Skip to content

refactor(rustls): fold core-rustls-pki content into uselesskey-rustls::srp::pki#598

Merged
EffortlessSteven merged 3 commits into
mainfrom
refactor/fold-rustls-pki-into-srp
May 12, 2026
Merged

refactor(rustls): fold core-rustls-pki content into uselesskey-rustls::srp::pki#598
EffortlessSteven merged 3 commits into
mainfrom
refactor/fold-rustls-pki-into-srp

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Why

PR-2 of the v0.8.0 SRP collapse lane, analogous to #595 for core-hmac-spec.

uselesskey-core-rustls-pki was a published, standalone microcrate (~234 LoC) that owned the rustls-pki conversion traits while uselesskey-rustls (the canonical adapter) re-exported them. Following the v0.7.0 fold pattern (#565-#570) and the just-merged #595, ownership now sits with the public package (uselesskey-rustls) and the previously-published microcrate becomes a thin re-export shim for v0.7.x compat.

This keeps the public path uselesskey_rustls::{RustlsPrivateKeyExt, RustlsCertExt, RustlsChainExt} byte-identical for downstream consumers while inverting the underlying dep graph.

What

  • New crates/uselesskey-rustls/src/srp/{mod.rs,pki.rs} carry the three extension traits, all impls (RSA / ECDSA / Ed25519 / X.509 self-signed + chain), and the inline #[cfg(test)] mod tests block.
  • crates/uselesskey-rustls/src/lib.rs declares pub mod srp (doc-hidden) and re-exports the pki traits at the top level. Public surface unchanged.
  • uselesskey-rustls/Cargo.toml drops the dep on uselesskey-core-rustls-pki, adds a direct rustls-pki-types dep, and rewires feature flags to depend only on the local key-type crates.
  • uselesskey-core-rustls-pki becomes a thin shim: pub use uselesskey_rustls::srp::pki::*. Its Cargo.toml uses uselesskey-rustls.workspace = true and routes features to uselesskey-rustls/*.
  • The shim's tests/{integration,deterministic,snapshots_rustls_pki}.rs and snapshot files move under crates/uselesskey-rustls/tests/. The deterministic seed (uselesskey-rustls-pki-snap-seed-v1) and snapshot file names are preserved, so existing snapshots match byte-for-byte.
  • xtask::PUBLISH_CRATES moves uselesskey-core-rustls-pki to a post-uselesskey-rustls slot under a "rustls compatibility shim" comment, matching the post-fold uselesskey-core-hmac-spec position.
  • xtask::plan::dependents() makes uselesskey-core-rustls-pki a leaf and adds it as a uselesskey-rustls dependent. The core_rustls_pki_change_is_isolated_to_shim test (previously _expands_to_rustls) is updated.
  • docs/explanation/architecture.md, docs/metadata/workspace-docs.json, and docs/reference/support-matrix.md describe the crate as a compatibility shim.
  • Both uselesskey-rustls and uselesskey-core-rustls-pki bump to 0.7.2 so the shim's re-export of uselesskey_rustls::srp::pki resolves against a registry version that ships the new path. Downstream consumers keep version = "0.7.1"; cargo's ^0.7.1 semantics accept 0.7.2.

docs-sync helper for SRP-fold PRs

The uselesskey-rustls snippet in the X.509 + rustls dependency example was the first case where a single crate is bumped ahead of the workspace-wide release_version: "0.7.1". xtask::docs_sync::SnippetDependency gains an optional version override field; the override is set to "0.7.2" on the uselesskey-rustls snippet entry in docs/metadata/workspace-docs.json. The override path has unit-test coverage so subsequent SRP folds can reuse the same hook without rediscovering the failure mode.

Out of scope

Shim crate deletion — that is a later v0.8.0 PR (PR-4 of the collapse lane).

