
chore(main): release convergio 0.3.40#488

Open
Roberdan wants to merge 2 commits into
mainfrom
release-please--branches--main--components--convergio

Conversation

@Roberdan

@Roberdan Roberdan commented Jun 17, 2026

Owner

🤖 I have created a release beep boop

0.3.40 (2026-06-24)

Features

  • cli: add cvg llm call + mcp llm.call action (w5, adr-0058) (44529a5)
  • cli: cvg llm call + MCP llm.call action (W5, ADR-0058) (e54730e)
  • connector: add csv + http-json reference connectors (w4, adr-0057) (6dad82b)
  • connector: add federated query path with refusal gate (w4, adr-0057) (0ecabce)
  • connector: csv + http-json reference connectors (W4, ADR-0057) (382dd05)
  • connector: federated query path + refusal gate (W4, ADR-0057) (358c437)
  • durability: add ontology branch diff + merge-as-plan generator (w4, adr-0056) (37cf12a)
  • durability: add plan outcome gate (w4, adr-0055) (93cd0ec)
  • durability: ontology branch diff + merge-as-plan (W4, ADR-0056) (c10fb5e)
  • durability: W11 A11yGate phase-2 — axe-core integration + capability install (67b38f2)
  • executor: implement cost-of-pass tracking (w10) (dbc7b06)
  • executor: implement pass_rate/cost routing algorithm (w8, adr-0062) (0b8968f)
  • ontology: add bitemporal as-of reads + http query params (w3, adr-0053) (37c6811)
  • ontology: add deterministic entity-resolution engine (w3, adr-0055) (a7fa6d6)
  • ontology: add immutable purpose registry (w2, adr-0054) (8a2a473)
  • ontology: bitemporal as-of reads + HTTP query params (W3, ADR-0053) (41f3f91)
  • ontology: deterministic entity-resolution engine (W3, ADR-0055) (d0f3696)
  • ontology: enforce requires_purpose on object write path (w2, adr-0082) (48b62a7)
  • ontology: enforce requires_purpose on object write path (W2, ADR-0082) (b24f449)
  • ontology: immutable purpose registry + cvg purpose (W2, ADR-0054) (c79c9d2)
  • server: add capability purposes field + install-time registration check (w2, adr-0054) (ce10d1f)
  • server: add llm gateway egress redaction, schema validation, prov bundle (w5, adr-0058) (a2d3c0c)
  • server: capability purposes field + install-time registration check (W2, ADR-0054) (3e7f60d)
  • server: LLM gateway egress safety + output-schema validation + PROV (W5, ADR-0058) (6f46c6b)
  • server: wire purpose registry http route + cvg purpose cli (w2, adr-0054) (ab1f1bd)
  • thor: add optional coverage/a11y/i18n steps to cargo:auto (w3) (2f73951)
  • tui: add ontology events inspector panel (w6, adr-0059) (7e28939)
  • tui: add ontology inspector panels (w6, adr-0059) (2a24795)
  • tui: ontology events inspector panel (W6, ADR-0059) (e5439e7)
  • tui: ontology inspector panels (W6, ADR-0059) (90bf4d9)

Refactoring

  • repo: extract llm gateway routes into convergio-llm-gateway-routes (4f3c08b)
  • repo: extract llm gateway routes into convergio-llm-gateway-routes (6d538d1)
  • repo: extract ontology routes into convergio-ontology-routes (d01e52a)
  • repo: extract ontology routes into convergio-ontology-routes (115d516)

Documentation

  • adr: ADR-0082 purpose-mismatch enforcement on ontology write path (ccf2327)
  • docs: add adr-0082 purpose-mismatch enforcement on ontology write path (596b001)

This PR was generated with Release Please. See documentation.

@chatgpt-codex-connector


You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@Roberdan Roberdan force-pushed the release-please--branches--main--components--convergio branch 18 times, most recently from d634ab3 to 560bf47 on June 24, 2026 07:15
@Roberdan Roberdan force-pushed the release-please--branches--main--components--convergio branch from 560bf47 to 3b6ae13 on June 24, 2026 07:15
@Roberdan

Owner Author

🔴 CI blocked — RUSTSEC-2026-0185 (quinn-proto, HIGH 7.5)

cargo audit found a high-severity vulnerability that blocks merging this release:

| Field | Value |
|---|---|
| Crate | quinn-proto 0.11.14 |
| Advisory | RUSTSEC-2026-0185 |
| Severity | 7.5 HIGH |
| Published | 2026-06-22 |
| Fix | upgrade to >= 0.11.15 |

Dependency chain:

```
quinn-proto 0.11.14
└── quinn 0.11.9
    └── reqwest 0.12.28
        ├── hf-hub 0.5.0  ←  fastembed 5.17.2 (merged today)
        └── jsonschema / other convergio crates
```

How to unblock the release:

```sh
# Locally, from the workspace root:
cargo update quinn-proto
# or, if quinn has released a patch:
cargo update quinn

# Then commit the updated Cargo.lock:
git add Cargo.lock
git commit -m "fix(deps): bump quinn-proto to >=0.11.15 (RUSTSEC-2026-0185)"
git push
```

This will update Cargo.lock to quinn-proto 0.11.15, which contains the fix, re-run CI, and allow the release to be merged.

The advisory was published on 22 June, two days after this PR was opened; it was not visible when the PR was created.


Generated by Claude Code

@Roberdan

Owner Author

Automated PR status audit — 2026-06-25

PR #488 · chore(main): release convergio 0.3.40 · age: 8 days · label: autorelease: pending

| Check | Result |
|---|---|
| fmt + clippy + test | ✅ pass |
| cargo deny check licenses | ✅ pass |
| Docs drift (advisory) | ✅ pass |
| Sync Cargo.lock + docs/INDEX.md | ✅ pass |
| cargo deny + audit | FAILURE |

The cargo deny + audit check is failing (last run 2026-06-24 07:15–07:16 UTC). This check covers both advisory-database vulnerability scanning and dependency policy enforcement. This is a required check and blocks merging the release.

Recommended action: Review the audit failure logs at the check run to identify the affected dependency, then either update the crate, add an ignore entry with a rationale in deny.toml, or patch the dependency before merging.


No PRs are older than 14 days. This is the only open PR.


Generated by Claude Code

@Roberdan

Owner Author

CI Status — automated scan (2026-06-26)

| Check | Status |
|---|---|
| fmt + clippy + test | ✅ pass |
| cargo deny check licenses | ✅ pass |
| Docs drift (advisory) | ✅ pass |
| Sync Cargo.lock + docs/INDEX.md | ✅ pass |
| cargo deny + audit | fail |

Blocking issue: RUSTSEC-2026-0185 — Remote memory exhaustion in quinn-proto 0.11.14 (severity 7.5 high, published 2026-06-22).

Dependency chain: quinn-proto 0.11.14 → quinn 0.11.9 → reqwest 0.12.28 → multiple convergio crates (convergio-reports, convergio-embed, convergio-server, convergio-cli, etc.)

Fix: Upgrade reqwest to a version that pulls in quinn-proto >= 0.11.15, or add a [patch] override in Cargo.toml.

This advisory is shared across all currently open PRs (#488, #507, #508) — it predates all three branches and needs to be fixed upstream (on main) rather than in each individual PR.


Generated by Claude Code

@Roberdan

Owner Author

Automated CI Status Report — 2026-06-27

Age: 10 days open (opened 2026-06-17). Reaches 14-day review threshold on 2026-07-01.

| Job | Status |
|---|---|
| fmt + clippy + test | ✅ passing |
| Docs drift (advisory) | ✅ passing |
| license-check | ✅ passing |
| cargo deny + audit | failing |
| Post-release-please polish | ✅ passing |

Failing job: cargo audit step in the cargo deny + audit job (run 28081895061).

Note: This same cargo audit failure appears on all open branches — it is a pre-existing vulnerability advisory in a workspace dependency, not introduced by this release PR. Resolving the advisory on main and rebasing this branch should clear the block.

This PR is ready to merge on all other checks. The release covers: LLM gateway (W5/ADR-0058), CSV+HTTP connectors (W4/ADR-0057), ontology bitemporal reads (W3/ADR-0053), A11y gate phase-2 (W11), and several other features. Action needed: investigate and resolve the cargo audit advisory blocking CI, then merge.


Generated by Claude Code

@Roberdan

Owner Author

CI Status — 2026-06-28

Automated PR audit run.

Summary across all 3 open PRs

| PR | Title | Age | fmt+clippy+test | cargo deny+audit | Docs drift |
|---|---|---|---|---|---|
| #488 | release 0.3.40 | 11 days | ✅ pass | fail | ✅ pass |
| #507 | bump uuid 1.23.4 | 3 days | ✅ pass | fail | ✅ pass |
| #508 | bump rmcp 1.8.0 | 3 days | ✅ pass | fail | ✅ pass |

Root cause — same advisory on all 3

RUSTSEC-2026-0185 — Remote memory exhaustion in quinn-proto (severity: 7.5 HIGH)
Published: 2026-06-22 · Fix: upgrade to quinn-proto >= 0.11.15

Dependency chain: quinn-proto 0.11.14 → quinn 0.11.9 → reqwest 0.12.28 → most convergio crates (convergio-reports, convergio-embed, convergio-server, convergio-cli, etc.)

Advisory URL: https://rustsec.org/advisories/RUSTSEC-2026-0185

Action needed

The vulnerability sits in the base branch. Until reqwest or quinn is bumped to a version that pulls quinn-proto >= 0.11.15, this check will fail on every PR. Recommended fix:

```sh
cargo update quinn-proto
# verify the resolved version is >= 0.11.15, then commit Cargo.lock
```

Once main is updated, this release PR and the two dependabot PRs (#507, #508) can be rebased or re-run and should pass.

Age flag

No PR has crossed the 14-day review threshold yet. PR #488 is at 11 days — flag will trigger on 2026-07-01 if still open.


Posted by automated CI audit routine.


Generated by Claude Code

@Roberdan

Owner Author

CI status — automated scan (2026-06-29)

Blocker on this PR and all 3 open PRs: cargo deny + audit is failing across the board due to the same advisory.

| Advisory | Severity | Introduced |
|---|---|---|
| RUSTSEC-2026-0185 | 7.5 high | 2026-06-22 |

Vulnerable crate: quinn-proto 0.11.14 — remote memory exhaustion via unbounded out-of-order stream reassembly.
Fix: upgrade to >= 0.11.15.
Pull chain: quinn-proto → quinn 0.11.9 → reqwest 0.12.28 (pulled by jsonschema, hf-hub/fastembed, and several convergio-* crates directly).

This is a workspace-wide issue — all three open PRs (#488, #507, #508) fail on the same advisory because they all share the same Cargo.lock. The fix needs to land on main first (a cargo update quinn-proto or a reqwest/quinn bump that pulls in quinn-proto ≥ 0.11.15), then this release PR can be rebased.

Also flagged on PR #508 (rmcp 1.7.0 → 1.8.0): that release contains a source-breaking API change (Peer::peer_info() return type changed to Option<Arc<R::PeerInfo>>). The fmt + clippy + test check passes on that PR, so the code appears to have adapted, but worth a conscious review before merge.

Age summary:


Generated by Claude Code

@Roberdan

Owner Author

Automated CI status report — 2026-06-30

Status: CI partially failing (13 days open — hits 14-day review threshold tomorrow)

| Check | Result |
|---|---|
| fmt + clippy + test | ✅ pass |
| cargo deny check licenses | ✅ pass |
| Docs drift (advisory) | ✅ pass |
| cargo deny + audit | FAIL |

Blocking: RUSTSEC-2026-0185 — quinn-proto remote memory exhaustion (severity 7.5 HIGH)

cargo audit found 1 vulnerability in the current Cargo.lock:

  • Crate: quinn-proto 0.11.14
  • Title: Remote memory exhaustion from unbounded out-of-order stream reassembly
  • Advisory: RUSTSEC-2026-0185 — published 2026-06-22
  • Fix: upgrade to >= 0.11.15
  • Dep chain: reqwest 0.12.28 → quinn 0.11.9 → quinn-proto 0.11.14

This vulnerability was published 3 days before this PR's last CI run and affects main as well — all three open PRs are failing the same check. The fix is to run cargo update -p quinn-proto on main (or bump reqwest/quinn to pull in a patched quinn-proto), then rebase this release PR.

Also noted: a warning in the deny output about an unnecessary skip entry for redox_syscall@0.5.18 in deny.toml — not blocking but worth a cleanup pass.


Generated by Claude Code
