ruvnet · ruvnet · Apr 26, 2026 · Apr 26, 2026 · Apr 26, 2026 · Apr 26, 2026
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -0,0 +1,60 @@
+# cargo-audit configuration for the ruvector workspace.
+#
+# Ignored advisories MUST have a justification. Anything fixable should be
+# fixed via a dependency bump rather than ignored here. Re-evaluate the
+# `until` dates periodically.
+
+[advisories]
+ignore = [
+    # ------------------------------------------------------------------
+    # Vulnerabilities (genuinely no upstream fix available)
+    # ------------------------------------------------------------------
+
+    # rsa 0.9.x — Marvin Attack (timing sidechannel on RSA decryption).
+    # No fixed upgrade is available from upstream `rsa`. We do not expose
+    # an RSA decryption oracle: TLS in this workspace runs on rustls with
+    # Ed25519/X25519 suites, and `rsa` is pulled only transitively (e.g.
+    # SQL drivers, JWT verification paths) where we never decrypt
+    # attacker-controlled ciphertexts under a long-lived RSA key.
+    # Re-evaluate when the `rsa` crate ships a constant-time implementation.
+    "RUSTSEC-2023-0071",
+
+    # ------------------------------------------------------------------
+    # "Unmaintained" warnings (informational, not vulnerabilities)
+    # ------------------------------------------------------------------
+    # These are pulled transitively through deps we do not control. They
+    # are not exploitable on their own; they are notices that the upstream
+    # crate is no longer accepting patches. We mute them to keep CI clean
+    # and revisit when the parent dep migrates.
+
+    "RUSTSEC-2021-0140",  # rusttype — transitive via plotters; pure rendering, no untrusted input
+    "RUSTSEC-2022-0054",  # wee_alloc — transitive via wasm-bindgen-cli internals
+    "RUSTSEC-2024-0370",  # proc-macro-error — build-time only (proc-macro), no runtime exposure
+    "RUSTSEC-2024-0380",  # pqcrypto-dilithium — replaced by pqcrypto-mldsa, awaiting parent migration
+    "RUSTSEC-2024-0381",  # pqcrypto-kyber — replaced by pqcrypto-mlkem, awaiting parent migration
+    "RUSTSEC-2024-0384",  # instant — transitive via parking_lot/older time deps
+    "RUSTSEC-2024-0388",  # derivative — transitive proc-macro
+    "RUSTSEC-2024-0436",  # paste — transitive proc-macro, build-time only
+    "RUSTSEC-2025-0119",  # number_prefix — transitive via indicatif rendering
+    "RUSTSEC-2025-0124",  # rand_os — transitive, replaced by getrandom in modern code paths
+    "RUSTSEC-2025-0134",  # rustls-pemfile — transitive; rustls itself is current
+    "RUSTSEC-2025-0141",  # bincode — unmaintained notice; we pin a known-good version
+    "RUSTSEC-2026-0105",  # core2 — transitive, no_std fallback for std::io types
+
+    # ------------------------------------------------------------------
+    # Soundness/unsoundness notices in deps we do not directly control
+    # ------------------------------------------------------------------
+
+    # lru — IterMut Stacked Borrows violation. Used transitively; we do
+    # not call IterMut from the affected crate. Track parent dep upgrade.
+    "RUSTSEC-2024-0408",
+
+    # pprof — unsound `slice::from_raw_parts` usage. Only loaded behind
+    # benchmark/profiling features, never in production binaries.
+    "RUSTSEC-2026-0002",
+
+    # rand — unsoundness when using a custom global logger with rand::rng().
+    # We never install a custom logger in the rand call path. Awaiting
+    # transitive upgrade across the workspace.
+    "RUSTSEC-2026-0097",
+]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,8 @@ on:
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
+  # Skip building unused proc-macro features in test bin link steps
+  CARGO_INCREMENTAL: 0
 
 jobs:
   fmt:
@@ -67,10 +69,158 @@ jobs:
       - name: Clippy (workspace)
         run: cargo clippy --workspace --exclude ruvector-postgres --all-targets -- -W warnings
 
