chore(v0.3): closing audit fixes + items 18-20 #46
Merged
TechAlchemistX merged 1 commit into main on Apr 19, 2026
Three reviewer subagents (code / security / rust) audited the
full v0.3 scope (Phase 0 + Phase 1 gcp + Phase 2 azure + licensing).
Release-verdict: GREEN. This patch lands the surfaced fixes plus
the three deferred rust-engineer refinements.
Audit-surfaced fixes:
- **Azure vault-URL regex BUG**: accepted 1-char vault names, rejected
2-char. Original inner group `([a-zA-Z0-9-]{1,22}[a-zA-Z0-9])?` was
optional so a 1-char name matched the leading `[a-zA-Z0-9]` alone.
Azure's actual rule is 3-24 chars. Flipped to require middle+last
(min 3, max 24). Added boundary tests.
- **Drift-catch assertion tautology** (security):
`msg.contains("strict-mock-no-match") || msg.contains("azure")` was always-true because
every azure error begins with `azure backend '…':`. Same for gcp.
Tightened to `msg.contains("strict-mock-no-match")` only. The outer
`unwrap_err()` remains the load-bearing regression lock.
- **Missing `docs/fragment-vocabulary.md` link** in gcp + azure
unsupported-directive errors. Aligned with the aws-secrets shorthand
error shape and the fragment-vocabulary doc registry. Tests extended
with the link-assertion.
- **gcp missing CV-1 drift-catch analog**: azure has both `--value`-leak
and missing-`--encoding-utf-8` positive locks; gcp only had the
secret-on-stdin check. Added `set_drift_catch_rejects_data_flag_on_argv`
— declares the buggy `--data=<secret>` argv form so regressions
emitting the secret on argv surface exit 97.
- **No `check_extensive` direct test** in gcp or azure — trait-default
behavior silent-inherited with no regression lock. Added one per
backend.
Items 18-20 (rust-engineer deferred refinements):
- **Item 18 — `strict::Rule` unification.** `Rule` used to flatten every
`Response` field; now `Rule { argv, response: Response }`. One struct
move in `on()` instead of seven field moves. Private struct → no API
break.
- **Item 19 — `HashMap`→`IndexMap` in `BackendUri::fragment_directives`.**
Insertion order deterministic = URI-written order. `indexmap` was
already a workspace dep. `remove` → `shift_remove` per IndexMap's
deprecation guidance. Pre-launch breaking change in the public return
type; acceptable per the pre-launch-breaking-change policy.
- **Item 20 — `Response::with_stdin_fragment(impl Into<String>)`.**
Chainable alternative to `success_with_stdin(_, Vec<String>)`. Existing
constructor kept for back-compat.
Also:
- **`SecretShowResponse::value` comment** documents the deliberate absence
of `#[serde(default)]` (Azure always includes the `value` key; omission
should error, not silently become `None`). `kid` comment documents
that `#[serde(default)]` IS load-bearing for non-cert secrets.
Gates: fmt ✅ clippy ✅ test ✅ (435 → 442, +7) deny ✅ audit ✅.
Deferred post-v0.3.0 (per audit triage):
- gcp cert-bound comment hygiene (audit-trail only).
- azure tenant/subscription factory validation (low value — `az`
accepts both GUIDs and domain names for `--tenant`).
- `azure_vault_url` dead-code removal (kept for future Level-3 probes).
- `deny.toml` AGPL exception-tightening (supply-chain future work).
Audit reports are in kb/wiki (non-tracked): three agent ranked-matrix
outputs + a consolidated triage. Release gate is now pending re-verify
smoke only.
Signed-off-by: Mandeep Patel <mandeep@techalchemist.io>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: TechAlchemistX <mandeep@techalchemist.io>
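The boundary behaviour the commit message describes for the Azure vault-name pattern, as an added example that is not part of the commit or the project's code. It models only the name portion in std-only Rust (no `regex` crate), assumes the pattern is anchored at both ends, and uses hypothetical function names (`name_ok_before`, `name_ok_after`, `accepted_lengths`).

```rust
// Added example: std-only model of the vault-name pattern, before and after the fix.
// Assumption: the name pattern is matched against the whole name (anchored).

fn is_alnum(b: u8) -> bool {
    b.is_ascii_alphanumeric()
}

fn is_mid(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b == b'-'
}

/// Whole-slice match for `[a-zA-Z0-9-]{1,22}[a-zA-Z0-9]`.
fn tail_matches(tail: &[u8]) -> bool {
    match tail.split_last() {
        Some((last, mid)) => {
            is_alnum(*last) && (1..=22).contains(&mid.len()) && mid.iter().all(|b| is_mid(*b))
        }
        None => false,
    }
}

/// Before: `[a-zA-Z0-9]([a-zA-Z0-9-]{1,22}[a-zA-Z0-9])?` (tail group optional).
fn name_ok_before(name: &str) -> bool {
    match name.as_bytes().split_first() {
        Some((first, tail)) => is_alnum(*first) && (tail.is_empty() || tail_matches(tail)),
        None => false,
    }
}

/// After: `[a-zA-Z0-9][a-zA-Z0-9-]{1,22}[a-zA-Z0-9]` (middle + last required).
fn name_ok_after(name: &str) -> bool {
    match name.as_bytes().split_first() {
        Some((first, tail)) => is_alnum(*first) && tail_matches(tail),
        None => false,
    }
}

/// Lengths 0..=26 that a validator accepts, probed with constructed names of 'a'.
fn accepted_lengths(ok: fn(&str) -> bool) -> Vec<usize> {
    (0..=26).filter(|&n| { let s = "a".repeat(n); ok(&s) }).collect()
}

fn main() {
    println!("before: {:?}", accepted_lengths(name_ok_before));
    println!("after:  {:?}", accepted_lengths(name_ok_after));
}
```

Probing every length around both limits, rather than a few hand-picked names, is what exposes the gap at length 2 in the optional-group form.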
Summary
Final pre-v0.3.0-tag pass. Three reviewer subagents (code / security / rust) audited the full v0.3 scope; release verdict: GREEN. This PR lands the surfaced fixes + the three deferred rust-engineer refinements.

Audit-surfaced fixes
- `msg.contains("azure")` always true in azure errors. Tightened to `msg.contains("strict-mock-no-match")` only; `.unwrap_err()` remains the load-bearing lock. Applied to gcp + azure.
- `docs/fragment-vocabulary.md` link. Added to gcp + azure `resolve_version` + test assertions.
- `set_drift_catch_rejects_data_flag_on_argv`.
- `check_extensive` test in gcp or azure. Added one per backend.

Items 18-20 (deferred rust-engineer refinements)
- `strict::Rule { argv, response: Response }` unification (internal; private struct).
- `BackendUri::fragment_directives` returns `IndexMap<String, String>` (preserves URI-written order, drops `sort_unstable` noise). Pre-launch breaking change; install base zero.
- `Response::with_stdin_fragment(impl Into<String>)` chainable. Additive.

Deferred post-v0.3.0
Per audit triage: gcp cert-bound comment (hygiene), azure tenant/sub factory validation (low value), `azure_vault_url` dead-code removal (kept for Level-3), `deny.toml` AGPL exception-tightening (supply-chain follow-up).

Test plan
- `cargo fmt --check`
- `cargo clippy --workspace --all-targets --all-features -- -D warnings`
- `cargo test --workspace` — 435 → 442 (+7: 3 azure regex boundary + 2 `check_extensive` + 1 gcp data-flag drift-catch + 1 delta)
- `cargo deny check`
- `cargo audit`

🤖 Generated with Claude Code