The Hardened Edition

Why Now

When a package grows faster than expected, you have two choices: ride the wave or harden the foundation. We chose the foundation.

The score calculation was wrong. sync_faf.py was counting top-level YAML keys against a hardcoded 21-slot total instead of reading scores.faf_score. GEMINI.md showed 42% when the actual score was 100%. Fixed.

The PUT endpoint accepted arbitrary JSON with no limits. A malicious payload could create a massive YAML file and commit it to GitHub. Fixed.

What's New

Input Validation

Every PUT request is now validated before processing:

MAX_UPDATES    = 50      # No payload bombs
MAX_KEY_LENGTH = 100     # No key stuffing
MAX_VALUE_LENGTH = 10000 # No value flooding

# Returns 400 with clear error if exceeded

YAML Round-Trip Safety

Before committing to GitHub, every mutation is now round-trip tested:

yaml.safe_load(yaml.dump(data)) == data  # Must match
# If not: 400, commit blocked

Special characters, nested structures, unicode — if it doesn't survive the round-trip, it doesn't get committed.

X-FAF-Version Header

Every response now includes the endpoint version. Clients can verify they're talking to the right deployment.

X-FAF-Agent-Detected: gemini
X-FAF-Version: 1.1.0

find_faf_file

Now exported in the package. Discovers project.faf, .faf, or any *.faf file in a directory.

Try It

The Numbers

• v1.1.0 - Released March 7, 2026
• 57/57 - Tests passing (7 tiers + integration)
• 100% - Trophy score
• 3,000+ - PyPI downloads (zero advertising)
• 14 - New Tier 7 unit tests

The Ecosystem