xtask: add tls contract-pack proof#588
Conversation
Completes the v0.8.0 TLS lane started by the design doc in #585 and the CLI implementation in #587. Extends `cargo xtask bundle-proof` with a new `--profile tls` arm that produces the release-evidence proof artifact for the TLS contract pack, mirroring the OIDC precedent shipped in v0.7.0. What this PR does: - Adds `tls` to `BUNDLE_PROOF_SUPPORTED_PROFILES` and wires the per-profile default-out-dir / json-filename / markdown-filename / markdown-title / claim-boundary / expected-artifacts helpers. - Adds `TLS_CONTRACT_PACK_PROOF_CLAIM_BOUNDARY` (matches the design-doc scope: pack shape, not downstream verifier correctness; no revocation, no mTLS, no production CA custody). - Drives `bundle`, `verify-bundle`, `inspect-bundle`, the CLI tls contract-pack tests, x509 owner tests, and `no-blob` against the generated TLS bundle, and validates the 7 expected artifacts: 4 cert PEMs (valid leaf, valid chain, 4 negative classes) plus the per-fixture rejection evidence markdown. - Adds `tls-contract-pack-proof` to `release_evidence_steps_minor()` after `oidc-contract-pack-proof`. Patch lane stays unchanged: full contract-pack proofs are minor-only by design. - Adds the "TLS contract-pack proof" row to the minor release-summary table next to the scanner-safe and OIDC rows. Tests: - `bundle_proof_tls_profile_constant_includes_tls` covers the supported profile list, helper outputs, default out dir, and the 7 expected artifact paths. - `bundle_proof_receipt_enforces_tls_contract_pack_contents` and `bundle_proof_receipt_rejects_incomplete_tls_contract_pack` mirror the OIDC receipt tests against a `tls_bundle_proof_manifest()` helper. - `bundle_proof_markdown_summarizes_tls_contract_checks` covers the rendered markdown. - `release_evidence_minor_step_list_includes_tls_contract_pack_proof` and `release_evidence_patch_step_list_excludes_tls_contract_pack_proof` pin the step-list wiring on both lanes. - Updates the existing minor-lane dry-run / summary tests to also assert the new TLS step and artifacts. Validation: - `cargo xtask bundle-proof --profile tls --out target/release-evidence/tls` succeeds end-to-end. Generated bundle has the 6 PEMs + evidence/tls-profile.md + 2 receipts; `tls-contract-pack-proof.{json,md}` are written with all 7 contract-pack checks present. - `cargo xtask bundle-proof --profile scanner-safe` and `--profile oidc` still succeed (regression-clean). - `cargo xtask release-evidence --version 0.8.0-dev --dry-run --summary` plans 16 commands including the new tls step; the `--patch --dry-run` variant plans 10 commands with tls excluded. - `cargo fmt --check -p xtask` and `cargo clippy -p xtask --all-targets -- -D warnings` clean. Out of scope: - `crates/uselesskey-cli/` — the TLS profile already exists post-#587; this PR is xtask-only. - Task-first TLS how-to docs (planned for PR-D). - rustls/tonic adapter helpers (future release). Cross-refs: - Design: `docs/release/v0.8.0-tls-profile-design.md` (PR #585). - CLI impl: PR #587. - OIDC proof precedent (template followed here): `oidc-contract-pack-proof.{json,md}` and the `OIDC_CONTRACT_PACK_PROOF_CLAIM_BOUNDARY` constant.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Task-first user-facing how-to for the `uselesskey bundle --profile tls` contract pack. Walks readers through generating the bundle, the six certificate fixtures (valid leaf, valid chain, four negatives), the expected verifier outcomes per fixture, the documented hostname constants, and the release-grade evidence command. Mirrors the OIDC how-to pattern: terse, task-first prose, explicit "what this proves / does not prove" claim boundaries, and a scanner-safety note that points back to publish-recovery and the design doc for out-of-scope coverage. Completes the v0.8.0 TLS contract-pack lane: design (#585) + CLI profile (#587) + xtask bundle-proof (#588) + this user-facing piece. Pure docs PR; no source changes.
Why
Completes the v0.8.0 TLS contract-pack lane:
docs/release/v0.8.0-tls-profile-design.md.feat(cli): add tls bundle profile.The TLS profile design (PR-A) calls out PR-C explicitly: a new
cargo xtask bundle-proof --profile tlsinvocation, folded into the v0.8.0 release-evidence matrix. This is that PR.What
tlstoBUNDLE_PROOF_SUPPORTED_PROFILES. Extendsdefault_bundle_proof_out_dir,bundle_proof_json_filename,bundle_proof_markdown_filename,bundle_proof_markdown_title,bundle_proof_claim_boundary, andbundle_proof_expected_artifactsto covertls.TLS_CONTRACT_PACK_PROOF_CLAIM_BOUNDARY(matches the design-doc scope: pack shape, not downstream verifier correctness; no revocation, no mTLS, no production CA custody).bundle_proof()that runs the CLI tls contract-pack tests anduselesskey-x509owner tests alongside the standardbundle,verify-bundle,inspect-bundle, andno-blobcommands.certs/{valid-leaf, valid-chain, negative-expired-leaf, negative-not-yet-valid, negative-wrong-hostname, negative-untrusted-root}.pemplusevidence/tls-profile.md. Both materialization and audit-surface receipts are required as for OIDC.tls-contract-pack-proofintorelease_evidence_steps_minor()after the OIDC step. Adds the corresponding row to the minor release-summary table.release_evidence_steps_patch()— full contract-pack proofs are minor-only, matching the OIDC precedent.[Unreleased]### Addedentry under the existing v0.8.0 TLS PR-B entry.Tests added:
bundle_proof_tls_profile_constant_includes_tls(the requested sanity test) covers the supported-profile list, every helper, and the 7 expected artifact paths.bundle_proof_receipt_enforces_tls_contract_pack_contents/bundle_proof_receipt_rejects_incomplete_tls_contract_packmirror the OIDC receipt tests against a newtls_bundle_proof_manifest()helper.bundle_proof_markdown_summarizes_tls_contract_checkscovers the rendered markdown.release_evidence_minor_step_list_includes_tls_contract_pack_proofandrelease_evidence_patch_step_list_excludes_tls_contract_pack_proofpin step-list wiring on both lanes.Validation
cargo build -p xtask— clean.cargo xtask bundle-proof --profile tls --out target/release-evidence/tls— succeeds end-to-end. Generated bundle has all 9 files (6 cert PEMs + evidence markdown + 2 receipts);tls-contract-pack-proof.{json,md}written with all 7 contract-pack checkspresent: true,scanner_safe: true,private_key_material: false,symmetric_secret_material: false,runtime_material_count: 0.cargo xtask bundle-proof --profile scanner-safeand--profile oidcstill succeed (regression-clean).cargo xtask release-evidence --version 0.8.0-dev --dry-run --summaryplans 16 commands includingtls-contract-pack-proofand lists the TLS proof artifacts in the receipt.cargo xtask release-evidence --version 0.8.0-dev --patch --dry-run --summaryplans 10 commands withtls-contract-pack-proofcorrectly absent.cargo test -p xtask(single-threaded) — 273 passed. (Parallel runs hit the existingpublish_order_is_topologicalcargo metadatarace; isolated reruns pass. Unrelated to these changes.)cargo fmt --check -p xtask— clean.cargo clippy -p xtask --all-targets -- -D warnings— clean.Out of scope
crates/uselesskey-cli/— the TLS profile already exists post-feat(cli): add tls bundle profile #587; this PR is xtask-only.uselesskey-rustls/uselesskey-tonicadapter helpers (future release; design doc fixes the contract, not the API).Test plan
cargo build -p xtaskcargo test -p xtask bundle_proof_tls(the requested unit test)cargo test -p xtask -- --test-threads=1(273 passed)cargo fmt --check -p xtaskcargo clippy -p xtask --all-targets -- -D warningscargo xtask bundle-proof --profile tls --out target/release-evidence/tlsend-to-endcargo xtask bundle-proof --profile scanner-safesucceedscargo xtask bundle-proof --profile oidcsucceedscargo xtask release-evidence --version 0.8.0-dev --dry-run --summaryincludes tls stepcargo xtask release-evidence --version 0.8.0-dev --patch --dry-run --summaryexcludes tls step