Release Notes
Added
- Real EmbeddingGemma embedder in pure candle (opt-in gguf-embed): a from-scratch forward pass of EmbeddingGemma-300m (Gemma3 encoder + dense head) in candle 0.10 with no native dependencies, loading user-supplied safetensors weights from a local path — never downloaded. Validated to cosine 0.99998 vs the official ONNX reference; 256-d Matryoshka output, asymmetric query/document prompts. On CodeSearchNet the vector arm goes from feature-hash noise (recall@5 0.34/0.005/0.035) to 0.95/0.99/0.885, hybrid now beats BM25-only on all three slices, and the adaptive recovery gate closes — see BENCHMARK.md. The default build is unchanged: still the deterministic feature-hash, still zero-model and offline.
- Project governance & OpenSSF Best Practices artifacts: CONTRIBUTING.md, CODE_OF_CONDUCT.md (Contributor Covenant 3.0), GOVERNANCE.md, this changelog, docs/ASSURANCE.md (assurance case), and docs/best-practices-silver.md (criteria evidence map).
- Supply-chain / OpenSSF Scorecard hardening: cargo-deny + cargo-audit jobs, a Dependabot config (Dependency-Update-Tool), a CodeQL workflow for Rust + Actions (SAST), all GitHub Actions pinned to commit SHAs (Pinned-Dependencies), and least-privilege top-level contents: read token permissions across every workflow (Token-Permissions), with write elevated per-job only where the release is created/published.
- Fuzzing: cargo-fuzz targets over the untrusted-input surface (parse_source + chunk_file) plus a ClusterFuzzLite setup that runs them on PRs (Scorecard Fuzzing). The fuzz/ crate is isolated from the main workspace.
- Registry publishing: release.yml now publishes the crates to crates.io (cargo publish, indexer first then bin) and the npx wrapper to npm (Scorecard Packaging). Adds the crate metadata crates.io requires (description/keywords/categories/repository).
- Branch protection on main: PRs + strict status checks (CI, CodeQL, deny, audit, offline-isolation) + linear history + no force-push, enforced for admins.
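A lint-style check for two of the Scorecard items listed above (Pinned-Dependencies and Token-Permissions), as an added example that is not part of this release or the project's code. The sample workflow, the SHA and the function names are constructed for illustration, and the parsing is regex-based rather than a full YAML parse.

```python
import re

# Constructed sample, trimmed to the keys this check reads (not the project's
# workflow): read-only top-level token, write elevated in the publish job only.
SAMPLE_WORKFLOW = """\
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: actions/upload-artifact@v4
  publish:
    permissions:
      contents: write
    steps:
      - uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)", re.M)
FULL_SHA_RE = re.compile(r"@[0-9a-f]{40}$")
TOP_PERMS_RE = re.compile(r"^permissions:[ \t]*([^#\s]*).*\n((?:[ \t]+[\w-]+:.*\n?)*)", re.M)

def unpinned_actions(text):
    """Return `uses:` references that are not pinned to a full 40-hex commit SHA."""
    refs = [r.strip("'\"") for r in USES_RE.findall(text)]
    # Local (./) actions and docker:// images are pinned differently; not checked here.
    return [r for r in refs if not r.startswith(("./", "docker://")) and not FULL_SHA_RE.search(r)]

def top_level_permissions(text):
    """Return the workflow-level `permissions:` block as a dict, or None if absent."""
    m = TOP_PERMS_RE.search(text)  # anchored at column 0, so job-level blocks are ignored
    if m is None:
        return None
    if m.group(1):  # scalar form such as read-all / write-all
        return {"*": m.group(1)}
    return dict(re.findall(r"^[ \t]+([\w-]+):[ \t]*([\w-]+)", m.group(2), re.M))

def audit(text):
    """List findings: unpinned actions, missing or write-capable workflow-level token."""
    findings = [f"unpinned action: {r}" for r in unpinned_actions(text)]
    perms = top_level_permissions(text)
    if perms is None:
        findings.append("no top-level permissions block")
    elif any(v in ("write", "write-all") for v in perms.values()):
        findings.append("top-level token grants write")
    return findings
```

On the sample, `audit(SAMPLE_WORKFLOW)` reports only the tag-pinned `actions/upload-artifact@v4`; the job-level `contents: write` is not flagged because elevation is scoped to that job.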
Changed
chunks_vec width is parametrized by the active embedder's dimension
(open_db_with(path, dim)), decoupling the vector-table DDL from the
EMBED_DIM = 384 feature-hash constant so an opt-in model with a different
dimension (e.g. EmbeddingGemma 256/768) stores correctly. The default path
(open_db) stays byte-identical; the existing refuse-to-mix guard rejects an
index built with a different embedder id/dim.
Download apohara-codesearch 0.2.0
| File | Platform | Checksum |
|---|---|---|
| apohara-codesearch-aarch64-apple-darwin.tar.xz | Apple Silicon macOS | checksum |
| apohara-codesearch-x86_64-apple-darwin.tar.xz | Intel macOS | checksum |
| apohara-codesearch-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| apohara-codesearch-aarch64-unknown-linux-gnu.tar.xz | ARM64 Linux | checksum |
| apohara-codesearch-x86_64-unknown-linux-gnu.tar.xz | x64 Linux | checksum |
Verifying GitHub Artifact Attestations
The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:
gh attestation verify <file-path of downloaded artifact> --repo SuarezPM/apohara-codesearch
You can also download the attestation from GitHub and verify against that directly:
gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>