
SKI Framework v3.0.3 — Dependency security & EOL-Python removal

Patch release. Rolls up the correctness fixes, the transcript-signing hardening, and a full dependency CVE remediation accumulated since v3.0.2, and drops end-of-life Python 3.9 from the support matrix.

⚠️ Action required: Python 3.9 dropped

Python 3.9 reached end-of-life in October 2025. The security-patched dependency versions in this release no longer publish 3.9 wheels, so the minimum supported Python is now 3.10. If you run the SKI Model, the Sidecar, or any of the CLIs on 3.9, move to Python 3.10–3.12 before taking this release.

Security

  • Upgraded every deployable requirements set to CVE-free versions, clearing all pip-audit findings in the production runtime (SKI Model + Sidecar) and the four tools — including four cryptography advisories in the library used to sign LLM transcripts and the starlette/fastapi web-stack advisories.
  • The transcript signing key is now created with 0600 permissions from the outset, closing a brief first-run window in which the Ed25519 private key file could exist with the broader permissions granted by the process's default umask.
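The difference between "create, then chmod" and "create with 0600" is easiest to see by measuring the file mode during the window. The following is an added illustration, not SKI's own code: `write_then_chmod` is the weaker pattern, `create_private_key_0600` the hardened one. The key bytes are a constructed placeholder from `os.urandom` standing in for a serialized Ed25519 private key, and the example assumes a POSIX filesystem (the mode argument of `os.open` is ignored on Windows).

```python
import os
import stat
import tempfile

# Constructed placeholder for the serialized private key (not a real Ed25519 key).
SAMPLE_KEY = os.urandom(32)


def write_then_chmod(path: str, key_bytes: bytes) -> int:
    """The pattern the fix replaces (illustrative): open() creates the file at
    0666 & ~umask, so for a typical umask of 022 it is world-readable until the
    later chmod. Returns the mode the file had during that window."""
    with open(path, "wb") as f:
        f.write(key_bytes)
    mode_during_window = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, 0o600)  # too late: another local user may already have read it
    return mode_during_window


def create_private_key_0600(path: str, key_bytes: bytes) -> int:
    """Hardened pattern: the mode is applied atomically at creation.

    O_CREAT | O_EXCL also refuses to clobber an existing key file (raises
    FileExistsError), so a stale or attacker-planted file is never silently
    overwritten. The umask can only remove bits from 0o600, never add them.
    Returns the permission bits of the created file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:  # fdopen takes ownership of fd and closes it
        f.write(key_bytes)
    return stat.S_IMODE(os.stat(path).st_mode)


def second_create_is_refused(path: str) -> bool:
    """True if creating over an existing key file is rejected."""
    try:
        create_private_key_0600(path, SAMPLE_KEY)
    except FileExistsError:
        return True
    return False


def compare(umask_value: int = 0o022) -> tuple:
    """Run both patterns under a fixed umask and return (weak_window_mode,
    hardened_mode, overwrite_refused). Restores the process umask afterwards."""
    old_umask = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = write_then_chmod(os.path.join(d, "weak.key"), SAMPLE_KEY)
            hardened_path = os.path.join(d, "hardened.key")
            hardened = create_private_key_0600(hardened_path, SAMPLE_KEY)
            refused = second_create_is_refused(hardened_path)
            return weak, hardened, refused
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    weak, hardened, refused = compare()
    print(f"write-then-chmod window mode: {weak:o}")   # 644 under umask 022
    print(f"create-with-0600 mode:        {hardened:o}")  # 600
    print(f"overwrite of existing key refused: {refused}")
```

Running `compare()` shows the weak variant briefly sitting at 0644 under the common umask of 022, while the hardened variant is 0600 from its first instant of existence. A check worth adding to a first-run routine is to refuse to proceed if an existing key file is found with anything other than 0600.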

Fixed

  • The KG extractor's chunk_text no longer loops indefinitely on documents larger than the chunk size — previously any real-sized regulatory document could hang extraction.
  • The root pytest run is green again: a redundant pytest.ini that shadowed the project configuration was removed and the v3 endpoint tests are now hermetic.
  • The Symbolic Verifier reports an unknown predicate as "not mechanically verifiable" to match its contract.
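A chunker stalls when its start offset fails to advance, typically when a "break at whitespace" rule snaps the chunk end back to the start, or when the overlap is not smaller than the chunk size. The following is an added example, not the KG extractor's actual `chunk_text`; the signature and the whitespace-snapping rule are assumptions chosen to illustrate the failure mode, and the loop carries an explicit progress invariant so any document larger than the chunk size terminates.

```python
def chunk_text(text: str, chunk_size: int = 1000, overlap: int = 100) -> list:
    """Split `text` into chunks of at most `chunk_size` characters.

    Prefers to end a chunk at the last space inside the window. Two guards
    prevent the classic infinite loop:
      1. overlap must be strictly smaller than chunk_size, otherwise
         `end - overlap` can never move past `start`;
      2. if snapping back to whitespace (or subtracting the overlap) would not
         advance the start offset, the chunk is hard-cut instead.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    if not 0 <= overlap < chunk_size:
        raise ValueError("overlap must be in [0, chunk_size)")

    chunks = []
    n = len(text)
    start = 0
    while start < n:
        end = min(start + chunk_size, n)
        if end < n:
            # Snap to the last space in the window, but only if that still
            # leaves a non-empty chunk (cut > start). A window with no space,
            # or a space only at `start`, falls back to a hard cut at `end`.
            cut = text.rfind(" ", start, end)
            if cut > start:
                end = cut
        chunks.append(text[start:end])
        if end >= n:
            break
        next_start = end - overlap
        if next_start <= start:
            # The overlap would swallow all progress; drop it for this step
            # rather than re-emitting the same window forever.
            next_start = end
        assert next_start > start, "loop invariant: start must advance"
        start = next_start
    return chunks


def covers_whole_text(text: str, chunks: list) -> bool:
    """Sanity check: every character position is present in some chunk."""
    return "".join(chunks).replace(" ", "") .count("") >= 0 and all(
        c in text for c in chunks
    ) and len("".join(chunks)) >= len(text)


# Constructed sample: a run of text with no spaces at all, the case where
# whitespace snapping cannot help and a naive chunker may never advance.
SAMPLE_NO_SPACES = "x" * 25

if __name__ == "__main__":
    for c in chunk_text(SAMPLE_NO_SPACES, chunk_size=10, overlap=3):
        print(repr(c))
```

The second guard is the one that matters for the symptom described above: with a chunk boundary snapped to a space near the start of the window and an overlap larger than the distance gained, `end - overlap` lands at or before `start`, and a loop without that check re-emits the same chunk indefinitely.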

Maintenance

  • Fixed the documentation site nav (mis-cased pages were dropped on the case-sensitive GitHub Pages build), removed stale duplicate pages, and de-drifted the published changelog.

See the changelog for the full list.