FastCrest · rylinjames · Jun 11, 2026 · Jun 11, 2026
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
@@ -1,5 +1,22 @@
 # Changelog
 
+## v0.12.0 — 2026-06-03
+
+**Project renamed Reflex → Tether.** The package, CLI, and import surface have been renamed; a backwards-compat shim keeps the old names working through v0.13.x.
+
+### Package rename
+
+- **PyPI distribution is now `fastcrest-tether`.** Install with `pip install fastcrest-tether`. The old `reflex-vla` distribution is no longer updated.
+- **CLI command is now `tether`** (`tether serve`, `tether export`, `tether doctor`, etc.).
+- **Python import package is now `tether`** (`from tether import ...`).
+- **`TETHER_*` environment variables** are the canonical names going forward (e.g. `TETHER_NO_TELEMETRY`, `TETHER_PRO_LICENSE`). `REFLEX_*` names still mirror to `TETHER_*` for now.
+
+### Backwards compatibility shim (through v0.13.x, removed in v0.14.0)
+
+- The `reflex` Python package remains importable and re-exports the full `tether` namespace. A `DeprecationWarning` is emitted on first use.
+- The `reflex` CLI entry point continues to work and delegates to `tether`. A deprecation notice prints on each invocation.
+- Shims are removed in v0.14.0. Migrate by replacing `reflex` → `tether` in imports, CLI calls, and env vars.
+
 ## v0.11.2 — 2026-05-29
 
 **Hardening patch for the v0.11 lift program + the formal N=100/task L3 LIBERO parity gate clears `--fast-kernels`.** v0.11.1 shipped the FluxVLA lift program (fast-kernels, inference-only weights, ZMQ transport, two new families, `reflex connect`). This patch lands the post-tag hardening of those paths — a refactored monolithic serve/bench path with first-class external-data ONNX, `reflex connect`'s missing core dependency, and clean stderr/stdout separation — and records the formal N=100/task L3 parity verdict that keeps the opt-in `--fast-kernels` Triton runtime on. It also resets the version string to lockstep after a `__version__`/`pyproject` drift in v0.11.1.

@@ -0,0 +1,33 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Do not open a public issue for security vulnerabilities.**
+
+Email **hello@fastcrest.com** with:
+
+- A description of the vulnerability and its potential impact
+- Steps to reproduce or proof-of-concept (as detailed as possible)
+- Any suggested fix, if you have one
+
+You will receive an acknowledgement within 48 hours and a status update within 7 days. If the issue is confirmed, we will coordinate a fix and disclosure timeline with you before publishing anything publicly.
+
+## Supported Versions
+
+Security fixes are applied to the **latest minor release** only. We do not backport fixes to older minor versions.
+
+| Version | Supported |
+|---------|-----------|
+| latest minor | yes |
+| older minors | no |
+
+## Scope
+
+Tether serves robot-control endpoints over the network. Issues in the following areas are taken seriously and should be reported promptly:
+
+- **Network-exposed API endpoints** (`tether serve` HTTP/ZMQ surfaces) — authentication bypass, SSRF, injection, denial of service
+- **Model / checkpoint loading** — path traversal, arbitrary code execution via crafted model files
+- **License and telemetry workers** — data leakage, auth bypass
+- **Dependency vulnerabilities** that affect the runtime serve path
+
+Issues limited to local-only attack surfaces (e.g. a user who already has shell access to the serve host) are lower priority but still welcome.