nyx-sec
diff --git a/‎.config/nextest.toml‎
Lines changed: 19 additions & 0 deletions b/‎.config/nextest.toml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 94 additions & 9 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 94 additions & 9 deletions
diff --git a/‎.github/workflows/corpus_promote.yml‎
Lines changed: 167 additions & 0 deletions b/‎.github/workflows/corpus_promote.yml‎
Lines changed: 167 additions & 0 deletions
diff --git a/‎.github/workflows/docs.yml‎
Lines changed: 5 additions & 0 deletions b/‎.github/workflows/docs.yml‎
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,19 @@
+# nextest configuration
+#
+# See https://nexte.st/docs/configuration/ for the full schema.
+
+# ── Test groups ──────────────────────────────────────────────────────────────
+#
+# `hostile-input-timing` serialises the two timing-bounded
+# `hostile_input_tests` cases that pass under nextest in isolation but fail
+# under the full-suite parallel run on darwin (resource contention from the
+# other ~4000 tests pushes them past their internal budget). Pinning them to
+# a single thread within their own group keeps their wall-clock predictable
+# without slowing the rest of the suite.
+
+[test-groups]
+hostile-input-timing = { max-threads = 1 }
+
+[[profile.default.overrides]]
+filter = 'binary(hostile_input_tests) and (test(very_long_single_line_parses) or test(many_small_functions_do_not_explode))'
+test-group = 'hostile-input-timing'
@@ -8,6 +8,7 @@ on:
     branches: ["master"]
   pull_request:
     branches: ["master"]
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -197,8 +198,8 @@ jobs:
       - name: Compile check at MSRV
         run: cargo check --all-features --tests
 
-  rust-stable-test:
-    name: rust-stable-test
+  rust-stable-test-linux-without-docker:
+    name: rust-stable-test / linux-without-docker
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -210,8 +211,59 @@ jobs:
 
       - uses: taiki-e/install-action@nextest
 
-      - name: Rust tests (stable)
-        run: cargo nextest run --all-features
+      - name: Rust tests (stable, no docker)
+        run: cargo nextest run --no-fail-fast --all-features
+
+  rust-stable-test-linux-with-docker:
+    name: rust-stable-test / linux-with-docker
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
+          cache: true
+
+      - uses: taiki-e/install-action@nextest
+
+      - name: Pull language images for sandbox tests
+        run: |
+          docker pull python:3-slim
+          docker pull node:20-slim
+          docker pull eclipse-temurin:21-jre-jammy
+          docker pull php:8-cli
+
+      - name: Smoke-test interpreter availability
+        run: |
+          docker run --rm python:3-slim python3 --version
+          docker run --rm node:20-slim node --version
+          docker run --rm eclipse-temurin:21-jre-jammy java -version
+          docker run --rm php:8-cli php --version
+
+      - name: Rust tests with docker (sandbox escape gate)
+        run: cargo nextest run --no-fail-fast --all-features --test dynamic_sandbox_escape --test dynamic_parity
+
+  escape-positive-control:
+    name: escape-positive-control
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
+          cache: true
+
+      - uses: taiki-e/install-action@nextest
+
+      - name: Pull python image
+        run: docker pull python:3-slim
+
+      - name: Escape positive control (gate wiring check)
+        run: |
+          cargo nextest run --no-fail-fast --all-features --test dynamic_sandbox_escape \
+            -- --include-ignored positive_control_cap_sys_admin
 
   cross-platform-smoke:
     name: cross-platform-smoke
@@ -234,7 +286,7 @@ jobs:
         run: cargo build --release --all-features
 
       - name: Smoke tests
-        run: cargo nextest run --all-features --test integration_tests --test pattern_tests --test cli_validation_tests
+        run: cargo nextest run --no-fail-fast --all-features --test integration_tests --test pattern_tests --test cli_validation_tests
 
   rust-beta-test:
     name: rust-beta-test
@@ -250,7 +302,7 @@ jobs:
       - uses: taiki-e/install-action@nextest
 
       - name: Rust tests (beta)
-        run: cargo nextest run --all-features
+        run: cargo nextest run --no-fail-fast --all-features
 
   cargo-package:
     name: cargo-package
@@ -299,16 +351,18 @@ jobs:
           cache: true
           cache-key: benchmark-gate-release
 
+      - uses: taiki-e/install-action@nextest
+
       - name: Build benchmark + perf test binaries
-        run: cargo test --release --all-features --test benchmark_test --test perf_tests --no-run
+        run: cargo nextest run --release --all-features --test benchmark_test --test perf_tests --no-run
 
       - name: Accuracy regression gate (P/R/F1)
-        run: cargo test --release --all-features --test benchmark_test -- --ignored --nocapture benchmark_evaluation
+        run: cargo nextest run --no-fail-fast --release --all-features --test benchmark_test --run-ignored only --no-capture benchmark_evaluation
 
       - name: Performance regression gate
         env:
           NYX_CI_BENCH: "1"
-        run: cargo test --release --all-features --test perf_tests -- --nocapture
+        run: cargo nextest run --no-fail-fast --release --all-features --test perf_tests --no-capture
 
       - name: Upload benchmark results
         if: always()
@@ -317,3 +371,34 @@ jobs:
           name: benchmark-results
           path: tests/benchmark/results/latest.json
           if-no-files-found: warn
+
+  corpus-marker-audit:
+    name: corpus-marker-audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Marker collision audit (§16.3)
+        run: python3 scripts/corpus_dashboard.py
+        # Exits non-zero if any oracle marker from one cap appears in another
+        # cap's payload bytes.  This catches cross-cap oracle collisions that
+        # would cause false-positive confirmed verdicts.
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
+          cache: true
+
+      - uses: taiki-e/install-action@nextest
+
+      - name: Corpus unit tests (no_marker_collisions, all_payloads_have_fixture_paths)
+        run: cargo nextest run --no-fail-fast --lib -p nyx-scanner dynamic::corpus
+        env:
+          RUST_LOG: error
+
+      - name: Corpus dashboard sync check (Python/Rust payload table parity)
+        run: python3 scripts/check_corpus_sync.py
@@ -0,0 +1,167 @@
+name: Corpus Promote
+
+# Weekly automated promotion-PR template.
+#
+# Scans fuzz-discovered/ for candidates not yet in src/dynamic/corpus.rs
+# and opens a PR proposing them for human review (§16.4 — no auto-merge).
+#
+# Also runs the marker-collision audit as a hard gate: if any collision is
+# found the workflow fails rather than proposing the promotion.
+
+on:
+  schedule:
+    # Sundays at 09:00 UTC — offset from the fuzz run (06:00 UTC) so
+    # discovered candidates are ready before the promotion job runs.
+    - cron: "0 9 * * 0"
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Dry run (print PR body but do not open)"
+        required: false
+        default: "false"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: corpus-promote
+  cancel-in-progress: true
+
+jobs:
+  promote:
+    name: Propose corpus promotions
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
+          cache: true
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Build frontend
+        working-directory: frontend
+        run: |
+          npm ci
+          npm run build
+
+      # ── Marker collision audit ──────────────────────────────────────────────
+      - name: Marker collision audit
+        run: |
+          set -euo pipefail
+          cargo build --features dynamic -p nyx-scanner 2>/dev/null || true
+          cd fuzz/dynamic_corpus
+          cargo run -- audit-markers
+        env:
+          RUST_LOG: error
+
+      # ── Discover candidates ─────────────────────────────────────────────────
+      - name: Find promotion candidates
+        id: candidates
+        run: |
+          set -euo pipefail
+          count=0
+          files=""
+          if [ -d fuzz-discovered ]; then
+            while IFS= read -r f; do
+              # Skip .gitkeep, sidecar JSONs, and files already listed in corpus.rs.
+              [[ "$f" == *".gitkeep" ]] && continue
+              [[ "$f" == *".json" ]] && continue
+              bytes=$(xxd -p "$f" | tr -d '\n')
+              if ! grep -q "$bytes" src/dynamic/corpus.rs 2>/dev/null; then
+                count=$((count + 1))
+                files="$files $f"
+              fi
+            done < <(find fuzz-discovered -type f | sort)
+          fi
+          echo "count=$count" >> "$GITHUB_OUTPUT"
+          echo "files=$files" >> "$GITHUB_OUTPUT"
+
+      - name: Skip if no new candidates
+        if: steps.candidates.outputs.count == '0'
+        run: |
+          echo "No new candidates found in fuzz-discovered/. Nothing to promote."
+
+      # ── Open promotion PR ───────────────────────────────────────────────────
+      - name: Open promotion PR
+        if: >
+          steps.candidates.outputs.count != '0' &&
+          github.event.inputs.dry_run != 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          CANDIDATE_COUNT: ${{ steps.candidates.outputs.count }}
+          CANDIDATE_FILES: ${{ steps.candidates.outputs.files }}
+        run: |
+          set -euo pipefail
+          branch="corpus-promote-$(date +%Y%m%d)"
+          git checkout -b "$branch"
+
+          # Stage candidate files into fuzz-discovered (already there).
+          # The PR body provides the reviewer with everything they need.
+
+          # Build PR body into a temp file to avoid shell re-interpolation of
+          # sidecar JSON content (which may contain backticks or $(...) sequences).
+          body_file=$(mktemp)
+
+          cat > "$body_file" <<'PREAMBLE'
+          ## Corpus Promotion Proposal
+
+          This PR was generated automatically by the weekly corpus-promote workflow.
+          It does **not** auto-merge — a human reviewer must approve each candidate
+          before it can land in `src/dynamic/corpus.rs` (§16.4).
+
+          ### Candidates
+
+          The following payloads were discovered by the internal mutation fuzzer and
+          confirmed via `sink_hit && oracle_fired` against instrumented fixtures:
+
+          PREAMBLE
+
+          for f in $CANDIDATE_FILES; do
+            sidecar="${f}.json"
+            printf -- '- `%s`\n' "$f" >> "$body_file"
+            if [ -f "$sidecar" ]; then
+              printf '  ```json\n' >> "$body_file"
+              cat "$sidecar" >> "$body_file"
+              printf '\n  ```\n' >> "$body_file"
+            fi
+          done
+
+          cat >> "$body_file" <<'CHECKLIST'
+
+          ### Review checklist
+
+          - [ ] Bytes are a genuine attack vector, not a fixture artifact
+          - [ ] Oracle marker is unique (no collision with other caps)
+          - [ ] `fixture_paths` updated in `src/dynamic/corpus.rs`
+          - [ ] `since_corpus_version` set to next version
+          - [ ] `CORPUS_VERSION` bumped and bump history updated
+
+          _Generated by corpus_promote.yml — do not auto-merge._
+          CHECKLIST
+
+          git add fuzz-discovered/ || true
+          git diff --cached --quiet || git commit -m "chore: add ${CANDIDATE_COUNT} fuzzer-discovered corpus candidates"
+
+          git push origin "$branch"
+
+          gh pr create \
+            --title "chore(corpus): promote ${CANDIDATE_COUNT} fuzzer-discovered payload(s)" \
+            --body "$(cat "$body_file")" \
+            --base master \
+            --label "corpus-promotion" || true
+
+          rm -f "$body_file"
+
+      - name: Dry run summary
+        if: github.event.inputs.dry_run == 'true'
+        run: |
+          echo "Dry run: would promote ${{ steps.candidates.outputs.count }} candidate(s)."
+          echo "Files: ${{ steps.candidates.outputs.files }}"
@@ -25,6 +25,11 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          toolchain: stable
+          cache: true
+
       - name: Cache mdbook
         id: cache-mdbook
         uses: actions/cache@v5