fix(ci): sync main merge fallout and stabilize sec/test gates

.github/workflows/sec-audit.yml

@@ -447,6 +447,11 @@ jobs:
         steps:
             - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
+            - name: Setup Python 3.11
+              uses: actions/setup-python@42375524cb8536ba1b604a2b818519a0e9745034 # v5
+              with:
+                  python-version: "3.11"
+
             - name: Enforce unsafe policy governance
               shell: bash
               run: |

src/memory/decay.rs

@@ -37,11 +37,7 @@ pub fn apply_time_decay(entries: &mut [MemoryEntry], half_life_days: f64) {
             Err(_) => continue,
         };
 
-        let age_days = now
-            .signed_duration_since(ts)
-            .num_seconds()
-            .max(0) as f64
-            / 86_400.0;
+        let age_days = now.signed_duration_since(ts).num_seconds().max(0) as f64 / 86_400.0;
 
         let decay_factor = (-age_days / half_life * std::f64::consts::LN_2).exp();
         entry.score = Some(score * decay_factor);

src/tools/shell.rs

@@ -740,10 +740,14 @@ mod tests {
     async fn shell_captures_stderr_output() {
         let tool = ShellTool::new(test_security(AutonomyLevel::Full), test_runtime());
         let result = tool
-            .execute(json!({"command": "echo error_msg >&2"}))
+            .execute(json!({"command": "cat __nonexistent_stderr_capture_file__"}))
             .await
             .unwrap();
-        assert!(result.error.as_deref().unwrap_or("").contains("error_msg"));
+        assert!(!result.success);
+        assert!(
+            result.error.as_deref().map(|msg| !msg.trim().is_empty()) == Some(true),
+            "expected non-empty stderr in error field"
+        );
     }
 
     #[tokio::test]