Test plan

  • cargo build --workspace --all-targets --all-features --locked
  • cargo test -p uselesskey-rustls --all-features (131 passed, including moved integration + snapshot tests)
  • cargo test -p uselesskey-core-rustls-pki --all-features (shim has no tests; doctest of pub use compiles)
  • cargo clippy --workspace --all-targets --all-features --locked -- -D warnings
  • cargo xtask fmt
  • cargo xtask publish-check
  • cargo xtask publish-preflight (57 passed, 0 failed)
  • cargo xtask docs-sync --check
  • cargo xtask scanner-safe-reference --check
  • cargo xtask typos
  • cargo test -p xtask --all-features --locked -- --test-threads=1 (274 passed)

Inverts the dep direction between `uselesskey-rustls` and
`uselesskey-core-rustls-pki`. The `RustlsPrivateKeyExt`,
`RustlsCertExt`, and `RustlsChainExt` traits and their impls for
RSA, ECDSA, Ed25519, and X.509 fixture types now live in
`crates/uselesskey-rustls/src/srp/pki.rs`;
`uselesskey-core-rustls-pki` becomes a thin re-export shim
re-exporting `uselesskey_rustls::srp::pki::*` to preserve the
v0.7.x public-internal surface for downstream pinners.

This matches the v0.7.0 fold pattern established for `core-cache`,
`core-id`, `core-hash`, `core-factory`, `token-spec`, etc. (#565-#570
and follow-ups) and the v0.8.0 hmac-spec fold (#595) where the owner
crate took canonical ownership and the previously-published microcrate
became a compatibility shim.

Mechanical changes:

- New `crates/uselesskey-rustls/src/srp/{mod.rs,pki.rs}` carry the
  three extension traits, all impl blocks, and the inline
  `#[cfg(test)] mod tests` blocks.
- `crates/uselesskey-rustls/src/lib.rs` declares `pub mod srp` (doc-
  hidden) and re-exports the pki traits at the top level. The public
  `uselesskey_rustls::{RustlsPrivateKeyExt, RustlsCertExt,
  RustlsChainExt}` path is unchanged.
- `uselesskey-rustls/Cargo.toml` drops the dep on
  `uselesskey-core-rustls-pki` and gains a direct `rustls-pki-types`
  dep; per-key-type feature flags drop the
  `uselesskey-core-rustls-pki/*` re-export legs.
- `uselesskey-core-rustls-pki/src/lib.rs` is now a thin shim:
  `pub use uselesskey_rustls::srp::pki::*`. Its Cargo.toml drops the
  direct rustls-pki-types and key-type deps, adds
  `uselesskey-rustls.workspace = true`, and routes its features to
  `uselesskey-rustls/*`.
- The shim's `tests/{integration,deterministic,snapshots_rustls_pki}.rs`
  and snapshot files move under `crates/uselesskey-rustls/tests/`.
  Snapshot file names and contents are preserved (same deterministic
  seed `uselesskey-rustls-pki-snap-seed-v1`); only the Rust import
  paths are rewritten from `uselesskey_core_rustls_pki::*` to
  `uselesskey_rustls::*`.
- `xtask::PUBLISH_CRATES` moves `uselesskey-core-rustls-pki` to a
  post-`uselesskey-rustls` slot under a "rustls compatibility shim"
  comment, matching `uselesskey-core-hmac-spec` after the hmac fold.
- `xtask::plan::dependents()` makes `uselesskey-core-rustls-pki` a
  leaf and adds it as a `uselesskey-rustls` dependent (so a rustls
  source change still triggers a shim rebuild).
- `docs/explanation/architecture.md`,
  `docs/metadata/workspace-docs.json`, and
  `docs/reference/support-matrix.md` describe the crate as a
  compatibility shim.

Both `uselesskey-rustls` and `uselesskey-core-rustls-pki` bump to
0.7.2 so the shim's re-export of `uselesskey_rustls::srp::pki`
resolves against a registry version that ships the new path:
`cargo publish --dry-run -p uselesskey-core-rustls-pki` would otherwise
resolve against the published v0.7.1 of `uselesskey-rustls`, which
does not have `srp::pki`, and fail with `E0432: unresolved imports`.

