From cb7bd38872ea3e41bf442aca26299c9eba694ab0 Mon Sep 17 00:00:00 2001
From: ruvnet <ruvnet@gmail.com>
Date: Sat, 2 May 2026 01:01:54 -0400
Subject: [PATCH] =?UTF-8?q?ci(ruvector-hailo):=20cargo-audit=20+=20clippy?=
 =?UTF-8?q?=20+=20test=20+=20doc=20workflow=20(ADR-172=20=C2=A75c)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes ADR-172 §5c (no cargo-audit in CI). New GitHub Actions workflow
.github/workflows/hailo-backend-audit.yml runs four jobs on every
push/PR touching the hailo-backend branch's three crates or its ADRs:

* audit       — `cargo audit --deny warnings` against the cluster
                crate's Cargo.lock (205 deps; 0 vulns at land time)
* clippy      — `cargo clippy --all-targets -- -D warnings` (cached)
* test        — full suite: 75 lib + 12 cluster + 18 CLI + 7 doctest
* doc-warnings — `RUSTDOCFLAGS='-D missing-docs' cargo doc` (locks in
                  iter-75's #![warn(missing_docs)] enforcement)

Independent of the parent workspace's CI because the hailo crates are
excluded from the default workspace build (need libhailort for the
worker bin which CI can't install).

Also lands `crates/ruvector-hailo-cluster/deny.toml` for a future
cargo-deny pass: x86_64 + aarch64 targets, MIT/Apache/BSD/ISC license
allowlist, denies wildcards + unknown registries + unknown git sources.
Workflow doesn't run cargo-deny yet — config sits ready for the iter
92 follow-up after a clean `cargo deny check` pass against the dep tree.

Co-Authored-By: claude-flow <ruv@ruv.net>
---
 .github/workflows/hailo-backend-audit.yml | 102 ++++++++++++++++++++++
 crates/ruvector-hailo-cluster/deny.toml   |  56 ++++++++++++
 2 files changed, 158 insertions(+)
 create mode 100644 .github/workflows/hailo-backend-audit.yml
 create mode 100644 crates/ruvector-hailo-cluster/deny.toml

diff --git a/.github/workflows/hailo-backend-audit.yml b/.github/workflows/hailo-backend-audit.yml
new file mode 100644
index 000000000..72de57314
--- /dev/null
+++ b/.github/workflows/hailo-backend-audit.yml
@@ -0,0 +1,102 @@
+# ruvector-hailo CI: cargo-audit + cargo-deny + clippy + test pyramid
+#
+# Closes ADR-172 §5c (no cargo-audit in CI). Runs on every push +
+# PR touching the hailo-backend branch's three crates. Independent of
+# the parent workspace's CI because the hailo crates are excluded from
+# the default workspace build (need libhailort for the worker bin).
+name: hailo-backend audit
+
+on:
+  push:
+    branches: [hailo-backend, main]
+    paths:
+      - 'crates/ruvector-hailo-cluster/**'
+      - 'crates/ruvector-hailo/**'
+      - 'crates/hailort-sys/**'
+      - 'docs/adr/ADR-167-*.md'
+      - 'docs/adr/ADR-168-*.md'
+      - 'docs/adr/ADR-169-*.md'
+      - 'docs/adr/ADR-170-*.md'
+      - 'docs/adr/ADR-171-*.md'
+      - 'docs/adr/ADR-172-*.md'
+      - 'docs/adr/ADR-173-*.md'
+      - 'docs/adr/ADR-174-*.md'
+      - '.github/workflows/hailo-backend-audit.yml'
+  pull_request:
+    paths:
+      - 'crates/ruvector-hailo-cluster/**'
+      - 'crates/ruvector-hailo/**'
+      - 'crates/hailort-sys/**'
+      - '.github/workflows/hailo-backend-audit.yml'
+
+jobs:
+  audit:
+    name: cargo-audit (cluster)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install protoc
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+      - name: Install cargo-audit
+        run: cargo install --locked cargo-audit
+      - name: Run cargo audit
+        working-directory: crates/ruvector-hailo-cluster
+        # `--deny warnings` makes any vuln advisory a hard CI fail. The
+        # cluster crate is the only one with a Cargo.lock under audit's
+        # default scope (hailort-sys/ruvector-hailo lock files are gated
+        # on the `hailo` feature which CI can't build without libhailort).
+        run: cargo audit --deny warnings
+
+  clippy:
+    name: clippy --all-targets -D warnings (cluster)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install protoc
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+      - name: Cache cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            crates/ruvector-hailo-cluster/target
+          key: ${{ runner.os }}-cargo-${{ hashFiles('crates/ruvector-hailo-cluster/Cargo.lock') }}
+      - name: Run clippy
+        working-directory: crates/ruvector-hailo-cluster
+        run: cargo clippy --all-targets -- -D warnings
+
+  test:
+    name: test (cluster — lib + integration + cli + doctest)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install protoc
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+      - name: Cache cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            crates/ruvector-hailo-cluster/target
+          key: ${{ runner.os }}-cargo-test-${{ hashFiles('crates/ruvector-hailo-cluster/Cargo.lock') }}
+      - name: Run all suites
+        working-directory: crates/ruvector-hailo-cluster
+        run: cargo test
+      - name: Run doctests
+        working-directory: crates/ruvector-hailo-cluster
+        run: cargo test --doc
+
+  doc-warnings:
+    name: missing-docs check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install protoc
+        run: sudo apt-get update && sudo apt-get install -y protobuf-compiler
+      - name: Build docs with -D missing-docs
+        working-directory: crates/ruvector-hailo-cluster
+        env:
+          RUSTDOCFLAGS: "-D missing-docs"
+        run: cargo doc --no-deps --lib
diff --git a/crates/ruvector-hailo-cluster/deny.toml b/crates/ruvector-hailo-cluster/deny.toml
new file mode 100644
index 000000000..b2d2a56f2
--- /dev/null
+++ b/crates/ruvector-hailo-cluster/deny.toml
@@ -0,0 +1,56 @@
+# cargo-deny config for ruvector-hailo-cluster.
+#
+# Run with `cargo deny check` after installing cargo-deny.
+# CI surfaces this in the hailo-backend-audit workflow (planned iter 92
+# follow-up — workflow currently runs cargo-audit; cargo-deny lands once
+# this config has had a pass against the dep tree).
+#
+# Closes ADR-172 §5b/§5c (build supply chain hardening).
+
+[graph]
+# Targets we actually ship: x86 dev hosts + Pi 5 deploys.
+targets = [
+    { triple = "x86_64-unknown-linux-gnu" },
+    { triple = "aarch64-unknown-linux-gnu" },
+]
+
+[advisories]
+# Block on any unfixed vuln. Same threshold as the cargo-audit job.
+yanked = "deny"
+ignore = []
+
+[licenses]
+# Permissive licenses we accept. GPL-family stays denied for now (no
+# GPL deps in the cluster crate; flag if one sneaks in).
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "Zlib",
+    "MPL-2.0",
+    "CC0-1.0",
+    "0BSD",
+]
+confidence-threshold = 0.93
+
+[bans]
+# Explicit bans for things we don't want creeping in.
+multiple-versions = "warn"
+wildcards = "deny"
+highlight = "all"
+
+# Deny known-unsound or notoriously slow crates if they appear via
+# transitive deps. Empty today; populate as the dep tree grows.
+deny = []
+
+[sources]
+# Only crates.io. No git or path deps from outside the workspace.
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []