Skip to content

fix(security): patch command injection and SONA bugs, publish mincut-wasm#266

Merged
ruvnet merged 16 commits intomainfrom
feat/common-crawl-piq-poc
Mar 17, 2026
Merged

fix(security): patch command injection and SONA bugs, publish mincut-wasm#266
ruvnet merged 16 commits intomainfrom
feat/common-crawl-piq-poc

Conversation

@ruvnet
Copy link
Owner

@ruvnet ruvnet commented Mar 17, 2026

Summary

Changes

Security (Critical)

  • Add sanitizeShellArg() function to strip shell metacharacters from user input
  • Apply sanitization to name, preset, triggers in workers_create handler
  • Add validation to reject empty worker names

Bug Fixes

  • sona-wrapper.js: Add fallback parser for Rust debug format strings in getStats()
  • background.rs: Add force parameter to run_cycle() to bypass 100-trajectory minimum
  • coordinator.rs: Pass force=true from force_background() for forceLearn() API

Features

  • mincut-wasm: Build WASM package with Stoer-Wagner algorithm (disabled wasm-opt for SIMD compat)
  • pipeline.rs: Add Wayback Machine CDX fallback when Common Crawl is unreachable

Published Packages

  • @ruvector/mincut-wasm@0.1.0 - WASM bindings for dynamic minimum cut
  • ruvector@0.2.13 - Security fix release

Test Results

  • SONA crate: 85 tests passed (including new force_learn test)
  • ruvector npm: 69 tests passed

Issues Resolved

Test plan

  • Run cargo test -p ruvector-sona (85 pass)
  • Run npm test in ruvector package (69 pass)
  • Syntax check mcp-server.js
  • Verify npm packages published

🤖 Generated with claude-flow

Reuven and others added 16 commits March 17, 2026 00:23
@ruvnet
feat(mcp-brain-server): add PiQ3 quantization for Common Crawl POC (A…
219960b 
…DR-115)

Implements tier-aware product quantization for embedding compression:
- 3-bit (CentroidMerged): 8.68x compression, 99.05% recall
- 4-bit (DeltaCompressed): 6.83x compression, 99.78% recall
- 2-bit (Archived): 11.91x compression, 95.43% recall

Key changes:
- Add quantization.rs with PiQQuantizer and QuantizedEmbedding types
- Integrate quantization into web_ingest.rs Phase 5
- Add quantized_embedding field to WebMemory struct
- Update ADR-115 with POC validation results

Throughput: 97K-134K embeddings/sec on Apple Silicon

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet
feat(adr-115): add CommonCrawlAdapter and WebMemoryStore to AppState
64e113f 
- Add web_store and crawl_adapter fields to AppState (types.rs)
- Initialize persistent adapter and web store in create_router (routes.rs)
- Update crawl/discover endpoint to use persistent adapter
- Update crawl/stats endpoint to include WebMemoryStore metrics
- Stats now show tier distribution (full/delta/centroid/archived)

This enables persistent stats accumulation across requests and
prepares for production Common Crawl ingestion per ADR-115.

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet
feat(adr-115): add CDX caching for Common Crawl queries
977c487 
- Add CdxCacheEntry struct with TTL (24h expiration)
- Add cdx_cache DashMap to CommonCrawlAdapter
- Cache CDX query results before URL filtering
- Track cache hits/misses in CommonCrawlStats
- Expose cache stats in /v1/pipeline/crawl/stats endpoint
- Calculate and display cache hit rate percentage

This eliminates redundant CDX API calls when querying the same
domain pattern multiple times, reducing latency and API load.

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet
fix(adr-115): deserialize CDX length/offset from strings
284004f 
Common Crawl CDX API returns length and offset as strings, not
integers. Add custom deserialize_string_to_u64 function to handle
the type conversion.

