fix: P0+P1 hotfix batch — KV-cache crash, default features, allowlist, syslog, synthesis, tiering#181
Merged
Shreyas582 merged 10 commits intomainfrom Apr 7, 2026
Merged
Conversation
…, syslog, synthesis, tiering Fixes #147: KV-cache attention mask off-by-one crashes all live inference - Remove erroneous +1 from decode-step attention_len in both run_prompt and run_prompt_cached; hoist initial_cache_len so decode loop can account for prior cache padding. Fixes #149: Default build has no inference features - Change cli/Cargo.toml default features from [] to [onnx] so cargo install produces a working --live binary out of the box. - Add compile-time bail when --live is used on a no-inference build. Fixes #151: sc/wmic missing from Windows command allowlist - Add sc, wmic, schtasks to WINDOWS_COMMAND_ALLOWLIST so priv-esc-review and scheduled-task enumeration work on Windows. Fixes #153: read_syslog dry-run defaults to README.md - Replace ./README.md fallback with platform-appropriate log path (/var/log/syslog on Linux, System.evtx on Windows). - Fix check_tool_precondition to use the same platform path. Fixes #155: Basic tier final_answer is mechanical concatenation - Rewrite basic_tier_summary_for_task to group findings by severity, add cross-reference hints, deduplicate actions, and present prioritized recommendations. Fixes #157: PARAM_BASIC_CEILING_B=2.0 too high - Lower threshold from 2.0 to 1.0 so 1B+ models (Qwen2.5-0.5B, Llama-3.2-1B) reach Moderate tier and actually use inference.
The stdin-integration job compiles the full CLI binary from scratch without any cargo caching, causing it to routinely exceed the 20-minute timeout on GitHub Actions runners. Add Swatinem/rust-cache@v2 (matching the cross-platform job) and bump timeout to 30 minutes.
… checks When the onnx feature is enabled (now the default), build_session() could hang indefinitely in two scenarios: 1. onnxruntime DLL not found: Session::builder() blocks on dynamic loader 2. Corrupt/stub model file: commit_from_file() never returns Added ensure_ort_dylib_available() to bail early when the runtime library cannot be located on PATH or via ORT_DYLIB_PATH, and validate_model_preamble() to reject files that don't start with a valid protobuf field tag before reaching the ONNX Runtime. Also fixes three clippy warnings newly exposed by the onnx default feature: - dead_code on push_warn (cfg gate narrowed) - too_many_arguments on run_prompt_shared_buffer (allow attribute) - unnecessary_to_owned on suffix.to_vec() (removed)
The live-success-e2e job used PowerShell's echo/>> operator to append the cargo bin directory to GITHUB_PATH. On PowerShell 5.1 the >> operator writes UTF-16 LE. GitHub Actions expects UTF-8 in the GITHUB_PATH file, so subsequent steps (rust-cache, cargo test) could not find cargo/rustc. Fix: use Add-Content with -Encoding UTF8 and write unconditionally so every run guarantees PATH propagation regardless of prior runner state.
…step PowerShell 5.1's Add-Content -Encoding UTF8 writes a BOM prefix that corrupts the GITHUB_PATH file. Switch to [IO.File]::AppendAllText which writes BOM-free UTF-8. Also add an explicit cargo bin PATH fallback in the test step itself so it works even if GITHUB_PATH propagation fails on the self-hosted runner.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
P0+P1 Hotfix Batch — 6 issues across v1.8.1 and v1.9.0
P0 Critical (v1.8.1 — must ship ASAP)
#147 — KV-cache attention mask off-by-one crashes all live inference
+1from decode-stepattention_lenin bothrun_promptandrun_prompt_cachedinitial_cache_lenso the decode loop accounts for prior cache paddinginference_bridge/src/onnx_vitis.rs#149 — Default build has no inference features —
--livesilently falls back to dry-runcli/Cargo.tomldefault features from[]to["onnx"]socargo installworks out of the boxbail!when--liveis used on a no-inference buildcli/Cargo.toml,cli/src/main.rsP1 Findings Quality (v1.9.0)
#151 —
scandwmicmissing from Windows command allowlistsc,wmic,schtaskstoWINDOWS_COMMAND_ALLOWLISTpriv-esc-reviewand scheduled task enumeration on Windowscyber_tools/src/lib.rs#153 —
read_syslogdry-run defaults toREADME.md— produces bogus findings./README.mdfallback with platform-appropriate log paths (/var/log/syslogon Linux,System.evtxon Windows)check_tool_preconditionto use the same platform pathinference_bridge/src/lib.rs,core_engine/src/agent.rs#155 — Basic tier
final_answeris mechanical concatenation, not actionable synthesisbasic_tier_summary_for_taskto group findings by severity, add cross-reference hints, deduplicate actions, and present prioritized recommendationscore_engine/src/lib.rs#157 —
PARAM_BASIC_CEILING_B=2.0too high — all common 1B models skip LLMcore_engine/src/lib.rsTesting
Closes #147, closes #149, closes #151, closes #153, closes #155, closes #157