Downstream consumers (`uselesskey`, `uselesskey-bdd-steps`,
`uselesskey-interop-tests`) keep their existing `version = "0.7.1"`
constraint — cargo treats it as `^0.7.1`, which accepts v0.7.2.

This is PR-2 of the v0.8.0 SRP collapse lane. The shim crate stays
published for v0.7.x compat and is scheduled for removal in a later
v0.8.0 PR.
The `uselesskey-rustls` v0.7.2 bump (PR-2 of the v0.8.0 SRP collapse
lane) outpaces the workspace-wide `release_version: "0.7.1"` field
in `docs/metadata/workspace-docs.json`, which docs-sync uses to render
all dependency snippets uniformly. The preflight `doc-versions` lane
checks each rendered snippet against the per-crate
`Cargo.toml` version, so a uniform `0.7.1` snippet for
`uselesskey-rustls` would fail against its bumped manifest.

Add an optional `version` override to `SnippetDependency`, route it
through `render_single_dependency_snippet`, and set the override to
`"0.7.2"` on the `uselesskey-rustls` snippet entry. The other deps
in the same snippets continue to render against the workspace-wide
`release_version` field. Regenerate the README and how-to dependency
blocks accordingly.

This same pattern can be reused on subsequent SRP-fold PRs where a
single fold-target crate bumps ahead of the rest of the workspace.
Adds a unit test exercising the new optional `version` field on
`SnippetDependency`, locking in the SRP-fold pattern where a single
crate has been bumped ahead of the workspace-wide `release_version`
(e.g. v0.8.0 SRP folds where one crate goes to 0.7.2 while the rest
of the workspace stays on 0.7.1) so future regressions on the
override path are caught in `cargo test -p xtask`.

Also fixes the existing snippet-rendering test to provide the new
`version: None` field after the struct literal added the field.
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 12, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 34 minutes and 50 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 93c01448-4df3-4247-863d-9dd3f415e8c2

📥 Commits

Reviewing files that changed from the base of the PR and between ead628b and 255fb4f.

⛔ Files ignored due to path filters (6)
  • Cargo.lock is excluded by !**/*.lock
  • crates/uselesskey-rustls/tests/snapshots/snapshots_rustls_pki__chain_rustls_conversion.snap is excluded by !**/*.snap
  • crates/uselesskey-rustls/tests/snapshots/snapshots_rustls_pki__ecdsa_rustls_conversion.snap is excluded by !**/*.snap
  • crates/uselesskey-rustls/tests/snapshots/snapshots_rustls_pki__ed25519_rustls_conversion.snap is excluded by !**/*.snap
  • crates/uselesskey-rustls/tests/snapshots/snapshots_rustls_pki__rsa_rustls_conversion.snap is excluded by !**/*.snap
  • crates/uselesskey-rustls/tests/snapshots/snapshots_rustls_pki__self_signed_rustls_conversion.snap is excluded by !**/*.snap
📒 Files selected for processing (23)
  • CHANGELOG.md
  • Cargo.toml
  • README.md
  • crates/uselesskey-core-rustls-pki/Cargo.toml
  • crates/uselesskey-core-rustls-pki/README.md
  • crates/uselesskey-core-rustls-pki/src/lib.rs
  • crates/uselesskey-core-rustls-pki/tests/testutil.rs
  • crates/uselesskey-rustls/Cargo.toml
  • crates/uselesskey-rustls/README.md
  • crates/uselesskey-rustls/src/lib.rs
  • crates/uselesskey-rustls/src/srp/mod.rs
  • crates/uselesskey-rustls/src/srp/pki.rs
  • crates/uselesskey-rustls/tests/pki_deterministic.rs
  • crates/uselesskey-rustls/tests/pki_integration.rs
  • crates/uselesskey-rustls/tests/snapshots_rustls_pki.rs
  • crates/uselesskey/README.md
  • docs/explanation/architecture.md
  • docs/how-to/choose-features.md
  • docs/metadata/workspace-docs.json
  • docs/reference/support-matrix.md
  • xtask/src/docs_sync.rs
  • xtask/src/main.rs
  • xtask/src/plan.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch refactor/fold-rustls-pki-into-srp