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet
fix(adr-115): increase CDX timeout, disable filters for POC
9e9496e 
- Increase request timeout to 120s for slow CDX responses
- Add connect_timeout (30s) and pool_idle_timeout (90s)
- Disable default MIME/status filters for simpler queries
- Update default crawl index to CC-MAIN-2026-08
- Use expect() instead of unwrap_or_default() for clearer errors

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet
feat(adr-115): add CDX connectivity diagnostic endpoint
0c94ca9 
- Add /v1/pipeline/crawl/test endpoint for diagnosing CDX issues
- Add tracing for CDX query URLs and errors
- Tests connectivity to Common Crawl index API

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet
fix(adr-115): switch to native-tls for Common Crawl compatibility
b5c0ddb 
Common Crawl servers don't send proper TLS close_notify, causing
rustls to error. Switch to native-tls which is more lenient.

- Change reqwest feature from rustls-tls to native-tls
- Add openssl to build dependencies
- Add libssl3 to runtime image

Co-Authored-By: claude-flow <ruv@ruv.net>
fix(adr-115): force HTTP/1.1 and disable connection pooling for Commo…
38b79dc 
…n Crawl

Common Crawl CDX servers have issues with HTTP/2 and connection reuse:
- Force HTTP/1.1 with http1_only() to avoid protocol issues
- Disable connection pooling (pool_max_idle_per_host=0) since CC closes connections
- Add tcp_nodelay for lower latency
fix(adr-115): use adapter's HTTP client for connectivity test
287ed69 
The diagnostic endpoint was using reqwest::get() which creates a new
client with default settings, potentially using rustls instead of our
configured native-tls client. Now uses adapter.test_connectivity()
which uses the properly configured HTTP client.
feat(adr-115): add external HTTPS test for network diagnostics
e71bb52 
Compare Common Crawl connectivity against httpbin.org to determine
if the issue is Cloud Run networking or specifically Common Crawl.
fix(adr-115): use discover_from_records to avoid double CDX query
20fd63a 
The discover endpoint was calling query_cdx twice:
1. Once explicitly to get cdx_records_found
2. Again inside discover_domain

Due to URL deduplication in query_cdx, the second call returned
0 records. Fixed by adding discover_from_records() which accepts
pre-fetched CDX records.
feat(adr-115): add retry with exponential backoff for Common Crawl
8e01645 
Common Crawl CDX servers are flaky and sometimes return incomplete
responses. Added 3-attempt retry with exponential backoff (1s, 2s)
for both CDX queries and connectivity tests.
feat(adr-115): add multi-endpoint connectivity diagnostics
7d66233 
Test Internet Archive CDX, data.commoncrawl.org, and httpbin.org
to diagnose if the issue is specific to index.commoncrawl.org.
fix(adr-115): add Accept and Connection headers for CDX requests
d1807ff 
Try adding HTTP headers that might help with server compatibility:
- Accept: application/json
- Connection: close (avoid keep-alive issues)
feat(adr-115): add sample CDX fallback for Cloud Run connectivity issues
ee15e5f 
When the CDX API at index.commoncrawl.org is unreachable from Cloud Run,
fall back to pre-computed sample CDX records for demonstration purposes.
This allows testing the full pipeline (WARC fetch, extraction, injection)
while the CDX connectivity issue is being investigated.
@ruvnet
fix(security): patch command injection and SONA bugs, publish mincut-…
d35ea33 
…wasm

Security:
- Fix #256: Add sanitizeShellArg() to MCP workers_create handler
  preventing shell command injection via name/preset/triggers params

Bug fixes:
- Fix #257: Add fallback parser in sona-wrapper.js for Rust debug
  format strings from SonaEngine.getStats()
- Fix #258: Add force parameter to BackgroundLoop::run_cycle() so
  forceLearn() bypasses 100-trajectory minimum requirement

Features:
- Fix #254: Build and publish @ruvector/mincut-wasm@0.1.0 to npm
- Add Wayback Machine fallback for Common Crawl CDX API

Published:
- @ruvector/mincut-wasm@0.1.0
- ruvector@0.2.13

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet ruvnet merged commit 5c4c97d into main Mar 17, 2026
16 of 17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment