Update documentation to match current codebase#13
Merged
Conversation
Add documentation for recently added data preparation utilities: - create_event_time: for staggered adoption event studies - aggregate_to_cohorts: for cohort-level aggregation - rank_control_units: for control unit selection in DiD/SDID Updates both CLAUDE.md module summary and README.md with usage examples and API reference.
igerber
pushed a commit
that referenced
this pull request
Jan 4, 2026
igerber
added a commit
that referenced
this pull request
Apr 18, 2026
Replace the hard-coded "< 10 successes" warning threshold in the four TROP bootstrap sites (local unit-resample, local Rao-Wu, global unit-resample, global Rao-Wu) plus the Rust global happy path with a proportional 5% failure-rate guard, matching the existing SyntheticDiD bootstrap and placebo convention. A shared helper `bootstrap_utils.warn_bootstrap_failure_rate` centralizes the check so future axis-D work (e.g. PowerAnalysis simulation counter) can reuse it. Before this change, a run with `n_bootstrap=200` and 11 successes (94.5% failure rate) passed silently because 11 >= 10. Now any run with failure rate > 5% emits a `UserWarning` surfacing the success count, total attempts, and failure rate. SDID bootstrap paths (`synthetic_did.py:1036-1070` and `:1229-1251`) were verified during this work to already have the same 5% proportional guard — D-2/D-3 in the audit are marked resolved rather than bundled. Covered by audit axis D (degenerate-replicate handling). Findings #13-#16 from `docs/audits/silent-failures-findings.md`. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
4 tasks
TDL77
pushed a commit
to TDL77/diff-diff
that referenced
this pull request
May 18, 2026
CodeQL alert igerber#14 (untrusted-checkout-toctou/critical) is the third re-fire of the same rule family on this workflow (igerber#11/igerber#12 → igerber#13 → igerber#14). PR igerber#427's fork-skip gate was load-bearing for igerber#11/igerber#12 but the rule re-classified as igerber#14 at a shifted line range with escalated severity. A structural fix (checkout BASE_SHA only; `git show` for PR-head reads) would close the rule cleanly but degrade reviewer quality: pr_review.md explicitly instructs Codex to `grep -n "pattern" diff_diff/*.py` for pattern-consistency checks, and Codex's `sandbox: read-only` lets it inspect workspace files. Under restructure, those operations would search BASE content, missing patterns added in the PR. Workarounds that materialize PR-head content via non-`actions/checkout` mechanisms (git worktree, overlay) satisfy CodeQL's pattern matcher without changing runtime risk — security theater dressed up. The honest path: dismiss with documented rationale + guard test. The actual threat model accepted by the dismissal: - Codex runs with sandbox: read-only — can read PR-head files, cannot execute or write them - head_sha is API-pinned in the resolve-pr step before checkout; TOCTOU window is sub-second and bounded by the is_fork gate - Same-repo PR contributors who can push to PR head branches already have write access to push to main; the checkout doesn't expand attack surface - Fork PRs are skipped entirely (PR igerber#427 fork-skip gate) The dismissal becomes invalid only if a future workflow edit adds a step that EXECUTES PR-head content. Guard test TestWorkflowDoesNotExecutePRHeadCode in tests/test_openai_review.py fails CI on any of: pip install, pytest, npm install, cargo run/test, make, ./configure, maturin develop/build, poetry install/run, pdm, uv sync/run, tox, setup.py, etc. The maturin entries are load-bearing for this repo (Rust build per CLAUDE.md is the most likely future regression vector). The dismissal API call (gh api PATCH .../code-scanning/alerts/14) will be run post-merge, separately from this PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add documentation for recently added data preparation utilities:
Updates both CLAUDE.md module summary and README.md with usage examples and API reference.