Problem
EmbeddingGuardConfig::ema_floor (crates/zeph-config/src/sanitizer.rs) accepts any f32 from TOML without bounds checking:
0.0 — freezes the centroid in steady state (no adaptation)1.0 — reverts to the original vulnerable running-mean behavior- Negative values — centroid diverges
Every other security-sensitive config field in this codebase uses a custom deserializer (e.g., validate_decay_lambda, validate_similarity_threshold in memory.rs).
Fix
Add a custom deserializer rejecting values outside (0.0, 1.0]. Follow the validate_decay_lambda pattern in crates/zeph-config/src/memory.rs.
Priority
P3 — admin-only config error, not exploitable remotely.
Related: PR fixing #2311
Problem
EmbeddingGuardConfig::ema_floor(crates/zeph-config/src/sanitizer.rs) accepts anyf32from TOML without bounds checking:0.0— freezes the centroid in steady state (no adaptation)1.0— reverts to the original vulnerable running-mean behaviorEvery other security-sensitive config field in this codebase uses a custom deserializer (e.g.,
validate_decay_lambda,validate_similarity_thresholdinmemory.rs).Fix
Add a custom deserializer rejecting values outside
(0.0, 1.0]. Follow thevalidate_decay_lambdapattern incrates/zeph-config/src/memory.rs.Priority
P3 — admin-only config error, not exploitable remotely.
Related: PR fixing #2311