vestige/crates/vestige-core
Sam Valladares 70dae339fb fix(audit): data-loss, SSRF, off-by-one, dedup bugs (swarm, moderate tier 1)
All verified against real code:
- connectors: empty list_live_ids() no longer mass-tombstones the entire source
  (treat empty as "cannot enumerate", like None) — was catastrophic data loss
- redmine: SSRF guard — require http(s), reject loopback/private/link-local hosts
  + localhost (escape hatch VESTIGE_ALLOW_PRIVATE_CONNECTOR_HOSTS for local tests)
- KnowledgeEdge::is_valid now honors valid_from via was_valid_at(now) (was
  ignoring it; a future-dated edge read as valid). No production callers.
- emotional_memory: flashbulb counter reconciles to the FINAL is_flashbulb
  decision after the importance override (was undercounting via ==0 guard)
- chains path_to_chain: fixed off-by-one — step i now uses the INCOMING edge
  connections[i-1], not the outgoing connections[i]; removed the synthetic
  connection hack that masked the misalignment
- merge_supersede compose_merged_content: exact normalized dedup instead of
  substring containment (was silently dropping "cat" inside "cathedral")

core 535/0, clippy clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 14:09:31 -05:00
..
benches feat(v2.0.5): Intentional Amnesia — active forgetting via top-down inhibitory control 2026-04-14 17:30:30 -05:00
src fix(audit): data-loss, SSRF, off-by-one, dedup bugs (swarm, moderate tier 1) 2026-06-28 14:09:31 -05:00
Cargo.toml feat(cloud-sync): zero-knowledge client-side encryption (XChaCha20-Poly1305) 2026-06-19 21:19:16 -05:00