ruvector/deny.toml
rUv e2439ff62f
feat(timesfm): TimesFM 1.0 200M decoder-only inference port to candle (#603)
* feat(timesfm): TimesFM 1.0 200M decoder-only inference port to candle

Native Rust/candle port of google-research/timesfm (pytorch_patched_decoder.py)
for temporal embeddings + zero-shot forecasting inside RuVector. Behind an opt-in
`candle` feature (default = [], cpu-fallback pattern like ruvector-hailo); no
lockfile churn (candle 0.9.2 already pinned by ruvllm).

- config.rs: TimesfmConfig (1280 dim, 20 layers, 16 heads, 80 head_dim, patch 32/128)
- model.rs: ResidualBlock patch embedding, sinusoidal pos-emb (no RoPE), 20x decoder
  (fused qkv, learnable per-head-dim softplus scaling, causal+padding mask), RevIN
  instance norm, forward [B,N,128,10] + autoregressive decode to arbitrary horizon
- scripts/convert_weights.py: HF safetensors → VarBuilder key remap (--dry-run)
- 12 tests (shape + RevIN numerical regression); clippy -D warnings clean

Adversarial review caught + fixed a real RevIN bug (masked_mean_std did a global
mean/std instead of the reference's first-qualifying-patch selection) + added
regression tests. Honest scope: dimensionally + structurally faithful, but real
numerical weight-parity vs the published safetensors is NOT yet verified (tests
run on dummy weights). Open low-impact faithfulness deviations documented in code.

Co-Authored-By: claude-flow <ruv@ruv.net>

* style(timesfm): rustfmt the crate (format the RevIN-fix edits) — green the Rustfmt gate for this crate

Our crate is now fmt-clean + clippy-clean; the remaining workspace-wide fmt
diffs are pre-existing in other crates, out of scope for this PR.

Co-Authored-By: claude-flow <ruv@ruv.net>

* feat(timesfm): weight-parity validated against official PyTorch reference

Drives the candle TimesFM 1.0 200M port from "compiles on dummy weights" to
a real numerical PASS against google/timesfm-1.0-200m.

Measured (f32 CPU, deterministic 512-pt series, horizon 128):
  max-abs-diff = 8.58e-6   MAE = 3.25e-6   rel-error = 5.83e-7
(target was <1e-2; we hit the f32 accumulation floor ~1e-5.)

Bridge: the real torch_model.ckpt state_dict (253 keys) maps 1:1 through
scripts/convert_weights.py with zero unmapped/missing keys.

Bug found + fixed (src/model.rs build_mask): the attention mask used
f32::NEG_INFINITY for masked positions. With real 0/1 paddings the padding
term `padding * -inf` computes `0 * -inf = NaN`, poisoning the whole mask
so softmax emitted NaN for every row (every forecast value was NaN). The
old `nan_to_zero` guard silently failed (where_cond dtype mismatch -> fallback
`NaN * 1 = NaN`). Replaced with the reference's large *finite* negative
(-0.7 * f32::MAX) and element-wise `minimum` merge, exactly matching
convert_paddings_to_mask + causal_mask + merge_masks. No NaN, exact parity.

Added:
  - examples/parity.rs       end-to-end parity runner with metrics + verdict
  - tests/parity.rs          gated integration test (skips cleanly w/o the
                             814MB artifacts; never fabricates a pass)
  - scripts/gen_reference.py reference forecast generator (official decoder)

Co-Authored-By: claude-flow <ruv@ruv.net>

* bench(timesfm): forward-only latency bench — 45ms/forecast (200M, ctx512/h128, warm CPU); parity validated 8.58e-6

* feat(timesfm): predictive-pruning module for Darwin (ADR-191 §2)

Add crates/timesfm/src/prune.rs: forecast an optimization curve's plateau
from its first K points with TimesFM and decide PRUNE vs CONTINUE against a
viability threshold (lower=better, like exploitability). Decoupled — operates
on a generic Vec<f32>, no cross-repo poker-darwin dep.

