fix: SPEC audit P0–P2 correctness, hardening, and walk-quality fixes#50
Merged
Conversation
Implements the actionable items from the code audit (SPEC waves 1–3 plus selected polish). Behavior-compatible except #3's exit-code change. Correctness & security (P0): - invalidate --by: record unresolved freetext attribution as a node property instead of minting an Event that leaks into walk output; drop ensure_event - relate(): MERGE instead of CREATE so re-runs don't accrete duplicate edges - add concept: exit 2 (not 0) when blocked as a fuzzy duplicate, so scripts checking $? can branch; add --quiet for hook/script use - walk traversal: constrain to Concept/KnowledgePatch, deny bookkeeping/session relationship types, and cap results with LIMIT (--limit escape hatch) - clippy: escalate unwrap_used/expect_used to deny so the stated policy fails the build; fix the real sites, narrow-allow provably-infallible statics + tests Robustness (P1): - OllamaClient: build the reqwest::Client once and reuse it (connection pooling) - describe: write the description even when Ollama is down; backfill fills the embedding later, rather than blocking knowledge capture on the sidecar - reflector: invoke the binary via current_exe() instead of `c0` on $PATH, and stamp provenance with --source reflector so its commits are auditable - find: stop logging zero-row Cypher results as knowledge dead-ends Architecture/polish (P2/P3): - add `c0 move patch <name> --to <ns>` mirroring move concept - docker-compose: allow NEO4J_AUTH override; document the single-user threat model - ship systemd timer units for discrete reflector runs (retire daemon framing) - Cargo.toml: declare rust-version = "1.85" (edition 2024 MSRV) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements the actionable findings from the code audit (SPEC waves 1–3 plus selected polish). All changes are behavior-compatible except #3's exit-code change (called out below for anyone whose hooks/scripts check
$?onadd concept).Verified locally:
cargo fmt,cargo build(default +sessions),cargo clippy --all-targets(now deniesunwrap_used/expect_usedwith zero violations),cargo test(26 pass). MERGE idempotency and the exit-2 path were also confirmed live against Neo4j.Correctness & security (P0)
invalidate --by— unresolved freetext attribution is now stored as a property on the invalidated node instead of minting anEventthat leaked intowalkoutput;ensure_eventremoved.relate()—CREATE→MERGE, so repeated hook/script runs no longer accrete duplicate edges.add conceptnow exits2(was0) when the fuzzy-duplicate guard blocks a create, so callers can branch on$?; adds--quiet/-qfor hook use.$?will now see2instead of0.Concept/KnowledgePatchlabels, a deny-list for bookkeeping/session relationship types, and aLIMITwith a--limitescape hatch (default 200). Previously any label over any rel type with no cap.unwrap_used/expect_usedescalated to deny so the stated policy fails the build; the real sites are fixed, provably-infallible statics and test modules carry narrow#[allow]s. (Full-D warningsnot yet enabled — 200+ style warnings remain, tracked separately.)Robustness (P1)
OllamaClientbuilds thereqwest::Clientonce and reuses it (connection pooling on hot loops).describewrites the description even when Ollama is down and letsbackfill embeddingsfill the vector later, instead of blocking capture on the sidecar.current_exe()instead ofc0on$PATH(fixes silent failures under systemd).--source reflectorso its commits are auditable.findno longer logs zero-row Cypher results as knowledge dead-ends.Architecture / polish (P2/P3)
c0 move patch <name> --to <ns>, mirroringmove concept.docker-composeallows aNEO4J_AUTHoverride; README documents the single-user threat model.scripts/systemd/) for discrete reflector runs.rust-version = "1.85".Deferred (not in this PR)
The larger structural/credibility items from the audit are intentionally left for follow-up: integration tests (#10), the
main.rs/graph.rsrefactors (#11/#12),findJSON output (#13),audit duplicates(#16), benchmark growth (#17), release hygiene (#18), and the relationship-type vocabulary (#21).🤖 Generated with Claude Code