Update deps; improve README

Signed-off-by: Will Killian <william.killian@outlook.com>

Author: willkill07

.github/workflows/linting.yml

@@ -11,14 +11,18 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.12", "3.13"]
     steps:
       - name: Checkout
         uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: ${{ matrix.python-version }}
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7
@@ -31,14 +35,18 @@ jobs:
 
   test:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.12", "3.13"]
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: ${{ matrix.python-version }}
 
       - name: Install uv
         uses: astral-sh/setup-uv@v7

AGENT.md

@@ -45,7 +45,7 @@ skills/            # task playbooks (SKILL.md per subfolder) for assistants and
 
 1. **`Course` naming**: `scheduler.config` uses `Course` as a **course-id string** type in JSON config. `scheduler.models` defines a **`Course` class** (credits, meetings, etc.). `CourseInstance.course` is the model; use **`.course.course_id`** for the config-style id. (See README “Note on naming”.)
 2. **Generated artifacts**: After changing **`server.py`** or API-facing models, refresh **`fern/openapi.json`**. After **`CombinedConfig`** / config models change, refresh **`fern/docs/assets/combined-config.schema.json`**. After public **docstrings** change, refresh **`fern/docs/pages/python/reference.mdx`** — see CONTRIBUTING.
-3. **Style**: **Ruff** is authoritative (`pyproject.toml`: line length **120**, `py312`). CONTRIBUTING’s “88 / Black” note is outdated relative to the repo config — follow **`pyproject.toml`**.
+3. **Style**: **Ruff** is authoritative (`pyproject.toml`: line length **120**, `py312`). CONTRIBUTING matches this; when in doubt follow **`pyproject.toml`**.
 
 ## Skills
 

CONTRIBUTING.md

@@ -72,9 +72,10 @@ source .venv/bin/activate  # On macOS/Linux
 # OR
 .venv\Scripts\activate     # On Windows
 
-# Install dependencies
-pip install -r requirements.txt
+# Install the package (editable). There is no checked-in requirements.txt.
 pip install -e .
+# Dev tools (pytest, ruff, ty, …) are listed under [dependency-groups] dev in pyproject.toml;
+# install the ones you need with pip, or prefer uv sync.
 ```
 
 ### 3. Install Development Dependencies
@@ -225,7 +226,7 @@ We follow [PEP 8](https://pep8.org/) with some modifications enforced by our lin
 
 **Key Standards:**
 - Use 4 spaces for indentation (no tabs)
-- Maximum line length: 88 characters (enforced by Black)
+- Maximum line length: **120** characters (enforced by **Ruff** format; see `[tool.ruff]` in `pyproject.toml`)
 - Use descriptive variable and function names
 - Add type hints for all function parameters and return values
 - Use f-strings for string formatting (Python 3.6+)

README.md

@@ -89,6 +89,16 @@ curl -X POST "http://localhost:8000/schedules/{schedule_id}/next"
 curl -X GET "http://localhost:8000/schedules/{schedule_id}/count"
 ```
 
+### Server deployment and security
+
+The REST API is convenient for local use and trusted integrations. For production or internet-facing deployments:
+
+- **No built-in authentication** — use a reverse proxy, API gateway, or private network; do not expose the process directly without controls you trust.
+- **In-memory sessions** — active schedule sessions are lost on restart and are not shared across multiple server processes.
+- **CORS** — set the `CORS_ORIGINS` environment variable to a comma-separated list of allowed origins when browsers must send credentials. If unset, the server allows all origins without credentials (typical for local development).
+
+See [SECURITY.md](SECURITY.md) for how to report vulnerabilities.
+
 ## Documentation
 
 **Published docs (configuration, Python API, REST API, development):**

SECURITY.md

@@ -0,0 +1,13 @@
+# Security
+
+## Reporting a vulnerability
+
+Please **do not** open a public GitHub issue for security-sensitive reports.
+
+Instead, use **[GitHub Security Advisories](https://github.com/mucsci/scheduler/security/advisories/new)** for this repository (or the Security tab → *Report a vulnerability*). We will work with you to understand and address the issue before any public disclosure.
+
+## REST server expectations
+
+The `scheduler-server` process does not implement API keys or user authentication. Deploy it only on trusted networks, or place it behind infrastructure that provides authentication, rate limiting, and appropriate request size limits. Schedule sessions are stored in memory and are cleared when the process stops.
+
+For non-sensitive questions about deployment, open a regular GitHub issue on this repository.

pyproject.toml

@@ -42,11 +42,11 @@ dev = [
   "httpx~=0.28",
   "prek~=0.3",
   "pytest-cov~=6.0",
-    "ruff~=0.12",
-    "pytest~=8.0",
+  "ruff~=0.15",
+  "pytest~=8.0",
   "twine~=6.2",
   "ty~=0.0",
-  "pydoc-markdown>=4.8.2",
+  "pydoc-markdown~=4.8",
 ]
 
