v1.9.19 — close v1.9.17 review items (6/6)
What this is
The v1.9.17 internal review identified six follow-up items. v1.9.19 closes all six.
Changes
1. Fingerprint hardening: Insight #6 anchoring applied to 24 naked probes
The v1.9.17 audit found 24 body_contains probes in fingerprints.go that violated the README's load-bearing rule ("naked single-word body_contains is unsound at population scale"). v1.9.19 fixes all 24:
- High-FP-risk probes anchored to status + structured signal: vLLM, LiteLLM ×2, Jupyter, Milvus, Langfuse, Kubeflow, Whisper ASR, dcm4chee, plus the HTML-title fallbacks (Clawdbot, Coolify, Dify, OpenHands)
- 11 Exposed API Credentials probes now require status_code=200 — credential leaks in the wild come from 200-response surfaces (env-var dumps, build logs, JS bundles, debug endpoints)
- 2 MCP Server permissive fallbacks gain body_not_contains "<!DOCTYPE html" — keeps the spec-unique-string recall while excluding HTML doc-page FPs
20 regression tests added in fingerprints_anchoring_test.go: every fix has both a TP test (real-shape response still matches) and a FP-reject test (previously-FP-prone response is now rejected). Plus an inventory test that fails if a new credentialClass is added without a matching fingerprint probe.
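To make the anchoring rule concrete, here is an added example (not aimap's code; the Probe type, the `"jsonrpc"` marker string and the three responses are constructed for this illustration). A naked single-substring probe matches a real endpoint, a documentation page that quotes the same JSON, and a proxy 404 alike; the anchored probe adds the status requirement, a second structured signal and the `<!DOCTYPE html` exclusion, and only the real endpoint survives. `Uncovered` mirrors the inventory test described above: it lists classes that have no probe.

```go
package main

import (
	"fmt"
	"strings"
)

// Probe is a simplified, hypothetical stand-in for an aimap fingerprint
// rule (not the project's own type): an optional status requirement plus
// substrings that must and must not appear in the body.
type Probe struct {
	Name            string
	Class           string   // credential class or service the probe covers
	StatusCode      int      // 0 means any status is accepted
	BodyContains    []string // every entry must appear (case-insensitive)
	BodyNotContains []string // no entry may appear (case-insensitive)
}

// Response is a constructed minimal view of an HTTP response.
type Response struct {
	StatusCode int
	Body       string
}

// Match reports whether the response satisfies every anchor of the probe.
func (p Probe) Match(r Response) bool {
	if p.StatusCode != 0 && r.StatusCode != p.StatusCode {
		return false
	}
	body := strings.ToLower(r.Body)
	for _, s := range p.BodyContains {
		if !strings.Contains(body, strings.ToLower(s)) {
			return false
		}
	}
	for _, s := range p.BodyNotContains {
		if strings.Contains(body, strings.ToLower(s)) {
			return false
		}
	}
	return true
}

// NakedMCP is the "naked single-word body_contains" shape the release retires.
// The marker string is constructed for this example, not aimap's real probe.
var NakedMCP = Probe{Name: "MCP Server (naked)", Class: "mcp", BodyContains: []string{`"jsonrpc"`}}

// AnchoredMCP adds a status requirement, a second structured signal and the
// HTML exclusion described in the release notes.
var AnchoredMCP = Probe{
	Name:            "MCP Server (anchored)",
	Class:           "mcp",
	StatusCode:      200,
	BodyContains:    []string{`"jsonrpc"`, `"2.0"`},
	BodyNotContains: []string{"<!DOCTYPE html"},
}

// Constructed responses: a real-shape endpoint, a documentation page that
// quotes the same JSON, and a proxy 404 that echoes a JSON-RPC error.
var (
	TPEndpoint = Response{StatusCode: 200, Body: `{"jsonrpc":"2.0","id":1,"result":{"tools":[]}}`}
	DocPage    = Response{StatusCode: 200, Body: `<!DOCTYPE html><html><body><pre>{"jsonrpc":"2.0","method":"tools/list"}</pre></body></html>`}
	Proxy404   = Response{StatusCode: 404, Body: `{"jsonrpc":"2.0","error":{"code":-32601,"message":"no upstream"}}`}
)

// Uncovered mirrors the inventory test: it returns every class that has no
// probe, so adding a credential class without a probe fails the test suite.
func Uncovered(classes []string, probes []Probe) []string {
	covered := map[string]bool{}
	for _, p := range probes {
		covered[p.Class] = true
	}
	var missing []string
	for _, c := range classes {
		if !covered[c] {
			missing = append(missing, c)
		}
	}
	return missing
}

func main() {
	for _, r := range []Response{TPEndpoint, DocPage, Proxy404} {
		fmt.Printf("status=%d naked=%t anchored=%t\n", r.StatusCode, NakedMCP.Match(r), AnchoredMCP.Match(r))
	}
	fmt.Println("uncovered:", Uncovered([]string{"mcp", "openai"}, []Probe{AnchoredMCP}))
}
```

The TP test and FP-reject test pairing from the release maps directly onto this: every anchored probe should still match `TPEndpoint` and must reject both `DocPage` and `Proxy404`.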
2. scanSecrets ported to validation discipline (Insight #38 generalized)
Pre-v1.9.19: every match emitted Severity: "critical" regardless of evidence. Post: severity follows the evidence:
- Anchor only (env-var name visible, value not extracted) → BaseSev (medium for env-vars, high for credential prefixes, low for very generic anchors)
- Anchor + value extracted, format valid → critical
- Anchor + value extracted, format mismatch → BaseSev (no upgrade — the value is suspicious but doesn't match the vendor's documented shape)
HUGGING_FACE (a very generic anchor that previously fired critical on any doc page) now emits at low unless a real hf_xxx value is extracted. 12 env-var patterns get format-validated against vendor-documented shapes (sk-proj-/sk-ant-/AKIA/AIza/hf_/etc.).
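The three-row severity table above, carried through in an added example (not aimap's scanSecrets; SecretRule, Finding, Redact and the rule set are stand-ins written for this release note). The AWS shape (AKIA followed by 16 uppercase alphanumerics) is AWS's documented access key ID format; the minimum lengths assumed for hf_ and sk-ant- values are illustrative, not taken from the vendors or from aimap. The constructed bodies cover a real-format value, a template that leaks nothing, a placeholder with the wrong shape, and a documentation page that only mentions the vendor.

```go
package main

import (
	"fmt"
	"regexp"
)

// Severity levels as used in the release's scoring table.
type Severity string

const (
	Low      Severity = "low"
	Medium   Severity = "medium"
	High     Severity = "high"
	Critical Severity = "critical"
)

// SecretRule is a hypothetical stand-in for aimap's secretPattern (not the
// project's type). Anchor detects the credential name or prefix, Value
// extracts a candidate, Format is the shape a real value has.
type SecretRule struct {
	Name    string
	Anchor  *regexp.Regexp
	Value   *regexp.Regexp // capture group 1 is the candidate value
	Format  *regexp.Regexp
	BaseSev Severity
}

// Finding is what the scanner would report; Value is already redacted.
type Finding struct {
	Rule     string
	Value    string
	Severity Severity
	Reason   string
}

// Redact keeps a short prefix so the finding is actionable without
// re-publishing the secret (illustrative, not aimap's redactKey).
func Redact(v string) string {
	if len(v) <= 6 {
		return "***"
	}
	return v[:6] + "..." + fmt.Sprintf("(%d chars)", len(v))
}

// Score implements the table: anchor only -> BaseSev; anchor + value that
// matches Format -> critical; anchor + value with Format mismatch -> BaseSev.
func Score(rule SecretRule, body string) (Finding, bool) {
	if !rule.Anchor.MatchString(body) {
		return Finding{}, false
	}
	f := Finding{Rule: rule.Name, Severity: rule.BaseSev, Reason: "anchor only, no value extracted"}
	m := rule.Value.FindStringSubmatch(body)
	if m == nil {
		return f, true
	}
	f.Value = Redact(m[1])
	if rule.Format.MatchString(m[1]) {
		f.Severity = Critical
		f.Reason = "value matches documented format"
	} else {
		f.Reason = "value extracted but format mismatch, no upgrade"
	}
	return f, true
}

// AWS's documented access key ID shape is AKIA + 16 uppercase alphanumerics.
// The hf_ and sk-ant- minimum lengths are assumptions for illustration only.
var (
	AWSRule = SecretRule{
		Name:    "AWS_ACCESS_KEY_ID",
		Anchor:  regexp.MustCompile(`AWS_ACCESS_KEY_ID`),
		Value:   regexp.MustCompile(`AWS_ACCESS_KEY_ID\s*[=:]\s*["']?([A-Za-z0-9+/]+)`),
		Format:  regexp.MustCompile(`^AKIA[A-Z0-9]{16}$`),
		BaseSev: Medium, // env-var name
	}
	HFRule = SecretRule{
		Name:    "HUGGING_FACE",
		Anchor:  regexp.MustCompile(`(?i)hugging[_ ]?face|HF_TOKEN`),
		Value:   regexp.MustCompile(`\b(hf_[A-Za-z0-9]+)`),
		Format:  regexp.MustCompile(`^hf_[A-Za-z0-9]{30,}$`),
		BaseSev: Low, // very generic anchor
	}
	AnthropicRule = SecretRule{
		Name:    "sk-ant-",
		Anchor:  regexp.MustCompile(`sk-ant-`),
		Value:   regexp.MustCompile(`(sk-ant-[A-Za-z0-9_-]+)`),
		Format:  regexp.MustCompile(`^sk-ant-[A-Za-z0-9_-]{40,}$`),
		BaseSev: High, // credential prefix
	}
)

func main() {
	// Constructed bodies, one per row of the table plus a doc-page mention.
	bodies := []string{
		"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",       // AWS documentation example key
		"AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}",       // template, nothing leaked
		"AWS_ACCESS_KEY_ID=changeme",                   // placeholder, wrong shape
		"Use the Hugging Face hub to download models.", // doc page, anchor only
	}
	for _, b := range bodies {
		for _, r := range []SecretRule{AWSRule, HFRule, AnthropicRule} {
			if f, ok := Score(r, b); ok {
				fmt.Printf("%-18s %-8s %s\n", f.Rule, f.Severity, f.Reason)
			}
		}
	}
}
```

The point of the Format step is the third row: a value that is present but does not match the documented shape stays at BaseSev, so placeholders and templates no longer produce critical findings.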
3. enum_credentials.go: credential code extracted from enumerators.go
The 363 lines of credential/secret-scanning code (secretPattern, credentialClass, redactKey, scanCredentials, scanSecrets, enumExposedCredentials) moved out of the 4,500-line enumerators.go into a focused enum_credentials.go. Partial split — the full category split (per-category files for vector/llm/observability/orchestration/bi/safety) is queued for a separate refactor.
4. Registry-pattern dispatcher
runEnumerators's 50-arm switch statement converted to a map[string]enumeratorFn lookup:
```go
type enumeratorFn func(c *http.Client, svc ServiceMatch) EnumResult

var enumeratorRegistry = map[string]enumeratorFn{
	"Weaviate": enumWeaviate,
	"Ollama":   enumOllama,
	// ... 50 entries grouped by category
}
```

Adding a new enumerator is one-line registration. "Did you wire it up?" becomes a compile error rather than a silent "no enumerator ran" miss. No behavior change.
5. GitHub Actions CI
New .github/workflows/ci.yml:
- build-and-test: go build, go vet, go test -race, plus a version.go ↔ -version output consistency check
- cross-platform-build matrix: linux+darwin × amd64+arm64 on every push/PR
6. PKGBUILD sha256 backfilled
v1.9.18's sha256sums=SKIP placeholder replaced with the real v1.9.18 tarball hash. v1.9.19 set to SKIP again pending the next tag-push; downstream packagers can compute against v1.9.19.tar.gz.
What's not in this release
No new fingerprints. No new enumerators. No new categories. Pure quality + structural improvements against the v1.9.18 baseline.
Install
```sh
curl -LO https://github.com/Nicholas-Kloster/aimap/releases/download/v1.9.19/aimap-linux-amd64
chmod +x aimap-linux-amd64 && sudo mv aimap-linux-amd64 /usr/local/bin/aimap
# Or
go install github.com/Nicholas-Kloster/aimap@v1.9.19
```

Verify against SHA256SUMS attached to this release.
Stats
- 1 commit, 10 files changed, 1,384 insertions, 365 deletions
- 31 new regression tests (20 anchoring + 9 scan-secrets + 2 inventory)
- All existing tests still pass