feat: initial v0.1 scaffold

[Taure]

Summary

Initial v0.1 scaffold of nova_cache — a general-purpose KV cache library for the Nova ecosystem.

Public API

• get/2,3, put/3,4, fetch/3,4, delete/2, delete_many/2, invalidate/2, clear/1

Architecture

• nova_cache_adapter behaviour with adapter-owns-its-process model; State is opaque to nova_cache
• nova_cache_invalidator transport behaviour; default impl nova_cache_invalidator_pg over pg
• nova_cache_ets adapter: per-cache gen_server + ETS table, direct concurrent reads/writes, TTL sweep, soft LRU max_size
• nova_cache_single_flight ETS-backed dedup for fetch/3 — no extra process per cache
• nova_cache_registry ETS index of Name -> {AdapterMod, State}, monitored for crashes

Invalidation model

Best-effort eventual delivery. TTL is the correctness backstop. Per-cache config:

• best_effort (default) — subscribe; serve stale on miss
• ttl_only — skip broadcasts entirely
• strict — best-effort + refuses to start without ttl_default

Decisions reached during scoping

• Adapter-owns-its-process; State opaque to nova_cache
• stats/1 dropped from the adapter behaviour; OTel counters are the only telemetry surface
• {pattern, Pattern} dropped from invalidate/2; delete_many/2 replaces it
• Invalidation as a swappable transport behaviour (not nova_pubsub-coupled); pg-backed default
• LRU as the documented eviction policy for max_size
• Single-flight default-on; configurable timeout
• Negative caching opt-in only; supports per-call short TTL
• Sub-second TTLs (ms granularity throughout)
• nova_cache MUST NOT become a dependency of nova core

Test plan

• rebar3 compile — clean
• rebar3 ct — 14/14 pass
• rebar3 xref — clean
• rebar3 dialyzer — clean
• rebar3 hank — clean
• rebar3 fmt --check — clean
• Validate the CI workflow runs green
• Validate the release workflow tags v0.1.0 once merged

Follow-ups (not in v0.1)

• Redis adapter (nova_cache_redis) — v0.2
• HTTP response caching plugin — separate repo, never inside nova_cache
• Layered / read-through adapter — v0.3 or user-space
• opentelemetry_nova_cache sibling for trace/metric pipeline

[github-actions]

ℹ️ 15 OTP CVEs auto-ignored (already fixed in running version)

These CVEs are patched in the installed OTP version but NVD data
has not been updated to reflect this. They are excluded from the
scan via an auto-generated .trivyignore.

CVE	Details
CVE-2026-32147	Fixed in 28.4.3, running 28.5 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in SFTP chroot
CVE-2026-28808	Fixed in 28.4.2, running 28.5 — ScriptAlias CGI targets bypass directory auth (mod_auth vs mod_cgi path mismatch)
CVE-2026-32144	Fixed in 28.4.2, running 28.5 — OCSP designated-responder authorization bypass — missing signature verification (RFC 6960 §4.2.2.2)
CVE-2026-28810	Fixed in 28.4.2, running 28.5 — Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver
CVE-2026-23943	Fixed in 28.4.1, running 28.5 — Pre-auth SSH DoS via unbounded zlib inflate
CVE-2026-23942	Fixed in 28.4.1, running 28.5 — SFTP root escape via component-agnostic prefix check in ssh_sftpd
CVE-2026-23941	Fixed in 28.4.1, running 28.5 — Request smuggling via first-wins Content-Length parsing in inets httpd
CVE-2026-21620	Fixed in 28.3.2, running 28.5 — TFTP Path Traversal
CVE-2016-1000107	Fixed in 28.0.4, running 28.5 — Httpd CGI Scripts Environment Variable Pollution AKA "httpoxy"
CVE-2025-58050	Fixed in 28.0.3, running 28.5 — Buffer Read Overflow on Regular Expressions with (*scs:) and (*ACCEPT)
CVE-2025-48038	Fixed in 28.0.3, running 28.5 — SSH Unverified File Handles can Cause Excessive Use of System Resources
CVE-2025-48039	Fixed in 28.0.3, running 28.5 — SSH Unverified Paths can Cause Excessive Use of System Resources
CVE-2025-48040	Fixed in 28.0.3, running 28.5 — SSH Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
CVE-2025-48041	Fixed in 28.0.3, running 28.5 — SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles
CVE-2025-4748	Fixed in 28.0.1, running 28.5 — Absolute Path in Zip Module