From 350a66b31a85e8f92a73508013f254022b0fc302 Mon Sep 17 00:00:00 2001
From: "M. Nihat Gurmen"
Date: Wed, 29 Apr 2026 11:00:20 -0500
Subject: [PATCH 1/3] build(ci): enforce 100% coverage; fix pip-audit on release-prep PRs

* Add --cov-fail-under=100 to the pytest step so PRs that drop below full coverage fail fast. Already at 100% on main.
* Replace pip-audit --strict with pip-audit --skip-editable in both the local make target and CI. --strict treats the project's own editable install as a hard error when its version isn't yet on PyPI (i.e. every release-prep PR). --skip-editable cleanly skips the project itself; pip-audit still exits non-zero on real CVEs in third-party deps.

---
 .github/workflows/ci.yml | 7 +++++--
 Makefile | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index de7e0e3..0687ec8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -56,10 +56,13 @@ jobs:
 run: uv run mypy --config-file mypy.ini --follow-imports=silent
 - name: Tests with coverage
- run: uv run pytest --cov=src --cov-report=term-missing tests/unit
+ run: uv run pytest --cov=src --cov-report=term-missing --cov-fail-under=100 tests/unit
 - name: Static security analysis (bandit)
 run: uv run bandit -r src -c pyproject.toml --severity-level high
 - name: Dependency CVE audit (pip-audit)
- run: uv run pip-audit --strict
+ # `--skip-editable` skips the project's own editable install (whose
+ # version may not yet exist on PyPI during a release-prep PR).
+ # pip-audit still exits non-zero on real CVEs in third-party deps.
+ run: uv run pip-audit --skip-editable
diff --git a/Makefile b/Makefile
index 5b54d12..5bbeb07 100644
--- a/Makefile
+++ b/Makefile
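Review bot: Replacing `--strict` with `--skip-editable` on the pip-audit line drops more than the editable-install failure: `--strict` is the flag that makes pip-audit exit non-zero when any dependency cannot be audited at all (for example a package the vulnerability service cannot find), so without it such dependencies are skipped with a warning and the step still goes green. The two flags are independent, and once the editable project is excluded `--strict` no longer trips on it, so the new line can keep both: `run: uv run pip-audit --strict --skip-editable`. The same applies to the `security` target in the Makefile hunk and to the pre-publish step in .github/workflows/pypi.yml in the next patch, which should use `pip-audit --strict --skip-editable` as well. Note too that `--skip-editable` excludes every editable distribution in the environment, not only this project, so any other locally installed path dependency would silently drop out of the audit.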
@@ -56,7 +56,7 @@ typecheck: mypy
 # PR to catch issues your downstream consumers would otherwise flag.
 security:
 uv run --group security bandit -r src -c pyproject.toml --severity-level high
- uv run --group security pip-audit --strict
+ uv run --group security pip-audit --skip-editable
 docs-serve:
 uv run --group docs zensical serve
From bd3a595096ca750c925e28bf10881c4f9d881888 Mon Sep 17 00:00:00 2001
From: "M. Nihat Gurmen"
Date: Wed, 29 Apr 2026 11:01:28 -0500
Subject: [PATCH 2/3] build(release): audit SDK runtime deps in pre-publish gate

The Pre-publish dependency CVE audit step previously ran pip-audit in an env that contained only pip-audit and its own transitive deps. Install the project as an editable build first to pull in the SDK's actual runtime deps, then run pip-audit --skip-editable so the audit covers what users will actually receive on install while skipping the unreleased project itself.

---
 .github/workflows/pypi.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index 053ab55..9af52f2 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -59,10 +59,16 @@ jobs:
 # CVE. CI runs the same audit on every PR (.github/workflows/ci.yml),
 # but a vulnerability can be disclosed between the last green PR and the
 # release tag — this step closes that window.
+ #
+ # The project is installed editable so pip-audit sees its runtime deps;
+ # `--skip-editable` then skips the project itself (whose new tagged
+ # version isn't on PyPI yet — that's what this workflow is about to do).
+ # pip-audit still exits non-zero on real CVEs in third-party deps.
 - name: Pre-publish dependency CVE audit (pip-audit)
 run: |
 python -m pip install --upgrade pip-audit
- pip-audit --strict
+ python -m pip install -e .
+ pip-audit --skip-editable
 - name: Build distributions
 run: python -m build
From 5923ab7b0ae07d68850bca63f208007ac0dff7e3 Mon Sep 17 00:00:00 2001
From: "M. Nihat Gurmen"
Date: Wed, 29 Apr 2026 11:03:44 -0500
Subject: [PATCH 3/3] chore(release): update version to 0.5.13 in project files

---
 VERSION | 2 +-
 pyproject.toml | 2 +-
 src/dexalot_sdk/__init__.py | 2 +-
 uv.lock | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/VERSION b/VERSION
index 9d6c175..964783a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.5.12
+0.5.13
diff --git a/pyproject.toml b/pyproject.toml
index a7fc5d9..51cdc98 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,7 +8,7 @@ license = "MIT"
 license-files = [
 "LICENSE.txt"
 ]
-version = "0.5.12"
+version = "0.5.13"
 description = "Dexalot Python SDK - Core library for Dexalot interaction"
 readme = "README.md"
 requires-python = ">=3.12,<3.15"
diff --git a/src/dexalot_sdk/__init__.py b/src/dexalot_sdk/__init__.py
index 4c2adcf..78660a1 100644
--- a/src/dexalot_sdk/__init__.py
+++ b/src/dexalot_sdk/__init__.py
@@ -12,7 +12,7 @@
 secrets_vault_set,
 )
-__version__ = "0.5.12"
+__version__ = "0.5.13"
 def get_version() -> str:
diff --git a/uv.lock b/uv.lock
index 05f7565..74dd842 100644
--- a/uv.lock
+++ b/uv.lock
@@ -733,7 +733,7 @@ wheels = [
 [[package]]
 name = "dexalot-sdk"
-version = "0.5.12"
+version = "0.5.13"
 source = { editable = "." }
 dependencies = [
 { name = "aiohttp" },