This release includes 1 security fix for security teams reviewing exposed deployments.
Topics
+14 more
Summary
AI summaryZero contract shape changes and zero behavioural breaks; no upgrade actions required.
Full changelog
Companion to v0.5.8. Lands the immune-zero baseline (121 LOW findings → 0) plus canon JSON-Schema for IDE validation plus migration guides for both boundaries (v0.5.7→v0.5.8 and v0.5.8→v0.5.9).
Zero contract shape changes. Zero behavioural breaks at R1–R7. Operators upgrade with pip install -U myco and nothing else.
Five moves
1. DC2 refinement
DC2PublicFunctionDocstring now exempts @property accessors and methods overriding an abstract protocol method (Adapter / Protocol / Dimension bases). Both exemptions match the dimension's v0.5.8 docstring-stated scope that the implementation didn't honor.
2. Doctrine-anchor + link cleanup
- 32 pre-v0.5.8 kernel modules got
Governing doctrine: docs/architecture/...mdrefs (completes code → doctrine mycelium edges). - 4 subpackage
__init__.pyfiles got module docstrings with doctrine refs. - 6 v0.5.8 audit consolidation notes linked from the v0.5.8 craft via proper markdown links.
- 26 remaining public functions got one-line docstrings.
3. bounded_read_text rollout
v0.5.8 shipped the helper with zero callsites. v0.5.9 wires it into every substrate-read path: canon load, note reads, graph reads, dim-scanned code, propagate source reads, .gitignore. A multi-GB file at any of these positions now raises MycoError instead of OOM-ing the kernel.
4. Canon JSON-Schema
docs/schema/canon.schema.json(Draft 2020-12)docs/schema/README.mdwith VS Code / JetBrains / Neovim wiring snippets
IDEs that understand JSON-Schema validate _canon.yaml at edit time, before myco immune ever runs.
5. Migration guides
- v0.5.7 → v0.5.8 — translates v0.5.8's write_surface-enforcement + exit-code-differentiation into operator-visible upgrade steps
- v0.5.8 → v0.5.9 — the no-op guide ("pip install -U myco and you're done")
Release gates (all green)
- pytest: 755 passing
- ruff check + format: clean
- mypy src/myco: 0 errors
- myco immune: exit 0 with 0 findings (was 121 LOW on v0.5.8)
- myco immune --exit-on=high: exit 0
- myco hunger: clean (no drift, no backlog, no reflex signals)
- python -m build + twine check: PASSED × 2
- jsonschema-validate live _canon.yaml against schema: OK
Governing crafts
- v0.5.9 Immune Zero (design)
- v0.5.9 Release (closure)
Not in scope (documented deferrals)
- SC1 schema-consistency dim (cross-check Python
load_canonvs JSON-Schema) — v0.6+. - Full
bounded_read_textcoverage of package-resource reads — low risk; revisit only if templates approach 10 MB. - DC2 third-party ABC detection beyond the 3 whitelisted names — needs ABC introspection not available from AST walk.
Upgrading
pip install -U myco
That's it. No config changes. No script adjustments. No canon edits.
See the v0.5.8 → v0.5.9 migration guide for the full rationale.
Security Fixes
- Immune scan now reports 0 findings (down from 121 LOW in v0.5.8)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About Battam1111/Myco
Agent-first cognitive substrate with 18 manifest-driven verbs (germinate / eat / assimilate / sporulate / traverse / immune / molt / …) and 25 lint dimensions enforcing contract invariants mechanically (R1–R7). Cross-session / cross-project memory via a self-validating filesystem graph — AST + markdown-link derived, not embedding-based. Provider-agnostic by design: MP1/MP2 dims forbid LLM-SDK imports in the kernel and plugin tree. Editable-default install. Works with Claude Code, Cursor, Windsurf, Zed, VS Code, and any MCP client.
Related context
Related tools
Beta — feedback welcome: [email protected]