Fix #363: Upgrade rustls dependencies to fix RUSTSEC-2026-0049#762
Closed
AlexMikhalev wants to merge 18 commits intomainfrom
Closed
Fix #363: Upgrade rustls dependencies to fix RUSTSEC-2026-0049#762AlexMikhalev wants to merge 18 commits intomainfrom
AlexMikhalev wants to merge 18 commits intomainfrom
Conversation
Create 10 ADF routing rule markdown files with route/action/priority/ synonyms directives for KG-based agent dispatch. Add action:: directive to RouteDirective for CLI command templates. Support multiple route/action pairs per file with backward-compatible route field. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
KgRouter loads routing rules from markdown taxonomy directory, builds thesaurus from synonyms, and uses terraphim_automata::find_matches for Aho-Corasick pattern matching against agent task descriptions. Returns KgRouteDecision with provider, model, action template, confidence, and ordered fallback routes. Supports health-aware fallback via first_healthy_route() and template rendering via render_action(). Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Add provider_probe.rs with ProviderHealthMap using CircuitBreaker from terraphim_spawner::health. Probes CLI tools via action:: templates from KG rules, measures latency, saves pi-benchmark compatible JSON results. Wire KG router into spawn_agent(): KG routing tried first (Aho-Corasick synonym match), with health-aware fallback skipping unhealthy providers. Falls back to existing keyword RoutingEngine when no KG match found. Add [routing] config section to OrchestratorConfig with taxonomy_path, probe_ttl_secs, probe_results_dir, and probe_on_startup fields. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
KgRouter now tracks the latest mtime of .md files in the taxonomy directory. reload_if_changed() compares current mtime against cached value and rebuilds the Aho-Corasick automaton if files have been modified. Called on the orchestrator's reconciliation tick for zero-restart routing updates. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Fix D-1: replace deprecated std::io::Error::new(ErrorKind::Other, e) with std::io::Error::other(e) in provider_probe.rs. Add verification and validation report from V-model right-side review. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
D-2: probe_all() called on startup when probe_on_startup=true, and re-probed in reconcile_tick when cached results expire (TTL-based). Saves JSON results to configured probe_results_dir. D-3: ExitClassifier ModelError/RateLimit feeds record_failure() into provider circuit breaker. Success/EmptySuccess feeds record_success(). D-4: reload_if_changed() called every reconcile_tick, checks mtime of markdown files and rebuilds Aho-Corasick automaton if changed. D-5: Use sh -c for action template execution instead of split_whitespace, matching CommandStep::Shell pattern in tinyclaw. Handles quoted arguments correctly. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
The probe's sh -c doesn't have ~/.local/bin, ~/.bun/bin, ~/.cargo/bin on PATH where opencode and claude live. Use bash -lc (login shell) to source the user profile, matching the systemd ExecStart pattern. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Replace bash -lc (which fails if .profile has errors) with bash -c plus explicit PATH prepend of ~/.local/bin, ~/.bun/bin, ~/bin, ~/.cargo/bin, ~/go/bin. Avoids broken .profile sourcing while ensuring CLI tools are discoverable. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
opencode requires 'run -m provider/model "prompt"' syntax.
All action templates now use {{ model }} placeholder from route
directive instead of hardcoding model names.
Refs #400
Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Use absolute paths for opencode (/home/alex/.bun/bin/opencode) and claude (/home/alex/.local/bin/claude). Add --format json to opencode. Replace pay-per-use opencode/ models with subscription providers: gpt-5-nano -> opencode-go/minimax-m2.5, minimax-m2.5-free -> minimax-coding-plan/MiniMax-M2.5. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Validates 10 rules loaded, every route has action:: template, security_audit matches cargo audit/CVE, reasoning has priority 80, and multi-route fallback chains are present. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Add e2e test verifying every ADF agent routes to expected provider+model via KG synonym matching. Fix multi-line synonyms: parser requires synonyms:: prefix on each line. All 12 agents route correctly. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Expand all 10 routing rules from 2 to 4 routes each: - Coding tasks: +zai-coding-plan/glm-5-turbo +openai/gpt-5.3-codex - Reasoning tasks: +zai-coding-plan/glm-5 +openai/gpt-5.4 - Documentation/cost: +zai-coding-plan/glm-5-turbo +openai/gpt-5.4-mini All subscription providers only (no opencode/ pay-per-use prefix). E2e test updated: 12/12 agents route correctly with 4 fallbacks. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Probe timeout/error marks provider unhealthy immediately, not after 5 failures. Probe success is authoritative over circuit breaker state. Mixed results: if ANY model succeeds for a provider, provider is healthy. This fixes the bug where kimi timed out in probe (30s) but was still selected as primary because circuit breaker threshold wasn't reached. Refs #400 Co-Authored-By: Terraphim AI <noreply@terraphim.ai>
Contributor
Author
Contributor
Author
|
Superseded by direct integration to main. |
AlexMikhalev
added a commit
that referenced
this pull request
Apr 22, 2026
Step 3/6 of #144 - Inter-agent orchestration via Gitea mentions. - Add resolve_mention_chain() helper to determine chain_id/depth/parent - Add MentionChainTracker::check() gate before all mention spawns - Add MentionChainTracker::build_context() for structured handoff context - Apply chain tracking to all 3 dispatch sites: - Qualified mentions (@adf:project/agent) - Unqualified agent mentions (@adf:agent) - Persona mentions (@adf:persona) - Add mention_chain_id/mention_depth to ManagedAgent - Replace flat mention context with structured markdown block Refs #762
AlexMikhalev
added a commit
that referenced
this pull request
Apr 22, 2026
AlexMikhalev
added a commit
that referenced
this pull request
Apr 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR implements the security remediation for issue #363 - upgrading rustls dependencies to fix RUSTSEC-2026-0049 (rustls-webpki CRL bypass vulnerability).
Changes
Security Fix
reqwest-eventsourcefrom 0.5 to 0.6rustls 0.22.xandrustls-webpki 0.102.xDependency Updates
Cargo.lockto purge orphaned vulnerable dependenciesrustls 0.22.xfrom dependency treerustls-webpki 0.102.xfrom dependency treeVerification
All acceptance criteria from #363 have been met:
cargo audit- RUSTSEC-2026-0049 no longer appearsRefs #363 (Gitea)