fix: bound native picklescan state simulation #1501

Merged: mldangelo-oai merged 7 commits into main from mdangelo/codex/fix-picklescan-state-bounds-c102 on Jun 4, 2026

@mldangelo-oai (Contributor)

Summary:
- add fail-closed tracked-state budgets for native picklescan state simulation
- bound tracked dictionary entries, memo/DUP references, recursive mapping traversal, and dotted global policy lookup
- add regressions for C102/C133/C156/C176/C183/C184 plus benign FP guards

Validation:
- cargo fmt/check/clippy/test: 96 passed
- maturin develop --release
- pytest packages/modelaudit-picklescan/tests/test_native_interface.py -q: 2 passed
- ruff format/check, mypy, git diff --check
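The fail-closed budget idea in the summary above, as an added Rust example that is not code from this PR or from modelaudit-picklescan. `Op`, `Budget`, `Verdict`, `simulate`, the limits and the one-entry deny list are all hypothetical; the point is that exhausting a tracking budget, or losing track of a value, yields a non-clean verdict instead of silently ending analysis.

```rust
// Added illustration: all names and limits are hypothetical, not modelaudit's code.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Verdict { Clean, Denied(String), BudgetExceeded(&'static str), Untracked }

// Simplified stand-ins for pickle opcodes that read or grow simulated state.
pub enum Op { Str(&'static str), Dup, Put(u32), Get(u32), StackGlobal }

pub struct Budget { pub max_stack: usize, pub max_memo: usize }

const DENY: &[&str] = &["os.system"]; // constructed one-entry policy

pub fn simulate(ops: &[Op], b: &Budget) -> Verdict {
    let mut stack: Vec<String> = Vec::new();
    let mut memo: HashMap<u32, String> = HashMap::new();
    for op in ops {
        match op {
            Op::Str(s) => stack.push(s.to_string()),
            Op::Dup => match stack.last().cloned() {
                Some(top) => stack.push(top),
                None => return Verdict::Untracked,
            },
            Op::Put(k) => match stack.last() {
                Some(top) => { memo.insert(*k, top.clone()); }
                None => return Verdict::Untracked,
            },
            Op::Get(k) => match memo.get(k).cloned() {
                Some(v) => stack.push(v),
                None => return Verdict::Untracked,
            },
            Op::StackGlobal => {
                // STACK_GLOBAL takes the name from the top, the module below it.
                let (Some(name), Some(module)) = (stack.pop(), stack.pop()) else {
                    return Verdict::Untracked;
                };
                let dotted = format!("{module}.{name}");
                if DENY.contains(&dotted.as_str()) { return Verdict::Denied(dotted); }
                stack.push(dotted);
            }
        }
        // Fail closed: report exhaustion instead of silently dropping state.
        if stack.len() > b.max_stack { return Verdict::BudgetExceeded("stack"); }
        if memo.len() > b.max_memo { return Verdict::BudgetExceeded("memo"); }
    }
    Verdict::Clean
}
```

A caller that gates loading on the result should treat only `Verdict::Clean` as a pass, so `BudgetExceeded` and `Untracked` block the file the same way `Denied` does.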

@mldangelo-oai (Contributor, Author)

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Delightful!

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@mldangelo-oai mldangelo-oai marked this pull request as ready for review June 2, 2026 06:55
github-actions Bot commented Jun 2, 2026 (Contributor)

Performance Benchmarks

Compared 12 shared benchmarks with a regression threshold of 15%.
Status: 6 regressions, 0 improved, 6 stable, 0 new, 0 missing.
Aggregate shared-benchmark median: 790.61ms -> 1.262s (+59.6%).

Top regressions:

  • tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint +434.1% (19.73ms -> 105.38ms, clean-training-checkpoint, safe_large, size=278.2 KiB, files=1)
  • tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream +375.2% (22.83ms -> 108.49ms, chunked-upload-stream, chunked_stream, size=278.2 KiB, files=1)
  • tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load +73.0% (39.26ms -> 67.92ms, single-checkpoint-preflight, single_checkpoint.pkl, size=183.0 KiB, files=1)

| Workload | Benchmark | Target | Size | Files | Baseline | Current | Change | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| clean-training-checkpoint | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_clean_training_checkpoint | safe_large | 278.2 KiB | 1 | 19.73ms | 105.38ms | +434.1% | regression |
| chunked-upload-stream | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_chunked_upload_stream | chunked_stream | 278.2 KiB | 1 | 22.83ms | 108.49ms | +375.2% | regression |
| single-checkpoint-preflight | tests/benchmarks/test_scan_benchmarks.py::test_scan_single_checkpoint_before_load | single_checkpoint.pkl | 183.0 KiB | 1 | 39.26ms | 67.92ms | +73.0% | regression |
| duplicate-heavy-registry | tests/benchmarks/test_scan_benchmarks.py::test_scan_duplicate_registry_snapshot | registry-snapshot | 915.2 KiB | 13 | 212.99ms | 361.80ms | +69.9% | regression |
| mixed-model-repository | tests/benchmarks/test_scan_benchmarks.py::test_scan_release_candidate_repository | release-candidate | 547.3 KiB | 32 | 314.25ms | 409.72ms | +30.4% | regression |
| suspicious-pickle-intake | tests/benchmarks/test_scan_benchmarks.py::test_scan_suspicious_pickle_intake | suspicious-intake | 183.8 KiB | 4 | 106.14ms | 133.40ms | +25.7% | regression |
| padded-multi-stream-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_padded_multi_stream_upload | multi_stream_padded | 4.1 KiB | 1 | 1.69ms | 1.64ms | -2.9% | stable |
| direct-malicious-upload | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_direct_malicious_upload | malicious_reduce | 52 B | 1 | 1.59ms | 1.55ms | -2.7% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_raw] | nested_raw | 78 B | 1 | 480.6us | 468.9us | -2.4% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_hex] | nested_hex | 130 B | 1 | 496.1us | 508.0us | +2.4% | stable |
| nested-payload-review | tests/benchmarks/test_picklescan_benchmarks.py::test_picklescan_nested_payload_review[nested_base64] | nested_base64 | 98 B | 1 | 493.4us | 484.2us | -1.9% | stable |
| warm-cache-rescan | tests/benchmarks/test_scan_benchmarks.py::test_scan_warm_cached_repository_rescan | release-candidate | 547.3 KiB | 32 | 70.67ms | 70.34ms | -0.5% | stable |

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4a94dbeea5

Comment thread packages/modelaudit-picklescan/rust/src/policy.rs Outdated
Comment thread packages/modelaudit-picklescan/rust/src/state.rs Outdated
Comment thread packages/modelaudit-picklescan/rust/src/state.rs Outdated
Comment thread packages/modelaudit-picklescan/rust/src/state.rs Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d241667d8b

Comment thread packages/modelaudit-picklescan/rust/src/state.rs Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5a5e70d2e5

Comment thread packages/modelaudit-picklescan/rust/src/state.rs Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2a60b60d9c

Comment thread packages/modelaudit-picklescan/rust/src/policy.rs Outdated
Comment thread packages/modelaudit-picklescan/rust/src/state.rs
Comment thread packages/modelaudit-picklescan/rust/src/state.rs Outdated
@mldangelo-oai mldangelo-oai merged commit f4c9cdf into main Jun 4, 2026
31 checks passed
@mldangelo-oai mldangelo-oai deleted the mdangelo/codex/fix-picklescan-state-bounds-c102 branch June 4, 2026 00:55
@github-actions github-actions Bot mentioned this pull request Jun 5, 2026