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 255fb4fc0b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

uselesskey-rsa = { path = "../uselesskey-rsa", version = "0.7.1", optional = true }
uselesskey-ecdsa = { path = "../uselesskey-ecdsa", version = "0.7.1", optional = true }
uselesskey-ed25519 = { path = "../uselesskey-ed25519", version = "0.7.1", optional = true }
uselesskey-rustls.workspace = true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Disable default features on the shim dependency

With this dependency written as uselesskey-rustls.workspace = true, Cargo enables uselesskey-rustls's default x509 feature even when a compatibility-shim user asks for uselesskey-core-rustls-pki --no-default-features or only --features rsa. I checked cargo tree -e features -p uselesskey-core-rustls-pki --no-default-features, and it still activates uselesskey-rustls feature "default" plus uselesskey-x509, so the old optional-feature surface is no longer preserved and consumers trying to avoid X.509/ring/rcgen deps still get them. Please set this dependency to default-features = false and let the forwarding feature list opt into x509/rsa/ecdsa/ed25519 explicitly.

Useful? React with 👍 / 👎.

@EffortlessSteven EffortlessSteven merged commit ed117dc into main May 12, 2026
6 checks passed
EffortlessSteven added a commit that referenced this pull request May 12, 2026
Removes 29 fully-folded published-internal compatibility shim crates that
v0.7.x carried as one-minor-release re-export shells over content already
owned by the public crates' `srp::*` modules. This is PR-4 of the v0.8.0
SRP collapse lane and is a BREAKING change for downstream consumers that
pinned the shim crate names directly.

Scope (29 crates removed)

Core internals (11) -> uselesskey_core::srp::*:
- uselesskey-core-cache, -factory, -hash, -id, -seed, -sink
- uselesskey-core-keypair, -keypair-material
- uselesskey-core-negative, -negative-der, -negative-pem

JWK internals (5) -> uselesskey_jwk::srp::*:
- uselesskey-core-kid, -jwk, -jwk-builder, -jwk-shape, -jwks-order

Token internals (4) -> uselesskey_token::srp::*:
- uselesskey-core-base62, -token, -token-shape, uselesskey-token-spec

X.509 internals (5) -> uselesskey_x509::srp::*:
- uselesskey-core-x509, -x509-spec, -x509-derive,
  -x509-negative, -x509-chain-negative

Folded standalones (3):
- uselesskey-core-hmac-spec -> uselesskey_hmac::srp::spec (content moved
  in v0.7.2 via #595; shim removed here)
- uselesskey-core-rustls-pki -> uselesskey_rustls::srp::pki (content moved
  in v0.7.2 via #598; shim removed here)
- uselesskey-pgp-native -> uselesskey_pgp::native (feature = "native";
  content moved in v0.7.2 via #599; shim removed here)

Conditional duplicate (1):
- uselesskey-jose-openid was byte-equal to uselesskey_jsonwebtoken::JwtKeyExt;
  consumers should depend on uselesskey-jsonwebtoken directly.

Why

The v0.7.x line shipped each fold (#595, #598, #599 and predecessors) with
the shim crate retained as a published-internal re-export so v0.7.x
downstreams kept compiling for one minor release. v0.8.0 removes the
shims per the SRP collapse plan; crate-surface contracts at the module
boundary instead of the crate boundary. The published surface goes from
51 to 22 public + 3 workspace-internal.