 [tool.uv]
@@ -88,6 +88,9 @@ line-ending = "auto"
 
 [tool.ty.rules]
 possibly-unresolved-reference = "warn"
+# Z3 / Starlette stubs and intentional test assignments produce noise at default severity.
+redundant-cast = "ignore"
+unused-type-ignore-comment = "ignore"
 
 [tool.pytest.ini_options]
 testpaths = ["tests"]

src/scheduler/config.py

@@ -454,13 +454,14 @@ def validate(self):
         errors = []
 
         # Check that all days in time_slot_config are valid
-        valid_days = {"MON", "TUE", "WED", "THU", "FRI"}
+        weekdays: tuple[Day, ...] = ("MON", "TUE", "WED", "THU", "FRI")
+        valid_days = frozenset(weekdays)
         for day in self.times:
             if day not in valid_days:
                 errors.append(f"Invalid day '{day}' in time slot configuration")
 
         # Check that there are time blocks for each day
-        for day in valid_days:
+        for day in weekdays:
             if day not in self.times or not self.times[day]:
                 errors.append(f"No time blocks defined for {day}")
 

src/scheduler/scheduler.py

@@ -8,7 +8,7 @@
 from functools import cache
 from typing import cast
 
-import z3  # type: ignore
+import z3
 from bidict import frozenbidict
 from pydantic import BaseModel
 
@@ -607,10 +607,7 @@ def _build_faculty_constraints(self, z3_data: _Z3SortsAndConstants) -> list[z3.B
                             )
                         )
                     # ensure that each faculty is assigned <= unique course limit
-                    limit = cast(
-                        z3.BoolRef,
-                        self._simplify(z3.Sum([z3.If(tc, 1, 0) for tc in teaches_course]) <= unique_limit),
-                    )
+                    limit = self._simplify(z3.Sum([z3.If(tc, 1, 0) for tc in teaches_course]) <= unique_limit)
                     faculty_constraints.append(limit)
 
             # Track whether the faculty teaches on a given day
@@ -623,43 +620,27 @@ def _build_faculty_constraints(self, z3_data: _Z3SortsAndConstants) -> list[z3.B
                         slot_matches = [course.time == slot_const for slot_const in slot_constants]
                         if slot_matches:
                             course_day_assignments.append(
-                                cast(
-                                    z3.BoolRef,
-                                    self._simplify(
-                                        z3.And(
-                                            course.faculty == faculty_constant,
-                                            z3.Or(slot_matches),
-                                        )
-                                    ),
+                                self._simplify(
+                                    z3.And(
+                                        course.faculty == faculty_constant,
+                                        z3.Or(slot_matches),
+                                    )
                                 )
                             )
                 if course_day_assignments:
-                    day_indicator_map[day] = cast(
-                        z3.BoolRef,
-                        self._simplify(z3.Or(course_day_assignments)),
-                    )
+                    day_indicator_map[day] = self._simplify(z3.Or(course_day_assignments))
                 else:
                     day_indicator_map[day] = z3.BoolVal(False, ctx=self._ctx)
 
             # Maximum-day constraint
             day_sum_terms = [z3.If(indicator, 1, 0) for indicator in day_indicator_map.values()]
             day_sum = z3.Sum(day_sum_terms) if day_sum_terms else z3.IntVal(0, ctx=self._ctx)
-            faculty_constraints.append(
-                cast(
-                    z3.BoolRef,
-                    self._simplify(day_sum <= max_days),
-                )
-            )
+            faculty_constraints.append(self._simplify(day_sum <= max_days))
 
             # Mandatory-day constraints
             for mandatory_day in mandatory_days:
                 indicator = day_indicator_map.get(mandatory_day, z3.BoolVal(False, ctx=self._ctx))
-                faculty_constraints.append(
-                    cast(
-                        z3.BoolRef,
-                        self._simplify(indicator),
-                    )
-                )
+                faculty_constraints.append(self._simplify(indicator))
 
         return faculty_constraints
 

src/scheduler/server.py

@@ -5,6 +5,7 @@
 from concurrent.futures import Future, ThreadPoolExecutor
 from contextlib import asynccontextmanager
 from dataclasses import dataclass, field
+from typing import Any, cast
 
 import click
 from fastapi import BackgroundTasks, FastAPI, HTTPException
@@ -373,7 +374,7 @@ async def lifespan(app: FastAPI):
     _cors_credentials = False
 
 app.add_middleware(
-    CORSMiddleware,
+    cast(Any, CORSMiddleware),
     allow_origins=_cors_origins,
     allow_credentials=_cors_credentials,
     allow_methods=["*"],