Tags: ruvnet/RuVector
fix(notify): dedup welcome emails — max 1 per email per 24h

Resend monthly limit hit by duplicate welcome emails. Added recent_welcomes HashMap tracking last welcome time per email. Skips if same email welcomed within 24 hours.

Co-Authored-By: claude-flow <[email protected]>

feat(rvm): security audit remediation, TEE cryptographic verification, performance hardening

Complete security audit remediation across all 14 RVM hypervisor crates:

Security (87 findings fixed — 11 critical, 23 high, 30 medium, 23 low):
- HAL: SPSR_EL2 sanitization before ERET, per-partition VMID with TLB flush, 2MB mapping alignment enforcement, UART TX timeout
- Proof: Real P3 verification replacing stubs (Hash/Witness/ZK tiers), SecurityGate self-verifies P3 (no caller-trusted boolean)
- Witness: SHA-256 chain hashing (ADR-142), strict signing default, NullSigner test-gated, XOR-fold hash truncation
- IPC: Kernel-enforced sender identity, channel authorization
- Cap: GRANT_ONCE consumption, delegation depth overflow protection, owner verification, derivation tree slot leak rollback
- Types: PartitionId validation (reject 0/hypervisor, >4096)
- WASM: Target/length validation on send(), module size limit, quota dedup
- Scheduler: Binary heap run queue, epoch wrapping_add, SMP cpu_count enforcement
- All integer overflow paths use wrapping_add/saturating_add/checked_add

TEE implementation (ADR-142, all 4 phases):
- Phase 1: SHA-256 replaces FNV-1a in witness chain, attestation, measured boot
- Phase 2: WitnessSigner trait with SignatureError enum, HmacSha256WitnessSigner, Ed25519WitnessSigner (verify_strict), DualHmacSigner, constant_time.rs
- Phase 3: SoftwareTeeProvider/Verifier, TeeWitnessSigner<P,V> pipeline
- Phase 4: SignedSecurityGate, WitnessLog::signed_append, CryptoSignerAdapter, ProofEngine::verify_p3_signed, KeyBundle derivation infrastructure
- subtle crate integration for ConstantTimeEq

Performance (26 optimizations):
- O(1) lookups: IPC channel, partition, coherence node, nonce replay
- Binary max-heap scheduler queue (O(log n) enqueue/dequeue)
- Coherence adjacency matrix + cached per-node weights
- BuddyAllocator trailing_zeros bitmap scan + precomputed bit_offset LUT
- Cache-line aligned SwitchContext (hot fields first) and PerCpuScheduler
- DerivationTree O(1) parent_index, combined region overlap+free scan
- #[inline] on 11+ hot-path functions, FNV-1a 8x loop unroll
- CapSlot packing (generation sentinel), RunQueueEntry sentinel, MessageQueue bitmask

Documentation:
- ADR-142: TEE-Backed Cryptographic Verification (with 6 reviewer amendments)
- ADR-135 addendum: P3 no longer deferred
- ADR-132 addendum: DC-3 deferral resolved
- ADR-134 addendum: SHA-256 + HMAC signatures

752 tests, 0 failures across 11 library crates + integration suite.

Co-Authored-By: claude-flow <[email protected]>

Release: DrAgnes + Common Crawl WET + Gemini Grounding Agents

Features:
- DrAgnes dermatology AI (examples/dragnes/)
- Common Crawl WET pipeline (178 domains)
- 4 Gemini grounding agents (ADR-122)
- SONA trajectory fix (#273) + state persistence (#274)
- Brain: 2,064 memories, 57x sparsifier
- 19 Cloud Scheduler jobs, 3 Cloud Run Jobs
- ADRs 117-122

Published:
- [email protected] (crates.io)
- [email protected] (npm)

v2.0.5: Security hardening + CI fixes

Security fixes:
- SEC-001: Hardened mmap pointer arithmetic with checked bounds
- SEC-002: Cryptographic hash binding for proof attestations
- Fixed ruvector-verified CI clippy/unused_mut warnings

CI fixes:
- git add -f in all build workflows for .gitignore bypass
- commit-binaries job added to build-gnn.yml (fixes #195)
- WASM npm package published