interledger · sanducb · Sep 22, 2025 · Sep 29, 2025 · Sep 29, 2025 · Sep 29, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,60 +5,141 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
-
 env:
   CARGO_TERM_COLOR: always
-
 jobs:
-  test:
-    name: Test
+  lint-build-test:
+    name: Lint, build, unit test, docs (Linux)
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
 
-    - name: Install Rust stable
-      uses: actions-rs/toolchain@v1
-      with:
-        toolchain: stable
-        override: true
-        profile: minimal
+      - name: Install Rust (stable)
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+          components: rustfmt, clippy
 
-    - name: Cache dependencies
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cargo/registry
-          ~/.cargo/git
-          target
-        key: ${{ runner.os }}-cargo-stable-${{ hashFiles('**/Cargo.lock') }}
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
 
-    - name: Check formatting
-      run: cargo fmt --all -- --check
+      - name: rustfmt
+        run: cargo fmt --all -- --check
 
-    - name: Check clippy
-      run: cargo clippy --all-targets --all-features -- -D warnings
+      - name: clippy (all targets, all features)
+        run: cargo clippy --all-targets --all-features -- -D warnings
 
-    - name: Run tests
-      run: cargo test --all-features -- --skip integration
+      - name: Build (all targets, all features)
+        run: cargo build --all-targets --all-features --locked
 
-    - name: Run doc tests
-      run: cargo test --doc
+      - name: Unit tests only (lib, bins)
+        run: cargo test --all-features --lib --bins -- --nocapture
 
-    - name: Build with snippets feature
-      run: cargo build --release --features snippets
+      - name: Docs build
+        run: cargo doc --no-deps
 
-  docs:
-    name: Build documentation
+  integration:
+    name: Integration tests with Selenium (Linux)
     runs-on: ubuntu-latest
+    services:
+      selenium:
+        image: selenium/standalone-chromium:140.0
+        ports:
+          - 4444:4444
+          - 7900:7900
+        env:
+          SE_NODE_MAX_SESSIONS: 1
+        options: >-
+          --shm-size=2g
     steps:
-    - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust (stable)
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Prepare integration env
+        run: |
+          set -euo pipefail
+          mkdir -p tests/integration
+          PRIVATE_KEY_PATH="$GITHUB_WORKSPACE/tests/integration/private.key"
+          cat > tests/integration/.env <<EOF
+          OPEN_PAYMENTS_WALLET_ADDRESS=https://ilp.interledger-test.dev/carilas
+          OPEN_PAYMENTS_KEY_ID=${{ secrets.OPEN_PAYMENTS_KEY_ID }}
+          OPEN_PAYMENTS_PRIVATE_KEY_PATH=$PRIVATE_KEY_PATH
+          TEST_WALLET_EMAIL="${{ secrets.TEST_WALLET_EMAIL }}"
+          TEST_WALLET_PASSWORD="${{ secrets.TEST_WALLET_PASSWORD }}"
+          EOF
+          if echo "${{ secrets.OPEN_PAYMENTS_PRIVATE_KEY_PEM }}" | grep -q 'BEGIN PRIVATE KEY'; then
+            printf '%s' "${{ secrets.OPEN_PAYMENTS_PRIVATE_KEY_PEM }}" | tr -d '\r' > "$PRIVATE_KEY_PATH"
+          else
+            printf '%s' "${{ secrets.OPEN_PAYMENTS_PRIVATE_KEY_PEM }}" | base64 -d > "$PRIVATE_KEY_PATH"
+          fi
+          chmod 600 "$PRIVATE_KEY_PATH"
+          test -s "$PRIVATE_KEY_PATH"
+      - name: Run integration tests
+        env:
+          WEBDRIVER_URL: http://localhost:4444
+        run: |
+          cargo test --tests -- --nocapture
+
+  security:
+    name: Security audit and dependency checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust (stable)
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: cargo-audit (vulnerabilities)
+        uses: rustsec/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: cargo-deny (licenses, bans)
+        uses: EmbarkStudios/cargo-deny-action@v2
+        with:
+          command: check bans licenses sources advisories
+
+  coverage:
+    name: Test coverage (tarpaulin)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust (stable)
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
 
-    - name: Install Rust stable
-      uses: actions-rs/toolchain@v1
-      with:
-        toolchain: stable
-        override: true
-        profile: minimal
+      - name: Install tarpaulin
+        run: |
+          cargo install cargo-tarpaulin --locked
 
-    - name: Build docs
-      run: cargo doc --no-deps --features snippets 
+      - name: Run coverage (unit tests only)
+        run: |
+          # run unit tests by limiting to lib and bins; generate cobertura xml at coverage.xml
+          cargo tarpaulin --out Xml --output-dir target/tarpaulin --timeout 1200 --packages open-payments --lib --bins
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          files: target/tarpaulin/coverage.xml
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/release-automation.yml b/.github/workflows/release-automation.yml
@@ -0,0 +1,36 @@
+name: Release Automation
+
+on:
+  workflow_dispatch:
+    inputs:
+      level:
+        description: "Release level (patch|minor|major)"
+        required: true
+        default: patch
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Rust (stable)
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Install cargo-release
+        run: cargo install cargo-release --locked
+
+      - name: Run cargo-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cargo release ${{ github.event.inputs.level }} --no-dev-version --execute
+
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,38 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  publish:
+    name: Publish to crates.io
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Rust (stable)
+        uses: dtolnay/rust-toolchain@master
+        with:
+          toolchain: stable
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Verify version matches tag
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          VERSION_PREFIX="v"
+          CRATE_VERSION=$(grep '^version = ' Cargo.toml | head -n1 | sed -E 's/version = "([^"]+)"/\1/')
+          if [ "${TAG#${VERSION_PREFIX}}" != "$CRATE_VERSION" ]; then
+            echo "Crate version $CRATE_VERSION does not match tag $TAG" >&2
+            exit 1
+          fi
+
+      - name: Publish
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+        run: cargo publish --locked
+
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "open-payments-specifications"]
+	path = open-payments-specifications
+	url = https://github.com/interledger/open-payments-specifications
diff --git a/Cargo.toml b/Cargo.toml
@@ -10,6 +10,7 @@ readme = "README.md"
 keywords = ["open-payments", "interledger", "payments", "http-signatures", "gnap"]
 categories = ["api-bindings", "web-programming", "asynchronous"]
 homepage = "https://github.com/interledger/open-payments-rust"
+rust-version = "1.84"
 
 [features]
 default = []
@@ -156,3 +157,5 @@ tokio = { version = "1.45.0", features = ["full"] }
 dotenv = "0.15"
 tempfile = "3.20.0"
 uuid = { version = "1.16", features = ["v4", "serde"] }
+wiremock = { version = "0.6" }
+thirtyfour = { version = "0.33" }
diff --git a/README.md b/README.md
@@ -64,7 +64,7 @@ More phone numbers: https://tel.meet/htd-eefo-ovn?hs=5
 
 ### Prerequisites
 
-- [Rust](https://www.rust-lang.org/tools/install) (>= 1.43.1)
+- [Rust](https://www.rust-lang.org/tools/install) (>= 1.70)
 - [Git](https://git-scm.com/downloads)
 
 ### Environment Setup
@@ -125,4 +125,3 @@ For examples and snippets:
 [dependencies]
 open-payments = { version = "0.1.1", features = ["snippets"] }
 ```
-```
diff --git a/cargo-deny.toml b/cargo-deny.toml
@@ -0,0 +1,33 @@
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = []
+
+[licenses]
+unlicensed = "deny"
+allow = [
+    "Apache-2.0",
+    "MIT",
+    "BSD-3-Clause",
+    "BSD-2-Clause",
+    "ISC",
+    "Unicode-DFS-2016"
+]
+deny = [
+]
+copyleft = "warn"
+confidence-threshold = 0.92
+
+[bans]
+multiple-versions = "warn"
+wildcards = "deny"
+deny = []
+skip = []
+skip-tree = []
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+
diff --git a/open-payments-specifications b/open-payments-specifications