chore(ci): pin Rust toolchain, mirror RSA advisory, gate dead code #1509

Merged
chaliy merged 4 commits into main from claude/fix-issue-H4eXe
May 2, 2026

@chaliy chaliy commented May 2, 2026

Summary

Punch-list cleanup from the Turso/SQLite review notes (items #9-11):

  • #10 — Pin Rust toolchain. A same-day rustc 1.95 release broke CI. rust-toolchain.toml now pins to 1.94.1 and every dtolnay/rust-toolchain@stable ref across .github/workflows/* is pinned to @1.94.1. Bumps are now deliberate. @nightly refs (fuzz, nightly workflow, ci fuzz-check) intentionally untouched.
  • #9 — Triage Dependabot moderate alert #27 (RUSTSEC-2023-0071, Marvin Attack on rsa, transitive via russh ssh-key). No upstream patch (RustCrypto/RSA#19: modpow implementation is not constant-time). The advisory is already ignored by rustsec/audit-check in CI; mirrored into deny.toml so cargo deny check succeeds locally and the accepted risk is documented in one place. The Dependabot alert itself still needs a manual UI dismissal with reason "no patched version available".
  • #11 — Pre-existing clippy dead_code baseline. Without --all-features, cargo clippy on main emitted warnings for items only used from feature-gated callsites (builtins/curl.rs::same_origin, SENSITIVE_HEADERS; the entire credential module + pub use Credential; BashBuilder::logic_only). Added matching #[cfg(feature = "...")] attributes so default-feature and single-feature builds are warning-free for contributors who don't pass --all-features.
  • Docs. AGENTS.md now spells out that the toolchain pin in rust-toolchain.toml and the dtolnay/rust-toolchain@<version> workflow refs are bumped together.

Test plan

  • cargo fmt --all -- --check
  • cargo clippy --all-targets --all-features -- -D warnings
  • cargo clippy -p bashkit --all-targets (default features)
  • cargo clippy -p bashkit --all-targets --no-default-features
  • cargo clippy -p bashkit --all-targets --features http_client (and ssh, scripted_tool, sqlite individually)
  • cargo test --workspace --lib --bins --tests --features http_client,ssh,sqlite -- --skip ssh_supabase — 86 test groups, 0 failures (ssh_supabase_connects skipped: needs live network to supabase.sh)
  • rustup confirms 1.94.1 is selected from the new rust-toolchain.toml

Generated by Claude Code
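
An added example, not part of this PR or the project's code: a drift check for the two invariants the description relies on, that every `dtolnay/rust-toolchain@<ref>` in the workflows matches the `rust-toolchain.toml` channel (nightly exempt) and that an advisory ignored in CI is also listed in `deny.toml`. The file contents, workflow names and function names are constructed for illustration.

```python
import re

# Constructed sample inputs; these are not the project's real files.
RUST_TOOLCHAIN_TOML = '[toolchain]\nchannel = "1.94.1"\n'
DENY_TOML = '[advisories]\nignore = ["RUSTSEC-2023-0071"]\n'
WORKFLOWS = {
    "ci.yml": """
steps:
  - uses: dtolnay/rust-toolchain@1.94.1
  - uses: rustsec/audit-check@v2.0.0
    with:
      ignore: RUSTSEC-2023-0071
""",
    "fuzz.yml": "steps:\n  - uses: dtolnay/rust-toolchain@nightly\n",
    "release.yml": "steps:\n  - uses: dtolnay/rust-toolchain@stable\n",
}

ACTION_REF = re.compile(r"dtolnay/rust-toolchain@([\w.\-]+)")
ADVISORY_ID = re.compile(r"RUSTSEC-\d{4}-\d{4}")

def pinned_channel(toolchain_toml):
    """Return the channel string pinned in rust-toolchain.toml."""
    m = re.search(r'^\s*channel\s*=\s*"([^"]+)"', toolchain_toml, re.M)
    if not m:
        raise ValueError("no channel in rust-toolchain.toml")
    return m.group(1)

def toolchain_drift(toolchain_toml, workflows, allowed=("nightly",)):
    """List (workflow, ref) pairs whose ref is neither the pin nor exempt."""
    pin = pinned_channel(toolchain_toml)
    drift = []
    for name, text in sorted(workflows.items()):
        for ref in ACTION_REF.findall(text):
            if ref != pin and ref not in allowed:
                drift.append((name, ref))
    return drift

def advisory_drift(deny_toml, workflows):
    """Compare advisory ids named in deny.toml with those named in CI."""
    in_deny = set(ADVISORY_ID.findall(deny_toml))
    in_ci = set()
    for text in workflows.values():
        in_ci.update(ADVISORY_ID.findall(text))
    return {"only_in_ci": sorted(in_ci - in_deny),
            "only_in_deny": sorted(in_deny - in_ci)}

if __name__ == "__main__":
    print(toolchain_drift(RUST_TOOLCHAIN_TOML, WORKFLOWS))
    print(advisory_drift(DENY_TOML, WORKFLOWS))
```

Run as a CI step over the real files, a non-empty result from either function would fail the build, so a revert to `@stable` or an ignore added in only one place is caught at review time.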

chaliy added 4 commits May 2, 2026 15:50
Same-day rustc 1.95 release broke CI. Pin rust-toolchain.toml
channel and dtolnay/rust-toolchain@stable refs to 1.94.1 so a
future rustc release no longer auto-rolls into CI/local builds.
Bump deliberately when adopting new lints. Nightly refs (fuzz,
nightly workflow, ci fuzz-check) remain on @nightly.

Marvin Attack on rsa (transitive via russh ssh-key) has no upstream
patch (RustCrypto/RSA#19). The advisory is already ignored in CI's
rustsec/audit-check step and is the same vuln Dependabot surfaces as
moderate alert #27. Mirroring it in deny.toml lets `cargo deny check`
succeed locally and documents the accepted risk in one place.

Without --all-features, cargo clippy on main emitted dead_code warnings
for items only referenced from feature-gated callsites:

* builtins/curl.rs: same_origin / SENSITIVE_HEADERS — used only inside
  the http_client redirect path
* lib.rs: mod credential + pub use Credential — entire module is wired
  through #[cfg(feature = "http_client")] callers
* lib.rs: BashBuilder::logic_only — only called from the scripted_tool
  module

Add the matching #[cfg(...)] attributes so the warnings disappear in
default-feature and single-feature builds, keeping local `cargo clippy`
clean for contributors who don't pass --all-features.

Document that the rust-toolchain.toml channel and the
dtolnay/rust-toolchain@<version> refs in CI are pinned together
and bumped deliberately, so a future contributor doesn't revert
to "stable" without realizing why.

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

Status: ✅ Deployment successful! Name: bashkit. Latest commit: 15921e9. Updated (UTC): May 02 2026, 04:40 PM

@chaliy chaliy merged commit 512c26b into main May 2, 2026
34 checks passed
@chaliy chaliy deleted the claude/fix-issue-H4eXe branch May 2, 2026 16:51
codecov Bot commented May 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