Migration

Downstream consumers should:
- Replace `uselesskey-core-<x>` imports with `uselesskey_core::srp::<x>`
- Replace `uselesskey-core-jwk*` / `-kid` / `-jwks-order` with `uselesskey_jwk`
- Replace `uselesskey-token-spec` / `-core-base62` / `-core-token*` with
  `uselesskey_token` and its `srp::*` modules
- Replace `uselesskey-core-x509*` with `uselesskey_x509::srp::*`
- Replace `uselesskey-core-hmac-spec` with `uselesskey_hmac::srp::spec`
- Replace `uselesskey-core-rustls-pki` with `uselesskey_rustls::srp::pki`
- Replace `uselesskey-pgp-native` with `uselesskey-pgp` `features = ["native"]`
- Replace `uselesskey-jose-openid::JoseOpenIdKeyExt` with
  `uselesskey_jsonwebtoken::JwtKeyExt`

A full crate-to-module mapping table will land in
docs/how-to/migrate-from-v0.7.md (PR-5).

What this PR touches

- Removes 29 crate directories from `crates/`.
- Updates the workspace `Cargo.toml` `[workspace] members` and
  `[workspace.dependencies]` to drop the removed names.
- Updates `xtask` PUBLISH_CRATES, MUTANT_CRATES, dependents() map,
  `compatibility_shim_owner` callsite, `is_adapter_crate` allowlist,
  and the public-surface internal-shard guard.
- Removes the `is_adapter_crate` jose-openid / pgp-native entries.
- Removes obsolete plan.rs tests that pinned per-shim impact propagation.
- Migrates internal callers (`uselesskey-rsa/-ecdsa/-ed25519` keypair.rs,
  `uselesskey-bdd-steps`, all `fuzz/fuzz_targets/*.rs`) to canonical
  owner-crate `srp::*` paths.
- Regenerates `docs/metadata/workspace-docs.json`, the support matrix,
  and the public-surface survey.
- Resets `policy/no-panic-baseline.toml` to reflect the new module
  topology (deleted crate paths drop out; their canonical owner-crate
  paths are now the only home of the same panic-family findings).
- Notes the cleanup in `CHANGELOG.md` `[Unreleased] Removed`,
  `AGENTS.md`, `CLAUDE.md`, and `docs/explanation/architecture.md`.

Cross-refs: #595 (HmacSpec fold), #598 (rustls-pki fold), #599 (pgp-native
fold) shipped the content moves; this PR removes the now-empty shim
crates.

Validation

- `cargo check --workspace --all-targets --all-features` clean.
- `cargo test --workspace --all-features --exclude uselesskey-bdd --no-run`
  clean.
- `cargo fmt --check` clean.
- `cargo clippy --workspace --all-targets --all-features -- -D warnings`
  clean (only `aws-lc-rs` build-script `NASM found` informational note).
- `cargo xtask public-surface` clean: 35 workspace crates (17 public +
  7 adapter + 11 workspace-only; 0 published-internals remaining).
- `cargo xtask docs-sync --check` clean.
- `cargo xtask check-file-policy` clean (844 files matched, 0 unmatched).
- `cargo xtask no-blob` clean.
- `cargo xtask typos` clean.
- `cargo xtask publish-preflight` clean through every step except the
  expected uncommitted-tree check.
- `cargo test -p xtask -- --test-threads=1` all 245 tests pass; one
  pre-existing parallel-mode CWD test-isolation flake is unrelated to
  this PR.
EffortlessSteven added a commit that referenced this pull request May 12, 2026
* chore(workspace): remove folded internal shim crates

Removes 29 fully-folded published-internal compatibility shim crates that
v0.7.x carried as one-minor-release re-export shells over content already
owned by the public crates' `srp::*` modules. This is PR-4 of the v0.8.0
SRP collapse lane and is a BREAKING change for downstream consumers that
pinned the shim crate names directly.

Scope (29 crates removed)

Core internals (11) -> uselesskey_core::srp::*:
- uselesskey-core-cache, -factory, -hash, -id, -seed, -sink
- uselesskey-core-keypair, -keypair-material
- uselesskey-core-negative, -negative-der, -negative-pem

JWK internals (5) -> uselesskey_jwk::srp::*:
- uselesskey-core-kid, -jwk, -jwk-builder, -jwk-shape, -jwks-order

Token internals (4) -> uselesskey_token::srp::*:
- uselesskey-core-base62, -token, -token-shape, uselesskey-token-spec

X.509 internals (5) -> uselesskey_x509::srp::*:
- uselesskey-core-x509, -x509-spec, -x509-derive,
  -x509-negative, -x509-chain-negative

Folded standalones (3):
- uselesskey-core-hmac-spec -> uselesskey_hmac::srp::spec (content moved
  in v0.7.2 via #595; shim removed here)
- uselesskey-core-rustls-pki -> uselesskey_rustls::srp::pki (content moved
  in v0.7.2 via #598; shim removed here)
- uselesskey-pgp-native -> uselesskey_pgp::native (feature = "native";
  content moved in v0.7.2 via #599; shim removed here)

Conditional duplicate (1):
- uselesskey-jose-openid was byte-equal to uselesskey_jsonwebtoken::JwtKeyExt;
  consumers should depend on uselesskey-jsonwebtoken directly.

Why

The v0.7.x line shipped each fold (#595, #598, #599 and predecessors) with
the shim crate retained as a published-internal re-export so v0.7.x
downstreams kept compiling for one minor release. v0.8.0 removes the
shims per the SRP collapse plan; crate-surface contracts at the module
boundary instead of the crate boundary. The published surface goes from
51 to 22 public + 3 workspace-internal.

Migration

Downstream consumers should:
- Replace `uselesskey-core-<x>` imports with `uselesskey_core::srp::<x>`
- Replace `uselesskey-core-jwk*` / `-kid` / `-jwks-order` with `uselesskey_jwk`
- Replace `uselesskey-token-spec` / `-core-base62` / `-core-token*` with
  `uselesskey_token` and its `srp::*` modules
- Replace `uselesskey-core-x509*` with `uselesskey_x509::srp::*`
- Replace `uselesskey-core-hmac-spec` with `uselesskey_hmac::srp::spec`
- Replace `uselesskey-core-rustls-pki` with `uselesskey_rustls::srp::pki`
- Replace `uselesskey-pgp-native` with `uselesskey-pgp` `features = ["native"]`
- Replace `uselesskey-jose-openid::JoseOpenIdKeyExt` with
  `uselesskey_jsonwebtoken::JwtKeyExt`

A full crate-to-module mapping table will land in
docs/how-to/migrate-from-v0.7.md (PR-5).

What this PR touches

- Removes 29 crate directories from `crates/`.
- Updates the workspace `Cargo.toml` `[workspace] members` and
  `[workspace.dependencies]` to drop the removed names.
- Updates `xtask` PUBLISH_CRATES, MUTANT_CRATES, dependents() map,
  `compatibility_shim_owner` callsite, `is_adapter_crate` allowlist,
  and the public-surface internal-shard guard.
- Removes the `is_adapter_crate` jose-openid / pgp-native entries.
- Removes obsolete plan.rs tests that pinned per-shim impact propagation.
- Migrates internal callers (`uselesskey-rsa/-ecdsa/-ed25519` keypair.rs,
  `uselesskey-bdd-steps`, all `fuzz/fuzz_targets/*.rs`) to canonical
  owner-crate `srp::*` paths.
- Regenerates `docs/metadata/workspace-docs.json`, the support matrix,
  and the public-surface survey.
- Resets `policy/no-panic-baseline.toml` to reflect the new module
  topology (deleted crate paths drop out; their canonical owner-crate
  paths are now the only home of the same panic-family findings).
- Notes the cleanup in `CHANGELOG.md` `[Unreleased] Removed`,
  `AGENTS.md`, `CLAUDE.md`, and `docs/explanation/architecture.md`.

Cross-refs: #595 (HmacSpec fold), #598 (rustls-pki fold), #599 (pgp-native
fold) shipped the content moves; this PR removes the now-empty shim
crates.

