Fix #363: Upgrade rustls dependencies to fix RUSTSEC-2026-0049 #762

Closed

AlexMikhalev wants to merge 18 commits into main from task/363-rustls-upgrade

Conversation

@AlexMikhalev
Contributor

Summary

This PR implements the security remediation for issue #363 - upgrading rustls dependencies to fix RUSTSEC-2026-0049 (rustls-webpki CRL bypass vulnerability).

Changes

Security Fix

  • crates/terraphim_middleware/Cargo.toml: Upgraded reqwest-eventsource from 0.5 to 0.6
    • This eliminates the dependency chain that brought in vulnerable rustls 0.22.x and rustls-webpki 0.102.x

Dependency Updates

  • Regenerated Cargo.lock to purge orphaned vulnerable dependencies
  • Removed rustls 0.22.x from dependency tree
  • Removed rustls-webpki 0.102.x from dependency tree

Verification

All acceptance criteria from #363 have been met:

  • Upgrade rustls-webpki to >=0.103.10 (using 0.103.10 from git)
  • Update rustls 0.22.x to 0.23.x (using 0.23.37)
  • Update tokio-tungstenite to version compatible with rustls 0.23.x (patched to v0.28.0)
  • Verify terraphim_tinyclaw compiles and functions correctly
  • Run cargo audit - RUSTSEC-2026-0049 no longer appears
  • All existing tests continue to pass
  • cargo clippy passes with zero warnings
  • cargo fmt check passes

Refs #363 (Gitea)
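A lockfile-level check complements the "cargo audit no longer reports RUSTSEC-2026-0049" criterion: after regenerating Cargo.lock, confirm that no [[package]] entry is still inside the ranges the PR describes as affected. The script below is an added example and not code from this PR or the Terraphim project; it assumes the ranges exactly as the PR states them (rustls 0.22.x affected, rustls-webpki fixed from 0.103.10 onwards) and runs against a constructed sample Cargo.lock rather than the project's real one.

```shell
#!/bin/sh
# Added example, not part of the PR: flag Cargo.lock entries still in the
# ranges this PR describes as affected by RUSTSEC-2026-0049.
# Assumption (taken from the PR text): rustls 0.22.x is affected, and
# rustls-webpki is fixed from 0.103.10 onwards.

# version_lt A B: succeed when dotted version A is numerically below B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1   # equal is not "less than"
  }'
}

# is_affected NAME VERSION: succeed when the crate version is in an affected range.
is_affected() {
  case "$1" in
    rustls)
      case "$2" in 0.22.*) return 0 ;; esac
      return 1 ;;
    rustls-webpki)
      version_lt "$2" 0.103.10 ;;
    *) return 1 ;;
  esac
}

# find_affected LOCKFILE: print "name version" for every affected [[package]].
# Cargo.lock is TOML; each package block carries name = "..." and version = "...".
find_affected() {
  awk '
    /^\[\[package\]\]/ { name = ""; version = "" }
    /^name = /    { gsub(/"/, "", $3); name = $3 }
    /^version = / { gsub(/"/, "", $3); version = $3; print name, version }
  ' "$1" | while read -r name version; do
    if is_affected "$name" "$version"; then
      echo "$name $version"
    fi
  done
}

# count_affected LOCKFILE: number of affected entries (0 means the tree is clean).
count_affected() {
  find_affected "$1" | awk 'END { print NR }'
}

# Constructed sample lockfile: a mixed tree with one old and one new version
# of each crate, as the PR describes before and after the upgrade.
# This is NOT the project's real Cargo.lock.
SAMPLE_LOCK="${TMPDIR:-/tmp}/sample-cargo-lock.$$"
cat > "$SAMPLE_LOCK" <<'EOF'
[[package]]
name = "rustls"
version = "0.22.4"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls"
version = "0.23.37"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-webpki"
version = "0.102.8"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-webpki"
version = "0.103.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF

find_affected "$SAMPLE_LOCK"
# prints:
# rustls 0.22.4
# rustls-webpki 0.102.8
```

Point `find_affected` at a real Cargo.lock after `cargo update`: a clean tree prints nothing and `count_affected` returns 0. The check only knows the two ranges named in this PR, so it is a fast regression guard for this specific advisory alongside `cargo audit`, not a substitute for it.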

Terraphim CI and others added 18 commits April 6, 2026 12:27
Create 10 ADF routing rule markdown files with route/action/priority/
synonyms directives for KG-based agent dispatch. Add action:: directive
to RouteDirective for CLI command templates. Support multiple route/action
pairs per file with backward-compatible route field.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

KgRouter loads routing rules from markdown taxonomy directory,
builds thesaurus from synonyms, and uses terraphim_automata::find_matches
for Aho-Corasick pattern matching against agent task descriptions.

Returns KgRouteDecision with provider, model, action template, confidence,
and ordered fallback routes. Supports health-aware fallback via
first_healthy_route() and template rendering via render_action().

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

Add provider_probe.rs with ProviderHealthMap using CircuitBreaker from
terraphim_spawner::health. Probes CLI tools via action:: templates from
KG rules, measures latency, saves pi-benchmark compatible JSON results.

Wire KG router into spawn_agent(): KG routing tried first (Aho-Corasick
synonym match), with health-aware fallback skipping unhealthy providers.
Falls back to existing keyword RoutingEngine when no KG match found.

Add [routing] config section to OrchestratorConfig with taxonomy_path,
probe_ttl_secs, probe_results_dir, and probe_on_startup fields.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

KgRouter now tracks the latest mtime of .md files in the taxonomy
directory. reload_if_changed() compares current mtime against cached
value and rebuilds the Aho-Corasick automaton if files have been
modified. Called on the orchestrator's reconciliation tick for
zero-restart routing updates.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

Fix D-1: replace deprecated std::io::Error::new(ErrorKind::Other, e)
with std::io::Error::other(e) in provider_probe.rs.

Add verification and validation report from V-model right-side review.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

D-2: probe_all() called on startup when probe_on_startup=true, and
re-probed in reconcile_tick when cached results expire (TTL-based).
Saves JSON results to configured probe_results_dir.

D-3: ExitClassifier ModelError/RateLimit feeds record_failure() into
provider circuit breaker. Success/EmptySuccess feeds record_success().

D-4: reload_if_changed() called every reconcile_tick, checks mtime
of markdown files and rebuilds Aho-Corasick automaton if changed.

D-5: Use sh -c for action template execution instead of
split_whitespace, matching CommandStep::Shell pattern in tinyclaw.
Handles quoted arguments correctly.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

The probe's sh -c doesn't have ~/.local/bin, ~/.bun/bin, ~/.cargo/bin
on PATH where opencode and claude live. Use bash -lc (login shell)
to source the user profile, matching the systemd ExecStart pattern.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

Replace bash -lc (which fails if .profile has errors) with bash -c
plus explicit PATH prepend of ~/.local/bin, ~/.bun/bin, ~/bin,
~/.cargo/bin, ~/go/bin. Avoids broken .profile sourcing while
ensuring CLI tools are discoverable.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

opencode requires 'run -m provider/model "prompt"' syntax.
All action templates now use {{ model }} placeholder from route
directive instead of hardcoding model names.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

Use absolute paths for opencode (/home/alex/.bun/bin/opencode) and
claude (/home/alex/.local/bin/claude). Add --format json to opencode.
Replace pay-per-use opencode/ models with subscription providers:
gpt-5-nano -> opencode-go/minimax-m2.5, minimax-m2.5-free ->
minimax-coding-plan/MiniMax-M2.5.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

Validates 10 rules loaded, every route has action:: template,
security_audit matches cargo audit/CVE, reasoning has priority 80,
and multi-route fallback chains are present.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

Add e2e test verifying every ADF agent routes to expected provider+model
via KG synonym matching. Fix multi-line synonyms: parser requires
synonyms:: prefix on each line. All 12 agents route correctly.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

Expand all 10 routing rules from 2 to 4 routes each:
- Coding tasks: +zai-coding-plan/glm-5-turbo +openai/gpt-5.3-codex
- Reasoning tasks: +zai-coding-plan/glm-5 +openai/gpt-5.4
- Documentation/cost: +zai-coding-plan/glm-5-turbo +openai/gpt-5.4-mini

All subscription providers only (no opencode/ pay-per-use prefix).
E2e test updated: 12/12 agents route correctly with 4 fallbacks.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

Probe timeout/error marks provider unhealthy immediately, not after
5 failures. Probe success is authoritative over circuit breaker state.
Mixed results: if ANY model succeeds for a provider, provider is healthy.

This fixes the bug where kimi timed out in probe (30s) but was still
selected as primary because circuit breaker threshold wasn't reached.

Refs #400

Co-Authored-By: Terraphim AI <noreply@terraphim.ai>

@AlexMikhalev
Contributor Author

I integrated the relevant fixes directly onto main to avoid merging branch noise and conflicts. Landed via commits: 1c2162e, e817744, 0adf611, 96c5841, 596d762, 4a30a17, fb0ac71, 0b2d7cc. Closing this PR as superseded.

@AlexMikhalev
Contributor Author

Superseded by direct integration to main.

AlexMikhalev added a commit that referenced this pull request Apr 22, 2026

Step 3/6 of #144 - Inter-agent orchestration via Gitea mentions.

- Add resolve_mention_chain() helper to determine chain_id/depth/parent
- Add MentionChainTracker::check() gate before all mention spawns
- Add MentionChainTracker::build_context() for structured handoff context
- Apply chain tracking to all 3 dispatch sites:
  - Qualified mentions (@adf:project/agent)
  - Unqualified agent mentions (@adf:agent)
  - Persona mentions (@adf:persona)
- Add mention_chain_id/mention_depth to ManagedAgent
- Replace flat mention context with structured markdown block

Refs #762

AlexMikhalev added a commit that referenced this pull request Apr 22, 2026
…#832)

Adds inter-agent orchestration via mention chain tracking. Fixes #144. Closes #760, #761, #762, #763, #764, #765.