mirror of
https://github.com/samvallad33/vestige.git
synced 2026-07-02 22:01:01 +02:00
All verified against real code before fixing (49/95 CRITICAL+HIGH confirmed real; the rest were false positives). This is the low-risk batch:

panics/DoS:
- backfill: clamp scan_limit to [10,5000] + lookback to [1,365] (negative scan_limit => SQLite LIMIT -1 => unbounded fetch = DoS)
- trace_recorder/phases: char-boundary-safe truncation (byte-slice &s[..n] panics on multi-byte UTF-8)
- compression: saturating_sub on bytes_saved (short inputs compress larger)
- redmine list_live_ids: u64 offset + wrap/page-cap guards (u32 wrap => infinite loop + unbounded alloc)
- speculative file_memory_map: dedup + cap (was unbounded growth)

correctness:
- dreams stage1_replay: select most-recent-N then order, not first-N-then-sort
- prediction_error: count total_evaluations in direct evaluate_with_intent branches (rates could exceed 1.0)
- relationships: reject duplicate ids (silent overwrite corrupted the index)
- github: validate owner/repo charset (raw URL-path interpolation)
- reconsolidation: document the (already-correct) idempotency via remove()

core 535/0, mcp 453/0, clippy clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
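Two of the panic/DoS fixes the commit describes, char-boundary-safe truncation and clamping caller-supplied limits, shown as an added example; this is not the vestige project's own code, and the function names are hypothetical.

```rust
// Added example (not vestige's own code): char-boundary-safe truncation
// and range clamping, two of the panic/DoS fixes described in the commit.

/// Truncate `s` to at most `max_bytes` bytes without splitting a UTF-8
/// character. `&s[..max_bytes]` panics when `max_bytes` falls inside a
/// multi-byte character; this walks back to the nearest char boundary.
pub fn truncate_at_char_boundary(s: &str, max_bytes: usize) -> &str {
    if s.len() <= max_bytes {
        return s;
    }
    let mut end = max_bytes;
    while !s.is_char_boundary(end) {
        end -= 1; // is_char_boundary(0) is always true, so this terminates
    }
    &s[..end]
}

/// Clamp a caller-supplied scan limit into [10, 5000]. A negative or zero
/// value would otherwise reach SQLite as `LIMIT -1`, i.e. no limit at all.
/// The input is i64 because that is what a negative value parses into.
pub fn clamp_scan_limit(requested: i64) -> i64 {
    requested.clamp(10, 5000)
}

/// Clamp a lookback window in days into [1, 365].
pub fn clamp_lookback_days(requested: i64) -> i64 {
    requested.clamp(1, 365)
}

fn main() {
    // Constructed sample: "é" is 2 bytes, so byte index 2 is not a boundary.
    let s = "aéb";
    assert_eq!(truncate_at_char_boundary(s, 2), "a");
    println!("{:?}", truncate_at_char_boundary("héllo wörld", 9));
    println!("{}", clamp_scan_limit(-1));
}
```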
| | | |
|---|---|---|
| .. | | |
| vestige-core | | |
| vestige-mcp | | |