chore(release): 2.8.0

[chernistry]

Cuts the 2.8.0 release.

• Bumps pyproject.toml (and the uv.lock self-entry) from 2.7.0 to 2.8.0, which the auto-release gate keys on.
• Adds human release notes at docs/release-notes/v2.8.0.md.

Highlights

• Feature: bernstein worktrees unlock to inspect and recover a stuck GC lock, recorded as a tamper-evident audit event. (feat(worktrees): add worktrees unlock to recover a stuck GC lock #2094)
• Fixes: Codex usable with a ChatGPT OAuth login (fix(codex): respect non-Claude model selection and OAuth, fix demo summary #2086); worktree GC no longer loses unmerged work on non-main repos or wedges after a crash (fix(worktrees): preserve unmerged work on non-main repos and recover stale GC lock #2093).
• Security: cleared the open code-scanning and Dependabot findings and bumped the flagged dependencies (chore(security): resolve code-scanning and Dependabot findings #2087, chore(deps): clear remaining pip-audit advisories (pyjwt, python-multipart) #2083).

Minor bump because of the new feature. On merge, a green main run triggers auto-release to tag v2.8.0 and hand off to publish (PyPI, GHCR, GitHub Release).

Summary by Sourcery

Cut the 2.8.0 release by bumping the package version and adding release notes for the new features, fixes, and security updates.

New Features:

• Document the new bernstein worktrees unlock command for inspecting and recovering stuck GC locks with audit logging.

Bug Fixes:

• Document fixes for Codex usage with ChatGPT OAuth login, worktree GC losing unmerged work on non-main default branches, and GC lock wedging after crashes.

Enhancements:

• Summarize maintenance improvements including cleared code-scanning findings, dependency upgrades, documentation additions, and quality cleanups in the 2.8.0 release notes.

Documentation:

• Add human-readable release notes for v2.8.0 covering features, fixes, security updates, documentation changes, and quality work.

Tests:

• Note CI permission tightening and dependency updates that help keep the test and scanning surface clean as part of the 2.8.0 release.

Summary by CodeRabbit

• New Features

  • Added a way to inspect and recover stuck worktree lock situations, with audit logging.

• Bug Fixes

  • Improved reliability around ChatGPT sign-in/session handling and fixed a demo crash regression.
  • Reduced issues caused by stale worktree locks, including better handling for repositories whose default branch is not main.

• Security

  • Cleared several outstanding security findings and removed outdated permission grants.
  • Updated bundled dependencies and tooling.

• Documentation

  • Added release notes updates, UI screenshots, and a community benchmark.

[sourcery-ai]

Reviewer's Guide

Prepares the 2.8.0 release by bumping the project version and adding detailed human-readable release notes documenting new features, fixes, and security/dependency updates.

File-Level Changes

Change	Details	Files
Bumped the project version to 2.8.0 to trigger the automated release pipeline.	Updated the project version field from 2.7.0 to 2.8.0 in the packaging metadata Updated the self-entry version in the dependency lockfile to stay consistent with the new release version	pyproject.toml uv.lock
Added human-readable release notes for v2.8.0 covering features, fixes, security, and doc updates.	Created a new release notes document for v2.8.0 with a high-level summary and categorized sections Documented the new worktree GC unlock feature and its audit logging behavior Recorded fixes for Codex OAuth usage, worktree GC behavior on non-main repos, and GC lock recovery Summarized security hardening, dependency bumps, CI permissions tightening, docs updates, and quality refactors	docs/release-notes/v2.8.0.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[github-actions]

Sonar insights (advisory, no merge-block)

Snapshot of bernstein on the configured Sonar instance:

Metric	Value
Coverage	80.1
Code smells	0
Bugs	0
Vulnerabilities	0
Security hotspots	0

Run bernstein doctor sonar locally for the full surface.

This comment is a soft signal. The Sonar scan runs on push to main; the PR check itself never fails on smells.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9d124689-f378-4ea2-8503-9181fe7abd69

📥 Commits

Reviewing files that changed from the base of the PR and between a8ce802 and 5165ad3.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock, !**/*.lock

📒 Files selected for processing (2)

• docs/release-notes/v2.8.0.md
• pyproject.toml

---

📝 Walkthrough

Walkthrough

Adds v2.8.0 release notes covering worktree unlock behavior, Codex and worktree fixes, security and dependency updates, docs/community additions, and quality cleanups. Updates pyproject.toml package version metadata to 2.8.0.

