From 21100fc5ff8182ea4ec37b2bc628eb936145d06d Mon Sep 17 00:00:00 2001
From: kickthemoon0817
Date: Tue, 5 May 2026 19:27:16 +0900
Subject: [PATCH 1/2] ci: SHA-pin GitHub Actions versions for supply-chain hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes the iter22 deferred MEDIUM (mutable action tags). Replaces the 6 'uses: owner/repo@vN' references in ci.yml with the specific commit SHA each tag currently resolves to: - actions/checkout: v4 -> 34e114876b... (v4.3.1) - actions/setup-python: v5 -> a26af69be9... (v5.6.0) - astral-sh/setup-uv: v3 -> caf0cab7a6... (v3.2.4) The major-version contract is preserved via inline comments so the human-readable intent (matrix supports each major) stays visible. A future tag force-push or upstream account compromise can no longer substitute malicious code into the CI runner — the SHA is content-addressed and immutable. Recommended renewal cadence: re-pin to the latest patch SHA within each major every 6-12 months via Renovate, Dependabot, or pinact. iter23 does this manually as a one-shot baseline. CI run on this branch is the live verification — the workflow must still complete green with the SHA pins in place.
---
.github/workflows/ci.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4f28ea7..df9cacc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,15 +35,15 @@ jobs: matrix: python-version: ["3.11", "3.12", "3.13"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python-version }} - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3.2.4 with: enable-cache: true @@ -76,15 +76,15 @@ jobs: runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' || github.event_name == 'pull_request' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python 3.11 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: "3.11" - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3.2.4 with: enable-cache: true From 92939d34fc579da3c321fe46c600a4f132b19436 Mon Sep 17 00:00:00 2001 From: kickthemoon0817 Date: Tue, 5 May 2026 19:27:18 +0900 Subject: [PATCH 2/2] chore: bump version to 0.0.45, 4-file lockstep --- .claude-plugin/plugin.json | 2 +- pyproject.toml | 2 +- src/simul_mcp/__init__.py | 2 +- src/simul_mcp/bridge_ext/khemoo.simul.mcp/config/extension.toml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 70f8963..a6dd9b0 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "simul", - "version": "0.0.44", + "version": "0.0.45", "description": "3D simulation and DCC skills — scene setup, physics, materials, camera, scripting, and headless workflows for Isaac Sim, Unreal Engine, Blender, and USD", "author": { "name": "khemoo", 
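Review bot: The `Install uv` step in `.github/workflows/ci.yml` still fetches a mutable artifact. The pin fixes the code of `astral-sh/setup-uv`, but with only `enable-cache: true` under `with:` the action chooses which uv release to download at run time, which as far as I know defaults to the latest one. Adding `version: "<PINNED_UV_VERSION>"` (placeholder; use the release you test against) beside `enable-cache` would make the installed tool as reproducible as the action itself. The same step appears in the second hunk (`@@ -76,15 +76,15 @@`) and needs the same line. Both job bodies continue outside the hunks, so later steps were not reviewed.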
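Review bot: In the second `ci.yml` hunk, and equally the first, nothing ties each 40-character pin to the tag named in its trailing comment. `# v4.3.1`, `# v5.6.0` and `# v3.2.4` are free text the runner ignores, and GitHub will also resolve a SHA that exists only in a fork of the action's repository. Before merging, each SHA should be confirmed against the upstream tag in the action's own repository. To keep pin and comment in step afterwards without the manual re-pin the commit message describes, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` would propose the updates. Whether the repository already has one is not visible here.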
diff --git a/pyproject.toml b/pyproject.toml index ad515c3..4678765 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "simul-mcp" -version = "0.0.44" +version = "0.0.45" description = "MCP server for 3D simulation and DCC tools — USD scene control, Isaac Sim, Blender, and Unreal Engine integration" authors = [ {name = "khemoo"} diff --git a/src/simul_mcp/__init__.py b/src/simul_mcp/__init__.py index 73b7021..ca6a2c3 100644 --- a/src/simul_mcp/__init__.py +++ b/src/simul_mcp/__init__.py @@ -5,7 +5,7 @@ USD scene understanding, mesh operations, and runtime integration capabilities. """ -__version__ = "0.0.44" +__version__ = "0.0.45" __author__ = "khemoo" __email__ = "" diff --git a/src/simul_mcp/bridge_ext/khemoo.simul.mcp/config/extension.toml b/src/simul_mcp/bridge_ext/khemoo.simul.mcp/config/extension.toml index 9e117f8..e2f88d7 100644 --- a/src/simul_mcp/bridge_ext/khemoo.simul.mcp/config/extension.toml +++ b/src/simul_mcp/bridge_ext/khemoo.simul.mcp/config/extension.toml @@ -1,5 +1,5 @@ [package] -version = "0.0.44" +version = "0.0.45" category = "Utility" title = "Simul MCP Bridge" description = "Production-oriented Isaac Sim bridge transport for Simul MCP with typed requests and VS Code fallback compatibility."