Merged
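--- a/.agents/skills/.gitignore
+++ b/.agents/skills/.gitignore
@@ -0,0 +1,3 @@
+# Managed by Tessl
+tessl__*
+tessl:*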
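--- a/.claude/skills/.gitignore
+++ b/.claude/skills/.gitignore
@@ -0,0 +1,3 @@
+# Managed by Tessl
+tessl__*
+tessl:*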
File renamed without changes.
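--- a/.codex/config.toml
+++ b/.codex/config.toml
@@ -0,0 +1,4 @@
+[mcp_servers.tessl]
+type = "stdio"
+command = "tessl"
+args = [ "mcp", "start" ]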
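Review bot: `command = "tessl"` is looked up on whatever PATH the agent process inherits, so this checked-in entry makes each contributor's session start an unpinned local binary as an MCP server; the identical entries in .cursor/mcp.json, .gemini/settings.json and .mcp.json have the same property. Nothing visible in this change records which tessl version or install source is expected. I would add a comment above the table, `# Starts the locally installed tessl CLI (resolved from PATH) as a stdio MCP server; install it only from the project's documented source`, and state the expected version in the contributor docs, since the JSON files cannot carry a comment.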
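--- a/.codex/skills/.gitignore
+++ b/.codex/skills/.gitignore
@@ -0,0 +1,3 @@
+# Managed by Tessl
+tessl__*
+tessl:*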
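--- a/.cursor/mcp.json
+++ b/.cursor/mcp.json
@@ -0,0 +1,12 @@
+{
+"mcpServers": {
+"tessl": {
+"type": "stdio",
+"command": "tessl",
+"args": [
+"mcp",
+"start"
+]
+}
+}
+}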
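--- a/.cursor/rules/.gitignore
+++ b/.cursor/rules/.gitignore
@@ -0,0 +1,2 @@
+# Managed by Tessl
+tessl__*.mdc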
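--- a/.cursor/skills/.gitignore
+++ b/.cursor/skills/.gitignore
@@ -0,0 +1,3 @@
+# Managed by Tessl
+tessl__*
+tessl:*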
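--- a/.gemini/settings.json
+++ b/.gemini/settings.json
@@ -0,0 +1,12 @@
+{
+"mcpServers": {
+"tessl": {
+"type": "stdio",
+"command": "tessl",
+"args": [
+"mcp",
+"start"
+]
+}
+}
+}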
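--- a/.gemini/skills/.gitignore
+++ b/.gemini/skills/.gitignore
@@ -0,0 +1,3 @@
+# Managed by Tessl
+tessl__*
+tessl:*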
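--- a/.github/skills/.gitignore
+++ b/.github/skills/.gitignore
@@ -0,0 +1,3 @@
+# Managed by Tessl
+tessl__*
+tessl:*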
14 changes: 10 additions & 4 deletions .gitignore
Expand Up @@ -128,8 +128,14 @@ megalinter-reports/
# Added by goreleaser init:
.intentionally-empty-file.o

# Local Claude configuration
# AI assistant artifacts
.claude.local.md
.claude/*.local.md

.taskmaster/
.full-review
docs/plans
.cursor/commands
.github/prompts
.kiro/specs/*
.worktrees/
**/tessl__*
**/*.local.md
.tessl/tiles/
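--- a/.mcp.json
+++ b/.mcp.json
@@ -0,0 +1,12 @@
+{
+"mcpServers": {
+"tessl": {
+"type": "stdio",
+"command": "tessl",
+"args": [
+"mcp",
+"start"
+]
+}
+}
+}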
239 changes: 157 additions & 82 deletions .mergify.yml
@@ -1,88 +1,163 @@
pull_request_rules:
- name: Auto-approve and merge dependabot PRs
conditions:
- base = main
- author = dependabot[bot]
- -draft
- label != do-not-merge
- -files~=\.github/workflows/release\.yml
- check-success = DCO
- check-success = quality
- check-success = test
- check-success = test-cross-platform (macos-15, macOS)
- check-success = test-cross-platform (windows-2022, Windows)
- check-success = test-cross-platform (ubuntu-22.04, Linux)
- check-success = coverage
actions:
review:
type: APPROVE
message: Automatically approved by Mergify
merge:
method: squash
queue_rules:
# ─────────────────────────────────────────────────────────────────────────
# 1. dosubot — lint only
# ─────────────────────────────────────────────────────────────────────────
- name: dosubot
merge_method: squash
autoqueue: true
queue_conditions:
- base = main
- label != do-not-merge
- author = dosubot[bot]
merge_conditions:
- check-success = quality

- name: Auto-approve and merge dosubot PRs
conditions:
- base = main
- author = dosubot[bot]
- -draft
- label != do-not-merge
- check-success = DCO
- check-success = quality
- check-success = test
- check-success = test-cross-platform (macos-15, macOS)
- check-success = test-cross-platform (windows-2022, Windows)
- check-success = test-cross-platform (ubuntu-22.04, Linux)
- check-success = coverage
actions:
review:
type: APPROVE
message: Automatically approved by Mergify
merge:
method: squash
# ─────────────────────────────────────────────────────────────────────────
# 2. dependabot-workflows — workflow-only changes, lint only
# ─────────────────────────────────────────────────────────────────────────
- name: dependabot-workflows
merge_method: squash
autoqueue: true
queue_conditions:
- base = main
- label != do-not-merge
- author = dependabot[bot]
- "-files ~= ^(?!\\.github/workflows/)"
merge_conditions:
- check-success = quality

# ─────────────────────────────────────────────────────────────────────────
# 3. dependabot — non-workflow changes, full CI
# ─────────────────────────────────────────────────────────────────────────
- name: dependabot
merge_method: squash
autoqueue: true
queue_conditions:
- base = main
- label != do-not-merge
- author = dependabot[bot]
merge_conditions:
- check-success = quality
- check-success = test
- "check-success = test-cross-platform (macos-15, macOS)"
- "check-success = test-cross-platform (windows-2022, Windows)"
- "check-success = test-cross-platform (ubuntu-22.04, Linux)"
- check-success = coverage
- check-success = DCO

- name: Auto-merge release-plz PRs
conditions:
- base = main
- head ~= ^release-plz-
- -draft
- label != do-not-merge
- check-success = DCO
actions:
merge:
method: squash
# ─────────────────────────────────────────────────────────────────────────
# 4. default — manually enqueued by maintainers, full CI
# Repo permissions restrict who can send the /queue command.
# ─────────────────────────────────────────────────────────────────────────
- name: default
merge_method: squash
merge_conditions:
- check-success = quality
- check-success = test
- "check-success = test-cross-platform (macos-15, macOS)"
- "check-success = test-cross-platform (windows-2022, Windows)"
- "check-success = test-cross-platform (ubuntu-22.04, Linux)"
- check-success = coverage
- check-success = DCO
Comment on lines +52 to +61

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

find . -name ".mergify.yml" -type f

Repository: EvilBit-Labs/DaemonEye

Length of output: 80


🏁 Script executed:

cat ./.mergify.yml

Repository: EvilBit-Labs/DaemonEye

Length of output: 5957


🌐 Web query:

Mergify queue_conditions admission merge_conditions timing documentation

💡 Result:

  • queue_conditions (admission / enqueueing): These conditions are evaluated to decide whether a PR can be accepted into a merge queue. If autoqueue: true, the PR is added as soon as it matches queue_conditions (you can even omit CI from queue_conditions to “queue early”). If you use the queue action, the PR still must match the queue rule’s queue_conditions to actually enter the queue. [1], [2]

  • merge_conditions (merge gate at the front): These conditions are evaluated to decide whether a queued PR can be merged once it reaches the front of the queue (typically stricter: full CI, approvals, etc.). For merge-queue “draft/temporary PR” operation, check-related merge conditions are evaluated against the temporary PR, not the original. [1]

  • Timing-related knobs/fields (queue processing):

    • batch_max_wait_time: how long Mergify may wait to form a batch (default shown as 30s). [1]
    • checks_timeout: how long the queue waits for pending checks before dequeueing (min 60s). [1]
    • Condition attributes you can use/inspect include queued-at and queue-merge-started-at timestamps. [3]

Sources:
[1] Mergify Docs — “Using Queue Rules” (queue_rules, queue_conditions vs merge_conditions, autoqueue, timing options) (docs.mergify.com)
[2] Mergify Docs — “Queue” action (still must satisfy queue_conditions; name parameter behavior) (docs.mergify.com)
[3] Mergify Docs — “Conditions” reference (queued-at, queue-merge-started-at) (docs.mergify.com)

Citations:


Add queue_conditions to the default queue to enforce base-branch and merge-policy guards.

The default queue lacks queue_conditions, unlike all three bot queues (dosubot, dependabot-workflows, dependabot), which each enforce base = main and label != do-not-merge at admission time. Without these guards, /queue can admit PRs against non-main branches or flagged with do-not-merge. Mergify evaluates queue_conditions during enqueueing and merge_conditions only at the front—so these admission controls are essential for policy consistency. Copy the same base and label guards to the default queue for operator safety.

Suggested fix
   - name: default
     merge_method: squash
+    queue_conditions:
+      - base = main
+      - label != do-not-merge
     merge_conditions:
       - check-success = quality
       - check-success = test
       - "check-success = test-cross-platform (macos-15, macOS)"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: default
merge_method: squash
merge_conditions:
- check-success = quality
- check-success = test
- "check-success = test-cross-platform (macos-15, macOS)"
- "check-success = test-cross-platform (windows-2022, Windows)"
- "check-success = test-cross-platform (ubuntu-22.04, Linux)"
- check-success = coverage
- check-success = DCO
- name: default
merge_method: squash
queue_conditions:
- base = main
- label != do-not-merge
merge_conditions:
- check-success = quality
- check-success = test
- "check-success = test-cross-platform (macos-15, macOS)"
- "check-success = test-cross-platform (windows-2022, Windows)"
- "check-success = test-cross-platform (ubuntu-22.04, Linux)"
- check-success = coverage
- check-success = DCO
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.mergify.yml around lines 52 - 61, The default queue declaration named
"default" is missing queue_conditions that enforce admission-time guards; add a
queue_conditions block to the "default" queue mirroring the bot queues by
requiring base = main and label != do-not-merge so PRs targeting non-main
branches or labeled do-not-merge cannot be enqueued; keep the existing
merge_conditions intact (merge_method and merge_conditions) and ensure the new
queue_conditions use the same syntax as in the dosubot/dependabot queues.


pull_request_rules:
# ─────────────────────────────────────────────────────────────────────────
# Auto-approve bot PRs
# ─────────────────────────────────────────────────────────────────────────
- name: Auto-approve dosubot PRs
conditions:
- base = main
- -draft
- author = dosubot[bot]
actions:
review:
type: APPROVE
message: Automatically approved by Mergify

- name: Keep bot PRs up to date with main
conditions:
- base = main
- -conflict
- -draft
- or:
- author = dependabot[bot]
- author = dosubot[bot]
- head ~= ^release-plz-
actions:
update: {}
- name: Auto-approve dependabot PRs
conditions:
- base = main
- -draft
- author = dependabot[bot]
actions:
Comment on lines +67 to +82
review:
type: APPROVE
message: Automatically approved by Mergify

# ─────────────────────────────────────────────────────────────────────────
# Keep PRs up to date
# ─────────────────────────────────────────────────────────────────────────
- name: Keep PRs up to date with main
conditions:
- base = main
- -conflict
- -draft
actions:
update: {}

merge_protections:
- name: CI must pass
description: >-
All CI checks must pass. Release-plz PRs are exempt because
they only bump versions and changelogs (code was already tested
on main), and GITHUB_TOKEN-triggered force-pushes suppress CI.
if:
- base = main
- "-head ~= ^release-plz-"
success_conditions:
- check-success = quality
- check-success = test
- check-success = test-cross-platform (macos-15, macOS)
- check-success = test-cross-platform (windows-2022, Windows)
- check-success = test-cross-platform (ubuntu-22.04, Linux)
- check-success = coverage
# ─────────────────────────────────────────────────────────────────────────
# 1. Conventional commits (skip for bots)
# ─────────────────────────────────────────────────────────────────────────
- name: Enforce conventional commit
description: >-
Require conventional commit format per https://www.conventionalcommits.org/en/v1.0.0/.
Skipped for dependabot and dosubot.
if:
- base = main
- author != dependabot[bot]
- author != dosubot[bot]
success_conditions:
- "title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\\(.+\\))?!?:"

# ─────────────────────────────────────────────────────────────────────────
# 2. Full CI for non-bot authors or dependabot with non-workflow changes
# ─────────────────────────────────────────────────────────────────────────
- name: Full CI must pass
description: >-
All CI checks must pass. Activates for non-bot authors, or dependabot
when files exist outside .github/workflows/.
if:
- base = main
- or:
- and:
- author != dependabot[bot]
- author != dosubot[bot]
- and:
- author = dependabot[bot]
- "files ~= ^(?!\\.github/workflows/)"
success_conditions:
- check-success = quality
- check-success = test
- "check-success = test-cross-platform (macos-15, macOS)"
- "check-success = test-cross-platform (windows-2022, Windows)"
- "check-success = test-cross-platform (ubuntu-22.04, Linux)"
- check-success = coverage
- check-success = DCO

# ─────────────────────────────────────────────────────────────────────────
# 3. Lint-only for bots with workflow-only changes
# ─────────────────────────────────────────────────────────────────────────
- name: Lint must pass for bot workflow PRs
description: >-
Lint check must pass for dosubot or dependabot when all files are
within .github/workflows/.
if:
- base = main
- or:
- author = dosubot[bot]
- and:
- author = dependabot[bot]
- "-files ~= ^(?!\\.github/workflows/)"
success_conditions:
- check-success = quality

- name: Do not merge outdated PRs
description: Make sure PRs are within 3 commits of the base branch before merging
if:
- base = main
success_conditions:
- "#commits-behind <= 3"
# ─────────────────────────────────────────────────────────────────────────
# 4. Outdated PR protection
# ─────────────────────────────────────────────────────────────────────────
- name: Do not merge outdated PRs
description: Make sure PRs are within 3 commits of the base branch before merging
if:
- base = main
success_conditions:
- "#commits-behind <= 3"
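Review bot: The `dependabot-workflows` queue merges Dependabot PRs that touch only .github/workflows/ once `quality` passes, and the `-files~=\.github/workflows/release\.yml` exclusion listed in the earlier dependabot rule does not appear in any of the new queue or auto-approve conditions. If that exclusion was dropped, action bumps in the release workflow are now approved and merged with no human review and without the test or DCO checks. I would restore it in the `queue_conditions` of both dependabot queues and in the `Auto-approve dependabot PRs` rule: `- "-files ~= ^\\.github/workflows/release\\.yml$"`. Separately, `Lint must pass for bot workflow PRs` is described as workflow-only, but its `if` matches every `author = dosubot[bot]` PR regardless of the files changed, so the description should read `Lint check must pass for all dosubot PRs, and for dependabot PRs whose files are all within .github/workflows/.`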
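--- a/.tessl/.gitignore
+++ b/.tessl/.gitignore
@@ -0,0 +1 @@
+tiles/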
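Review bot: Ignoring `tiles/` means the rule files that .tessl/RULES.md links to, and that AGENTS.md tells agents to follow, are never committed, so an agent loads whatever `tessl install` downloads from the registry at that moment rather than content reviewed in this repository. That includes the third-party tile popey/github-action-monitor. Whether tile versions are pinned elsewhere is not visible in this change; if they are not, I would pin them, and add a comment here such as `# Fetched by "tessl install"; third-party content that agents load as instructions via .tessl/RULES.md`.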
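--- a/.tessl/RULES.md
+++ b/.tessl/RULES.md
@@ -0,0 +1,11 @@
+# Agent Rules
+
+This file is updated when running `tessl install`. If a linked file is missing, make sure to run the command to download any missing tiles from the registry.
+
+## popey/github-action-monitor — post-push-monitor
+
+@tiles/popey/github-action-monitor/rules/post-push-monitor.md [post-push-monitor](tiles/popey/github-action-monitor/rules/post-push-monitor.md)
+
+## tessl/cli-setup — query_library_docs
+
+@tiles/tessl/cli-setup/steering/query_library_docs.md [query_library_docs](tiles/tessl/cli-setup/steering/query_library_docs.md)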
4 changes: 4 additions & 0 deletions AGENTS.md
Expand Up @@ -567,3 +567,7 @@ When generating code:
---

**Remember**: DaemonEye is security-focused. Prioritize security, performance, and reliability. When in doubt, choose the more secure and observable approach.

## Agent Rules <!-- tessl-managed -->

@.tessl/RULES.md follow the [instructions](.tessl/RULES.md)