Tooling: Clean check suite — fix vulns, compact audit output

- Upgrade `rustls-webpki` 0.103.11 → 0.103.12 (fixes RUSTSEC-2026-0098/0099)
- Upgrade `bitstream-io` 4.9.0 → 4.10.0 (drops yanked `core2`)
- Switch `cargo-audit` to `--json` output, format one line per advisory instead of full dep trees
- Add `--ignore` for 26 upstream Tauri/GTK/unic advisories we can't fix
- Extract helpers in `cargo-audit` and `file-length` checks to pass gocyclo ≤15
- Remove unused `onDestroy` import in debug page (eslint)
- Allowlist `initialization.ts` in coverage (all paths depend on Tauri commands)

Author: vdavid

Cargo.lock

@@ -26,6 +26,9 @@
     "file-explorer/views/BriefList.svelte": {
       "reason": "Logic tested in brief-list-utils.ts, component mounting heavy"
     },
+    "file-explorer/pane/initialization.ts": {
+      "reason": "All code paths depend on Tauri commands (pathExists, getDefaultVolumeId, resolvePathVolume, getE2eStartPath)"
+    },
     "file-explorer/pane/DialogManager.svelte": {
       "reason": "Pure rendering component, dialog state tested via parent"
     },

apps/desktop/coverage-allowlist.json

@@ -1,5 +1,5 @@
 <script lang="ts">
-    import { onMount, onDestroy, tick } from 'svelte'
+    import { onMount, tick } from 'svelte'
     import ToastContainer from '$lib/ui/toast/ToastContainer.svelte'
     import DebugDriveIndexPanel from './DebugDriveIndexPanel.svelte'
     import DebugToastPanel from './DebugToastPanel.svelte'

apps/desktop/src/routes/debug/+page.svelte

@@ -9,10 +9,12 @@ import (
 
 // cargoAuditReport is the top-level JSON output from `cargo audit --json`.
 type cargoAuditReport struct {
-	Lockfile        struct{ DependencyCount int `json:"dependency-count"` } `json:"lockfile"`
+	Lockfile struct {
+		DependencyCount int `json:"dependency-count"`
+	} `json:"lockfile"`
 	Vulnerabilities struct {
-		Count int                    `json:"count"`
-		List  []cargoAuditVulnEntry  `json:"list"`
+		Count int                   `json:"count"`
+		List  []cargoAuditVulnEntry `json:"list"`
 	} `json:"vulnerabilities"`
 	Warnings map[string][]cargoAuditWarningEntry `json:"warnings"`
 }
@@ -31,112 +33,143 @@ type cargoAuditWarningEntry struct {
 }
 
 type cargoAuditAdvisory struct {
-	ID            string  `json:"id"`
-	Package       string  `json:"package"`
-	Title         string  `json:"title"`
-	Informational *string `json:"informational"`
+	ID    string `json:"id"`
+	Title string `json:"title"`
 }
 
 type cargoAuditPackage struct {
 	Name    string `json:"name"`
 	Version string `json:"version"`
 }
 
