release: 2.7.0 — post-v2.6 independent multi-LLM reviewer SDK audit closure (#311-#357)#375
Conversation
…re (#311-#357) 47 issues filed, 44 closed across 4 sequential waves (W0 docs, W1 HIGH integrity, W2 MEDIUM correctness, W3 LOW polish/perf/deps); 17 PRs merged in disjoint git worktrees. 3 breaking-rename issues (#348, #349, #351) deferred to v3.0.0. Identified by a 9-reviewer parallel pass: 7 internal specialist agents plus fresh-eyes external LLM reviews via the Codex CLI (GPT-5) and Gemini CLI. Five behavioral fences: AmendOrderRequest Literal narrowing (#312), KalshiConfig.extra_headers post-construction immutability (#313), communications status Literal narrowing (#324), to_decimal NaN/Inf guard (#325), DollarDecimal request-side bounds (#343). Critical fixes: from_env ownership invariant (#311), WS TimeoutError wrap (#314), WS zombie-subscription cleanup (#315). Plus 36 medium/low correctness, performance, polish, docs, and dependency improvements — see CHANGELOG.md for the full per-issue breakdown. Main is mypy --strict clean, ruff clean, 2876 unit tests passing.
Code Review — v2.7.0 Release CommitOverviewThis is a pure release commit — no production code changes. All 235 additions are in documentation and config:
The actual fixes shipped via 17 prior PRs (#358–#374). This commit is purely the release envelope. What's Good
Minor Issues1. Both v2.6.0 and v2.7.0 are dated 2. Semver question: 5 breaking changes in a minor bump (2.6→2.7, not 3.0). The CHANGELOG rationalizes this as "behavioral fences — all surface bugs that were silently wrong." That's a reasonable policy position for pre-1.0 or for an SDK that treats silent-wrong-behavior fixes differently from intentional API removals. However, it's worth a note in the CHANGELOG itself (e.g., "Following the project's policy: bug-surfacing behavioral fences are treated as minor breaking changes; API surface renames go to v3.0.") so users who query why there are breaking changes in a 3. ROADMAP entry is dense and somewhat redundant with CHANGELOG. The 2.6.0 ROADMAP entry is much terser. The v2.7.0 entry is closer to a mini-CHANGELOG, which adds maintenance burden (two places to keep in sync). Consider trimming ROADMAP to the same bullet-summary style as v2.6.0 — the CHANGELOG is the authoritative detailed record. Risks / Nothing to Block On
VerdictApprove with suggestions. The release commit is clean, well-documented, and follows the project's established pattern. The semver policy note and ROADMAP verbosity are the only things worth addressing — neither is a blocker. |
|
Round-2 review addressed: clarified semver policy on bug-surfacing behavioral fences (minor releases) vs intentional API removals (major releases) in the Breaking section header. The same-date observation is factually correct (audit waves completed in a single day). Deferring the ROADMAP verbosity nit — keeping the detailed per-issue trace for archival; CHANGELOG remains the authoritative record. |
Code Review — v2.7.0 Release CommitOverviewThis is a pure release/bookkeeping PR — no new code, just the version bump and documentation artifacts that close out the 17-PR audit wave. The actual behavior changes shipped incrementally in #358–#374; this commit provides the CHANGELOG narrative, ROADMAP summary, version bump, and refreshed GitNexus index counts. What's included
CHANGELOG qualityThe entry is thorough and well-structured. A few observations:
One minor nit: the Version bump
GitNexus count update6266 → 8490 symbols (+35%), 13386 → 17402 relationships (+30%), 257 → 300 flows (+17%). The jump is large but credible given 17 merged PRs. No issue with the update itself, but the counts in Verification claimsThe PR states:
These are consistent between the PR body and the CHANGELOG entry, which is a good sign they were run together. CI should confirm independently before merge. SummaryNo blocking issues. This is a well-executed release commit. The nit about ✅ Approve once CI passes. |
v2.7.0 — Post-v2.6 independent multi-LLM reviewer audit closure
47 issues filed (#311–#357), 44 closed in this release. 3 breaking-rename issues (#348, #349, #351) deferred to the v3.0.0 milestone.
Pipeline
Identified by a 9-reviewer parallel pass combining 7 internal specialist agents (security/auth, HTTP transport, WebSocket, models/contracts, sync/async parity, performance, resources/API) with fresh-eyes external LLM reviews via the Codex CLI (GPT-5) and Gemini CLI. Executed across 4 sequential waves in disjoint git worktrees — 17 PRs merged ahead of this release commit.
Each PR went through the project's standard 1–4 round
claude-code-reviewbot iteration before squash-merge.Breaking changes
Five behavioral fences — all surface bugs that were silently wrong or invariants the SDK now enforces. See
CHANGELOG.mdfor full details.AmendOrderRequest.side/.action→Literal(AmendOrderRequest.side/.action still barestrafter v2.5 narrowed CreateOrderRequest #312, mirrors v2.5 Polish bundle: model small items (AwareDatetime in WS, V1 Literal, default=None, timestamp typing, Decimal NaN) #270)KalshiConfig.extra_headersimmutable post-construction (KalshiConfig.extra_headers is mutable post-construction, bypassing the #298 auth-header guard #313, closes bug(transport): case-mismatchedextra_headerskeys leak alongside auth/body Content-Type on the wire #298 bypass)statuskwarg →Literal(communications.list_rfqs / list_quotes acceptstatus: str | None— should be Literal-narrowed #324)to_decimal()rejectsNaN/Infinity(Public to_decimal() helper accepts NaN/Infinity despite docstring promising safety #325)DollarDecimalrequest fields reject negatives + sub-tick precision (DollarDecimal accepts arbitrary precision and negative values on request price fields #343)What's in this commit
CHANGELOG.md— full 2.7.0 entry organized by Breaking / Critical / High-impact / Performance / Polish / Additive / DependenciesROADMAP.md— v2.7.0 shipped entry summarizing the audit cyclepyproject.toml— version bump2.6.0→2.7.0AGENTS.md+CLAUDE.md— gitnexus symbol/relationship/flow counts refreshed (8490/17402/300 after all W0–W3 PRs merged)Verification
uv run ruff check kalshi/ tests/— cleanuv run mypy kalshi/— clean (76 source files, --strict)uv run pytest tests/— 2876 passed, 258 skipped (≈100 new regression tests added in this audit cycle)This release commit does not close further issues directly — every one of the 44 was closed by the wave PR that fixed it.