mind 5.4.0 — second adversarial audit, hardened

@Da7-Tech Da7-Tech released this 02 Jul 17:14

A second adversarial audit (an Opus-4.8 fleet — 17 reviewers with distinct methodologies, each finding independently reproduced-or-refuted, plus a completeness critic) surfaced 8 real defects. All fixed, each with a regression test (86 tests).

Critical (data loss): export_to_agents could silently destroy a user's whole CLAUDE.md/AGENTS.md/GEMINI.md if it merely contained the phrase "mind working memory" — the stale-block heuristic is now a strict structural match.

Security: a symlinked .mind/dreams or .mind/cortex let dream/promote overwrite arbitrary files outside the project — every internal write now rejects symlinked parent directories.
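
One way to implement the symlinked-parent check described above, as an added example that is not mind's own code. The safe_write helper, the UnsafePathError type and the sample file names are assumptions; the example also refuses a symlinked final file, which goes beyond what the release note states.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(OSError):
    """Raised when a write would leave the project or traverse a symlink."""


def safe_write(project_root, rel_path, data):
    """Write data to project_root/rel_path, refusing symlinked components."""
    root = Path(project_root).resolve()
    rel = Path(rel_path)
    if rel.is_absolute() or ".." in rel.parts:
        raise UnsafePathError(f"path escapes project: {rel_path}")
    current = root
    for part in rel.parts[:-1]:
        current = current / part
        # Check before mkdir so a planted link is never followed.
        if current.is_symlink():
            raise UnsafePathError(f"symlinked directory: {current}")
        current.mkdir(exist_ok=True)
    target = current / rel.parts[-1]
    if target.is_symlink():
        raise UnsafePathError(f"symlinked file: {target}")
    # O_NOFOLLOW (where available) makes the kernel refuse a symlinked target too.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)
    return target


def demo():
    """Constructed scenario: .mind/dreams is a symlink to a directory outside."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        outside = Path(tmp) / "outside"
        (project / ".mind").mkdir(parents=True)
        outside.mkdir()
        os.symlink(outside, project / ".mind" / "dreams")
        try:
            safe_write(project, ".mind/dreams/note.md", "x")
            blocked = False
        except UnsafePathError:
            blocked = True
        ok = safe_write(project, ".mind/cortex/note.md", "hello")
        return blocked, list(outside.iterdir()) == [], ok.read_text()
```

A check followed by an open still leaves a window if another process can modify the directory tree concurrently; opening each component relative to a directory file descriptor (dir_fd) closes that window.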

Correctness: a future last_accessed (clock skew on synced memory) inflated node weight unboundedly (now clamped to [0,1]); edge decay was computed but never persisted, so the synaptic-homeostasis claim was false across real CLI runs (now saved — which surfaced and fixed a latent pruned-edge merge-revival bug); corrupt graph.json (non-numeric weight / bad keys) bricked every command (now coerced and validated on load); link created phantom edges by hashing raw text (now shares remember's sanitizer).

Honesty: the soak now also shells out to the real CLI (argv + disk-reload path); the light-sleep phase is documented as the telemetry it is, not a replay.

Install pin: raw.githubusercontent.com/Da7-Tech/mind/v5.4.0/mind.py sha256 50becf1e0f93e79c1fb411ce2aedc663d18bf77931c90cff6cfd3b9c72ce8ee4.