backbay-labs · bb-connor · Mar 19, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -603,17 +603,19 @@ jobs:
           # desktop and workbench Tauri crates. Keep excluding the long-lived
           # desktop Tauri surface from the changed-line floor until it has a
           # dedicated changed-line gate instead of inheriting legacy branch
-          # churn. Also exclude standalone crates still outside the combined
-          # coverage set, the out-of-workspace `logos-z3` crate, and test-only
-          # Rust sources that do not emit stable LCOV entries in this job. The
-          # root workspace coverage run installs Z3 and uses `--all-features`,
-          # so `clawdstrike-logos` solver-gated paths remain in scope here.
+          # churn. Also exclude vendored upstream Rust snapshots, standalone
+          # crates still outside the combined coverage set, the out-of-workspace
+          # `logos-z3` crate, and test-only Rust sources that do not emit stable
+          # LCOV entries in this job. The root workspace coverage run installs
+          # Z3 and uses `--all-features`, so `clawdstrike-logos` solver-gated
+          # paths remain in scope here.
           grep -v '^apps/agent/src-tauri/' changed_rust_files.txt \
             | grep -v '^apps/desktop/src-tauri/' \
             | grep -v '^apps/workbench/src-tauri/' \
             | grep -v '^crates/bridges/hush-go-native/' \
             | grep -v '^crates/libs/logos-z3/' \
             | grep -v '^packages/sdk/hush-py/hush-native/' \
+            | grep -v '^vendor/hushspec/' \
             | grep -Ev '(^|/)build\.rs$' \
             | grep -Ev '(^|/)tests/|_test\.rs$|_tests\.rs$|integration_tests\.rs$' \
             | grep -Ev '^crates/libs/hunt-(correlate|query|scan)/src/(lib|error)\.rs$' \

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/apps/desktop/src-tauri/Cargo.lock b/apps/desktop/src-tauri/Cargo.lock
diff --git a/crates/libs/clawdstrike/Cargo.toml b/crates/libs/clawdstrike/Cargo.toml
@@ -8,7 +8,7 @@ repository.workspace = true
 rust-version.workspace = true
 keywords = ["security", "ai-agent", "policy", "clawdstrike"]
 categories = ["authentication", "command-line-utilities"]
-readme = "../../README.md"
+readme = "README.md"
 
 [dependencies]
 # Always available (WASM-compatible detection modules)
@@ -30,7 +30,7 @@ tokio = { workspace = true, optional = true }
 dirs = { workspace = true, optional = true }
 nono = { workspace = true, optional = true }
 serde_yaml = { workspace = true, optional = true }
-hushspec = { version = "0.1.0", path = "../../../vendor/hushspec", optional = true }
+hushspec = { version = "0.1.1", path = "../../../vendor/hushspec", optional = true }
 toml = { workspace = true, optional = true }
 glob = { workspace = true, optional = true }
 chrono = { workspace = true, optional = true }

diff --git a/crates/libs/clawdstrike/build.rs b/crates/libs/clawdstrike/build.rs
@@ -0,0 +1,31 @@
+use std::fs;
+use std::path::PathBuf;
+
+fn main() {
+    println!("cargo:rustc-check-cfg=cfg(has_nono_signal_mode)");
+
+    let Ok(manifest_dir) = std::env::var("CARGO_MANIFEST_DIR").map(PathBuf::from) else {
+        return;
+    };
+    let is_packaged_verify_build = manifest_dir
+        .components()
+        .collect::<Vec<_>>()
+        .windows(2)
+        .any(|window| {
+            matches!(window, [target, package]
+            if target.as_os_str() == "target" && package.as_os_str() == "package")
+        });
+
+    let capability_path = manifest_dir.join("../../../infra/vendor/nono/src/capability.rs");
+
+    let has_signal_mode = !is_packaged_verify_build
+        && fs::read_to_string(capability_path)
+            .map(|source| {
+                source.contains("pub enum SignalMode") && source.contains("fn signal_mode")
+            })
+            .unwrap_or(false);
+
+    if has_signal_mode {
+        println!("cargo:rustc-cfg=has_nono_signal_mode");
+    }
+}