diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index feca8613..00000000 Binary files a/.DS_Store and /dev/null differ diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..47762116 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/CHANGELOG.md b/CHANGELOG.md index c8fc9be5..169a3ffb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,22 @@ # Changelog +## v0.12.0 — 2026-06-03 + +**Project renamed Reflex → Tether.** The package, CLI, and import surface have been renamed; a backwards-compat shim keeps the old names working through v0.13.x. + +### Package rename + +- **PyPI distribution is now `fastcrest-tether`.** Install with `pip install fastcrest-tether`. The old `reflex-vla` distribution is no longer updated. +- **CLI command is now `tether`** (`tether serve`, `tether export`, `tether doctor`, etc.). +- **Python import package is now `tether`** (`from tether import ...`). +- **`TETHER_*` environment variables** are the canonical names going forward (e.g. `TETHER_NO_TELEMETRY`, `TETHER_PRO_LICENSE`). `REFLEX_*` names still mirror to `TETHER_*` for now. + +### Backwards compatibility shim (through v0.13.x, removed in v0.14.0) + +- The `reflex` Python package remains importable and re-exports the full `tether` namespace. A `DeprecationWarning` is emitted on first use. +- The `reflex` CLI entry point continues to work and delegates to `tether`. A deprecation notice prints on each invocation. +- Shims are removed in v0.14.0. Migrate by replacing `reflex` → `tether` in imports, CLI calls, and env vars. + ## v0.11.2 — 2026-05-29 **Hardening patch for the v0.11 lift program + the formal N=100/task L3 LIBERO parity gate clears `--fast-kernels`.** v0.11.1 shipped the FluxVLA lift program (fast-kernels, inference-only weights, ZMQ transport, two new families, `reflex connect`). This patch lands the post-tag hardening of those paths — a refactored monolithic serve/bench path with first-class external-data ONNX, `reflex connect`'s missing core dependency, and clean stderr/stdout separation — and records the formal N=100/task L3 parity verdict that keeps the opt-in `--fast-kernels` Triton runtime on. It also resets the version string to lockstep after a `__version__`/`pyproject` drift in v0.11.1. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..48407be0 --- /dev/null 
+++ b/SECURITY.md @@ -0,0 +1,33 @@ +# Security Policy + +## Reporting a Vulnerability + +**Do not open a public issue for security vulnerabilities.** + +Email **hello@fastcrest.com** with: + +- A description of the vulnerability and its potential impact +- Steps to reproduce or proof-of-concept (as detailed as possible) +- Any suggested fix, if you have one + +You will receive an acknowledgement within 48 hours and a status update within 7 days. If the issue is confirmed, we will coordinate a fix and disclosure timeline with you before publishing anything publicly. + +## Supported Versions + +Security fixes are applied to the **latest minor release** only. We do not backport fixes to older minor versions. + +| Version | Supported | +|---------|-----------| +| latest minor | yes | +| older minors | no | + +## Scope + +Tether serves robot-control endpoints over the network. Issues in the following areas are taken seriously and should be reported promptly: + +- **Network-exposed API endpoints** (`tether serve` HTTP/ZMQ surfaces) — authentication bypass, SSRF, injection, denial of service +- **Model / checkpoint loading** — path traversal, arbitrary code execution via crafted model files +- **License and telemetry workers** — data leakage, auth bypass +- **Dependency vulnerabilities** that affect the runtime serve path + +Issues limited to local-only attack surfaces (e.g. a user who already has shell access to the serve host) are lower priority but still welcome.
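Review bot: the `.DS_Store` deletion in the first hunk is not paired with a `.gitignore` entry anywhere in this patch, so the file will be recommitted by the next macOS checkout. Add `.DS_Store` to `.gitignore` in the same change (or a global gitignore note in CONTRIBUTING) so the cleanup sticks.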
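Review bot: the new `.github/dependabot.yml` only configures version updates; Dependabot security updates (the ones that respond to advisories rather than the weekly schedule) are enabled separately in the repository settings and should be switched on alongside this file. Two smaller points on the same hunk: the `pip` entry with `directory: "/"` only tracks manifests at the repo root, so any requirements files kept in subdirectories are not covered, and with both ecosystems on a weekly cadence and no `open-pull-requests-limit` or `groups` setting, expect a steady stream of individual PRs; grouping minor/patch bumps keeps the noise down without losing the security bumps.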
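Review bot: the CHANGELOG line "`REFLEX_*` names still mirror to `TETHER_*` for now" leaves two things unstated that operators need: which name wins when both `REFLEX_*` and `TETHER_*` are set (this matters most for `TETHER_PRO_LICENSE` and `TETHER_NO_TELEMETRY`, where a stale `REFLEX_*` value silently overriding the new one would change licensing or telemetry behaviour), and whether the env-var mirroring is removed in v0.14.0 together with the Python and CLI shims listed under "Backwards compatibility shim". Suggest adding a sentence such as "`TETHER_*` takes precedence when both are set; `REFLEX_*` mirroring is removed in v0.14.0 with the other shims" and, for the shim section, whether the `reflex` CLI deprecation notice goes to stderr (the v0.11.2 entry stresses clean stderr/stdout separation, so a notice on stdout would regress that).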
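Review bot: the reporting channel in SECURITY.md is a general-purpose `hello@fastcrest.com` mailbox with no encryption key or fingerprint, yet the same section asks reporters to send proof-of-concept details "as detailed as possible"; a dedicated security address (or GitHub private vulnerability reporting, if the repo has it enabled) plus a published PGP key or an explicit "we accept encrypted reports" line would fit the rest of the policy. Two minor points on the same hunk: "latest minor release" in the Supported Versions table is clearer if tied to the current line (e.g. "`0.12.x` at the time of writing"), since readers of an older tag cannot tell which release that is; and the Scope bullet for `tether serve` lists "authentication bypass" without saying whether the HTTP/ZMQ surfaces are authenticated by default, which reporters will ask about first.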