#199 landed on main between the original 2.2.91 bump and this PR opening,
so 2.2.91 ties main and fails check_version. Bump to 2.2.92.

#199 landed on main between the original 2.2.91 bump and this PR opening,
so 2.2.91 ties main and fails check_version. Bump to 2.2.92.

* test: failing repro for empty title on gptDidYouMean alerts

* test: failing repro for empty title on unknown alert types

* test: lock in licenseSpdxDisj title fallback

* feat(core): add alert-type humanizer and override-map plumbing

* fix(core): fall back to humanized title for unmapped alert types

Resolves CUS2-2: gptDidYouMean and any future alert type without SDK
metadata previously rendered as a blank Alert column in the CLI output
table, SARIF report, and PR/security comments. Title resolution now
falls back through an explicit override map and a generic humanizer.

* test: hoist _humanize_alert_type import to module scope

* chore(release): bump to 2.2.92 to clear main collision

#199 landed on main between the original 2.2.91 bump and this PR opening,
so 2.2.91 ties main and fails check_version. Bump to 2.2.92.

Patch release. Scope is maintenance only: dependency bundle + Dependabot
review hardening + housekeeping + CHANGELOG backfill. No behavior changes.

Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix
release landing separately.

CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81,
2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered
2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note).

Version refs synced across pyproject.toml, socketsecurity/__init__.py, and
uv.lock per the version-incrementation CI check.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Patch release. Scope is maintenance only: dependency bundle + Dependabot
review hardening + housekeeping + CHANGELOG backfill. No behavior changes.

Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix
release landing separately.

CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81,
2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered
2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note).

Version refs synced across pyproject.toml, socketsecurity/__init__.py, and
uv.lock per the version-incrementation CI check.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Patch release. Scope is maintenance only: dependency bundle + Dependabot
review hardening + housekeeping + CHANGELOG backfill. No behavior changes.

Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix
release landing separately.

CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81,
2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered
2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note).

Version refs synced across pyproject.toml, socketsecurity/__init__.py, and
uv.lock per the version-incrementation CI check.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Patch release. Scope is maintenance only: dependency bundle + Dependabot
review hardening + housekeeping + CHANGELOG backfill. No behavior changes.

Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix
release landing separately.

CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81,
2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered
2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note).

Version refs synced across pyproject.toml, socketsecurity/__init__.py, and
uv.lock per the version-incrementation CI check.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore: prettify, sort, and round out .gitignore

Reorganizes .gitignore into labeled sections (Python cache, venvs, build
artifacts, IDE, OS, logs, env files, generated output, project scratch,
Conductor) with sorted entries within each group and trailing slashes on
directory patterns for clarity.

Folds in three smaller intents that would otherwise be separate commits:
- Add .context/ for Conductor workspaces (collaboration scratch)
- Add coverage.xml + .pytest_cache/ to fully cover pytest-cov outputs
  (.coverage.* and htmlcov/ were already on main from prior work)
- Add *.swp / *.swo for vim swap files

Drops the stale `*.cpython-312.pyc\`` line with a literal-backtick typo;
it wasn't matching anything and `*.pyc` already covers the case.

No behavior changes anyone would notice from the resulting rule set.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* ci: add .github/dependabot.yml to tame Dependabot PR noise

The repo had no explicit Dependabot config, so Dependabot ran on full
defaults: one PR per package per manifest, across every manifest in
the tree -- including the e2e test fixtures that are intentionally
crafted to exercise Socket's scanner. The cumulative result was the
"PR pileup" this PR is consolidating.

New config:
- uv ecosystem (main app): grouped weekly into ONE minor/patch PR and
  one major PR; matches the existing python:uv labeling
- github-actions: grouped weekly into ONE minor/patch PR
- docker: separate weekly PR per Dockerfile change
- 7-day cooldown across all ecosystems to give upstream time to pull
  bad releases
- e2e fixtures (tests/e2e/fixtures/{simple-npm,simple-pypi}) are
  INTENTIONALLY excluded -- their pins should be chosen for supply-
  chain signal, not auto-bumped (this is why we had three fixture
  PRs in the cleanup)

Pattern adapted from SocketDev/socket-basics.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* ci: add dependabot-review workflow with Socket Firewall smoke jobs

For every Dependabot-authored PR, inspect what changed and conditionally
run Socket Firewall (sfw) install smoke jobs against the affected
manifests. Because sfw uses the anonymous Socket public-data API it
needs NO secret, so this runs cleanly under the standard `pull_request`
context -- no pull_request_target, no token-leak surface.

