fix: SPKI cert pinning + wasmtime 29→43 + Rust 1.91 (#82)
Merged
SPKI pinning (fixes recurring cert rotation breakage):
- Switch from SHA256(cert_DER) to SHA256(SPKI_DER) pinning
- SPKI pins survive certificate renewals when key stays same
- Pin both leaf SPKI and GTS WR3 intermediate CA SPKI
- Update all tests to use real X.509 certs (rcgen) for SPKI extraction

Wasmtime upgrade (eliminates 7 CVEs):
- wasmtime 29 → 43 (latest)
- Rust toolchain 1.90.0 → 1.91.0 (wasmtime 43 MSRV)
- Update bindgen! macro options for wasmtime 43 API
- Update add_to_linker to use HasSelf<T> type dispatch

deny.toml cleanup:
- Remove 7 wasmtime CVE ignores (fixed in v43)
- Remove 2 unmaintained crate ignores (fxhash, paste — no longer transitive)
- Only RUSTSEC-2025-0134 (rustls-pemfile) remains

All 766 tests passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
avrabe added a commit that referenced this pull request on Apr 21, 2026:
Bumping to 43 breaks the example's `with_context` usage — wasmtime 43's `wasmtime::Error` no longer implements anyhow's `StdError`, so `.with_context(...)` from anyhow::Context doesn't apply. The earlier PR #82 that bumped the main lib to 43 left this example on 37 for this reason. Properly bumping the example requires a port (use wasmtime's own error helpers or `map_err` explicitly). That port is out of scope for this pipeline-scaffolding PR.

Trace: skip

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
avrabe added a commit that referenced this pull request on Apr 21, 2026:
* chore: add Mythos bug-hunt pipeline + AGENTS.md restructure

Scaffolds scripts/mythos/ with a four-prompt pipeline (rank, discover, validate, emit) plus portable HOWTO.md, modeled on Anthropic's Claude Mythos (April 2026). Adds a pre-release Mythos delta-pass step scoped by release type (tier-5 only for patches, tier-5+4 for minors, full tier-5 for majors/LTS).

Migrates project guidance from CLAUDE.md to AGENTS.md (the tool-neutral canonical location read by Cursor, OpenCode, Claude Code, etc.) and slims CLAUDE.md to a thin pointer.

Documents Kani's std::io OOM limitation so future finding reports treat CBMC OOM as "tool cannot reach" rather than "verification succeeded".

Bumps examples/wasmtime-loader wasmtime 37 -> 43 to clear the April 2026 CVE patch floor (CVE-2026-34941, 34942, 34943, 35195, et al.). No runtime code change.

Trace: skip

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* revert: leave examples/wasmtime-loader on wasmtime 37.0

Bumping to 43 breaks the example's `with_context` usage — wasmtime 43's `wasmtime::Error` no longer implements anyhow's `StdError`, so `.with_context(...)` from anyhow::Context doesn't apply. The earlier PR #82 that bumped the main lib to 43 left this example on 37 for this reason. Properly bumping the example requires a port (use wasmtime's own error helpers or `map_err` explicitly). That port is out of scope for this pipeline-scaffolding PR.

Trace: skip

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Two infrastructure fixes that resolve recurring CI failures:
SPKI Certificate Pinning
- `SHA256(cert_DER)` pins every time
- `SHA256(SPKI_DER)` pinning — pins survive cert renewals when the public key stays the same (standard approach, used by Chrome HPKP)
- `rcgen` for SPKI extraction

Wasmtime 29 → 43
- `deny.toml` ignore list)
- `bindgen!` macro updated for wasmtime 43 API (`HasSelf<T>` dispatch)
- `deny.toml` cleaned: 7 wasmtime + 2 unmaintained ignores removed, only `rustls-pemfile` remains

Test plan
- `cargo build` — clean
- `cargo test` — 766 passed, 0 failed
- `cargo build --features runtime` — wasmtime 43 compiles

🤖 Generated with Claude Code
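As an added example (not the project's rcgen-based code), the following walks a certificate's DER to the subjectPublicKeyInfo and shows why a SHA256(SPKI_DER) pin survives the renewal that breaks a SHA256(cert_DER) pin; the DER helpers, the unsigned toy certificates and the key bytes are all constructed here.

```python
import hashlib
# Added example (not the project's rcgen-based code): constructed DER helpers
# show why a SHA256(SPKI_DER) pin survives a certificate renewal.

def der(tag, body):
    """Encode one DER TLV (definite length, bodies under 256 bytes)."""
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def tlv_iter(data):
    """Yield (tag, body) for each TLV inside a DER SEQUENCE body."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        n = 0 if first < 0x80 else first & 0x7F          # long-form length bytes
        length = first if n == 0 else int.from_bytes(data[i + 2:i + 2 + n], "big")
        i += 2 + n
        yield tag, data[i:i + length]
        i += length

def spki_der(cert_der):
    """Extract subjectPublicKeyInfo (RFC 5280 s4.1) from a certificate DER."""
    _, cert_body = next(tlv_iter(cert_der))     # Certificate SEQUENCE
    _, tbs = next(tlv_iter(cert_body))          # tbsCertificate SEQUENCE
    fields = list(tlv_iter(tbs))
    if fields[0][0] == 0xA0:                    # skip optional [0] EXPLICIT version
        fields = fields[1:]
    tag, body = fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI
    return der(tag, body)

def pin(data):
    return hashlib.sha256(data).hexdigest()

def toy_cert(serial, not_after, spki):
    """Constructed, unsigned X.509 v3 certificate DER carrying the given SPKI."""
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"example"))))
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(16)))  # dummy signature

# Same key pair, renewed certificate: serial and expiry change, the SPKI does not.
KEY = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
          + der(0x03, b"\x00" + bytes(range(32))))
OLD = toy_cert(1, b"260101000000Z", KEY)
NEW = toy_cert(2, b"270101000000Z", KEY)

def pins_survive_renewal():
    """Cert-DER pin breaks on renewal; the SPKI pin matches both certificates."""
    return pin(OLD) != pin(NEW) and pin(spki_der(OLD)) == pin(spki_der(NEW)) == pin(KEY)
```

A real intermediate such as the GTS WR3 pin in the PR is extracted the same way from its DER; the leaf and intermediate SPKI pins are then both compared against the presented chain.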