tier-B/C were on-demand even though the workflow also runs both on the weekly schedule and Tier-B on PRs labeled tier-b-smoke.
  • Pass-32 full validation passed: make help; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-33 local audit found no new actionable findings; Docker, CI, Make, Codespaces, README, CONTRIBUTING, and environment docs now describe the same Torch-first install order and Codespaces postCreateCommand flow.
  • Pass-33 full validation passed: make -n install-torch-stack codespace-setup; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); make check-tier-a-clean; workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-34 local audit found no new actionable findings; tracked ignored artifacts and tracked cache/secret/data/run patterns were absent, while ignored local artifacts were limited to expected data, runs, superpowers, and Claude scratch paths.
  • Pass-34 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-35 local audit found no new actionable findings; CI action pins still match the remote v5/v6 tag SHAs, no mutable action refs or ubuntu-latest runners were present, checkout credential persistence remained disabled, and workflow permissions remained read-only.
  • Pass-35 full validation passed: python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-36 local audit found one low dependency-ledger drift: docs/dependency-contracts.md said torch-requirements.txt pinned the PyG stack but named only the wheel index, not the exact PyG package pins from the manifest.
  • Pass-36 full validation passed: focused manifest-vs-ledger exact-reference check; make -n install-torch-stack codespace-setup; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-37 local audit found no new actionable findings; tracked active notebooks matched verifier required-section config, active task directories matched README/config coverage, and Tier-A Makefile/config membership stayed aligned.
  • Pass-37 full validation passed: active notebook/config comparison (29/29); active task-dir README/config comparison (21/21); Tier-A Makefile/config comparison (19/19); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-38 local audit found no new actionable findings; helper scripts compiled, documented CLI usage paths behaved as expected, the JupyterHub wrapper still fails closed with the submodule recovery command, and focused helper tests passed.
  • Pass-38 full validation passed: python -m py_compile for helper scripts; python scripts/verify_repo.py --help; helper no-arg usage probes; bash -n scripts/start-jupyterhub.sh; wrapper recovery probe; focused helper tests (58 passed, 2 warnings); python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-39 local audit found no new actionable findings; maintenance pass numbers and issue IDs were sequential and unique, issue statuses were valid, the deferred inventory remained the expected five items, and recent commit history matched the recorded maintenance passes/fixes.
  • Pass-39 full validation passed: pass/issue sequence checks; status/deferred inventory checks; recent commit/log correspondence check; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-40 local audit found no new actionable findings; pyproject.toml remains ruff-only as documented, Makefile help matched the target surface, and docs/CI references still align with make test, make lint, make verify, and make test-nnx-surface.
  • Pass-40 full validation passed: make help; tomllib parse of pyproject.toml; config reference scan across README/CONTRIBUTING/docs/CI/Makefile; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.
  • Pass-41 local audit found no new actionable findings; archived notebooks remain intentionally tracked and excluded from active notebook expectations, ruff excludes archive/vendor/venv, ignored local artifacts were limited to expected data/runs/scratch paths, and no tracked generated caches or active data/run artifacts appeared.
  • Pass-41 full validation passed: archive inventory (22 archived notebooks); git status --ignored --short; tracked cache/data/run pattern scan; python scripts/verify_repo.py --check docs --fast (0 findings); python scripts/verify_repo.py --check all --fast (0 errors, 5 warnings); ruff check . --no-cache; make check-tier-a-clean; pytest tests/ -v (361 passed, 3 skipped, 19 warnings); workflow/config/override YAML parse; bash -n scripts/start-jupyterhub.sh; git diff --check. pip-audit -r requirements.txt -r torch-requirements.txt still reports the documented 23 known vulnerabilities.

4. Issue Log

ID Severity Category Location Description Status Validation
OM-001 High §3.16 security / §3.14 CI .github/workflows/ci.yml CI ran PR-controlled code without explicit least-privilege permissions and with persisted checkout credentials. Fixed Added top-level permissions: contents: read; set persist-credentials: false on checkout steps; workflow YAML parsed successfully.
