Tooling: harden checker against supply-chain attacks

- Pass `--locked` to every operational cargo command in checks (`cargo clippy`, `cargo nextest run` in both unit and integration tests, `cargo +nightly udeps`). Without it cargo silently re-resolves `Cargo.lock` on metadata drift, opening a window for a fresh malicious version to land mid-build across 1028 transitive crates.
- Pin `apps/desktop/rust-toolchain.toml` channel from floating `stable` to `1.95.0`.
- Pin every tool install. `cargo install` now passes `--version` + `--locked` for `cargo-audit`, `cargo-deny`, `cargo-machete`, `cargo-udeps`, `cargo-nextest`. Every `EnsureGoTool` call replaced `@latest` with a specific version: `staticcheck@v0.7.0`, `nilaway@v0.0.0-20260515015210-fd187751154f`, `misspell@v0.3.4`, `gocyclo@v0.6.0`, `ineffassign@v0.2.0`, `deadcode@v0.45.0`. Closes the wave-1-2-class "the supply-chain tool itself gets trojaned" gap.
- New `workflows-hardening` check at `scripts/check/checks/desktop-workflows-hardening.go`. Scans `.github/workflows/*.{yml,yaml}` and fails on three classes the wave-4 (TanStack, May 2026) attack chained: tag/branch-pinned third-party actions (must be SHA-pinned, with `./...` local actions exempt), `pull_request_target` triggers, and workflow-scoped `id-token: write` (must be job-scoped). Cmdr passes today; the check is a regression guard. ~190 lines + ~200 lines of tests.
- New `govulncheck` check at `scripts/check/checks/scripts-go-govulncheck.go`. Runs `govulncheck@v1.3.0` against every `go.mod`. Mirrors `cargo-audit`'s role on the Rust side: static-analysis-based, low false-positive rate.
- Bump `.mise.toml` go from `1.25.7` to `1.25.10`. The `govulncheck` check found 7 reachable stdlib vulns in cmdr's tooling on its first run (CVE fixes in `net`, `crypto/tls`, `crypto/x509`, `net/url`, `archive/tar`, `os`). 1.25.10 is the latest patch in the 1.25 line.
- Update `scripts/check/CLAUDE.md` with four new Decision entries (the `--locked` rule, the tool-version-pin rule, the workflow-hardening check, the govulncheck check) and the apps/checks table now lists `govulncheck` and the new Security row.

The Rust hardening is mostly defense in depth; cmdr already has `cargo-audit`, `cargo-deny` (licenses/bans/sources), SHA-pinned actions, and `pnpm install --frozen-lockfile` in every CI workflow. The two new checks close the gaps surfaced in our pre-launch supply-chain review: no Go-side vuln scanner, no regression guard on the workflow hardening that's already in place.

Author: vdavid

.mise.toml

@@ -1,5 +1,5 @@
 [tools]
 node = "25"
 pnpm = "11.0.9"
-go = "1.25.7"
+go = "1.25.10"
 # Rust is managed by rustup via rust-toolchain.toml

apps/desktop/rust-toolchain.toml

@@ -1,2 +1,5 @@
 [toolchain]
-channel = "stable"
+# Pinned to a specific stable version, not the floating "stable" channel.
+# A compromised rustc release would land transparently otherwise. Bump
+# deliberately, with a few days between Rust's release and our pin update.
+channel = "1.95.0"

scripts/check/CLAUDE.md

@@ -147,7 +147,9 @@ The chosen `RUST_LOG` value is echoed at the top of the timestamped log so it's
 captured. When unset, the log starts with `=== RUST_LOG unset (default warn level) ===`.
 
 **Go tool auto-install:** `EnsureGoTool(name, installPath)` checks PATH first, then runs `go install` and returns the
-full binary path. Used for staticcheck, nilaway, etc.
+full binary path. Used for staticcheck, nilaway, etc. The `installPath` MUST pin a specific version (`@vX.Y.Z` or a
+pseudo-version), never `@latest`: an `@latest` install is the Go-side equivalent of the wave-1-2 npm-registry-trojan
+vector. Same rule applies to `cargo install` calls inside checks: pin both `--version` and `--locked`.
 
