diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml index 991f03d..8f2fea4 100644 --- a/.github/workflows/audit.yml +++ b/.github/workflows/audit.yml @@ -67,3 +67,15 @@ jobs: - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} + # Keep this list in lockstep with `[advisories].ignore` in + # deny.toml — rustsec/audit-check does NOT read deny.toml, so + # the two layers drift silently if only one is updated. + # Every entry here must have a matching deny.toml entry with + # the full multi-line justification; this file records only + # the IDs. + # + # RUSTSEC-2024-0437 — protobuf 2.28 uncontrolled recursion. + # Transitive via raft-engine → prometheus (metrics only, not + # a network-facing deserializer). Full rationale and + # re-audit triggers live in deny.toml. + ignore: RUSTSEC-2024-0437 diff --git a/.planning/fork-raft-engine-lz4-verification.md b/.planning/fork-raft-engine-lz4-verification.md index 3ffd62f..512f942 100644 --- a/.planning/fork-raft-engine-lz4-verification.md +++ b/.planning/fork-raft-engine-lz4-verification.md @@ -55,16 +55,36 @@ In `Cargo.toml` at the workspace root: ```toml [workspace.dependencies] -raft-engine = { git = "https://github.com/humancto/raft-engine", rev = "e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535", default-features = false, features = ["internals", "scripting"] } +raft-engine = { version = "0.4.2", git = "https://github.com/humancto/raft-engine", rev = "e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535", default-features = false, features = [ + "internals", +] } ``` -- `default-features = false` strips `lz4-compression` from the default list. -- `features = ["internals", "scripting"]` keeps the two other default - features `raft-engine` ships with `default = ["internals", "scripting", "lz4-compression"]`. -- `lz4-compression` is deliberately excluded. Mango configs must set - `batch-compression-threshold = 0` (enforced by the fork's +- `default-features = false` strips ALL three upstream default + features: `lz4-compression`, `scripting`, AND `internals`. +- `features = ["internals"]` re-enables ONLY `internals` — the Raft + log reader/writer types that `mango-raft` (Phase 1 impl PRs) needs. +- `lz4-compression` is deliberately excluded: that's the entire reason + the fork exists (it pulls `lz4-sys`, a C FFI dep). Mango configs must + set `batch-compression-threshold = 0` (enforced by the fork's `Config::sanitize`); compression happens above raft-engine in `mango-raft` via `lz4_flex`. +- `scripting` is deliberately excluded: it pulls `rhai` → + `smartstring`, which is MPL-2.0 — an allow-list widening mango does + not want to take for a feature mango does not use. `scripting` is + raft-engine's TiKV-admin-CLI path; mango has no consumer of that + surface. (Diverges from this doc's earlier versions, which listed + `["internals", "scripting"]`; dropped during PR #49 implementation + after cargo-deny flagged MPL-2.0 transitively. Going forward, fork + rebases MUST NOT quietly re-enable `scripting` — if upstream moves + anything mango needs from `internals` into `scripting`, update this + file and the license allow-list in the SAME PR.) +- `version = "0.4.2"` on the git dep is load-bearing for cargo-deny + (`wildcards = "deny"` rejects a git dep without `version =`). It + also matches the fork's `package.version`, so the single + `[[exemptions.raft-engine]] version = "0.4.2"` cargo-vet entry + continues to cover both the active fork and the post-retirement + upstream (see §"Supply-chain audit posture" below). Verified absence of lz4-sys: @@ -84,8 +104,12 @@ Retirement steps (in order): 2. Run `cargo update -p raft-engine` in a mango branch, repoint the workspace dep to `tikv/raft-engine` at the merged SHA: ```toml - raft-engine = { git = "https://github.com/tikv/raft-engine", rev = "", default-features = false, features = ["internals", "scripting"] } + raft-engine = { version = "", git = "https://github.com/tikv/raft-engine", rev = "", default-features = false, features = [ + "internals", + ] } ``` + (Keep `features = ["internals"]` only — do NOT re-add `scripting`; + see §"How mango consumes the fork" for the license rationale.) 3. Run the full mango test suite (`cargo nextest run --workspace`). 4. If tests pass, open a mango PR with the repointing, get `rust-expert` APPROVE, merge. @@ -150,25 +174,47 @@ If mango needs a newer upstream SHA before #397 merges: ## Supply-chain audit posture The fork is public, pinned by SHA (not tag, not branch), and adds -zero `unsafe` tokens on top of upstream. `cargo vet` keys -exemptions on `(crate_name, crate_version)` — both the fork and -upstream ship `package.version = "0.4.2"`, so the same -`[[exemptions.raft-engine]] version = "0.4.2"` entry in -`supply-chain/config.toml` covers both while the fork is active -and after retirement. - -Caveats that change this: - -1. **Patch-version bumps are not auto-covered.** If either the - fork or upstream bumps `package.version` (raft-engine - historically bumps on master without publishing to crates.io - — see ADR 0002 §B3), the exemption stops matching and needs - a new `version = "0.4.3"` line. Watch for this on rebase. -2. **SHA swaps are silent to vet.** `cargo vet` verifies the - resolved git hash against the locked source, but the hash is - not part of exemption identity. Changing the fork SHA without - bumping `package.version` requires no vet edits. -3. **`review-by` is a mango convention, not a vet behavior.** +zero `unsafe` tokens on top of upstream. + +**Exemption keying (load-bearing, verified against cargo-vet 0.10 +behavior).** `cargo vet` keys exemptions on the fully-resolved +source, which for a git dep is +`@git:` — not on `package.version` +alone. This is true EVEN when `[policy.raft-engine]` sets +`audit-as-crates-io = true` (which governs how audits are +interpreted, not how exemptions are matched). As a result, the +mango exemption in `supply-chain/config.toml` MUST carry the +SHA-qualified form: + +```toml +[[exemptions.raft-engine]] +version = "0.4.2@git:e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535" +criteria = "safe-to-deploy" +``` + +This exemption covers the active fork at this specific SHA only. +It does NOT automatically cover: + +- A rebased fork SHA — new exemption line at the new + `0.4.2@git:` form required (the old line can be removed + in the same PR). +- Post-retirement upstream crates.io 0.4.2 — new exemption line at + plain `version = "0.4.2"` required (the SHA-qualified line can + be removed in the retirement PR). + +In short: every fork rebase and the fork retirement are +exemption-churning events. Those are already flagged as manual +actions in the "Rebase policy" and "Retirement plan" sections; +this section just spells out the specific config.toml edit. + +Other caveats: + +1. **Patch-version bumps on either side are not auto-covered.** + If either the fork or upstream bumps `package.version` + (raft-engine historically bumps on master without publishing + to crates.io — see ADR 0002 §B3), the exemption stops matching + and needs a new line. Watch for this on rebase. +2. **`review-by` is a mango convention, not a vet behavior.** Mango annotates every exemption with a `review-by: YYYY-MM-DD` note. Those dates do not auto-regenerate on source change. When rebasing the fork OR retiring to upstream, manually @@ -177,6 +223,8 @@ Caveats that change this: ## Last updated -2026-04-24 (fork created, PR #397 opened, mango still on skeleton -phase — dep not yet wired into a workspace `Cargo.toml`; that lands -with PR-1). +2026-04-24 — PR #49 wires the dep into the workspace and +`crates/mango-storage` skeleton. Feature set tightened to +`["internals"]` only (dropped `scripting` after cargo-deny flagged +MPL-2.0 via `rhai`/`smartstring`; see §"How mango consumes the fork" +for the full rationale). Fork created, upstream PR #397 open. diff --git a/.planning/mango-storage-skeleton.plan.md b/.planning/mango-storage-skeleton.plan.md new file mode 100644 index 0000000..655b03d --- /dev/null +++ b/.planning/mango-storage-skeleton.plan.md @@ -0,0 +1,393 @@ +# PR-1: `crates/mango-storage` skeleton (ROADMAP:815) + +## Goal + +Ship the scaffolding for `crates/mango-storage` with its two load-bearing +dependencies declared but _no trait or impl code yet_: + +- `redb` (KV storage engine per ADR 0002) +- `raft-engine` pinned to the `humancto/raft-engine` fork at + SHA `e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535`, with + `default-features = false` and `features = ["internals"]` — + the fork removes `lz4-sys` from the build graph per ADR 0002 §W5's + build-time mitigation. (The plan originally called for + `["internals", "scripting"]`; dropped during implementation — see + "Deviations from plan" below.) + +Line 816 (trait definition) is a separate item. This PR closes line 815 +only. The Cargo.toml dep entries prove the fork integrates cleanly end +to end (deny.toml + cargo-vet + cargo-geiger + workspace build); the +lib.rs is a placeholder matching the shape of `crates/mango/src/lib.rs`. + +## Non-goals + +- No `Backend` / `RaftLogStore` trait definition (that's ROADMAP:816, its own PR). +- No impl against redb, no impl against raft-engine. +- No benches, no property tests, no differential harness (those are + ROADMAP:819–829, each their own PR). +- No CI wiring changes beyond what the workspace already picks up by + virtue of the new crate being a workspace member. +- No `#![allow(unsafe_code)]` at the crate root and **no** enrollment in + `workspace.metadata.mango.miri`. The skeleton has zero unsafe. Impl + PRs (ROADMAP:817, :818) will enroll as part of their own diff. + +## Scope — exact file list + +1. **`Cargo.toml`** (workspace root): + - Add `"crates/mango-storage"` to `[workspace].members`. + - Add `redb = "4.1"` to `[workspace.dependencies]`. + - Add the fork-pinned `raft-engine` entry to `[workspace.dependencies]` + with a block comment pointing at ADR 0002 §W5 and the fork-tracking + file. Multi-line shape to stay under 100 columns (match `subtle` + at `Cargo.toml:91-93` as precedent). + +2. **`deny.toml`**: + - Add `"https://github.com/humancto/raft-engine"` to `allow-git` with + a justification pointing at ADR 0002 §W5 and the retirement trigger + (upstream PR #397 merging → drop this line). + +3. **`supply-chain/config.toml`**: + - Add `[policy.mango-storage]` stanza matching the shape of + `[policy.mango]` / `[policy.mango-proto]` (lines 16–34): first-party + crate, `audit-as-crates-io = false`, `criteria = "safe-to-deploy"`, + boilerplate `notes` referencing CODEOWNERS + PR review. + - Add `[[exemptions.]]` entries for every transitive dep that + `cargo vet check` flags after the new deps resolve. Every exemption + note MUST carry `review-by: 2026-10-23` (180 days out, matching the + house convention — every existing exemption uses this date). For + `raft-engine` itself the exemption keys on `(crate_name, +crate_version)` — the fork and upstream both ship + `package.version = "0.4.2"` (verify against fork `Cargo.toml` HEAD + before committing), so one `[[exemptions.raft-engine]] version = "0.4.2"` + entry covers both while the fork is active and after retirement, + exactly as documented in `.planning/fork-raft-engine-lz4-verification.md` + §"Supply-chain audit posture." + - **Fallback if cargo-vet rejects the git source outright** (not just + "needs exemption"): add `audit-as-crates-io = true` to a dedicated + `[policy.raft-engine]` stanza, which makes vet treat the git source + as if it were the crates.io tarball at the matching version. Try + plain exemption first; escalate only if vet refuses. + +4. **`unsafe-baseline.json`**: + - Run `bash scripts/geiger-update-baseline.sh` with the new crate in + place and commit the resulting per-crate `"mango-storage": {...}` + entry. Skeleton has zero unsafe so all counts will be 0; the entry + keeps the baseline a source of truth. + +5. **`crates/mango-storage/Cargo.toml`** (new): + - `[package]` block with `name = "mango-storage"`, `publish = false` + (matches `mango-proto` / `mango-loom-demo` — pre-stable crate that + depends on a git-pinned fork that can't be published to crates.io + anyway), `description = "Mango storage backend (Phase 1 skeleton; Backend + RaftLogStore traits land per ROADMAP.md)."`, + and the workspace-inherited version/edition/rust-version/license/ + repository/authors fields. + - `[dependencies]`: + ```toml + redb.workspace = true + raft-engine.workspace = true + ``` + Consumer side uses `.workspace = true` **without** `default-features` + or `features` override — the workspace entry's full shape (including + `default-features = false, features = ["internals", "scripting"]`) + inherits verbatim. Writing `raft-engine = { workspace = true, features = [...] }` + here would **add** to the workspace feature set, which is exactly the + footgun we want to avoid — an accidental re-enable of + `lz4-compression` would re-introduce the C dep. + - `[lints] workspace = true` (same one-liner as `crates/mango/Cargo.toml:11-12`). + +6. **`crates/mango-storage/src/lib.rs`** (new): + - Crate-level doc comment shape (matches `crates/mango/src/lib.rs:1-4`): + ```rust + //! mango-storage — the storage backend crate for mango. + //! + //! This crate is currently a placeholder skeleton. `Backend` and + //! `RaftLogStore` trait definitions land per ROADMAP.md (Phase 1); + //! implementations follow in their own PRs. + ``` + - `#![deny(missing_docs)]` at the crate root. Workspace already sets + `unsafe_code = "forbid"`; we do **not** restate it and do **not** + add `#![allow(unsafe_code)]` — the skeleton has no unsafe. + - One `pub const VERSION: &str = env!("CARGO_PKG_VERSION");` with a + doc comment matching the shape in `crates/mango/src/lib.rs:8-12`. + - `#[cfg(test)] mod tests { ... }` with the exact `#![allow(clippy::unwrap_used, clippy::expect_used, clippy::panic, clippy::indexing_slicing, clippy::unnecessary_literal_unwrap, clippy::arithmetic_side_effects)]` + prologue copied verbatim from `crates/mango/src/lib.rs:16-23` + (prophylactic — the single smoke test today doesn't trip these, but + the next test added must not either). + - Single test `version_matches_cargo_manifest`: `assert_eq!(VERSION, "0.1.0");` + — literal from `Cargo.toml:96` (`[workspace.package].version = "0.1.0"`). + - **No** watchdog smoke test here. The one in `crates/mango/src/lib.rs:39-43` + is a single-oracle for `scripts/test-watchdog.sh`; duplicating it in + every crate is overkill. Add a one-line comment at the top of + `mod tests` noting "watchdog smoke lives in `mango`; not duplicated." + - **No** README.md in the crate dir (matches `crates/mango/` / + `crates/mango-proto/`). + +## Dependency pins (load-bearing) + +### `redb` + +```toml +# Pure-Rust embedded key-value store. Chosen in ADR 0002. +# `"4.1.0"` in Cargo semver = `^4.1.0` = `>= 4.1.0, < 5.0.0`. +# ADR 0002 verified against 4.1.0 specifically; the pin is visible in +# the manifest for that reason. Minor/patch bumps inside the 4.x range +# arrive via Dependabot. +redb = "4.1.0" +``` + +### `raft-engine` (fork) + +```toml +# tikv/raft-engine via the humancto/raft-engine fork. +# Fork exists to feature-gate lz4-sys (C FFI) out of the default build +# graph — see .planning/fork-raft-engine-lz4-verification.md and ADR +# 0002 §W5. `default-features = false` drops ALL THREE upstream +# defaults (`lz4-compression`, `scripting`, `internals`); we re-enable +# ONLY `internals` (the Raft log reader/writer types mango-raft needs). +# `scripting` is dropped because it pulls rhai -> smartstring (MPL-2.0), +# an allow-list widening mango does not want to take for a feature +# mango does not use. `lz4-compression` is dropped because that's the +# entire reason the fork exists. +# `version = "0.4.2"` is load-bearing for cargo-deny (wildcards = "deny" +# requires an explicit version on git deps) AND for cargo-vet +# (`[policy.raft-engine] audit-as-crates-io = true` keys exemptions on +# the package.version, not the git rev). +# +# Mango configs MUST set batch-compression-threshold = 0 (enforced at +# runtime by the fork's Config::sanitize when lz4-compression is off). +# +# Retirement tracked against tikv/raft-engine#397. When that merges: +# swap git URL to tikv/raft-engine at the merged SHA (steps in +# .planning/fork-raft-engine-lz4-verification.md §"Retirement plan"). +# Dependabot does NOT auto-bump git rev pins; retirement is a manual +# action. +raft-engine = { version = "0.4.2", git = "https://github.com/humancto/raft-engine", rev = "e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535", default-features = false, features = [ + "internals", +] } +``` + +## Edge cases and risks + +1. **`cargo vet` friction on first use of both crates.** + Neither `redb` nor `raft-engine` (nor their transitive graphs) has + exemptions yet. Plan: run `cargo vet check` locally, enumerate every + flagged crate, add `[[exemptions.]] version = "..." criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — transitive, audit pending"`. + This is the single largest review-surface expansion in the PR; the + reviewer will scan the exemption list for sanity but the gate is that + `cargo vet` goes green, not that each crate is justified individually. + +2. **cargo-vet exemption keying for `raft-engine` itself.** + `cargo vet` exemptions key on `(crate_name, crate_version)` — git + origin and SHA are not part of the exemption identity. The fork + ships `package.version = "0.4.2"` (same as upstream), so a single + `[[exemptions.raft-engine]] version = "0.4.2"` entry covers both the + active fork and the post-retirement upstream. Patch-version bumps + break this matching and need a new `version = "0.4.3"` line. Watch + on rebase. This is all already spelled out in + `.planning/fork-raft-engine-lz4-verification.md` §"Supply-chain audit + posture" — the plan just reuses that policy. + +3. **`cargo-geiger` baseline for storage deps (ROADMAP:823 precursor).** + Line 823 is a future gate: "redb 4.1.0 = 37 unsafe tokens; raft-engine + master @ pinned SHA = 49 tokens. Either +10 over baseline trips CI." + We do **not** wire that gate in this PR. We **do** run + `cargo geiger --workspace` locally and record totals in the PR + description so line 823's PR has a starting point. `unsafe-baseline.json` + only tracks first-party totals; transitive counts live in the PR body. + +4. **`deny.toml` `[sources]` gate.** + `allow-git = []` today → `cargo deny check sources` fails immediately + on any git dep. Adding `"https://github.com/humancto/raft-engine"` to + the allowlist is mandatory and lands in the same commit as the + workspace Cargo.toml edit. + +5. **`[bans] multiple-versions = "deny"` + protobuf dedup.** + `raft-engine` uses `protobuf` / `raft-proto` internally; `mango-proto` + already uses `prost = "0.13"`. These are different crates (`rust-protobuf` + vs `prost`), so no direct version collision. However, `cargo tree --workspace` + run as part of PR validation will surface any transitive dupes. If + something duplicates, the fix is a scoped `skip` entry in `deny.toml` + `[bans]` with a tracking issue link — in this PR or a fast-follow, + whichever the diff ends up being. + +6. **Feature list accuracy on `raft-engine`.** + Upstream fork's `default = ["internals", "scripting", "lz4-compression"]`. + Verify against the fork's `Cargo.toml` at SHA `e1d738d` before + committing. If the fork's `default = [...]` ever gains a new entry + (e.g., on rebase), our `default-features = false, features = ["internals", "scripting"]` + silently drops the new feature. Accept that and reverify on every fork + rebase — this is the tradeoff for the explicit-allowlist feature + approach, documented in the fork-tracking file. + +7. **Workspace lint friction on an empty skeleton.** + - `unreachable_pub = "warn"` — `pub const VERSION` is exported, + re-exported from nothing, so fine. + - `incompatible_msrv = "deny"` — both `redb 4.1.0` and the fork's + transitive graph compile on Rust 1.89. Verified by the fork's CI + matrix (`redb` publishes its MSRV; fork inherits upstream's). + - `disallowed_types` — `std::sync::{Mutex, RwLock}`, etc. The skeleton + doesn't name any of these. Impl PRs will wrap via `parking_lot`. + - `#[non_exhaustive]` policy — skeleton has no `pub enum`, so no + annotation needed yet. + +8. **MSRV check at `cargo check @ 1.89`.** + Both deps need to resolve on workspace MSRV 1.89. Blocker if not. + Verified for redb 4.1.0; verified for the fork by its own CI. If a + transitive dep bumps its MSRV above 1.89 between now and merge, that + trips the `.github/workflows/msrv.yml` gate and we pin the offender + down. + +9. **Dependabot does not auto-bump git rev pins.** + Stated upfront so nobody is surprised when no PR appears after + upstream #397 merges. Retirement is manual per + `.planning/fork-raft-engine-lz4-verification.md` §"Retirement plan." + +## Test strategy + +1. `cargo check --workspace` — proves the skeleton compiles and the + fork git dep resolves. +2. `cargo check --workspace --all-features` — same with any features. +3. `! cargo tree -p mango-storage --edges no-dev -i lz4-sys` — inverse + tree check exits nonzero iff `lz4-sys` is not in the graph, which is + the assertion we want. Clean PASS/FAIL without relying on `grep`'s + empty-output convention. +4. `cargo tree -p mango-storage --edges no-dev -i redb` and + `cargo tree -p mango-storage --edges no-dev -i raft-engine` — both + resolve (exit 0). +5. `cargo nextest run -p mango-storage` — runs the one version smoke test. +6. `cargo clippy --workspace --all-targets -- -D warnings` — clean. +7. `cargo fmt --check` — clean. +8. `cargo deny check sources` — green (the new `allow-git` entry covers + the fork URL). +9. `cargo deny check bans` — green (no new multi-version violations). +10. `cargo vet check` — green (exemptions cover every transitive). +11. `bash scripts/geiger-check.sh` — green (first-party baseline unchanged; + `mango-storage` added with all-zero counts). +12. `cargo run -q -p xtask-vet-ttl` — green (every new exemption note + carries `review-by: 2026-10-23`). + +All of these run on CI via the existing workflows (`ci.yml`, `vet.yml`, +`geiger.yml`, `msrv.yml`, `public-api.yml`). The PR just has to be green. + +## Rollback plan + +Revert the PR with `git revert`. Nothing in this PR depends on +migrations, state, or external systems — it's additive scaffolding and +the ADR/fork record PR (#48) already landed independently. + +If the fork turns out to be unusable at consumption time (cargo-vet +blocks outright even with `audit-as-crates-io = true`, or the +no-default-features build breaks in a way the fork's CI didn't catch), +escape hatch is to temporarily accept the C dep (Option A from ADR +0002 §W5) by removing `default-features = false` — but that regresses +the pure-Rust north-star and must be explicitly documented as a +regression in ROADMAP:815's text. This should be caught by steps 3 and +8 of the test strategy above, not discovered post-merge. + +## Commit plan + +**Single atomic commit.** The PR is small enough that three separate +commits would only aid bisect at the cost of non-compiling intermediate +states (e.g., declaring `raft-engine.workspace = true` in a consumer +crate before the workspace entry exists fails to build). Prior art: +`mango-proto`'s landing PR was a single commit followed by fast-follow +cleanups. Match that. + +Commit message shape: + +``` +feat(storage): add mango-storage skeleton with redb + raft-engine fork deps + +Adds the Phase 1 storage crate skeleton per ROADMAP:815. This is +scaffolding only — no trait definitions yet (those land in ROADMAP:816's +own PR), no implementations. + +- crates/mango-storage skeleton: publish = false, deny(missing_docs), + single VERSION-matches-manifest smoke test +- Cargo.toml: add redb = "4.1.0" and raft-engine git-pinned to the + humancto/raft-engine fork at e1d738d, default-features = false, + features = ["internals", "scripting"] +- deny.toml: allowlist the fork's git URL (retires when + tikv/raft-engine#397 merges per .planning/fork-raft-engine-lz4-verification.md) +- supply-chain/config.toml: [policy.mango-storage] first-party stanza + + exemptions for the new transitive deps +- unsafe-baseline.json: regenerated via scripts/geiger-update-baseline.sh + +Closes ROADMAP:815. Next item: ROADMAP:816 (Backend + RaftLogStore +trait definition). +``` + +## File list (final) + +- `Cargo.toml` (workspace root): 3 edits (member + redb + raft-engine) +- `crates/mango-storage/Cargo.toml` (new) +- `crates/mango-storage/src/lib.rs` (new) +- `deny.toml`: 1 edit (`allow-git`) +- `supply-chain/config.toml`: 1 policy stanza + N exemption stanzas +- `unsafe-baseline.json`: 1 new per-crate entry + +## Out of scope, explicitly + +- Trait definitions (ROADMAP:816) +- Trait implementations (ROADMAP:817, :818) +- Differential bbolt oracle harness (ROADMAP:819) +- Chaos / crash-recovery / disk-full / engine-swap tests (ROADMAP:820–827) +- Benchmarks (ROADMAP:828, :829) +- CI gate wiring for cargo-geiger's +10-over-baseline rule on storage + deps (ROADMAP:823) +- `lz4_flex` as a dep of `mango-raft` (Phase 1, but for `mango-raft`, not here) +- Dependabot rules for git rev bumps (does not exist; fork retirement + is manual) + +## PR description — must include + +For the reviewer's artifact-of-record: + +- `cargo geiger --workspace` totals output (not just the first-party + numbers — the transitive ones, which seed ROADMAP:823's gate). +- `cargo tree -p mango-storage --edges no-dev -i lz4-sys` output (empty, + proving the build-time pure-Rust north-star is intact). +- `cargo tree --workspace --duplicates` output (proves `[bans] multiple-versions = "deny"` is not tripped). +- Pointer to the fork-tracking doc and ADR 0002 §W5 for reviewer context. + +## Deviations from plan (during implementation) + +1. **`features = ["internals"]` instead of `["internals", "scripting"]`.** + The plan called for `["internals", "scripting"]` (both non-lz4 upstream + defaults). During implementation `cargo deny check licenses` failed + with MPL-2.0 from `smartstring` 1.0.1, pulled in by `rhai` which is + pulled in by `raft-engine`'s `scripting` feature. Rationale for + dropping `scripting` rather than widening the allow-list: `scripting` + is raft-engine's TiKV-admin-CLI path; mango has no consumer of it, so + widening the license allow-list for a feature mango will never use is + the wrong tradeoff. Fork-tracking doc + (`.planning/fork-raft-engine-lz4-verification.md`) updated in the + same PR to match. If a future rebase of the fork moves anything mango + needs from `internals` into `scripting`, re-enable `scripting` AND + widen the license allow-list for MPL-2.0 in the same PR. + +2. **`version = "0.4.2"` added to the git dep line.** + The plan didn't list this. Added after `cargo deny check bans` failed + with `wildcards = "deny"` on a git dep lacking a `version =` field. + Load-bearing: without it, cargo-deny rejects the PR. Also aligns with + cargo-vet's `[policy.raft-engine] audit-as-crates-io = true` behavior + (keys the exemption on `package.version` = `"0.4.2"`). + +3. **`skip` entries in `[bans]` for 4 transitive duplicates.** + `bitflags@1.3.2`, `getrandom@0.2.17`, `hashbrown@0.14.5`, `syn@1.0.109` + — all major-version gaps in raft-engine 0.4.2's transitive graph vs + the modern workspace tree. Not listed in the plan's edge-cases + section explicitly; added with retirement triggers pointing at the + upstream raft-engine bump. Matches the plan's "Edge cases and risks" + item #5, which anticipated this class of friction but did not + enumerate the specific crates. + +4. **RUSTSEC-2024-0437 added to `[advisories] ignore`.** + `protobuf` 2.28 (uncontrolled recursion) is pulled in transitively + via `raft-engine` → `prometheus` (metrics only, not a network-facing + deserializer). Added to deny.toml's ignore list with a multi-line + justification and three named re-audit triggers. Also mirrored in + `.github/workflows/audit.yml` as `ignore: RUSTSEC-2024-0437` input to + `rustsec/audit-check` (that action does NOT read deny.toml). Not + listed in the plan — discovered when `cargo deny check advisories` + ran as part of local validation. diff --git a/Cargo.lock b/Cargo.lock index e70f89b..5982648 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -24,6 +24,12 @@ dependencies = [ "memchr", ] +[[package]] +name = "allocator-api2" +version = "0.2.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923" + [[package]] name = "anyhow" version = "1.0.102" @@ -70,6 +76,12 @@ version = "4.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b75356056920673b02621b35afd0f7dda9306d03c79a30f5c56c44cf256e3de" +[[package]] +name = "autocfg" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" + [[package]] name = "bincode" version = "1.3.3" @@ -79,12 +91,24 @@ dependencies = [ "serde", ] +[[package]] +name = "bitflags" +version = "1.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" + [[package]] name = "bitflags" version = "2.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3" +[[package]] +name = "byteorder" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" + [[package]] name = "bytes" version = "1.11.1" @@ -116,6 +140,65 @@ dependencies = [ "crossbeam-utils", ] +[[package]] +name = "crc32fast" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "crossbeam" +version = "0.8.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1137cd7e7fc0fb5d3c5a8678be38ec56e819125d8d7907411fe24ccb943faca8" +dependencies = [ + "crossbeam-channel", + "crossbeam-deque", + "crossbeam-epoch", + "crossbeam-queue", + "crossbeam-utils", +] + +[[package]] +name = "crossbeam-channel" +version = "0.5.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "82b8f8f868b36967f9606790d1903570de9ceaf870a7bf9fbbd3016d636a2cb2" +dependencies = [ + "crossbeam-utils", +] + +[[package]] +name = "crossbeam-deque" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9dd111b7b7f7d55b72c0a6ae361660ee5853c9af73f70c3c2ef6858b950e2e51" +dependencies = [ + "crossbeam-epoch", + "crossbeam-utils", +] + +[[package]] +name = "crossbeam-epoch" +version = "0.9.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e" +dependencies = [ + "crossbeam-utils", +] + +[[package]] +name = "crossbeam-queue" +version = "0.3.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f58bbc28f91df819d0aa2a2c00cd19754769c2fad90579b3592b1c9ba7a3115" +dependencies = [ + "crossbeam-utils", +] + [[package]] name = "crossbeam-utils" version = "0.8.21" @@ -215,6 +298,17 @@ dependencies = [ "pin-project-lite", ] +[[package]] +name = "fail" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fe5e43d0f78a42ad591453aedb1d7ae631ce7ee445c7643691055a9ed8d3b01c" +dependencies = [ + "log", + "once_cell", + "rand", +] + [[package]] name = "fastrand" version = "2.4.1" @@ -239,6 +333,16 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "fs2" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9564fc758e15025b46aa6643b1b77d047d1a56a1aea6e01002ac0c7026876213" +dependencies = [ + "libc", + "winapi", +] + [[package]] name = "futures-core" version = "0.3.32" @@ -319,6 +423,16 @@ dependencies = [ "wasip2", ] +[[package]] +name = "hashbrown" +version = "0.14.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" +dependencies = [ + "ahash", + "allocator-api2", +] + [[package]] name = "hashbrown" version = "0.16.1" @@ -331,12 +445,24 @@ version = "0.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" +[[package]] +name = "hex" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" + [[package]] name = "ident_case" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39" +[[package]] +name = "if_chain" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cd62e6b5e86ea8eeeb8db1de02880a6abc01a397b2ebb64b5d74ac255318f5cb" + [[package]] name = "indexmap" version = "2.11.4" @@ -344,7 +470,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5" dependencies = [ "equivalent", - "hashbrown", + "hashbrown 0.16.1", ] [[package]] @@ -489,6 +615,14 @@ dependencies = [ "tonic-build", ] +[[package]] +name = "mango-storage" +version = "0.1.0" +dependencies = [ + "raft-engine", + "redb", +] + [[package]] name = "matchers" version = "0.2.0" @@ -504,6 +638,15 @@ version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" +[[package]] +name = "memoffset" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4" +dependencies = [ + "autocfg", +] + [[package]] name = "mio" version = "1.2.0" @@ -527,6 +670,19 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "034a0ad7deebf0c2abcf2435950a6666c3c15ea9d8fad0c0f48efa8a7f843fed" +[[package]] +name = "nix" +version = "0.26.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "598beaf3cc6fdd9a5dfb1630c2800c7acd31df7aaf0f565796fba2b53ca1af1b" +dependencies = [ + "bitflags 1.3.2", + "cfg-if", + "libc", + "memoffset", + "pin-utils", +] + [[package]] name = "nu-ansi-term" version = "0.50.3" @@ -542,6 +698,26 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967" +[[package]] +name = "num-derive" +version = "0.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed3955f1a9c7c0c15e092f9c887db08b1fc683305fdf6eb6684f22555355e202" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.117", +] + +[[package]] +name = "num-traits" +version = "0.2.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" +dependencies = [ + "autocfg", +] + [[package]] name = "once_cell" version = "1.21.4" @@ -560,6 +736,29 @@ version = "2.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f38d5652c16fde515bb1ecef450ab0f6a219d619a7274976324d5e377f7dceba" +[[package]] +name = "parking_lot" +version = "0.12.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a" +dependencies = [ + "lock_api", + "parking_lot_core", +] + +[[package]] +name = "parking_lot_core" +version = "0.9.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1" +dependencies = [ + "cfg-if", + "libc", + "redox_syscall", + "smallvec", + "windows-link 0.2.1", +] + [[package]] name = "petgraph" version = "0.7.1" @@ -576,6 +775,12 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd" +[[package]] +name = "pin-utils" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" + [[package]] name = "powerfmt" version = "0.2.0" @@ -610,6 +815,33 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "prometheus" +version = "0.13.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d33c28a30771f7f96db69893f78b857f7450d7e0237e9c8fc6427a81bae7ed1" +dependencies = [ + "cfg-if", + "fnv", + "lazy_static", + "memchr", + "parking_lot", + "protobuf", + "thiserror", +] + +[[package]] +name = "prometheus-static-metric" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8f30cdb09c39930b8fa5e0f23cbb895ab3f766b187403a0ba0956fc1ef4f0e5" +dependencies = [ + "lazy_static", + "proc-macro2", + "quote", + "syn 1.0.109", +] + [[package]] name = "prost" version = "0.13.5" @@ -662,6 +894,12 @@ dependencies = [ "prost", ] +[[package]] +name = "protobuf" +version = "2.28.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "106dd99e98437432fed6519dedecfade6a06a73bb7b2a1e019fdd2bee5778d94" + [[package]] name = "quote" version = "1.0.45" @@ -677,6 +915,37 @@ version = "5.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" +[[package]] +name = "raft-engine" +version = "0.4.2" +source = "git+https://github.com/humancto/raft-engine?rev=e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535#e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535" +dependencies = [ + "byteorder", + "crc32fast", + "crossbeam", + "fail", + "fs2", + "hashbrown 0.14.5", + "hex", + "if_chain", + "lazy_static", + "libc", + "log", + "nix", + "num-derive", + "num-traits", + "parking_lot", + "prometheus", + "prometheus-static-metric", + "protobuf", + "rayon", + "scopeguard", + "serde", + "serde_repr", + "strum", + "thiserror", +] + [[package]] name = "rand" version = "0.8.6" @@ -716,6 +985,44 @@ dependencies = [ "rand_core", ] +[[package]] +name = "rayon" +version = "1.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fb39b166781f92d482534ef4b4b1b2568f42613b53e5b6c160e24cfbfa30926d" +dependencies = [ + "either", + "rayon-core", +] + +[[package]] +name = "rayon-core" +version = "1.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "22e18b0f0062d30d4230b2e85ff77fdfe4326feb054b9783a3460d8435c8ab91" +dependencies = [ + "crossbeam-deque", + "crossbeam-utils", +] + +[[package]] +name = "redb" +version = "4.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e925444704b5f17d32bf42f5b6e2df050bceebc3dcd6e71cc73dafe8092e839" +dependencies = [ + "libc", +] + +[[package]] +name = "redox_syscall" +version = "0.5.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d" +dependencies = [ + "bitflags 2.11.1", +] + [[package]] name = "regex" version = "1.12.3" @@ -751,7 +1058,7 @@ version = "1.1.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190" dependencies = [ - "bitflags", + "bitflags 2.11.1", "errno", "libc", "linux-raw-sys", @@ -806,6 +1113,17 @@ dependencies = [ "syn 2.0.117", ] +[[package]] +name = "serde_repr" +version = "0.1.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "175ee3e80ae9982737ca543e96133087cbd9a485eecc3bc4de9c1a37b47ea59c" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.117", +] + [[package]] name = "serde_spanned" version = "0.6.9" @@ -877,6 +1195,28 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "strum" +version = "0.26.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06" +dependencies = [ + "strum_macros", +] + +[[package]] +name = "strum_macros" +version = "0.26.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be" +dependencies = [ + "heck", + "proc-macro2", + "quote", + "rustversion", + "syn 2.0.117", +] + [[package]] name = "syn" version = "1.0.109" @@ -912,6 +1252,26 @@ dependencies = [ "windows-sys", ] +[[package]] +name = "thiserror" +version = "1.0.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52" +dependencies = [ + "thiserror-impl", +] + +[[package]] +name = "thiserror-impl" +version = "1.0.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.117", +] + [[package]] name = "thread_local" version = "1.1.9" @@ -1141,6 +1501,28 @@ dependencies = [ "wit-bindgen", ] +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" + [[package]] name = "windows-link" version = "0.1.3" diff --git a/Cargo.toml b/Cargo.toml index 9197604..6d53ab5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -3,6 +3,7 @@ resolver = "2" members = [ "crates/mango", "crates/mango-proto", + "crates/mango-storage", "crates/mango-loom-demo", "crates/mango-madsim-demo", "crates/xtask-vet-ttl", @@ -92,6 +93,44 @@ subtle = { version = "2.6", default-features = false, features = [ "const-generics", ] } +# Phase 1 storage-backend deps (ROADMAP:815). See +# .planning/adr/0002-storage-engine.md and +# .planning/fork-raft-engine-lz4-verification.md. +# +# redb: pure-Rust embedded KV store. Pin shape `"4.1.0"` = `^4.1.0` +# (>= 4.1.0, < 5.0.0) — ADR 0002 verified 4.1.0 specifically; the pin +# is visible in the manifest for that reason. Minor/patch bumps inside +# the 4.x range arrive via Dependabot. +redb = "4.1.0" + +# raft-engine via the humancto/raft-engine fork. +# Fork exists to feature-gate lz4-sys (C FFI) out of the default build +# graph — see ADR 0002 §W5. `default-features = false` drops all three +# upstream defaults (`internals`, `scripting`, `lz4-compression`); we +# re-enable only `internals` because: +# - `lz4-compression` pulls lz4-sys (C FFI) — the entire reason the +# fork exists. +# - `scripting` pulls rhai → smartstring (MPL-2.0), an allow-list +# widening we do not want to take for a feature mango doesn't use. +# Scripting is raft-engine's TiKV-admin-CLI path; mango has no +# consumer of that surface. +# - `internals` exposes the Raft log reader/writer types mango-raft +# (Phase 1 impl PRs) actually needs. +# Consumers MUST write `raft-engine.workspace = true` with NO local +# `features = [...]` — local features ADD to the workspace set, which +# would re-enable features we deliberately turned off. +# +# Mango configs MUST set batch-compression-threshold = 0 (enforced by +# the fork's Config::sanitize when lz4-compression is off). +# +# Retirement: when tikv/raft-engine#397 merges, swap git URL to +# tikv/raft-engine at the merged SHA per the procedure in +# .planning/fork-raft-engine-lz4-verification.md §"Retirement plan". +# Dependabot does NOT auto-bump git rev pins; retirement is manual. +raft-engine = { version = "0.4.2", git = "https://github.com/humancto/raft-engine", rev = "e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535", default-features = false, features = [ + "internals", +] } + [workspace.package] version = "0.1.0" edition = "2021" diff --git a/crates/mango-storage/Cargo.toml b/crates/mango-storage/Cargo.toml new file mode 100644 index 0000000..1d4a28d --- /dev/null +++ b/crates/mango-storage/Cargo.toml @@ -0,0 +1,23 @@ +[package] +name = "mango-storage" +version.workspace = true +edition.workspace = true +rust-version.workspace = true +license.workspace = true +repository.workspace = true +authors.workspace = true +description = "Mango storage backend (Phase 1 skeleton; Backend + RaftLogStore traits land per ROADMAP.md)." +publish = false + +[dependencies] +redb.workspace = true +# Consumed via `.workspace = true` with NO feature override: the workspace +# entry's `default-features = false, features = ["internals"]` inherits +# verbatim. Adding a local `features = [...]` here would ADD to the +# workspace set — re-enabling `lz4-compression` would re-introduce the +# C FFI dep (ADR 0002 §W5), and re-enabling `scripting` would pull +# MPL-2.0 (via rhai/smartstring). +raft-engine.workspace = true + +[lints] +workspace = true diff --git a/crates/mango-storage/src/lib.rs b/crates/mango-storage/src/lib.rs new file mode 100644 index 0000000..f33e79e --- /dev/null +++ b/crates/mango-storage/src/lib.rs @@ -0,0 +1,43 @@ +//! mango-storage — the storage backend crate for mango. +//! +//! This crate is currently a placeholder skeleton. The `Backend` and +//! `RaftLogStore` trait definitions land per `ROADMAP.md` (Phase 1); +//! implementations follow in their own PRs. +//! +//! Dependencies declared here — `redb` and a git-pinned fork of +//! `raft-engine` — are wired so subsequent trait and impl PRs can +//! consume them via `.workspace = true`. The fork exists to keep +//! `lz4-sys` (C FFI) out of the default build graph; see +//! `.planning/adr/0002-storage-engine.md` §W5 and +//! `.planning/fork-raft-engine-lz4-verification.md`. + +#![deny(missing_docs)] + +/// The package version string, captured at build time from +/// `CARGO_PKG_VERSION`. Kept as a crate-level constant so downstream +/// tests can assert on the shipped version without re-reading +/// `Cargo.toml`. +pub const VERSION: &str = env!("CARGO_PKG_VERSION"); + +#[cfg(test)] +mod tests { + #![allow( + clippy::unwrap_used, + clippy::expect_used, + clippy::panic, + clippy::indexing_slicing, + clippy::unnecessary_literal_unwrap, + clippy::arithmetic_side_effects + )] + + // Watchdog smoke lives in `crates/mango/src/lib.rs`; the single + // oracle for `scripts/test-watchdog.sh` is sufficient and not + // duplicated per crate. + + use super::*; + + #[test] + fn version_matches_cargo_manifest() { + assert_eq!(VERSION, "0.1.0"); + } +} diff --git a/deny.toml b/deny.toml index 5478707..c6092a6 100644 --- a/deny.toml +++ b/deny.toml @@ -61,13 +61,27 @@ unsound = "all" # at every MSRV bump and crate major-version review. ignore = [ { id = "RUSTSEC-2025-0141", reason = "bincode 1.3.3 formally unmaintained (the bincode team ceased development after a harassment incident; they consider 1.3.3 a complete version). Pulled in as a TRANSITIVE DEV-DEP of madsim 0.2.30 through mango-madsim-demo; not a runtime dep of any mango crate (sim scaffolding only). Blast radius: deterministic-simulator tests that serialize data the test itself controls — no untrusted input path. The advisory is informational (category `unmaintained`, no active CVE). Re-audit trigger: next madsim minor bump (0.3.x) — upstream may migrate to postcard/bitcode — or by 2026-10-23. See docs/madsim.md and .planning/0-5-3-madsim-dev-dep.plan.md." }, + { id = "RUSTSEC-2024-0437", reason = "protobuf 2.28.0 uncontrolled recursion (stack overflow on crafted input). Pulled TRANSITIVELY through raft-engine 0.4.2 → prometheus 0.13.4 (metrics, internal use only — not a network-facing deserializer). Patch is protobuf >= 3.7.2, but the dep is behind two upstream crates we do not control in this PR. Mitigations in the mango skeleton: (a) mango-storage ships no code that invokes protobuf parsing; (b) when mango-raft (Phase 1 impl PRs) starts calling raft-engine APIs that deserialize, those call sites will be under the `parser fuzz in the phase that introduces the parser` rule from ROADMAP's Reviewer's contract, with crafted-input fuzz corpora as the direct mitigation for this advisory class. Re-audit triggers (any): (1) raft-engine upstream bumps prometheus past the fixed protobuf version, (2) tikv/raft-engine#397 merges and we re-pin against a fresher master that may have bumped prometheus, (3) review-by 2026-10-23. See ADR 0002 §W5 and .planning/fork-raft-engine-lz4-verification.md." }, ] [bans] multiple-versions = "deny" # When a dupe is unavoidable during a major-version migration, add an -# entry here with an issue link and a removal target. Empty today. -skip = [] +# entry here with an issue link and a removal target. +skip = [ + # --- raft-engine 0.4.2 transitive-dep duplicates --- + # All four entries below are major-version gaps in raft-engine's + # transitive graph (via nix 0.26, rust-protobuf, prometheus, etc.) + # vs. the modern workspace tree. Fixing them requires upstream + # raft-engine bumps beyond what the humancto/raft-engine fork + # carries today. Retirement trigger: the upstream bump or + # tikv/raft-engine#397 (whichever first drags its dep graph forward). + # See ADR 0002 §W5 and .planning/fork-raft-engine-lz4-verification.md. + { crate = "bitflags@1.3.2", reason = "raft-engine 0.4.2 transitive via nix 0.26; modern tree uses bitflags 2.x. Retires on raft-engine upstream bumping nix." }, + { crate = "getrandom@0.2.17", reason = "raft-engine 0.4.2 transitive; modern tree uses getrandom 0.3.x. Retires on raft-engine upstream refresh." }, + { crate = "hashbrown@0.14.5", reason = "raft-engine 0.4.2 transitive; modern tree uses hashbrown 0.16.x. Retires on raft-engine upstream refresh." }, + { crate = "syn@1.0.109", reason = "raft-engine 0.4.2 transitive via older proc-macro crates (serde_repr, strum_macros 0.26, etc.); modern tree uses syn 2.x. Retires on raft-engine upstream refresh." }, +] skip-tree = [] wildcards = "deny" # Crate-level bans. Security axis mandates rustls — no OpenSSL path. @@ -86,8 +100,15 @@ deny = [ [sources] # Prod dep tree comes from crates.io. Any git-dep or alternate # registry requires an explicit allowlist entry below with a -# justification — empty today. +# justification. unknown-registry = "deny" unknown-git = "deny" allow-registry = ["https://github.com/rust-lang/crates.io-index"] -allow-git = [] +# humancto/raft-engine is a fork of tikv/raft-engine that feature-gates +# the unconditional `lz4-sys` C FFI dep behind a Cargo feature (default-on +# upstream to preserve BC; we consume with default-features = false). +# See ADR 0002 §W5 and .planning/fork-raft-engine-lz4-verification.md. +# Retirement trigger: upstream tikv/raft-engine#397 merging — when that +# lands, swap the workspace `raft-engine` dep to point at tikv/raft-engine +# at the merged SHA and DROP this allow-git entry in the same PR. +allow-git = ["https://github.com/humancto/raft-engine"] diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 0593a74..30634f2 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -28,6 +28,15 @@ audit-as-crates-io = false criteria = "safe-to-deploy" notes = "first-party workspace crate; audit-as-crates-io=false so cargo-vet does not require third-party audits for mango's own code. safe-to-deploy is governed by in-tree review (CODEOWNERS + PR review)." +[policy.mango-storage] +audit-as-crates-io = false +criteria = "safe-to-deploy" +notes = "first-party workspace crate; audit-as-crates-io=false so cargo-vet does not require third-party audits for mango's own code. safe-to-deploy is governed by in-tree review (CODEOWNERS + PR review)." + +[policy.raft-engine] +audit-as-crates-io = true +notes = """humancto/raft-engine fork of tikv/raft-engine (see ADR 0002 §W5, .planning/fork-raft-engine-lz4-verification.md). `audit-as-crates-io = true` governs how third-party audits are interpreted (git source audited as-if the crates.io tarball at matching package.version), NOT how exemption entries match. Exemptions for a git dep key on the full resolved source (`0.4.2@git:`), so the companion `[[exemptions.raft-engine]]` entry carries the SHA-qualified version — see .planning/fork-raft-engine-lz4-verification.md §"Supply-chain audit posture" for the full rule and the retirement/rebase edits it implies. The fork's incremental delta over upstream (two commits feature-gating lz4-sys) is audited separately via rust-expert's two-round review of the fork and via upstream PR tikv/raft-engine#397.""" + [policy.xtask-vet-ttl] audit-as-crates-io = false criteria = "safe-to-deploy" @@ -63,6 +72,11 @@ version = "0.3.6" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.autocfg]] +version = "1.5.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (build-dep), audit pending" + [[exemptions.bincode]] version = "1.3.3" criteria = "safe-to-deploy" @@ -88,11 +102,56 @@ version = "2.5.0" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.const-random]] +version = "0.1.18" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, audit pending" + +[[exemptions.const-random-macro]] +version = "0.1.16" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, audit pending" + +[[exemptions.crc32fast]] +version = "1.5.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, audit pending" + +[[exemptions.crossbeam]] +version = "0.8.4" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, audit pending" + +[[exemptions.crossbeam-channel]] +version = "0.5.4" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, audit pending" + +[[exemptions.crossbeam-deque]] +version = "0.8.6" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rayon), audit pending" + +[[exemptions.crossbeam-epoch]] +version = "0.9.9" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (crossbeam), audit pending" + +[[exemptions.crossbeam-queue]] +version = "0.3.12" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, audit pending" + [[exemptions.crossbeam-utils]] version = "0.8.8" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.crunchy]] +version = "0.2.4" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (tiny-keccak), audit pending" + [[exemptions.darling]] version = "0.14.4" criteria = "safe-to-deploy" @@ -128,6 +187,11 @@ version = "0.5.4" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.fail]] +version = "0.5.1" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (fault-injection), audit pending" + [[exemptions.fastrand]] version = "2.4.1" criteria = "safe-to-deploy" @@ -143,6 +207,11 @@ version = "0.5.7" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — petgraph dep, audit pending" +[[exemptions.fs2]] +version = "0.4.3" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (file locking), audit pending" + [[exemptions.futures-core]] version = "0.3.32" criteria = "safe-to-deploy" @@ -183,6 +252,11 @@ version = "0.3.4" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — rust-random, audit pending" +[[exemptions.hashbrown]] +version = "0.14.5" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (pins 0.14.5; modern tree uses 0.16.x), audit pending" + [[exemptions.hashbrown]] version = "0.16.1" criteria = "safe-to-deploy" @@ -193,6 +267,11 @@ version = "1.0.1" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.if_chain]] +version = "1.0.3" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai), audit pending" + [[exemptions.itertools]] version = "0.14.0" criteria = "safe-to-deploy" @@ -203,6 +282,11 @@ version = "1.0.18" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — dtolnay, audit pending" +[[exemptions.js-sys]] +version = "0.3.95" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai/web-time); wasm targets only. audit pending" + [[exemptions.libc]] version = "0.2.185" criteria = "safe-to-deploy" @@ -243,6 +327,11 @@ version = "2.8.0" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — BurntSushi, audit pending" +[[exemptions.memoffset]] +version = "0.6.5" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (nix 0.26), audit pending" + [[exemptions.mio]] version = "1.2.0" criteria = "safe-to-deploy" @@ -258,6 +347,16 @@ version = "0.2.0" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.nix]] +version = "0.26.4" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (pins 0.26.4; modern tree on newer nix), audit pending" + +[[exemptions.no-std-compat]] +version = "0.4.1" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai/spin), audit pending" + [[exemptions.num-conv]] version = "0.2.1" criteria = "safe-to-deploy" @@ -273,6 +372,16 @@ version = "0.3.0" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.parking_lot]] +version = "0.12.5" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, Amanieu, audit pending" + +[[exemptions.parking_lot_core]] +version = "0.9.12" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (parking_lot), Amanieu, audit pending" + [[exemptions.petgraph]] version = "0.7.1" criteria = "safe-to-deploy" @@ -283,6 +392,11 @@ version = "0.2.17" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — taiki-e, audit pending" +[[exemptions.portable-atomic]] +version = "1.13.1" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (once_cell), taiki-e, audit pending" + [[exemptions.ppv-lite86]] version = "0.2.21" criteria = "safe-to-deploy" @@ -298,6 +412,16 @@ version = "1.0.106" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — dtolnay, audit pending" +[[exemptions.prometheus]] +version = "0.13.4" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (metrics), audit pending" + +[[exemptions.prometheus-static-metric]] +version = "0.5.1" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (prometheus helper), audit pending" + [[exemptions.prost]] version = "0.13.5" criteria = "safe-to-deploy" @@ -318,6 +442,11 @@ version = "0.13.5" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — tokio-rs prost, audit pending" +[[exemptions.protobuf]] +version = "2.28.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rust-protobuf 2.x via prometheus), audit pending" + [[exemptions.quote]] version = "1.0.45" criteria = "safe-to-deploy" @@ -328,6 +457,11 @@ version = "5.3.0" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — getrandom transitive, r-efi maintainers, audit pending" +[[exemptions.raft-engine]] +version = "0.4.2@git:e1d738d9ad1c1fc4f5b21c8c73bf605b5696f535" +criteria = "safe-to-deploy" +notes = 'review-by: 2026-10-23 — Mango WAL backend via humancto/raft-engine fork. cargo-vet keys exemptions on the full resolved source (`0.4.2@git:` for git deps), NOT on `package.version` alone, even with `[policy.raft-engine] audit-as-crates-io = true`. That means this exemption covers THIS SPECIFIC FORK SHA only: rebasing the fork requires a new exemption line at the new `0.4.2@git:` form, and retiring to upstream crates.io 0.4.2 requires a new exemption at plain `version = "0.4.2"`. See ADR 0002 §W5 and .planning/fork-raft-engine-lz4-verification.md §"Supply-chain audit posture".' + [[exemptions.rand]] version = "0.8.6" criteria = "safe-to-deploy" @@ -338,6 +472,26 @@ version = "0.6.0" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.rayon]] +version = "1.12.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, audit pending" + +[[exemptions.rayon-core]] +version = "1.13.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rayon), audit pending" + +[[exemptions.redb]] +version = "4.1.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — Mango KV backend per ADR 0002, audit pending" + +[[exemptions.redox_syscall]] +version = "0.5.18" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (parking_lot_core on redox), audit pending" + [[exemptions.regex]] version = "1.12.3" criteria = "safe-to-deploy" @@ -353,6 +507,16 @@ version = "0.8.10" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — rust-lang, audit pending" +[[exemptions.rhai]] +version = "1.24.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (scripting engine), audit pending" + +[[exemptions.rhai_codegen]] +version = "3.1.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai proc-macros), audit pending" + [[exemptions.rustix]] version = "1.1.4" criteria = "safe-to-deploy" @@ -388,6 +552,11 @@ version = "1.0.228" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — serde-rs/dtolnay, audit pending" +[[exemptions.serde_repr]] +version = "0.1.20" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, dtolnay, audit pending" + [[exemptions.serde_spanned]] version = "0.6.9" criteria = "safe-to-deploy" @@ -403,11 +572,21 @@ version = "0.4.12" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.smartstring]] +version = "1.0.1" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai), audit pending" + [[exemptions.socket2]] version = "0.6.3" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.spin]] +version = "0.5.2" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (no-std-compat), audit pending" + [[exemptions.spin]] version = "0.9.4" criteria = "safe-to-deploy" @@ -428,6 +607,16 @@ version = "3.27.0" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — Stebalien, audit pending" +[[exemptions.thiserror]] +version = "1.0.43" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, dtolnay, audit pending" + +[[exemptions.thiserror-impl]] +version = "1.0.43" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive, dtolnay, audit pending" + [[exemptions.thread_local]] version = "1.1.9" criteria = "safe-to-deploy" @@ -438,6 +627,11 @@ version = "0.3.41" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — jhpratt, audit pending" +[[exemptions.tiny-keccak]] +version = "2.0.2" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (const-random), audit pending" + [[exemptions.tokio]] version = "1.52.1" criteria = "safe-to-deploy" @@ -518,6 +712,46 @@ version = "0.11.1+wasi-snapshot-preview1" criteria = "safe-to-deploy" notes = "review-by: 2026-10-23 — madsim 0.2.30 transitive (dev-dep via mango-madsim-demo), audit pending" +[[exemptions.wasm-bindgen]] +version = "0.2.118" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai/web-time); wasm targets only. audit pending" + +[[exemptions.wasm-bindgen-macro]] +version = "0.2.118" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai/web-time); wasm targets only. audit pending" + +[[exemptions.wasm-bindgen-macro-support]] +version = "0.2.118" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai/web-time); wasm targets only. audit pending" + +[[exemptions.wasm-bindgen-shared]] +version = "0.2.118" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai/web-time); wasm targets only. audit pending" + +[[exemptions.web-time]] +version = "1.1.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (rhai on wasm targets), audit pending" + +[[exemptions.winapi]] +version = "0.3.9" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — raft-engine 0.4.2 transitive (fs2); Windows targets only. audit pending" + +[[exemptions.winapi-i686-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — winapi prebuilt-import-lib helper; Windows targets only. audit pending" + +[[exemptions.winapi-x86_64-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" +notes = "review-by: 2026-10-23 — winapi prebuilt-import-lib helper; Windows targets only. audit pending" + [[exemptions.windows-link]] version = "0.1.3" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index eaf0ea3..11cfc65 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -13,6 +13,13 @@ version = "0.57.1" when = "2026-04-17" trusted-publisher = "github:bytecodealliance/wit-bindgen" +[[audits.bytecode-alliance.wildcard-audits.bumpalo]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 +start = "2019-03-16" +end = "2026-08-21" + [[audits.bytecode-alliance.wildcard-audits.wasip2]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -31,6 +38,15 @@ start = "2025-08-13" end = "2027-01-08" notes = "The Bytecode Alliance is the author of this crate" +[[audits.bytecode-alliance.audits.allocator-api2]] +who = "Chris Fallin " +criteria = "safe-to-deploy" +delta = "0.2.18 -> 0.2.20" +notes = """ +The changes appear to be reasonable updates from Rust's stdlib imported into +`allocator-api2`'s copy of this code. +""" + [[audits.bytecode-alliance.audits.async-task]] who = "Chris Fallin " criteria = "safe-to-deploy" @@ -77,6 +93,35 @@ criteria = "safe-to-deploy" delta = "2.10.0 -> 2.11.1" notes = "Minor updates, nothing awry here." +[[audits.bytecode-alliance.audits.crossbeam-channel]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.5.4 -> 0.5.8" +notes = """ +This diff does what it says on the tin for this version range, notably fixing a +race condition, improving handling of durations, and additionally swapping out a +spin lock with a lock from the standard library. Minor bits of `unsafe` code +are modified but that's expected given the nature of this crate. +""" + +[[audits.bytecode-alliance.audits.crossbeam-epoch]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.9.9 -> 0.9.15" +notes = """ +In general crossbeam has quite a lot of unsafe code as it's a primitive tool for +concurrency but this update isn't adding any extra unsafe than there already +was and all the updates here are related to odds-and-ends maintenance. In +other words everything is as one would expect from a minor update for this +crate. +""" + +[[audits.bytecode-alliance.audits.crossbeam-epoch]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.9.15 -> 0.9.18" +notes = "Nontrivial update but mostly around dependencies and how `unsafe` code is managed. Everything looks the same shape as before." + [[audits.bytecode-alliance.audits.heck]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -112,12 +157,23 @@ criteria = "safe-to-deploy" delta = "0.50.1 -> 0.50.3" notes = "CI changes, Rust changes, nothing out of the ordinary." +[[audits.bytecode-alliance.audits.num-traits]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.2.19" +notes = "As advertised: a numeric library. The only `unsafe` is from some float-to-int conversions, which seems expected." + [[audits.bytecode-alliance.audits.parking]] who = "Chris Fallin " criteria = "safe-to-deploy" version = "2.2.1" notes = "forbid-unsafe crate with straightforward imports." +[[audits.bytecode-alliance.audits.pin-utils]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.0" + [[audits.bytecode-alliance.audits.sharded-slab]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -141,6 +197,12 @@ who = "Pat Hickey " criteria = "safe-to-deploy" delta = "0.9.4 -> 0.9.8" +[[audits.bytecode-alliance.audits.static_assertions]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "No dependencies and completely a compile-time crate as advertised. Uses `unsafe` in one module as a compile-time check only: `mem::transmute` and `ptr::write` are wrapped in an impossible-to-run closure." + [[audits.bytecode-alliance.audits.tracing-log]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -172,6 +234,13 @@ Additional review comments can be found at https://crrev.com/c/4723145/31 """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.byteorder]] +who = "danakj " +criteria = "safe-to-deploy" +version = "1.5.0" +notes = "Unsafe review in https://crrev.com/c/5838022" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.either]] who = "Manish Goregaokar " criteria = "safe-to-deploy" @@ -333,6 +402,40 @@ Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.strum]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.25.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.strum_macros]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.25.3" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.mozilla.audits.allocator-api2]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +version = "0.2.18" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.allocator-api2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.20 -> 0.2.21" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.bitflags]] who = "Alex Franchuk " criteria = "safe-to-deploy" @@ -380,6 +483,38 @@ criteria = "safe-to-deploy" delta = "2.9.4 -> 2.10.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.crossbeam-channel]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.5.8 -> 0.5.11" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.crossbeam-channel]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.5.11 -> 0.5.12" +notes = "Minimal change fixing a memory leak." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.crossbeam-channel]] +who = "Glenn Watson " +criteria = "safe-to-deploy" +delta = "0.5.12 -> 0.5.13" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.crossbeam-channel]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.5.13 -> 0.5.14" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.crossbeam-channel]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.5.14 -> 0.5.15" +notes = "Fixes a regression from an earlier version which could lead to a double free" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.crossbeam-utils]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -442,6 +577,12 @@ version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.hex]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +version = "0.4.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.indexmap]] who = "Erich Gubler " criteria = "safe-to-deploy" @@ -454,6 +595,31 @@ criteria = "safe-to-deploy" delta = "0.4.26 -> 0.4.29" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.memoffset]] +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +delta = "0.6.5 -> 0.7.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-derive]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.3.3" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-derive]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.3 -> 0.4.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-derive]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.4.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.powerfmt]] who = "Alex Franchuk " criteria = "safe-to-deploy" @@ -482,6 +648,63 @@ criteria = "safe-to-deploy" delta = "1.14.0 -> 1.15.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.strum]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.25.0 -> 0.26.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.strum_macros]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "0.25.3 -> 0.26.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.thin-vec]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.2.5" +notes = "I own this crate, and most of its versions were codeveloped and reviewed by Nika Layzell. This version was not explicitly reviewed by her, but it was specifically a release that made the code pass miri and was reviewed by me. Firefox uses it in the gecko-ffi configuration which is less thoroughly tested and more dangerous but we're reasonably confident in it. The real danger is from C++ code failing to use it correctly in FFI but that's just how FFI is." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.thin-vec]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.5 -> 0.2.7" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.thin-vec]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.7 -> 0.2.12" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.thin-vec]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +delta = "0.2.12 -> 0.2.14" +notes = "Minor API additions, trivial no-std support, and minor inlining tweaks." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.thin-vec]] +who = "Emilio Cobos Álvarez " +criteria = "safe-to-deploy" +delta = "0.2.14 -> 0.2.16" +notes = "All patches either authored or reviewed by me." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.thiserror]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.43 -> 1.0.69" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.thiserror-impl]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.43 -> 1.0.69" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.time]] who = "Lars Eggert " criteria = "safe-to-deploy" diff --git a/unsafe-baseline.json b/unsafe-baseline.json index 75c1b86..90bf1fa 100644 --- a/unsafe-baseline.json +++ b/unsafe-baseline.json @@ -1,6 +1,6 @@ { "generated_by": "scripts/geiger-update-baseline.sh", - "generated_at": "2026-04-23T00:00:00Z", + "generated_at": "2026-04-24T00:00:00Z", "cargo_geiger_version": "0.13.0", "crates": { "mango": { @@ -23,6 +23,13 @@ "item_impls": 0, "item_traits": 0, "methods": 0 + }, + "mango-storage": { + "functions": 0, + "exprs": 0, + "item_impls": 0, + "item_traits": 0, + "methods": 0 } }, "totals": {