This commit was created on GitHub.com and signed with GitHub’s verified signature.
[v1.103.0]
Git clone and remote-update operations now enforce wall-clock timeouts (20 min and 10 min defaults respectively) so a single unresponsive remote cannot park a clone worker indefinitely. Configurable via KF_GIT_CLONE_TIMEOUT_SECS and KF_GIT_UPDATE_TIMEOUT_SECS.
Deadline enforcement is now propagated through repository object indexing, commit-graph traversal, tree traversal, and blob metadata assembly, replacing the previous 100 ms polling loop with cooperative cancellation at each phase boundary.
Bounded concurrent in-flight repo scans with a permit pool sized at 2× repo_concurrency. Without this cap, a large multi-repo scan could queue thousands of closures into rayon's unbounded work queue and exhaust memory before any scan completed. Pass -v to enable a saturation-tracker thread that logs queue depth, active scan count, and permit availability every ~15 s.
Resilient tar archive extraction: truncated or malformed archives now yield whatever entries completed successfully instead of failing the whole archive. If no entry completed, the archive falls back to a raw-bytes scan rather than being silently skipped.
Archive decompression failures (broken zip, asar, etc.) now fall back to scanning the file's raw bytes instead of skipping the file entirely.
Raised the single-stream decompression cap from 512 MB to 4 GB.
Demoted expected truncation and path-filter log events from warn to debug across tar, zip, and asar extractors to reduce noise in normal operation.
Context verifier now stitches split assignments — where the variable name appears on one line and the value on the next — into a single candidate, so secrets assigned across two lines are no longer missed.
Expanded string literal coverage in the context verifier: Rust raw strings (r#"..."#, br#"..."#), Python/Ruby triple-quoted strings ("""...""", '''...'''), C# interpolated-verbatim strings ($@"...", @$"..."), and language-prefix variants (b"...", f"...", rb"...", etc.) are all now recognized and correctly stripped.
Go backtick strings are now parsed as verbatim string literals in the context verifier.
Hex and underscore-separated numeric literals (0xFF, 1_000_000) are now matched in assignment patterns.
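The string-literal forms named in the context-verifier entries above (Rust raw strings, triple-quoted strings, C# interpolated-verbatim strings, language prefixes, Go backticks) can be stripped to their contents as in this added example, which is not the project's own code. The function name strip_literal and the sample values are hypothetical, and the example assumes escape sequences inside the literal are left undecoded.

```rust
// Added illustration (hypothetical helper, not the project's code): return the
// contents of a string literal with its prefix and delimiters removed.
// Escape sequences inside the literal are left as written.
fn strip_literal(lit: &str) -> Option<&str> {
    let s = lit.trim();
    // C# interpolated-verbatim: $@"..." or @$"..."
    for p in ["$@\"", "@$\""] {
        if let Some(rest) = s.strip_prefix(p) {
            return rest.strip_suffix('"');
        }
    }
    // Go backtick string: verbatim, no escapes.
    if let Some(rest) = s.strip_prefix('`') {
        return rest.strip_suffix('`');
    }
    // Language prefix such as r, b, br, f, rb: at most two known letters.
    let plen = s.bytes().take(2).take_while(|b| b"rbfuRBFU".contains(b)).count();
    let (prefix, body) = s.split_at(plen);
    // Rust raw string r#"..."# / br#"..."#: the closing quote must be
    // followed by the same number of '#' as the opening one.
    if prefix == "r" || prefix == "br" {
        let hashes = body.bytes().take_while(|&b| b == b'#').count();
        if hashes > 0 {
            let close = format!("\"{}", "#".repeat(hashes));
            return body[hashes..].strip_prefix('"')?.strip_suffix(close.as_str());
        }
    }
    // Try triple quotes before single ones so """x""" is not read as ""x"".
    for q in ["\"\"\"", "'''", "\"", "'"] {
        if let Some(rest) = body.strip_prefix(q) {
            if let Some(inner) = rest.strip_suffix(q) {
                return Some(inner);
            }
        }
    }
    None // not a recognized string literal
}

fn main() {
    // Constructed sample literals, one per family.
    for lit in ["r#\"tok\"en\"#", "f\"value\"", "`go raw`", "$@\"c#\""] {
        println!("{:<16} -> {:?}", lit, strip_literal(lit));
    }
}
```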