fix: clear vendored-vector secret false-positives + unbreak rand-0.10 build#181
Merged
Merged
Conversation
… build Two follow-ups that green main after #180 and #175 respectively. 1. Secret-scanner false positives (from #180). The vendored burble conformance vectors (ble-spa-v1.json) held burble's published NON-PRODUCTION HMAC test keys as hex strings ("Fixed non-production secrets", per the file), which Gitleaks / SonarCloud / hypatia all flag as generic-api-key. No real credential — but it turned SonarCloud + the hypatia baseline red and spammed ~28 Gitleaks comments. Fix WITHOUT suppressing any scanner: drop the vendored JSON and transcribe the 3 `presence` vectors this crate tests against as Rust byte-array constants in tests/vectors.rs (same burble commit 2b5914b, provenance noted). Byte arrays are unambiguously wire test data, not credentials, so no .gitleaksignore / sonar exclusion / baseline entry is needed — secret detection stays fully armed. The byte-exact conformance proof is unchanged (presence_beacon_id_is_byte_exact still reproduces burble's oracle). Also: drop the now-unused serde_json dev-dep; refresh vendor/PROVENANCE.adoc and STATE.a2ml (test count 174 -> 173). 2. Build breakage (from #175). Dependabot re-bumped rand 0.9 -> 0.10.2, which does not compile against ndarray-rand 0.16 (Distribution/Rng trait mismatch) — exactly the break the workspace comment documents and #154 reverted before. main currently fails to build (esn: E0277/E0599). Revert the workspace pin to rand 0.9 (lock -> 0.9.4); full workspace builds again. Suggest a dependabot ignore for rand until ndarray-rand ships a 0.10-compatible release. Local: full workspace `cargo build` green; `cargo test -p bt-presence` 11 unit + 2 conformance green; clippy --all-targets -D warnings clean; fmt clean; zero secret-shaped hex strings remain in the crate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh
|
hyperpolymath
marked this pull request as ready for review
July 10, 2026 08:36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



Summary
Two follow-ups that green
mainafter #180 and #175. Neither is a real defect in application logic — one is a scanner false-positive, the other a bad dependency bump.1. Secret-scanner false positives (from #180)
The
bt-presencecrate vendored burble's conformance vectors (ble-spa-v1.json), which hold burble's published non-production HMAC test keys as hex strings — the file header literally says "Fixed non-production secrets." Gitleaks / SonarCloud / hypatia all pattern-match 64-char hex asgeneric-api-key, so this turned SonarCloud ("E Security Rating on New Code") and the hypatia baseline red and posted ~28 Gitleaks comments. No real credential was ever committed.Fixed without suppressing any scanner: dropped the vendored JSON and transcribed the 3
presencevectors this crate actually tests against as Rust byte-array constants intests/vectors.rs(same burble commit2b5914b, provenance documented). Byte arrays are unambiguously wire test-data, not credentials, so no.gitleaksignore, no SonarCloud exclusion, no hypatia baseline entry is needed — your secret detection stays fully armed for real secrets. The byte-exact conformance proof is unchanged:presence_beacon_id_is_byte_exactstill reproduces burble's independent oracle. Also dropped the now-unusedserde_jsondev-dep and refreshedvendor/PROVENANCE.adoc+STATE.a2ml(test count 174 → 173).2. Build breakage (from #175)
Dependabot re-bumped
rand0.9 → 0.10.2 (#175), which does not compile againstndarray-rand 0.16(Distribution/Rng trait mismatch) — exactly the break the workspace comment documents and #154 reverted before.maincurrently fails to build (esn:E0277/E0599). Reverted the workspace pin torand 0.9(lock → 0.9.4); the full workspace builds again.RSR Quality Checklist
cargo buildgreen;cargo test -p bt-presence11 unit + 2 conformance greencargo fmt --check) — cleancargo clippy --all-targets -- -D warnings) — cleanunsafe—#[forbid(unsafe_code)]STATE.a2mlupdatedTesting
FLAGS / owner-manual
randto 0.10 (this is the 2nd time). Recommend adependabot.ymlignore forrand(and/orrand_distr) untilndarray-randships a 0.10-compatible release — otherwise the build re-breaks on the next bump.🤖 Generated with Claude Code
https://claude.ai/code/session_0172RBMz3qYjb1ttzD2i7RNh
Generated by Claude Code