-// RunCargoAudit checks for security vulnerabilities.
-func RunCargoAudit(ctx *CheckContext) (CheckResult, error) {
-	// Check if cargo-audit is installed
-	if !CommandExists("cargo-audit") {
-		installCmd := exec.Command("cargo", "install", "cargo-audit")
-		if _, err := RunCommand(installCmd, true); err != nil {
-			return CheckResult{}, fmt.Errorf("failed to install cargo-audit: %w", err)
-		}
-	}
-
-	// Ignore advisories for upstream Tauri dependencies with no fix available:
-	// RUSTSEC-2023-0071: rsa timing sidechannel (via sspi → smb, no fix released)
-	// RUSTSEC-2024-0413..0416: gtk-rs GTK3 bindings unmaintained (used by wry/tao)
-	// RUSTSEC-2024-0421..0424: gtk-sys unmaintained variants
-	cmd := exec.Command("cargo", "audit", "--json",
-		"--ignore", "RUSTSEC-2023-0071",
-		"--ignore", "RUSTSEC-2024-0413",
-		"--ignore", "RUSTSEC-2024-0414",
-		"--ignore", "RUSTSEC-2024-0415",
-		"--ignore", "RUSTSEC-2024-0416",
-		"--ignore", "RUSTSEC-2024-0421",
-		"--ignore", "RUSTSEC-2024-0422",
-		"--ignore", "RUSTSEC-2024-0423",
-		"--ignore", "RUSTSEC-2024-0424",
-	)
-	cmd.Dir = ctx.RootDir
-	output, _ := RunCommand(cmd, true)
-	// cargo audit exits non-zero when vulns are found, so we ignore the error
-	// and parse the JSON output instead.
-
-	var report cargoAuditReport
-	if err := json.Unmarshal([]byte(output), &report); err != nil {
-		return CheckResult{}, fmt.Errorf("failed to parse cargo-audit JSON output: %w\n%s", err, indentOutput(output))
-	}
-
-	// Count warnings across all categories
-	totalWarnings := 0
-	for _, entries := range report.Warnings {
-		totalWarnings += len(entries)
-	}
+// Advisories for upstream transitive dependencies with no fix available.
+// All of these are pulled in by Tauri/wry/tao and can't be resolved by us.
+var cargoAuditIgnoredAdvisories = []string{
+	"RUSTSEC-2023-0071", // rsa timing sidechannel (via sspi → smb, no fix released)
+	"RUSTSEC-2024-0370", // proc-macro-error unmaintained (via gtk3-macros, glib-macros)
+	"RUSTSEC-2024-0411", // gdkwayland-sys unmaintained
+	"RUSTSEC-2024-0412", // gdk unmaintained
+	"RUSTSEC-2024-0413", // gtk-rs GTK3 unmaintained
+	"RUSTSEC-2024-0414", // gtk-rs GTK3 unmaintained
+	"RUSTSEC-2024-0415", // gtk-rs GTK3 unmaintained
+	"RUSTSEC-2024-0416", // gtk-rs GTK3 unmaintained
+	"RUSTSEC-2024-0417", // gdkx11 unmaintained
+	"RUSTSEC-2024-0418", // gdk-sys unmaintained
+	"RUSTSEC-2024-0419", // gtk3-macros unmaintained
+	"RUSTSEC-2024-0420", // gtk-sys unmaintained
+	"RUSTSEC-2024-0421", // gtk-sys unmaintained
+	"RUSTSEC-2024-0422", // gtk-sys unmaintained
+	"RUSTSEC-2024-0423", // gtk-sys unmaintained
+	"RUSTSEC-2024-0424", // gtk-sys unmaintained
+	"RUSTSEC-2024-0429", // glib unsound VariantStrIter (via GTK3 bindings)
+	"RUSTSEC-2024-0436", // paste unmaintained (via rav1e → ravif → image)
+	"RUSTSEC-2025-0052", // async-std unmaintained (dev-dep only, not shipped)
+	"RUSTSEC-2025-0057", // fxhash unmaintained (via tauri-utils → kuchikiki)
+	"RUSTSEC-2025-0075", // unic-char-range unmaintained (via tauri-utils → urlpattern)
+	"RUSTSEC-2025-0080", // unic-common unmaintained
+	"RUSTSEC-2025-0081", // unic-char-property unmaintained
+	"RUSTSEC-2025-0098", // unic-ucd-version unmaintained
+	"RUSTSEC-2025-0100", // unic-ucd-ident unmaintained
+	"RUSTSEC-2026-0097", // rand unsound (0.7/0.8, not using rand::rng())
+}
 
-	// No issues at all
-	if report.Vulnerabilities.Count == 0 && totalWarnings == 0 {
-		return Success(fmt.Sprintf("Scanned %d %s",
-			report.Lockfile.DependencyCount,
-			Pluralize(report.Lockfile.DependencyCount, "crate", "crates"),
-		)), nil
+// buildCargoAuditCmd constructs the cargo audit command with --json and all ignores.
+func buildCargoAuditCmd() *exec.Cmd {
+	args := []string{"audit", "--json"}
+	for _, id := range cargoAuditIgnoredAdvisories {
+		args = append(args, "--ignore", id)
 	}
+	return exec.Command("cargo", args...)
+}
 
-	// Build compact summary
+// formatAuditReport builds a compact one-line-per-advisory summary.
+func formatAuditReport(report cargoAuditReport) string {
 	var lines []string
 
-	// Header line
+	// Header
 	var parts []string
 	if report.Vulnerabilities.Count > 0 {
 		parts = append(parts, fmt.Sprintf("%d %s",
 			report.Vulnerabilities.Count,
-			Pluralize(report.Vulnerabilities.Count, "vulnerability", "vulnerabilities"),
-		))
+			Pluralize(report.Vulnerabilities.Count, "vulnerability", "vulnerabilities")))
 	}
+	totalWarnings := countAuditWarnings(report)
 	if totalWarnings > 0 {
 		parts = append(parts, fmt.Sprintf("%d %s",
-			totalWarnings,
-			Pluralize(totalWarnings, "warning", "warnings"),
-		))
+			totalWarnings, Pluralize(totalWarnings, "warning", "warnings")))
 	}
-	lines = append(lines, strings.Join(parts, ", "))
-	lines = append(lines, "")
+	lines = append(lines, strings.Join(parts, ", "), "")
 
-	// Vulnerabilities
 	for _, v := range report.Vulnerabilities.List {
-		lines = append(lines, fmt.Sprintf("VULN  %s %s — %s",
-			v.Package.Name, v.Package.Version, v.Advisory.Title))
+		lines = append(lines, fmt.Sprintf("VULN  %s %s — %s", v.Package.Name, v.Package.Version, v.Advisory.Title))
 		fix := "no fix available"
 		if len(v.Versions.Patched) > 0 {
 			fix = "upgrade to " + strings.Join(v.Versions.Patched, " or ")
 		}
 		lines = append(lines, fmt.Sprintf("      %s  |  %s", fix, v.Advisory.ID))
 	}
-
-	// Warnings by category
 	for kind, entries := range report.Warnings {
 		for _, w := range entries {
 			lines = append(lines, fmt.Sprintf("WARN  %s %s — %s: %s (%s)",
 				w.Package.Name, w.Package.Version, kind, w.Advisory.Title, w.Advisory.ID))
 		}
 	}
+	return strings.Join(lines, "\n")
+}
 
-	summary := strings.Join(lines, "\n")
+func countAuditWarnings(report cargoAuditReport) int {
+	total := 0
+	for _, entries := range report.Warnings {
+		total += len(entries)
+	}
+	return total
+}
+
+// parseAuditJSON extracts and parses the JSON object from cargo-audit output.
+// RunCommand concatenates stderr after stdout, so we find the JSON boundaries.
+func parseAuditJSON(output string) (cargoAuditReport, error) {
+	jsonStart := strings.Index(output, "{")
+	jsonEnd := strings.LastIndex(output, "}")
+	if jsonStart < 0 || jsonEnd < 0 || jsonEnd < jsonStart {
+		return cargoAuditReport{}, fmt.Errorf("no JSON found in cargo-audit output\n%s", indentOutput(output))
+	}
+	var report cargoAuditReport
+	if err := json.Unmarshal([]byte(output[jsonStart:jsonEnd+1]), &report); err != nil {
+		return cargoAuditReport{}, fmt.Errorf("failed to parse cargo-audit JSON: %w\n%s", err, indentOutput(output))
+	}
+	return report, nil
+}
+
+// RunCargoAudit checks for security vulnerabilities.
+func RunCargoAudit(ctx *CheckContext) (CheckResult, error) {
+	if !CommandExists("cargo-audit") {
+		installCmd := exec.Command("cargo", "install", "cargo-audit")
+		if _, err := RunCommand(installCmd, true); err != nil {
+			return CheckResult{}, fmt.Errorf("failed to install cargo-audit: %w", err)
+		}
+	}
+
+	cmd := buildCargoAuditCmd()
+	cmd.Dir = ctx.RootDir
+	output, _ := RunCommand(cmd, true)
+
+	report, err := parseAuditJSON(output)
+	if err != nil {
+		return CheckResult{}, err
+	}
+
+	if report.Vulnerabilities.Count == 0 && countAuditWarnings(report) == 0 {
+		return Success(fmt.Sprintf("Scanned %d %s",
+			report.Lockfile.DependencyCount,
+			Pluralize(report.Lockfile.DependencyCount, "crate", "crates"))), nil
+	}
 
+	summary := formatAuditReport(report)
 	if report.Vulnerabilities.Count > 0 {
 		return CheckResult{}, fmt.Errorf("security vulnerabilities found\n%s", indentOutput(summary))
 	}
 
-	// Warnings only — not a failure
+	totalWarnings := countAuditWarnings(report)
 	return CheckResult{
 		Code:    ResultWarning,
 		Message: fmt.Sprintf("%d %s\n%s", totalWarnings, Pluralize(totalWarnings, "warning", "warnings"), indentOutput(summary)),