feat: allow specifying actuator in csv sample store

[michael-johnston]

Adds ability to specify an actuator when importing data from a CSV. This allows data obtained from elsewhere (maybe from ado) to appear as ado data (can be used as memoized data in a space with that experiment)

The actuator/experiment combination will be validated against existing actuators and if passed imported.

Notes:

• Changes the schema of CSVSampleStoreDescriptor to simplify the code - upgrade path and warnings provided.
• column name are no longer converted to lower case automatically. User must do this in YAML if desired.

[DRL-NextGen]

Checks Summary

Last run: 2026-01-26T20:34:03.488Z

Code Risk Analyzer vulnerability scan found 2 vulnerabilities:

Severity	Identifier	Package	Details	Fix
◻ Unknown	CVE-2025-53000	nbconvert	nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows GHSA-xm59-rqc7-hhvf nbconvert:7.16.6->ado-core:1.3.3	>7.16.6
◻ Unknown	CVE-2026-0994	protobuf	protobuf affected by a JSON recursion depth bypass GHSA-7gcm-g887-7qv7 protobuf:6.33.4->ado-core:1.3.3,protobuf:6.33.4,vllm:0.14.1	>6.33.4

Mend Unified Agent vulnerability scan found 3 vulnerabilities:

Severity	Identifier	Package	Details	Fix
❗ Critical	CVE-2025-56005	ply-3.11-py2.py3-none-any.whl	An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Exec... An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the "picklefile" parameter in the "yacc()" function. This parameter accepts a ".pkl" file that is deserialized with "pickle.load()" without validation. Because "pickle" allows execution of embedded code via "reduce()", an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk.	Not Available
🔺 High	CVE-2025-53000	nbconvert-7.16.6-py3-none-any.whl	The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja... The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a "inkscape.bat" file that defines a Windows batch script, capable of arbitrary code execution. When a user runs "jupyter nbconvert --to pdf" on a notebook containing SVG output to a PDF on a Windows platform from this directory, the "inkscape.bat" file is run unexpectedly. As of time of publication, no known patches exist.	Not Available
🔺 High	CVE-2026-0994	protobuf-6.33.4-cp39-abi3-manylinux2014_x86_64.whl	A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python,... A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.	Not Available

Code updated. Rereview required

[michael-johnston]

@AlessandroPomponio What is the process to resolve the vulnerability scan issues? I can't see anything reported in pipeline.

[AlessandroPomponio]

This is what AI suggest rewriting this to to make it clearer. I like this one better with the example next to the explanation. Feel free to edit.

NOTE: the code block renders incorrectly. Please click on EDIT for this comment to see the real suggestion

You must specify which CSV columns contain observed properties (measurements/results) 
and which contain constitutive properties (input parameters/configurations).

**Two ways to map columns:**

1. **Use CSV column names as-is** - Pass a list:
   ```yaml
   constitutivePropertyMap:
     - cpu_value
     - memory_gb

This uses cpu_value and memory_gb as both the column names AND property names.

2. Rename columns - Pass a dictionary:

   observedPropertyMap:
     wallClockRuntime: 'wall-clock runtime'
     throughput: 'requests_per_sec'

   This reads from CSV columns wall-clock runtime and requests_per_sec,
   but names them wallClockRuntime and throughput in the experiment.

[AlessandroPomponio]

This defaults to None in the signature