 **TTY detection:** `golang.org/x/term.IsTerminal` gates the live status line; CI logs stay clean.
 
@@ -223,8 +225,9 @@ before tests.
 | Website    | Astro   | prettier, eslint, typecheck, build, html-validate, e2e                                                                                                                                                                    |
 | Website    | Docker  | docker-build                                                                                                                                                                                                              |
 | API server | TS      | oxfmt, eslint, typecheck, tests                                                                                                                                                                                           |
-| Scripts    | Go      | gofmt, go-vet, staticcheck, ineffassign, misspell, gocyclo, nilaway, deadcode, go-tests                                                                                                                                   |
+| Scripts    | Go      | gofmt, go-vet, staticcheck, ineffassign, misspell, gocyclo, nilaway, deadcode, go-tests, govulncheck                                                                                                                      |
 | Other      | Metrics | file-length (warn-only), CLAUDE.md-reminder (warn-only), changelog-commit-links                                                                                                                                           |
+| Other      | Security | workflows-hardening (SHA-pinning, no `pull_request_target`, job-scoped `id-token: write`)                                                                                                                                |
 
 ## Output format
 
@@ -260,6 +263,33 @@ dependencies (gtk3-rs, unic-\*, fxhash, proc-macro-error, etc.) trigger unmainta
 `cargo-audit` still catches critical security vulnerabilities. License, bans, and sources checks in `cargo-deny` remain
 active. See comment in `src-tauri/deny.toml`.
 
+**Decision**: every operational `cargo` command in checks passes `--locked`. **Why**: without it, cargo silently
+re-resolves `Cargo.lock` whenever upstream metadata shifts (a yank, a new transitive dep version). For a 1028-crate
+lockfile, that resolution window is wide and lets a freshly-published malicious version land mid-build. `--locked`
+fails loudly if the lockfile would change. Applies to `cargo clippy`, `cargo nextest run` (in both `desktop-rust-tests`
+and `desktop-rust-integration-tests`), and `cargo +nightly udeps`. Audit/deny/machete read `Cargo.lock` without
+updating it, so `--locked` is moot for them, but the install of those tools still uses `--locked` to lock the tool's
+own dep tree.
+
+**Decision**: every tool install pins `--version` and `--locked` (cargo) or `@vX.Y.Z` (Go). **Why**: an unpinned tool
+install (`cargo install cargo-audit` or `EnsureGoTool(..., "@latest")`) means each fresh checkout pulls whatever's
+latest. A wave-1-2-class compromise of any of these tool repositories would auto-propagate. Pinning is the Go-side
+equivalent of the pnpm `minimum-release-age` defense (a fresh version can't land without a deliberate bump).
+
+**Decision**: `workflows-hardening` check enforces three GitHub Actions invariants and acts as a regression guard.
+**Why**: cmdr's workflows are already correctly hardened (every third-party action is SHA-pinned with a comment, no
+`pull_request_target` triggers, no workflow-scoped `id-token: write`). Without an automated guard, a future PR or a
+Renovate misconfiguration could silently regress any of those without anyone noticing in review. The check fails on
+tag/branch-pinned third-party actions, on `pull_request_target` triggers (wave-4's entry vector), and on
+workflow-scoped `id-token: write` (must be job-scoped per the wave-4 OIDC-token-extraction lesson). Local actions
+(`./...`) are exempt.
+
+**Decision**: `govulncheck` runs against every Go module. **Why**: cargo-audit covers Rust deps; nothing covered Go
+until now. `govulncheck` is static-analysis-based, so it only flags vulns actually reachable from the code (low false
+positive rate). Most of cmdr's Go modules are dep-free tooling scripts but still call into the Go stdlib, which gets
+its own CVEs; the check found 7 real reachable stdlib vulns the first time it ran (fixed by bumping mise's Go pin).
+Mirrors the cargo-audit role on the Rust side.
+
 **Decision**: `cfg-gate` check to catch ungated macOS-only crate imports. **Why**: Rust code using macOS-only crates
 (from `[target.'cfg(target_os = "macos")'.dependencies]`) compiles fine on macOS but fails on Linux if the `use` isn't
 wrapped in `#[cfg(target_os = "macos")]`. CI catches this after push, but the check catches it locally and instantly. It

scripts/check/checks/desktop-rust-cargo-audit.go

@@ -143,7 +143,7 @@ func parseAuditJSON(output string) (cargoAuditReport, error) {
 // RunCargoAudit checks for security vulnerabilities.
 func RunCargoAudit(ctx *CheckContext) (CheckResult, error) {
 	if !CommandExists("cargo-audit") {
-		installCmd := exec.Command("cargo", "install", "cargo-audit")
+		installCmd := exec.Command("cargo", "install", "cargo-audit", "--version", "0.22.1", "--locked")
 		if _, err := RunCommand(installCmd, true); err != nil {
 			return CheckResult{}, fmt.Errorf("failed to install cargo-audit: %w", err)
 		}

scripts/check/checks/desktop-rust-cargo-deny.go

@@ -19,7 +19,7 @@ func RunCargoDeny(ctx *CheckContext) (CheckResult, error) {
 
 	// Check if cargo-deny is installed
 	if !CommandExists("cargo-deny") {
-		installCmd := exec.Command("cargo", "install", "cargo-deny")
+		installCmd := exec.Command("cargo", "install", "cargo-deny", "--version", "0.19.6", "--locked")
 		if _, err := RunCommand(installCmd, true); err != nil {
 			return CheckResult{}, fmt.Errorf("failed to install cargo-deny: %w", err)
 		}

scripts/check/checks/desktop-rust-cargo-machete.go

@@ -19,7 +19,7 @@ func RunCargoMachete(ctx *CheckContext) (CheckResult, error) {
 	rustDir := filepath.Join(ctx.RootDir, "apps", "desktop", "src-tauri")
 
 	if !CommandExists("cargo-machete") {
-		installCmd := exec.Command("cargo", "install", "cargo-machete", "--locked")
+		installCmd := exec.Command("cargo", "install", "cargo-machete", "--version", "0.9.2", "--locked")
 		if output, err := RunCommand(installCmd, true); err != nil {
 			return CheckResult{}, fmt.Errorf("failed to install cargo-machete\n%s", indentOutput(output))
 		}

scripts/check/checks/desktop-rust-cargo-udeps.go

@@ -21,14 +21,14 @@ func RunCargoUdeps(ctx *CheckContext) (CheckResult, error) {
 
 	// Check if cargo-udeps is installed
 	if !CommandExists("cargo-udeps") {
-		installCmd := exec.Command("cargo", "install", "cargo-udeps", "--locked")
+		installCmd := exec.Command("cargo", "install", "cargo-udeps", "--version", "0.1.61", "--locked")
 		if _, err := RunCommand(installCmd, true); err != nil {
 			return CheckResult{}, fmt.Errorf("failed to install cargo-udeps: %w", err)
 		}
 	}
 
 	// cargo-udeps requires nightly
-	cmd := exec.Command("cargo", "+nightly", "udeps", "--all-targets")
+	cmd := exec.Command("cargo", "+nightly", "udeps", "--locked", "--all-targets")
 	cmd.Dir = rustDir
 	output, err := RunCommand(cmd, true)
 	if err != nil {

scripts/check/checks/desktop-rust-clippy.go

@@ -28,7 +28,7 @@ func RunClippy(ctx *CheckContext) (CheckResult, error) {
 	// the only build pass we do. --fix is reserved for the failure branch
 	// because it ignores -D warnings, can rewrite source files, and re-running
 	// it speculatively doubled wall time on every clean run.
-	cmd := exec.Command("cargo", "clippy", "--all-targets", "--", "-D", "warnings")
+	cmd := exec.Command("cargo", "clippy", "--locked", "--all-targets", "--", "-D", "warnings")
 	cmd.Dir = rustDir
 	output, err := RunCommand(cmd, true)
 	if err != nil {
@@ -37,7 +37,7 @@ func RunClippy(ctx *CheckContext) (CheckResult, error) {
 		}
 
 		// Locally: try to auto-fix, then re-check.
-		fixCmd := exec.Command("cargo", "clippy", "--all-targets", "--fix", "--allow-dirty", "--allow-staged")
+		fixCmd := exec.Command("cargo", "clippy", "--locked", "--all-targets", "--fix", "--allow-dirty", "--allow-staged")
 		fixCmd.Dir = rustDir
 		_, _ = RunCommand(fixCmd, true)
 

scripts/check/checks/desktop-rust-integration-tests.go

@@ -60,7 +60,7 @@ func RunRustIntegrationTests(ctx *CheckContext) (CheckResult, error) {
 
 	// Make sure cargo-nextest is available (mirrors desktop-rust-tests.go).
 	if !CommandExists("cargo-nextest") {
-		installCmd := exec.Command("cargo", "install", "cargo-nextest", "--locked")
+		installCmd := exec.Command("cargo", "install", "cargo-nextest", "--version", "0.9.136", "--locked")
 		if _, err := RunCommand(installCmd, true); err != nil {
 			return CheckResult{}, fmt.Errorf("failed to install cargo-nextest: %w", err)
 		}
@@ -72,6 +72,7 @@ func RunRustIntegrationTests(ctx *CheckContext) (CheckResult, error) {
 	// tests are still skipped.
 	cmd := exec.Command(
 		"cargo", "nextest", "run",
+		"--locked",
 		"--release",
 		"--run-ignored", "only",
 		"-E", "test(smb_integration_)",

scripts/check/checks/desktop-rust-tests.go

@@ -14,13 +14,13 @@ func RunRustTests(ctx *CheckContext) (CheckResult, error) {
 
 	// Check if cargo-nextest is installed
 	if !CommandExists("cargo-nextest") {
-		installCmd := exec.Command("cargo", "install", "cargo-nextest", "--locked")
+		installCmd := exec.Command("cargo", "install", "cargo-nextest", "--version", "0.9.136", "--locked")
 		if _, err := RunCommand(installCmd, true); err != nil {
 			return CheckResult{}, fmt.Errorf("failed to install cargo-nextest: %w", err)
 		}
 	}
 
-	cmd := exec.Command("cargo", "nextest", "run")
+	cmd := exec.Command("cargo", "nextest", "run", "--locked")
 	cmd.Dir = rustDir
 	output, err := RunCommand(cmd, true)
 	if err != nil {