Skip to content

xtask: add tls contract-pack proof#588

Merged
EffortlessSteven merged 1 commit into
mainfrom
xtask/tls-contract-pack-proof
May 12, 2026
Merged

xtask: add tls contract-pack proof#588
EffortlessSteven merged 1 commit into
mainfrom
xtask/tls-contract-pack-proof

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Why

Completes the v0.8.0 TLS contract-pack lane:

The TLS profile design (PR-A) calls out PR-C explicitly: a new cargo xtask bundle-proof --profile tls invocation, folded into the v0.8.0 release-evidence matrix. This is that PR.

What

  • Adds tls to BUNDLE_PROOF_SUPPORTED_PROFILES. Extends default_bundle_proof_out_dir, bundle_proof_json_filename, bundle_proof_markdown_filename, bundle_proof_markdown_title, bundle_proof_claim_boundary, and bundle_proof_expected_artifacts to cover tls.
  • Adds TLS_CONTRACT_PACK_PROOF_CLAIM_BOUNDARY (matches the design-doc scope: pack shape, not downstream verifier correctness; no revocation, no mTLS, no production CA custody).
  • Adds a TLS-specific arm to bundle_proof() that runs the CLI tls contract-pack tests and uselesskey-x509 owner tests alongside the standard bundle, verify-bundle, inspect-bundle, and no-blob commands.
  • The TLS proof validates 7 expected artifacts: certs/{valid-leaf, valid-chain, negative-expired-leaf, negative-not-yet-valid, negative-wrong-hostname, negative-untrusted-root}.pem plus evidence/tls-profile.md. Both materialization and audit-surface receipts are required as for OIDC.
  • Wires tls-contract-pack-proof into release_evidence_steps_minor() after the OIDC step. Adds the corresponding row to the minor release-summary table.
  • Does not add TLS to release_evidence_steps_patch() — full contract-pack proofs are minor-only, matching the OIDC precedent.
  • CHANGELOG: new [Unreleased] ### Added entry under the existing v0.8.0 TLS PR-B entry.

Tests added:

  • bundle_proof_tls_profile_constant_includes_tls (the requested sanity test) covers the supported-profile list, every helper, and the 7 expected artifact paths.
  • bundle_proof_receipt_enforces_tls_contract_pack_contents / bundle_proof_receipt_rejects_incomplete_tls_contract_pack mirror the OIDC receipt tests against a new tls_bundle_proof_manifest() helper.
  • bundle_proof_markdown_summarizes_tls_contract_checks covers the rendered markdown.
  • release_evidence_minor_step_list_includes_tls_contract_pack_proof and release_evidence_patch_step_list_excludes_tls_contract_pack_proof pin step-list wiring on both lanes.
  • Updates the existing minor-lane dry-run / summary tests to also assert the new TLS step.

Validation

  • cargo build -p xtask — clean.
  • cargo xtask bundle-proof --profile tls --out target/release-evidence/tls — succeeds end-to-end. Generated bundle has all 9 files (6 cert PEMs + evidence markdown + 2 receipts); tls-contract-pack-proof.{json,md} written with all 7 contract-pack checks present: true, scanner_safe: true, private_key_material: false, symmetric_secret_material: false, runtime_material_count: 0.
  • cargo xtask bundle-proof --profile scanner-safe and --profile oidc still succeed (regression-clean).
  • cargo xtask release-evidence --version 0.8.0-dev --dry-run --summary plans 16 commands including tls-contract-pack-proof and lists the TLS proof artifacts in the receipt.
  • cargo xtask release-evidence --version 0.8.0-dev --patch --dry-run --summary plans 10 commands with tls-contract-pack-proof correctly absent.
  • cargo test -p xtask (single-threaded) — 273 passed. (Parallel runs hit the existing publish_order_is_topological cargo metadata race; isolated reruns pass. Unrelated to these changes.)
  • cargo fmt --check -p xtask — clean.
  • cargo clippy -p xtask --all-targets -- -D warnings — clean.

Out of scope

  • crates/uselesskey-cli/ — the TLS profile already exists post-feat(cli): add tls bundle profile #587; this PR is xtask-only.
  • Task-first TLS how-to docs (planned for PR-D).
  • uselesskey-rustls / uselesskey-tonic adapter helpers (future release; design doc fixes the contract, not the API).

Test plan

  • cargo build -p xtask
  • cargo test -p xtask bundle_proof_tls (the requested unit test)
  • cargo test -p xtask -- --test-threads=1 (273 passed)
  • cargo fmt --check -p xtask
  • cargo clippy -p xtask --all-targets -- -D warnings
  • cargo xtask bundle-proof --profile tls --out target/release-evidence/tls end-to-end
  • Regression: cargo xtask bundle-proof --profile scanner-safe succeeds
  • Regression: cargo xtask bundle-proof --profile oidc succeeds
  • cargo xtask release-evidence --version 0.8.0-dev --dry-run --summary includes tls step
  • cargo xtask release-evidence --version 0.8.0-dev --patch --dry-run --summary excludes tls step

Completes the v0.8.0 TLS lane started by the design doc in #585 and the
CLI implementation in #587. Extends `cargo xtask bundle-proof` with a
new `--profile tls` arm that produces the release-evidence proof
artifact for the TLS contract pack, mirroring the OIDC precedent shipped
in v0.7.0.

What this PR does:

- Adds `tls` to `BUNDLE_PROOF_SUPPORTED_PROFILES` and wires the
  per-profile default-out-dir / json-filename / markdown-filename /
  markdown-title / claim-boundary / expected-artifacts helpers.
- Adds `TLS_CONTRACT_PACK_PROOF_CLAIM_BOUNDARY` (matches the design-doc
  scope: pack shape, not downstream verifier correctness; no revocation,
  no mTLS, no production CA custody).
- Drives `bundle`, `verify-bundle`, `inspect-bundle`, the CLI tls
  contract-pack tests, x509 owner tests, and `no-blob` against the
  generated TLS bundle, and validates the 7 expected artifacts:
  4 cert PEMs (valid leaf, valid chain, 4 negative classes) plus the
  per-fixture rejection evidence markdown.
- Adds `tls-contract-pack-proof` to `release_evidence_steps_minor()`
  after `oidc-contract-pack-proof`. Patch lane stays unchanged: full
  contract-pack proofs are minor-only by design.
- Adds the "TLS contract-pack proof" row to the minor release-summary
  table next to the scanner-safe and OIDC rows.

Tests:

- `bundle_proof_tls_profile_constant_includes_tls` covers the supported
  profile list, helper outputs, default out dir, and the 7 expected
  artifact paths.
- `bundle_proof_receipt_enforces_tls_contract_pack_contents` and
  `bundle_proof_receipt_rejects_incomplete_tls_contract_pack` mirror the
  OIDC receipt tests against a `tls_bundle_proof_manifest()` helper.
- `bundle_proof_markdown_summarizes_tls_contract_checks` covers the
  rendered markdown.
- `release_evidence_minor_step_list_includes_tls_contract_pack_proof`
  and `release_evidence_patch_step_list_excludes_tls_contract_pack_proof`
  pin the step-list wiring on both lanes.
- Updates the existing minor-lane dry-run / summary tests to also assert
  the new TLS step and artifacts.

Validation:

- `cargo xtask bundle-proof --profile tls --out target/release-evidence/tls`
  succeeds end-to-end. Generated bundle has the 6 PEMs + evidence/tls-profile.md
  + 2 receipts; `tls-contract-pack-proof.{json,md}` are written with all
  7 contract-pack checks present.
- `cargo xtask bundle-proof --profile scanner-safe` and `--profile oidc`
  still succeed (regression-clean).
- `cargo xtask release-evidence --version 0.8.0-dev --dry-run --summary`
  plans 16 commands including the new tls step; the `--patch --dry-run`
  variant plans 10 commands with tls excluded.
- `cargo fmt --check -p xtask` and `cargo clippy -p xtask --all-targets
  -- -D warnings` clean.

Out of scope:

- `crates/uselesskey-cli/` — the TLS profile already exists post-#587;
  this PR is xtask-only.
- Task-first TLS how-to docs (planned for PR-D).
- rustls/tonic adapter helpers (future release).

Cross-refs:

- Design: `docs/release/v0.8.0-tls-profile-design.md` (PR #585).
- CLI impl: PR #587.
- OIDC proof precedent (template followed here):
  `oidc-contract-pack-proof.{json,md}` and the
  `OIDC_CONTRACT_PACK_PROOF_CLAIM_BOUNDARY` constant.
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 12, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 50 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1bc58790-ff2c-46b8-90d9-a381e2f93140

📥 Commits

Reviewing files that changed from the base of the PR and between aa68340 and 27a1d88.

📒 Files selected for processing (2)
  • CHANGELOG.md
  • xtask/src/main.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch xtask/tls-contract-pack-proof

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@EffortlessSteven EffortlessSteven merged commit 16744e0 into main May 12, 2026
6 checks passed
EffortlessSteven added a commit that referenced this pull request May 12, 2026
Task-first user-facing how-to for the `uselesskey bundle --profile tls`
contract pack. Walks readers through generating the bundle, the six
certificate fixtures (valid leaf, valid chain, four negatives), the
expected verifier outcomes per fixture, the documented hostname
constants, and the release-grade evidence command.

Mirrors the OIDC how-to pattern: terse, task-first prose, explicit
"what this proves / does not prove" claim boundaries, and a
scanner-safety note that points back to publish-recovery and the
design doc for out-of-scope coverage.

Completes the v0.8.0 TLS contract-pack lane: design (#585) + CLI
profile (#587) + xtask bundle-proof (#588) + this user-facing piece.
Pure docs PR; no source changes.
@EffortlessSteven EffortlessSteven mentioned this pull request May 12, 2026
4 tasks
EffortlessSteven added a commit that referenced this pull request May 12, 2026
TLS contract-pack and public crate-surface cleanup release. Bumps
workspace to 0.8.0. CHANGELOG entry curated from merged PRs:
#485-#605 (TLS lane #585/#587/#588/#589, task-first how-tos
#590-#594, SRP collapse #595/#598/#599/#602, migration guide #603,
Clippy ratchets #505, dep bumps #484-#491).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant