Skip to content

fix(cli): mark public asymmetric JWKs scanner-safe in runtime bundles#691

Merged
EffortlessSteven merged 2 commits into
mainfrom
claude/find-fix-bug-aZgli
May 16, 2026
Merged

fix(cli): mark public asymmetric JWKs scanner-safe in runtime bundles#691
EffortlessSteven merged 2 commits into
mainfrom
claude/find-fix-bug-aZgli

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

Summary

  • The runtime bundle profile's scanner-safe predicate only inspected the artifact kind, so RSA / ECDSA / Ed25519 entries emitted as public JWKs (no d / p / q / seed bytes) were still recorded as scanner_safe: false in manifest.json and receipts/audit-surface.json.
  • After this fix, runtime_entry_is_scanner_safe(kind, format) considers both: public-shaped formats (Jwk/Jwks) for asymmetric kinds are scanner-safe, while Pem/Der private bytes, HMAC k, and token values remain non-scanner-safe.
  • For uselesskey bundle --profile runtime --format jwk, the audit surface now reports runtime_material_count: 2 (just hmac + token) instead of 5.

Reproduction (before)

$ uselesskey bundle --profile runtime --seed test --label svc --out /tmp/b
$ jq '.artifacts[] | {path,kind,format,scanner_safe}' /tmp/b/manifest.json
{ "path":"rsa.jwk.json",     "kind":"rsa",     "format":"jwk", "scanner_safe":false }   # public-only RSA JWK ⇒ should be true
{ "path":"ecdsa.jwk.json",   "kind":"ecdsa",   "format":"jwk", "scanner_safe":false }   # public-only ECDSA JWK ⇒ should be true
{ "path":"ed25519.jwk.json", "kind":"ed25519", "format":"jwk", "scanner_safe":false }   # public-only Ed25519 JWK ⇒ should be true
{ "path":"hmac.jwk.json",    "kind":"hmac",    "format":"jwk", "scanner_safe":false }   # has secret `k` ⇒ correct
{ "path":"token.json",       "kind":"token",   ...,            "scanner_safe":false }   # has token value ⇒ correct

After

rsa.jwk.json     scanner_safe=True   # public only
ecdsa.jwk.json   scanner_safe=True   # public only
ed25519.jwk.json scanner_safe=True   # public only
hmac.jwk.json    scanner_safe=False
token.json       scanner_safe=False

The PEM/DER path is unchanged (uselesskey bundle --profile runtime --format pem still marks RSA/ECDSA/Ed25519 PEM artifacts as scanner_safe: false).

Test plan

  • cargo test -p uselesskey-cli (all 26 + 1 new integration + 5 + 4 + 4 + 3 + 6 tests pass)
  • cargo clippy -p uselesskey-cli --all-features --tests -- -D warnings
  • cargo fmt --check
  • New unit test runtime_public_jwk_outputs_are_scanner_safe covers the kind × format matrix.
  • New integration test bundle_profile_runtime_jwk_marks_public_key_artifacts_scanner_safe exercises the full bundle flow and asserts the audit-surface runtime_material_count.

Generated by Claude Code

The runtime profile's scanner-safe predicate only checked the artifact
kind, so RSA/ECDSA/Ed25519 entries emitted as public JWKs (no `d`/`p`/`q`
or seed bytes) were still recorded as `scanner_safe: false` in the bundle
manifest and audit-surface receipt. Consider the emitted format: those
public-shaped outputs are scanner-safe, while PEM/DER private bytes,
HMAC `k`, and token values remain non-scanner-safe.
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 15, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 12 minutes and 53 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fb526744-a6f6-4f45-b133-5304d7c790b1

📥 Commits

Reviewing files that changed from the base of the PR and between fad488d and 89a367e.

📒 Files selected for processing (2)
  • crates/uselesskey-cli/src/main.rs
  • crates/uselesskey-cli/tests/cli.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/find-fix-bug-aZgli

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@EffortlessSteven EffortlessSteven marked this pull request as ready for review May 16, 2026 02:56
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@EffortlessSteven EffortlessSteven merged commit ade416c into main May 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants