v1.2.0 — CI matrix hardening, security updates, REST API service

@gregdigittal gregdigittal released this 22 May 11:56
· 316 commits to main since this release

What's new

Theme: HNSW approximate nearest-neighbour embedding index + BM25-HNSW fused recall (ruflo-mod contract), CI matrix hardening, security updates, REST API systemd service, and generated CLI. Covers E-45.

HNSW Embedding Index (E-45)

  • HNSWStore: hnswlib-backed ANN index with lazy LocalEmbeddingBackend (384-dim all-MiniLM-L6-v2), label map + metadata sidecars, auto-save every 100 upserts, atomic writes via tmp + os.replace(); graceful degradation when hnswlib absent
  • depthfusion_hnsw_capability MCP tool — returns HNSWCapability shape regardless of index state; always-on, no feature flag required; designed for agent-ops bridge startup probe
  • publish_context HNSW integration — every publish upserts into HNSW when DEPTHFUSION_HNSW_ENABLED=true; indexed_in_hnsw: bool added to all responses (additive, back-compat)
  • BM25+HNSW fused recall — final_score = 0.6 × bm25_score + 0.4 × hnsw_cosine; strategy field ("bm25-only" / "bm25+hnsw-fused") and hnsw_available: bool added to all recall_relevant response paths
  • Graceful SIGTERM/SIGINT shutdown — HNSW store saves to disk on graceful server shutdown
  • New hnsw extras group in pyproject.toml; also added to vps-gpu and mac-mlx extras

REST API systemd service

  • infra/systemd/depthfusion-rest.service — user-level systemd unit for the FastAPI REST API (127.0.0.1:7300); reads ~/.claude/depthfusion.env via EnvironmentFile; Restart=on-failure
  • infra/systemd/README.md — install instructions

Generated CLI

  • 30-command Go CLI (depthfusion-pp-cli) generated from infra/depthfusion/openapi-spec.yaml via cli-printing-press v4.11.0; Scorecard: A (83%)
  • Compound commands: discovery-audit, graph-inspect, batch-recall
  • depthfusion-pp-mcp — stdio MCP server mirroring all 30 commands as agent tools
  • docs/cli.md — full CLI reference

CI

  • Windows CI matrix — all 9/9 jobs green (ubuntu/macos/windows × Python 3.10/3.11/3.12); Windows switched to subprocess-free test allowlist — 292 tests in ~2 min vs prior 40–60 min timeout; Ubuntu runs the full suite as authoritative reference
  • Node.js 24 opt-in (FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true) in both workflows ahead of GitHub's 2026-06-02 forced migration

Fixed

  • core/file_locking.py: # type: ignore[attr-defined] on fcntl flock calls; mypy false-positive on Windows (runtime-guarded behind try/except ImportError)
  • api/rest.py: body: SetMemoryScoreBody = ... Ellipsis default annotated with # type: ignore[assignment]; FastAPI idiom not understood by mypy

Security

  • 34 → 0 Dependabot alerts: urllib3 2.7.0, cryptography 46.0.7, setuptools 78.1.1, requests 2.33.0, jinja2 3.1.6, certifi 2024.7.4, idna 3.15, configobj 5.0.9, pyasn1 0.6.3, wheel 0.46.2, pytest 9.0.3
  • chromadb >=0.4 → >=1.0 — eliminates 0.x dep paths that brought in vulnerable Mako, PyJWT, and Markdown versions
  • Explicit lower bounds in all chromadb extras: Mako>=1.3.12, PyJWT>=2.12.0, Pygments>=2.20.0, Markdown>=3.8.1
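
To confirm that a deployed environment actually resolved to the lower bounds listed above, the following added example (not part of the project's code) audits `pip freeze` output against them. The function names and the sample freeze text are constructed for illustration; the floor values are the ones stated in this section.

```python
import re

# Lower bounds copied from the Security section of these release notes.
FLOORS = {"chromadb": "1.0", "mako": "1.3.12", "pyjwt": "2.12.0",
          "pygments": "2.20.0", "markdown": "3.8.1"}

def normalize(name):
    """PEP 503 normalization, so 'PyJWT' and 'pyjwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name.strip()).lower()

def release_tuple(version):
    """Numeric release segment as ints, or None (suffixes ignored, epochs rejected)."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if "!" in version or not match:
        return None
    return tuple(int(part) for part in match.group().split("."))

def below_floor(version, floor):
    """True if version < floor; unreadable versions fail closed (True)."""
    found, minimum = release_tuple(version), release_tuple(floor)
    if found is None:
        return True
    width = max(len(found), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))
    # Integer tuples, not strings: "2.8.0" must sort below "2.12.0".
    return pad(found) < pad(minimum)

def audit(freeze_text):
    """Return sorted (name, pinned, floor) for every pin below its floor."""
    findings = []
    for line in freeze_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue  # editable/URL installs are out of scope here
        name, _, version = line.partition("==")
        name = normalize(name.split("[", 1)[0])       # drop extras
        version = version.split(";", 1)[0].strip()    # drop env markers
        if name in FLOORS and below_floor(version, FLOORS[name]):
            findings.append((name, version, FLOORS[name]))
    return sorted(findings)

# Constructed sample of `pip freeze` output, not taken from the project.
SAMPLE_FREEZE = """\
chromadb==0.4.24
Mako==1.3.12
PyJWT==2.8.0
pygments==2.20.1
Markdown==3.8
requests==2.33.0
"""
```

Calling `audit(SAMPLE_FREEZE)` flags the chromadb, Markdown and PyJWT pins; a non-empty result is a reasonable condition for failing a CI step.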

Housekeeping

  • .gitignore extended: .claude/, .pm/, .rollback/, .codex, text.txt, .remember/

Test totals

  • 2000 passed · 9 skipped · 0 failed (up from 1986 in v1.1.0)
  • MCP tool count: 29 (28 in v1.1.0 + depthfusion_hnsw_capability)