Add Python 3.14 support

[igerber]

Summary

• Upgrade PyO3 from 0.22 to 0.28 and rust-numpy from 0.22 to 0.28 for Python 3.14 header compatibility
• Bump ndarray from 0.16 to 0.17 (required by numpy 0.28)
• Rename 14 to_pyarray_bound(py) → to_pyarray(py) calls across 4 Rust source files (mechanical migration — code already used the modern Bound API)
• Update requires-python from <3.14 to <3.15 and add 3.14 classifier
• Add Python 3.14 to CI test matrix and all wheel build targets (Linux, macOS, Windows)
• Update pure-Python fallback CI job to test on Python 3.14

Methodology references (required if estimator / math changes)

• N/A — no methodology changes. All changes are Rust dependency upgrades, mechanical API renames, and CI/build configuration.

Validation

• Tests added/updated: No new tests. Existing suite validates correctness:
  • test_rust_backend.py: 68/68 passed (Rust↔Python equivalence)
  • Full suite: 3198 passed, 0 failures
• Backtest / simulation / notebook evidence: N/A

Security / privacy

• Confirm no secrets/PII in this PR: Yes

---

Generated with Claude Code

[github-actions]

Overall Assessment

✅ Looks good. No unmitigated P0/P1 findings. The Rust source edits are wrapper-level NumPy conversion migrations, not changes to estimator math, weighting, variance formulas, identification checks, or defaults; numpy 0.28 documents to_pyarray() as copying borrowed Rust data into a newly allocated NumPy array. (docs.rs)

Executive Summary

• No P0/P1 issues found. The touched Rust paths are array-return wrappers in bootstrap, robust-vcov/OLS, SyntheticDiD/SDID weights, and TROP exports; I did not find any methodology drift relative to the registry.
• The edge-case checklist is not materially engaged by this diff: no new inference formulas, NaN guards, control-group logic, or public parameter propagation paths were added.
• P2: the PyO3/rust-numpy upgrade raises the Rust source-build floor to 1.83, but the crate still does not declare rust-version, so sdist/source-build failures will be later and less actionable than they need to be. (docs.rs)
• P3: README.md:L2770-L2773 still says Python 3.9 - 3.13, which now conflicts with package metadata and CI.
• The CI/publish expansion itself is coherent: the Linux manylinux images used here include cp314-cp314, so the new wheel loop target is valid. (github.com)

Methodology

No findings. I cross-checked the touched Rust-backed code paths in rust/src/bootstrap.rs:L17-L52, rust/src/linalg.rs:L16-L190, rust/src/weights.rs:L41-L57, rust/src/weights.rs:L624-L723, rust/src/trop.rs:L37-L47, rust/src/trop.rs:L1088-L1101, and rust/src/trop.rs:L1828-L1841 against docs/methodology/REGISTRY.md:L35-L83, docs/methodology/REGISTRY.md:L87-L214, docs/methodology/REGISTRY.md:L1190-L1315, and docs/methodology/REGISTRY.md:L1607-L1752. The diff only renames to_pyarray_bound(py) to to_pyarray(py), and rust-numpy 0.28 documents that API as the same borrowed-to-new-array copy operation. (docs.rs)

Code Quality

No findings. The mechanical migration appears complete in diff scope; I found no remaining to_pyarray_bound usage in the touched Rust sources, and the diff does not introduce any new inline inference/NaN-guard anti-patterns.

Performance

No findings. No hot-path algorithm, allocation strategy, or parallelization behavior changed beyond the same Rust-to-Python array handoff.

Maintainability

• P2 Missing declared MSRV after the dependency bump in rust/Cargo.toml:L1-L42. Impact: this PR raises the effective Rust floor for source builds, but the crate still omits rust-version, while source builds remain part of the distribution story via publish.yml:L61-L62 and publish.yml:L122-L144. Users on older toolchains will get a later, less actionable failure. Concrete fix: add rust-version = "1.83" (or the minimum version you actually verify) to rust/Cargo.toml, and document that requirement anywhere sdist/source builds are described. (docs.rs)

Tech Debt

No findings. TODO.md does not already track the two non-blocking follow-ups above, but neither is a merge blocker.

Security

No findings. The diff adds no new secret material, credential handling, or untrusted-input surface.

Documentation/Tests

• P3 README support matrix is stale at README.md:L2770-L2773. Impact: the public docs would still advertise Python 3.9 - 3.13 even though pyproject.toml:L11-L42, rust-test.yml:L76-L84, publish.yml:L36-L45, publish.yml:L63-L69, and publish.yml:L93-L99 now advertise/test 3.14 support. Concrete fix: update the README requirement line to Python 3.9 - 3.14; optionally add a short source-build note about the Rust toolchain floor if a wheel is unavailable. (github.com)

[igerber]

/ai-review

[github-actions]

🔁 AI review rerun (requested by @igerber)

Head SHA: e07b0c7f71f7c0f25d236249e24f9382672b479d

---

Overall Assessment

✅ Looks good

Review based on the provided diff and local source context; I did not execute builds/tests in this read-only environment.

Executive Summary

• No unmitigated P0/P1 findings. The Rust source edits stay at the Python array-conversion boundary and do not alter estimator math, weighting, inference, identification checks, or defaults.
• Re-review status: the prior stale-README issue is resolved, while the prior MSRV concern is only partially resolved.
• One P2 maintainability issue remains in rust/Cargo.toml:L1-L38; details below.
• The Python 3.14 metadata, README, CI, and wheel-matrix updates are otherwise internally consistent across pyproject.toml:L11-L42, README.md:L2770-L2775, publish.yml:L36-L45, publish.yml:L68-L105, and rust-test.yml:L76-L199.
• I found no new edge-case or inference anti-patterns in the touched Rust files.

Methodology

• No findings. Affected methods in diff scope are the Rust export layers for multiplier bootstrap, robust OLS/VCV, SyntheticDiD weights, and TROP distance/bootstrap outputs in rust/src/bootstrap.rs:L30-L51, rust/src/linalg.rs:L140-L189, rust/src/weights.rs:L41-L57, rust/src/weights.rs:L624-L723, and rust/src/trop.rs:L36-L47. Each changed hunk only renames the NumPy/PyO3 conversion helper at return sites; the underlying SyntheticDiD and TROP methodology remains aligned with docs/methodology/REGISTRY.md:L1190-L1310 and docs/methodology/REGISTRY.md:L1607-L1754.

Code Quality

• No findings. The migration is mechanically consistent in diff scope, and I did not find new inline inference or partial-NaN-guard anti-patterns in the touched Rust files.

Performance

• No findings. No hot-path algorithm, estimator-side allocation strategy, or parallelism setting changed beyond the existing Rust-to-Python return conversion boundary.

Maintainability

• Severity: P2.
• Impact: rust/Cargo.toml:L1-L38 now declares rust-version = "1.83", but the same manifest still depends on faer = "0.24". numpy 0.28.0 documents Rust 1.83 as its floor, while faer 0.24.0 documents Rust 1.84 as its MSRV, so the manifest currently advertises a lower Rust floor than the dependency set actually guarantees. Source builds on Rust 1.83 can therefore fail later in dependency resolution/compilation instead of being rejected up front. (docs.rs)
• Concrete fix: Raise rust-version to 1.84, or pin/downgrade faer to a release you have verified on Rust 1.83 before claiming 1.83 support.

Tech Debt

• No findings. TODO.md:L51-L94 does not already track the MSRV mismatch above, so that item remains an active P2 rather than a deferred/mitigated limitation.

Security

• No findings. The diff does not add secrets, credential handling, shell injection surface, or new untrusted-input execution paths.

Documentation/Tests

• No findings. The prior stale-README issue is resolved, and the Python 3.14 support claim now lines up across README.md:L2770-L2775, pyproject.toml:L11-L42, publish.yml:L36-L45, publish.yml:L68-L105, and rust-test.yml:L76-L199.

