ci: commit Cargo.lock so cargo vet can run

[27Bslash6]

Summary

The Security workflow has been red for ~10 consecutive nightly runs (since 2026-05-11). Root cause: Cargo.lock is gitignored, but cargo vet runs cargo metadata --locked, which requires a committed lockfile matching Cargo.toml.

Every run died here before any actual vetting:

ERROR  × `cargo metadata` exited with an error:
  │ error: the lock file Cargo.lock needs to be updated but --locked was passed

All other Security jobs (Kani, 16 deep-fuzz targets, SBOM, attestation) were green — only the supply-chain gate was broken.

Changes

• Remove Cargo.lock from .gitignore
• Commit Cargo.lock (155 resolved packages)
• Regenerate supply-chain/config.toml exemptions to match the lockfile — the exemption versions had drifted since they were last written in March, so committing the lockfile alone would still have failed vet on version mismatches.

Why commit the lockfile

Modern Rust guidance is to commit Cargo.lock for any crate that ships build artifacts or runs supply-chain CI. cachekit-core does both: it ships a cdylib/staticlib consumed by cachekit-py's PyO3 FFI, and runs cargo vet. Without a pinned lockfile, "vetted" only means "vetted against whatever resolved at CI time" — a poisoned transitive release could slip in between runs.

Test plan

• cargo vet locally → Vetting Succeeded (156 exempted), exit 0
• cargo metadata --locked succeeds
• Security workflow green on this branch

Summary by CodeRabbit

• Chores
  • Refreshed supply-chain verification configuration: added and updated many exemptions and bumped numerous verification package versions.
  • Adjusted CI security workflow to alter fuzzing install behavior and expand when vetting runs.
  • Updated source-control ignore rules to stop excluding the Rust lockfile.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 294d2b0c-ddee-49c5-a0e2-264f05b14ce4

📥 Commits

Reviewing files that changed from the base of the PR and between ea65ca0 and c4f5bab.

📒 Files selected for processing (1)

• .github/workflows/security.yml

---

📝 Walkthrough

Walkthrough

Removes Cargo.lock from .gitignore, updates many cargo-vet [[exemptions.*]] entries and versions in supply-chain/config.toml, and changes CI fuzz jobs to install cargo-fuzz without --locked with explanatory comments.

Changes

Supply Chain and Build Configuration

Layer / File(s)	Summary
Git configuration \.gitignore	Removes the Cargo.lock exclusion rule, allowing the lock file to be tracked in version control.
Cargo-vet: initial exemptions and bumps supply-chain/config.toml	Adds early exemptions (aead, aes, aes-gcm, anstream, anstyle, anyhow, ctr) and bumps adjacent exemption versions.
Cargo-vet: broad dependency updates supply-chain/config.toml	Updates many exemptions and versions across utilities, crypto, platform, and parsing crates (e.g., fastrand, getrandom, futures-*, hashbrown, id-arena, indexmap, libc, lz4_flex, memchr, num-traits, once_cell, regex-syntax).
Cargo-vet: WASM, bindgen, and zero-copy updates supply-chain/config.toml	Updates WASI/WASM exemptions (wasip2/wasip3, wasm-bindgen*, wasmparser), wit-bindgen/wit-component/wit-parser, and zeroize/zerocopy-related exemptions.
CI security workflow .github/workflows/security.yml	quick-fuzz and deep-fuzz jobs install cargo-fuzz without --locked and include comments about avoiding pinned Cargo.lock conflicts with newer nightly compilers; cargo-vet job now runs on schedule or pull_request.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I’m a rabbit in the repo, nimble and spry,
I nudged Cargo’s lock so the tree could sigh,
I hopped through vet rules, versions anew,
Whispered to CI: “let cargo choose true.” 🐇🔧

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective: committing Cargo.lock to enable cargo-vet execution. It is concise, specific, and directly addresses the primary change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/commit-cargo-lock

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

supply-chain/config.toml (1)

342-345: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add/track a cargo-vet audit for ring 0.17.14 (Q1 2026 priority has passed).

supply-chain/config.toml exempts ring 0.17.14 with “Audit priority Q1 2026”, but supply-chain/audits.toml contains no audit entries (only [audits]) for ring/0.17.14. Update by either adding a full audit entry for ring 0.17.14 (via cargo vet add-audit) or updating the exemption notes with a new timeline if the audit isn’t completed yet.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supply-chain/config.toml` around lines 342 - 345, The exemption for
[[exemptions.ring]] with version "0.17.14" lists "Audit priority Q1 2026" but
there is no corresponding audit entry in supply-chain/audits.toml; either add a
proper cargo-vet audit entry for ring 0.17.14 (use cargo vet add-audit to
produce the audit record and commit it to supply-chain/audits.toml) or update
the exemption notes to a new, accurate timeline/status if the audit is still
pending, and ensure the exemption references ring 0.17.14 so reviewers can
cross-check the audits file.

🧹 Nitpick comments (1)

supply-chain/config.toml (1)

1-635: Consider a phased audit plan for high-priority dependencies.

With 156 exemptions, the majority of the dependency tree is unvetted. While this PR correctly fixes the immediate CI breakage by syncing exemptions with the committed Cargo.lock, consider establishing a phased audit strategy:

1. Immediate priority: Security-critical crates (cryptography, unsafe code, FFI boundaries)
2. High priority: Transitive dependencies of security-critical code paths
3. Medium priority: Build-time dependencies and proc-macros
4. Deferred: Leaf dependencies with minimal code surface

Tools like cargo vet inspect can help triage the audit workload by highlighting crates with significant unsafe code or high transitive reach.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supply-chain/config.toml` around lines 1 - 635, Add a phased audit plan by
annotating high-risk exemptions and documenting rollout: update the cargo-vet
config (section [cargo-vet] and the [[exemptions]] entries) to add an
"audit_priority" or "priority" metadata (e.g. set audit_priority = "immediate"
for [[exemptions.ring]] and other crypto/FFI/unsafe crates), mark transitive
security-critical crates as "high", proc-macros/build deps as "medium", and leaf
libs as "deferred"; add a short audit roadmap comment at top of the file
describing the four phases and include a one-line instruction to run "cargo vet
inspect" to triage and generate the initial audit queue.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@supply-chain/config.toml`:
- Around line 10-20: The config currently marks core crypto crates
(exemptions.aead, exemptions.aes, exemptions.aes-gcm and the ring entry at
0.17.14) as criteria = "safe-to-deploy" without audit evidence; update each
crypto exemption to either include an evidence field with links to completed
audit reports/PRs/issues (for example add an "evidence" or "audit_link"
attribute referencing the audit documents) or change the criteria value to a
more appropriate risk posture (e.g., "requires-audit" or "restricted") and add a
TODO with the expected audit deadline; ensure the ring entry explicitly
references the completed audit or is downgraded from "safe-to-deploy" until
audit links are provided.

---

Outside diff comments:
In `@supply-chain/config.toml`:
- Around line 342-345: The exemption for [[exemptions.ring]] with version
"0.17.14" lists "Audit priority Q1 2026" but there is no corresponding audit
entry in supply-chain/audits.toml; either add a proper cargo-vet audit entry for
ring 0.17.14 (use cargo vet add-audit to produce the audit record and commit it
to supply-chain/audits.toml) or update the exemption notes to a new, accurate
timeline/status if the audit is still pending, and ensure the exemption
references ring 0.17.14 so reviewers can cross-check the audits file.

