chore(deps): update graphiti-core requirement from >=0.5.0 to >=0.29.1 in /auto-codex

[dependabot]

Updates the requirements on graphiti-core to permit the latest version.

Release notes

Sourced from graphiti-core's releases.

v0.29.1 - Optimizations and Efficiencies

Patch release covering quality and reliability improvements landed since 0.29.0.

Extraction quality

Attribute-hallucination guards (#1498) — addresses a customer report of up to 9KB of LLM meta-reasoning landing in entity attribute fields (e.g. phones, industry). The LLM was dumping internal deliberation and echoing schema description text back into values. Three layered defenses:

1. Prompt-level: extract_attributes prompts for both nodes and edges now have hard rules forbidding parenthetical reasoning, deliberative phrases, candidate alternatives, schema-description echoes, and null/N/A sentence stand-ins. Includes positive/negative examples.
2. Combined-extraction prompt: new OUTPUT DISCIPLINE block closes the "topic-as-Person" failure mode (full-sentence entity names) and pre-empts reasoning leaks into fact text and relation_type.
3. Provider-level preamble: a shared _apply_attribute_extraction_preamble on LLMClient mutates the system message across OpenAI, Anthropic, Gemini, and GLiNER2 so the "field descriptions are format specs, not values" instruction reaches every provider regardless of how structured output is wired. Sentinel-based idempotency.

Structural backstop — cap_string_attributes: drops any string attribute >250 chars before it reaches the graph. Configurable per-field via Pydantic Field(max_length=...) or globally via GRAPHITI_ATTRIBUTE_MAX_LENGTH. Also handles list[str] (per-item + aggregate cap of max_len * 8). Required-field carve-out retains the value with a louder WARNING rather than dropping (avoids ValidationError-ing the whole entity). Edge writes use scoped merge for over-cap drops only — fields the LLM legitimately omitted still clear. group_id flows to the log line for tenant correlation.

Combined-extraction entity & edge precision (#1498) — targets six classes of low-quality entities (multi-choice fragments, clock times, quantities, coordinates, imperative tip phrases, slogans) plus two systematic edge regressions (location-fragmentation through scenery intermediaries, dropped multi-episode setup facts).

• ENTITY RULE 6 expanded into 8 sub-bullets covering the skip classes; ENTITY RULE 9 added for didactic / tutorial scaffolding.
• FACT RULE 4 strengthened around narrative announcements, forward commitments, plans, and emotional setup in conversational episodes; FACT RULE 8 added requiring direct speaker-to-target edges over fragmenting through scenery intermediaries.
• Negative-examples block (A–G) added with paired source-and-extraction guidance per class.

Locomo 500-example eval (prompt change only):

• Entity F1: 0.674 (flat); precision −0.028, recall +0.025
• Edge volume: +7.7% over baseline; gold-edge recall +0.9pp
• Fact-text Jaccard on matched edges: 0.341 → 0.381
• Targeted entity classes on LME-derivative sample: quantities −93%, imperative tips −40%

Saga summarization

Episode-time watermarks for sagas (#1498) — saga (thread summary) timestamps now reflect originating-episode time rather than wall-clock time. SagaNode now carries two deliberately distinct watermarks:

• last_summarized_at (wall-clock) — the filter watermark. summarize_saga picks up any episode whose created_at > this value. Wall-clock + created_at comparison keeps backfilled episodes reachable on the next run.
• last_summarized_episode_valid_at (episode time) — the temporal watermark. Max valid_at across episodes covered by the current summary; advances monotonically. Public/temporal consumers ("how recent is this summary's content in event-time?") should use this field.

saga_get_episode_contents now returns list[(content, valid_at)] tuples so callers can compute the watermark. _get_or_create_saga renames now → created_at; callers pass the episode's valid_at so a newly minted saga's created_at matches the episode that produced it.

Docker / packaging

... (truncated)

Commits

• 34f56e6 Bump graphiti-core version to 0.29.1 (#1499)
• 7514b44 Forward-port: attribute-hallucination guards, combined-extraction precision, ...
• 9a2d6d0 fix: install MCP provider extras in Docker images (#1461)
• 304f4cc fix(docker): mount FalkorDB volume to actual data path (#1462)
• c427615 Bump the uv group across 2 directories with 4 updates (#1473)
• e381eaf docs(graphiti): drop stale add_episode_bulk edge-invalidation/date-extraction...
• 56cf7b3 Bump graphiti-core version to 0.29.0 (#1444)
• 164030f feat: add custom edge type support to combined extraction prompt (#1443)
• 9cdcc93 Bump the uv group across 4 directories with 2 updates (#1430)
• 673902c forward-port: combined node+edge extraction + prompt refinements (#1432)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[tytsxai]

已由 main 上的合并提交 81e4188 统一处理并验证，本 PR 分支因 #38 合入后出现 lockfile 冲突，单独 PR 不再合并。验证已覆盖：auto-codex-ui pnpm lint/typecheck/test，以及 Python 3.12 lock 安装后 pytest 全量通过。

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.