Skip to content

v0.8.1

Choose a tag to compare

View all tags
@github-actions github-actions released this 14 May 23:10
· 75 commits to main since this release
v0.8.1
31e00cc
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

gaze v0.8.1 — reversibility as the new default

TL;DR

v0.8.1 makes reversible pseudonymization the default safety-net behavior. When Pass-3 SafetyNet flags a suspect leak, the pipeline now attempts to promote the suspect to a manifest entry first (--safety-net-mode resolve), and only strips the span (--safety-net-fallback redact) if that promotion fails closed. Adopters who want hard-fail semantics keep opting into --safety-net-mode strict.

This is a minor release that ships behind the v0.8.0 manifest contract — bundle_version for SafeBundle adopters bumps from 1 to 2, but no breaking API changes in gaze, gaze-recognizers, gaze-audit, or gaze-mcp-*. v0.8.0 adopters can upgrade in place. If you're upgrading from v0.7.x: read UPGRADE.md first — v0.8.0 already flipped several defaults that v0.7.x users do not see in this CHANGELOG entry alone.

Defaults changed

  • --safety-net-mode resolve is the new default (was strict). Reversibility-first; falls back to redact on resolve failure. Strict mode is still available for hard-fail deployments via --safety-net-mode strict. Tolerant mode remains dev-only behind GAZE_ALLOW_TOLERANT=1 opt-in. (Axes 1, 2.)
  • --safety-net-fallback redact is the new default for the new fallback flag. Emits a :Redact_ token and a typed FallbackReason audit row when SafetyNet promotion cannot complete. (Axes 1, 2.)
  • The published release binary now bakes --features proxy so gaze proxy {serve,start,stop,status,logs,restart} works without rebuild. Source builds are unchanged. (Axis 5.)

Example: keep the old behavior explicitly with

gaze clean --safety-net-mode strict --safety-net-fallback none input.txt

Highlights

  1. SafetyNet resolve + redact + fallback flag impl (#223, axes 1+2+4). Suspect spans flagged by SafetyNet are now promoted to custom-recognizer matches and rejoin conflict resolution. On promotion failure (ValidatorVeto, AnchorMissing, OverlapConflict, ResidualSuspect), the typed fallback path kicks in — no more silent passthrough, no irreversible strip without a typed reason in the audit log.
  2. gaze-document layout report v2 (#219 + #222, axis 1). Vector-PDF text-extraction fallback when PDFs have selectable text; multi-column segmentation in the post-processor; per-page confidence + low-confidence flagging against low_confidence_threshold; table-cell preservation in markdown output; rotation/deskew preprocessing before OCR. SafetyNet has more structured text to work with, less to reconstruct.
  3. OcrBackend single-trait single-impl (#218 + #224, axes 4+5). gaze-document now exposes one OCR contract. Second-party backends (ocrs, Apple Vision, PaddleOCR) can slot in cleanly. Legacy OcrAdapter shims removed; magic-byte validation at the clean_with_ocr_backend boundary is now mandatory and fails closed via DocumentError::UnsupportedInput.
  4. Kiji model-SHA integrity (#221, axes 1+4). The KijiDistilbertSafetyNet backend's DistilBERT bundle SHA256 is pinned and verified at backend init. Mismatch fails closed via SafetyNetError::ModelIntegrityMismatch { expected, actual }. Direct-vs-observer benchmark harness shipped; metric fields stay null until populated on a machine with the local Kiji runtime — gaze does not publish uncited benchmark numbers.

Schema changes

  • SafeBundle BundleReport.bundle_version bumps 1 → 2. New per-page fields: ocr_source, ocr_backend, confidence, low_confidence, column_count, page_index. New top-level field: low_confidence_threshold. v1 bundles continue to parse on read; new emission is always v2. Adopter-tooling-reading SafeBundle JSON must handle the v2 field set.
  • gaze-audit row schema delta: new nullable column fallback_triggered: Option<FallbackReason>. Closed-enum FallbackReason variants: OverlapConflict, ValidatorVeto, AnchorMissing, ResidualSuspect. The existing decided_by column gains new variants: Redact, Resolve, Fallback. The column is nullable on pre-migration rows; existing queries continue to work.

Known limitations

  • Kiji cargo bench harness ships with null metric fields. Populating them requires a local Kiji runtime + pinned model directory. Axis 4: gaze does not publish uncited benchmark numbers.
  • Multi-backend SafetyNet bench (Kiji vs OpenAI Privacy Filter vs OpenMed) is a v0.9 thread, not v0.8.x.

Adopter notes

  • Upgrading from v0.7.x? Read UPGRADE.md. Multi-hop migrations require attention to defaults that flipped at v0.8.0 and again at v0.8.1.
  • Downstream tooling reads SafeBundle JSON? Handle the bundle_version=2 field. v1 reads work; v2 emission is non-optional.
  • You query the audit log? The new fallback_triggered column is nullable on existing rows; new decided_by variants are closed-enum.
  • Custom OCR via OcrAdapter? Port to OcrBackend (object-safe, same shape).
  • Pipeline expected --safety-net-mode strict as default? Pass the flag explicitly.

Download

  • aarch64-darwin: gaze-v0.8.1-aarch64-apple-darwin.tar.gz
  • x86_64-linux: gaze-v0.8.1-x86_64-unknown-linux-gnu.tar.gz
  • SHA256SUMS

Both binaries are built with --features proxy --features document.

Changelog

Full PR-by-PR detail: CHANGELOG.md.

Assets 7
Loading