Releases: nagisanzenin/engram
Release list
v0.3.0 — bulletproof-foundation hardening + Codex support
A deep hardening pass before new features — every reported bug fixed, plus a full adversarial sweep of the boundary where LLM- and human-supplied text meets the deterministic core. Fed by two independent security audits, two code reviews, and a QA pass; every fix is locked by a selftest (33 → 63 checks) and re-verified live end-to-end. Also adds OpenAI Codex support from the same repo (omni-repo).
Reported issues
- FSRS-4.5 difficulty anchor corrected to
D0(3)(wasD0(4), the FSRS-5 rule — inflated interval growth ~21%, undershooting the 90% retention target). - Evidence before state — the receipt is written before the graph is saved; a crash costs a re-review, never a silent unverified advance.
- Calibration reads the assessor
grade(partial = half credit, not a total miss), with a min-n verdict floor and an encode/review split. nextis stash-aware — skips stashed nodes and provisionally clears stashed prerequisites, so the batch-graded/learnflow advances instead of re-serving or dead-ending.refit --forceempty-data guard; corrupt JSON quarantined (not discarded);--add-goal; truncation marker.
Hardening (found in the sweep)
- Path-traversal / arbitrary-write closed (slug validation at every ingress + write confinement + no-symlink appends). An absolute/
..topic could previously write attacker-controlled JSON anywhere. - Shell-injection channel removed — skills pass learner text via file/stdin, never inlined into a command.
add-topicignores payload-supplied mastery;--replacepreserves surviving schedule + writes a.bak.model --setcan't brick the install; the learner model self-heals.- Batch receipts are atomic; malformed dates / bad states / ghost ids / one corrupt graph no longer brick aggregate views or the hook; report XSS closed; session-start emits only validated slugs.
Codex support (omni-repo)
skills/ and scripts/engram.py are shared verbatim. Added .codex-plugin/, .agents/plugins/marketplace.json, TOML subagent ports, a self-resolving hook, and INSTALL-CODEX.md. The Claude Code path is unchanged.
Known limitation
Re-running the exact same receipt --file twice still double-applies (the documented settle flow clears the stash after, so it's safe; batch atomicity is fixed). Full cross-invocation idempotence is deferred.
Verify: python3 scripts/engram.py selftest → 63/63.