Changelog#

Added feature

• v0.1.7 Security Hardening: Completed a comprehensive 28-point security audit and remediation sweep, making the VEX Protocol production-ready for multi-tenant environments.
• Blue Agent Reflection: Introduced a dynamic "Reflection" phase for Blue agents. Agents now reconsider their stance based on debate arguments instead of having a hardcoded bias toward agreement.
• Fast API Key Verification: Eliminated potential DoS vectors by implementing O(1) jump-lookups for API keys using UUID prefixes, ensuring verification remains instant regardless of user count.
• Fortified Nonce Caching: Replaced manual tracking with a robust, TTL-based moka cache to prevent replay attacks while maintaining strictly bounded memory usage.
• Isolated Multi-Tenancy: Hardened tenant isolation across the entire stack—from LLM cache keys to job queue retrieval—ensuring zero data leakage between different users.
• SSRF & Infrastructure Shielding: Added active protection against internal network probing by blocking loopback and localhost connections in LLM and MCP providers.
• Bounded Vector Storage: Implemented mandatory capacity limits (100k entries) on in-memory vector stores to prevent memory exhaustion attacks.

Changed breaking

• JWT Protection Protocol: Restricted supported JWT algorithms strictly to HS256 to prevent algorithm confusion attacks.
• Worker Robustness: Refactored the job processor loop to handle malformed payloads gracefully, ensuring worker threads stay alive while bad jobs are moved to DeadLetter.
• Consensus Engine Safety: Added zero-vote guards to all consensus calculations to eliminate division-by-zero risks in confidence reporting.

Fixed fix

• Anti-Injection Refinement: Flattened greedy regex patterns in the input sanitizer to eliminate ReDoS vulnerabilities.
• Git Anchor Sanitization: Added strict filtering for branch names in the Git backend to prevent command manipulation.
• Clippy & Workspace Cleanup: Resolved all remaining lints and unused imports, achieving a perfectly clean build across all 13 workspace crates.

Added feature

• v0.1.6 Ecosystem Synchronization: Bumped all 13 workspace crates to v0.1.6 to recover from the partial v0.1.5 release and ensure consistent versioning across the registry.

Changed breaking

• LlmProvider Migration: Removed legacy LlmBackend references in vex-runtime and integration tests in favor of the unified LlmProvider trait.
• Workflow Renaming: Renamed vex-cli to vex-protocol-cli in release.yml and Cargo.toml to resolve the registration conflict on crates.io.

Fixed fix

• CI/CD Stabilization: Resolved hidden compilation errors in vex-algoswitch and vex-router benchmarks, examples, and tests discovered by the --all-targets CI flag.
• WSL Green Build: Verified 100% build compatibility and test pass rates in WSL 2 for all targets and features.
• AppState Signature: Fixed signature mismatch in vex-api integration tests by correctly initializing the optional Router arc.
• Lint Stabilization: Refactored vex-router gateway with argument structs to resolve Clippy too_many_arguments and redundant_closure errors.
• Workspace Cleanup: Removed redundant imports and applied global cargo fmt for a perfectly organized codebase.
• Benchmark Registry: Fixed incorrect crate names and missing dev-dependencies (criterion) in benchmark configurations.

Added feature

• Blockchain Anchoring backends: Integrated real blockchain providers including Ethereum (EIP-4844 calldata), Celestia (Blobstream), and OpenTimestamps for cryptographic proof of the audit log.
• Persistent VectorStore: Replaced in-memory stub with a full SQLite-backed embedding store in vex-persist. Added semantic similarity search (cosine similarity) wired into vex-temporal for context-aware compression.
• Real WebSocket MCP Client: Implemented a functional JSON-RPC over WebSocket client in vex-llm with TLS support and async request/response matching.
• Job Result Retrieval: Added GET /api/v1/jobs/{job_id} endpoint to retrieve persistent execution results from the queue store.
• WSL Build & Test Suite: Verified the entire workspace builds and passes 550+ tests in Windows Subsystem for Linux (WSL) for cross-platform reliability.
• Structured Debate Voting: Red agent now returns structured JSON (is_challenge, confidence, reasoning, suggested_revision) instead of keyword heuristics. Falls back to keyword detection gracefully.
• LLM Safety Judge: sanitize_prompt_async optionally calls an LLM to perform secondary safety evaluation before any prompt reaches an agent (use_safety_judge: true in SanitizeConfig::prompt()).
• Regex-Based Injection Detection: Replaced contains() loop with a compiled OnceLock<Regex> covering 30+ injection patterns including 2025-aware adaptive attacks.
• Audit Types to vex-core: AuditEvent, AuditEventType, ActorType, HashParams, Signature moved from vex-persist to vex-core/src/audit.rs for better separation of concerns. Re-exported at crate root.
• Actor Attribution in Audit Log: AuditStore::log() now accepts ActorType and pseudonymizes Human actors with SHA-256 (ISO 42001 A.6.2.8 compliance).
• Ed25519 Signatures: Signature::create() / Signature::verify() backed by real ed25519-dalek keys for multi-party audit authorization.
• Intelligent LLM Routing (vex-router): Integrated a smart routing layer with cost/latency/quality optimization.
  • Adversarial Role Detection: Automatically upgrades query quality if system prompts contain "shadow", "adversarial", or "red agent".
  • Routing Observability: Comprehensive metrics for cost savings and precision reporting via GET /api/v1/routing/stats.
• AlgoSwitch Optimization (vex-algoswitch): New optimization crate for dynamic runtime algorithm selection.
  • Self-Optimizing Merkle Search: Conditionally switches between recursive and iterative traversal based on data density.
  • Optimized Audit Hashing: Adaptive hashing for non-critical event trails to maximize throughput while maintaining ISO 42001 compliance.
• CLI Tenant Discovery: vex verify now queries SQLite directly (SELECT DISTINCT tenant_id) to auto-discover all tenants.

Changed breaking

• Blue Agent Confidence: Debate vote now uses blue_agent.fitness.max(0.5) — reports actual evolved fitness rather than a hardcoded 0.8.
• AppState: Now holds Arc<dyn LlmProvider> to share LLM access with the sanitizer safety judge.
• sanitize_prompt renamed: Sync variant kept as sanitize_prompt, async variant is sanitize_prompt_async<L: LlmProvider>.

Fixed fix

• Removed erroneous mount = "0.4" (Iron web framework) dependency from vex-llm.
• Fixed gen_audit_cli.rs import path after audit types moved to vex-core.

Added feature

• Tenant-Scoped Rate Limiting: Per-tenant limits using the governor crate (GCRA algorithm).
  • TenantRateLimiter with configurable tiers (Free, Standard, Pro, Unlimited).
  • JWT-based tenant identification with fallback to x-client-id header.
• A2A Protocol Integration: Full Agent-to-Agent communication suite.
  • Endpoints: /.well-known/agent.json, /a2a/tasks, /a2a/tasks/{id}.
  • Standardized agent capability advertising via agent cards.
  • NonceCache hardening: Partial eviction (10%) at 20k entries to prevent memory reset attacks.
• LLM Resilience & Caching: Production-grade response optimization.
  • Circuit Breaker pattern for provider failover.
  • CachedProvider for response memoization using moka.
• OpenAPI Documentation: Interactive Swagger UI at /swagger-ui.
  • Full utoipa integration for all API schemas.
• HTTPS Enforcement: Production security requirement with native tokio-rustls.
• Parallel Evolution: Performance optimization for genome processing via rayon.
• Property-Based Testing: Added proptest for cryptographic primitives verification.
• Crates.io Readiness: All 11 crates now have complete metadata (keywords, categories, READMEs).

Changed breaking

• BREAKING: Replaced global RateLimiter with TenantRateLimiter.
• BREAKING: Unified API router signature and updated axum to 0.8.
• Improved Observability: Injected request_id and tenant_id into all telemetry spans.
• Workspace Standardization: All internal crate dependencies now use workspace = true.

Security security

• Input Sanitization: Expanded jailbreak patterns for 2025 adaptive attacks (stylistic proxies, audit chain bypass attempts).
• A2A Replay Protection: Hardened nonce cache with partial eviction to prevent OOM-based replay windows.
• Audit Trail Integrity: Refactored compute_hash to use structured parameters (ISO 42001 compliance).

Fixed fix

• Middleware JWT claim extraction for tenant identification.
• OpenAPI schema generation errors.
• Axum 0.8 / Hyper 1.0 compatibility issues.
• All Clippy warnings resolved (zero-warning build).

Added feature

• Merkle Anchoring: New vex-anchor crate for anchoring audit logs to external providers.
• Security Hardening: Implemented 12 critical security remediations (ISO 42001 alignment).
• Audit Persistence: Enhanced AuditStore with optimized Merkle branch retrieval.
• Verification CLI: Enhanced vex verify command for deep audit chain inspection.

Fixed fix

• Concurrent mutation bugs in the evolution engine.
• Formatting issues in CI pipelines.

Added feature

• MCP Tool Suite: Added built-in tools for JsonPath, Regex, Uuid, DateTime, and Hash.
• Evolution Schema: Introduced SQLite-backed persistence for agent genome generations.
• Orchestrator Improvements: Parallelized agent execution using tokio::spawn.

Changed breaking

• Workspace Refactor: Standardized naming conventions and error handling across all crates.
• Cleanup: Removed unused imports and optimized dependencies.

Added feature

• Initial release of the VEX Protocol.
• Core adversarial verification engine.
• Temporal memory with horizon-based decay.
• Merkle tree-based audit trails.
• JWT Authentication and SQLite persistence.
• Initial support for DeepSeek, Mistral, and OpenAI.