release: v1.1.3 — security hardening, edition 2024, dependency updates

Security:
- Fix RUSTSEC-2026-0007 (bytes integer overflow)
- Restrict SQLite database file permissions to 0600 on Unix
- Add 100KB size limit to intention descriptions (DoS prevention)
- Redact JSON-RPC payloads from debug logs (data leakage prevention)
- Update SECURITY.md with encryption docs and supported versions

Modernization:
- Upgrade Rust edition 2021 → 2024, MSRV 1.75 → 1.85
- Upgrade actions/checkout@v4 → v5, codecov/codecov-action@v3 → v5
- Update all dependencies to latest compatible versions
- Fix edition 2024 match ergonomics in compression.rs

Clippy fixes:
- Rename from_str → parse_name to avoid shadowing FromStr trait
- Replace .max().min() with .clamp()
- Replace sort_by with sort_by_key

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sam Valladares 2026-02-12 03:19:07 -06:00
parent 6a5c3771fb
commit a92fb2b6ed
18 changed files with 332 additions and 118 deletions


@ -1,7 +1,7 @@
[package]
name = "vestige-mcp"
version = "1.1.2"
edition = "2021"
version = "1.1.3"
edition = "2024"
description = "Cognitive memory MCP server for Claude - FSRS-6, spreading activation, synaptic tagging, and 130 years of memory research"
authors = ["samvallad33"]
license = "MIT OR Apache-2.0"


@ -37,7 +37,7 @@ impl StdioTransport {
continue;
}
debug!("Received: {}", line);
debug!("Received: {} bytes", line.len());
// Parse JSON-RPC request
let request: JsonRpcRequest = match serde_json::from_str(&line) {
@ -66,7 +66,7 @@ impl StdioTransport {
if let Some(response) = server.handle_request(request).await {
match serde_json::to_string(&response) {
Ok(response_json) => {
debug!("Sending: {}", response_json);
debug!("Sending: {} bytes", response_json.len());
writeln!(stdout, "{}", response_json)?;
stdout.flush()?;
}
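Review bot: The redaction covers only the two success-path `debug!` calls. The `Err` arm of the `serde_json::from_str(&line)` match is outside this hunk, and if it logs the error with `{}` it can still put payload fragments in the log, because serde_json error text may quote an unexpected value or field name from the input. Logging only the position there, e.g. `debug!("Parse error at line {} column {}", e.line(), e.column());`, would keep the log free of request content. It is also worth checking that no `trace!` or `error!` call elsewhere in the transport still formats `line` or `response_json`.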


@ -233,6 +233,10 @@ async fn execute_set(
return Err("Description cannot be empty".to_string());
}
if description.len() > 100_000 {
return Err("Description too large (max 100KB)".to_string());
}
let now = Utc::now();
let id = Uuid::new_v4().to_string();
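Review bot: The 100 KB cap in `execute_set` is checked only after the whole request has been read and deserialized, so it bounds what gets stored rather than what the server buffers. If the goal is DoS prevention, the stdio transport's line read would need its own size cap; that code is not in this hunk, so confirm whether one exists. `description.len()` counts UTF-8 bytes, which agrees with the message, but the limit is written twice in different forms. A named constant such as `const MAX_DESCRIPTION_BYTES: usize = 100_000;`, used in both the comparison and the error text, would keep them in sync. The body of `execute_set` starts and ends outside the hunk.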