chore: hygiene + CI gate (PR3 of bug-audit-v2)

[lesnik512]

Summary

PR3 of the 2026-06-05 bug-audit-v2 plan. Closes the four remaining hygiene/CI findings — pure chore PR, no production code paths change. Final PR of the audit; closes the loop on all 26 findings.

Findings closed

• UX-4 — BaseBootstrapper.__init__ now emits a logger.warning(...) alongside the existing warnings.warn(InstrumentDependencyMissingWarning, ...) when a configured instrument is missing its optional dependency. Users who suppress one channel (python -W ignore, PYTHONWARNINGS=ignore) still see the other.
• UX-5 — Added a bullet to CLAUDE.md under "Conventions" documenting the asymmetry between BaseConfig.from_dict (accepts explicit None as an override) and BaseConfig.from_object (filters None attributes, default takes over). Both methods already have docstrings; CLAUDE.md surfaces the asymmetry to contributors.
• TEST-NEW-7 — Escalate InstrumentSkippedWarning (and its subclass InstrumentDependencyMissingWarning) to error during tests. Any unexpected emission outside a pytest.warns(...) block now fails the test.
• SEC-5 — New .github/workflows/security-audit.yml runs pip-audit against the locked dependency set on every PR and weekly via cron. Mirrors ci.yml conventions (setup-uv@v3 with cache, Python 3.10 install, concurrency group). --no-deps --disable-pip avoids pip's ensurepip path which fails on uv-managed cpython 3.14.

Implementation notes

• TEST-NEW-7 mechanism deviation: the spec placed filterwarnings = [...] in [tool.pytest.ini_options] of pyproject.toml. That triggers pytest's pytest_load_initial_conftests hook to resolve lite_bootstrap.exceptions.InstrumentSkippedWarning via __import__ BEFORE pytest-cov installs coverage tracing, causing lite_bootstrap module-level statements to execute outside coverage measurement (verified: drops total from 100% → 78.78%). Reviewer reproduced the drop locally. Workaround: register the filter via a pytest_configure() hook in tests/conftest.py, which runs after coverage is active. Functionally equivalent.
• The pre-existing 2 warnings in pytest output ("collector.example.com" SEC-2 + CORS-related from test_config.py) are intentional — they're emitted by tests that don't wrap in pytest.warns() and represent the SEC-2/SEC-3 warnings being correctly triggered. Distinct from the filter's purpose, which targets InstrumentSkippedWarning specifically.

Test plan

• just test — 187 passed (186 baseline + 1 new from UX-4 test), 100% coverage.
• just lint-ci — clean (ruff, eof-fixer, ty).
• pip-audit --no-deps --disable-pip locally — No known vulnerabilities found across 133 resolved packages.
• Each commit scoped to one finding ID; reviewable at the task level.

Audit status

With PR3 merged, all 26 findings from the 2026-06-05 audit are resolved:

• PR1 (fix: lifecycle & teardown correctness (PR1 of bug-audit-v2) #108, merged): LOG-1..9 + SEC-4 — 10 findings
• PR2 (fix: config UX & security validation (PR2 of bug-audit-v2) #109, merged): UX-1, UX-2, UX-3, SEC-1, SEC-2, SEC-3 — 6 findings
• PR3 (this): UX-4, UX-5, TEST-NEW-7, SEC-5 — 4 findings
• TEST-NEW-1..6 folded into their parent code-fix PRs

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
unittests	100.00% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
lite_bootstrap/bootstrappers/base.py	100.00% <100.00%> (ø)
tests/conftest.py	100.00% <100.00%> (ø)
tests/test_free_bootstrap.py	100.00% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.