chore: v0.3.5 — benchmarks, pytest 9.0.3, cortex stopword

- Fix benchmark suite: 9 sites passing create_entity tuple as entity_id
  (b1/b4/b5 had been broken since v0.2.2 when create_entity started
  returning tuple[str, bool])
- Bump pytest>=9.0.3 (closes GHSA-6w46-j5rx-g56g, dev-time tmpdir)
- Add 'cortex' to ENTITY_STOPWORDS so the classifier stops extracting
  the system's own name as a technology entity in self-referential
  captures
- Hold litellm>=1.60 deliberately (inline comment in pyproject.toml):
  bumping breaks 24 CLI tests via typer/click downgrades, and the
  flagged litellm CVEs only affect litellm's proxy endpoints which
  Cortex never starts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: grayisnotacolor

CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.5] — 2026-05-03
+
+### Fixed
+
+- **Benchmark suite restored** — `b1_hybrid_retrieval`, `b4_graph_intelligence`, `b5_pattern_detection` failed with `ValueError: Invalid IRI code point ' '` because they passed `store.create_entity(...)` (which returns `tuple[str, bool]`) directly as an entity ID. Updated 9 sites in `benchmarks/corpus/generator.py`, `benchmarks/b4_graph_intelligence/test_bench.py`, and `benchmarks/b5_pattern_detection/test_bench.py` to unpack the tuple.
+
+### Changed
+
+- **`pytest>=9.0.3`** (was `>=8.3`) — pytest 9 includes a compat shim for the `config.inicfg` private-attribute change; addresses dependency advisory GHSA-6w46-j5rx-g56g (dev-time tmpdir handling).
+- **Entity classifier stopword list** — added `cortex` to `ENTITY_STOPWORDS` so the LLM no longer extracts the system's own name as a `technology` entity when users capture self-referential knowledge.
+- **`litellm` constraint deliberately held at `>=1.60`** — see inline comment in `pyproject.toml`. The flagged litellm CVEs are in litellm's proxy server endpoints, which Cortex never starts (Cortex calls `litellm.completion()` as a library only). Bumping forces typer/click downgrades that break ~24 CLI tests, with no security benefit given Cortex's local-only deployment model.
+
 ## [0.3.4] — 2026-05-01
 
 ### Changed

benchmarks/b4_graph_intelligence/test_bench.py

@@ -147,7 +147,7 @@ def test_entity_neighborhood(store: Store) -> None:
     gq = GraphQueries(store)
 
     # Create entity
-    redis_eid = store.create_entity(name="Redis", entity_type="technology")
+    redis_eid, _ = store.create_entity(name="Redis", entity_type="technology")
 
     # Create 5 fix objects that mention Redis
     fix_ids = []
@@ -226,7 +226,7 @@ def test_project_overview(store: Store) -> None:
     entity_names = [("Postgres", "technology"), ("Auth", "concept"), ("K8s", "technology")]
     entity_ids = []
     for name, etype in entity_names:
-        eid = store.create_entity(name=name, entity_type=etype)
+        eid, _ = store.create_entity(name=name, entity_type=etype)
         entity_ids.append(eid)
 
     # Link entities to objects

benchmarks/b5_pattern_detection/test_bench.py

@@ -40,7 +40,7 @@ def test_systemic_issue_detection(store: Store) -> None:
     # ── True positives ────────────────────────────────────────
 
     # Flaky-Service: 4 recent fixes mentioning the same entity
-    flaky_eid = store.create_entity(name="Flaky-Service", entity_type="technology")
+    flaky_eid, _ = store.create_entity(name="Flaky-Service", entity_type="technology")
     for i in range(4):
         fix_id = store.create(
             obj_type="fix",
@@ -50,7 +50,7 @@ def test_systemic_issue_detection(store: Store) -> None:
         store.add_mention(obj_id=fix_id, entity_id=flaky_eid)
 
     # Unstable-DB: 3 recent fixes (exactly at threshold)
-    unstable_eid = store.create_entity(name="Unstable-DB", entity_type="technology")
+    unstable_eid, _ = store.create_entity(name="Unstable-DB", entity_type="technology")
     for i in range(3):
         fix_id = store.create(
             obj_type="fix",
@@ -62,7 +62,7 @@ def test_systemic_issue_detection(store: Store) -> None:
     # ── True negatives ────────────────────────────────────────
 
     # Stable-API: only 2 fixes (below threshold of 3)
-    stable_eid = store.create_entity(name="Stable-API", entity_type="technology")
+    stable_eid, _ = store.create_entity(name="Stable-API", entity_type="technology")
     for i in range(2):
         fix_id = store.create(
             obj_type="fix",
@@ -72,7 +72,7 @@ def test_systemic_issue_detection(store: Store) -> None:
         store.add_mention(obj_id=fix_id, entity_id=stable_eid)
 
     # Old-Bug: 3 fixes but all created 30 days ago (outside 14-day window)
-    old_eid = store.create_entity(name="Old-Bug", entity_type="technology")
+    old_eid, _ = store.create_entity(name="Old-Bug", entity_type="technology")
     old_ts = _old_timestamp(30)
     for i in range(3):
         fix_id = store.create(
@@ -86,7 +86,7 @@ def test_systemic_issue_detection(store: Store) -> None:
     # Scattered-Fix: 3 fixes that each mention a *different* entity
     scattered_eids = []
     for i in range(3):
-        eid = store.create_entity(
+        eid, _ = store.create_entity(
             name=f"Scattered-Target-{i + 1}", entity_type="technology"
         )
         scattered_eids.append(eid)
@@ -160,7 +160,7 @@ def test_gap_analysis(store: Store) -> None:
         )
 
     # Entity "Buggy-Lib" has fixes but no lessons
-    buggy_eid = store.create_entity(name="Buggy-Lib", entity_type="technology")
+    buggy_eid, _ = store.create_entity(name="Buggy-Lib", entity_type="technology")
     for i in range(2):
         fix_id = store.create(
             obj_type="fix",
@@ -188,7 +188,7 @@ def test_gap_analysis(store: Store) -> None:
         )
 
     # Entity "Learned-Lib" has fixes AND a lesson
-    learned_eid = store.create_entity(name="Learned-Lib", entity_type="technology")
+    learned_eid, _ = store.create_entity(name="Learned-Lib", entity_type="technology")
     for i in range(2):
         fix_id = store.create(
             obj_type="fix",

benchmarks/corpus/generator.py

@@ -166,7 +166,7 @@ def generate(self) -> dict[str, str]:
     def _create_entities(self) -> None:
         """Create all entity nodes."""
         for tmpl in ENTITY_TEMPLATES:
-            eid = self.store.create_entity(
+            eid, _ = self.store.create_entity(
                 name=tmpl["name"], entity_type=tmpl["type"]
             )
             self.entity_ids[tmpl["name"]] = eid

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "abbacus-cortex"
-version = "0.3.4"
+version = "0.3.5"
 description = "Cognitive knowledge system with formal ontology, reasoning, and intelligence serving"
 readme = "README.md"
 authors = [
@@ -42,6 +42,12 @@ dependencies = [
     # HTTP client
     "httpx>=0.28",
     # LLM (provider-agnostic: Anthropic, OpenAI, Ollama, etc.)
+    # Pinned at >=1.60: bumping to >=1.83.7 (the patched version for current
+    # GHSA alerts) downgrades typer 0.24 -> 0.23 and click 8.3 -> 8.1 via the
+    # python-dotenv constraint chain, which breaks ~24 CLI tests that rely on
+    # click 8.3's CliRunner.Result.stderr behavior. The flagged litellm CVEs
+    # are all in litellm's proxy server endpoints, which Cortex never runs.
+    # Cortex is local-only and only calls litellm.completion() as a library.
     "litellm>=1.60",
 ]
 
@@ -60,7 +66,7 @@ cortex = "cortex.cli.main:app"
 
 [dependency-groups]
 dev = [
-    "pytest>=8.3",
+    "pytest>=9.0.3",
     "pytest-asyncio>=0.25",
     # Bundle 9 / F.1 + F.2: xdist for parallel runs (the CI workflow uses
     # ``pytest -n auto``); forked for the test-isolation suite that needs

src/cortex/__init__.py

@@ -1,3 +1,3 @@
 """Cortex — Cognitive knowledge system."""
 
-__version__ = "0.3.4"
+__version__ = "0.3.5"

src/cortex/services/llm.py

@@ -78,6 +78,7 @@
         "branch",
         "commit",
         "merge",
+        "cortex",
     }
 )