---

Nitpick comments:
In `@supply-chain/config.toml`:
- Around line 1-635: Add a phased audit plan by annotating high-risk exemptions
and documenting rollout: update the cargo-vet config (section [cargo-vet] and
the [[exemptions]] entries) to add an "audit_priority" or "priority" metadata
(e.g. set audit_priority = "immediate" for [[exemptions.ring]] and other
crypto/FFI/unsafe crates), mark transitive security-critical crates as "high",
proc-macros/build deps as "medium", and leaf libs as "deferred"; add a short
audit roadmap comment at top of the file describing the four phases and include
a one-line instruction to run "cargo vet inspect" to triage and generate the
initial audit queue.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a25d67fa-1d60-4db5-a071-87af269f056d

📥 Commits

Reviewing files that changed from the base of the PR and between 03ad69a and 8886a4d.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• .gitignore
• supply-chain/config.toml

💤 Files with no reviewable changes (1)

• .gitignore

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check for security advisories in newly exempted cryptographic crates.

echo "Checking cryptographic crates for security advisories..."

crates=("aead:0.5.2" "aes:0.8.4" "aes-gcm:0.10.3" "cipher:0.4.4" "ctr:0.9.2" "ghash:0.5.1" "polyval:0.6.2" "universal-hash:0.5.1" "inout:0.1.4")

for crate_version in "${crates[@]}"; do
  IFS=':' read -r crate version <<< "$crate_version"
  echo "Checking $crate $version..."
  gh api graphql -f query="
  {
    securityVulnerabilities(first: 10, ecosystem: RUST, package: \"$crate\") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
        firstPatchedVersion {
          identifier
        }
      }
    }
  }" | jq -r ".data.securityVulnerabilities.nodes[] | select(.vulnerableVersionRange | test(\"$version\")) | \"VULNERABLE: \(.advisory.severity) - \(.advisory.summary) (patched in \(.firstPatchedVersion.identifier // \"none\"))\""
done

Repository: cachekit-io/cachekit-core

Length of output: 352

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Confirm ring audit note in supply-chain/config.toml
echo "== ring note =="
rg -n '"ring"|\bring\b|Audit priority|Q1 2026' supply-chain/config.toml || true
# print a small surrounding window if a ring match exists
line=$(rg -n '"ring"|Audit priority|Q1 2026' supply-chain/config.toml | head -n1 | cut -d: -f1 || true)
if [ -n "${line:-}" ]; then
  start=$((line-15)); end=$((line+15));
  sed -n "${start},${end}p" supply-chain/config.toml | nl -ba | sed 's/^/ /'
fi

# 2) Extract the specific exemption blocks for crypto crates listed
echo
echo "== crypto exemptions (criteria) =="
for c in aead aes aes-gcm cipher ctr ghash polyval universal-hash inout; do
  echo "-- $c --"
  rg -n "\\[\\[exemptions\\.${c}\\]\\]" -n supply-chain/config.toml || true
  # Print a short block around each header
  rg -n "\\[\\[exemptions\\.${c}\\]\\]" supply-chain/config.toml | while IFS=: read -r ln _; do
    start=$((ln-2)); end=$((ln+6));
    sed -n "${start},${end}p" supply-chain/config.toml | nl -ba | sed 's/^/  /'
  done
done

# 3) Check Cargo crate-type (cdylib/staticlib) if available
echo
echo "== Cargo crate-type =="
ls -1 Cargo.toml 2>/dev/null || true
if [ -f Cargo.toml ]; then
  rg -n "crate-type" Cargo.toml || true
  rg -n "\\[lib\\]" -n Cargo.toml || true
  # show lib section area
  line=$(rg -n "\\[lib\\]" Cargo.toml | head -n1 | cut -d: -f1 || true)
  if [ -n "${line:-}" ]; then
    sed -n "${line},$((line+80))p" Cargo.toml | nl -ba | sed 's/^/  /'
  fi
fi

Repository: cachekit-io/cachekit-core

Length of output: 290

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== ring exemption notes (context) =="
line=$(rg -n '\\[\\[exemptions\\.ring\\]\\]' supply-chain/config.toml | head -n1 | cut -d: -f1 || true)
if [ -n "${line:-}" ]; then
  start=$((line)); end=$((line+25));
  sed -n "${start},${end}p" supply-chain/config.toml
else
  rg -n 'exemptions\.ring|Ring cryptographic library|Audit priority' supply-chain/config.toml || true
fi

echo
echo "== crypto exemptions blocks (aead,aes,aes-gcm,cipher,ctr,ghash,polyval,universal-hash,inout) =="
for c in aead aes aes-gcm cipher ctr ghash polyval universal-hash inout; do
  echo "-- $c --"
  header=$(rg -n "\\[\\[exemptions\\.${c//-/\\-}\\]\\]" supply-chain/config.toml | head -n1 | cut -d: -f1 || true)
  if [ -z "${header:-}" ]; then
    # fallback: search literal header even with hyphens
    header=$(rg -n "\\[\\[exemptions\\.${c}\\]\\]" supply-chain/config.toml | head -n1 | cut -d: -f1 || true)
  fi
  if [ -n "${header:-}" ]; then
    start=$((header)); end=$((header+25));
    sed -n "${start},${end}p" supply-chain/config.toml
  else
    echo "(not found in config)"
  fi
done

echo
echo "== Cargo crate-type (if Cargo.toml exists) =="
if [ -f Cargo.toml ]; then
  rg -n "crate-type" Cargo.toml || true
  rg -n "\\[lib\\]" Cargo.toml || true
  line=$(rg -n "\\[lib\\]" Cargo.toml | head -n1 | cut -d: -f1 || true)
  if [ -n "${line:-}" ]; then
    sed -n "${line},$((line+120))p" Cargo.toml
  fi
else
  echo "Cargo.toml not present at repo root in sandbox."
fi

Repository: cachekit-io/cachekit-core

Length of output: 8429

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "== supply-chain/config.toml: [[exemptions.ring]] block =="
line=$(rg -n '\\[\\[exemptions\\.ring\\]\\]' supply-chain/config.toml | head -n1 | cut -d: -f1)
start=$((line-3)); end=$((line+25));
sed -n "${start},${end}p" supply-chain/config.toml

Repository: cachekit-io/cachekit-core

Length of output: 127

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

line=$(rg -n '\\[\\[exemptions\\.ring\\]\\]' supply-chain/config.toml | head -n1 | cut -d: -f1 || true)
echo "found ring header at line: ${line:-<none>}"

if [ -n "${line:-}" ]; then
  start=$((line-3)); end=$((line+35));
  sed -n "${start},${end}p" supply-chain/config.toml
else
  rg -n 'exemptions\.ring|Ring cryptographic library|Audit priority' supply-chain/config.toml || true
fi

Repository: cachekit-io/cachekit-core

Length of output: 246

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
sed -n '342,370p' supply-chain/config.toml

Repository: cachekit-io/cachekit-core

Length of output: 676

---

Require evidence/audit for cryptographic “safe-to-deploy” exemptions (incl. ring)

supply-chain/config.toml exempts core crypto crates with criteria = "safe-to-deploy" (e.g., aead 0.5.2, aes 0.8.4, aes-gcm 0.10.3, cipher 0.4.4, ctr 0.9.2, ghash 0.5.1, polyval 0.6.2, universal-hash 0.5.1, inout 0.1.4). With ring 0.17.14 also set to safe-to-deploy, the config doesn’t show any audit basis for cryptographic correctness/side-channel properties—an elevated risk for a library built as cdylib/staticlib.

A GitHub advisory query for those exact crate:version pairs returned no matching “VULNERABLE” results, but that doesn’t replace documentation of the audit rationale/coverage. The ring note (“Audit priority Q1 2026”) is already past—either provide the completed-audit evidence and link(s), or update the exemptions/criteria so the release posture matches the risk level.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@supply-chain/config.toml` around lines 10 - 20, The config currently marks
core crypto crates (exemptions.aead, exemptions.aes, exemptions.aes-gcm and the
ring entry at 0.17.14) as criteria = "safe-to-deploy" without audit evidence;
update each crypto exemption to either include an evidence field with links to
completed audit reports/PRs/issues (for example add an "evidence" or
"audit_link" attribute referencing the audit documents) or change the criteria
value to a more appropriate risk posture (e.g., "requires-audit" or
"restricted") and add a TODO with the expected audit deadline; ensure the ring
entry explicitly references the completed audit or is downgraded from
"safe-to-deploy" until audit links are provided.