clawdforge

Author SHA1 Message Date

Author	SHA1	Message	Date
Kayos	ebbd7cc553	clients/rust: apply audit findings — UTF-8 panic + Debug redaction + path-traversal (`062d405` → next) HIGH: - H1: truncate() uses floor_char_boundary (was panicking on multibyte boundaries) - H2: hand-written Debug for Client/ClientBuilder/AppToken redacts bearer (was leaking via dbg!()/tracing) - H3: revoke_token validates name client-side (rejects path traversal sequences) MEDIUM: - M1: From<reqwest::Error> maps timeouts to Error::Timeout (was always Transport) - M2: revoke_token accepts 2xx empty body (was rejecting RFC-correct 204 No Content) - M3: tests use assert!(matches!) instead of matches!().then_some().unwrap() - M4: ClientBuilder.max_upload_bytes optional cap - M5: lib.rs deny(missing_docs) LOW: - L1: cargo fmt - L2: drop dead AUTHORIZATION import Audit: memory/clawdforge-audits/rust-062d405.md	2026-04-28 23:26:22 -07:00
Kayos	062d405a9e	clients/rust: initial Rust SDK for clawdforge Async client over reqwest+tokio with builder-pattern Client, serde RunRequest/RunResult/FileToken/AppToken types, thiserror Error enum, streaming multipart upload via tokio::fs::File, and 14 wiremock-backed integration tests covering healthz, run-success-json, run-success-text, run-502, run-with-files, file-upload, token mint/list/revoke, auth failure, missing-token short-circuit, transport timeout, and builder validation. Doc-tested. cargo test, cargo clippy --all-targets -D warnings, and cargo build --examples all clean.	2026-04-28 22:35:16 -07:00

Kayos

ebbd7cc553

clients/rust: apply audit findings — UTF-8 panic + Debug redaction + path-traversal (062d405 → next)

HIGH:
- H1: truncate() uses floor_char_boundary (was panicking on multibyte boundaries)
- H2: hand-written Debug for Client/ClientBuilder/AppToken redacts bearer (was leaking via dbg!()/tracing)
- H3: revoke_token validates name client-side (rejects path traversal sequences)

MEDIUM:
- M1: From<reqwest::Error> maps timeouts to Error::Timeout (was always Transport)
- M2: revoke_token accepts 2xx empty body (was rejecting RFC-correct 204 No Content)
- M3: tests use assert!(matches!) instead of matches!().then_some().unwrap()
- M4: ClientBuilder.max_upload_bytes optional cap
- M5: lib.rs deny(missing_docs)

LOW:
- L1: cargo fmt
- L2: drop dead AUTHORIZATION import

Audit: memory/clawdforge-audits/rust-062d405.md

2026-04-28 23:26:22 -07:00

Kayos

062d405a9e

clients/rust: initial Rust SDK for clawdforge

Async client over reqwest+tokio with builder-pattern Client, serde
RunRequest/RunResult/FileToken/AppToken types, thiserror Error enum,
streaming multipart upload via tokio::fs::File, and 14 wiremock-backed
integration tests covering healthz, run-success-json, run-success-text,
run-502, run-with-files, file-upload, token mint/list/revoke, auth
failure, missing-token short-circuit, transport timeout, and builder
validation. Doc-tested. cargo test, cargo clippy --all-targets -D
warnings, and cargo build --examples all clean.

2026-04-28 22:35:16 -07:00

2 commits