- .cargo/config.toml: strip all clippy::* lints from rustflags; they are
unknown to rustc and produce spurious 'unknown lint' warnings on every
cargo build/check/test invocation. Only rustc-native lints (unsafe_code,
trivial_casts, rust_2018_idioms, etc.) remain. clippy lints must be
enforced exclusively via the cargo clippy invocation in CI.
- crypto/hash.rs: replace unreachable!() in sha256_hmac with
#[allow(clippy::expect_used)] + .expect(). unreachable!() triggers
clippy::panic which is globally denied; the structural infallibility of
HmacSha256::new_from_slice makes expect() correct here.
- protocol/obfuscation.rs: replace unreachable!() in generate_nonce with
#[allow(clippy::panic)] + panic!() and add adversarial-RNG regression
test that verifies the panic fires after MAX_NONCE_ATTEMPTS exhaustion.
- tls_front/fetcher.rs: fallback branch in build_client_config now calls
ClientConfig::builder_with_provider(provider) instead of
ClientConfig::builder(), preventing a silent crypto-backend switch from
ring to the global default in the error path.
- transport/middle_proxy/secret.rs: (1) add max_len < PROXY_SECRET_MIN_LEN
early guard at function entry so callers get an explicit validation error
before any HTTP round-trip; (2) replace data.len() + chunk.len() with
checked_add to prevent usize overflow bypassing the hard cap; (3) remove
temp file on write failure; (4) add six streaming-cap regression tests
covering cap rejection, overflow guard, and boundary acceptance.
- pool_config.rs: replace silent .is_some() drain with while-let that logs
JoinError, making panics in reconnect tasks visible in production logs.
Add tokio regression test verifying panicking tasks yield JoinError.
- runtime_edge.rs: revert EdgeConnectionsCacheEntry visibility from pub to
pub(crate); the type is internal to the api module and must not be
exported beyond crate scope.
- Copilot issues for dashed lint names, unreachable!/clippy::panic, and
tokio::rename atomicity were confirmed false positives via empirical
cargo clippy runs and POSIX semantics analysis.
- secret.rs: swap resp.bytes() for resp.chunk() loop; reject each chunk before
it is appended so hard_cap is never exceeded in memory (OOM/DoS fix).
Replace fixed ".tmp" suffix with unique_temp_path() (timestamp + atomic
counter) to prevent concurrent-writer collisions on the cache file.
- pool_config.rs: add MAX_CONCURRENT_RECONNECTS=32 and batch the reconnect_all
task spawn loop to prevent a thundering-herd burst on large pools.
- buffer_pool.rs: call fill(0u8) before clear() in return_buffer() to
overwrite the initialized region of every returned buffer (OWASP ASVS L2
V8.3.6). Add unsafe backing-byte test to verify zeroization at the
allocation level, not merely via the safe len==0 API.
- api/events.rs, api/runtime_stats.rs: restrict ApiEventStore and
MinimalCacheEntry from pub to pub(crate) — both are consumed only within
the api module tree and should not be part of the public API surface.
Rebase the security hardening stack onto upstream/main after telemt/flow was
merged upstream. This keeps the transport, TLS fronting, middle-proxy, CI
policy, and regression-test changes in a clean PR branch without including
private .David_docs material.
David Osipov