
chore(deps): consolidate verified dependency updates#656

Merged: yacosta738 merged 13 commits into main from chore/deps-consolidation-safe on Apr 25, 2026

Conversation

@yacosta738
Contributor

Related Issues

  • Consolidates open dependency update PRs into a single verified batch.

Summary


Tested Information

  • Ran make all successfully on chore/deps-consolidation-safe
  • During verification, also refreshed gradle/build-logic/gradle.lockfile with bash ./scripts/gradlew.sh :build-logic:dependencies --configuration compileClasspath --write-locks

Documentation Impact

  • Docs updated in:
  • No docs update required because this PR only consolidates dependency updates, lockfile refreshes, and compatibility fixes without changing user-facing behavior or documented setup.
  • I verified the documentation matches the current behavior.

Breaking Changes

  • None.

Checklist

  • I have checked that there isn’t already a PR solving the same problem.
  • I have read the Contributing Guidelines.
  • My PR title follows Conventional Commits.
  • I have rebased/merged the latest main (or justified why not needed).
  • I ran the relevant tests locally and they pass.
  • I updated documentation or explained why no documentation changes were needed.
  • I confirmed there are no unintended breaking changes.

dependabot Bot and others added 12 commits April 25, 2026 09:52
Bumps [com.google.devtools.ksp](https://github.com/google/ksp) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/google/ksp/releases)
- [Commits](google/ksp@2.3.5...2.3.6)

---
updated-dependencies:
- dependency-name: com.google.devtools.ksp
  dependency-version: 2.3.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.cyclonedx.bom from 3.1.0 to 3.2.4.

---
updated-dependencies:
- dependency-name: org.cyclonedx.bom
  dependency-version: 3.2.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps org.openrewrite.rewrite from 7.28.0 to 7.31.0.

---
updated-dependencies:
- dependency-name: org.openrewrite.rewrite
  dependency-version: 7.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [io.netty:netty-bom](https://github.com/netty/netty) from 4.1.132.Final to 4.2.12.Final.
- [Release notes](https://github.com/netty/netty/releases)
- [Commits](netty/netty@netty-4.1.132.Final...netty-4.2.12.Final)

---
updated-dependencies:
- dependency-name: io.netty:netty-bom
  dependency-version: 4.2.12.Final
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps com.github.spotbugs from 6.4.8 to 6.5.1.

---
updated-dependencies:
- dependency-name: com.github.spotbugs
  dependency-version: 6.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.autonomousapps.dependency-analysis](https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin) from 3.6.1 to 3.9.0.
- [Changelog](https://github.com/autonomousapps/dependency-analysis-gradle-plugin/blob/main/CHANGELOG.md)
- [Commits](autonomousapps/dependency-analysis-gradle-plugin@v3.6.1...v3.9.0)

---
updated-dependencies:
- dependency-name: com.autonomousapps.dependency-analysis
  dependency-version: 3.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [com.gradleup.shadow](https://github.com/GradleUp/shadow) from 9.3.1 to 9.4.1.
- [Release notes](https://github.com/GradleUp/shadow/releases)
- [Commits](GradleUp/shadow@9.3.1...9.4.1)

---
updated-dependencies:
- dependency-name: com.gradleup.shadow
  dependency-version: 9.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…ory with 2 updates

Bumps the rust-cerebro-dependencies group with 2 updates in the /modules/cerebro directory: [sha2](https://github.com/RustCrypto/hashes) and [toml](https://github.com/toml-rs/toml).


Updates `sha2` from 0.10.9 to 0.11.0
- [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0)

Updates `toml` from 0.8.23 to 1.1.2+spec-1.1.0
- [Commits](toml-rs/toml@toml-v0.8.23...toml-v1.1.2)

---
updated-dependencies:
- dependency-name: sha2
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-cerebro-dependencies
- dependency-name: toml
  dependency-version: 1.1.2+spec-1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: rust-cerebro-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…ory with 8 updates

Bumps the rust-runtime-dependencies group with 8 updates in the /clients/agent-runtime directory:

| Package | From | To |
| --- | --- | --- |
| [hmac](https://github.com/RustCrypto/MACs) | `0.12.1` | `0.13.0` |
| [sha2](https://github.com/RustCrypto/hashes) | `0.10.9` | `0.11.0` |
| [rusqlite](https://github.com/rusqlite/rusqlite) | `0.38.0` | `0.39.0` |
| [cron](https://github.com/zslayton/cron) | `0.15.0` | `0.16.0` |
| [tokio-tungstenite](https://github.com/snapview/tokio-tungstenite) | `0.28.0` | `0.29.0` |
| [const-oid](https://github.com/RustCrypto/formats) | `0.9.6` | `0.10.2` |
| [rppal](https://github.com/golemparts/rppal) | `0.19.0` | `0.22.1` |
| [wat](https://github.com/bytecodealliance/wasm-tools) | `1.245.1` | `1.247.0` |



Updates `hmac` from 0.12.1 to 0.13.0
- [Commits](RustCrypto/MACs@hmac-v0.12.1...hmac-v0.13.0)

Updates `sha2` from 0.10.9 to 0.11.0
- [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0)

Updates `rusqlite` from 0.38.0 to 0.39.0
- [Release notes](https://github.com/rusqlite/rusqlite/releases)
- [Changelog](https://github.com/rusqlite/rusqlite/blob/master/Changelog.md)
- [Commits](rusqlite/rusqlite@v0.38.0...v0.39.0)

Updates `cron` from 0.15.0 to 0.16.0
- [Release notes](https://github.com/zslayton/cron/releases)
- [Commits](https://github.com/zslayton/cron/commits)

Updates `tokio-tungstenite` from 0.28.0 to 0.29.0
- [Changelog](https://github.com/snapview/tokio-tungstenite/blob/master/CHANGELOG.md)
- [Commits](snapview/tokio-tungstenite@v0.28.0...v0.29.0)

Updates `const-oid` from 0.9.6 to 0.10.2
- [Commits](RustCrypto/formats@const-oid/v0.9.6...const-oid/v0.10.2)

Updates `rppal` from 0.19.0 to 0.22.1
- [Release notes](https://github.com/golemparts/rppal/releases)
- [Changelog](https://github.com/golemparts/rppal/blob/master/CHANGELOG.md)
- [Commits](golemparts/rppal@0.19.0...0.22.1)

Updates `wat` from 1.245.1 to 1.247.0
- [Release notes](https://github.com/bytecodealliance/wasm-tools/releases)
- [Commits](bytecodealliance/wasm-tools@v1.245.1...v1.247.0)

---
updated-dependencies:
- dependency-name: const-oid
  dependency-version: 0.10.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: cron
  dependency-version: 0.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: hmac
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: rppal
  dependency-version: 0.22.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: rusqlite
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: sha2
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: tokio-tungstenite
  dependency-version: 0.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
- dependency-name: wat
  dependency-version: 1.247.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-runtime-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
…dates

Bumps the npm_and_yarn group with 2 updates in the /clients/web directory: [astro](https://github.com/withastro/astro/tree/HEAD/packages/astro) and [postcss](https://github.com/postcss/postcss).


Updates `astro` from 6.0.8 to 6.1.6
- [Release notes](https://github.com/withastro/astro/releases)
- [Changelog](https://github.com/withastro/astro/blob/main/packages/astro/CHANGELOG.md)
- [Commits](https://github.com/withastro/astro/commits/astro@6.1.6/packages/astro)

Updates `postcss` from 8.5.8 to 8.5.10
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.8...8.5.10)

---
updated-dependencies:
- dependency-name: astro
  dependency-version: 6.1.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Update regenerated lockfiles and adapt agent-runtime hashing/HMAC code so the selected dependency bumps pass the full make all verification.
Include the regenerated Gradle build-logic dependency lockfile produced during verification so the pushed branch matches the passing make all state.
@coderabbitai
Contributor

coderabbitai Bot commented Apr 25, 2026

📝 Walkthrough

Summary by CodeRabbit

Release Notes

Chores

  • Updated core cryptographic and network libraries to latest stable versions for improved security and reliability
  • Upgraded development build tools and build system plugins across the platform
  • Advanced runtime dependencies to latest stable releases
  • Updates enhance system stability, security, and overall platform performance

Walkthrough

The PR updates multiple dependency versions across Rust, Node.js, and Gradle ecosystems, including cryptographic libraries (hmac, sha2), web tooling (vite, astro), build plugins, and refactors hex encoding methods in Rust from manual formatting to the hex crate.

Changes

| Cohort | File(s) | Summary |
| --- | --- | --- |
| Cryptographic Library Updates | clients/agent-runtime/Cargo.toml, modules/cerebro/Cargo.toml | Bumps hmac 0.12→0.13 and sha2 0.10→0.11 for webhook signature verification and hashing operations. |
| HMAC KeyInit Trait Imports | clients/agent-runtime/src/gateway/mod.rs, clients/agent-runtime/src/gateway/whatsapp.rs, clients/agent-runtime/tests/whatsapp_webhook_security.rs | Adds hmac::KeyInit trait imports to support the new_from_slice() method required by the updated hmac library. |
| Hex Encoding Refactoring | clients/agent-runtime/src/memory/response_cache.rs, clients/agent-runtime/src/search/index.rs, clients/agent-runtime/src/security/pairing.rs | Replaces manual hex formatting using format!("{:x}", ...) with hex::encode() for digest-to-string conversion. |
| Other Rust Dependencies | clients/agent-runtime/Cargo.toml, clients/agent-runtime/crates/robot-kit/Cargo.toml, modules/cerebro/Cargo.toml | Updates rusqlite 0.38→0.39, cron 0.15→0.16, tokio-tungstenite 0.28→0.29, const-oid 0.9→0.10, rppal 0.19→0.22, toml 0.8→1.1, and dev dependency wat 1.245.1→1.247.0. |
| Web Tooling Dependencies | clients/web/apps/docs/package.json, clients/web/apps/marketing/package.json, clients/web/pnpm-workspace.yaml | Updates vite 7.3.2→8.0.10, astro 6.0.8→6.1.6, and postcss 8.5.8→8.5.10 in npm and pnpm workspace catalogs. |
| Gradle Build Plugins | gradle/build-logic/gradle.lockfile, gradle/libs.versions.toml | Bumps multiple Gradle plugin versions: dependency-analysis 3.6.1→3.9.0, SpotBugs 6.4.8→6.5.1, KSP 2.3.5→2.3.6, shadow 9.3.1→9.4.1, CycloneDX 3.1.0→3.2.4, OpenRewrite 7.28.0→7.31.0; also updates Netty BOM 4.1.132.Final→4.2.12.Final. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

area:rust, area:gradle, risk:high, risk:security

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | Title follows Conventional Commits style with 'chore(deps):' prefix and clearly describes the main change: consolidating verified dependency updates across the codebase. |
| Description check | ✅ Passed | Description covers all required sections: Related Issues, Summary, Tested Information, Documentation Impact, Breaking Changes, and Checklist. All key information is provided and well-structured. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


github-actions Bot added the size/xl label (Denotes an extra large change size) on Apr 25, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 25, 2026

Deploying corvus with Cloudflare Pages

Latest commit: 54ea879
Status: ✅  Deploy successful!
Preview URL: https://368f8d26.corvus-42x.pages.dev
Branch Preview URL: https://chore-deps-consolidation-saf.corvus-42x.pages.dev


@github-actions
Contributor

✅ Contributor Report

User: @yacosta738
Status: Passed (12/13 metrics passed)

| Metric | Description | Value | Threshold |
| --- | --- | --- | --- |
| PR Merge Rate | PRs merged vs closed | 92% | >= 30% |
| Repo Quality | Repos with ≥100 stars | 0 | >= 0 |
| Positive Reactions | Positive reactions received | 11 | >= 1 |
| Negative Reactions | Negative reactions received | 0 | <= 5 |
| Account Age | GitHub account age | 3101 days | >= 30 days |
| Activity Consistency | Regular activity over time | 108% | >= 0% |
| Issue Engagement | Issues with community engagement | 0 | >= 0 |
| Code Reviews | Code reviews given to others | 604 | >= 0 |
| Merger Diversity | Unique maintainers who merged PRs | 2 | >= 0 |
| Repo History Merge Rate | Merge rate in this repo | 93% | >= 0% |
| Repo History Min PRs | Previous PRs in this repo | 276 | >= 0 |
| Profile Completeness | Profile richness (bio, followers) | 90 | >= 0 |
| Suspicious Patterns | Spam-like activity detection | 1 | N/A |

Contributor Report evaluates based on public GitHub activity. Analysis period: 2025-04-25 to 2026-04-25


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@clients/agent-runtime/Cargo.toml`:
- Line 106: Resolve the duplicated dependency versions by running cargo tree -d
to find which transitive crates pull older versions (likely via sigstore and
x509-cert), then unify versions by either updating those upstream crates or
adding explicit dependency overrides in Cargo.toml to force the newer semver
versions; after unifying, update call sites to match any API changes: check uses
of rusqlite::params! and rusqlite::Connection APIs (v0.38→0.39 tightened
errors), cron::Schedule::At pattern usages, and tokio_tungstenite::connect_async
calls in the modules that open channels (qq, lark, dingtalk, discord) and adjust
code to new function signatures/types where required.

In `@clients/agent-runtime/src/gateway/whatsapp.rs`:
- Line 6: There are two implementations of verify_whatsapp_signature; keep the
implementation in whatsapp.rs as the single source of truth, remove the
duplicate implementation in mod.rs, and add a re-export in the parent module so
callers still resolve verify_whatsapp_signature from the module root (e.g., add
pub use self::whatsapp::verify_whatsapp_signature; in the mod file). Ensure the
whatsapp.rs version retains the Hmac/KeyInit imports and signatures used by
callers and run cargo build/tests to confirm no symbol regressions.

In `@clients/web/apps/docs/package.json`:
- Line 30: The devDependency "vite" is hard-pinned to "8.0.10" in package.json
which bypasses the workspace catalog and forces an incompatible Vite/Astro
combo; change the "vite" entry to use the workspace catalog alias (e.g., replace
the literal "8.0.10" value with the same catalog spec used elsewhere like
"catalog:vite") so the project picks up the catalog-managed, Astro-compatible
Vite version; also apply the same change to the other package that was
hard-pinned (the marketing app) and run your workspace install/update to refresh
the lockfile.

In `@clients/web/apps/marketing/package.json`:
- Line 31: The package.json currently hard-pins "vite": "8.0.10", which
conflicts with Astro 6.1 and breaks the catalog pattern; change the dependency
to a Vite 7.x semver (e.g., "vite": "7.x") so this app is compatible with Astro
6.1, and add a short TODO noting to switch to the catalog-managed dependency
(catalog:vite) once the catalog is fixed to require Vite 7.x for Astro 6.1;
update package.json's "vite" entry and any related install/test steps to use the
new semver.

In `@clients/web/pnpm-workspace.yaml`:
- Around line 22-32: The pnpm catalog currently lists "vite: 8.0.10" while
"astro: 6.1.6" requires Vite 7; change the vite entry from 8.0.10 to a Vite
7-compatible constraint (e.g., "^7.3.x") so Astro no longer warns or auto-adds
an override and to avoid the Vite 8 production-build regression; also update the
per-app pins that consume the catalog (apps "docs" and "marketing" which
currently import loadEnv from "vite") to use the catalog's Vite 7 version
(remove or replace any explicit 8.x pin in those package.jsons).

In `@gradle/libs.versions.toml`:
- Line 24: The dependency catalog bump to netty "4.2.12.Final" is being
overridden by the enforcement logic: update the safeNettyVersion constant in
com.profiletailors.check.locking.gradle.kts (the enforcement function that pins
io.netty:* resolutions) from 4.1.132.Final to 4.2.12.Final so the catalog
upgrade actually takes effect; after updating, re-run dependency sync and
spot-check code that builds TLS contexts—search for
SslContextBuilder.endpointIdentificationAlgorithm, any custom SslContext
creation, ALPN code, and epoll/kqueue/io_uring transport usage to ensure
hostname verification behavior and source compatibility are handled (adjust
SslContextBuilder.endpointIdentificationAlgorithm or system properties where
necessary).
🪄 Autofix (Beta)

✅ Autofix completed


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4e7dcae1-11ee-4791-94d3-9a448bbcb648

📥 Commits

Reviewing files that changed from the base of the PR and between 6563e86 and 54ea879.

⛔ Files ignored due to path filters (3)
  • clients/agent-runtime/Cargo.lock is excluded by !**/*.lock
  • clients/web/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • modules/cerebro/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (14)
  • clients/agent-runtime/Cargo.toml
  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/src/gateway/whatsapp.rs
  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/web/apps/docs/package.json
  • clients/web/apps/marketing/package.json
  • clients/web/pnpm-workspace.yaml
  • gradle/build-logic/gradle.lockfile
  • gradle/libs.versions.toml
  • modules/cerebro/Cargo.toml
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: sonar
  • GitHub Check: pr-checks-build-logic
  • GitHub Check: pr-checks
  • GitHub Check: core-checks
  • GitHub Check: submit-gradle
  • GitHub Check: Cloudflare Pages
🧰 Additional context used
📓 Path-based instructions (7)
**/*

⚙️ CodeRabbit configuration file

**/*: Security first, performance second.
Validate input boundaries, auth/authz implications, and secret management.
Look for behavioral regressions, missing tests, and contract breaks across modules.

Files:

  • clients/web/apps/docs/package.json
  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/gateway/whatsapp.rs
  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • modules/cerebro/Cargo.toml
  • clients/web/apps/marketing/package.json
  • clients/agent-runtime/src/search/index.rs
  • clients/web/pnpm-workspace.yaml
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/Cargo.toml
  • gradle/build-logic/gradle.lockfile
  • gradle/libs.versions.toml
clients/agent-runtime/**/Cargo.toml

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/**/Cargo.toml: Preserve release-size profile assumptions in Cargo.toml and avoid adding heavy dependencies unless clearly justified
Do not add heavy dependencies for minor convenience; justify new crate additions

Files:

  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • clients/agent-runtime/Cargo.toml
clients/agent-runtime/src/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

clients/agent-runtime/src/**/*.rs: Never log secrets, tokens, raw credentials, or sensitive payloads in any logging statements
Avoid unnecessary allocations, clones, and blocking operations to maintain performance and efficiency

Files:

  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/gateway/whatsapp.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Run cargo fmt --all -- --check, cargo clippy --all-targets -- -D warnings, and cargo test for code validation, or document which checks were skipped and why

Files:

  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/gateway/whatsapp.rs
  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/gateway/mod.rs
**/*.rs

⚙️ CodeRabbit configuration file

**/*.rs: Focus on Rust idioms, memory safety, and ownership/borrowing correctness.
Flag unnecessary clones, unchecked panics in production paths, and weak error context.
Prioritize unsafe blocks, FFI boundaries, concurrency races, and secret handling.

Files:

  • clients/agent-runtime/src/memory/response_cache.rs
  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/gateway/whatsapp.rs
  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/{security,gateway,tools}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Treat src/security/, src/gateway/, src/tools/ as high-risk surfaces and never broaden filesystem/network execution scope without explicit policy checks

Files:

  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/gateway/whatsapp.rs
  • clients/agent-runtime/src/gateway/mod.rs
clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs

📄 CodeRabbit inference engine (clients/agent-runtime/AGENTS.md)

Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Files:

  • clients/agent-runtime/src/security/pairing.rs
  • clients/agent-runtime/src/gateway/whatsapp.rs
  • clients/agent-runtime/src/gateway/mod.rs
🧠 Learnings (5)
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Do not add heavy dependencies for minor convenience; justify new crate additions

Applied to files:

  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • modules/cerebro/Cargo.toml
  • clients/agent-runtime/Cargo.toml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/Cargo.toml : Preserve release-size profile assumptions in `Cargo.toml` and avoid adding heavy dependencies unless clearly justified

Applied to files:

  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • modules/cerebro/Cargo.toml
  • clients/agent-runtime/Cargo.toml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/**/*.rs : Run `cargo fmt --all -- --check`, `cargo clippy --all-targets -- -D warnings`, and `cargo test` for code validation, or document which checks were skipped and why

Applied to files:

  • clients/agent-runtime/crates/robot-kit/Cargo.toml
  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/agent-runtime/Cargo.toml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/main.rs : Preserve CLI contract unless change is intentional and documented; prefer explicit errors over silent fallback for unsupported critical paths

Applied to files:

  • clients/agent-runtime/src/gateway/whatsapp.rs
  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/agent-runtime/src/search/index.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/Cargo.toml
📚 Learning: 2026-02-17T12:31:17.076Z
Learnt from: CR
Repo: dallay/corvus PR: 0
File: clients/agent-runtime/AGENTS.md:0-0
Timestamp: 2026-02-17T12:31:17.076Z
Learning: Applies to clients/agent-runtime/src/{security,gateway,tools,config}/**/*.rs : Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable

Applied to files:

  • clients/agent-runtime/tests/whatsapp_webhook_security.rs
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/agent-runtime/Cargo.toml
🔇 Additional comments (10)
clients/agent-runtime/src/search/index.rs (1)

769-769: LGTM — hex::encode swap is byte-identical to the prior format!("{:x}", ...) output and matches the established codebase pattern (pairing.rs::hash_token).

Both produce 64-char lowercase hex of the SHA-256 digest, so workspace fingerprint compatibility (and the compatibility_decision rebuild logic that compares stored vs. expected fingerprints) is preserved across the upgrade. hasher.finalize() and Sha256::digest() outputs in sha2 0.11 still impl AsRef<[u8]>, so this compiles under the new crate version.

Also applies to: 773-773

clients/agent-runtime/src/memory/response_cache.rs (1)

75-75: LGTM — equivalent output, and existing on-disk cache rows remain valid.

hex::encode(hash) yields the same 64-char lowercase hex as format!("{:064x}", ...) for a 32-byte SHA-256 digest, so previously-stored prompt_hash PRIMARY KEY values still match new computed keys after the upgrade. cache_key_deterministic, _varies_by_*, and length-64 assertions in tests cover this.

clients/agent-runtime/src/security/pairing.rs (1)

205-205: LGTM — secure-by-default preserved.

hex::encode(Sha256::digest(...)) produces identical lowercase 64-char hex to the prior implementation, so persisted token hashes remain valid across restart, is_token_hash still recognizes them, and is_authenticated's constant-time comparison path is unchanged. No widening of access constraints.

clients/agent-runtime/Cargo.toml (1)

72-73: No action required — hmac 0.13.0 stable has been released.

The original concern was based on outdated information. As of 2026-03-29, hmac 0.13.0 stable is now available on crates.io (superseding 0.13.0-rc.0). The requirement hmac = "0.13" will correctly resolve to the stable release, and both suggested fixes are unnecessary.

> Likely an incorrect or invalid review comment.
modules/cerebro/Cargo.toml (2)

29-29: No action needed — cerebro's sha2 usage is already compatible with 0.11.

The code uses hex::encode(digest), which relies on AsRef<[u8]> and is unaffected by sha2's type output changes (GenericArray → Array). No explicit type names or GenericArray imports exist in the codebase.


34-34: Verify toml 0.8 → 1.1 migration in parse usage — no breaking changes identified.

One usage found in modules/cerebro/src/config.rs:205: toml::from_str(&contents) with error formatted to string. This simple parse pattern remains stable across toml versions. The ["parse"] feature and default-features = false are correct and match the actual usage; no Value, Table, or advanced error APIs are used. No additional compatibility work needed.

clients/agent-runtime/crates/robot-kit/Cargo.toml (1)

61-61: rppal dependency is declared but not yet used — no current breakage risk from the 0.19→0.22 upgrade.

GPIO implementation is documented as future work (comments show "// Would use rppal" and current code reads GPIO via sysfs). Since rppal isn't called anywhere, the version bump poses no immediate compilation risk. Before GPIO code is added, ensure CI includes a cargo test --features gpio target (ideally on Linux) to catch breaking changes in rppal's APIs.

clients/agent-runtime/src/gateway/mod.rs (2)

36-36: No actionable issue in this import-only change.


8007-8007: No actionable issue in this test import adjustment.

clients/agent-runtime/tests/whatsapp_webhook_security.rs (1)

9-9: LGTM — KeyInit import correctly aligned with updated hmac crate.

Hmac::<Sha256>::new_from_slice requires KeyInit in scope under the bumped hmac API; the test helper now compiles cleanly and continues to exercise the same fail-closed verification paths.
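The two properties the hex-encoding and webhook comments above rely on, written out as an added example (not code from the corvus project): a digest spelled byte-by-byte as two lowercase hex characters is the same 64-character string the library hex encoder produces, so persisted cache keys and token hashes survive the swap; and webhook verification should fail closed on any missing or malformed signature and compare MACs in constant time. Python's standard library stands in for the hmac/sha2 crates so the block runs without a Rust toolchain; the secret, body and the `sha256=<hex>` header convention are constructed assumptions for the example, not values or formats taken from the project.

```python
"""HMAC-SHA256 webhook signature check and hex-encoding equivalence.

Constructed example; not code from the corvus project."""
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs (not real credentials or captured traffic).
APP_SECRET = b"constructed-app-secret-do-not-reuse"
RAW_BODY = b'{"object":"whatsapp_business_account","entry":[]}'


def manual_hex(digest: bytes) -> str:
    """Byte-by-byte lowercase hex, two zero-padded characters per byte: the
    spelling a manual formatter produces before switching to a hex library."""
    return "".join(f"{b:02x}" for b in digest)


def hex_encodings_agree(data: bytes) -> bool:
    """The property the review relies on: both spellings of a SHA-256 digest are
    the same 64-character string, so stored hashes still match new ones."""
    digest = hashlib.sha256(data).digest()
    library_hex = hashlib.sha256(data).hexdigest()
    return manual_hex(digest) == library_hex and len(library_hex) == 64


def sign_payload(secret: bytes, body: bytes) -> str:
    """What a sender attaches as the signature header value (assumed format)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Fail-closed verification.

    Every malformed input (no secret configured, missing header, wrong scheme,
    wrong length, non-hex characters) returns False before any comparison;
    the MAC comparison itself is constant-time, so response timing reveals
    nothing about how many bytes of a guessed signature were correct."""
    if not secret or not header:
        return False
    scheme, sep, provided_hex = header.partition("=")
    if sep != "=" or scheme != "sha256" or len(provided_hex) != 64:
        return False
    try:
        provided = bytes.fromhex(provided_hex)
    except ValueError:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    header = sign_payload(APP_SECRET, RAW_BODY)
    print("valid signature accepted:", verify_signature(APP_SECRET, RAW_BODY, header))
    print("tampered body rejected:", not verify_signature(APP_SECRET, RAW_BODY + b" ", header))
    print("hex encodings agree:", hex_encodings_agree(RAW_BODY))
```

The length check before `bytes.fromhex` leaks nothing useful (the expected signature length is public) and keeps garbage out of the constant-time comparison, which is the only step that touches secret-derived data.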


# Memory / persistence
rusqlite = { version = "0.38", features = ["bundled"] }
rusqlite = { version = "0.39", features = ["bundled"] }
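Review bot: The hunk only moves rusqlite from "0.38" to "0.39" with `features = ["bundled"]` unchanged; for a 0.x crate Cargo treats that minor bump as a breaking change, so the `rusqlite::params!` and `Connection` call sites need a fresh `cargo build` and `cargo test` against the 0.39 error types on this branch before merge, and because `bundled` compiles SQLite into the binary the bump may also move the vendored SQLite version, which is worth a line under Tested Information in the PR description.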
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm no duplicate majors of these crates in the resolved graph
rg -nP '^name = "(const-oid|sha2|hmac|rusqlite|cron|tokio-tungstenite)"' clients/agent-runtime/Cargo.lock -A1
# Locate call sites for the bumped crates
rg -nP --type=rust -C2 '\b(rusqlite::|cron::Schedule|tokio_tungstenite::|const_oid::)' clients/agent-runtime/src/

Repository: dallay/corvus

Length of output: 35023


🏁 Script executed:

# Check which versions are directly specified in Cargo.toml
cat clients/agent-runtime/Cargo.toml | grep -A2 -E '(rusqlite|cron|tokio-tungstenite|const-oid|sha2|hmac) ='

# Run cargo tree -d to show duplicate crates
cargo tree -d 2>/dev/null | head -100

Repository: dallay/corvus

Length of output: 720


Resolve dependency duplication before merging.

The lock file contains multiple major version conflicts in the resolved graph that require active resolution:

  • const-oid: both 0.9.6 and 0.10.2 present
  • hmac: both 0.12.1 and 0.13.0 present
  • sha2: both 0.10.9 and 0.11.0 present
  • tokio-tungstenite: both 0.28.0 and 0.29.0 present

Likely causes are transitive pulls from sigstore and x509-cert conflicting with your direct pins. Verify that call sites handle the API changes correctly:

  • rusqlite::params! macro and Connection methods (v0.38→0.39 tightened error types)
  • cron::Schedule::At patterns in tools/schedule.rs
  • tokio_tungstenite::connect_async in channels (qq.rs, lark.rs, dingtalk.rs, discord.rs)

Run cargo tree -d to identify which transitive deps are pulling older versions, then either update those upstream deps or add explicit constraints to unify versions.

Also applies to: 109-109, 122-122, 128-128, 219-219

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/Cargo.toml` at line 106, Resolve the duplicated
dependency versions by running cargo tree -d to find which transitive crates
pull older versions (likely via sigstore and x509-cert), then unify versions by
either updating those upstream crates or adding explicit dependency overrides in
Cargo.toml to force the newer semver versions; after unifying, update call sites
to match any API changes: check uses of rusqlite::params! and
rusqlite::Connection APIs (v0.38→0.39 tightened errors), cron::Schedule::At
pattern usages, and tokio_tungstenite::connect_async calls in the modules that
open channels (qq, lark, dingtalk, discord) and adjust code to new function
signatures/types where required.
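The `cargo tree -d` step above is the authoritative check, but a CI gate only needs the lockfile. The following is an added example, not code from the project: it parses `Cargo.lock` and reports crates resolved at more than one semver-compatible version, using Cargo's caret rule (1.x.y share a range; 0.x.y are compatible only within the same minor; 0.0.x never are), which is what distinguishes a harmless patch duplicate from the `hmac` 0.12/0.13 and `sha2` 0.10/0.11 splits listed in the comment. The lockfile excerpt embedded in the block is constructed for the example.

```python
import re
import sys
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed sample lockfile excerpt (not the project's real Cargo.lock). It
# reproduces the pattern the review flagged: two incompatible versions of the
# same crate resolved side by side, plus crates that are not duplicated.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "hmac"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "hmac"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "sha2"
version = "0.10.9"

[[package]]
name = "sha2"
version = "0.11.0"

[[package]]
name = "tokio"
version = "1.43.0"

[[package]]
name = "serde"
version = "1.0.219"
"""

_BLOCK = re.compile(r"^\[\[package\]\][ \t]*$", re.M)
_FIELD = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$', re.M)


def parse_lock(text: str) -> Dict[str, Set[str]]:
    """Map crate name -> set of resolved version strings found in a Cargo.lock."""
    versions: Dict[str, Set[str]] = defaultdict(set)
    # Text before the first [[package]] is the file header; skip it.
    for block in _BLOCK.split(text)[1:]:
        fields = dict(_FIELD.findall(block))
        if "name" in fields and "version" in fields:
            versions[fields["name"]].add(fields["version"])
    return dict(versions)


def compat_key(version: str) -> Tuple[int, ...]:
    """Cargo's caret compatibility class for a version string."""
    core = version.split("+", 1)[0].split("-", 1)[0]  # drop build/pre-release tags
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts
    if major > 0:
        return (major,)
    if minor > 0:
        return (0, minor)
    return (0, 0, patch)


def duplicate_majors(text: str) -> Dict[str, Set[str]]:
    """Crates whose resolved versions span more than one compatibility class."""
    dupes: Dict[str, Set[str]] = {}
    for name, vs in parse_lock(text).items():
        if len({compat_key(v) for v in vs}) > 1:
            dupes[name] = vs
    return dupes


def report(text: str) -> str:
    """One line per duplicated crate, sorted, suitable for a CI log."""
    lines = []
    for name, vs in sorted(duplicate_majors(text).items()):
        lines.append(f"{name}: {', '.join(sorted(vs))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_lock.py path/to/Cargo.lock (falls back to the sample).
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    out = report(src)
    print(out or "no duplicate majors")
    sys.exit(1 if out else 0)
```

Exiting non-zero when the report is non-empty makes the check a merge blocker; the sample input yields the two `hmac` and `sha2` splits and leaves the single-version crates alone.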

response::{IntoResponse, Json},
};
use hmac::{Hmac, Mac};
use hmac::{Hmac, KeyInit, Mac};
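Review bot: the added `KeyInit` import is what brings `new_from_slice` into scope, and that constructor returns a `Result` (an error on an invalid key length); the call site that builds `Hmac::<Sha256>` from the app secret should map that `Err` to a rejected request rather than `unwrap` or `expect`, so a missing or malformed secret fails closed the same way a bad signature does.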

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Confirm there are indeed two definitions of verify_whatsapp_signature.
rg -nP --type=rust -C2 '\bfn\s+verify_whatsapp_signature\b'

# 2) Inspect the mod.rs version's imports to see if KeyInit is brought in elsewhere in the file/module.
rg -nP --type=rust -C1 '\buse\s+hmac::' clients/agent-runtime/src/gateway/

# 3) Find which version is actually exported/used by callers (router wiring, re-exports).
rg -nP --type=rust -C2 '\bverify_whatsapp_signature\b'

# 4) Check whether mod.rs re-exports the whatsapp.rs version (which would make the mod.rs copy dead code).
rg -nP --type=rust -C1 '\bpub\s+use\s+.*whatsapp' clients/agent-runtime/src/gateway/mod.rs

Repository: dallay/corvus

Length of output: 13562


Deduplicate verify_whatsapp_signature: move to single location in whatsapp.rs and re-export from mod.rs.

Two separate implementations of verify_whatsapp_signature exist (whatsapp.rs:135 and mod.rs:3136), creating a maintenance hazard on a security-critical path. While both have access to KeyInit (explicitly in whatsapp.rs:6, via module-level import in mod.rs:36), the duplication itself is the problem—any future update to one risks diverging from the other.

Keep whatsapp.rs as the single source of truth and have mod.rs re-export it (pub use self::whatsapp::verify_whatsapp_signature;), then remove the inline duplicate in mod.rs. This also aligns with the guideline: "Do not silently weaken security policy or access constraints; keep default behavior secure-by-default with deny-by-default where applicable."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/agent-runtime/src/gateway/whatsapp.rs` at line 6, There are two
implementations of verify_whatsapp_signature; keep the implementation in
whatsapp.rs as the single source of truth, remove the duplicate implementation
in mod.rs, and add a re-export in the parent module so callers still resolve
verify_whatsapp_signature from the module root (e.g., add pub use
self::whatsapp::verify_whatsapp_signature; in the mod file). Ensure the
whatsapp.rs version retains the Hmac/KeyInit imports and signatures used by
callers and run cargo build/tests to confirm no symbol regressions.
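The two comments above concern the same function: the `KeyInit` import that `Hmac::<Sha256>::new_from_slice` now needs, and the single fail-closed verifier that `whatsapp.rs` should own. As an added example, not the project's own code, the following Python shows the verification path end to end: it assumes the signature header has the `sha256=<hex>` shape (the project's actual header name and format are not shown on this page, so that is an assumption), treats every malformed or missing input as a rejection rather than an exception, and compares digests in constant time. The secret and body are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs (not from the project): an app secret and a webhook body.
SAMPLE_SECRET = b"example-app-secret-do-not-use"
SAMPLE_BODY = b'{"object":"whatsapp_business_account","entry":[]}'


def sign_body(app_secret: bytes, body: bytes) -> str:
    """Header value a sender attaches: 'sha256=<hex HMAC-SHA256 of the raw body>'."""
    return "sha256=" + hmac.new(app_secret, body, hashlib.sha256).hexdigest()


def verify_whatsapp_signature(app_secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Fail-closed check of a 'sha256=<hex>' signature header against the raw body.

    Returns True only when every step succeeds. A missing secret, missing or
    malformed header, wrong algorithm tag, non-hex payload, wrong length, or
    mismatching digest all return False; nothing raises into the handler.
    """
    if not app_secret:
        # Misconfiguration: with no secret there is nothing to verify against.
        return False
    if header is None:
        return False
    prefix, sep, hexsig = header.strip().partition("=")
    if sep != "=" or prefix.lower() != "sha256":
        return False
    try:
        presented = bytes.fromhex(hexsig)
    except ValueError:
        return False
    expected = hmac.new(app_secret, body, hashlib.sha256).digest()
    if len(presented) != len(expected):
        # Explicit, so a truncated signature is rejected before the comparison.
        return False
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    good = sign_body(SAMPLE_SECRET, SAMPLE_BODY)
    print("valid:", verify_whatsapp_signature(SAMPLE_SECRET, SAMPLE_BODY, good))
    print("tampered body:", verify_whatsapp_signature(SAMPLE_SECRET, SAMPLE_BODY + b" ", good))
    print("missing header:", verify_whatsapp_signature(SAMPLE_SECRET, SAMPLE_BODY, None))
```

The verifier must see the raw request bytes, not a re-serialised JSON object, since any whitespace or key-order change alters the digest; keeping one implementation, as the review asks, is what guarantees every route applies the same checks.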

"portless": "catalog:",
"typescript": "catalog:",
"vite": "7.3.2"
"vite": "8.0.10"
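Review bot: every other devDependency in this block resolves through `catalog:` while `vite` is bumped as a literal `8.0.10`; a hard pin here will not follow the workspace catalog entry changed elsewhere in this PR, so either this line should read `"vite": "catalog:"` or the pin needs a comment stating why this app deliberately diverges from the catalog.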

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, check if the files exist and examine the package.json
find . -name "package.json" -path "*/clients/web/apps/docs/*" | head -5

Repository: dallay/corvus

Length of output: 94


🏁 Script executed:

# Look for pnpm-workspace.yaml
find . -name "pnpm-workspace.yaml" | head -5

Repository: dallay/corvus

Length of output: 113


🏁 Script executed:

# List files in the relevant directory
git ls-files clients/web/apps/docs/ | head -20

Repository: dallay/corvus

Length of output: 1335


🏁 Script executed:

# Examine the package.json file to check line 30 and devDependencies
cat -n clients/web/apps/docs/package.json | grep -A 30 -B 5 "vite"

Repository: dallay/corvus

Length of output: 286


🏁 Script executed:

# Get the full package.json to see all devDependencies
cat -n clients/web/apps/docs/package.json

Repository: dallay/corvus

Length of output: 1363


🏁 Script executed:

# Examine pnpm-workspace.yaml, especially line 32 and context
cat -n clients/web/pnpm-workspace.yaml | head -50

Repository: dallay/corvus

Length of output: 1260


🏁 Script executed:

# Also check the root pnpm-workspace.yaml to understand the catalog setup
cat -n pnpm-workspace.yaml | grep -A 5 -B 5 "vite"

Repository: dallay/corvus

Length of output: 722


🏁 Script executed:

# Check if there are any comments in clients/web/pnpm-workspace.yaml explaining the Vite/Astro issue
cat clients/web/pnpm-workspace.yaml

Repository: dallay/corvus

Length of output: 966


🏁 Script executed:

# Check Vite 8 and Astro 6.1 compatibility via web search would be better, but first let's see if there are any comments in the file
rg -i "vite|astro" clients/web/pnpm-workspace.yaml -B 2 -A 2

Repository: dallay/corvus

Length of output: 620


🏁 Script executed:

# Search for any comments in the codebase mentioning vite and astro compatibility issues
rg -i "vite.*astro|astro.*vite" --type-list | head -20

Repository: dallay/corvus

Length of output: 447


🏁 Script executed:

# Check git history or comments about this hard pin
rg -i "vite|astro" clients/web/apps/docs/ -B 3 -A 3 --type-list

Repository: dallay/corvus

Length of output: 447


🏁 Script executed:

# Look for any issue tracking or TODO comments in the entire clients/web directory
rg -i "todo|fixme|bug|issue" clients/web/ --type-list | grep -i "vite\|astro"

Repository: dallay/corvus

Length of output: 447


🏁 Script executed:

# Check astro.config.mjs to see if there's any indication of compatibility issues
cat -n clients/web/apps/docs/astro.config.mjs

Repository: dallay/corvus

Length of output: 10654


🏁 Script executed:

# Search for any TODO, FIXME, or comments about vite/astro in the codebase
rg "TODO|FIXME|NOTE|BUG" clients/web/ -B 2 -A 2

Repository: dallay/corvus

Length of output: 1792


🏁 Script executed:

# Look for any issues or comments in git history about vite pinning
git log --all --oneline --grep="vite" | head -10

Repository: dallay/corvus

Length of output: 656


🏁 Script executed:

# Check if there are other package.json files with similar patterns to understand the intent
find clients/web -name "package.json" -exec grep -l "vite" {} \;

Repository: dallay/corvus

Length of output: 259


🏁 Script executed:

# Check how other apps handle vite in their package.json
for file in clients/web/apps/dashboard/package.json clients/web/apps/marketing/package.json clients/web/apps/rook-dashboard/package.json; do
  echo "=== $file ==="
  cat "$file" | grep -A 10 "devDependencies"
done

Repository: dallay/corvus

Length of output: 1063


🏁 Script executed:

# Check the git commit history for the vite hard pin to understand why it was done
git log -p --all -- clients/web/apps/docs/package.json | grep -B 10 -A 10 "vite.*8.0.10" | head -40

Repository: dallay/corvus

Length of output: 39


🏁 Script executed:

# Verify Vite 8 and Astro 6.1 compatibility - let's look at package lock files
rg "vite.*8.0.10|astro.*6.1" clients/web/apps/docs/pnpm-lock.yaml -B 2 -A 2 | head -20

Repository: dallay/corvus

Length of output: 832


🏁 Script executed:

# Let's check the full git history to see if there was an issue or discussion
git log --all --format="%h %s" --grep="astro\|vite" | head -20

Repository: dallay/corvus

Length of output: 1575


🏁 Script executed:

# Search for any comments or issues in markdown files about vite/astro incompatibility
rg -i "vite.*astro|astro.*vite|incompatible|break" clients/web/ --type md

Repository: dallay/corvus

Length of output: 405


🏁 Script executed:

# Let's check what version of Astro is actually being used in the lock file
rg "astro@" clients/web/apps/docs/pnpm-lock.yaml | head -5

Repository: dallay/corvus

Length of output: 543


🏁 Script executed:

# Check if marketing app also has the same issue and if this is deliberate
cat -n clients/web/apps/marketing/package.json

Repository: dallay/corvus

Length of output: 1536


🏁 Script executed:

# Look for any recent commits specifically about the vite pin in these apps
git log --all -p -- clients/web/apps/docs/package.json clients/web/apps/marketing/package.json | grep -B 5 -A 5 "vite" | head -50

Repository: dallay/corvus

Length of output: 1478


🏁 Script executed:

# Check what the actual resolved vite version is in the lock file
rg "vite@8" clients/web/apps/docs/pnpm-lock.yaml -B 2 -A 10 | head -30

Repository: dallay/corvus

Length of output: 39


🏁 Script executed:

# Let me check when vite was bumped to 8.0.10 specifically
git log --all --oneline --follow -- clients/web/apps/docs/package.json clients/web/apps/marketing/package.json | head -20

Repository: dallay/corvus

Length of output: 103


🏁 Script executed:

# Check the specific commit that added 8.0.10
git show 0ef9b53 | head -100

Repository: dallay/corvus

Length of output: 5296


🏁 Script executed:

# Find the specific commit that introduced vite 8.0.10
git log --all --oneline -- clients/web/apps/docs/package.json clients/web/apps/marketing/package.json | xargs -I {} git show {} | grep -B 5 "vite.*8.0.10" | head -30

Repository: dallay/corvus

Length of output: 2756


🏁 Script executed:

# More direct search for when vite 8.0.10 was introduced
git log --all -p -- clients/web/apps/docs/package.json | grep -B 20 "8.0.10" | head -50

Repository: dallay/corvus

Length of output: 884


🏁 Script executed:

# Let me check if there are any build or runtime errors related to vite in the test logs or CI
find . -name "*.md" -o -name "*.txt" | xargs grep -l "vite.*astro\|astro.*vite" 2>/dev/null | head -10

Repository: dallay/corvus

Length of output: 69


🌐 Web query:

Vite 8 Astro 6.1 compatibility issues

💡 Result:

Astro 6.1 is not compatible with Vite 8. Astro 6 uses Vite 7 internally and actively warns against using Vite 8, as full support is still in progress (WIP PR #15819).

Citations:


🏁 Script executed:

# Check the README for any mention of vite/astro compatibility
cat README.md | grep -i "vite\|astro" -B 2 -A 2

Repository: dallay/corvus

Length of output: 1123


Change vite to use catalog: instead of hard-pinning to 8.0.10.

All other devDependencies use catalog:, but vite is hard-pinned here and in clients/web/apps/marketing/package.json, bypassing the workspace catalog and risking silent desyncs. More critically: Astro 6.1.6 (in the catalog) is incompatible with Vite 8. Astro 6 uses Vite 7 internally and actively warns against Vite 8, as full support is still in progress. This pin forces a broken combination.

♻️ Proposed change
-    "vite": "8.0.10"
+    "vite": "catalog:"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/docs/package.json` at line 30, The devDependency "vite" is
hard-pinned to "8.0.10" in package.json which bypasses the workspace catalog and
forces an incompatible Vite/Astro combo; change the "vite" entry to use the
workspace catalog alias (e.g., replace the literal "8.0.10" value with the same
catalog spec used elsewhere like "catalog:vite") so the project picks up the
catalog-managed, Astro-compatible Vite version; also apply the same change to
the other package that was hard-pinned (the marketing app) and run your
workspace install/update to refresh the lockfile.

"portless": "catalog:",
"typescript": "catalog:",
"vite": "7.3.2"
"vite": "8.0.10"
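Review bot: same literal `8.0.10` pin as in the docs app, sitting beside `catalog:` entries; whichever Vite line the catalog settles on, these two apps should not each carry their own copy of the version, since the next bump will have to touch three files to stay consistent.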

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "package.json" -path "*/clients/web/apps/*" 2>/dev/null | head -5

Repository: dallay/corvus

Length of output: 39


🏁 Script executed:

git ls-files clients/web/apps/ | grep -E "(package\.json|pnpm-workspace\.yaml)"

Repository: dallay/corvus

Length of output: 217


🏁 Script executed:

cat -n clients/web/apps/marketing/package.json | sed -n '25,40p'

Repository: dallay/corvus

Length of output: 282


🏁 Script executed:

cat -n clients/web/pnpm-workspace.yaml | sed -n '25,40p'

Repository: dallay/corvus

Length of output: 457


🏁 Script executed:

cat -n clients/web/pnpm-workspace.yaml | sed -n '1,30p'

Repository: dallay/corvus

Length of output: 969


🏁 Script executed:

for file in clients/web/apps/*/package.json; do
  echo "=== $file ==="; 
  grep -A2 '"devDependencies"' "$file" | grep -E '"vite"|"astro"' || true;
done

Repository: dallay/corvus

Length of output: 249


🏁 Script executed:

for file in clients/web/apps/*/package.json; do
  echo "=== $(basename $(dirname $file)) ===";
  sed -n '/"devDependencies"/,/^  }/p' "$file" | grep -E '"(vite|astro)"';
done

Repository: dallay/corvus

Length of output: 219


🌐 Web query:

Vite 8 Astro 6.1 incompatibility compatibility

💡 Result:

Astro 6.1 is incompatible with Vite 8. Astro 6.1 requires Vite ^7 (specifically ^7.3.1 as seen in dependencies for Astro 6.x), and explicitly warns users when Vite 8 is detected. Full support for Vite 8 is in progress via an open pull request but not yet merged into a stable release as of 2026-04-25. To avoid issues: - Do not install or override to Vite 8. - If using packages that hoist Vite 8 (e.g., @tailwindcss/vite), add overrides: {"vite": "^7"} to package.json. - Astro dev server shows a warning on Vite 8 detection, and astro add cloudflare auto-adds the override.

Citations:


Align with catalog dependency management, but note the root cause is incompatibility in the catalog itself.

The hard-pinned version is inconsistent with the catalog pattern (though docs also hard-pins). However, the underlying issue is more critical: Astro 6.1 is incompatible with Vite 8, and the catalog defines both together. Using catalog: would propagate this incompatibility rather than solve it. The catalog should be fixed to require Vite 7.x with Astro 6.1.x, or both packages updated together to compatible versions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/web/apps/marketing/package.json` at line 31, The package.json
currently hard-pins "vite": "8.0.10", which conflicts with Astro 6.1 and breaks
the catalog pattern; change the dependency to a Vite 7.x semver (e.g., "vite":
"7.x") so this app is compatible with Astro 6.1, and add a short TODO noting to
switch to the catalog-managed dependency (catalog:vite) once the catalog is
fixed to require Vite 7.x for Astro 6.1; update package.json's "vite" entry and
any related install/test steps to use the new semver.

Comment on lines +22 to +32
astro: 6.1.6
astro-vtbot: 2.1.12
axe-core: 4.11.0
happy-dom: 20.8.9
postcss: 8.5.8
postcss: 8.5.10
portless: 0.6.0
sharp: 0.34.5
tailwind-merge: 3.5.0
tailwindcss: 4.2.2
typescript: 5.9.3
vite: 7.3.2
vite: 8.0.10
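Review bot: `astro` stays at 6.1.6 while `vite` crosses a major boundary to 8.0.10 in the same catalog; a major bump of the bundler paired with an unchanged framework is the case where a green `make all` says least, so the production `astro build` output of the docs and marketing apps should be exercised before merge, not only the dev server, and the apps' own `vite` pins should be reconciled with whatever this entry ends up as.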

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Does Astro 6.1.x officially support Vite 8 as a top-level dependency, and is vitejs/vite issue #22307 (8.0.10 production build crash) fixed yet?

💡 Result:

Yes—Astro 6.1.x does not officially support Vite 8 as a top-level dependency. Evidence: Astro 6 uses Vite 7 for both dev server and production bundling (“Astro v6.0 upgrades to Vite v7.0 as the development server and production bundler”). Additionally, Astro 6.1 includes logic to warn when Vite 8 is detected at the top level and automatically adds a package.json override to force Vite ^7 (so Vite 8 is treated as a problematic/unsupported configuration, not a supported top-level choice). Vite #22307 ([8.0.10] breaks production build) is not marked as fixed/closed in the issue itself; it remains open. Therefore, as of 2026-04-25, that specific bug is not confirmed as fixed yet. However, it’s also worth noting that other Vite 8 production issues have been closed after subsequent patch releases (e.g., #21990 is said to have been fixed in Vite 8.0.3). That does not imply #22307 is fixed.

Citations:


🏁 Script executed:

# Check if the mentioned files exist and inspect their Vite entries
fd -t f "package.json" clients/web/apps/docs clients/web/apps/marketing 2>/dev/null | head -5

Repository: dallay/corvus

Length of output: 132


🏁 Script executed:

# Check for astro.config.mjs files in docs and marketing apps
fd -t f "astro.config.mjs" clients/web/apps/ 2>/dev/null

Repository: dallay/corvus

Length of output: 140


🏁 Script executed:

# Search for loadEnv imports from vite in the codebase
rg "loadEnv.*from.*vite" clients/web/apps/docs clients/web/apps/marketing 2>/dev/null

Repository: dallay/corvus

Length of output: 285


🏁 Script executed:

# Check docs/package.json around line 30
cat -n clients/web/apps/docs/package.json | sed -n '25,35p'

Repository: dallay/corvus

Length of output: 286


🏁 Script executed:

# Check marketing/package.json around line 31
cat -n clients/web/apps/marketing/package.json | sed -n '25,35p'

Repository: dallay/corvus

Length of output: 282


Vite 8.0.10 is incompatible with Astro 6.1.6 — this bump will degrade docs/marketing builds.

Two separate problems:

  1. Astro 6.1 explicitly does not support Vite 8 at the top level. Astro 6.1 warns on dev server startup when Vite 8 is detected and automatically adds a "overrides": { "vite": "^7" } entry to package.json. Both clients/web/apps/docs and clients/web/apps/marketing consume astro: catalog: (now 6.1.6) and import loadEnv directly from "vite" in their astro.config.mjs — surfacing the warning on every dev start and risking runtime breakage from API drift.

  2. Vite 8.0.10 has an open production-build regression. [8.0.10] breaks production build vitejs/vite#22307 breaks production builds with Uncaught TypeError: Class extends value undefined is not a constructor or null. This is a shippable-output risk for static-built apps like marketing/docs.

Recommended: keep Vite on the ^7 line that Astro 6.1 expects (e.g., latest 7.3.x) until Astro publishes a Vite-8-compatible release. This resolves the per-app pins at clients/web/apps/docs/package.json (line 30) and clients/web/apps/marketing/package.json (line 31).

♻️ Suggested catalog change (option A: stay on Vite 7)
-  vite: 8.0.10
+  vite: 7.3.2
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@clients/web/pnpm-workspace.yaml` around lines 22 - 32, The pnpm catalog
currently lists "vite: 8.0.10" while "astro: 6.1.6" requires Vite 7; change the
vite entry from 8.0.10 to a Vite 7-compatible constraint (e.g., "^7.3.x") so
Astro no longer warns or auto-adds an override and to avoid the Vite 8
production-build regression; also update the per-app pins that consume the
catalog (apps "docs" and "marketing" which currently import loadEnv from "vite")
to use the catalog's Vite 7 version (remove or replace any explicit 8.x pin in
those package.jsons).

Comment thread gradle/libs.versions.toml
junit-jupiter = "5.14.3"
material3 = "1.10.0-alpha05"
netty = "4.1.132.Final"
netty = "4.2.12.Final"
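Review bot: 4.1.132.Final → 4.2.12.Final is a minor-line change, not a patch, so the usual "patch bump, no action" assumption for a consolidated Dependabot batch does not hold; any pin of `io.netty` coordinates outside this catalog (the review below names a `safeNettyVersion` constant in build-logic) has to move in the same commit, otherwise this catalog line changes nothing in the resolved graph.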

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 1) Confirm safeNettyVersion is bumped alongside the catalog.
rg -nP --type=kotlin -C2 '\bsafeNettyVersion\b'

# 2) Find any other hardcoded 4.1.132.Final references that would conflict.
rg -nP -C2 '4\.1\.132\.Final'

# 3) Confirm the new value is referenced where expected.
rg -nP -C2 '4\.2\.12\.Final'

# 4) Surface custom Netty handler/SSL usage that may need retesting on 4.2.x.
rg -nP --type=kotlin --type=java -C2 '\b(SslContextBuilder|ChannelInitializer|EpollEventLoopGroup|IoUringEventLoopGroup|ByteBufAllocator)\b'

Repository: dallay/corvus

Length of output: 10557


🌐 Web query:

Netty 4.2.12.Final release notes breaking changes vs 4.1.x SslHandler

💡 Result:

Netty 4.2.12.Final does not publish a dedicated, SslHandler-specific “release notes / breaking changes” page in the sources I found. However, the main TLS/SSL-related behavioral breaking change when moving from Netty 4.1.x to Netty 4.2.x (which affects SslHandler usage/config) is documented in the official Netty 4.2 Migration Guide: 1) Hostname verification (endpoint identification) is enabled by default for client TLS in Netty 4.2 - In Netty 4.2, Netty changes the default endpoint identification algorithm from null (in 4.1) to HTTPS (in 4.2). - Impact: client TLS handshakes will now perform hostname verification by default, which can break systems that previously relied on disabled/implicit hostname verification. - Override to restore Netty 4.1 behavior via system property: io.netty.handler.ssl.defaultEndpointVerificationAlgorithm=NONE. - Migration guidance is to explicitly configure endpoint validation using SslContextBuilder.endpointIdentificationAlgorithm(...), and the guide notes this is required/important to avoid surprises. 2) SslHandler-related API deprecations/renames exist in the 4.2.x line (not specifically “4.2.12 vs 4.1.x”, but relevant to upgrading) - The Netty 4.2.12.Final API reference indicates SslHandler has methods such as closeOutbound/handshakeFuture. - The Netty 4.2.9.Final deprecated list includes that older SslHandler methods such as getCloseNotifyTimeoutMillis/setCloseNotifyTimeout.../isEncrypted(ByteBuf) are deprecated in favor of newer getCloseNotifyFlushTimeoutMillis/setCloseNotifyFlushTimeout.../isEncrypted(ByteBuf, boolean). This matters if your upgrade touches those methods. What I could not find (in the sources available here) - A formal “Netty 4.2.12.Final release notes” document listing SslHandler-breaking changes specifically between 4.2.11.Final and 4.2.12.Final. - The Netty 4.2 migration guide instead covers the larger, cross-4.2 family breaking changes that typically surface when upgrading from 4.1.x. 
If you tell me which exact upgrade path you mean (e.g., 4.1.x -> 4.2.12.Final, or 4.2.11.Final -> 4.2.12.Final), and which SslHandler APIs/config you use (JdkSslContext/OpenSsl, endpointIdentificationAlgorithm usage, ALPN, closeNotify timeouts), I can narrow this down to only the relevant breaking changes.

Citations:


Update safeNettyVersion to 4.2.12.Final and re-verify TLS endpoint verification defaults on the 4.2 line.

The catalog bump on line 24 to 4.2.12.Final is currently inert. The enforcement function in gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts (lines 61–68) pins every io.netty:* resolution to safeNettyVersion (still 4.1.132.Final on line 8). Without syncing that constant, the enforcement silently overrides the catalog and downgrades all Netty deps back to 4.1.x—no upgrade occurs, and stale lockfiles remain.

More critically: Netty 4.2.x enables TLS hostname verification by default (was disabled in 4.1.x). Systems relying on unverified or self-signed certs will break on upgrade unless explicitly configured via SslContextBuilder.endpointIdentificationAlgorithm(...) or the system property override. Custom SslContext, ALPN, and transport code (epoll/kqueue/io_uring) should also be spot-checked for source-incompatible changes before upgrade lands.

Required sync in com.profiletailors.check.locking.gradle.kts
-val safeNettyVersion = "4.1.132.Final"
+val safeNettyVersion = "4.2.12.Final"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@gradle/libs.versions.toml` at line 24, The dependency catalog bump to netty
"4.2.12.Final" is being overridden by the enforcement logic: update the
safeNettyVersion constant in com.profiletailors.check.locking.gradle.kts (the
enforcement function that pins io.netty:* resolutions) from 4.1.132.Final to
4.2.12.Final so the catalog upgrade actually takes effect; after updating,
re-run dependency sync and spot-check code that builds TLS contexts—search for
SslContextBuilder.endpointIdentificationAlgorithm, any custom SslContext
creation, ALPN code, and epoll/kqueue/io_uring transport usage to ensure
hostname verification behavior and source compatibility are handled (adjust
SslContextBuilder.endpointIdentificationAlgorithm or system properties where
necessary).


coderabbitai Bot commented Apr 25, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 6 file(s) based on 6 unresolved review comments.

A stacked PR containing fixes has been created.

  • Stacked PR: #657
  • Files modified:
  • clients/agent-runtime/src/gateway/mod.rs
  • clients/web/apps/docs/package.json
  • clients/web/apps/marketing/package.json
  • clients/web/pnpm-lock.yaml
  • clients/web/pnpm-workspace.yaml
  • gradle/build-logic/src/main/kotlin/com.profiletailors.check.locking.gradle.kts

Time taken: 8m 6s

@yacosta738 yacosta738 merged commit 8591971 into main Apr 25, 2026
20 checks passed
@yacosta738 yacosta738 deleted the chore/deps-consolidation-safe branch April 25, 2026 10:18