[codex] Add dependency cooldown

[michaelmwu]

Description

Adds a seven-day uv dependency cooldown via [tool.uv] exclude-newer and updates uv.lock to record the P7D cooldown plus package upload-time metadata. This reduces exposure to freshly published PyPI packages during normal dependency resolution.

Related Issue

N/A

How Has This Been Tested?

• uv lock --check
• ./scripts/lint.sh
• ./scripts/typecheck.sh

Summary by CodeRabbit

• Chores
  • Modified project dependency resolution configuration settings.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 12f49a71-6f7c-4755-92e3-eb14e2e92953

📥 Commits

Reviewing files that changed from the base of the PR and between ea5e03a and 53c9126.

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• pyproject.toml

---

📝 Walkthrough

Walkthrough

UV tool configuration added to pyproject.toml with an exclude-newer setting of 7 days, restricting package dependency resolution to versions at least 7 days old for stability.

Changes

UV Tool Configuration

Layer / File(s)	Summary
UV dependency caching settings pyproject.toml	UV tool block introduced with exclude-newer = "7 days" to constrain dependency resolution to packages older than 7 days.

🎯 1 (Trivial) | ⏱️ ~2 minutes

🐰 A hop, a skip, through config so neat,
Seven days of stability, oh what a treat!
UV now caches with prudent restraint,
No bleeding-edge packages—steady and quaint! 🎯

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '[codex] Add dependency cooldown' directly reflects the main change: adding a seven-day dependency cooldown configuration to the project via the uv tool.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch michaelmwu/npm-pip-cooldowns

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR introduces a dependency “cooldown” for uv by configuring exclude-newer to avoid resolving newly-published PyPI packages for 7 days, and refreshes the lockfile to record the new resolution options plus per-artifact upload timestamps.

Changes:

• Add [tool.uv] exclude-newer = "7 days" to enforce a seven-day dependency publish-time cooldown during resolution.
• Update uv.lock to include the cooldown metadata (exclude-newer-span = "P7D") and record upload-time for sdists/wheels.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
pyproject.toml	Adds uv configuration to apply a seven-day exclude-newer window during dependency resolution.
uv.lock	Bumps lock revision and records the cooldown options and package artifact upload-time metadata.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.