Skip to content

fix(ci): green the main gates — fmt, SDK arch boundary, cargo-deny#366

Merged
bordumb merged 7 commits into
mainfrom
fix/ci-main-gates
Jul 14, 2026
Merged

fix(ci): green the main gates — fmt, SDK arch boundary, cargo-deny#366
bordumb merged 7 commits into
mainfrom
fix/ci-main-gates

Conversation

@bordumb

@bordumb bordumb commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

What

Fixes the three checks failing on main (all pre-existing — surfaced by the recent "run pre-commit hooks in CI" commit, not introduced by this branch; 999bfae4 already showed CI and cargo-deny red).

1. Format (cargo fmt --check --all)

Nine files under auths-cli, auths-infra-http, auths-pairing-protocol, and auths-verifier were left unformatted by earlier mechanical-tier commits that landed via --no-verify. cargo fmt --all applied; no behavior change.

2. Architecture boundary (scripts/check-arch.sh)

auths-sdk/src/workflows/transparency.rs did raw std::fs I/O (read/write/chmod of <log_dir>/log.key, plus create_dir_all) — forbidden in the SDK layer. Relocated that filesystem work onto FsTileStore (the auths-transparency adapter that already owns the log's on-disk layout):

  • FsTileStore::ensure_base_dir()
  • FsTileStore::load_or_create_key(create) -> Option<LogSigningKey> — returns None when the key is absent and create is false, so the workflow keeps its LogNotFound semantics without touching the filesystem.

Drops the now-dead LogIo variant and LOG_KEY_FILE const from the SDK. Satisfies the golden rule (SDK orchestrates, adapter does I/O).

3. cargo-deny advisories

  • RUSTSEC-2026-0204 (crossbeam-epoch invalid pointer deref): bump 0.9.18 -> 0.9.20. Reachable only via the criterion dev-dep.
  • RUSTSEC-2026-0189 (rmcp Streamable HTTP server DNS rebinding): documented ignore. rmcp is used only by auths-mcp-gateway with the transport-io (stdio) + transport-child-process features; the vulnerable HTTP server transport is never enabled, and the advisory explicitly states stdio/child-process transports are unaffected. The fix (rmcp >= 1.4.0) is a major upgrade from our pinned 0.9 for zero benefit at this transport posture.

Verified locally

  • cargo fmt --check --all → 0 diffs
  • bash scripts/check-arch.sh → passes
  • cargo deny check advisoriesadvisories ok
  • cargo check -p auths-transparency → clean

Note

Commits are unsigned (authored --no-gpg-sign to avoid the passphrase gate) — run auths sign origin/main..HEAD before merge if the branch-protection verify gate requires trailers.

@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
auths Ready Ready Preview, Comment Jul 14, 2026 8:44am

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
f271c0c0 ❌ Failed No signature found
e18f5081 ❌ Failed No signature found
4c5ffdff ❌ Failed No signature found

Result: ❌ 0/3 commits verified


How to fix

Commit f271c0c0 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
c1ed2857 ❌ Failed No signature found
f663c931 ❌ Failed No signature found
f271c0c0 ❌ Failed No signature found
e18f5081 ❌ Failed No signature found
4c5ffdff ❌ Failed No signature found

Result: ❌ 0/5 commits verified


How to fix

Commit c1ed2857 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
667c1253 ❌ Failed No signature found
c1ed2857 ❌ Failed No signature found
f663c931 ❌ Failed No signature found
f271c0c0 ❌ Failed No signature found
e18f5081 ❌ Failed No signature found
4c5ffdff ❌ Failed No signature found

Result: ❌ 0/6 commits verified


How to fix

Commit 667c1253 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
8f046565 ❌ Failed No signature found
667c1253 ❌ Failed No signature found
c1ed2857 ❌ Failed No signature found
f663c931 ❌ Failed No signature found
f271c0c0 ❌ Failed No signature found
e18f5081 ❌ Failed No signature found
4c5ffdff ❌ Failed No signature found

Result: ❌ 0/7 commits verified


How to fix

Commit 8f046565 has no Auths signature (no Auths-Id/Auths-Device trailer).

1. Install auths

macOS: brew install auths
Linux: Download from releases

2. One-time setup (creates your identity and configures Git)

auths init

3. Sign this branch and push

auths sign origin/main..HEAD
git push --force-with-lease

For CI to verify the signer, commit an identity bundle:

auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000

Quickstart →

bordumb added 7 commits July 14, 2026 10:43
check-arch.sh forbids std::fs in auths-sdk. The transparency workflow read,
wrote, and chmod'd <log_dir>/log.key and created the log dir directly. Relocate
that filesystem work onto FsTileStore (the adapter that already owns the log's
on-disk layout) via ensure_base_dir() and load_or_create_key(); the latter
returns Option<LogSigningKey> so the workflow keeps its LogNotFound semantics
without touching the filesystem. Drops the now-unused LogIo variant and
LOG_KEY_FILE constant.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
crossbeam-epoch 0.9.18 -> 0.9.20 clears RUSTSEC-2026-0204 (invalid pointer
deref in the fmt::Pointer impl; reachable only via the criterion dev-dep).

RUSTSEC-2026-0189 (rmcp Streamable HTTP server DNS rebinding) is not exploitable
here: rmcp is used only by auths-mcp-gateway with the transport-io (stdio) and
transport-child-process features; the vulnerable HTTP server transport is never
enabled, and the advisory states stdio/child-process transports are unaffected.
The fix (rmcp >= 1.4.0) is a major upgrade from our pinned 0.9 with no security
benefit for this transport posture, so it is added to the documented ignore
list.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
Format the files left unformatted by the earlier mechanical-tier commits, which
landed via --no-verify and skipped the fmt hook. No behavior change; clears the
CI Format gate (cargo fmt --check --all).

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
The pre-commit 'end-of-file-fixer' gate (previously masked by the check-arch
failure) flagged two files. crates/auths-cli/src/ux/dialogs.rs was a dead,
empty module (a single blank line, referenced only by 'pub mod dialogs;' with
no users) over which rustfmt and end-of-file-fixer disagreed — an unwinnable
loop. Remove the module and its declaration. Add the missing trailing newline
to tests/scale/dashboard.html.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
check_primitive_inventory.py (the CR-7 drift guard, also previously masked by
check-arch) flagged the doc pin 'ml-kem 0.2' against the tree's exact pin
'ml-kem =0.2.3' (PQ-5). Update the inventory row to 0.2.3.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
The manual install was not idempotent: the guard checked for cargo-deny 0.19
but 'cargo install cargo-deny --locked' installs the latest, so once setup-rust
restored a cached non-0.19 binary the guard failed and 'cargo install' aborted
with 'binary cargo-deny already exists in destination' (exit 101). Any run with
a warm cache failed. Switch to the prebuilt-binary installer already used for
nextest and cargo-audit in ci.yml — fast, cached, and idempotent.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
'kel validate' resolved its registry/identity storage from the default
auths home via paths::auths_home(), silently dropping the global --repo
override — the confused-deputy class the repo_consistency guard catches
(offender: kel.rs). Resolve the home with storage_layout::resolve_repo_path(
ctx.repo_path), the same helper every other storage command uses, so both
the default-identity and --did paths honor --repo.

Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
Auths-Anchor-Seq: 1
@github-actions

Copy link
Copy Markdown

Auths Commit Verification

Commit Status Details
f6dce4a3 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
3140f3d3 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
50793b87 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
fb2d20d4 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
ea52928d ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
b1822987 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd
413048b0 ✅ Verified Signed by did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd

Result: ✅ 7/7 commits verified

@bordumb
bordumb merged commit 7cf27e5 into main Jul 14, 2026
26 checks passed
@bordumb
bordumb deleted the fix/ci-main-gates branch July 14, 2026 08:50
@bordumb
bordumb restored the fix/ci-main-gates branch July 16, 2026 22:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant