Latest Results
chore(deps): add Sprint 1 backend deps — libsql, refinery, validation crates (#17)
* chore(deps): add Sprint 1 backend dependencies (task T-101)
Add 9 Rust crates needed for Sprint 1 hexagonal foundations via
`cargo add` (per ADR-015 — Cargo.toml never hand-edited):
- libsql 0.9.30 features=[replication] # embedded local DB + remote sync
- refinery 0.9.1 # SQL migration toolkit (V001+)
- garde 0.22.1 features=[full] # runtime validation
- statig 0.4.1 # typed FSMs (agent state)
- regex 1.12.3 # stdout phase matching
- dirs 6.0.0 # OS-specific config/log paths
- notify 8.2.0 # filesystem watcher (S7 hot-reload)
- fs2 0.4.3 # advisory file locking
- async-trait 0.1.89 # async traits in domain Ports
Two deviations from the literal T-101 spec, deliberately documented in
CHANGELOG.md `[Unreleased].Added`:
- libsql: dropped `vector` feature (does not exist on libsql 0.9.30 —
vector ops are SQL-level: F32_BLOB, vector_extract, …, not crate
features). Verified via Context7 /tursodatabase/libsql.
- refinery: dropped `libsql` feature (does not exist on refinery 0.9.1 —
available driver features: mysql / postgres / rusqlite / tiberius /
tokio-postgres). T-107 will run V001 SQL via libsql::Connection
directly and use refinery_core::Migration only for ordering.
deny.toml updated to track 7 new transitive advisories all stemming
from libsql's replication TLS stack (rustls-webpki / atomic-polyfill /
bincode / rustls-pemfile) and to allow CDLA-Permissive-2.0 for the
Mozilla CA bundle redistributed by webpki-roots. Each ignore entry
carries a `# REASON:` block stating the upstream chain, why the path
is unreachable in S1 embedded-local mode, and the upstream condition
for re-evaluation. Total advisory ignores: 17 → 24.
Verification:
- cargo build --manifest-path src-tauri/Cargo.toml OK
- cargo clippy --workspace -- -D warnings OK
- cargo fmt --check OK
- cargo test --workspace OK (1 passed)
- cargo deny --manifest-path src-tauri/Cargo.toml check OK
(advisories ok, bans ok, licenses ok, sources ok)
Refs: ARCHI.md §3.1, ADR-015, CLAUDE.md NEVER manual edit Cargo.toml
* chore(deps): /simplify T-101 — drop libsql replication, swap fs2→fs4
/simplify review pass on commit 5fdab3d flagged P0 efficiency issue:
libsql `replication` (and inherited `remote`/`sync`/`tls`) features
pulled a full TLS/gRPC stack (hyper-rustls, rustls 0.22, rustls-webpki,
webpki-roots, tonic, tonic-web, tower-http, prost, bincode 1.3.3) that
S1 embedded-local mode never exercises. Cost: ~1500 transitive lock
lines, 6 RustSec advisory ignores, 1 license-allowance addition,
~15s of cold build time.
Changes:
- libsql: drop default features, keep only `core`. Remote-replica
features will be re-added at the sprint that introduces sync.
- fs2 → fs4. fs2 last published 2018; fs4 is the active fork with the
same `FileExt` API plus async support — pre-empts the unmaintained
advisory and matches Forgent's "no unmaintained transitives" stance.
- deny.toml: revert 6 advisory ignores (RUSTSEC-2026-0049/0098/0099/
0104 rustls-webpki, RUSTSEC-2025-0141 bincode, RUSTSEC-2025-0134
rustls-pemfile) — no longer reachable. Revert CDLA-Permissive-2.0
license allowance — webpki-roots no longer pulled. Net advisory
ignore count: 24 → 18 (only RUSTSEC-2023-0089 atomic-polyfill via
statig→heapless remains).
- CHANGELOG.md: rewrite the T-101 [Unreleased].Added entry to reflect
the simpler dep set and document the 3 deviations (vector feature
absent, refinery libsql feature absent, fs2→fs4 swap) compactly.
Verification (post-simplify):
- cargo build OK (41.34s, was 56.10s)
- cargo clippy --workspace -- -D warnings OK
- cargo fmt --check OK
- cargo test --workspace OK (1 passed)
- cargo deny check OK
(advisories ok, bans ok, licenses ok, sources ok)
Cargo.lock net change: -846 lines transitive deps removed.
Refs: ARCHI.md §3.1, ADR-015, /simplify Phase 3 P0 finding
---------
Co-authored-by: Mathieu Piton <27002047+mpiton@users.noreply.github.com>

chore(deps): /simplify T-101 — drop libsql replication, swap fs2→fs4
chore/task-T-101-cargo-deps

chore(ci): wire workflow_dispatch + bootstrap-tag exclusion in release.yml (task 13) (#15)
* chore(ci): wire workflow_dispatch + bootstrap-tag exclusion in release.yml (task 13)
- `release.yml` `on.push.tags` adds `!**-bootstrap` negation pattern so the Sprint 0
marker tag (`v0.0.1-bootstrap`) is silently dropped instead of failing `verify-tag`
on version mismatch. Verified by `scripts/verify-release-tag-filter.py` against a
9-tag fixture reproducing GitHub's fnmatch+negation semantics.
- `release.yml` `on.workflow_dispatch.inputs.dry_run` (default true) lets the build +
sign matrix run from the Actions UI without creating a Release; `verify-tag` is
skipped (no tag context), `publish` is skipped under dry-run.
- Fix sign-step gating: step-level `env.X` is set AFTER step-level `if:` is evaluated,
so the previous `if: env.APPLE_CERTIFICATE != ''` always read empty. Hoisted to job-
level booleans `HAS_APPLE_CERT` / `HAS_WINDOWS_CERT` / `HAS_TAURI_SIGNING` bound to
`${{ secrets.X != '' }}`, then consumed via `if: env.HAS_X == 'true'`. Sign step
now runs when configured; explicit "Skip signing (no cert)" warnings make missing
secrets visible in dry-run summaries.
- Drop `pnpm/action-setup` `version: 9` pin → action picks up `packageManager`
(`pnpm@10.33.2`) from `package.json`, matching ci.yml harmonisation in PR #6.
- Rename Windows secret `WINDOWS_CERT` → `WINDOWS_CERTIFICATE`; add
`WINDOWS_CERTIFICATE_PASSWORD`, `APPLE_ID`, `APPLE_PASSWORD`, `APPLE_TEAM_ID` for
notarization (notarytool needs app-specific password + team identifier, not the
certificate password). 9 total secrets documented in `RELEASING.md`.
- `publish` job now fails with explicit error on empty release notes instead of
silently uploading an empty body (CHANGELOG awk extraction edge case).
`RELEASING.md` (new) documents the trigger matrix, the 9 secrets + per-secret
generation procedure (Tauri ed25519 via `tauri signer generate`, Apple Developer ID +
Keychain Access + notarytool app-specific password, Authenticode .pfx via OpenSSL
CSR + CA validation), the cut-a-release runbook (CHANGELOG / Cargo.toml /
package.json lockstep bump → annotated tag → `gh run watch`), the smoke-test runbook
for `workflow_dispatch`, the bootstrap-tag exception, and the rollback playbook.
`scripts/verify-release-tag-filter.py` (new) reproduces GitHub's tag-filter glob +
negation semantics via `fnmatch.fnmatchcase`, loads patterns straight from
`release.yml` (tolerant regex, no runtime YAML dep), asserts representative tags
behave as documented, exits 1 on any mismatch.
actionlint @ 1.7.12 → 0 errors on release.yml. Pre-existing `if: false` warnings on
`ci.yml`/`mutants.yml` (Sprint 1 gating) are unaffected.
Refs: ARCHI §17.2 + §17.3, Sprint 0 task 13.
* chore(ci): /simplify pass on task 13 release.yml + verify script
- `release.yml` `Tauri-updater signing status` was unconditional on all 4 matrix
legs (4 near-identical `::warning::` echoes per dispatch). Now gated on
`runner.os == 'Linux' && env.HAS_TAURI_SIGNING != 'true'` — the warning fires
once per workflow run on the cheapest runner, not 4×.
- `release.yml` two narrative comment blocks trimmed to one-liners (tag-pattern
explainer, `always()` rationale on the build `if:`) — the why lives in
`RELEASING.md`, the workflow file should not duplicate it.
- `scripts/verify-release-tag-filter.py` — extended the tolerant YAML-line regex
from "double-quoted only" to a 3-branch alternation (double / single / bare
scalar) with optional trailing `# comment`. Closes a LOW finding that the
parser silently broke if the workflow author switched quote style. All 9
fixtures still pass.
- `RELEASING.md` References section — dropped the broken cross-reference to
`CONTRIBUTING.md` "release process" (no such section exists).
actionlint @ 1.7.12 → 0 errors. oxlint / oxfmt --check / tsc -b clean.
verify-release-tag-filter.py exit 0 on the 9-tag fixture.
Refs: ARCHI §17.2 + §17.3, Sprint 0 task 13 simplify.
* chore(ci): address PR #15 review (cubic + coderabbit) on release workflow
- workflow_dispatch+dry_run=false now requires a tag ref; verify-tag also runs
on the manual re-publish path so CHANGELOG/Cargo.toml/package.json lockstep
is enforced. Build refuses to run when verify-tag explicitly failed (cubic P1)
- verify-release-tag-filter.py: matches() now evaluates patterns sequentially
per GitHub Actions docs (later overrides earlier); load_tag_patterns() uses
an indent-aware state machine scoped to on.push.tags so unrelated tags: keys
are ignored (cubic P2 + coderabbit nitpick)
- RELEASING.md: GNU sed range form for first-match version bump; markdownlint
MD040 fix on verify-script output fenced block (coderabbit)
* chore(ci): address PR #15 follow-up review (coderabbit) on release workflow
- release.yml CHANGELOG heading match: anchor exactly so 1.2.3 does not also
match 1.2.30. Both verify-tag (grep -E with bracketed/bare alternation +
trailing-space-or-EOL anchor) and publish awk (== full-line OR index()==1
with trailing space) updated.
- verify-release-tag-filter.py: replaced fnmatch with hand-rolled glob->regex
translator distinguishing * (no slash) from ** (cross slash) per GH Actions
semantics. Two new fixtures (releases/v1.0, v1.0/sub) cover the case.
Skipped: SHOULD_SIGN proposal — dry-run smoke testing of signing matrix is
documented intent (RELEASING.md), not a bug.
* chore(ci): address PR #15 round-3 review (cubic) on release workflow
- release.yml verify-tag CHANGELOG check: drop grep -E (which would treat
regex metachars in tag as regex, e.g. `.` matching any char), use the same
literal-string awk as publish.Extract step. Same structure both places so
future maintenance can't drift them apart.
- verify-release-tag-filter.py _glob_to_regex: extend beyond */**/?
to support [abc] / [!abc] / [^abc] character classes and \\X backslash
escape. Document limitation that minimatch extglob (+(a|b), etc.) is not
implemented. Added _self_test_translator() with 11 translator cases
(slash semantics, ?, char classes, escapes).
* chore(docs): address PR #15 round-4 review (coderabbit) on CHANGELOG
- L11: MD038 — drop leading space inside inline code span
(` - DATE` -> `- DATE`).
- L31: refresh helper-script bullet to reflect current state — references
_glob_to_regex (not fnmatch.fnmatchcase), 11-tag fixture set (not 9), and
_self_test_translator() companion. Pattern set unchanged.
* chore(ci): gate release.yml signing on SHOULD_SIGN (PR #15 round 5)
Reverse earlier decision to skip CodeRabbit's SHOULD_SIGN finding. New flag
SHOULD_SIGN = (push of tag) OR (workflow_dispatch + dry_run=false) gates:
- TAURI_SIGNING_PRIVATE_KEY env wiring on tauri build
- macOS sign step
- Windows sign step
- Tauri-updater + macOS + Windows missing-cert warnings (only on real-release
paths now)
- New ::notice:: log on dry-run runs explaining signing was skipped
Effect: workflow_dispatch dry_run=true no longer touches signing secrets at
all (build matrix smoke test only). RELEASING.md trigger matrix + smoke-test
section updated to document the new dry-run semantic.
* chore(ci): add tag-ref check to SHOULD_SIGN (PR #15 round 6, cubic P1)
cubic P1: SHOULD_SIGN previously evaluated true on workflow_dispatch
dry_run=false against a branch ref, exposing signing secrets to a build that
publish would never ship (publish gate already required tag ref). Add
startsWith(github.ref, 'refs/tags/v') so SHOULD_SIGN stays false on any
non-tag ref regardless of event/dry_run combination.
---------
Co-authored-by: Mathieu Piton <27002047+mpiton@users.noreply.github.com>
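The tag-filter check that the PR #15 commit messages describe (glob plus `!` negation, `*` versus `**` slash semantics, `[abc]` / `[!abc]` / `[^abc]` classes, backslash escapes, and sequential "later pattern overrides earlier" evaluation), reconstructed here as an added example. This is not the project's `scripts/verify-release-tag-filter.py`; the positive patterns `v*` and `releases/**` and the tag fixture are assumptions, only the `!**-bootstrap` exclusion comes from the page.

```python
import re

# Constructed pattern list: `!**-bootstrap` is the exclusion from the page;
# `v*` and `releases/**` are assumed positive patterns, not the project's own.
TAG_PATTERNS = ["v*", "releases/**", "!**-bootstrap"]


def glob_to_regex(pattern: str) -> str:
    """Filter-pattern glob -> regex for re.fullmatch(): `*` (no slash), `**`
    (crosses slash), [abc] / [!abc] / [^abc] classes, `\\X` literal escapes.
    GitHub's `?` / `+` quantifiers are deliberately not handled here."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c, j = pattern[i], pattern.find("]", i + 2)
        if c == "*" and pattern[i + 1:i + 2] == "*":
            out.append(".*")            # ** may span path separators
            i += 2
        elif c == "*":
            out.append("[^/]*")         # * stops at the first '/'
            i += 1
        elif c == "\\" and i + 1 < n:
            out.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
        elif c == "[" and j != -1:      # character class, both negation spellings
            body = pattern[i + 1:j]
            body = "^" + body[1:] if len(body) > 1 and body[0] in "!^" else body
            out.append("[" + body.replace("\\", "\\\\") + "]")
            i = j + 1
        else:
            out.append(re.escape(c))    # anything else is a literal character
            i += 1
    return "".join(out)

def matches(ref: str, patterns: list[str]) -> bool:
    """Apply patterns in order as on.push.tags does: a matching `!` pattern
    excludes the ref again, a later positive match re-includes it."""
    included = False
    for pat in patterns:
        negate = pat.startswith("!")
        if re.fullmatch(glob_to_regex(pat[1:] if negate else pat), ref):
            included = not negate
    return included

def check_fixtures() -> dict[str, bool]:
    """Constructed tag fixture run through TAG_PATTERNS (True = build runs)."""
    tags = ["v1.2.3", "v0.0.1-bootstrap", "v1.0/sub",
            "releases/v1.0", "releases/v1.0-bootstrap", "rc/v1.0"]
    return {tag: matches(tag, TAG_PATTERNS) for tag in tags}
```

Run it as a CI self-check that exits non-zero when any fixture result differs from the documented expectation; the bootstrap marker tag is excluded because the `!` pattern is evaluated after the positive one, which is the ordering the page relies on.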