Validation

- `cargo check --workspace --all-targets --all-features` clean.
- `cargo test --workspace --all-features --exclude uselesskey-bdd --no-run`
  clean.
- `cargo fmt --check` clean.
- `cargo clippy --workspace --all-targets --all-features -- -D warnings`
  clean (only `aws-lc-rs` build-script `NASM found` informational note).
- `cargo xtask public-surface` clean: 35 workspace crates (17 public +
  7 adapter + 11 workspace-only; 0 published-internals remaining).
- `cargo xtask docs-sync --check` clean.
- `cargo xtask check-file-policy` clean (844 files matched, 0 unmatched).
- `cargo xtask no-blob` clean.
- `cargo xtask typos` clean.
- `cargo xtask publish-preflight` clean through every step except the
  expected uncommitted-tree check.
- `cargo test -p xtask -- --test-threads=1` all 245 tests pass; one
  pre-existing parallel-mode CWD test-isolation flake is unrelated to
  this PR.

* xtask: drop deleted crates from pr-test orchestration

PR #602 removed 29 shim crates but missed updating the xtask pr
step's per-crate test target list. CI hit
`error: cannot specify features for packages outside of workspace`
for `uselesskey-core-base62`. Update the test-targets list to match
the post-deletion workspace.

The impacted-crates set is derived from the path components of
changed files (`crates/<name>/...`); paths to deleted crates still
appear in the diff and leaked into the test target list. Filter the
list to crates whose `crates/<name>/Cargo.toml` still exists in the
worktree, naturally dropping any crate the PR deletes. Add unit
tests covering the deleted-shim and stale-dir cases.

* chore(fuzz): migrate remaining fuzz targets off deleted shim crates

The shim deletion PR caught 24 of the fuzz targets but left 24 others
still importing the removed crate names (core_factory_cache,
core_x509_negative, fuzz_factory_concurrent, etc.), which broke
`cargo fuzz build`.

Re-point every remaining fuzz target at canonical owner-crate paths:

- uselesskey-core-factory  -> uselesskey_core::Factory
- uselesskey-core-id       -> uselesskey_core::{ArtifactId, DerivationVersion, Seed}
                              + uselesskey_core::srp::identity::derive_seed
- uselesskey-core-hash     -> uselesskey_core::srp::hash::*
- uselesskey-core-keypair-material
                           -> uselesskey_core::srp::keypair_material::*
- uselesskey-core-negative-pem
                           -> uselesskey_core::negative::*
- uselesskey-core-token-shape
                           -> uselesskey_token::srp::shape::*
- uselesskey-core-kid      -> uselesskey_jwk::srp::kid::*
- uselesskey-core-jwk-shape
                           -> uselesskey_jwk::{AnyJwk, Jwks, ...}
- uselesskey-core-jwks-order
                           -> uselesskey_jwk::srp::ordering::*
- uselesskey-core-x509-spec / x509-negative
                           -> uselesskey_x509::{X509Spec, ChainSpec,
                              X509Negative, ChainNegative, KeyUsage,
                              NotBeforeOffset}

* xtask(test): make publish_order_is_topological CWD-independent

The test invoked `cargo metadata` without --manifest-path. When run
in parallel with other xtask tests that change CWD, cargo metadata
could not locate the working directory. Pass --manifest-path derived
from CARGO_MANIFEST_DIR so the test is deterministic under
--test-threads > 1.

* xtask(test): set explicit current_dir on cargo metadata invocation

The prior --manifest-path fix wasn't sufficient because cargo's
working-directory lookup happens before it reads --manifest-path.
When a parallel test deletes its tempdir, the process CWD becomes
invalid and cargo aborts with "Could not locate working directory"
before even seeing the --manifest-path arg.

Explicitly set Command::current_dir to the workspace root so cargo
does not depend on the process CWD at all.
@EffortlessSteven EffortlessSteven mentioned this pull request May 12, 2026
4 tasks
EffortlessSteven added a commit that referenced this pull request May 12, 2026
TLS contract-pack and public crate-surface cleanup release. Bumps
workspace to 0.8.0. CHANGELOG entry curated from merged PRs:
#485-#605 (TLS lane #585/#587/#588/#589, task-first how-tos
#590-#594, SRP collapse #595/#598/#599/#602, migration guide #603,
Clippy ratchets #505, dep bumps #484-#491).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant