Skip to content

release: 2.7.0 — post-v2.6 independent multi-LLM reviewer SDK audit closure (#311-#357)#375

Merged
TexasCoding merged 2 commits into
mainfrom
release/2.7.0
May 22, 2026
Merged

release: 2.7.0 — post-v2.6 independent multi-LLM reviewer SDK audit closure (#311-#357)#375
TexasCoding merged 2 commits into
mainfrom
release/2.7.0

Conversation

@TexasCoding

Copy link
Copy Markdown
Owner

v2.7.0 — Post-v2.6 independent multi-LLM reviewer audit closure

47 issues filed (#311#357), 44 closed in this release. 3 breaking-rename issues (#348, #349, #351) deferred to the v3.0.0 milestone.

Pipeline

Identified by a 9-reviewer parallel pass combining 7 internal specialist agents (security/auth, HTTP transport, WebSocket, models/contracts, sync/async parity, performance, resources/API) with fresh-eyes external LLM reviews via the Codex CLI (GPT-5) and Gemini CLI. Executed across 4 sequential waves in disjoint git worktrees — 17 PRs merged ahead of this release commit.

Wave Issues / PRs Theme
W0 docs 9 issues / 3 PRs (#358, #359, #360) docs + docstring drift
W1 HIGH integrity 9 issues / 4 PRs (#361, #362, #363, #364) money / auth / WS integrity
W2 MEDIUM correctness 12 issues / 5 PRs (#365, #366, #367, #368, #369) transport retry / type guards / WS perf / spec types
W3 LOW polish / perf / deps 14 issues / 5 PRs (#370, #371, #372, #373, #374) auth perf / transport polish / WS polish / resources polish / pydantic floor

Each PR went through the project's standard 1–4 round claude-code-review bot iteration before squash-merge.

Breaking changes

Five behavioral fences — all surface bugs that were silently wrong or invariants the SDK now enforces. See CHANGELOG.md for full details.

  1. AmendOrderRequest.side / .actionLiteral (AmendOrderRequest.side/.action still bare str after v2.5 narrowed CreateOrderRequest #312, mirrors v2.5 Polish bundle: model small items (AwareDatetime in WS, V1 Literal, default=None, timestamp typing, Decimal NaN) #270)
  2. KalshiConfig.extra_headers immutable post-construction (KalshiConfig.extra_headers is mutable post-construction, bypassing the #298 auth-header guard #313, closes bug(transport): case-mismatched extra_headers keys leak alongside auth/body Content-Type on the wire #298 bypass)
  3. Communications status kwarg → Literal (communications.list_rfqs / list_quotes accept status: str | None — should be Literal-narrowed #324)
  4. to_decimal() rejects NaN / Infinity (Public to_decimal() helper accepts NaN/Infinity despite docstring promising safety #325)
  5. DollarDecimal request fields reject negatives + sub-tick precision (DollarDecimal accepts arbitrary precision and negative values on request price fields #343)

What's in this commit

  • CHANGELOG.md — full 2.7.0 entry organized by Breaking / Critical / High-impact / Performance / Polish / Additive / Dependencies
  • ROADMAP.md — v2.7.0 shipped entry summarizing the audit cycle
  • pyproject.toml — version bump 2.6.02.7.0
  • AGENTS.md + CLAUDE.md — gitnexus symbol/relationship/flow counts refreshed (8490/17402/300 after all W0–W3 PRs merged)

Verification

  • uv run ruff check kalshi/ tests/ — clean
  • uv run mypy kalshi/ — clean (76 source files, --strict)
  • uv run pytest tests/2876 passed, 258 skipped (≈100 new regression tests added in this audit cycle)

This release commit does not close further issues directly — every one of the 44 was closed by the wave PR that fixed it.

…re (#311-#357)

47 issues filed, 44 closed across 4 sequential waves (W0 docs, W1 HIGH integrity,
W2 MEDIUM correctness, W3 LOW polish/perf/deps); 17 PRs merged in disjoint git
worktrees. 3 breaking-rename issues (#348, #349, #351) deferred to v3.0.0.

Identified by a 9-reviewer parallel pass: 7 internal specialist agents plus
fresh-eyes external LLM reviews via the Codex CLI (GPT-5) and Gemini CLI.

Five behavioral fences: AmendOrderRequest Literal narrowing (#312),
KalshiConfig.extra_headers post-construction immutability (#313),
communications status Literal narrowing (#324), to_decimal NaN/Inf guard
(#325), DollarDecimal request-side bounds (#343).

Critical fixes: from_env ownership invariant (#311), WS TimeoutError wrap
(#314), WS zombie-subscription cleanup (#315). Plus 36 medium/low correctness,
performance, polish, docs, and dependency improvements — see CHANGELOG.md for
the full per-issue breakdown.

Main is mypy --strict clean, ruff clean, 2876 unit tests passing.
@claude

claude Bot commented May 22, 2026

Copy link
Copy Markdown

Code Review — v2.7.0 Release Commit

Overview

This is a pure release commit — no production code changes. All 235 additions are in documentation and config:

  • CHANGELOG.md — full v2.7.0 entry (47 issues, 44 closed, 17 wave PRs)
  • ROADMAP.md — v2.7.0 shipped summary
  • pyproject.toml2.6.02.7.0 version bump
  • AGENTS.md + CLAUDE.md — GitNexus index stats refreshed (6266→8490 symbols, 13386→17402 relationships, 257→300 flows)

The actual fixes shipped via 17 prior PRs (#358#374). This commit is purely the release envelope.


What's Good


Minor Issues

1. Both v2.6.0 and v2.7.0 are dated 2026-05-22 — same calendar day. This is accurate (the audit waves ran and closed on the same day), but two major releases on the same date will look odd in git log and PyPI release history. If there's any flexibility to date v2.7.0 as today+1, it would improve the release timeline's readability. If not, no blocker — the date is factually correct.

2. Semver question: 5 breaking changes in a minor bump (2.6→2.7, not 3.0). The CHANGELOG rationalizes this as "behavioral fences — all surface bugs that were silently wrong." That's a reasonable policy position for pre-1.0 or for an SDK that treats silent-wrong-behavior fixes differently from intentional API removals. However, it's worth a note in the CHANGELOG itself (e.g., "Following the project's policy: bug-surfacing behavioral fences are treated as minor breaking changes; API surface renames go to v3.0.") so users who query why there are breaking changes in a .7 bump get an answer without digging into the commit history. The v2.5 and v2.6 precedent suggests this is established policy — just not yet stated explicitly.

3. ROADMAP entry is dense and somewhat redundant with CHANGELOG. The 2.6.0 ROADMAP entry is much terser. The v2.7.0 entry is closer to a mini-CHANGELOG, which adds maintenance burden (two places to keep in sync). Consider trimming ROADMAP to the same bullet-summary style as v2.6.0 — the CHANGELOG is the authoritative detailed record.


Risks / Nothing to Block On

  • No production code changes means no regression risk from this PR itself.
  • The pydantic>=2.4 floor should be verified in pyproject.toml (it was mentioned in the changelog but the diff only shows the version bump). Confirming it shipped in a prior wave PR is sufficient.
  • Breaking changes are well-documented with upgrade paths. No silent traps for consumers.

Verdict

Approve with suggestions. The release commit is clean, well-documented, and follows the project's established pattern. The semver policy note and ROADMAP verbosity are the only things worth addressing — neither is a blocker.

@TexasCoding

Copy link
Copy Markdown
Owner Author

Round-2 review addressed: clarified semver policy on bug-surfacing behavioral fences (minor releases) vs intentional API removals (major releases) in the Breaking section header. The same-date observation is factually correct (audit waves completed in a single day). Deferring the ROADMAP verbosity nit — keeping the detailed per-issue trace for archival; CHANGELOG remains the authoritative record.

@claude

claude Bot commented May 22, 2026

Copy link
Copy Markdown

Code Review — v2.7.0 Release Commit

Overview

This is a pure release/bookkeeping PR — no new code, just the version bump and documentation artifacts that close out the 17-PR audit wave. The actual behavior changes shipped incrementally in #358#374; this commit provides the CHANGELOG narrative, ROADMAP summary, version bump, and refreshed GitNexus index counts.


What's included

File Change
pyproject.toml 2.6.02.7.0
CHANGELOG.md Full 2.7.0 entry (~210 lines)
ROADMAP.md v2.7.0 shipped summary
AGENTS.md + CLAUDE.md GitNexus index counts refreshed

CHANGELOG quality

The entry is thorough and well-structured. A few observations:

One minor nit: the Additive section lists SequenceTracker.track_sync as a new public entry point, but the Performance section also describes it under #330. The duplication is fine — the Performance entry explains why it exists, and the Additive entry signals it's public API — but it might confuse readers scanning the changelog. Consider a brief parenthetical in one of them, e.g. "(see also Additive)" or "(introduced as a Performance fix, #330)".


Version bump

pyproject.toml bump is correct (2.6.02.7.0). The pydantic>=2.4 floor bump (#346) is a real constraint change for downstream consumers on pydantic 2.0–2.3. It's documented in the Dependencies section, but it's worth making sure the release notes on PyPI / GitHub Releases surface this prominently since it's the kind of thing that silently breaks pip install --upgrade for anyone pinned below 2.4.


GitNexus count update

6266 → 8490 symbols (+35%), 13386 → 17402 relationships (+30%), 257 → 300 flows (+17%). The jump is large but credible given 17 merged PRs. No issue with the update itself, but the counts in AGENTS.md and CLAUDE.md are now duplicated (same block in both files). If those ever drift again it's a small maintenance hazard — worth noting, though not a blocker.


Verification claims

The PR states:

  • ruff check kalshi/ tests/ — clean
  • mypy kalshi/ (--strict) — clean, 76 source files
  • pytest tests/2876 passed, 258 skipped

These are consistent between the PR body and the CHANGELOG entry, which is a good sign they were run together. CI should confirm independently before merge.


Summary

No blocking issues. This is a well-executed release commit. The nit about track_sync appearing in both Performance and Additive is cosmetic; everything else is correct.

✅ Approve once CI passes.

@TexasCoding
TexasCoding merged commit 07d240f into main May 22, 2026
5 checks passed
@TexasCoding
TexasCoding deleted the release/2.7.0 branch May 22, 2026 23:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug(transport): case-mismatched extra_headers keys leak alongside auth/body Content-Type on the wire

1 participant