fix(ci): green the main gates — fmt, SDK arch boundary, cargo-deny#366
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Auths Commit Verification
Result: ❌ 0/3 commits verified How to fixCommit 1. Install auths macOS: 2. One-time setup (creates your identity and configures Git) auths init3. Sign this branch and push auths sign origin/main..HEAD
git push --force-with-leaseFor CI to verify the signer, commit an identity bundle: auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
Auths Commit Verification
Result: ❌ 0/5 commits verified How to fixCommit 1. Install auths macOS: 2. One-time setup (creates your identity and configures Git) auths init3. Sign this branch and push auths sign origin/main..HEAD
git push --force-with-leaseFor CI to verify the signer, commit an identity bundle: auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
Auths Commit Verification
Result: ❌ 0/6 commits verified How to fixCommit 1. Install auths macOS: 2. One-time setup (creates your identity and configures Git) auths init3. Sign this branch and push auths sign origin/main..HEAD
git push --force-with-leaseFor CI to verify the signer, commit an identity bundle: auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
Auths Commit Verification
Result: ❌ 0/7 commits verified How to fixCommit 1. Install auths macOS: 2. One-time setup (creates your identity and configures Git) auths init3. Sign this branch and push auths sign origin/main..HEAD
git push --force-with-leaseFor CI to verify the signer, commit an identity bundle: auths id export-bundle --alias main --output .auths/ci-bundle.json --max-age-secs 31536000 |
check-arch.sh forbids std::fs in auths-sdk. The transparency workflow read, wrote, and chmod'd <log_dir>/log.key and created the log dir directly. Relocate that filesystem work onto FsTileStore (the adapter that already owns the log's on-disk layout) via ensure_base_dir() and load_or_create_key(); the latter returns Option<LogSigningKey> so the workflow keeps its LogNotFound semantics without touching the filesystem. Drops the now-unused LogIo variant and LOG_KEY_FILE constant. Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Anchor-Seq: 1
crossbeam-epoch 0.9.18 -> 0.9.20 clears RUSTSEC-2026-0204 (invalid pointer deref in the fmt::Pointer impl; reachable only via the criterion dev-dep). RUSTSEC-2026-0189 (rmcp Streamable HTTP server DNS rebinding) is not exploitable here: rmcp is used only by auths-mcp-gateway with the transport-io (stdio) and transport-child-process features; the vulnerable HTTP server transport is never enabled, and the advisory states stdio/child-process transports are unaffected. The fix (rmcp >= 1.4.0) is a major upgrade from our pinned 0.9 with no security benefit for this transport posture, so it is added to the documented ignore list. Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Anchor-Seq: 1
Format the files left unformatted by the earlier mechanical-tier commits, which landed via --no-verify and skipped the fmt hook. No behavior change; clears the CI Format gate (cargo fmt --check --all). Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Anchor-Seq: 1
The pre-commit 'end-of-file-fixer' gate (previously masked by the check-arch failure) flagged two files. crates/auths-cli/src/ux/dialogs.rs was a dead, empty module (a single blank line, referenced only by 'pub mod dialogs;' with no users) over which rustfmt and end-of-file-fixer disagreed — an unwinnable loop. Remove the module and its declaration. Add the missing trailing newline to tests/scale/dashboard.html. Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Anchor-Seq: 1
check_primitive_inventory.py (the CR-7 drift guard, also previously masked by check-arch) flagged the doc pin 'ml-kem 0.2' against the tree's exact pin 'ml-kem =0.2.3' (PQ-5). Update the inventory row to 0.2.3. Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Anchor-Seq: 1
The manual install was not idempotent: the guard checked for cargo-deny 0.19 but 'cargo install cargo-deny --locked' installs the latest, so once setup-rust restored a cached non-0.19 binary the guard failed and 'cargo install' aborted with 'binary cargo-deny already exists in destination' (exit 101). Any run with a warm cache failed. Switch to the prebuilt-binary installer already used for nextest and cargo-audit in ci.yml — fast, cached, and idempotent. Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Anchor-Seq: 1
'kel validate' resolved its registry/identity storage from the default auths home via paths::auths_home(), silently dropping the global --repo override — the confused-deputy class the repo_consistency guard catches (offender: kel.rs). Resolve the home with storage_layout::resolve_repo_path( ctx.repo_path), the same helper every other storage command uses, so both the default-identity and --did paths honor --repo. Auths-Id: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Device: did:keri:EB5cPHY0t-ejNC_rUzPS1dclTvd6kG-R9mQzjozCuGgd Auths-Anchor-Seq: 1
8f04656 to
f6dce4a
Compare
Auths Commit Verification
Result: ✅ 7/7 commits verified |
What
Fixes the three checks failing on
main(all pre-existing — surfaced by the recent "run pre-commit hooks in CI" commit, not introduced by this branch;999bfae4already showedCIandcargo-denyred).1. Format (
cargo fmt --check --all)Nine files under
auths-cli,auths-infra-http,auths-pairing-protocol, andauths-verifierwere left unformatted by earlier mechanical-tier commits that landed via--no-verify.cargo fmt --allapplied; no behavior change.2. Architecture boundary (
scripts/check-arch.sh)auths-sdk/src/workflows/transparency.rsdid rawstd::fsI/O (read/write/chmod of<log_dir>/log.key, pluscreate_dir_all) — forbidden in the SDK layer. Relocated that filesystem work ontoFsTileStore(theauths-transparencyadapter that already owns the log's on-disk layout):FsTileStore::ensure_base_dir()FsTileStore::load_or_create_key(create) -> Option<LogSigningKey>— returnsNonewhen the key is absent andcreateis false, so the workflow keeps itsLogNotFoundsemantics without touching the filesystem.Drops the now-dead
LogIovariant andLOG_KEY_FILEconst from the SDK. Satisfies the golden rule (SDK orchestrates, adapter does I/O).3. cargo-deny advisories
0.9.18 -> 0.9.20. Reachable only via thecriteriondev-dep.rmcpis used only byauths-mcp-gatewaywith thetransport-io(stdio) +transport-child-processfeatures; the vulnerable HTTP server transport is never enabled, and the advisory explicitly states stdio/child-process transports are unaffected. The fix (rmcp >= 1.4.0) is a major upgrade from our pinned0.9for zero benefit at this transport posture.Verified locally
cargo fmt --check --all→ 0 diffsbash scripts/check-arch.sh→ passescargo deny check advisories→advisories okcargo check -p auths-transparency→ cleanNote
Commits are unsigned (authored
--no-gpg-signto avoid the passphrase gate) — runauths sign origin/main..HEADbefore merge if the branch-protection verify gate requires trailers.