build(deps): bump joserfc from 1.6.5 to 1.6.7

[dependabot]

Bumps joserfc from 1.6.5 to 1.6.7.

Release notes

Sourced from joserfc's releases.

1.6.7

   🐞 Bug Fixes

• jws: Validate payload size for b64=false  -  by @​lepture (4d4ea)
• typing: Accept any Collection for algorithms, not just list  -  by @​jonathangreen (102a7)
• typing: Use cast for type hints  -  by @​lepture (75d9f)

    View changes on GitHub

Changelog

Sourced from joserfc's changelog.

1.6.7

Released on May 23, 2026

• Update for type hints.

1.6.6

Released on May 18, 2026

• JWS: validate payload size when b64=false.

Commits

• 1e5b94d chore: release 1.6.7
• 75d9f95 fix(typing): use cast for type hints
• 6d24037 Merge pull request #98 from jonathangreen/algorithms-accept-collection
• 102a7a7 fix(typing): accept any Collection for algorithms, not just list
• 8b869e8 chore: release 1.6.6
• 00d599b chore: update actions
• 9186561 Merge pull request #97 from authlib/fix-b64
• 4d4ea2e fix(jws): validate payload size for b64=false
• b6554cc Merge pull request #96 from sebasxsala/fix-p512-fixture
• b89eadf test: normalize P-521 private key fixture
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

Roam Agent Review

Verdict: SAFE (risk_level low)

blast-radius 0/100 · ai-likelihood 14/100 · rule violations 0 · critique high-severity 0

Verdict: SAFE. All structural signals clean at the configured thresholds.

Next steps

• No structural concerns at the configured thresholds. Standard review still recommended.

---

_{Powered by roam-code — Apache 2.0, 100% local. Customize thresholds in .roam/rules.yml. Docs.}

[github-actions]

roam-code Analysis

Mode: incremental (changed-only) — base aa263622b8a6d91fd29d5525da3165cfa67c0a1b, 1 changed+dependent files

Health Score: 81/100 HEALTHY

health: Healthy codebase (81/100) — 46 critical issues, focus: god_components
pr-risk: index-stale

Health Metrics

Metric	Value
Health Score	81/100
Tangle Ratio	0.1%
Propagation Cost	0.0019
Total Issues	67

PR Risk

Metric	Value
Risk Score	0/100

Quality Gate: PASSED

Gate expression: health_score>=50

SARIF Upload

Metric	Value
Category	roam-code-self-analysis/self-analysis/py3.12
Results Uploaded	80

Full analysis output

health

{
  "_meta": {
    "cache_ttl_s": 300,
    "cacheable": true,
    "index_age_s": 4,
    "latency_ms": null,
    "response_tokens": 4258,
    "roam_version": "13.6.1",
    "timestamp": "2026-06-30T12:41:15Z"
  },
  "actionable_count": 11,
  "actionable_cycles": 2,
  "agent_contract": {
    "confidence": null,
    "facts": [
      "Healthy codebase (81/100) — 46 critical issues, focus: god_components",
      "health score 81",
      "tangle ratio 0.1",
      "0.0019 propagation cost findings",
      "issue count 67"
    ],
    "next_commands": [
      "roam debt",
      "roam trends --days 30"
    ],
    "risks": []
  },
  "algebraic_connectivity": null,
  "algebraic_connectivity_available": false,
  "bottleneck_thresholds": {
    "p70": 544.5,
    "p90": 4706.1,
    "population": 1987,
    "utility_multiplier": 1.5
  },
  "category_severity": {
    "bottlenecks": {
      "critical": 15,
      "info": 0,
      "warning": 0
    },
    "cycles": {
      "critical": 1,
      "info": 0,
      "warning": 1
    },
    "god_components": {
      "critical": 30,
      "info": 10,
      "warning": 10
    },
    "layer_violations": {
      "critical": 0,
      "info": 0,
      "warning": 0
    }
  },
  "command": "health",
  "cycles_actionable": 2,
  "cycles_total": 15,
  "framework_filtered": 0,
  "health_score": 81,
  "ignored_cycles": 13,
  "imported_coverable_lines": 0,
  "imported_coverage_files": 0,
  "imported_coverage_pct": null,
  "imported_covered_lines": 0,
  "index_status": {
    "dirty_files": 0,
    "fresh": false,
    "head_commit": "cfaff51a20d5",
    "hint": "index latest commit 35b05d180f39 != HEAD cfaff51a20d5 — git-derived metrics (commits, churn, co-change, weather) may be stale. Run `roam index --force`.",
    "indexed_commit": "35b05d180f39"
  },
  "issue_count": 67,
  "list_counts": {
    "bottlenecks": 15,
    "cycle_break_suggestions": 1,
    "cycles": 15,
    "god_components": 50,
    "layer_violations": 0,
    "next_steps": 2,
    "score_breakdown": 5
  },
  "project": "roam-code",
  "propagation_cost": 0.0019,
  "schema": "roam-envelope-v1",
  "schema_version": "1.1.0",
  "severity": {
    "critical": 46,
    "info": 23,
    "warning": 11
  },
  "summary": {
    "actionable_cycles": 2,
    "algebraic_connectivity": null,
    "algebraic_connectivity_available": false,
    "category_severity": {
      "bottlenecks": {
        "critical": 15,
        "info": 0,
        "warning": 0
      },
      "cycles": {
        "critical": 1,
        "info": 0,
        "warning": 1
      },
      "god_components": {
        "critical": 30,
        "info": 10,
        "warning": 10
      },
      "layer_violations": {
        "critical": 0,
        "info": 0,
        "warning": 0
      }
    },
    "cycles_actionable": 2,
    "cycles_definition": "Cycle counts derived from `roam.graph.cycles.find_cycles(G, min_size=2)` on the symbol graph. `cycles_total` = all SCCs of size >= 2; `cycles_actionable` = SCCs spanning >=2 files AND no test files (same-file and test-only cycles are informational). Run `roam health` for the per-cycle breakdown.",
    "cycles_total": 15,
    "detail_available": true,
    "god_components": 50,
    "god_components_definition": "God components: symbols where `(in_degree + out_degree) > 20` from the `graph_metrics` table, with utility-aware severity bands (standard >50=CRITICAL >30=WARNING; utility >150=CRITICAL >90=WARNING). Run `roam health` for the per-symbol breakdown. Legacy aliases: `god_objects` (fingerprint), `god_classes` (rules).",
    "health_score": 81,
    "health_score_definition": "weighted geometric mean (0-100) of 5 sigmoid health factors: tangle_ratio, god_components, bottlenecks, layer_violations, file_health (+coverage if available).",
    "ignored_cycles": 13,
    "imported_coverage_files": 0,
    "imported_coverage_pct": null,
    "issue_count": 67,
    "partial_success": true,
    "preserved_list_truncations": {},
    "propagation_cost": 0.0019,
    "severity": {
      "critical": 46,
      "info": 23,
      "warning": 11
    },
    "tangle_ratio": 0.1,
    "tangle_ratio_definition": "fraction of symbols inside non-trivial SCCs; higher = more cyclic coupling.",
    "total_cycles": 15,
    "truncated": true,
    "verdict": "Healthy codebase (81/100) — 46 critical issues, focus: god_components",
    "warnings_out": [
      "health_algebraic_connectivity_warning:RuntimeWarning:algebraic_connectivity compute failed (ModuleNotFoundError): No module named 'numpy'; returning 0.0 sentinel — value is NOT a legitimate disconnected-graph reading"
    ]
  },
  "tangle_ratio": 0.1,
  "total_cycles": 15,
  "utility_count": 39,
  "version": "13.6.1",
  "warnings_out": [
    "health_algebraic_connectivity_warning:RuntimeWarning:algebraic_connectivity compute failed (ModuleNotFoundError): No module named 'numpy'; returning 0.0 sentinel — value is NOT a legitimate disconnected-graph reading"
  ]
}

pr-risk

{
  "_meta": {
    "cache_ttl_s": 60,
    "cacheable": true,
    "index_age_s": 4,
    "latency_ms": null,
    "response_tokens": 160,
    "roam_version": "13.6.1",
    "timestamp": "2026-06-30T12:41:15Z"
  },
  "agent_contract": {
    "confidence": null,
    "facts": [
      "index-stale",
      "risk score 0",
      "1 risk rank findings"
    ],
    "next_commands": [],
    "risks": []
  },
  "command": "pr-risk",
  "message": "Changed files not found in index. Run `roam index` first.",
  "project": "roam-code",
  "schema": "roam-envelope-v1",
  "schema_version": "1.1.0",
  "summary": {
    "hint": "Changed files not in index — run `roam index`.",
    "partial_success": false,
    "risk_level": "low",
    "risk_level_canonical": "low",
    "risk_rank": 1,
    "risk_score": 0,
    "verdict": "index-stale"
  },
  "version": "13.6.1"
}

---

roam-code analysis | Commands: health pr-risk