From e084788a07cc55782c5befd8526f90f8ae6e09fe Mon Sep 17 00:00:00 2001
From: Sean San <seanksan@gmail.com>
Date: Sun, 5 Apr 2026 22:44:22 -0700
Subject: [PATCH 1/6] devops: Add CodeQL and configs files for deepiri-modelkit

---
 .github/codeql/codeql-config.yml | 16 ++++++++++++++++
 .github/workflows/codeql.yml     | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
 create mode 100644 .github/codeql/codeql-config.yml
 create mode 100644 .github/workflows/codeql.yml

diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..8975aa8
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,16 @@
+name: deepiri-modelkit-codeql-config
+
+# Focus analysis on maintained source code for this service.
+paths:
+  - src
+
+# Exclude generated/build/cache artifacts.
+paths-ignore:
+  - '**/__pycache__/**'
+  - '**/.pytest_cache/**'
+  - '**/.mypy_cache/**'
+  - '**/.venv/**'
+  - '**/venv/**'
+  - '**/dist/**'
+  - '**/build/**'
+  - '**/*.min.js'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..7594c2a
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,32 @@
+name: CodeQL
+
+on:
+  pull_request:
+    branches: [main, dev]
+  push:
+    branches: [main, dev]
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (python)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

From 0ea248691c1de4a94837a735debbe16fa6795465 Mon Sep 17 00:00:00 2001
From: Sean San <seanksan@gmail.com>
Date: Sun, 5 Apr 2026 22:48:01 -0700
Subject: [PATCH 2/6] docs: Add simple docs and instructions on how to maintain
 CodeQL

---
 .github/codeql/README.md | 131 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 .github/codeql/README.md

diff --git a/.github/codeql/README.md b/.github/codeql/README.md
new file mode 100644
index 0000000..c84cbca
--- /dev/null
+++ b/.github/codeql/README.md
@@ -0,0 +1,131 @@
+# CodeQL Setup for deepiri-modelkit
+
+This folder contains the CodeQL configuration for security scanning in this service.
+
+## What each file does
+
+- `.github/workflows/codeql.yml`
+  - Defines when scans run and how GitHub Actions executes CodeQL.
+- `.github/codeql/codeql-config.yml`
+  - Defines what folders to include and ignore during analysis.
+
+## Workflow breakdown (`.github/workflows/codeql.yml`)
+
+### `name: CodeQL`
+The display name in the Actions tab.
+
+### `on.pull_request.branches` and `on.push.branches`
+```yaml
+on:
+  pull_request:
+    branches: [main, dev]
+  push:
+    branches: [main, dev]
+```
+Runs scans when PRs target `main` or `dev`, and when commits are pushed to `main` or `dev`.
+
+### `permissions`
+```yaml
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+```
+Uses least-privilege permissions. `security-events: write` is required so CodeQL can upload findings.
+
+### Language setup (current)
+```yaml
+with:
+  languages: python
+```
+This workflow currently runs analysis for Python.
+
+### Checkout step
+```yaml
+with:
+  fetch-depth: 0
+```
+- `fetch-depth: 0` keeps full git history (safe default for analysis and troubleshooting).
+
+### Initialize CodeQL
+```yaml
+uses: github/codeql-action/init@v3
+with:
+  config-file: ./.github/codeql/codeql-config.yml
+```
+Starts the CodeQL engine and loads `.github/codeql/codeql-config.yml`.
+
+### Analyze
+```yaml
+uses: github/codeql-action/analyze@v3
+```
+Executes queries and uploads results to GitHub Security.
+
+## Config breakdown (`.github/codeql/codeql-config.yml`)
+
+### `paths`
+The current include list is intentionally scoped to active service code:
+
+```yaml
+paths:
+  - src
+```
+
+### `paths-ignore`
+Generated and cache artifact paths are excluded to reduce noise and runtime:
+
+```yaml
+paths-ignore:
+  - '**/__pycache__/**'
+  - '**/.pytest_cache/**'
+  - '**/.mypy_cache/**'
+  - '**/.venv/**'
+  - '**/venv/**'
+  - '**/dist/**'
+  - '**/build/**'
+  - '**/*.min.js'
+```
+
+## Best practices
+
+1. Keep trigger scope intentional.
+   Use branch filters (`main`, `dev`) to control cost and noise.
+2. Keep language list explicit.
+   Only include languages with meaningful source code.
+3. Keep `paths` focused when used.
+   Include actively maintained production code first.
+4. Exclude generated/cache artifacts.
+   Keep build outputs and runtime caches in `paths-ignore`.
+5. Pin to stable major action versions.
+   `@v3` is the current stable major for CodeQL actions.
+6. Review alerts regularly.
+   Triage high/critical findings first and suppress only with documented reasoning.
+
+## Maintenance examples
+
+### Keep language scope aligned with this service
+This workflow currently analyzes Python only:
+
+```yaml
+with:
+  languages: python
+```
+
+Only change this value when this service adds production code in another supported language.
+
+### Include only specific top-level packages
+Add explicit `paths` only for directories that exist in this checkout.
+
+Example:
+
+```yaml
+paths:
+  - src
+```
+
+### Exclude another generated folder
+Add a glob to `paths-ignore`, for example:
+
+```yaml
+- '**/generated/**'
+```

From 2c9c74df8af95756c8bc8c9ec9071b6754333b40 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 00:27:43 +0000
Subject: [PATCH 3/6] chore(deps): bump langchain-text-splitters

Bumps the pip group with 1 update in the / directory: [langchain-text-splitters](https://github.com/langchain-ai/langchain).


Updates `langchain-text-splitters` from 0.2.2 to 0.3.9
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-text-splitters==0.2.2...langchain-text-splitters==0.3.9)

---
updated-dependencies:
- dependency-name: langchain-text-splitters
  dependency-version: 0.3.9
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 requirements-jupyter.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-jupyter.txt b/requirements-jupyter.txt
index 23b4267..031f9af 100644
--- a/requirements-jupyter.txt
+++ b/requirements-jupyter.txt
@@ -60,7 +60,7 @@ onnxruntime>=1.15.0
 langchain==0.2.12
 langchain-core==0.2.43
 langchain-community==0.2.10
-langchain-text-splitters==0.2.2
+langchain-text-splitters==0.3.9
 langchain-openai==0.1.22
 langchain-milvus==0.1.4
 langchain-huggingface==0.0.3

From a9d68235a5239febc463bf9991a16d35a5496b5b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 00:27:45 +0000
Subject: [PATCH 4/6] chore(deps): bump langchain-core in the pip group across
 1 directory

Bumps the pip group with 1 update in the / directory: [langchain-core](https://github.com/langchain-ai/langchain).


Updates `langchain-core` from 0.2.43 to 1.2.28
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-core==0.2.43...langchain-core==1.2.28)

---
updated-dependencies:
- dependency-name: langchain-core
  dependency-version: 1.2.28
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 requirements-jupyter.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-jupyter.txt b/requirements-jupyter.txt
index 23b4267..6bb6202 100644
--- a/requirements-jupyter.txt
+++ b/requirements-jupyter.txt
@@ -58,7 +58,7 @@ onnxruntime>=1.15.0
 
 # LangChain for RAG & AI Orchestration
 langchain==0.2.12
-langchain-core==0.2.43
+langchain-core==1.2.28
 langchain-community==0.2.10
 langchain-text-splitters==0.2.2
 langchain-openai==0.1.22

From 749751f16f84014ce5af5e8d25dee6c65ffcad91 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 18:11:25 +0000
Subject: [PATCH 5/6] chore(deps): bump langchain-community

Bumps the pip group with 1 update in the / directory: [langchain-community](https://github.com/langchain-ai/langchain-community).


Updates `langchain-community` from 0.2.10 to 0.3.27
- [Release notes](https://github.com/langchain-ai/langchain-community/releases)
- [Commits](https://github.com/langchain-ai/langchain-community/commits/libs/community/v0.3.27)

---
updated-dependencies:
- dependency-name: langchain-community
  dependency-version: 0.3.27
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 requirements-jupyter.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-jupyter.txt b/requirements-jupyter.txt
index d6a4f41..ee35c73 100644
--- a/requirements-jupyter.txt
+++ b/requirements-jupyter.txt
@@ -59,7 +59,7 @@ onnxruntime>=1.15.0
 # LangChain for RAG & AI Orchestration
 langchain==0.2.12
 langchain-core==1.2.28
-langchain-community==0.2.10
+langchain-community==0.3.27
 langchain-text-splitters==0.3.9
 langchain-openai==0.1.22
 langchain-milvus==0.1.4

From 3f914a96ed9861659a1a1d9e6e51cfabdb26bcb8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 17 Apr 2026 00:09:02 +0000
Subject: [PATCH 6/6] chore(deps): bump the pip group across 1 directory with 2
 updates

Bumps the pip group with 2 updates in the / directory: [langchain-text-splitters](https://github.com/langchain-ai/langchain) and [langchain-openai](https://github.com/langchain-ai/langchain).


Updates `langchain-text-splitters` from 0.3.9 to 1.1.2
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-text-splitters==0.3.9...langchain-text-splitters==1.1.2)

Updates `langchain-openai` from 0.1.22 to 1.1.14
- [Release notes](https://github.com/langchain-ai/langchain/releases)
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-openai==0.1.22...langchain-openai==1.1.14)

---
updated-dependencies:
- dependency-name: langchain-text-splitters
  dependency-version: 1.1.2
  dependency-type: direct:production
  dependency-group: pip
- dependency-name: langchain-openai
  dependency-version: 1.1.14
  dependency-type: direct:production
  dependency-group: pip
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 requirements-jupyter.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/requirements-jupyter.txt b/requirements-jupyter.txt
index ee35c73..336cddb 100644
--- a/requirements-jupyter.txt
+++ b/requirements-jupyter.txt
@@ -60,8 +60,8 @@ onnxruntime>=1.15.0
 langchain==0.2.12
 langchain-core==1.2.28
 langchain-community==0.3.27
-langchain-text-splitters==0.3.9
-langchain-openai==0.1.22
+langchain-text-splitters==1.1.2
+langchain-openai==1.1.14
 langchain-milvus==0.1.4
 langchain-huggingface==0.0.3
 langchain-ollama==0.1.0
@@ -69,7 +69,7 @@ langchain-classic>=0.0.20
 langsmith>=0.1.0
 
 # LangGraph for multi-agent workflows
-langgraph>=0.2.0,<0.3.0
+langgraph>=0.2.0,<1.2.0
 langgraph-checkpoint-redis>=0.2.0
 
 # Local LLM Support