chore: release v0.10.3#9

Merged
Destynova2 merged 1 commit into develop from release-plz-2026-03-02T22-13-18Z
Mar 2, 2026

@Destynova2
Contributor

🤖 New release

  • grob: 0.10.2 -> 0.10.3 (✓ API compatible changes)
Changelog

0.10.3 - 2026-03-02

Other

  • extract ProviderBase, clean code audit fixes, and MS Rust guidelines


This PR was generated with release-plz.

@Destynova2 Destynova2 merged commit c6c950d into develop Mar 2, 2026
11 of 12 checks passed
Destynova2 added a commit that referenced this pull request Mar 16, 2026
Critical:
- #9 #10: Replace hard-coded HMAC key with random session key when
  GROB_DLP_SECRET is unset (unpredictable pseudonyms by default)

High:
- #11 #12: Cap Vec::with_capacity to 1024 in OpenAI transform
  (prevents uncontrolled allocation from malicious input)
- #17 #18 #19: Add path traversal check in token_store persist()
  (reject ".." in file path)
- #6 #7 #8: Stop logging full response bodies in OpenAI provider
  (log length instead, truncate to 200 chars on parse error)
- #13 #14: Warn at construction if OAuth token_url uses plaintext HTTP
- #15 #16: Warn at construction if Gemini base_url uses plaintext HTTP
  (new warn_if_cleartext() helper in providers/mod.rs)
- #20 #21 #22: Annotate benchmark TLS cert bypass with lgtm comment
  (intentional: benchmarks use self-signed certs)
- #3: Avoid flowing API key through format string in preset info
- #4 #5: Remove secret values from test assertion messages

Medium:
- #1: Add explicit permissions block to release-plz workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
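The commit above lists a path traversal check that rejects ".." in the token store's file path. As an added example (not grob's own code), here is one way to make that check component-based, so that a traversal segment is rejected while a file name that merely contains two dots is not; the helper name `resolve_under`, the `PathError` type and the base directory are assumptions made for illustration.

```rust
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    ParentDir,
    Absolute,
}

/// Hypothetical helper: join an untrusted relative path onto `base`,
/// refusing anything that could step outside it. The check is lexical only;
/// it does not resolve symlinks that already exist under `base`.
pub fn resolve_under(base: &Path, untrusted: &str) -> Result<PathBuf, PathError> {
    let mut out = base.to_path_buf();
    for comp in Path::new(untrusted).components() {
        match comp {
            // Ordinary segment, including names such as "my..backup.json".
            Component::Normal(seg) => out.push(seg),
            // A leading "." changes nothing.
            Component::CurDir => {}
            // A real ".." segment is the traversal case.
            Component::ParentDir => return Err(PathError::ParentDir),
            // An absolute path would replace `base` entirely when joined.
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
        }
    }
    // "" and "." leave the path pointing at the directory itself.
    if out.as_path() == base {
        return Err(PathError::Empty);
    }
    Ok(out)
}

fn main() {
    // Constructed sample inputs; the base directory is a placeholder.
    let base = Path::new("/var/lib/grob");
    let samples = [
        "tokens/openai.json",
        "my..backup.json",
        "../etc/passwd",
        "a/../../b",
        "/etc/passwd",
        ".",
    ];
    for name in samples {
        println!("{:<20} -> {:?}", name, resolve_under(base, name));
    }
}
```

A plain substring test for ".." would also reject `my..backup.json`; matching on `Component::ParentDir` avoids that false positive while still catching every real parent-directory segment.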
Destynova2 added a commit that referenced this pull request Mar 26, 2026
- aws-lc-sys removed from dependency tree (no longer needed)
- rustls-webpki 0.103.9 → 0.103.10 (CRL matching fix)

Fixes: Dependabot alerts #9, #11, #15

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Destynova2 Destynova2 deleted the release-plz-2026-03-02T22-13-18Z branch March 30, 2026 19:51
Destynova2 added a commit that referenced this pull request Apr 21, 2026
… + orchestration (T-SP-3 #9)

provider_loop.rs was hosting three distinct concerns in a single file:
1. Provider selection (registry + CB + HC + RE-1a endpoint health)
2. Retry + error classification + single-provider dispatch
3. Outer fallback loop orchestration

Split into:
- src/server/dispatch/resolver.rs (~128 LoC) — resolve_provider,
  try_direct_provider_lookup (backward-compat path).
- src/server/dispatch/retry.rs (~482 LoC) — ProviderLoopAction,
  ProviderAttempt, classify_and_handle_error, emit_provider_error_metrics,
  handle_provider_error, try_rotate_and_retry, dispatch_streaming,
  dispatch_non_streaming, wrap_stream_with_middleware, build_encrypted_content.
- src/server/dispatch/provider_loop.rs (~275 LoC down from 808) —
  dispatch_provider_loop (outer loop), log_dispatch_attempt,
  prepare_provider_request, emit_fallback.

No behavior change: public entry point src/server/dispatch/mod.rs:349
(provider_loop::dispatch_provider_loop) keeps the same signature and
callers are unaffected.

Validation:
- cargo build --all-targets green
- cargo test --lib : 949 passed, 0 failed
- cargo clippy --all-targets -- -D warnings clean
- RUSTFLAGS="-D warnings" cargo check --no-default-features clean

Addresses Phoenix audit 2026-04-20 item #9.
Destynova2 added a commit that referenced this pull request Apr 21, 2026
refactor(dispatch): split provider_loop 808 LoC into resolver + retry + orchestration (T-SP-3 #9)
Destynova2 added a commit that referenced this pull request Apr 21, 2026
Two drift fixes caught by Tier 2 audit (items #6, #14):

- `src/routing/classify/mod.rs`: the `route()` doc-comment listed only
  6 priority levels while the actual code has 9 (auto-map, declarative
  tier match, and algorithmic scoring were missing). The inline
  numbering also had a gap (skipping #7 and duplicating #9) — renumbered
  to match.
- `docs/explanation/architecture.md`: the request-flow mermaid still
  showed the pre-T-VS `router` subgraph and a single generic "Circuit
  Breaker" box. Updated to reflect the `routing/` parent module
  (classify + circuit_breaker + health_check) and the RE-1a / RE-1b
  split from ADR-0018, including the `is_endpoint_healthy` AND-gate
  and the security-layer global CB that runs after it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Destynova2 added a commit that referenced this pull request Apr 21, 2026
* fix(dispatch): wire grob_hint to override complexity tier (audit #5)

The MCP complexity hint (`X-Grob-Hint` header, `metadata.grob_hint` body
field, or one-shot MCP tool slot) was resolved and then dropped via
`let _ = grob_hint`. It now overrides `RouteDecision.complexity_tier`
right after routing, so clients that know their task is trivial can opt
out of `[[tiers]]` fan-out for a single request.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(routing): fix drift in router doc-comment and architecture mermaid

Two drift fixes caught by Tier 2 audit (items #6, #14):

- `src/routing/classify/mod.rs`: the `route()` doc-comment listed only
  6 priority levels while the actual code has 9 (auto-map, declarative
  tier match, and algorithmic scoring were missing). The inline
  numbering also had a gap (skipping #7 and duplicating #9) — renumbered
  to match.
- `docs/explanation/architecture.md`: the request-flow mermaid still
  showed the pre-T-VS `router` subgraph and a single generic "Circuit
  Breaker" box. Updated to reflect the `routing/` parent module
  (classify + circuit_breaker + health_check) and the RE-1a / RE-1b
  split from ADR-0018, including the `is_endpoint_healthy` AND-gate
  and the security-layer global CB that runs after it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>