Skip to content

[codex] Resolve review findings and stabilize gates#188

Merged
jeremi merged 11 commits into
mainfrom
codex/resolve-review-findings
Jul 2, 2026
Merged

[codex] Resolve review findings and stabilize gates#188
jeremi merged 11 commits into
mainfrom
codex/resolve-review-findings

Conversation

@jeremi

@jeremi jeremi commented Jul 2, 2026

Copy link
Copy Markdown
Member

Summary

This PR carries the reviewed local main changes plus cleanup commits that resolve the remaining actionable findings from the review pass and the follow-up PR review feedback.

What changed

  • Restores the root CI advisory gate by promoting cargo deny back to full cargo deny check.
  • Adds scoped deny.toml ignores for RUSTSEC-2026-0194 and RUSTSEC-2026-0195, with review triggers for upstream quick-xml movement and untrusted XLSX/XML inputs.
  • Stabilizes the Notary 413 body-limit tests by asserting the request-limit path through an explicit oversized Content-Length instead of racing a socket upload.
  • Stabilizes the Relay redaction aggregate test by making the unordered aggregate row assertion order-insensitive.
  • Removes stale nested sha256 fields from the Notary posture example and regenerated OpenAPI sample, with a regression assertion for Notary posture artifacts.
  • Repairs the Lab monorepo quick start by moving submodule mappings to root .gitmodules, making just setup initialize lab/vendor/* paths from the superproject root, and defaulting Lab source variables to the monorepo source paths.

Why

The quick-xml advisories currently have no direct upgrade path in this workspace because calamine and the pinned Crosswalk/phonenumber stack still constrain quick-xml. The gate should still run in CI, so the risk is accepted narrowly and review-triggered instead of leaving advisories out of CI.

The two flaky tests were passing in isolation but could fail under full workspace runs because one depended on network upload timing and the other assumed aggregate row ordering from DataFusion.

The Notary posture public example had drifted from the live response shape by retaining nested artifact hashes the current code no longer emits.

The Lab README documented a clean monorepo quick start, but the justfile and nested .gitmodules layout still reflected the old vendor/sibling checkout model.

Validation

Ran locally before publishing and during review follow-up:

  • cargo fmt --check
  • cargo check --locked --workspace --all-targets
  • cargo clippy --workspace --all-targets -- -D warnings
  • cargo test --locked --workspace
  • cargo deny check
  • cd products/notary && just openapi-check
  • cd crates/registry-relay && just openapi-contract
  • focused Notary body-limit and posture tests
  • focused Relay aggregate redaction test
  • python3 -m unittest lab/scripts/test_esignet_relay_lab.py lab/scripts/test_check_release_source_model.py
  • cd lab && scripts/check-release-source-model.sh monorepo
  • cd lab && just --summary
  • git diff --check

Remaining note: Relay is still not opted into the workspace lints table because its public test-support/env-mutation path needs a separate focused cleanup.

jeremi added 10 commits July 2, 2026 17:32
Registry Notary has no dependency on the manifest crates; only Relay
consumes registry-manifest-core.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
A tag-push run and a manual dispatch for the same tag could race and
clobber each other's published assets. Key the concurrency group on
workflow+ref with cancel-in-progress: false so a second run queues
instead of cancelling a publish mid-flight.

Security review notes: release-provenance surface. No publish steps
change, only run serialization; cancellation stays disabled because
image push, asset upload with --clobber, cosign signing, and SLSA
provenance are not safely cancellable.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
The quick start still described the pre-monorepo standalone repo:
cloning jeremi/registry-lab with submodules, just quick as the entry
point, and a vendor-submodule pin workflow for Platform/Relay/Notary/
Manifest that no longer exists. Describe the monorepo checkout and
just release-fast instead, keeping sibling-checkout overrides as a
labeled alternative.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
[workspace.lints.rust] unsafe_code = "forbid" was declared but no
member crate had [lints] workspace = true, so it was enforced nowhere.
Opt in the 23 members with no unsafe code; the five that use unsafe
(libyaml FFI, libc setrlimit, env::set_var in test support) carry a
comment explaining why they stay out.

Security review notes: hardens the unsafe-code posture only; no code
or dependency changes. Verified by a temporary unsafe probe failing
compilation in an opted-in crate, then a clean workspace check.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
The OpenAPI 200 example for /admin/v1/posture lacked the deployment
and audit sections the server emits at the default tier, and nothing
gated example fidelity. Add the missing sections, pin the example's
top-level keys to the live document in a standalone_http test for both
tiers, and regenerate the committed OpenAPI artifact (which also
catches info.version up from 0.6.2 to 0.8.3).

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
The root gate ran only fmt, a workspace check, and registryctl tests;
OpenAPI drift and dependency policy were manual discipline and drifted
repeatedly. Gate the full workspace test suite, cargo deny check for
bans/licenses/sources, the notary openapi-check recipe, and the relay
openapi-contract recipe, with a build cache to keep runtime sane.

Clippy and the cargo-deny advisories section are deliberately not yet
gated: the tree currently fails them (4 pre-existing lints; fresh
RUSTSEC advisories on anyhow and quick-xml). They will be promoted
once fixed rather than silenced.

Security review notes: both new actions (taiki-e/install-action,
Swatinem/rust-cache) are pinned to the same full commit SHAs already
trusted in the per-product workflows; tools are version-pinned
(cargo-deny 0.19.8, just 1.51.0). No deny.toml ignores added.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
cargo clippy --workspace --all-targets -- -D warnings is the house
convention but the tree had drifted: is_none_or over map_or(true, ..),
a field reassign after Default::default(), a derivable Default impl,
two too_many_arguments sites (annotated, matching the 48 existing
allow sites), three needless borrows, and a useless format! in a test
fixture. All behavior-preserving; relay, notary-core, notary-server,
and notary test suites pass.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Lockfile-only bump to 1.0.103. The two quick-xml advisories
(RUSTSEC-2026-0194/0195) remain open: calamine 0.35 pins ^0.39 and
phonenumber pins <=0.38 under the pinned Crosswalk dependency, so no
upgrade path exists until upstream moves; no deny.toml ignore added.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
The workspace is clippy-clean under -D warnings as of the preceding
lint fixes, so gate it. The cargo-deny advisories section stays local:
the remaining RUSTSEC advisories (quick-xml 0194/0195) have no upgrade
path until calamine and phonenumber move upstream.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ebc9325ca8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread lab/README.md Outdated
Comment thread lab/README.md
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
@jeremi jeremi merged commit 6c7e980 into main Jul 2, 2026
10 checks passed
@jeremi jeremi deleted the codex/resolve-review-findings branch July 2, 2026 13:35

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c180c2c424

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread lab/justfile
default_manifest_src := if path_exists("../registry-manifest/Cargo.toml") == "true" { "../registry-manifest" } else { if path_exists("../../registry-manifest/Cargo.toml") == "true" { "../../registry-manifest" } else { "./vendor/registry-manifest" } }
default_stack_src := if path_exists("../Cargo.toml") == "true" { if path_exists("../crates/registry-relay/Cargo.toml") == "true" { ".." } else { "" } } else { "" }
default_relay_src := if default_stack_src != "" { "../crates/registry-relay" } else { if path_exists("../registry-relay/Cargo.toml") == "true" { "../registry-relay" } else { if path_exists("../../registry-relay/Cargo.toml") == "true" { "../../registry-relay" } else { "./vendor/registry-relay" } } }
default_notary_src := if default_stack_src != "" { default_stack_src } else { if path_exists("../registry-notary/Cargo.toml") == "true" { "../registry-notary" } else { if path_exists("../../registry-notary/Cargo.toml") == "true" { "../../registry-notary" } else { "./vendor/registry-notary" } } }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Point notary client smoke at the package root

In a clean monorepo checkout this new default exports REGISTRY_NOTARY_SOURCE_DIR=.., but lab/scripts/smoke-notary-client.py only looks for the Python client at ${REGISTRY_NOTARY_SOURCE_DIR}/bindings/python before falling back to sibling/vendor checkouts. The monorepo client actually lives under products/notary/bindings/python, so just notary-client (and the release check step that invokes the same smoke) still exits with “Registry Notary Python client was not found” unless a separate sibling checkout or manual REGISTRY_NOTARY_CLIENT_SOURCE_DIR is present. Fresh evidence beyond the earlier vendor-default comment is that the new monorepo default now points at a real root that still lacks the expected bindings/python layout.

Useful? React with 👍 / 👎.

Comment thread lab/README.md
Comment on lines 669 to +671
`scripts/check-release-source-model.sh source` compares sibling Platform,
Relay, and Notary SHAs with the Lab `vendor/` pins and fails on mismatches or
dirty source checkouts. Use `REGISTRY_LAB_ALLOW_PENDING_PINS=1` only while the
final source commits are still waiting for the Lab submodule pin update.
`scripts/check-release-source-model.sh vendor` proves that the selected release
paths resolve to committed Lab pins.
Relay, and Notary SHAs with the Lab `vendor/` pins (Crosswalk, registry-atlas,
and the eSignet Relay authenticator) and fails on mismatches or dirty source

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Stop documenting the broken source-mode proof

For users following this documented source proof with sibling Platform/Relay/Notary checkouts, the validator still calls compare_pin against lab/vendor/registry-platform, lab/vendor/registry-relay, and lab/vendor/registry-notary, but this monorepo change leaves only Crosswalk/atlas/eSignet under lab/vendor. Even with all sibling source env vars set and REGISTRY_LAB_ALLOW_PENDING_PINS=1, scripts/check-release-source-model.sh source fails when it tries to read the removed vendor dirs, so this source-proof path is no longer runnable as described.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant