docs: threat model + pre-publish security hardening #70
Review Summary by Qodo: Threat model, release controls, and FastScan kernel hardening

Description:
- Add comprehensive threat model and release controls documentation
- Enforce unsafe-operation visibility in FastScan AVX-512 kernel via lint
- Add fuzzing target for FastScan b=2 compute path (previously unfuzzed)
- Document index-file provenance guarantees and validation scope

Diagram:

```mermaid
flowchart LR
A["Threat Model Analysis"] --> B["THREAT_MODEL.md"]
C["Release Pipeline Controls"] --> D["RELEASING.md"]
E["Index Provenance Docs"] --> F["docs/INDEX_PROVENANCE.md"]
G["FastScan Kernel Hardening"] --> H["unsafe_op_in_unsafe_fn lint"]
I["Fuzzing Coverage Gap"] --> J["fastscan_b2 fuzz target"]
H --> K["src/fastscan.rs"]
J --> L["fuzz/fuzz_targets/fastscan_b2.rs"]
B --> M["Security Posture"]
D --> M
F --> M
K --> M
L --> M
```
Add #![deny(unsafe_op_in_unsafe_fn)] to fastscan.rs and wrap the AVX-512 FastScan kernel's raw loads/stores and intrinsics in an explicit unsafe block. No behavior change. Keeps the kernel's unsafe surface explicit so a future refactor cannot silently lean on the fn-level unsafe. Defense-in-depth for THREAT-SIMD-001; crate-wide rollout to the other SIMD modules tracked as a follow-up. Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
RankQuantFastscan (pack_fastscan_b2 + search_asymmetric_fastscan_b2 + the scalar/AVX-512 kernel) is the one unsafe-heavy scan path the search_rankquant target does not reach. The new target drives it through the public API, crossing the 32-doc block boundary to exercise tail-padding. Closes THREAT-FUZZ-001. fuzz/Cargo.lock synced (ordered-float 4.6 to 5.3) to match the core crate's current pin; not a new dependency. Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
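An added illustration (not ordvec's code) of the pattern the two commits above describe: a raw-pointer block kernel under `#[deny(unsafe_op_in_unsafe_fn)]` with each unsafe operation in its own block, a length-checking safe wrapper, and a scalar reference check on a doc count that crosses the 32-doc block boundary so the tail padding is exercised. The 2-bit packed layout, `NSQ`, and all function names are assumptions; the lint is applied per function here rather than crate-wide as in the commit.

```rust
// Hypothetical b=2 layout (assumption): 4 two-bit codes per byte, docs grouped in
// blocks of BLOCK docs, laid out block-major then per subquantizer; tail block zero-padded.
const BLOCK: usize = 32;
const NSQ: usize = 8; // subquantizers per vector (assumption)

/// Pack codes[doc][sq] (each in 0..4) into the blocked layout; returns (bytes, nblocks).
fn pack_b2(codes: &[[u8; NSQ]]) -> (Vec<u8>, usize) {
    let nblocks = (codes.len() + BLOCK - 1) / BLOCK;
    let mut out = vec![0u8; nblocks * NSQ * (BLOCK / 4)];
    for (d, c) in codes.iter().enumerate() {
        let (b, i) = (d / BLOCK, d % BLOCK);
        for sq in 0..NSQ {
            out[(b * NSQ + sq) * (BLOCK / 4) + i / 4] |= (c[sq] & 3) << (2 * (i % 4));
        }
    }
    (out, nblocks)
}

/// Raw-pointer kernel. The lint rejects any unsafe operation that is not inside an
/// explicit `unsafe {}` block, so the fn-level `unsafe` cannot be leaned on silently.
#[deny(unsafe_op_in_unsafe_fn)]
unsafe fn scan_block_raw(packed: *const u8, lut: &[[u16; 4]; NSQ], scores: &mut [u16; BLOCK]) {
    for sq in 0..NSQ {
        for i in 0..BLOCK {
            // SAFETY: caller guarantees `packed` points to NSQ * BLOCK / 4 readable bytes.
            let byte = unsafe { *packed.add(sq * (BLOCK / 4) + i / 4) };
            let code = (byte >> (2 * (i % 4))) & 3;
            scores[i] += lut[sq][code as usize];
        }
    }
}

/// Safe wrapper: validates lengths once, then dispatches block by block.
fn search_b2(packed: &[u8], nblocks: usize, ndocs: usize, lut: &[[u16; 4]; NSQ]) -> Vec<u16> {
    assert_eq!(packed.len(), nblocks * NSQ * (BLOCK / 4));
    assert!(ndocs <= nblocks * BLOCK);
    let mut out = Vec::with_capacity(nblocks * BLOCK);
    for b in 0..nblocks {
        let mut s = [0u16; BLOCK];
        // SAFETY: length checked above; every block slice is exactly NSQ * BLOCK / 4 bytes.
        unsafe { scan_block_raw(packed.as_ptr().add(b * NSQ * (BLOCK / 4)), lut, &mut s) };
        out.extend_from_slice(&s);
    }
    out.truncate(ndocs); // discard tail-padding scores
    out
}

/// Scalar reference the kernel is checked against (the equivalence-test idea).
fn scalar_reference(codes: &[[u8; NSQ]], lut: &[[u16; 4]; NSQ]) -> Vec<u16> {
    codes.iter().map(|c| (0..NSQ).map(|sq| lut[sq][c[sq] as usize]).sum()).collect()
}
```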
THREAT_MODEL.md: verified attack-surface analysis with a library-owned vs deployment-owned split and an honest residual list; deployment poisoning kept qualitative and ordvec-specific. RELEASING.md: dispatch-only + required-reviewer + main-only + OIDC/SLSA/PEP-740 controls and the publish-hold. docs/INDEX_PROVENANCE.md: loaders validate structure, not origin. Links the threat model from SECURITY.md and broadens the welcomed-report categories. Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
19c661d to 7987931
Code Review
This pull request introduces comprehensive security documentation, including a threat model (THREAT_MODEL.md), index file provenance details (docs/INDEX_PROVENANCE.md), and release guidelines (RELEASING.md). It also hardens the AVX-512 FastScan kernel in src/fastscan.rs by enforcing #![deny(unsafe_op_in_unsafe_fn)] and wrapping unsafe operations in explicit blocks. Additionally, a new fuzz target fastscan_b2 is added to cover the FastScan compute path. The reviewer suggested moving the macro_rules! step definition outside of the for loop body in src/fastscan.rs to make the code more idiomatic and readable.
…or 78% Codecov had no config, so its default patch status fired on this PR: the unsafe_op_in_unsafe_fn wrap re-indented ~80 lines of the AVX-512 FastScan kernel, which the no-AVX-512 coverage runner never executes — a false patch signal (those kernels run under Intel SDE; see #68). Make patch informational (advisory) and pin the project status to the same 78% floor coverage.yml enforces via --fail-under-lines; real coverage gating stays in the workflow. Ignore the separate fuzz/ workspace. Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
…loop Address Gemini review: define macro_rules! step once before the inner loops instead of inside the 4-wide unroll, and reuse it in the remainder loop (removing a duplicated ~10-line intrinsic body). Pure code motion — step!(0) expands to exactly the old remainder body. No behaviour change; verified on real AVX-512 (the fastscan_b2_top10_matches_avx512_kernel equivalence test passes on a Zen5 host). Note: macro_rules expands at compile time, so the prior in-loop placement had no runtime cost — this is readability only. Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
Review polish: RELEASING.md says 'PyPI publish' (the wheel is built by maturin but published via the PyPI Trusted Publishing action, not 'maturin publish'). THREAT_MODEL.md says 'covered by cargo-fuzz targets' instead of 'continuously fuzzed', which could be misread as CI-continuous fuzzing (fuzzing is manual; THREAT-FUZZ-002 tracks a CI smoke job). Signed-off-by: Nelson Spence <nelson@projectnavi.ai>
Summary
Adds the maintained threat model and lands the tight pre-publish hardening that lets it claim a closed state rather than a wishlist.

Threat model (THREAT_MODEL.md)

Attack-surface analysis scoped to what ordvec actually is (a pure compute library — no network/auth/secrets/multi-tenancy), covering deserialization, `unsafe` SIMD, the Python FFI boundary, the supply chain, and query/resource exhaustion. Every code-level claim was verified against the tree. Clear library-owned vs deployment-owned split; corpus-poisoning kept qualitative and ordvec-specific (ordinal rank inversion, top-`n_top` overlap, RankQuant boundary) with one established reference (PoisonedRAG) — no unverifiable percentages.

Hardening landed here

- `#![deny(unsafe_op_in_unsafe_fn)]` in fastscan.rs + explicit `unsafe {}` around the AVX-512 kernel (THREAT-SIMD-001). No behaviour change.
- `fastscan_b2` fuzz target — the FastScan b=2 scan path was the one `unsafe`-heavy kernel no existing target reached (THREAT-FUZZ-001, closed).
- RELEASING.md + docs/INDEX_PROVENANCE.md; threat model linked from SECURITY.md.

Verified release posture (no code change needed)

crates.io (yank-only) + PyPI (version-burn) are immutable by construction; both release workflows already emit SLSA build provenance fail-closed + PyPI PEP 740. Release environments now require maintainer approval and are restricted to main.

Test plan

Full local gate, all green:

- `cargo fmt --all --check`
- `cargo clippy --all-targets --all-features -- -D warnings`
- `cargo test` + `--features experimental` + `--no-default-features`
- `cargo +1.89.0 build` (MSRV) · `cargo build --locked` · `RUSTFLAGS=-D warnings cargo build`
- `cargo +nightly fuzz build` (all 7 targets)

A deep multi-hour fork-mode fuzz campaign across all targets is being run separately before publish.

Open follow-ups (tracked in the threat model)

- `v*` tag-protection ruleset + a basic `main` ruleset (GitHub settings).