feat: unified auth model, project onboarding, install pipeline, config management
The full scope across this batch: POST /sessions key→token exchange, SessionStore dual-index with revoke_by_id, CLI Bearer injection (ONTOREF_TOKEN), ontoref setup
--gen-keys, install scripts, daemon config form roundtrip, ADR-004/005, on+re self-description update (fully-self-described), and landing page refresh.
2026-03-13 21:14:55 +00:00
# cargo-deny configuration — cargo-deny 0.18+
# https://embarkstudios.github.io/cargo-deny/
2026-03-13 00:15:49 +00:00

[advisories]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
unmaintained = "workspace"
yanked = "warn"
ignore = [
    # RUSTSEC-2023-0071: rsa Marvin Attack (timing side-channel).
    # rsa is a transitive dep; not used in network-facing key operations here.
    # Revisit when rsa publishes a patched release.
    { id = "RUSTSEC-2023-0071" },
---
feat: API catalog surface, protocol v2 tooling, MCP expansion, on+re update
## Summary
Session 2026-03-23. Closes the loop between handler code and discoverability
across all three surfaces (browser, CLI, MCP agent) via compile-time inventory
registration. Adds protocol v2 update tooling, extends MCP from 21 to 29 tools,
and brings the self-description up to date.
## API Catalog Surface (#[onto_api] proc-macro)
- crates/ontoref-derive: new proc-macro crate; `#[onto_api(method, path,
description, auth, actors, params, tags)]` emits `inventory::submit!(ApiRouteEntry{...})`
at link time
- crates/ontoref-daemon/src/api_catalog.rs: `catalog()` — pure fn over
`inventory::iter::<ApiRouteEntry>()`, zero runtime allocation
- GET /api/catalog: returns full annotated HTTP surface as JSON
- templates/pages/api_catalog.html: new page with client-side filtering by
method, auth, path/description; detail panel per route (params table,
feature flag); linked from dashboard card and nav
- UI nav: "API" link (</> icon) added to mobile dropdown and desktop bar
- inventory = "0.3" added to workspace.dependencies (MIT, zero transitive deps)
## Protocol Update Mode
- reflection/modes/update_ontoref.ncl: 9-step DAG (5 detect parallel, 2 update
idempotent, 2 validate, 1 report) — brings any project from protocol v1 to v2
by adding manifest.ncl and connections.ncl if absent, scanning ADRs for
deprecated check_hint, validating with nickel export
- reflection/templates/update-ontology-prompt.md: 8-phase reusable prompt for
agent-driven ontology enrichment (infrastructure → audit → core.ncl →
state.ncl → manifest.ncl → connections.ncl → ADR migration → validation)
## CLI — describe group extensions
- reflection/bin/ontoref.nu: `describe diff [--fmt] [--file]` and
`describe api [--actor] [--tag] [--auth] [--fmt]` registered as canonical
subcommands with log-action; aliases `df` and `da` added; QUICK REFERENCE
and ALIASES sections updated
## MCP — two new tools (21 → 29 total)
- ontoref_api_catalog: filters catalog() output by actor/tag/auth; returns
{ routes, total } — no HTTP roundtrip, calls inventory directly
- ontoref_file_versions: reads ProjectContext.file_versions DashMap per slug;
returns BTreeMap<filename, u64> reload counters
- insert_mcp_ctx: audited and updated from 15 to 28 entries in 6 groups
- HelpTool JSON: 8 new entries (validate_adrs, validate, impact, guides,
bookmark_list, bookmark_add, api_catalog, file_versions)
- ServerHandler::get_info instructions updated to mention new tools
## Web UI — dashboard additions
- Dashboard: "API Catalog" card (9th); "Ontology File Versions" section showing
per-file reload counters from file_versions DashMap
- dashboard_mp: builds BTreeMap<String, u64> from ctx.file_versions and injects
into Tera context
## on+re update
- .ontology/core.ncl: describe-query-layer and adopt-ontoref-tooling descriptions
updated; ontoref-daemon updated ("11 pages", "29 tools", API catalog,
per-file versioning, #[onto_api]); new node api-catalog-surface (Yang/Practice)
with 3 edges; artifact_paths extended across 3 nodes
- .ontology/state.ncl: protocol-maturity blocker updated (protocol v2 complete);
self-description-coverage catalyst updated with session 2026-03-23 additions
- ADR-007: "API Surface Discoverability via #[onto_api] Proc-Macro" — Accepted
## Documentation
- README.md: crates table updated (11 pages, 29 MCP tools, ontoref-derive row);
MCP representative table expanded; API Catalog, Semantic Diff, Per-File
Versioning paragraphs added; update_ontoref onboarding section added
- CHANGELOG.md: [Unreleased] section with 4 change groups
- assets/web/src/index.html: tool counts 19→29 (EN+ES), page counts 12→11
(EN+ES), daemon description paragraph updated with API catalog + #[onto_api]
2026-03-23 00:58:27 +01:00
    # RUSTSEC-2026-0044 / RUSTSEC-2026-0048: aws-lc-sys X.509 CN and CRL bugs.
    # Transitive through surrealdb → stratum-db / stratum-state (stratumiops path deps).
    # Not fixable here until stratumiops bumps surrealdb. No CN wildcard or CRL checking used.
    { id = "RUSTSEC-2026-0044" },
    { id = "RUSTSEC-2026-0048" },
    # RUSTSEC-2026-0049: rustls-webpki CRL distribution point matching logic.
    # Transitive through surrealdb and async-nats. Same constraint as above.
    { id = "RUSTSEC-2026-0049" },
]

[licenses]
allow = [
    "MIT",
    "MIT-0",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016",
    "Unicode-3.0",
    "CC0-1.0",
    "Zlib",
    "Unlicense",
    "MPL-2.0",
    "OpenSSL",
    "CDLA-Permissive-2.0",
    "BUSL-1.1",
]
exceptions = []

[bans]
multiple-versions = "warn"
allow = []
deny = []
skip = []
skip-tree = []

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []