chore: deep-maintenance follow-ups — just vet, count drift, TM-INF-018, deps#1635
Merged
Conversation
`just vet` previously failed locally with `no such command: vet` because the recipe assumed cargo-vet was already on PATH — only CI installs it (via taiki-e/install-action). Add a private `_ensure-vet` recipe that installs cargo-vet via `cargo install --locked` if it's missing, and have the three public vet recipes depend on it. Also pass `--locked` to match the CI invocation so local runs catch the same lockfile drift CI does.
Brings the lockfile forward to today's latest patch/minor versions (aws-lc-rs 1.16.3→1.17.0, tower-http 0.6.8→0.6.10, russh 0.60.2→0.60.3, napi 3.8.6→3.9.0, wasm-bindgen 0.2.120→0.2.121, …). All 29 newly-introduced versions are recorded as `safe-to-deploy` exemptions in `supply-chain/config.toml`. Every one of them is a patch or minor bump of a crate that already had an exemption entry for the previous version — i.e. consistent with the existing 594 exemptions the project already accepts. Dependabot's weekly group PR pulls in trusted-party imports proper; `cargo vet prune` will retire these exemptions once that lands. The previous attempt to do this in #1632 hit the sandbox's inability to fetch import certs (cargo-vet's webpki-roots reject the proxy CA). Adding exemptions matches the project's existing pattern without requiring outbound TLS to raw.githubusercontent.com.
README, lib.rs rustdoc, and bashkit-python README claimed 160. The compatibility.md "Quick Status" table totalled 150 with category counts that summed to 110 (broken). implementation-status.md claimed 148+14=162. Authoritative count from `crates/bashkit/src/interpreter/mod.rs`: - 135 names in `register_builtins!` (always-on) - 7 explicit `builtins.insert` calls always-on (source, ., date, hostname, uname, whoami, id) - 14 feature-gated (jq, git, ssh/scp/sftp, python/python3, sqlite/sqlite3, ts/typescript/node/deno/bun) That's 142 + 14 = 156 distinct `Builtin` trait registrations. Interpreter-dispatched keywords (let, declare, command, getopts, ...) are not counted — they're not registered as Builtin trait instances. Compatibility.md's "Quick Status" subcategories are replaced with a two-row always-on / feature-gated split since the previous breakdown didn't reconcile against the actual code.
Spec said the mitigation was "Configurable time source (fixed or offset)", but only the fixed variant was implemented. Without an offset mode, callers who need scripts to observe elapsed time at real rate (timeouts, retry loops, anything time-sensitive) had no sandbox-safe option short of fixed-epoch — which breaks ticking-clock expectations. Adds `Bash::builder().epoch_offset(seconds)` which shifts `Utc::now()` by a constant. `fixed_epoch` and `epoch_offset` are mutually exclusive on the builder (last call wins) so callers can swap modes without having to reset state. Wiring: - `Date::with_offset_seconds(i64)` in `builtins/date.rs` - New `epoch_offset: Option<i64>` field on `Bash::Builder` - Plumbed through `Interpreter::with_config` and the `date` builtin registration in `interpreter/mod.rs` (priority: fixed > offset > real clock) Tests: - 4 unit tests in `date.rs` for the struct (fixed, offset, zero, priority). - 4 integration tests in `tm_inf_018_date` exercising the full builder→exec path including builder-call ordering. Status update: TM-INF-018 spec entry and rustdoc threat-model doc both flip from NEEDED/OPEN to **MITIGATED** (opt-in). Default behavior is unchanged — embedders opt in for sandboxing.
The 2026-05-17 deep-maintenance pass surfaced a persistent RustCrypto 0.10/0.11 split (crypto-common, digest, sha1, sha2, hmac, aes, cipher, ctr, cpufeatures) pulled by turso_core 0.5 / aes-gcm 0.10 vs bashkit's direct 0.11 cohort. Tracked as #1634 with watch conditions on upstreams.
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
bashkit | f9a2e54 | Commit Preview URL Branch Preview URL |
May 17 2026, 05:45 PM |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #1632 / #1633 — works through the deferred items the maintenance pass identified.
Summary
1.
just vetrecipe (049d362)Locally failed with
no such command: vetbecause the recipe assumed cargo-vet was on PATH (CI installs it separately viataiki-e/install-action). Added a private_ensure-vetrecipe that installs it on demand, and the three public recipes depend on it. Also pass--lockedto match CI.2. cargo update + supply-chain exemptions (6875e85)
Pulls 29 patch/minor transitive bumps (
aws-lc-rs1.16→1.17,tower-http0.6.8→0.6.10,russh0.60.2→0.60.3,napi3.8→3.9,wasm-bindgen0.2.120→0.2.121, …). Adds matching exemption entries insupply-chain/config.toml— every one of them is a patch/minor of a crate that already had an exemption for the prior version, consistent with the existing 594 exemptions the project accepts. Dependabot's weekly group PR will replace these with proper imported certifications viacargo vet prune. The previous attempt to land this hit the sandbox's inability to fetch import certs (cargo-vet's webpki-roots reject the proxy CA); exemptions avoid that.3. Builtin count reconciliation (f9bfc3d)
README,
lib.rsrustdoc, and bashkit-python README claimed 160.compatibility.mdtotal said 150 with category counts summing to 110.implementation-status.mdclaimed 148+14=162. Authoritative count from the source: 142 always-on + 14 feature-gated = 156. All five surfaces now agree.compatibility.md's broken sub-category table is replaced with a two-row split that reconciles.4. TM-INF-018 mitigation (04cebad)
Spec said the mitigation was "Configurable time source (fixed or offset)" but only the fixed variant was implemented. Adds
Bash::builder().epoch_offset(seconds)which shiftsUtc::now()by a constant — keeps elapsed-time semantics, blinds absolute wall-clock.fixed_epochandepoch_offsetare mutually exclusive on the builder (last call wins). Wired throughDate::with_offset_seconds,Interpreter::with_config, and the builder. 4 unit + 4 integration tests. Spec and rustdoc threat-model doc now mark TM-INF-018 as MITIGATED (opt-in).5. Crypto stack split tracking (fc36722, issue #1634)
RustCrypto 0.10/0.11 line split (
turso_core/aes-gcm 0.10pull the old line;bashkituses the new line directly). Cannot unify without upstream releases. Filed #1634 with watch conditions onaes-gcm 0.11andturso_core 0.7+. Added tospecs/maintenance.mddeferred-items table.Test plan
just vet— passes locally now (waserror: no such command: vet)cargo build --workspacecleancargo test -p bashkit --lib— 2239 passcargo test --test threat_model_tests tm_inf_018_date— 4/4 passcargo clippy --workspace --all-targets -- -D warningscleancargo fmt --checkcleancargo vet --lockedsucceeds (25 fully audited, 7 partially audited, 619 exempted)cargo deny check— advisories ok, bans ok, licenses ok, sources okNot addressed (intentional)
turso_coreto unblock the crypto split. Embedded SQLite via Turso is a core feature, not a swap candidate. Tracked in deps: RustCrypto stack split between 0.10 and 0.11 lines (turso/aes-gcm blocked) #1634.date's default behavior to a virtual clock. That would be a breaking change for every embedder;epoch_offsetis opt-in by design.Generated by Claude Code