Skip to content

Commit 731b803

Browse files
committed
Enforce custom alphabet consistency
1 parent d2e7804 commit 731b803

20 files changed

Lines changed: 230 additions & 15 deletions
Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
name: Scheduled Security Audit
2+
3+
on:
4+
schedule:
5+
- cron: "17 3 * * *"
6+
workflow_dispatch:
7+
8+
permissions:
9+
contents: read
10+
11+
concurrency:
12+
group: scheduled-security-audit
13+
cancel-in-progress: false
14+
15+
jobs:
16+
advisories:
17+
name: RustSec and cargo-deny advisories
18+
runs-on: ubuntu-latest
19+
timeout-minutes: 20
20+
21+
steps:
22+
- name: Checkout repository
23+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
24+
25+
- name: Install Rust toolchain
26+
shell: bash
27+
run: scripts/ci_install_rust.sh
28+
29+
- name: Cache Cargo data
30+
uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
31+
with:
32+
cache-on-failure: true
33+
34+
- name: Install cargo-audit
35+
uses: taiki-e/install-action@c7eb1735f09259a5035e8e5d44b1406b1cddc0fb # v2.83.0
36+
with:
37+
tool: cargo-audit@0.22.2
38+
fallback: none
39+
40+
- name: Install cargo-deny
41+
run: cargo install --locked cargo-deny --version 0.20.2
42+
43+
- name: Check workspace and isolated-tool advisories
44+
run: scripts/check_scheduled_advisories.sh

CHANGELOG.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,11 @@
1111
attribute created only after successful JavaScript and wasm execution.
1212
- Added a fail-closed assertion that the browser success attribute is absent
1313
from the static smoke-test document.
14+
- Added a runtime alphabet-contract check that rejects hand-written
15+
`Alphabet::encode` overrides when they disagree with `Alphabet::ENCODE`,
16+
preventing API-, input-length-, or backend-dependent output.
17+
- Added daily and manually dispatchable RustSec and cargo-deny advisory checks
18+
for the workspace and isolated dudect, fuzz, and performance lockfiles.
1419
- Updated async cleanup and release-evidence documentation.
1520
- Moved the stronger RISC-V RVV proof and backend-admission review to `1.3.9`.
1621
- No core encode/decode logic, SIMD admission scope, unsafe boundary, or core

README.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,9 @@ versions aligned and closes two low-severity evidence and cleanup gaps. Tokio
5959
read-all helpers now wipe replaced vector allocations before deallocation, and
6060
the Chromium wasm smoke gate requires a success attribute created only by
6161
runtime execution rather than matching a token present in static HTML.
62+
Runtime encoding also rejects custom `Alphabet::encode` overrides that
63+
disagree with their authoritative `Alphabet::ENCODE` table, and a dedicated
64+
daily workflow checks all maintained lockfiles for newly published advisories.
6265
The stronger RISC-V RVV proof and admission review is scheduled for `1.3.9`;
6366
until then, RISC-V remains QEMU-tested scalar/fallback-only. The workspace
6467
crate family stays version-aligned at `1.3.8`.

SECURITY.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ Required for release:
2828
- `cargo +nightly miri test --no-default-features` when nightly Miri is installed
2929
- `cargo deny check`
3030
- `cargo audit`
31+
- daily and manually dispatchable RustSec and cargo-deny advisory monitoring
3132
- `cargo license --json`
3233
- SBOM generation
3334
- Reproducible build check

docs/API_AUDIT.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -248,6 +248,11 @@ Decision rationale:
248248
for every emitted byte. This preserves the conservative no secret-indexed
249249
lookup posture, but it is slower than the arithmetic mappers used by built-in
250250
alphabets.
251+
- `Alphabet::ENCODE` is the authoritative output table. A hand-written
252+
`Alphabet::encode` override must agree with all 64 entries; runtime encode
253+
APIs check that contract before dispatch and return
254+
`EncodeError::InvalidAlphabet` before writing output when it is violated.
255+
Const array encoding reads `Alphabet::ENCODE` directly.
251256
- Manual `Alphabet` implementations can override `encode` or `decode`; those
252257
overrides affect the normal `Engine` path. The `ct` module scans
253258
`Alphabet::ENCODE` directly and does not depend on custom `decode`