- decide_prune(): forecast tail to target horizon, plateau = mean of last
  horizon/4 steps; PRUNE iff plateau > threshold. Guards: non-finite forecast
  => CONTINUE conf 0 (never kill on a broken forecast); already-viable
  (best_so_far <= threshold) => CONTINUE. Scale-invariant confidence.
- examples/predictive_prune.rs + tests/prune.rs: two synthetic curves with
  REAL weights — doomed (floor 0.20) => PRUNE (forecast plateau 1.98, conf
  0.72); healthy (already below 0.05) => CONTINUE. Both decisions correct.
  Skips cleanly when weights absent (no fabricated pass).
- Honest calibration note: TimesFM mean-reverts upward on short synthetic
  decays so absolute plateau is biased high; decision rides the robust
  relative-ordering + already-viable signals, not absolute calibration.
- Doc-comment shows how poker-darwin calls this on its champion curve.

Tests: 12 shape + parity + prune = 14/14 green (candle); light build green.

Co-Authored-By: claude-flow <ruv@ruv.net>

* test(timesfm): bench24 harness for GCP 24-case deployment test (ADR-191 Phase B)

24 distinct forecast cases (varied period/trend/amp/noise/freq_id; ctx=512,
horizon=128) on real weights. Per-case latency + finiteness assert, aggregate
mean/p50/p95/p99, throughput, peak RSS, machine-readable JSON line. Non-finite
output is a hard FAIL (exit 1), never a silent pass.

Local baseline (ruvultra, 32-thread CPU): 24/24 finite, mean 42.5ms p95 44.2ms,
throughput 23.5 fps, peak RSS 1.55GB.

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(ci) + feat(timesfm): README, publish=true, research-nightly shard, rustfmt

CI fixes:
  - timesfm added to research-nightly shard (-p timesfm)
  - timesfm excluded from core-and-rest shard (--exclude timesfm)
  - cargo fmt -p timesfm: model.rs + 4 example files formatted
  - cargo fmt -p ruvector-graph: typed_graph_bench.rs + 4 src files
    (pre-existing rustfmt failure blocking the PR)

crates/timesfm/README.md (new):
  - Architecture diagram (ResidualBlock → 20× decoder → RevIN → output)
  - Feature flags table (candle/cuda/metal/hub)
  - Quick-start: inference + weight loading workflow
  - Known limitations section (weight parity, MLP mask, pos-emb shift)
  - References (ICML 2024 paper, HuggingFace model card)

crates/timesfm/Cargo.toml:
  - publish = true (was false)
  - readme = "README.md"

Co-Authored-By: claude-flow <ruv@ruv.net>

* chore: cargo fmt ruvector-proof-gate (pre-existing rustfmt CI blocker)

Co-Authored-By: claude-flow <ruv@ruv.net>

* chore: cargo fmt temporal-coherence + tiny-dancer-core (pre-existing)

Co-Authored-By: claude-flow <ruv@ruv.net>

* chore: cargo fmt tiny-dancer-node + ruvllm openmythos (pre-existing)

Co-Authored-By: claude-flow <ruv@ruv.net>

* chore: cargo fmt rvf-runtime/store.rs (pre-existing)

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(ci): timesfm tests run with --features candle in research-nightly

The research-nightly shard was running timesfm without --features candle,
causing a compile error (all model code is behind the feature gate).

Fix: remove timesfm from the shared nextest run; add a dedicated step
that runs only timesfm tests with --features candle.

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(ruvllm): remove broken private-item doc link (DepthLora)

Code Quality CI was failing: public doc in mod.rs linked to private
recurrent::DepthLora. Replace with plain backtick name.

Pre-existing issue surfaced by rustfmt touching the file.

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(ruvllm): fix all private-item rustdoc links in openmythos/mod.rs

Three doc comments linked to private items (LtiInjection, RecurrentBlock,
DepthLora) in the recurrent module. rustdoc's -D warnings caught them.
Replaced with plain-text names. Pre-existing, surfaced by rustfmt touching
the file.

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(ruvllm): fix private attention module doc link

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(timesfm): gate bench/bench24 examples behind candle feature

The bench and bench24 examples import candle_core/candle_nn/timesfm::model
unconditionally, breaking Clippy and stock workspace builds that run without
--features candle. Add [[example]] required-features = ["candle"] so they are
skipped when the feature is off, matching parity/predictive_prune which already
self-gate via #[cfg(feature = "candle")].

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(maxsim): add ruvector-maxsim to workspace + make clippy-clean

The research-nightly CI shard referenced -p ruvector-maxsim (added 578400d1d,
2026-06-21) but the crate was never a workspace member, so the shard aborted
with 'package ID ruvector-maxsim did not match any packages' before reaching
the timesfm candle test step in the same shard. Add the crate to workspace
members so the shard resolves and timesfm tests actually run.

The crate's self-imposed #![warn(missing_docs)] plus an unused param and a dead
ground_truth() helper would otherwise fail the workspace 'Clippy (deny warnings)'
job once it's a member, so: document the public error/types fields, underscore
the unused gen_corpus dims param, and drop the dead ground_truth() (main builds
ground truth inline). cargo clippy -p ruvector-maxsim --all-targets -- -D warnings
is clean; 19 tests pass.

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(clippy): clear pre-existing workspace clippy + fmt debt under -D warnings

The timesfm candle compile error was masking the rest of the workspace from
'Clippy (deny warnings)' (cargo clippy --workspace --all-targets -- -D warnings);
once timesfm/maxsim compile, these pre-existing lints (also red on main) surface.
All trivial, no behavior change:

- proof-gate: needless &seq.to_le_bytes() borrows (hash bytes identical via
  AsRef), allow items_after_test_module, allow dead queries field in example
- photonlayer-wasm: swap approx-PI 3.14 test literal for 2.5 (arbitrary fill)
- coherence-hnsw / gnn example: allow(needless_range_loop) where index is reused
- gnn / hnsw-repair: allow(too_many_arguments) on bench fns; sort_by->sort_by_key;
  &mut Vec -> &mut [_]
- graph bench: drop black_box around unit validate_node().unwrap()
- sota-bench: drop unused imports, .max().min()->.clamp(), remove redundant parens
- maxsim: rustfmt + Cargo.lock sync (now a workspace member)

cargo clippy --workspace --all-targets --no-deps -- -D warnings: clean (exit 0)
cargo fmt --all -- --check: clean (exit 0)

Co-Authored-By: claude-flow <ruv@ruv.net>

* fix(deny): ignore RUSTSEC-2026-0186 (memmap2 unsound, transitive)

cargo-deny's advisories check fails on RUSTSEC-2026-0186 — an 'unsound'
(not exploitable) Unchecked-pointer-offset advisory against memmap2 0.9.x,
pulled transitively via safetensors/candle mmap loading and other crates.
No fixed 0.9 release exists yet and we don't pass attacker-controlled offsets
to memmap2. Add it to the justified ignore list (re-review 2026-08-01),
matching the existing deny.toml pattern. 'cargo deny check advisories' is now
clean locally.