Jobs (all conditional on file diff):
- python-sfw-smoke:      pyproject.toml / uv.lock -> `sfw uv sync` plus
                         an import smoke on the modules that depend on
                         the upgraded packages (cryptography, gitpython,
                         requests, ...). Catches API-removal breaks
                         from minor/patch deprecations.
- fixture-npm-sfw-smoke: tests/e2e/fixtures/simple-npm/** -> `sfw npm
                         install` in a clean cwd.
- fixture-pypi-sfw-smoke: tests/e2e/fixtures/simple-pypi/** -> `sfw pip
                         install -r requirements.txt` in a clean venv.
- dockerfile-smoke:      `docker build --pull` (no push) when the
                         Dockerfile changes.
- workflow-notice:       Flag Dependabot PRs that touch workflow or
                         dependabot config files for explicit human
                         review (anti-supply-chain-confusion guardrail).

Pattern adapted from SocketDev/socket-basics dependabot-review.yml.
Action SHAs match the pins already in python-tests.yml and e2e-test.yml
so zizmor stays happy.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* ci: add lock-drift, import-smoke, and pip-audit; skip e2e on dependabot

python-tests.yml:
- `uv lock --locked` -- fails if uv.lock has drifted from pyproject.toml.
  Prevents the "forgot to commit the lockfile" class of mistake.
- Import smoke step that loads every top-level module touching the
  upgraded packages (cryptography, gitpython, requests, urllib3, ...).
  Catches API-removal breaks from minor/patch deprecations that the
  unit suite alone wouldn't surface.
- `uvx pip-audit --strict` against the synced env -- light CVE check
  on the resolved transitive tree. Runs in seconds via uv's caching.

e2e-test.yml:
- Skip e2e on Dependabot PRs. They don't have access to the Socket API
  secret so e2e would always fail on them, polluting the PR check UI.
  Supply-chain risk for dep bumps is covered by dependabot-review.yml's
  Socket Firewall smoke jobs, which need no secrets.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* ci: fix pip-audit invocation to scan exported requirements

`uvx pip-audit --disable-pip` requires `-r` plus either hashed
requirements or `--no-deps`. The previous invocation crashed at start.

Now: export the locked deps via `uv export --no-hashes --no-emit-project`
into a tmp requirements file (skipping the local editable install of
the project itself), then feed that to pip-audit with `--disable-pip
--no-deps`. Verified locally -- no known vulnerabilities found across
the 85 locked transitive deps.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore(deps): bump 9 main-app dependencies to latest

Bundles the nine open Dependabot PRs against the main app into a single
uv.lock regeneration. Where Dependabot's target trailed the latest published
release, we went to the current latest and re-verified through sfw:

- urllib3       2.6.3   -> 2.7.0     (closes #200)
- gitpython     3.1.46  -> 3.1.50    (closes #198)
- python-dotenv 1.2.1   -> 1.2.2     (closes #190)
- pytest        9.0.2   -> 9.0.3     (closes #188)
- uv            0.9.21  -> 0.11.17   (closes #210; Dependabot targeted 0.11.15)
- cryptography  46.0.5  -> 46.0.7    (closes #181)
- pygments      2.19.2  -> 2.20.0    (closes #177)
- requests      2.32.5  -> 2.33.0    (closes #175)
- idna          3.11    -> 3.15      (closes #205, CVE-2026-45409)

idna 3.14 fixed CVE-2026-45409 -- a quadratic-time DoS via oversized inputs
that bypassed the earlier CVE-2024-3651 mitigation. The rest are hygiene.

All nine final versions verified clean through Socket Firewall (sfw) on the
full transitive tree.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore(deps): bump e2e fixture manifests

Closes the open Dependabot PRs against the e2e test fixtures. axios went to
the current latest (1.16.1) rather than Dependabot's 1.16.0 target:

- tests/e2e/fixtures/simple-npm:  axios    1.15.0 -> 1.16.1  (closes #209)
- tests/e2e/fixtures/simple-pypi: requests 2.31.0 -> 2.33.0  (closes #187)
- tests/e2e/fixtures/simple-pypi: flask    3.0.0  -> 3.1.3   (closes #186)

These fixtures were stale rather than intentionally pinned. Socket Firewall
verified the install paths. The new .github/dependabot.yml intentionally
excludes tests/e2e/fixtures/** from future auto-bumps.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

* chore(release): 2.2.93 with CHANGELOG backfill

Patch release. Scope is maintenance only: dependency bundle + Dependabot
review hardening + housekeeping + CHANGELOG backfill. No behavior changes.

Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix
release landing separately.

CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81,
2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered
2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note).

Version refs synced across pyproject.toml, socketsecurity/__init__.py, and
uv.lock per the version-incrementation CI check.

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

---------

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>