docs/CRATE_VERSION_MATRIX.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,9 @@ shipping two low-severity hardening fixes. The Tokio companion now performs
1212
guarded read-all vector growth and wipes every replaced allocation before
1313
deallocation. The Chromium-family wasm evidence gate now requires a
1414
runtime-created DOM success attribute that is proven absent from the static
15-
HTML source. Core encode/decode behavior, SIMD admission scope, unsafe
15+
HTML source. Runtime encoding now rejects custom `Alphabet::encode` overrides
16+
that disagree with their `Alphabet::ENCODE` table, and scheduled advisory
17+
monitoring covers all maintained lockfiles. SIMD admission scope, unsafe
1618
boundaries, and the zero-dependency core posture remain unchanged. The
1719
stronger RISC-V RVV proof and backend-admission review moves to `1.3.9`.
1820

docs/DEPENDENCIES.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -126,6 +126,8 @@ At minimum, evidence must include:
126126
- `cargo tree` for the affected feature set.
127127
- `cargo deny check`.
128128
- `cargo audit`.
129+
- `scripts/check_scheduled_advisories.sh` through the daily and manually
130+
dispatchable security-audit workflow.
129131
- `cargo license --json`.
130132
- Updated release notes and migration/security documentation when the public
131133
API or threat model changes.

docs/PLAN.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1177,6 +1177,10 @@ inside the `1.3.x` line if they remain evidence-gated and do not weaken the
11771177
wiped before it is returned to the allocator.
11781178
- Require Chromium-family wasm smoke evidence to contain a runtime-created DOM
11791179
success attribute that is absent from the static test document.
1180+
- Reject custom runtime alphabet encoders that disagree with their
1181+
authoritative `Alphabet::ENCODE` table before writing caller output.
1182+
- Add daily and manually dispatchable advisory monitoring for workspace and
1183+
isolated tool lockfiles.
11801184
- Preserve core encode/decode behavior, SIMD admission scope, unsafe
11811185
boundaries, and the zero-dependency core posture.
11821186
- Move the stronger RISC-V RVV proof and backend-admission review to `1.3.9`

docs/RELEASE_EVIDENCE.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -142,6 +142,8 @@ The release gate runs:
142142
- all-features and no-default-features doctests plus documentation builds
143143
- `cargo deny check`
144144
- `cargo audit`
145+
- daily and manually dispatchable RustSec plus cargo-deny advisory monitoring
146+
for the workspace and isolated fuzz, dudect, and performance lockfiles
145147
- `cargo license --json`
146148
- async admission documentation packaged while the `tokio` feature remains
147149
inert and dependency-free

docs/TRUST.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ stable release.
2424
| Miri | Release gate runs Miri when nightly Miri is installed and writes evidence artifacts | `scripts/check_miri.sh`, `target/release-evidence/miri/` |
2525
| Kani | 18 bounded no-default-features harnesses verify cleanly with the Rust `1.90.0` Kani toolchain and `cargo-kani 0.67.0`; incompatible future verifier/toolchain pairs must skip explicitly rather than pretending to prove. | `scripts/check_kani.sh`, `docs/KANI.md` |
2626
| Bounds invariants | Remaining internal indexing is grouped by documented local invariants | `docs/INVARIANTS.md` |
27-
| Audit | RustSec check required | `cargo audit`, `scripts/checks.sh` |
27+
| Audit | RustSec and cargo-deny advisory checks required on every change and daily while the repository is dormant | `cargo audit`, `scripts/checks.sh`, `scripts/check_scheduled_advisories.sh`, scheduled security-audit workflow |
2828
| License policy | `cargo deny` and `cargo license --json` required | `deny.toml`, `scripts/checks.sh` |
2929
| SBOM | SPDX and CycloneDX SBOM generation in release evidence | `scripts/generate-sbom.sh` |
3030
| Reproducibility | Package/build reproducibility check in release gate | `scripts/stable_release_gate.sh` |

0 commit comments

Comments
 (0)