Co-Authored-By: claude-flow <ruv@ruv.net>

---------

Co-authored-by: ruvnet <ruvnet@gmail.com>
2026-06-25 13:52:42 -04:00

227 lines
11 KiB
TOML

# cargo-deny configuration — supply-chain policy for the ruvector
# workspace. See the supply-chain CI workflow (`.github/workflows/
# supply-chain.yml`) for how this gets enforced on every PR + on a
# weekly scheduled scan.
#
# Run locally:
# cargo install --locked cargo-deny
# cargo deny check
#
# Four sub-checks run: advisories, bans, licenses, sources.
# Each fails the run independently; together they form the crate-graph
# half of our supply-chain defence (npm side is in the same workflow).
[graph]
# Sensible target set so we don't pull in checks for triples we never
# build day-to-day. wasm32-unknown-unknown is gated per-crate by the
# `wasm` features and gets its own checks in the wasm CI jobs.
targets = [
{ triple = "x86_64-unknown-linux-gnu" },
{ triple = "aarch64-unknown-linux-gnu" },
{ triple = "x86_64-apple-darwin" },
{ triple = "aarch64-apple-darwin" },
]
# ─────────────────────────────────────────────────────────────────────
# 1) advisories — RustSec DB scan
# ─────────────────────────────────────────────────────────────────────
[advisories]
db-urls = ["https://github.com/RustSec/advisory-db"]
version = 2
# Surface yanked crates as warnings. Promote to `deny` once we've
# migrated off whichever transitive holds the yanked version.
yanked = "warn"
# Whitelist specific RUSTSEC IDs with justification + re-review date.
# Every entry MUST carry a justification and an explicit re-review
# date — we revisit on each minor release at minimum. Dependabot will
# auto-resolve most of these as upstreams publish fixes; this list is
# meant to shrink over time.
ignore = [
# ── Real vulnerabilities (need active migration path) ────────────
# rsa 0.9.x — Marvin Attack timing sidechannel (RUSTSEC-2023-0071).
# No patched version exists; the RustCrypto/RSA team is rewriting
# to constant-time. Used by `ruvector-kalshi` for Kalshi exchange
# API signing (RSA-PSS-SHA256, mandated by the exchange). Mitigation
# per the advisory: "local use on a non-compromised computer is
# fine" — we sign locally and an attacker would need to observe
# sub-ms timing across many requests through the network response
# timing to recover the key. Risk is acceptable for trading-bot
# use; re-review on 2026-08-01 or when `rsa 0.10` ships with the
# constant-time fix (track: https://github.com/RustCrypto/RSA/issues/626).
"RUSTSEC-2023-0071",
# ── Unsoundness (no exploit path in our usage) ───────────────────
# rand 0.8.5 — unsound only when paired with a *custom logger* that
# logs during random number generation (RUSTSEC-2026-0097). We use
# `tracing` and never log inside RNG draws; the unsound condition
# cannot be triggered. Re-review on `rand 0.9` adoption across the
# workspace.
"RUSTSEC-2026-0097",
# imageproc 0.25.0 — three unsoundness advisories around image
# sampling / bounds checks. Pulled transitively via the scipix
# examples crate, never reached by the publish artifacts of any
# crates.io-published member. Unsound != exploitable here: inputs
# are caller-controlled image buffers in offline experiments.
# Re-review on 2026-08-01 or when imageproc publishes 0.26 with
# the fixes.
"RUSTSEC-2026-0115",
"RUSTSEC-2026-0116",
"RUSTSEC-2026-0117",
# ── Unmaintained transitive deps (informational, no CVE) ─────────
# proc-macro-error 1.x — unmaintained, transitively required by
# several proc-macro deps (clap-derive ecosystem). 2.x is API
# incompatible. Dependabot tracking. Re-review on 2026-07-01.
"RUSTSEC-2024-0370",
# proc-macro-error2 — the (also now unmaintained) fork of the above,
# pulled transitively via validator_derive -> validator (ruvector-scipix
# example). Same crate family as RUSTSEC-2024-0370, no maintained
# successor yet. Informational. Re-review on 2026-07-01.
"RUSTSEC-2026-0173",
# number_prefix — unmaintained, used transitively by indicatif. No
# known successor; indicatif itself is still maintained. Informational.
"RUSTSEC-2025-0119",
# paste 1.0.x — archived upstream 2024-10. Pulled transitively via
# nalgebra/simba and several proc-macro deps. No vulnerability,
# just informational. Re-review on 2026-08-01.
"RUSTSEC-2024-0436",
# bincode 1.x — unmaintained, 2.x is API-incompatible. Multiple
# call sites across rvf + serialization layers; migration queued.
# Re-review on 2026-07-01.
"RUSTSEC-2025-0141",
# instant 0.1.x — unmaintained. Transitive via async-std / wasm
# adapters. Replacement is `web-time` but several transitives still
# pin instant directly. Re-review on 2026-07-15.
"RUSTSEC-2024-0384",
# rand_os 0.x — unmaintained, replaced by getrandom. Transitive via
# legacy rand internals; modern paths use getrandom directly.
"RUSTSEC-2021-0140",
# core2 0.4.0 — yanked, but pulled transitively via the rav1e/
# image/imageproc chain (offline-only scipix examples crate).
# Re-review when imageproc bumps off ravif 0.13.
"RUSTSEC-2025-0124",
# rustls-pemfile 1.x — unmaintained, replaced by rustls-pki-types'
# builtin PEM parser. Transitive via reqwest / tokio-tungstenite.
# Migration is a transitive bump; Dependabot tracking.
"RUSTSEC-2025-0134",
# rusttype 0.9 — unmaintained (RUSTSEC-2026-0105). Used by
# imageproc's text-rendering path which we don't exercise (scipix
# offline experiments only). No safe upgrade available. Re-review
# 2026-08-01.
"RUSTSEC-2026-0105",
# memmap2 0.9.x — unsound `Unchecked pointer offset` API (RUSTSEC-2026-0186,
# "unsound", not an exploitable vuln). Transitive via safetensors/candle
# mmap loading and other crates; no fixed release on the 0.9 line yet.
# We don't pass attacker-controlled offsets to memmap2. Re-review 2026-08-01.
"RUSTSEC-2026-0186",
]
# ─────────────────────────────────────────────────────────────────────
# 2) bans — explicit crate-name allow/block list
# ─────────────────────────────────────────────────────────────────────
[bans]
# 136-member workspace pulls both Tokio and async-std families,
# producing legitimate version skew (e.g. nalgebra 0.32 vs 0.33 across
# linear-algebra crates). Track for cleanup but `warn`, not `deny`.
multiple-versions = "warn"
# Refuse `version = "*"` for crates.io deps in any of our Cargo.tomls
# — that's how typosquatting + accidental floats land malicious
# versions. Demoted to `warn` for now because several internal/path
# wildcards exist in the mcp-brain + consciousness experiment crates
# (those use `workspace = "*"` for path-only deps which cargo-deny
# can't always distinguish from registry wildcards). Tracked for
# tightening to `deny` once those are migrated to explicit version
# constraints. Re-review on 2026-08-01.
wildcards = "warn"
# Highlight transitively-pulled-in deep deps so reviewers can audit
# tree growth without explicit blessing.
highlight = "all"
# Concretely forbidden crates — empty for now. Use this slot to
# quickly block a compromised package mid-flight without editing the
# workflow.
deny = []
# Allow internal workspace path deps to use `version = "*"` until the
# tighten-up pass lands. Listed crates have been audited as path-only.
allow-wildcard-paths = true
# ─────────────────────────────────────────────────────────────────────
# 3) licenses — what we'll allow in the graph
# ─────────────────────────────────────────────────────────────────────
[licenses]
version = 2
# Matches `actions/dependency-review-action`'s allow-list in the
# supply-chain workflow so the two checks agree.
#
# Additions vs sublinear-time-solver's allowlist:
# * BSL-1.0 — Boost Software License (xxhash-rust transitive
# via rvf-wire → mcp-brain-server + benchmarks)
# * CDLA-Permissive-2.0 — used by tch-rs / onnxruntime style deps
# * NCSA — University of Illinois/NCSA Open Source
# License (LLVM family deps)
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-DFS-2016",
"Unicode-3.0",
"MPL-2.0",
"Zlib",
"CC0-1.0",
"BSL-1.0",
"CDLA-Permissive-2.0",
"NCSA",
]
confidence-threshold = 0.8
exceptions = []
# Workspace-internal crates without `license = "..."` set are research
# / examples crates with `publish = false`. Ignore them rather than
# failing the run — they're never shipped to crates.io. If one is ever
# flipped to `publish = true`, the publish flow's `cargo publish` step
# will refuse it without an explicit license, so this is safe.
private = { ignore = true }
# ─────────────────────────────────────────────────────────────────────
# 4) sources — which registries / git remotes the graph can pull from
# ─────────────────────────────────────────────────────────────────────
[sources]
# Default: only the official crates.io registry. Anything else (private
# mirror, git dep) must be explicitly allowed.
unknown-registry = "deny"
# `warn` instead of `deny` for ruvector because the workspace pulls
# several legitimate git deps (vendored hailo bindings, in-flight
# upstream fixes pinned to commits). Promote to `deny` once those
# have crates.io releases. Each unknown-git appearance shows up in
# the CI log so reviewers can challenge it on a per-PR basis.
unknown-git = "warn"
# Allow-list for git remotes — populated on demand. If a future PR
# needs a git dep, this is where the reviewer adds it with a
# justification comment.
allow-git = []
allow-registry = ["https://github.com/rust-lang/crates.io-index"]