Changes

v2.8.0 release update

Layer / File(s)	Summary
Release notes content docs/release-notes/v2.8.0.md	Adds the v2.8.0 release header and the feature, fix, security, docs/community, and quality entries.
Package version bump pyproject.toml	Updates [project].version from 2.7.0 to 2.8.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• sipyourdrink-ltd/bernstein#1658: Updates release notes alongside the package version in the same release-automation path.
• sipyourdrink-ltd/bernstein#2039: Also changes only [project].version in pyproject.toml, matching the version bump here.

Suggested labels

docs, dependencies, size/xs

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is concise and accurately reflects the 2.8.0 release cut.
Description check	✅ Passed	The description covers the release intent, version bump, and key changes, and is sufficiently detailed despite not matching the template exactly.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/release-2.8.0

---

_{Comment @coderabbitai help to get the list of available commands.}

[sourcery-ai]

Hey - I've found 1 issue

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="docs/release-notes/v2.8.0.md" line_range="17" />
<code_context>
+- Worktree GC no longer loses unmerged agent work on a repository whose default branch is not `main`. The graveyard pre-check compared against a hardcoded `main`, so when `main` did not exist the check failed and was read as "nothing to preserve", letting a stale worktree be deleted with its unmerged commits. The base branch is now resolved from the repo default, and an inconclusive check preserves the branch to the graveyard instead of dropping it. (#2093)
</code_context>
<issue_to_address>
**suggestion (typo):** Consider adjusting the preposition in "preserves the branch to the graveyard" for clearer grammar.

For example, you could say "preserves the branch in the graveyard," which more clearly indicates the branch is retained rather than deleted.

```suggestion
- Worktree GC no longer loses unmerged agent work on a repository whose default branch is not `main`. The graveyard pre-check compared against a hardcoded `main`, so when `main` did not exist the check failed and was read as "nothing to preserve", letting a stale worktree be deleted with its unmerged commits. The base branch is now resolved from the repo default, and an inconclusive check preserves the branch in the graveyard instead of dropping it. (#2093)
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

suggestion (typo): Consider adjusting the preposition in "preserves the branch to the graveyard" for clearer grammar.

For example, you could say "preserves the branch in the graveyard," which more clearly indicates the branch is retained rather than deleted.

Suggested change

- Worktree GC no longer loses unmerged agent work on a repository whose default branch is not `main`. The graveyard pre-check compared against a hardcoded `main`, so when `main` did not exist the check failed and was read as "nothing to preserve", letting a stale worktree be deleted with its unmerged commits. The base branch is now resolved from the repo default, and an inconclusive check preserves the branch to the graveyard instead of dropping it. (#2093)

- Worktree GC no longer loses unmerged agent work on a repository whose default branch is not `main`. The graveyard pre-check compared against a hardcoded `main`, so when `main` did not exist the check failed and was read as "nothing to preserve", letting a stale worktree be deleted with its unmerged commits. The base branch is now resolved from the repo default, and an inconclusive check preserves the branch in the graveyard instead of dropping it. (#2093)

[github-actions]

Review-bot acknowledgement summary

• Must-address findings: 0 (0 acknowledged, 0 open)
• Informational findings: 1

All must-address findings are resolved or acknowledged.

[github-actions]

bernstein doctor observe for PR #2095 (chore/release-2.8.0): ok=1, warn=1, fail=0, error=0, skipped=2

sonar -- OK (project bernstein)

metric	value	delta	threshold	status
coverage_pct	80.1%	new	80.0%	ok
code_smells	0	new	50	ok
bugs	0	new	0	ok
vulnerabilities	0	new	0	ok
security_hotspots	0	new	0	ok

code-scanning -- WARN (2 open alert(s))

metric	value	delta	threshold	status
open_alerts	2	new	0	warn
critical_alerts	0	new	0	ok
high_alerts	1	new	0	warn
medium_alerts	0	new	-	ok
low_alerts	0	new	-	ok

Skipped backends (credentials not configured)

• glitchtip: BERNSTEIN_GLITCHTIP_TOKEN not set
• dt: DTRACK_URL/TOKEN/PROJECT not set

See docs/observability/unified-doctor.md for backend setup notes.