+  # The full workspace test suite exceeds the 30-minute timeout on a single
+  # runner. We split the work into parallel matrix jobs grouped by domain so
+  # each shard fits comfortably under the timeout, and use `cargo-nextest` for
+  # faster test discovery and execution.
   test:
-    name: Tests
+    name: Tests (${{ matrix.name }})
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    # `core-and-rest` is the catch-all shard and compiles ~50 crates; on a
+    # cold cache the build alone has hit ~90min, so headroom matters more
+    # than tight feedback for this job. Faster shards still finish in ~10–20m.
+    timeout-minutes: 150
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: vector-index
+            packages: >-
+              -p ruvector-rabitq
+              -p ruvector-rulake
+              -p ruvector-diskann
+              -p ruvector-graph
+              -p ruvector-gnn
+              -p ruvector-cnn
+          - name: rvagent
+            packages: >-
+              -p rvagent-a2a
+              -p rvagent-acp
+              -p rvagent-backends
+              -p rvagent-cli
+              -p rvagent-core
+              -p rvagent-mcp
+              -p rvagent-middleware
+              -p rvagent-subagents
+              -p rvagent-tools
+              -p rvagent-wasm
+          - name: ruvix
+            packages: >-
+              -p ruvix-aarch64
+              -p ruvix-bench
+              -p ruvix-boot
+              -p ruvix-cap
+              -p ruvix-demo
+              -p ruvix-drivers
+              -p ruvix-hal
+              -p ruvix-integration
+              -p ruvix-nucleus
+              -p ruvix-proof
+              -p ruvix-queue
+              -p ruvix-region
+              -p ruvix-sched
+              -p ruvix-shell
+              -p ruvix-types
+              -p ruvix-vecgraph
+          - name: ruqu-quantum
+            packages: >-
+              -p ruqu
+              -p ruqu-algorithms
+              -p ruqu-core
+              -p ruqu-exotic
+              -p ruqu-wasm
+          - name: ml-research-heavy
+            # Heaviest crates split into their own shard so ml-research
+            # doesn't exceed the 45-min timeout.
+            packages: >-
+              -p ruvector-attention
+              -p ruvector-mincut
+              -p ruvector-fpga-transformer
+              -p ruvector-graph-transformer
+          - name: ml-research-rest
+            packages: >-
+              -p ruvector-scipix
+              -p ruvector-sparse-inference
+              -p ruvector-sparsifier
+              -p ruvector-solver
+              -p ruvector-domain-expansion
+              -p ruvector-robotics
+          - name: core-and-rest-heavy
+            # Hoist the known-heavy long-tail crates out of core-and-rest
+            # so neither shard exceeds the 90-min timeout.
+            packages: >-
+              -p ruvllm
+              -p ruvllm-cli
+              -p ruvector-dag
+              -p ruvector-nervous-system
+              -p ruvector-math
+              -p ruvector-consciousness
+              -p prime-radiant
+              -p mcp-brain
+              -p ruvector-decompiler
+          - name: core-and-rest
+            # Everything else: core, delta, server/cluster, etc.
+            # Uses --workspace + --exclude to subtract the groups above so we
+            # don't have to enumerate ~100 crates by hand.
+            packages: >-
+              --workspace
+              --exclude ruvector-postgres
+              --exclude ruvector-decompiler
+              --exclude ruvllm
+              --exclude ruvllm-cli
+              --exclude ruvector-dag
+              --exclude ruvector-nervous-system
+              --exclude ruvector-math
+              --exclude ruvector-consciousness
+              --exclude prime-radiant
+              --exclude mcp-brain
+              --exclude ruvector-rabitq
+              --exclude ruvector-rulake
+              --exclude ruvector-diskann
+              --exclude ruvector-graph
+              --exclude ruvector-gnn
+              --exclude ruvector-cnn
+              --exclude rvagent-a2a
+              --exclude rvagent-acp
+              --exclude rvagent-backends
+              --exclude rvagent-cli
+              --exclude rvagent-core
+              --exclude rvagent-mcp
+              --exclude rvagent-middleware
+              --exclude rvagent-subagents
+              --exclude rvagent-tools
+              --exclude rvagent-wasm
+              --exclude ruvix-aarch64
+              --exclude ruvix-bench
+              --exclude ruvix-boot
+              --exclude ruvix-cap
+              --exclude ruvix-demo
+              --exclude ruvix-drivers
+              --exclude ruvix-hal
+              --exclude ruvix-integration
+              --exclude ruvix-nucleus
+              --exclude ruvix-proof
+              --exclude ruvix-queue
+              --exclude ruvix-region
+              --exclude ruvix-sched
+              --exclude ruvix-shell
+              --exclude ruvix-types
+              --exclude ruvix-vecgraph
+              --exclude ruqu
+              --exclude ruqu-algorithms
+              --exclude ruqu-core
+              --exclude ruqu-exotic
+              --exclude ruqu-wasm
+              --exclude ruvector-attention
+              --exclude ruvector-mincut
+              --exclude ruvector-scipix
+              --exclude ruvector-fpga-transformer
+              --exclude ruvector-sparse-inference
+              --exclude ruvector-sparsifier
+              --exclude ruvector-solver
+              --exclude ruvector-graph-transformer
+              --exclude ruvector-domain-expansion
+              --exclude ruvector-robotics
     steps:
       - uses: actions/checkout@v4
 
@@ -82,20 +232,35 @@ jobs:
 
       - name: Cache Rust
         uses: Swatinem/rust-cache@v2
+        with:
+          key: test-${{ matrix.name }}
+
+      - name: Install cargo-nextest
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-nextest
 
-      - name: Run tests (workspace)
-        run: cargo test --workspace --exclude ruvector-postgres --exclude ruvector-decompiler
+      - name: Run tests (${{ matrix.name }})
+        run: cargo nextest run --no-fail-fast ${{ matrix.packages }}
+
+      - name: Run doctests (${{ matrix.name }})
+        # nextest does not run doctests; do them in a separate step. Cheap
+        # because compilation is already cached from the nextest run.
+        run: cargo test --doc ${{ matrix.packages }}
 
   audit:
     name: Security audit
     runs-on: ubuntu-latest
     timeout-minutes: 30
-    continue-on-error: true
     steps:
       - uses: actions/checkout@v4
 
       - name: Install cargo-audit
-        run: cargo install cargo-audit --locked
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-audit
 
       - name: Run cargo audit
+        # Configuration (including the justified ignore list) lives in
+        # .cargo/audit.toml at the workspace root.
         run: cargo audit