OM-002 High §3.16 security / §3.26 configuration scripts/start-jupyterhub.sh, deploy/genai-vanilla-jupyterhub.override.yml, runtime docs Wrapper mounted host ~/.ssh into JupyterHub by default. Fixed Host SSH mount now opt-in via HOST_SSH_DIR; docs updated; shell syntax and override YAML validated.
OM-003 High §3.16 dependency security / §3.31 consumed contracts requirements.txt, torch-requirements.txt, docs/dependency-contracts.md pip-audit reported 23 known vulnerabilities in resolved torch, pytorch-lightning, and nltk; exception state was undocumented. Fixed/documented Added dependency contract ledger with audit snapshot and upgrade criteria; full upgrade deferred to coordinated Torch stack pass.
OM-004 Medium §3.29 reproducibility Docker/devcontainer/PyPI/NLP assets Build inputs are tag-pinned/ranged and external NLP assets are not checksum locked. Documented/deferred Ledger records current contract and stricter reproducibility upgrade path; full lockfile/digest migration deferred due broad dependency blast radius.
OM-005 Medium §3.14 CI/tooling .github/workflows/ci.yml make verify was local-only, despite enforcing repo invariants. Fixed Added verify-repo CI job running make verify; workflow YAML parsed successfully. Pass 2 added fetch-depth: 0 so the tag-backed E5 baseline is available in CI.
OM-006 Low §3.17 bootstrap tracing scripts/start-jupyterhub.sh Wrapper only checked that vendor/genai-vanilla directory existed, not whether the submodule files were initialized. Fixed Wrapper now checks for start.sh and docker-compose.yml; local uninitialized-submodule run prints git submodule update --init --recursive and exits 1 by design.
OM-007 Low §3.6 docs README.md, .devcontainer/devcontainer.json Codespaces wording overpromised all active notebooks despite manual-only quantization. Fixed Wording now distinguishes 21 task folders, 29 active notebooks, 28 tier-covered runnable notebooks, and the manual-only quantization notebook.
OM-008 Medium §3.6 changelog hygiene CHANGELOG.md [Unreleased] had duplicate ### Fixed sections. Fixed Merged duplicate Fixed block.
OM-009 Low §3.9 numbered docs archive/README.md Archive README headings were unnumbered under NUMBERED_DOCS=yes. Fixed Renumbered archive headings hierarchically.
OM-010 Low §3.8 link hygiene CHANGELOG.md Historical broken-link example was itself a live broken Markdown link. Fixed Rendered as literal code text.
OM-011 Medium §3.4 correctness / §3.13 tests notebooks/image_classification-mnist-ffnn-numpy/utils.py one_hot_encode assumed dense zero-based integer labels and ignored explicit class order. Fixed Added tests/test_numpy_utils.py; focused test and full pytest tests/ -v passed.
OM-012 Medium §3.15 hygiene / §3.17 generated-helper trace scripts/rewrite_imports.py Simple import migration rewrote comments and string literals. Fixed Added regression test; focused test and full pytest tests/ -v passed.
OM-013 Medium §3.17 notebook trace / §3.31 PyG contract notebooks/node_classification-reddit-gnn-pyg/phase1-dataset-exploration-notebook.ipynb ToSparseTensor() dropped edge_index by default while later cells rely on edge_index. Fixed Added NNx surface guard; focused real-notebook test and full pytest tests/ -v passed.
OM-014 Medium §3.17 notebook reproducibility Reddit phase2/phase3 notebooks New upstream NNx supports NNGraphDataset(seed=...), but pinned thekaveh-nnx==0.2.0 does not. Deferred Do not add seed= until requirements bump; track with next NNx upgrade.
OM-015 Low §3.32 examples/library-fit Reddit notebooks Some Reddit notebooks still use deep NNx imports instead of top-level public facade; phase3 has stale manual-PyG imports. Deferred Needs notebook source sweep and Tier-C baseline/E5 handling; not mixed into security/doc batch.
OM-016 Medium §3.13 tests / §3.15 hygiene tests/test_verify_repo.py, scripts/verify_repo.py Some verifier tests wrote temporary files inside the real repo tree. Fixed Added a hidden --repo-root verifier test hook and moved synthetic Markdown/notebook/comment/common fixtures into temporary git repos; focused verifier tests and full validation passed.
OM-017 Medium §3.17 CLI trace scripts/verify_repo.py Config/YAML loaded at import time before argparse --help. Fixed Fixed in pass 16 / OM-065; help requests now tolerate missing adjacent config until real verification is requested, with copied-script regression coverage.
OM-018 Low §3.13 tests tests/nnx_surface/test_notebook_api_surface.py _active_notebooks() scanned all files, so untracked scratch notebooks could affect local tests. Fixed Notebook discovery now uses git ls-files -- *.ipynb and keeps archive/checkpoint exclusions; added a regression proving untracked scratch notebooks are ignored.
OM-019 Medium §3.13 tests / §3.31 PyG contract tests/nnx_surface/test_notebook_api_surface.py Pass-1 ToSparseTensor guard used a line regex, missing multiline calls and falsely flagging spaced remove_edge_index = False. Fixed Added red tests for multiline and spaced forms; replaced the check with AST call inspection; focused tests passed.
OM-020 Low §3.4 API compatibility notebooks/image_classification-mnist-ffnn-numpy/utils.py, tests/test_numpy_utils.py Pass-1 one_hot_encode narrowed behavior for scalar labels. Fixed Added scalar regression test; labels now normalize via np.asarray and preserve scalar/array output shape.
OM-021 Medium §3.14 CI/tooling .github/workflows/ci.yml New verify-repo CI job used default shallow checkout, so missing pre-cleanup-baseline tag could downgrade E5 enforcement to a warning. Fixed Added fetch-depth: 0 to the verify-repo checkout; workflow YAML parsed successfully.
OM-022 Low §3.16 dependency security / §3.6 docs docs/dependency-contracts.md Dependency ledger called nltk>=3.9.3 a pinned package even though audit resolved nltk==3.9.4. Fixed Ledger now distinguishes manifest constraint from audited resolved version.
OM-023 Medium §3.6 docs / §3.17 runtime trace docs/jupyterhub-integration.md Standalone JupyterHub path said import nnx resolves out of the box despite the documented retired nnx-pytorch image layer. Fixed Qualified the sentence to require either the image bump or the per-session install workaround.
OM-024 Low §3.6 changelog hygiene CHANGELOG.md [Unreleased] section order drifted from the documented Added / Changed / Removed / Fixed convention. Fixed Mechanically reordered Unreleased sections without changing entry text.
OM-025 Low §3.9 numbered docs docs/maintenance/overnight-2026-07-02.md New maintenance log used unnumbered H2s despite NUMBERED_DOCS=yes. Fixed Numbered the maintenance-log H2s hierarchically.
OM-026 Low §3.6 docs .devcontainer/devcontainer.json Codespaces comment implied JupyterLab is the default browser surface; README frames browser VS Code as default. Fixed Comment now says browser-based VS Code, or JupyterLab if selected as the Codespaces editor.
OM-027 Medium §3.6 docs / §3.17 runtime trace docs/jupyterhub-integration.md Build-failure guidance suggested docker exec as a workaround even though no container exists after a failed image build. Fixed Split build-failure guidance from runtime ModuleNotFoundError guidance.
OM-028 Medium §3.6 docs / §3.17 runtime trace docs/vscode-remote-access.md Intro said genai-vanilla ships the full ml-eng-lab dependency set, contradicting the later nnx image-bump caveat. Fixed Qualified the intro and Mode-1 coverage to external deps/assets, with nnx caveated.
OM-029 Low §3.6 docs docs/vscode-remote-access.md, .devcontainer/devcontainer.json VS Code remote docs said .devcontainer.json / Reopen in Container was not pursued, but the repo now has a Codespaces/local-devcontainer path. Fixed Reframed as not applicable for attaching to the existing JupyterHub container; devcontainer is a separate path.
OM-030 Low §3.6 docs docs/env-setup.md Tier-B MNIST PyTorch sweep description omitted the two dropout values. Fixed Updated the sweep to [9 hidden_dims × 2 dropouts × 500 epochs].
OM-031 Medium §3.13 tests / §3.17 notebook guards tests/nnx_surface/test_notebook_api_surface.py Static notebook guards assumed code-cell source is a list, missing cells serialized as a single string. Fixed Added string-source regression tests; _live_lines() now normalizes string/list source forms.
OM-032 Medium §3.15 hygiene / §3.17 generated-helper trace scripts/rewrite_imports.py, tests/test_rewrite_imports.py Deprecated aliased imports like GraphAttNNParams as GATParams rewrote to import NNParams from the wrong module. Fixed Added alias regression test; import dropping now preserves aliases via nnx.nn.params.nn_params.
OM-033 Medium §3.29 reproducibility / §3.16 dependency security requirements.txt, CI dependency installs Floating/ranged Python dependencies mean the same commit can resolve a different audited dependency set. Deferred Full Linux/Python 3.11 lockfile and CI install against it deferred to coordinated dependency-refresh pass.
OM-034 Medium §3.16 dependency security / §3.31 consumed contracts docs/dependency-contracts.md Vulnerability ledger recorded package-level counts but not advisory IDs/fix versions. Fixed Added accepted advisory ID/fix-version table for the 2026-07-02 pip-audit result.
OM-035 Low §3.29 reproducibility Dockerfile, .devcontainer/devcontainer.json Container bases are tag-pinned rather than digest-pinned. Deferred Digest pinning deferred to coordinated dependency-refresh pass with lockfile and image update validation.
OM-036 Medium §3.15 hygiene / §3.17 generated-helper trace scripts/rewrite_imports.py, tests/test_rewrite_imports.py Parenthesized deprecated imports could rewrite continuation lines to import NNParams from the wrong module. Fixed Added parenthesized-import regression test; rewriter now drops deprecated continuation symbols and injects NNParams from nnx.nn.params.nn_params.
OM-037 Medium §3.15 hygiene / §3.17 generated-helper trace scripts/rewrite_imports.py, tests/test_rewrite_imports.py Existing NNParams as Alias imports suppressed bare NNParams injection for rewritten call sites, causing NameError. Fixed Added alias-plus-call-site regression test; existing import tracking now distinguishes bound names.
OM-038 Medium §3.6 docs / §3.17 runtime trace README.md, docs/jupyterhub-integration.md, docs/vscode-remote-access.md Standalone runtime docs treated NumPy as the only exception after the NNx image bump, omitting manual-only quantization. Fixed Wording now distinguishes 28 tier-covered notebooks from the manual-only quantization notebook.
OM-039 Medium §3.16 supply chain / §3.14 CI .github/workflows/ci.yml Remote GitHub Actions used mutable major tags. Fixed Pinned actions/checkout, actions/setup-python, and actions/upload-artifact to current full-length tag SHAs resolved with git ls-remote, retaining version comments.
OM-040 Medium §3.6 docs / §3.17 runtime trace README.md, docs/env-setup.md, docs/jupyterhub-integration.md, CONTRIBUTING.md Standalone runtime and contributor docs still overclaimed notebook coverage after the NNx image bump. Fixed Reworded to the tier-covered contract, explicit NumPy bind-mount exception, and manual-only quantization caveat; stale broad-claim scan is clean.
OM-041 Medium §3.29 reproducibility / §3.14 CI .github/workflows/ci.yml CI jobs used mutable ubuntu-latest runner labels. Fixed Pinned all jobs to ubuntu-24.04; workflow YAML parsed successfully.
OM-042 Medium §3.16 supply chain / §3.26 configuration .dockerignore, Dockerfile Docker build context could include common local secret files because COPY . relies on .dockerignore. Fixed Added explicit .env, cloud/SSH/GPG credential, package-token, and private-key patterns to .dockerignore.
OM-043 Medium §3.14 CI/tooling / §3.17 notebook trace .github/workflows/ci.yml, Makefile Tier-A papermill CI uploaded refreshed notebooks but did not fail if tracked outputs changed. Fixed Added make check-tier-a-clean and wired it after make run-tier-a; local target passes.
OM-044 Medium §3.6 docs / §3.31 consumed contracts README.md, CONTRIBUTING.md NNx bump guidance said Tier-A CI re-runs every notebook, overstating PR coverage. Fixed Guidance now says Tier-A CI re-runs the Tier-A list and calls out Tier-B/C smoke plus manual quantization validation when affected.
OM-045 Medium §3.17 CLI trace / §3.25 error handling scripts/verify_repo.py, tests/test_verify_repo.py Timeout handling could raise TypeError when TimeoutExpired.stdout/stderr were bytes despite text=True. Fixed Added byte-stream timeout regression; _run() normalizes stdout/stderr before returning rc 124.
OM-046 Medium §3.15 hygiene / §3.17 generated-helper trace scripts/rewrite_imports.py, tests/test_rewrite_imports.py Deprecated Params call-site rewrite still mutated comments/string literals and injected real imports into prose-only cells. Fixed Added regression preserving comments/strings; call-site rewrite now uses Python tokenization and only rewrites real constructor-name tokens followed by (.
OM-047 Medium §3.13 tests / §3.6 docs scripts/verify_repo.py, tests/test_verify_repo.py, scripts/verify_repo_config.yaml New active notebooks could bypass required-section and papermill-parameters checks if omitted from YAML. Fixed Added D1.unconfigured_notebook enforcement and regression coverage for an omitted active notebook.
OM-048 Medium §3.16 security / §3.29 reproducibility .gitignore, .dockerignore Local secret-file ignores were stronger in .dockerignore than .gitignore, leaving common credential files easier to stage accidentally. Fixed Mirrored common .env.*, cloud credential, SSH/GPG, package-token, private-key, and certificate patterns into .gitignore; tracked-secret scan found no matching committed files.
OM-049 Medium §3.14 CI/tooling / §3.29 reproducibility .github/workflows/ci.yml, Dockerfile The Docker/devcontainer path had no CI build smoke, so runtime image drift could miss review. Fixed Added a non-scheduled docker-build CI job and validated the current image locally with docker build -t ml-eng-lab-ci ..
OM-050 Medium §3.6 docs / §3.31 consumed contracts CONTRIBUTING.md, scripts/verify_repo_config.yaml New-notebook documentation implied an omitted config entry would use a default six-section requirement, contradicting strict active-notebook config enforcement. Fixed Updated contributor and config comments to require every active notebook to be listed explicitly.
OM-051 Low §3.8 link hygiene / §3.6 docs docs/jupyterhub-integration.md, docs/vscode-remote-access.md Active runtime documentation contained stale intra-doc anchors after heading renumbering. Fixed Updated the stale anchors; targeted anchor sweep is clean for the touched links.
OM-052 Medium §3.17 notebook trace / §3.31 consumed contracts Reddit phase3 notebooks, scripts/verify_repo.py, tests/test_verify_repo.py Tier-C parameter cells used trailing comments on assignments that papermill 2.7 does not infer reliably. Fixed Moved parameter comments to preceding lines; added E9.parameter_trailing_comment verifier coverage; papermill inspection now infers all three smoke parameters in each phase3 notebook.
OM-053 Medium §3.17 notebook trace / §3.13 tests scripts/verify_repo.py, tests/test_verify_repo.py E5 Tier-C baseline comparison included papermill parameter cells, blocking safe boilerplate parameter fixes. Fixed Baseline comparison now excludes parameters and injected-parameters cells; added regression coverage.
OM-054 Medium §3.13 tests / §3.17 notebook guards tests/nnx_surface/test_notebook_api_surface.py Notebook static guards scanned comments and string literals, allowing examples/docstrings to fail migration guard checks. Fixed Tokenized executable-line filtering now ignores comments/strings for regex-style guards; NNRun.load("best") detection uses AST calls; added regression tests.
OM-055 Medium §3.29 reproducibility / §3.31 consumed contracts Dockerfile, torch-requirements.txt Local arm64 Docker builds failed when PyG source packages built before torch was importable in the build environment. Fixed Dockerfile installs the core Torch stack before torch-requirements.txt and uses --no-build-isolation; local docker build -t ml-eng-lab-ci . passed.
OM-056 Medium §3.29 reproducibility / §3.17 setup trace Makefile, .github/workflows/ci.yml, README.md, docs/env-setup.md, .devcontainer/devcontainer.json Non-Docker setup paths still installed the combined Torch/PyG manifest in one isolated pip transaction, leaving the same source-build failure mode fixed for Docker in OM-055. Fixed Added make install-torch-stack to install the pinned Torch core first and then torch-requirements.txt with --no-build-isolation; CI and Codespaces/venv docs now use the target; make -n install-torch-stack codespace-setup and workflow YAML parse passed.
OM-057 Medium §3.29 reproducibility / §3.31 consumed contracts torch-core-requirements.txt, torch-requirements.txt, Dockerfile, Makefile, .github/workflows/ci.yml, docs/dependency-contracts.md The Torch-first install fixes duplicated core Torch pins across manifests and install scripts, creating a new drift risk. Fixed Added torch-core-requirements.txt as the single source for core pins; torch-requirements.txt includes it; Docker/Make install it first; CI cache keys include it; dependency docs updated; Docker build and full validation passed.
OM-058 Medium §3.8 link hygiene / §3.13 tests scripts/verify_repo.py, tests/test_verify_repo.py S3.broken_link checked only Markdown file existence and missed stale #fragment anchors. Fixed Added Markdown heading slug validation with S3.broken_anchor; ignores inline and fenced code examples; focused regressions and full verifier pass.
OM-059 Medium §3.8 link hygiene / §3.17 notebook trace scripts/verify_repo.py, tests/test_verify_repo.py S3 link hygiene skipped Markdown links inside active notebook markdown cells. Fixed Active notebooks are now scanned as Markdown documents using notebook-relative link bases; added regressions for broken notebook links and notebook code-span examples.
OM-060 Medium §3.17 notebook trace / §3.13 tests scripts/verify_repo.py, tests/test_verify_repo.py Parameters-tagged cells could omit a real SMOKE_TEST assignment and still pass the verifier, making papermill -p SMOKE_TEST 1 ineffective for smoke targets. Fixed Added AST assignment extraction for parameter cells, new E10.missing_smoke_test_parameter enforcement, focused regression coverage, and full verifier pass.
OM-061 Medium §3.17 notebook trace / §3.15 helper hygiene scripts/inject_smoke_test_cell.py, tests/test_inject_smoke_test_cell.py The smoke-parameter injector skipped any notebook with a parameters tag, even if that cell did not assign SMOKE_TEST, leaving the helper unable to repair E10 failures. Fixed Injector now checks for a real SMOKE_TEST assignment and augments an existing parameters cell when absent; added regression coverage and full validation passed.
OM-062 Medium §3.14 CI/tooling / §3.17 notebook trace scripts/verify_repo.py, tests/test_verify_repo.py Tier-A notebook membership was duplicated in Makefile and verifier config, but no check failed when the two execution lists drifted. Fixed Added E11.tier_a_config_drift, a Makefile continuation-list parser, current-state regression coverage, and full verifier validation.
OM-063 Medium §3.14 CI/tooling / §3.17 notebook trace scripts/verify_repo.py, tests/test_verify_repo.py The new Tier-A drift check still passed when Makefile TIER_A was missing or empty, leaving the execution contract unenforced. Fixed Added E11.tier_a_makefile_missing and regression coverage for an absent Makefile variable; full verifier validation passed.
OM-064 Medium §3.14 CI/tooling / §3.17 notebook trace scripts/verify_repo.py, tests/test_verify_repo.py, .github/workflows/ci.yml CI artifact upload paths duplicated Tier-A notebook membership but could drift from verifier config without failing local or CI verification. Fixed Added E12.tier_a_artifact_paths_missing / E12.tier_a_artifact_paths_drift, workflow parsing, current-state regression coverage, and full verifier validation.
OM-065 Medium §3.17 CLI trace / §3.25 error handling scripts/verify_repo.py, tests/test_verify_repo.py verify_repo.py --help could fail before argparse ran because config loading happened at import time. Fixed Help requests now tolerate missing config keys/files until real verification is requested; added a copied-script regression with no adjacent config file and full validation passed.
OM-066 Medium §3.17 CLI trace / §3.13 tests scripts/verify_repo.py, tests/test_verify_repo.py --phase-b-out exported comment candidates without running the main check loop, but still required an irrelevant --check argument. Fixed Made --check conditionally required only outside phase-B export mode; added missing-check and checkless-export regressions; full validation passed.
OM-067 Low §3.6 docs / §3.8 documentation indexing README.md Repository-layout summary described docs/ as only env/JupyterHub/VS Code/findings docs, omitting current first-class docs such as dependency contracts and the maintenance log. Fixed Broadened the layout summary; docs verifier and full validation passed.
OM-068 Low §3.6 docs / §3.8 documentation indexing README.md README said per-folder docs were linked from §10, but active task folders are indexed in §4.1 and §10 covers secondary documentation. Fixed Updated the navigation sentence to point per-task folders at §4.1 and secondary docs at §10; docs verifier and full validation passed.
OM-069 Low §3.6 docs / §3.17 notebook trace README.md, docs/env-setup.md Tier-B docs still described the four phase2 Reddit notebooks as a hardcoded sweep even though they now honor SMOKE_TEST_EPOCHS/SMOKE_TEST_SUBSET, and notebook4 also reduces fanout under smoke mode. Fixed Reworded Tier-B policy text to match the current make smoke-tier-b contract; docs verifier and full validation passed.
OM-070 Low §3.6 docs / §3.17 notebook trace CHANGELOG.md Live [Unreleased] changelog smoke-contract wording still described phase2 Reddit notebooks as hardcoded/unparameterized despite current smoke truncation. Fixed Updated current and historical-context changelog wording to distinguish then-current behavior from the current smoke hooks; docs verifier and full validation passed.
OM-071 Low §3.6 docs / §3.29 reproducibility CHANGELOG.md Codespaces changelog entry still described the pre-Torch-first install recipe and omitted torch-core-requirements.txt / make install-torch-stack. Fixed Reworded the entry to match codespace-setup: install-torch-stack; docs verifier and full validation passed.
OM-072 Low §3.6 docs / §3.8 documentation indexing CHANGELOG.md Changelog entries still cited docs/env-setup.md §5 for Tier mapping after Codespaces renumbered Tier mapping to §6. Fixed Updated live references to docs/env-setup.md §6 Tier mapping; docs verifier and full validation passed.
OM-073 Low §3.6 docs / §3.14 CI/tooling CONTRIBUTING.md Contributor workflow said Tier-B/C CI run only on schedule and workflow_dispatch, omitting the tier-b-smoke PR-label trigger. Fixed Documented the Tier-B label trigger and clarified Tier-C remains schedule/dispatch only; docs verifier and full validation passed.
OM-074 Low §3.6 docs / §3.17 notebook trace notebooks/image_classification-mnist-ffnn-pytorch/README.md Tier-B MNIST README described the full sweep as 9 hidden_dims × 500 epochs, omitting the two dropout values. Fixed Updated the sweep to 9 hidden_dims × 2 dropouts × 500 epochs; docs verifier and full validation passed.
OM-075 Low §3.15 helper hygiene / §3.17 generated-helper trace scripts/inject_smoke_test_cell.py Smoke-parameter injector docstring still described the old skip-on-any-parameters-cell behavior, not the current augment-when-SMOKE_TEST-missing behavior. Fixed Updated the docstring; full pytest and verifier validation passed.
OM-076 Low §3.6 docs / §3.14 CI/tooling notebooks/image_classification-mnist-ffnn-pytorch/README.md Tier-B MNIST README said smoke CI runs only on the weekly schedule or PRs labeled tier-b-smoke, omitting the manual workflow_dispatch trigger. Fixed Added workflow_dispatch to the Tier-B smoke CI sentence; docs verifier and full validation passed.
OM-077 Low §3.6 docs / §3.29 reproducibility README.md, CHANGELOG.md Codespaces documentation said dependencies are auto-synced at session start, but .devcontainer/devcontainer.json uses a one-time postCreateCommand during Codespace creation. Fixed Reworded the live docs and changelog to say sync happens during Codespace creation via postCreateCommand; docs verifier and full validation passed.
OM-078 Medium §3.16 supply chain / §3.29 reproducibility / §3.26 configuration .dockerignore, .gitignore, Dockerfile Docker build context could include future ignored local environment or scratch-document files because .dockerignore missed patterns already excluded by .gitignore while Dockerfile uses COPY . .. Fixed Mirrored local environment and scratch-document ignore patterns into .dockerignore; full validation passed.
OM-079 Low §3.6 docs / §3.14 CI/tooling docs/env-setup.md, .github/workflows/ci.yml Tier mapping docs under-described smoke CI triggers: Tier-B omitted the tier-b-smoke PR-label path and Tier-C omitted the weekly schedule path. Fixed Reworded Tier-B/Tier-C trigger summaries to match the workflow if: clauses; docs verifier and full validation passed.
OM-080 Low §3.6 docs / §3.14 CI/tooling Makefile, .github/workflows/ci.yml Makefile header still said Tier-B/C were on-demand, omitting the weekly schedule and Tier-B PR-label CI paths. Fixed Updated the header comment to distinguish local/manual smoke targets from scheduled and label-triggered CI; full validation passed.
OM-081 Low §3.6 docs / §3.31 consumed contracts docs/dependency-contracts.md, torch-requirements.txt Dependency ledger said torch-requirements.txt pinned the PyG stack but listed only the wheel index, not the exact PyG package pins from the manifest. Fixed Added the five exact PyG package/version pins to the ledger; focused manifest-vs-ledger check and full validation passed.
OM-082 Medium §3.13 tests / §3.17 notebook trace Reddit phase2/phase3 notebooks, scripts/verify_repo.py, tests/test_verify_repo.py Eight active Reddit notebooks had 91 cells without nbformat v4 id fields; nbformat currently warns and auto-fills them in memory, but future versions may make this a hard error. Fixed Added deterministic IDs to the affected cells and an S1 verifier rule/regression that checks raw notebook JSON before nbformat can normalize it; full validation passed.
OM-083 Low §3.13 tests / §3.15 helper hygiene scripts/inject_smoke_test_cell.py, tests/test_inject_smoke_test_cell.py The smoke-parameter injector inserted a parameters cell without an nbformat id, leaving its own synthetic tests to emit MissingIDFieldWarning after OM-082 made cell IDs an explicit invariant. Fixed Inserted parameter cells now receive a unique smoke-params ID; focused injector tests pass with MissingIDFieldWarning promoted to error, and full pytest warning count dropped from 19 to 17.
OM-084 Low §3.15 helper hygiene / §3.17 CLI trace scripts/inject_smoke_test_cell.py, scripts/rewrite_imports.py, scripts/verify_repo.py, tests/test_verify_repo.py Two direct CLI helper scripts had shebangs but lacked executable bits, so script entrypoint metadata was inconsistent. Fixed Set executable bits on the shebang-bearing helpers and added S8 verifier/test coverage for script shebang/executable parity; full validation passed.
OM-085 Low §3.9 numbered docs / §3.13 tests notebooks/node_classification-reddit-gnn-pyg/README.md, scripts/verify_repo.py, tests/test_verify_repo.py Three active Reddit README H3 headings used 3.1 Phase... instead of the dotted numbered-doc form 3.1. Phase..., and the docs verifier did not enforce this heading shape. Fixed Corrected the headings and added D9.numbered_heading coverage for active numbered docs; focused D9 tests and full validation passed.
OM-086 Low §3.16 dependency security / §3.31 consumed contracts docs/dependency-contracts.md, scripts/verify_repo.py, tests/test_verify_repo.py The dependency ledger recorded 23 accepted vulnerability findings but the advisory table collapsed duplicate torch feed records for PYSEC-2025-191 and PYSEC-2025-41, leaving only 21 table records. Fixed Added feed-record counts to the accepted advisory table and D10.dependency_ledger_count verifier coverage; focused D10 tests and full validation passed.
OM-087 Low §3.17 CLI trace / §3.15 helper hygiene scripts/rewrite_imports.py, tests/test_rewrite_imports.py scripts/rewrite_imports.py --help treated --help as a missing notebook path and printed no usage text. Fixed Added a focused CLI regression test and a minimal -h/--help branch that prints usage to stdout with exit 0; focused and full validation passed.