[igerber]

/ai-review

[github-actions]

🔁 AI review rerun (requested by @igerber)

Head SHA: 30faedf4020727e7bca02b6453569c390492095e

---

Overall Assessment

✅ Looks good

Review based on the supplied unified diff and local source context. I did not execute builds/tests in this read-only environment.

Executive Summary

• No unmitigated P0/P1 findings.
• Methodology cross-check passed: the estimator-adjacent Rust hunks only rename NumPy return helpers at the Python boundary in rust/src/bootstrap.rs:32, rust/src/linalg.rs:44, rust/src/weights.rs:43, and rust/src/trop.rs:927; I found no change to estimator math, weighting, variance/SE formulas, assumptions, or defaults relative to docs/methodology/REGISTRY.md:1190 and docs/methodology/REGISTRY.md:1607.
• Re-review status: the prior maintainability concern is resolved by rust/Cargo.toml:5, which now declares rust-version = "1.84" alongside rust/Cargo.toml:34 faer = "0.24".
• Python 3.14 support claims are internally consistent across packaging, docs, CI, and wheel publication in pyproject.toml:11, pyproject.toml:42, README.md:2772, publish.yml:39, publish.yml:68, publish.yml:98, rust-test.yml:84, and rust-test.yml:187.
• Pattern-consistency check passed: I found no remaining to_pyarray_bound call sites under rust/src, so the numpy 0.28 migration is not partial within the Rust backend.

Methodology

• No findings. Severity: none. Impact: the affected methods are the multiplier-bootstrap export, robust OLS/VCOV exports, SyntheticDiD weight exports, and TROP distance/bootstrap exports in rust/src/bootstrap.rs:32, rust/src/linalg.rs:176, rust/src/weights.rs:626, and rust/src/trop.rs:1683. Each changed hunk only swaps to_pyarray_bound(py) for to_pyarray(py) at return sites, so the SyntheticDiD and TROP requirements documented in docs/methodology/REGISTRY.md:1190 and docs/methodology/REGISTRY.md:1607 remain unchanged. Concrete fix: none.

Code Quality

• No findings. Severity: none. Impact: the migration is mechanically consistent rather than partial; all touched Rust return conversions now use the same ToPyArray pattern, and I found no leftover _bound helper calls under rust/src. The touched TROP bootstrap paths also preserve the existing undefined-inference guard at rust/src/trop.rs:1087 and rust/src/trop.rs:1827. Concrete fix: none.

Performance

• No findings. Severity: none. Impact: no hot-path estimator loop, weighting kernel, or variance routine changed beyond Python-array return conversion and dependency metadata updates in rust/Cargo.toml:25, rust/Cargo.toml:26, and rust/Cargo.toml:27. Concrete fix: none.

Maintainability

• No findings. Severity: none. Impact: the previous re-review P2 is resolved because rust/Cargo.toml:5 now matches the dependency floor implied by rust/Cargo.toml:34. Concrete fix: none.

Tech Debt

• No findings. Severity: none. Impact: I did not identify a new deferred item introduced by this PR, and TODO.md:51 does not contain a relevant tracked limitation that would mask a correctness issue here. Concrete fix: none.

Security

• No findings. Severity: none. Impact: the diff only updates dependency versions, CI/build matrices, packaging metadata, and Rust-to-Python array return helpers; it does not add new secret handling, subprocess construction, or untrusted-input execution paths. Concrete fix: none.

Documentation/Tests

• No findings. Severity: none. Impact: the Python 3.14 support statement is synchronized across pyproject.toml:11, pyproject.toml:42, README.md:2772, publish.yml:39, publish.yml:68, publish.yml:98, rust-test.yml:84, and rust-test.yml:187. CI coverage was extended to Python 3.14 for both Rust-backed and pure-Python paths. Concrete fix: none.