From d444db8ff1f4d66d3314dec0ece826a71f2ba300 Mon Sep 17 00:00:00 2001 From: RomirJ Date: Wed, 10 Jun 2026 21:59:42 -0700 Subject: [PATCH 1/2] chore: release + packaging hygiene (v0.12.0 changelog, SECURITY.md, dependabot) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - CHANGELOG.md: add v0.12.0 — 2026-06-03 entry summarising the Reflex → Tether rename; PyPI dist is fastcrest-tether; CLI/import are tether; reflex compat shim (DeprecationWarning) through v0.13.x, removed v0.14.0; REFLEX_* env vars mirror to TETHER_*. - SECURITY.md: new standard security policy — report to playindus@gmail.com (canonical contact from CONTRIBUTING.md), 48 h ack / 7-day SLA, latest minor supported, robot-control network endpoints flagged as high-priority. - .github/dependabot.yml: weekly pip + github-actions dependency updates. - .DS_Store: git rm --cached (was tracked; .gitignore already covers it). No discord-status / PyPI-stats script found anywhere in the repo — item 5 is a no-op (see PR description for details). Co-Authored-By: Claude Opus 4.7 (1M context) --- .DS_Store | Bin 6148 -> 0 bytes .github/dependabot.yml | 11 +++++++++++ CHANGELOG.md | 17 +++++++++++++++++ SECURITY.md | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 61 insertions(+) delete mode 100644 .DS_Store create mode 100644 .github/dependabot.yml create mode 100644 SECURITY.md diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index feca8613504bcd7430524202412f605a970dd548..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~JqiLr422VS3&Cbf%V|7-HyA`u-~~i21wpZ&qx41vI)z6#m+=T zbn`f`MFtU>!%bynVPcAXCwIBY>3lz3j@RpDteEA>YT$!Ro{xoGkN^pg011!)3H%HJ zJGWu;MJOW)kN^pc1nmD%;HEXTh5D}p!AAgSkF*=sK1)E0C7?C6g(3sfXoW_r`WRw) zZ-`o{NKSp&Hs}YZb^Uy{)~Y3 z+x>QfkIJ+4?ei>u$gHg!9O~r=FP8vp>?mHs-SE8F0$NjBC^9f!1RMhc34E2n6Mwc5 Aa{vGU diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..47762116 
--- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "pip" + directory: "/" + schedule: + interval: "weekly" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/CHANGELOG.md b/CHANGELOG.md index c8fc9be5..9dedd80a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,22 @@ # Changelog +## v0.12.0 — 2026-06-03 + +**Project renamed Reflex → Tether.** The package, CLI, and import surface have been renamed; a backwards-compat shim keeps the old names working through v0.13.x. + +### Package rename + +- **PyPI distribution is now `fastcrest-tether`.** Install with `pip install fastcrest-tether`. The old `reflex-vla` distribution is no longer updated. +- **CLI command is now `tether`** (`tether serve`, `tether export`, `tether doctor`, etc.). +- **Python import package is now `tether`** (`from tether import ...`). +- **`TETHER_*` environment variables** are the canonical names going forward (e.g. `TETHER_LICENSE_KEY`). `REFLEX_*` names still mirror to `TETHER_*` for now. + +### Backwards compatibility shim (through v0.13.x, removed in v0.14.0) + +- The `reflex` Python package remains importable and re-exports the full `tether` namespace. A `DeprecationWarning` is emitted on first use. +- The `reflex` CLI entry point continues to work and delegates to `tether`. A deprecation notice prints on each invocation. +- Shims are removed in v0.14.0. Migrate by replacing `reflex` → `tether` in imports, CLI calls, and env vars. + ## v0.11.2 — 2026-05-29 **Hardening patch for the v0.11 lift program + the formal N=100/task L3 LIBERO parity gate clears `--fast-kernels`.** v0.11.1 shipped the FluxVLA lift program (fast-kernels, inference-only weights, ZMQ transport, two new families, `reflex connect`). This patch lands the post-tag hardening of those paths — a refactored monolithic serve/bench path with first-class external-data ONNX, `reflex connect`'s missing core dependency, and clean stderr/stdout separation — and records the formal N=100/task L3 parity verdict that keeps the opt-in `--fast-kernels` Triton runtime on. It also resets the version string to lockstep after a `__version__`/`pyproject` drift in v0.11.1. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..e3651035 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,33 @@ +# Security Policy + +## Reporting a Vulnerability + +**Do not open a public issue for security vulnerabilities.** + +Email **playindus@gmail.com** with: + +- A description of the vulnerability and its potential impact +- Steps to reproduce or proof-of-concept (as detailed as possible) +- Any suggested fix, if you have one + +You will receive an acknowledgement within 48 hours and a status update within 7 days. If the issue is confirmed, we will coordinate a fix and disclosure timeline with you before publishing anything publicly. + +## Supported Versions + +Security fixes are applied to the **latest minor release** only. We do not backport fixes to older minor versions. + +| Version | Supported | +|---------|-----------| +| latest minor | yes | +| older minors | no | + +## Scope + +Tether serves robot-control endpoints over the network. Issues in the following areas are taken seriously and should be reported promptly: + +- **Network-exposed API endpoints** (`tether serve` HTTP/ZMQ surfaces) — authentication bypass, SSRF, injection, denial of service +- **Model / checkpoint loading** — path traversal, arbitrary code execution via crafted model files +- **License and telemetry workers** — data leakage, auth bypass +- **Dependency vulnerabilities** that affect the runtime serve path + +Issues limited to local-only attack surfaces (e.g. a user who already has shell access to the serve host) are lower priority but still welcome. From 3fa2f966617bdce536d4aa03de0f976b422f653d Mon Sep 17 00:00:00 2001 
From: RomirJ Date: Wed, 10 Jun 2026 22:02:03 -0700 Subject: [PATCH 2/2] =?UTF-8?q?review:=20SECURITY=20contact=20=E2=86=92=20?= =?UTF-8?q?hello@fastcrest.com;=20real=20env=20var=20example?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use the brand contact (README's hello@fastcrest.com) in the public SECURITY.md rather than a personal gmail, and reference real env vars (TETHER_NO_TELEMETRY / TETHER_PRO_LICENSE) in the CHANGELOG instead of the nonexistent TETHER_LICENSE_KEY. Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGELOG.md | 2 +- SECURITY.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9dedd80a..169a3ffb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ - **PyPI distribution is now `fastcrest-tether`.** Install with `pip install fastcrest-tether`. The old `reflex-vla` distribution is no longer updated. - **CLI command is now `tether`** (`tether serve`, `tether export`, `tether doctor`, etc.). - **Python import package is now `tether`** (`from tether import ...`). -- **`TETHER_*` environment variables** are the canonical names going forward (e.g. `TETHER_LICENSE_KEY`). `REFLEX_*` names still mirror to `TETHER_*` for now. +- **`TETHER_*` environment variables** are the canonical names going forward (e.g. `TETHER_NO_TELEMETRY`, `TETHER_PRO_LICENSE`). `REFLEX_*` names still mirror to `TETHER_*` for now. ### Backwards compatibility shim (through v0.13.x, removed in v0.14.0) diff --git a/SECURITY.md b/SECURITY.md index e3651035..48407be0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,7 +4,7 @@ **Do not open a public issue for security vulnerabilities.** -Email **playindus@gmail.com** with: +Email **hello@fastcrest.com** with: - A description of the vulnerability and its potential impact - Steps to reproduce or proof-of-concept (as detailed as possible)
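Review bot: (patch 1/2, `.DS_Store` deletion) `git rm --cached` is the right fix, but the commit message's claim that `.gitignore` already covers it is worth verifying before merge, and worth extending to the rest of the tree: `git ls-files -ci --exclude-standard` lists every tracked file that an ignore rule would otherwise exclude, so one run shows whether `.DS_Store` was the only leak of this kind.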
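Review bot: (patch 1/2, `.github/dependabot.yml`) both entries use `directory: "/"`, which only works if the Python manifest (`pyproject.toml` or `requirements*.txt`) and the `.github/workflows/` tree resolve from the repository root; please confirm that is where they live. Weekly `pip` updates with no `open-pull-requests-limit` can produce a large batch of transitive bumps in one go, and automated version bumps are a supply-chain entry point if they get merged on the strength of a green badge alone, so pair this file with a branch-protection rule that requires review and passing CI on Dependabot PRs, and consider `open-pull-requests-limit` under each `updates` entry.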
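Review bot: (patch 1/2, `CHANGELOG.md` v0.12.0 entry) the `TETHER_*` bullet cites `TETHER_LICENSE_KEY` as its example, and patch 2/2 of this same series replaces it because no such variable exists; changelog examples should be copied from the code that reads them, not typed from memory. The shim section also never says what happens when both `REFLEX_X` and `TETHER_X` are set (which value wins, and whether the conflict is logged); during the v0.13.x window that ambiguity will bite on the license variable in particular. One line such as `- If both REFLEX_* and TETHER_* are set, TETHER_* takes precedence.` (adjusted to whatever the shim actually does) closes the gap.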
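Review bot: (patch 1/2, `SECURITY.md`) the reporting section asks for a proof-of-concept "as detailed as possible" but offers only a plaintext mailbox, and in this revision a personal Gmail address (patch 2/2 swaps in `hello@fastcrest.com`); a policy that invites PoCs should publish an encrypted channel, for example a PGP key fingerprint next to the address or a `.well-known/security.txt` that points at it, and the address should be a role mailbox that outlives any single maintainer. The Supported Versions table says "latest minor" without telling a reporter where to read it off; a parenthetical pointing at the latest `fastcrest-tether` release on PyPI would do. In the Scope section, the "Model / checkpoint loading" bullet is the right one to flag given that crafted model files can execute code on load; since the v0.11.2 entry in this same series mentions first-class external-data ONNX, naming the loaders that are in scope would help reporters aim correctly.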
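Review bot: (patch 2/2, `CHANGELOG.md`) replacing the nonexistent `TETHER_LICENSE_KEY` with `TETHER_NO_TELEMETRY` and `TETHER_PRO_LICENSE` is correct per the commit message, but the fact that the first pass shipped a made-up name argues for a guard rather than a one-off fix: a small test or doc-lint step that every `TETHER_*` identifier mentioned in `CHANGELOG.md` and the README appears in the code that reads environment variables would stop the docs drifting again, and is cheap to write against the shim that mirrors `REFLEX_*` to `TETHER_*`.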
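Review bot: (patch 2/2, `SECURITY.md`) moving to `hello@fastcrest.com` removes the personal-address problem, but a brand inbox shared with general enquiries only honours the 48-hour acknowledgement and 7-day status SLA stated a few lines below this hunk if whoever triages it reliably routes security reports to maintainers. Either add a dedicated security alias, or add one sentence saying the mailbox is monitored for security reports, and publish a PGP key alongside so reporters are not sending reproduction steps in cleartext.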