Skip to content

fix: trivial sweep + final triage flips — banner token redaction, stale deny ignores, dead derives (closes #1777, #1778, #1785)#1796

Merged
jamie8johnson merged 3 commits into
mainfrom
fix-trivial-archeo2
Jun 12, 2026
Merged

fix: trivial sweep + final triage flips — banner token redaction, stale deny ignores, dead derives (closes #1777, #1778, #1785)#1796
jamie8johnson merged 3 commits into
mainfrom
fix-trivial-archeo2

Conversation

@jamie8johnson

Copy link
Copy Markdown
Owner

Trivial sweep + final audit-triage flips, closing out the v1.42.0 campaign's bookkeeping.

Trivial sweep (closes #1777, #1778, #1785)

  • serve banner: session token stays out of journald/container logs. The tokenized URL prints only when stdout is a terminal; on a non-TTY stdout the banner prints the URL without the token plus an accurate hint that the token is per-launch and terminal-only. Pinned via auth_banner_tty / auth_banner_non_tty tests.
  • deny.toml: stale RUSTSEC ignores pruned — RUSTSEC-2024-0388 (derivative) and RUSTSEC-2024-0384 (instant); both crates left Cargo.lock with the keyring chain.
  • cross_project.rs: unused Serialize derives + orphaned serde attrs dropped from CrossProjectCaller/CrossProjectCallee — the cross cores remap them field by field; zero direct serialization sites.
  • kind.rs module doc corrected (graph commands route through detect_fallback/detect_kind_for_store).
  • cqs-verify skill: notes-list parser uses the {notes, count} object shape from fix(core): read and notes-list union schemas across surfaces; --stdin invocations bypass the daemon (closes #1775) #1789.

Triage flips (docs/audit-triage.md)

Gates: post-merge build clean, targeted suites green (serve 134, kind 26, cross_project 15), provenance lint clean on the full diff vs main.

🤖 Generated with Claude Code

jamie8johnson and others added 3 commits June 11, 2026 18:23
…ken-free banner logging, kind doc, verify-skill parser (closes #1777, #1778, #1785)

- deny.toml: prune stale RUSTSEC-2024-0388 (derivative) and RUSTSEC-2024-0384
  (instant) ignores — both crates left Cargo.lock with the keyring chain;
  SECURITY.md already lists only the live three, no change there.
- cross_project.rs: drop unused Serialize derives + orphaned serde attrs from
  CrossProjectCaller/CrossProjectCallee — the cross cores remap them to
  CallerEntry/CalleeEntry field by field, zero direct serialization sites.
- serve banner: print the tokenized URL only when stdout is a terminal; on a
  non-TTY stdout print the URL without the token plus an accurate hint that the
  token is per-launch and terminal-only — keeps the session secret out of
  journald/container logs. Pinned via auth_banner_tty/auth_banner_non_tty tests.
- kind.rs: correct the stale module-doc claim — graph commands route through it
  via detect_fallback/detect_kind_for_store.
- cqs-verify SKILL.md: notes-list parser uses r["count"] now that notes list
  returns {notes, count}; callers/callees parser lines verified against current
  shapes (both already use count).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
CQ-V1.42-9 → #1793; CQ-V1.42-13/14 → #1795 (residual #1790);
API-V1.40-2/3/5/6/9 + DS-V1.40-8/10 → #1792; API-V1.40-10 closed
(keep-both verdict); PB-V1.40-9 refuted with live WAL-on-v9fs evidence.
Remaining open: PERF-V1.40-7, RM-V1.40-4, RM-V1.40-5 (easy perf trio,
polish-wave candidates).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

deny.toml: prune stale advisory ignores (derivative, instant)

1 participant