security: make CI gates blocking, add smoke test, clean up dead code

- gitleaks, cargo audit, trivy fs now block pipeline on findings - add smoke test (docker run + curl /health) in release workflow - deny.toml: add review date to RUSTSEC-2025-0119 ignore - remove unused validation functions (maven, npm, crate) - replace blanket #![allow(dead_code)] with targeted allows
2026-04-12 16:10:31 +00:00 · 2026-03-15 19:25:00 +00:00
parent d886426957
commit 233b83f902
8 changed files with 27 additions and 67 deletions
--- a/nora-registry/src/error.rs
+++ b/nora-registry/src/error.rs
@@ -1,7 +1,6 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT

-#![allow(dead_code)]
 //! Application error handling with HTTP response conversion
 //!
 //! Provides a unified error type that can be converted to HTTP responses
@@ -18,6 +17,7 @@ use thiserror::Error;
 use crate::storage::StorageError;
 use crate::validation::ValidationError;

+#[allow(dead_code)] // Wiring into handlers planned for v0.3
 /// Application-level errors with HTTP response conversion
 #[derive(Debug, Error)]
 pub enum AppError {
@@ -40,6 +40,7 @@ pub enum AppError {
    Validation(#[from] ValidationError),
 }

+#[allow(dead_code)]
 /// JSON error response body
 #[derive(Serialize)]
 struct ErrorResponse {
@@ -74,6 +75,7 @@ impl IntoResponse for AppError {
    }
 }

+#[allow(dead_code)]
 impl AppError {
    /// Create a not found error
    pub fn not_found(msg: impl Into<String>) -> Self {
--- a/nora-registry/src/openapi.rs
+++ b/nora-registry/src/openapi.rs
@@ -5,7 +5,8 @@
 //!
 //! Functions in this module are stubs used only for generating OpenAPI documentation.

-#![allow(dead_code)]
+
+#![allow(dead_code)] // utoipa doc stubs — not called at runtime, used by derive macros

 use axum::Router;
 use std::sync::Arc;
--- a/nora-registry/src/secrets/mod.rs
+++ b/nora-registry/src/secrets/mod.rs
@@ -1,7 +1,6 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT

-#![allow(dead_code)] // Foundational code for future S3/Vault integration

 //! Secrets management for NORA
 //!
@@ -34,6 +33,7 @@ use async_trait::async_trait;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;

+#[allow(dead_code)] // Variants used by provider impls; external error handling planned for v0.4
 /// Secrets provider error
 #[derive(Debug, Error)]
 pub enum SecretsError {
@@ -56,9 +56,11 @@ pub enum SecretsError {
 #[async_trait]
 pub trait SecretsProvider: Send + Sync {
    /// Get a secret by key (required)
+    #[allow(dead_code)]
    async fn get_secret(&self, key: &str) -> Result<ProtectedString, SecretsError>;

    /// Get a secret by key (optional, returns None if not found)
+    #[allow(dead_code)]
    async fn get_secret_optional(&self, key: &str) -> Option<ProtectedString> {
        self.get_secret(key).await.ok()
    }
--- a/nora-registry/src/secrets/protected.rs
+++ b/nora-registry/src/secrets/protected.rs
@@ -13,12 +13,14 @@ use zeroize::{Zeroize, Zeroizing};
 /// - Implements Zeroize: memory is overwritten with zeros when dropped
 /// - Debug shows `***REDACTED***` instead of actual value
 /// - Clone creates a new protected copy
+#[allow(dead_code)] // Used internally by SecretsProvider impls; external callers planned for v0.4
 #[derive(Clone, Zeroize)]
 #[zeroize(drop)]
 pub struct ProtectedString {
    inner: String,
 }

+#[allow(dead_code)]
 impl ProtectedString {
    /// Create a new protected string
    pub fn new(value: String) -> Self {
@@ -68,6 +70,7 @@ impl From<&str> for ProtectedString {
 }

 /// S3 credentials with protected secrets
+#[allow(dead_code)] // S3 storage backend planned for v0.4
 #[derive(Clone, Zeroize)]
 #[zeroize(drop)]
 pub struct S3Credentials {
@@ -77,6 +80,7 @@ pub struct S3Credentials {
    pub region: Option<String>,
 }

+#[allow(dead_code)]
 impl S3Credentials {
    pub fn new(access_key_id: String, secret_access_key: String) -> Self {
        Self {
--- a/nora-registry/src/validation.rs
+++ b/nora-registry/src/validation.rs
@@ -1,7 +1,6 @@
 // Copyright (c) 2026 Volkov Pavel | DevITWay
 // SPDX-License-Identifier: MIT

-#![allow(dead_code)]
 //! Input validation for artifact registry paths and identifiers
 //!
 //! Provides security validation to prevent path traversal attacks and
@@ -309,63 +308,6 @@ pub fn validate_docker_reference(reference: &str) -> Result<(), ValidationError>
    Ok(())
 }

-/// Validate Maven artifact path.
-///
-/// Maven paths follow the pattern: groupId/artifactId/version/filename
-/// Example: `org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar`
-pub fn validate_maven_path(path: &str) -> Result<(), ValidationError> {
-    validate_storage_key(path)
-}
-
-/// Validate npm package name.
-pub fn validate_npm_name(name: &str) -> Result<(), ValidationError> {
-    if name.is_empty() {
-        return Err(ValidationError::EmptyInput);
-    }
-
-    if name.len() > 214 {
-        return Err(ValidationError::TooLong {
-            max: 214,
-            actual: name.len(),
-        });
-    }
-
-    // Check for path traversal
-    if name.contains("..") {
-        return Err(ValidationError::PathTraversal);
-    }
-
-    Ok(())
-}
-
-/// Validate Cargo crate name.
-pub fn validate_crate_name(name: &str) -> Result<(), ValidationError> {
-    if name.is_empty() {
-        return Err(ValidationError::EmptyInput);
-    }
-
-    if name.len() > 64 {
-        return Err(ValidationError::TooLong {
-            max: 64,
-            actual: name.len(),
-        });
-    }
-
-    // Check for path traversal
-    if name.contains("..") || name.contains('/') {
-        return Err(ValidationError::PathTraversal);
-    }
-
-    // Crate names: alphanumeric, underscores, hyphens
-    for c in name.chars() {
-        if !matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '_' | '-') {
-            return Err(ValidationError::ForbiddenCharacter(c));
-        }
-    }
-
-    Ok(())
-}
-
 #[cfg(test)]
 mod tests {
    use super::*;