# SPDX-License-Identifier: PMPL-1.0-or-later
# VeriSimDB - The Veridical Simulacrum Database
# An 8-core multimodal database (octad) with self-normalization
[workspace]
# This manifest has no [package] table (a virtual workspace), so the feature
# resolver is chosen here. Resolver "2" does not unify features that are enabled
# only for build-dependencies or dev-dependencies into the normal dependency build.
resolver = "2"
# Member crates, one path per line.
members = [
    "rust-core/verisim-graph",
    "rust-core/verisim-vector",
    "rust-core/verisim-tensor",
    "rust-core/verisim-semantic",
    "rust-core/verisim-document",
    "rust-core/verisim-temporal",
    "rust-core/verisim-provenance",
    "rust-core/verisim-spatial",
    "rust-core/verisim-octad",
    "rust-core/verisim-normalizer",
    "rust-core/verisim-drift",
    "rust-core/verisim-planner",
    "rust-core/verisim-api",
    "rust-core/verisim-repl",
    "rust-core/verisim-wal",
    "rust-core/verisim-storage",
    "rust-core/verisim-nif",
    "benches",
]
[workspace.package]
# Package metadata shared with member crates that opt in per field through
# `<field>.workspace = true`.
version = "0.1.0"
authors = ["Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"]
categories = ["database", "data-structures"]
documentation = "https://github.com/hyperpolymath/verisimdb/tree/main/docs"
edition = "2021"
homepage = "https://github.com/hyperpolymath/verisimdb"
keywords = [
    "database",
    "multimodal",
    "drift-detection",
    "federation",
    "consistency",
]
# NOTE(review): Cargo expects an SPDX expression in `license`; confirm this
# identifier is on the SPDX license list, otherwise `license-file` is the field to use.
license = "PMPL-1.0-or-later"
readme = "README.adoc"
# NOTE(review): `repository` points at GitLab while `homepage` and `documentation`
# point at GitHub. Confirm which host is canonical, since `repository` is the link
# people follow to inspect the source behind a published crate.
repository = "https://gitlab.com/hyperpolymath/verisimdb"
[workspace.dependencies]
# Shared version requirements; member crates inherit an entry with `<dep>.workspace = true`.
# Every entry below is a caret requirement, not an exact pin, so the versions that
# actually ship are the ones recorded in Cargo.lock. Build with `--locked` so the
# audited lockfile is the one that gets compiled.
#
# Graph modality — SimpleGraphStore is default (pure Rust, no C++ linker needed).
# Enable oxigraph-backend feature on verisim-graph for full RDF/SPARQL support.
oxigraph = "0.4"
# Vector modality (HNSW)
hnsw_rs = "0.3"
ndarray = "0.16"
# Tensor modality
# burn's build-time dependency chain carries the quinn-proto alert described in the
# comment block at the end of this file.
burn = "0.20"
# Semantic modality
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
ciborium = "0.2" # CBOR for proof blobs
# Document modality (LZ4 compression — pure Rust via lz4_flex, no zstd C library)
# The lz4_flex and lru advisories reached through this crate are tracked in the
# comment block at the end of this file.
tantivy = { version = "0.25", default-features = false, features = ["mmap", "lz4-compression"] }
# Temporal modality
chrono = { version = "0.4", features = ["serde"] }
# API and networking
axum = "0.8"
# "full" turns on every optional tokio component; a member crate that needs less
# can only narrow this by declaring tokio itself instead of inheriting it.
tokio = { version = "1", features = ["full"] }
tower = "0.5"
hyper = "1.0"
# Default features are off and TLS is rustls with no bundled crypto provider, so the
# process must have a rustls CryptoProvider available before the first TLS request.
# NOTE(review): presumably the ring provider from the rustls entry below — confirm it
# is installed at startup.
reqwest = { version = "0.13", default-features = false, features = ["json", "query", "http2", "rustls-no-provider"] }
# Serialization
# bincode removed — not used in codebase. Use postcard or ciborium for future serialization needs.
# bincode = "2.0.0-rc.3"
postcard = { version = "1.0", features = ["alloc"] }
# Error handling
thiserror = "2.0"
anyhow = "1.0"
# Logging and tracing
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
# TLS (pure Rust via ring — no OpenSSL, no aws-lc-sys/cmake)
# "tls12" keeps TLS 1.2 enabled alongside TLS 1.3; drop it if only TLS 1.3 peers must be served.
# NOTE(review): Cargo unifies features across the whole graph, so another crate could
# still enable a second rustls provider. Installing the ring provider explicitly at
# startup avoids depending on feature-based selection — confirm in the server crate.
rustls = { version = "0.23", default-features = false, features = ["ring", "std", "tls12", "logging"] }
axum-server = { version = "0.7", default-features = false, features = ["tls-rustls-no-provider"] }
# Testing
proptest = "1.4"
criterion = "0.5"
# Async
futures = "0.3"
async-trait = "0.1"
# Metrics
prometheus = "0.14"
# UUID
uuid = { version = "1.11", features = ["v4"] }
# Regex
regex = "1.11"
# Persistent storage (pure Rust, B-tree, ACID)
redb = "3.1"
# CRC (WAL integrity)
# CRC-32 detects accidental corruption only. It is not keyed, so it gives no
# protection against deliberate modification of WAL records.
crc32fast = "1.4"
# Cryptography (ZKP proofs in semantic store)
# NOTE(review): sha2 supplies SHA-2 hash functions only, and no proof-system crate is
# listed in this table — confirm what "ZKP proofs" refers to and where it is implemented.
sha2 = "0.10"
# GraphQL
# async-graphql applies no query depth or complexity limit unless one is set on the
# schema builder (limit_depth / limit_complexity).
# NOTE(review): confirm the API crate sets both before the endpoint is exposed.
async-graphql = "7.2"
async-graphql-axum = "7.2"
# gRPC
tonic = "0.14"
tonic-prost = "0.14"
prost = "0.14"
prost-types = "0.14"
[profile.release]
# Cargo reads profiles only from the workspace root manifest, so these settings
# apply to every member crate's release build.
# One codegen unit per crate: slower builds, more optimisation across the crate.
codegen-units = 1
# Full ("fat") link-time optimisation across the whole dependency graph.
lto = true
# A panic aborts the process instead of unwinding: destructors do not run and
# catch_unwind cannot intercept it. For a long-running server, a panic in one request
# handler or spawned task therefore ends the whole process, so any panic reachable
# from input is a full denial of service.
# NOTE(review): if verisim-nif is loaded into another runtime as a native library, an
# abort would take that host process down too — confirm this profile is intended for it.
panic = "abort"
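# Patch Bridge mitigations — forced upgrades for transitive advisories reached through tantivy 0.25.0.
# These override the versions that tantivy's requirements resolve to, without forking tantivy.
# NOTE(review): this manifest contains no [patch] table and no direct lz4_flex requirement, so
# nothing in it enforces the upgrade. Presumably the upgrade is held in Cargo.lock (for example via
# `cargo update -p lz4_flex --precise 0.11.6`) — confirm, and build with --locked so it stays applied.
#
# RUSTSEC-2026-0041: lz4_flex 0.11.5 — memory leak on decompression (CVSS 8.2 HIGH)
# NOTE(review): a fix described as offset validation suggests disclosure of memory contents rather
# than allocations that are never freed — confirm the wording against the advisory.
# Chain: tantivy 0.25.0 → lz4_flex 0.11.5
# Fix: 0.11.6 adds proper offset validation. Semver-compatible, safe to patch.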
#
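# RUSTSEC-2026-0002: lru 0.12.5 — IterMut Stacked Borrows violation (unsound)
# Chain: tantivy 0.25.0 → lru 0.12.5
# Fix: no fixed release exists in the 0.12.x line (0.12.6+ is not available), so a
# semver-compatible patch is NOT possible.
# The fix is in 0.16.3, which is semver-incompatible with tantivy's lru ^0.12 requirement.
# Status: UNMITIGABLE without tantivy upgrade. tantivy 0.25.0 is latest.
# Risk: Low in practice — VeriSimDB uses #![forbid(unsafe_code)] in verisim-document,
# and the IterMut violation requires specific Miri-detectable UB, not exploitable
# in normal execution. Accepted risk until tantivy 0.26.
# NOTE(review): forbid(unsafe_code) only constrains the crate that declares it. The unsound code
# is inside lru, reached through tantivy, so the attribute does not bound this risk. The acceptance
# should rest on whether tantivy's use of lru reaches the affected IterMut path — confirm, and
# record the advisory as an explicit, dated ignore in the advisory scanner's configuration so it
# is re-reviewed when tantivy 0.26 lands.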
#
# NOTE: quinn-proto 0.11.14 (Dependabot alert — build-time only, NOT runtime)
# Chain: burn 0.20 → cubecl-cpu → tracel-llvm-bundler (build dep) → reqwest 0.12 → quinn → quinn-proto
# This is a build-time dependency used to download LLVM artifacts; it is not in any production code path.
# It still executes on developer and CI machines during the build, so the build environment remains exposed to it.
# Waiting for the burn 0.21 stable release. reqwest has been bumped to 0.13 for direct dependencies.