chore(release): 2.3.0 -- exit code semantics, BK formatting, dep bumps

Bumps the project version from 2.2.86 to 2.3.0 (minor) to signal the
breaking exit-code change in this PR:

  Exit 1 == blocking security finding (previously: anything)
  Exit 3 == infrastructure / API error  (NEW)

CHANGELOG.md:
- Breaking-change callout for the exit code semantics shift
- --exit-code-on-api-error documentation
- Commit message auto-truncation note
- Buildkite log formatting note
- Bundled Dependabot bumps roll-up
- CI hardening summary (dependabot.yml, dependabot-review.yml,
  python-tests guards, e2e skip-on-dependabot)

README.md:
- New "Exit codes" section with the canonical table
- Buildkite soft_fail examples (default exit 3 and custom 100)

pyproject.toml + socketsecurity/__init__.py + uv.lock:
- 2.2.87 (from the in-flight branch) -> 2.3.0

Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Author: lelia

CHANGELOG.md

@@ -1,5 +1,63 @@
 # Changelog
 
+## 2.3.0
+
+### Breaking change: exit codes for infrastructure errors
+
+API and infrastructure errors (timeouts, network failures, unexpected exceptions)
+now exit with code `3` instead of `1`. Exit code `1` is now exclusively used for
+blocking security findings.
+
+`--disable-blocking` no longer zeroes out infrastructure errors -- it only affects
+exit code `1` (security findings). If your pipeline relied on `--disable-blocking`
+to also swallow infra errors, use `--exit-code-on-api-error 0` instead.
+
+If you have pipeline logic that checks `exit_code == 1` to catch any CLI failure,
+update it to handle `3` separately for infrastructure errors. See the exit code
+reference in the README.
+
+### New: `--exit-code-on-api-error`
+
+New flag to remap the infrastructure error exit code. Useful for Buildkite
+`soft_fail` configs or pipelines with existing exit-code conventions:
+
+```
+socketcli --exit-code-on-api-error 100 ...
+```
+
+Set to `0` to swallow infrastructure errors entirely.
+
+### New: commit message auto-truncation
+
+`--commit-message` values longer than 200 characters are now automatically
+truncated before being sent to the API. This prevents HTTP 413 errors from
+oversized URL query parameters -- common when using AI-generated commit
+messages or piping in `$BUILDKITE_MESSAGE`.
+
+### Improved: Buildkite log formatting
+
+When running inside a Buildkite job (`BUILDKITE=true`), infrastructure errors
+now emit Buildkite log section markers (`^^^ +++` and `--- :warning:`) so the
+error section auto-expands in the Buildkite UI, along with a tip on using
+`soft_fail` to prevent blocking.
+
+### Dependencies
+
+Bundles eight Dependabot main-app upgrades (closes #175, #177, #181, #184, #188,
+#190, #198, #200) and three e2e fixture upgrades (closes #186, #187, #196).
+All target versions verified through Socket Firewall (`sfw`).
+
+### CI / Internal
+
+- New `.github/dependabot.yml` with grouped weekly bumps and a 7-day cooldown;
+  e2e fixtures are intentionally excluded.
+- New `dependabot-review` workflow runs Socket Firewall install smoke jobs on
+  every Dependabot PR -- no API secret required.
+- `python-tests` workflow now runs `uv lock --locked` drift check, a top-level
+  import smoke step, and `pip-audit`.
+- `e2e-test` workflow skips on Dependabot PRs (which can't access secrets);
+  Socket Firewall covers the supply-chain check.
+
 ## 2.2.83
 
 - Fixed branch detection in detached-HEAD CI checkouts. When `git name-rev --name-only HEAD` returned an output with a suffix operator (e.g. `remotes/origin/master~1`, `master^0`), the `~N`/`^N` was previously passed through as the branch name and rejected by the Socket API as an invalid Git ref. The suffix is now stripped before the prefix split, producing the bare branch name.

README.md

@@ -164,6 +164,42 @@ Minimal pattern:
     SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
 ```
 
+## Exit codes
+
+| Code | Meaning |
+|------|---------|
+| `0`  | Clean scan -- no blocking issues found (or `--disable-blocking` set) |
+| `1`  | Blocking security finding(s) detected |
+| `2`  | Scan interrupted (SIGINT / Ctrl+C) |
+| `3`  | Infrastructure or API error (timeout, network failure, unexpected error) |
+
+Exit code `3` is a Socket convention, not an industry standard. Use
+`--exit-code-on-api-error <N>` to remap it -- e.g. to a Buildkite
+`soft_fail` code, or to `0` to swallow infrastructure errors entirely.
+
+### Buildkite `soft_fail` example
+
+To prevent infrastructure errors from blocking PRs while still failing on
+real security findings:
+
+```yaml
+steps:
+  - label: ":lock: Socket Security Scan"
+    command: "socketcli ..."
+    soft_fail:
+      - exit_status: 3
+```
+
+Or with a custom exit code:
+
+```yaml
+steps:
+  - label: ":lock: Socket Security Scan"
+    command: "socketcli --exit-code-on-api-error 100 ..."
+    soft_fail:
+      - exit_status: 100
+```
+
 ## Common gotchas
 
 See [`docs/troubleshooting.md`](https://github.com/SocketDev/socket-python-cli/blob/main/docs/troubleshooting.md#common-gotchas).

pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketsecurity"
-version = "2.2.88"
+version = "2.3.0"
 requires-python = ">= 3.11"
 license = {"file" = "LICENSE"}
 dependencies = [

socketsecurity/__init__.py

@@ -1,3 +1,3 @@
 __author__ = 'socket.dev'
-__version__ = '2.2.88'
+__version__ = '2.3.0'
 USER_AGENT = f'SocketPythonCLI/{__version__}'