ci: work around CVE-2026-3219 in setup-python's bundled pip

[aallan]

Summary

Fixes the dependency-audit CI job, which started failing on PR #62 due to CVE-2026-3219 in pip 26.0.1 — the version bundled into actions/setup-python@v6's Python 3.12 toolchain image. The CVE was patched in pip 26.1 on 2026-04-26, but the runner image hasn't refreshed yet, so pip-audit running inside the runner reports the runner's own pip as vulnerable regardless of what's available on PyPI.

Same workaround as aallan/vera#537: pip install --upgrade pip before pip-audit runs, pulling pip 26.1 from PyPI to replace the bundled 26.0.1.

Also opens KNOWN_ISSUES.md as the catalogue location for active workarounds, dev-env gotchas, and analytical caveats. Initial entries cover the CI workaround above plus three pre-existing items that didn't have a natural home before:

Entry	Why it's worth surfacing
CI: pip CVE workaround	New (this PR) — tracked in #63 with a clear removal trigger
assets/results-graph.png v0.0.7 pin	Currently only documented in scripts/README.md; cross-references it for visibility
input_tokens semantic shift across #60	Not previously documented anywhere; analytical caveat for anyone doing pre-vs-post-caching cost trending
/opt/homebrew/bin/vera is not the Vera language	Dev-env name-collision gotcha; previously only in private memory

Each entry has an explicit "removal trigger" so cleanup is straightforward when the underlying conditions change.

Test plan

• CI workflow change is mechanical and matches the vera#537 fix verbatim
• Inline # CVE-2026-3219 workaround; see #63 comment in ci.yml makes the intent legible at the call site
• KNOWN_ISSUES.md links cleanly to all relevant tracking issues and external CVE references
• No code or test changes — pure CI/docs PR
• CI green once this lands (the failure is the thing being fixed)

Closes / related

• Doesn't close CI: drop pip --upgrade in dependency-audit once setup-python ships pip 26.1+ #63 — that issue tracks the removal of this workaround when GitHub's runner image catches up. Stays open.
• Unblocks aver: strip module-level effects before injecting test main (planned 0.13) #62 (Aver module-effects strip) which is currently red in CI on this same dependency-audit failure.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation

  • Published comprehensive known issues documentation detailing active workarounds across deployment pipelines, documentation versioning, analytics metrics, and development environments, including mitigation steps and resolution timelines.

• Chores

  • Updated continuous integration workflow for dependency auditing.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR implements a pip vulnerability workaround in the CI dependency-audit workflow step by upgrading pip before installation, and documents active workarounds and caveats—including the pip CVE, documentation pinning rationale, analytics semantic shift, and development environment naming collisions—in a new KNOWN_ISSUES.md file.

Changes

Cohort / File(s)	Summary
CI Workflow .github/workflows/ci.yml	Modified the dependency-audit step to run pip install --upgrade pip before installing the project and pip-audit, with inline documentation referencing a pip 26.0.1 CVE workaround affecting GitHub runner toolchain images.
Known Issues Documentation KNOWN_ISSUES.md	New file documenting active workarounds and caveats: pip vulnerability in GitHub runners (with removal condition), results-graph.png version pinning justification (with restoration command), Anthropic input_tokens semantic shift post-PR #60 (permanent aggregation of billed and cached components), and Homebrew vera binary path collision (pending resolution or wrapper implementation).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

• CI: drop pip --upgrade in dependency-audit once setup-python ships pip 26.1+ #63: PR implements and documents the pip install --upgrade pip workaround in CI as described in the related issue.
• CI: drop pip --upgrade in dependency-audit once setup-python ships pip 26.1+ vera#537: PR aligns with the tracked issue by adding the pip upgrade step and documenting removal criteria and CVE details in KNOWN_ISSUES.

Suggested labels

ci

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a CI workaround for CVE-2026-3219 in pip 26.0.1, which is the primary modification to the dependency-audit workflow step.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/pip-audit-workaround

---

_{Review rate limit: 4/5 reviews remaining, refill in 12 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 143-149: Replace the self-upgrade pip invocation in the "Install
dependencies and pip-audit" run step with a pinned pip via the setup-python
action: remove "pip install --upgrade pip" from the run command and configure
the preceding uses: "actions/setup-python@v6" to include the pip-version input
set to "26.1", leaving the rest of the run command ("pip install -e . && pip
install pip-audit") intact so CI deterministically uses pip 26.1 without runtime
upgrades.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 481cb015-41d4-4899-bd84-8bdbacfb9c33

📥 Commits

Reviewing files that changed from the base of the PR and between bd9b6d5 and 845262f.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• KNOWN_ISSUES.md

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.30%. Comparing base (bd9b6d5) to head (845262f).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #64   +/-   ##
=======================================
  Coverage   83.30%   83.30%           
=======================================
  Files          10       10           
  Lines        1366     1366           
=======================================
  Hits         1138     1138           
  Misses        228      228           

Flag	Coverage Δ
python	83.30% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.