PR summary

This adds more static analysis to our CI / prek config.

• run clang-tidy on c/c++/objectiveC code (and fix or ignore issues found). This found a couple of real issues and will only run on CI (+ a helper script to run it locally). The dependencies are too heavy to try and launder through prek's virtual environments.
• run zizmor in prek (and hence automatically on CI). Had to explictily allow the 4 places we use pull_request_target and a couple of places we allow caching. Also enabled cooldown windows on our dependabot config. This also flagged we had a redundant checkout step in
• enable shellcheck in prek to hit the handful of bash scripts we ship and applied the hardening it found.
• run ruff on our checked in notebooks as well Our exsiting ruff config hits this already
• added static validation of svg files to prek (I got in my head that this could be used to get information out of developer's machines which is probably not possible (beyond what you give up by going to any website)), but now it will be harder for someone to sneak an active SVG into our baseline images.

Not reflected in the commits here, but I did look at https://github.com/PyCQA/bandit but every single thing it flagged was a false positive (either flagging things like exec in the plot directive or being too simplistic to notice that we had already mitigated the thing it was flagging in the code).

AI Disclosure

I started from the prompt

Analyze this repository and identify any programming languages, markup languages, document formats, build artifacts, generated files, embedded assets, or other non-core technologies that could be overlooked by traditional SAST or standard code-scanning tools.

Focus especially on:

languages or file types that are not part of the repository's primary tech stack
obscure, uncommon, legacy, or less frequently scanned formats
executable or scriptable content hidden in non-obvious places
document or graphics formats that may contain logic, macros, scripts, links, or embedded content
Include examples such as LaTeX, PostScript, SVG, and similar formats, but do not limit the analysis to those.

For each item you identify, provide:

the language, format, or artifact type
why it may be missed by classic SAST or scanning tools
the security relevance or potential risk
typical file extensions or repository locations where it may appear
whether it is likely source, generated output, embedded content, or supporting artifact

with opus 4.6 and then pushing on addressing the coverage with a mix of opus 4.6 and sonnet 4.6. I reviewed everything as I committed it and took a very heavy editing pass at the initial version of the documentation.

PR checklist

• "closes #0000" is in the body of the PR description to link the related issue
• new and changed code is tested
• Plotting related features are demonstrated in an example
• New Features and API Changes are noted with a directive and release note
• Documentation complies with general and docstring guidelines