You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
release: v3.1.1 - Critical Security Fixes and Performance Restoration
- Bumped version to 3.1.1.
- Addressed SQLi, Path Traversal, and Race Condition vulnerabilities.
- Restored search throughput to 690+ ops/s via path validation caching.
- Stabilized concurrent SQLite operations with retries and BEGIN IMMEDIATE.
- Created detailed changelog and updated documentation index.
LedgerMind v3.1.1 is a critical security and stability release. It addresses multiple high-severity vulnerabilities found during the audit and restores peak performance for concurrent search operations.
4
+
5
+
## Highlights
6
+
7
+
### 🛡️ Hardened Security
8
+
-**Atomic File Locking:** Fixed TOCTOU race conditions in `FileSystemLock` using atomic `O_EXCL` operations and improved `fcntl` queuing.
9
+
-**Strict Path Validation:** Implemented robust Path Traversal protection in `SemanticStore` using path canonicalization.
10
+
-**SQL Injection Defenses:** Eliminated all string-formatted SQL queries in `EpisodicStore`, moving to a mandatory parameterized template pattern.
11
+
-**Constant-Time Comparisons:** Fixed API key timing attack vulnerability in the gateway (Sentinel security patch).
12
+
13
+
### ⚡ Performance & Stability
14
+
-**Path Validation Caching:** Added `lru_cache` to file ID validation, restoring hybrid search throughput from 250 ops/s to **690+ ops/s**.
15
+
-**Concurrent SQLite Optimization:** Resolved "database is locked" errors by switching to `BEGIN IMMEDIATE` transactions and implementing exponential backoff retries.
16
+
-**Bolt N+1 Fix:** Optimized grounding link retrieval by batching metadata fetches.
17
+
18
+
### 🧪 Infrastructure & Quality
19
+
-**Minimal CI Pipeline:** Introduced a new GitHub Actions workflow with integrated security scanning (Bandit, Safety, Pip-audit) and linting (Ruff, Black, MyPy).
20
+
-**Automated Audit Tracking:** Established a procedural standard for resolving audit-identified issues with mandatory regression testing.
21
+
22
+
### 🎮 UX & Integration
23
+
-**A11y Support:** Added accessibility information to the VS Code extension status bar for better screen reader compatibility.
24
+
25
+
## What's Changed
26
+
- feat: add minimal CI pipeline with security scanning by @sl4m3 in [#50](https://github.com/sl4m3/ledgermind/pull/50)
27
+
- security: critical fixes for SQLi, Path Traversal, and Race Conditions by @sl4m3 in [#52](https://github.com/sl4m3/ledgermind/pull/52)
28
+
- perf: restore peak search throughput with lru_cache validation by @sl4m3 in [#55](https://github.com/sl4m3/ledgermind/pull/55)
29
+
- fix(core): resolve SQLite concurrency deadlocks by @sl4m3 in [#58](https://github.com/sl4m3/ledgermind/pull/58)
0 commit comments