Release v0.12.0: gate OOM hook behind opt-in feature, bump version

Makes masstin compile cleanly on stable Rust while keeping the full OOM
recovery hook in the published release binaries.

## Problem

The EVTX carving path installs `std::alloc::set_alloc_error_hook` so
that allocation failures triggered by the `evtx` crate when it parses
corrupt BinXML from unallocated space become catchable panics instead
of process aborts. That function is still nightly-only, so the crate
attribute `#![feature(alloc_error_hook)]` on `src/lib.rs` forced the
whole crate to require nightly — including a plain `cargo install masstin`
from crates.io, which is not acceptable for a tool aimed at responders.

## Fix

- New Cargo feature `nightly-oom-hook`, disabled by default.
- `lib.rs` gates the nightly attribute with
  `#![cfg_attr(feature = "nightly-oom-hook", feature(alloc_error_hook))]`
  so stable sees no unstable-feature attribute at all.
- `parse_carve.rs` has two `install_oom_hook()` definitions:
  - `#[cfg(feature = "nightly-oom-hook")]` — the real hook
  - `#[cfg(not(...))]` — a no-op stub
- `.github/workflows/release.yml` switched from stable to nightly and
  now builds with `--features nightly-oom-hook` on all three targets,
  so the binaries published under GitHub Releases carry full OOM
  protection out of the box.
- README: short build-note paragraph explaining the policy. End users
  downloading released binaries see a normal executable and never
  interact with Rust or nightly. Contributors compiling from source on
  stable get a fully functional masstin; only the OOM recovery in the
  carving path becomes a no-op, which only affects the 1% of images
  with pathological BinXML corruption.

Version bumped from 0.11.0 to 0.12.0 — significant feature release
covering parse-custom, EVTX carving hardening, and this build policy.

Verified locally that both `cargo build --release` and
`cargo build --release --features nightly-oom-hook` compile cleanly
on the nightly toolchain currently installed.

Author: jupyterj0nes

.github/workflows/release.yml

@@ -28,13 +28,20 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+      - name: Install Rust (nightly — required by the opt-in nightly-oom-hook feature)
+        uses: dtolnay/rust-toolchain@nightly
         with:
           targets: ${{ matrix.target }}
 
-      - name: Build
-        run: cargo build --release --target ${{ matrix.target }}
+      - name: Build with nightly-oom-hook feature enabled
+        # The released binaries enable `nightly-oom-hook` so EVTX carving
+        # can catch BinXML-triggered OOM aborts from the evtx crate and
+        # continue processing the rest of the image. End users run a
+        # normal executable — they never interact with Rust or nightly.
+        # Contributors building from source on stable can use plain
+        # `cargo build` without the feature; everything still works,
+        # only the carving OOM protection becomes a no-op.
+        run: cargo build --release --target ${{ matrix.target }} --features nightly-oom-hook
 
       - name: Rename binary (Windows)
         if: matrix.os == 'windows-latest'

Cargo.lock

@@ -1,12 +1,24 @@
 [package]
 name = "masstin"
-version = "0.11.0"
+version = "0.12.0"
 edition = "2021"
 description = "Lateral movement tracker for anything! A DFIR tool that parses forensic artifacts and visualizes lateral movement in graph databases. Written by Toño Díaz (@jupyterjones)"
 authors = ["Tono Diaz (@jupyterj0nes)"]
 repository = "https://github.com/jupyterjones/masstin"
 license = "AGPL-3.0-only"
 
+# Optional features
+#
+# `nightly-oom-hook` installs std::alloc::set_alloc_error_hook during EVTX
+# carving so allocation failures from malformed BinXML can be caught and
+# the offending chunk rejected, instead of aborting the whole process.
+# The hook is nightly-only today, so the feature is opt-in. The official
+# release binaries are built with this feature enabled on nightly Rust.
+# Plain `cargo build` on stable compiles cleanly with a no-op stub.
+[features]
+default = []
+nightly-oom-hook = []
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]

Cargo.toml

@@ -51,6 +51,8 @@ Named after the [Mastín Leonés](https://en.wikipedia.org/wiki/Spanish_Mastiff)
 | **EVTX carving** | `carve-image` scans raw disk data for EVTX chunks (`ElfChnk`) in unallocated space — recovers lateral movement events even after logs AND VSS are deleted. Implements **Tier 1** (full 64 KB chunks) and **Tier 2** (orphan record detection); **Tier 3** (template matching for partially overwritten records) is planned. Builds synthetic EVTX files grouped by provider and parses them through the full pipeline. Hardened against upstream `evtx` crate bugs (infinite loops, multi-GB OOMs) via thread isolation + `alloc_error_hook`. Corrupted chunks can be skipped with `--skip-offsets`. | [EVTX carving](https://weinvestigateanything.com/en/tools/evtx-carving-unallocated/) |
 | **Multi-artifact parsing** | 32+ Windows Event IDs from 11 EVTX sources + Scheduled Tasks XML + MountPoints2 registry + Linux logs + Winlogbeat JSON + Cortex XDR | [Artifacts](#supported-artifacts) |
 | **Custom parsers (YAML)** | `parse-custom` action parses arbitrary VPN / firewall / proxy logs via YAML rule files with 3 extractor types (csv, regex, keyvalue) and nested sub-extract. Ships with 8 researched rules and 31 sub-parsers out of the box: Palo Alto GlobalProtect (5), Palo Alto TRAFFIC with User-ID filter (2), Cisco AnyConnect (4), Cisco ASA (6), Fortinet SSL VPN (3), Fortinet FortiGate (4), OpenVPN (4), Squid proxy (3). Every rule is backed by vendor official documentation — see [`rules/README.md#references`](rules/README.md#references). Full schema spec in [`docs/custom-parsers.md`](docs/custom-parsers.md). | [Custom parsers](https://weinvestigateanything.com/en/tools/masstin-custom-parsers/) |
+
+> **Build note.** Core masstin builds on **stable Rust** with a plain `cargo build --release` — the default configuration does not require nightly. The EVTX carving path ships with an optional OOM-recovery hook (`nightly-oom-hook` Cargo feature) that uses `std::alloc::set_alloc_error_hook`, which is currently nightly-only. The official **pre-built release binaries** on the [Releases page](https://github.com/jupyterj0nes/masstin/releases) are compiled on nightly with this feature enabled, so end users downloading those binaries get the full OOM protection automatically — no Rust toolchain required at runtime. Contributors building from source on stable get a fully functional masstin; the OOM hook becomes a no-op stub, which only affects the 1% of forensic images with pathological BinXML corruption in carved chunks.
 | **Event classification** | Every event classified as `SUCCESSFUL_LOGON`, `FAILED_LOGON`, `LOGOFF` or `CONNECT` with human-readable failure reasons | [CSV format](https://weinvestigateanything.com/en/tools/masstin-csv-format/) |
 | **Unified timeline** | All sources merged into a single chronological CSV with 14 standardized columns | [CSV format](https://weinvestigateanything.com/en/tools/masstin-csv-format/) |
 | **Cross-platform timeline** | Windows EVTX + Linux SSH + EDR data in one timeline — `parse-image` auto-merges across OS boundaries, or use `merge` for manual combination | |

README.md

@@ -1,4 +1,8 @@
-#![feature(alloc_error_hook)]
+// Crate-level feature gate for the optional OOM hook used by EVTX carving.
+// Only activated when the `nightly-oom-hook` Cargo feature is on, and only
+// compiles on nightly Rust. On stable (or nightly without the feature),
+// the gate is not emitted and masstin builds cleanly.
+#![cfg_attr(feature = "nightly-oom-hook", feature(alloc_error_hook))]
 
 use clap::{Parser, ValueEnum};
 use std::fs;

src/lib.rs

@@ -25,13 +25,31 @@ const EVTX_CHUNK_SIZE: usize = 65536; // 64KB
 const RECORD_MAGIC: &[u8; 4] = b"\x2a\x2a\x00\x00";
 const SCAN_BLOCK_SIZE: usize = 4 * 1024 * 1024; // 4MB read blocks
 
-/// Main entry point for carve-image action
-pub fn carve_image(files: &[String], output: Option<&String>, unalloc_only: bool, skip_offsets: &[u64]) {
-    // Convert OOM aborts into panics so the isolated-thread validator can recover
-    // when the evtx crate tries to allocate multi-GB buffers on corrupt BinXML.
+/// Install a global allocation error hook that converts OOM aborts into panics,
+/// so the isolated-thread validator below can recover when the evtx crate tries
+/// to allocate multi-GB buffers on corrupt BinXML.
+///
+/// On nightly with `--features nightly-oom-hook`, this is the real hook. On
+/// stable (or nightly without the feature) it's a no-op stub: allocation
+/// failures will abort the process as they would without masstin's protection.
+/// The official release binaries are built on nightly with the feature enabled.
+#[cfg(feature = "nightly-oom-hook")]
+fn install_oom_hook() {
     std::alloc::set_alloc_error_hook(|layout| {
         panic!("allocation of {} bytes failed (caught by masstin hook)", layout.size());
     });
+}
+
+#[cfg(not(feature = "nightly-oom-hook"))]
+fn install_oom_hook() {
+    // No-op on stable. carve-image still works; the catch_unwind isolation
+    // thread recovers from panics (including OOM re-raised via other paths),
+    // but a bare `abort()` from the allocator propagates out as before.
+}
+
+/// Main entry point for carve-image action
+pub fn carve_image(files: &[String], output: Option<&String>, unalloc_only: bool, skip_offsets: &[u64]) {
+    install_oom_hook();
 
     let start_time = std::time::Instant::now();