release: v0.8.2 — audit followups + RUSTSEC bumps by avrabe · Pull Request #113 · pulseengine/sigil

avrabe · 2026-05-11T06:12:28Z

Patch release. Bundles four already-merged audit-followup PRs and bumps version + CHANGELOG.

Merged in this release

PR	Theme
#107	cargo-deny CI step hardening (closes #103)
#108	discharge `lemma_le64_injective` Verus admit (audit C-1 partial)
#109	repair fuzz_public_key target (audit follow-up from #98)
#110	clear 3 RUSTSEC advisories: rand 0.9.x, wasmtime 43.0.x, rustls-webpki 0.103.x (fixes #102)

Companion work on `main` after this lands

feat(benches): criterion benches for signature verification (#89) #111 — criterion benches for signature verification (Add criterion benchmarks for signature verification paths #89)
verify: Kani matrix — fix wasm_module filter, document unwind failures #112 — lift Kani `wasm_module` mask; document `merkle` + `format` (audit C-7 partial)

These two will roll to v0.8.3 to keep this patch release coherent on the security + honesty story.

Deferred (still tracked)

C-4 / [audit] Enforce SPKI cert pinning — migrate keyless HTTP from ureq to rustls #95 — enforce SPKI cert pinning at the TLS layer (ureq → rustls-direct).
M-1 ff / Per-component attestation for cFS WASM components: mission-specific signing policies #79 comment — `no_std` verifier path for embedded / cFS.
feat: post-quantum signature support (SLH-DSA / FIPS 205) #46 — post-quantum SLH-DSA backend.
MIRAI prototype — evaluate abstract interpretation on crypto parser paths (varint + DSSE) #91 — MIRAI abstract-interpretation prototype.

Test plan

`cargo build --workspace --release` clean at 0.8.2
`cargo audit` returns 0 vulnerabilities with the new ignore-list
Cargo.lock updated to 0.8.2 for wsc, wsc-attestation, wsc-cli
CI passes
After merge: tag `v0.8.2` triggers release.yml + publish-to-crates-io.yml (trusted-publishing now configured correctly per session publish-to-crates-io.yml: configure Trusted Publishing on crates.io for pulseengine/sigil #105 resolution)

See CHANGELOG.md for the per-finding release notes.

Patch release bundling four merged PRs: #107 — cargo-deny CI step hardening (closes #103) #108 — discharge lemma_le64_injective Verus admit (audit C-1 partial) #109 — repair fuzz_public_key target (audit follow-up from #98) #110 — clear 3 RUSTSEC advisories via dep bumps (fixes #102) Companion work on 0.8.2+next: #111 — criterion benches for signature verification (#89) #112 — lift Kani wasm_module mask; document merkle + format See CHANGELOG.md for the full release notes. Trace: skip Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

codecov · 2026-05-11T09:06:38Z

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

avrabe merged commit 57c5b71 into main May 11, 2026
29 of 30 checks passed

avrabe deleted the release/v0.8.2 branch May 11, 2026 17:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

release: v0.8.2 — audit followups + RUSTSEC bumps#113

release: v0.8.2 — audit followups + RUSTSEC bumps#113
avrabe merged 1 commit into
mainfrom
release/v0.8.2

avrabe commented May 11, 2026

Uh oh!

codecov Bot commented May 11, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

avrabe commented May 11, 2026

Merged in this release

Companion work on `main` after this lands

Deferred (still tracked)

Test plan

Uh oh!

codecov Bot commented May 11, 2026

Codecov Report

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant