Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# Code owners are automatically requested for review on pull requests that touch
# matching paths. Combined with branch protection (require review from Code
# Owners), this ensures every change to main has an accountable reviewer.
#
# Swap @joeldsouzax for a @devrandom-labs/<team> slug to share ownership.

* @joeldsouzax
43 changes: 43 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
---
name: Bug report
about: Report incorrect behavior in bombay (NOT a security vulnerability)
title: "bug: "
labels: bug
---

<!--
SECURITY: Do NOT report vulnerabilities here. Use the private advisory form:
https://github.com/devrandom-labs/bombay/security/advisories/new (see SECURITY.md)
-->

## What happened

<!-- A clear description of the bug. -->

## Affected area / feature

<!-- core (actor / mailbox / supervision / registry), remote (zenoh), macros,
console, actors — and the enabled feature flags. -->

## Version

<!-- Crate version or git commit / tag. -->

## Reproduction

<!-- Minimal failing test, actor definition, or code snippet. -->

```rust
// minimal repro
```

## Expected vs. actual

- **Expected:**
- **Actual:**

## Environment

- OS / target:
- Single-node or across nodes (Zenoh remote):
- Tokio flavor (multi-thread / current-thread):
7 changes: 7 additions & 0 deletions .github/ISSUE_TEMPLATE/config.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# Disable blank issues so reporters pick a template — and, crucially, steer
# security reports to the PRIVATE advisory form instead of a public issue.
blank_issues_enabled: false
contact_links:
- name: Report a security vulnerability
url: https://github.com/devrandom-labs/bombay/security/advisories/new
about: Please report vulnerabilities privately — never in a public issue. See SECURITY.md.
34 changes: 34 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
---
name: Feature request
about: Propose an addition to bombay (new capability, actor, or API)
title: "feat: "
labels: enhancement
---

## Problem / motivation

<!-- What are you trying to do that bombay doesn't support today? -->

## Proposed change

<!--
bombay is 0.x and under active development, so both additions (new public item /
actor / feature flag) and changes to existing APIs are in scope. If your proposal
is a breaking change, say so — it's allowed, just call it out.
-->

## Breaking change?

<!-- Does this change an existing signature/type/behavior? Yes/No, and why it's worth it. -->

## Affected area / feature

<!-- core / remote (zenoh) / macros / console / actors. -->

## Alternatives considered

<!-- Other approaches, and why the proposed one is preferable. -->

## Additional context

<!-- Zenoh capabilities involved, nexus integration constraints, prior art. -->
36 changes: 36 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
<!-- Thanks for contributing to bombay! Please fill out the sections below. -->

## Summary

<!-- What does this PR change, and why? Reference the card (#NNN). -->

## Type of change

- [ ] `feat` — new functionality (new public item, actor, feature flag, example)
- [ ] `fix` — bug fix
- [ ] `docs` — documentation only
- [ ] `test` — tests / coverage only
- [ ] `chore` / `ci` / `refactor` — no public behavior change

## API impact (REQUIRED)

bombay is `0.x` and under active development. Breaking changes are allowed, but
never accidental — declare them:

- [ ] **No public API change** — purely additive or internal, or
- [ ] **Breaking change** — a signature/type/behavior/error-variant/feature-flag
changed. It is intentional, scoped, and described below (with the migration
for downstream consumers).

## Verification

- [ ] `nix flake check` passes locally (the single gate: clippy, fmt, taplo,
typos, audit, deny, nextest, doctest, actionlint, nixfmt, deadnix,
shellcheck).
- [ ] New behavior is covered test-first (the failing test came first).
- [ ] `README.md` updated if the public API changed (it is a per-*card*
public-API document — see `CLAUDE.md`).

## Notes

<!-- Anything reviewers should know: trade-offs, follow-ups, security impact. -->
47 changes: 47 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Dependabot keeps dependencies current and security-patched. It complements the
# `cargo audit` + `cargo deny` gate in `nix flake check`: that gate *blocks* a PR
# when a vulnerable/banned dependency is present, while Dependabot *continuously*
# watches and opens the fix PR — even when CI isn't running.
#
# Routine version churn is kept quiet: minor/patch updates are grouped into a
# single PR per ecosystem, and major bumps are left for deliberate, reviewed
# adoption (a major transport/runtime bump — tokio, zenoh, libp2p — can ripple
# into the public API and wants a human in the loop). Security updates bypass the
# `ignore` rules below — a real advisory always gets its own PR.
version: 2
updates:
# Rust crate dependencies (Cargo.toml / Cargo.lock).
- package-ecosystem: cargo
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 5
commit-message:
prefix: "chore(deps)"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
groups:
cargo:
patterns: ["*"]
update-types:
- minor
- patch

# GitHub Actions used by the workflows in .github/workflows/.
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
open-pull-requests-limit: 5
commit-message:
prefix: "ci(deps)"
ignore:
- dependency-name: "*"
update-types: ["version-update:semver-major"]
groups:
actions:
patterns: ["*"]
update-types:
- minor
- patch
46 changes: 46 additions & 0 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
# CodeQL static analysis for first-party Rust source. This is the one piece the
# nix/crane gate does NOT cover: cargo-audit/cargo-deny scan *dependencies*, and
# clippy lints style/correctness, but CodeQL does security dataflow analysis of
# our own code. `build-mode: none` means CodeQL extracts from source without a
# full build, so it does not need the nix-pinned toolchain reproduced here.
name: CodeQL

on:
pull_request:
branches:
- main
push:
branches:
- main
schedule:
# Weekly, so newly-published CodeQL queries run against the released code
# even when nothing changes. (Fixed time; Mondays 05:23 UTC.)
- cron: "23 5 * * 1"

# Don't pile up redundant analyses on rapid pushes.
concurrency:
group: codeql-${{ github.ref }}
cancel-in-progress: true

jobs:
analyze:
name: Analyze (rust)
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: rust
build-mode: none

- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:rust"
72 changes: 72 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
# Security Policy

`bombay` is a Zenoh-native actor framework (a hard-fork of kameo). Actors are
addressable across a dataspace and exchange messages over the network, so the
remote layer decodes bytes from untrusted peers — we take the security of this
crate and the systems that depend on it seriously, and we appreciate responsible
disclosure of vulnerabilities.

## Supported Versions

Security fixes target the latest released minor line. bombay is `0.x` and under
active development (see [`CLAUDE.md`](./CLAUDE.md)), so a fix that must change
observable behavior is handled as a coordinated release; following the SemVer
`0.x` convention a breaking fix bumps the minor version.

| Version | Supported |
|---------|--------------------|
| 0.21.x | :white_check_mark: |
| < 0.21 | :x: |

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues,
discussions, or pull requests.**

Report privately through GitHub's built-in advisory workflow:

1. Go to the repository's **Security** tab.
2. Click **Report a vulnerability** (GitHub Private Vulnerability Reporting).
3. Provide a clear description, affected version(s), and reproduction steps.

A maintainer will receive your report privately, and you can collaborate on a
fix through the same private advisory.

Direct link: <https://github.com/devrandom-labs/bombay/security/advisories/new>

### What to include

- The area affected (`core` — actor/mailbox/supervision/registry, `remote` —
the Zenoh transport, `macros`, `console`, `actors`) and the version or git
commit.
- A description of the impact (e.g. memory unsafety, panic on an untrusted
remote message, mailbox/supervision isolation break, resource exhaustion).
- A minimal reproduction (a failing test, an actor definition, or the bytes that
trigger it).

## Response Expectations

- **Acknowledgement:** within 3 business days.
- **Triage & severity assessment:** within 7 business days.
- **Fix & coordinated disclosure:** timeline communicated during triage, scaled
to severity. We will credit reporters who wish to be acknowledged.

## Scope

In scope: vulnerabilities in this crate's source — including memory safety,
panics on untrusted/malformed input (especially messages decoded by the remote
layer), actor isolation or supervision failures that let one actor corrupt
another, unbounded resource growth reachable from the network, and supply-chain
issues in declared dependencies.

Out of scope: vulnerabilities in downstream applications that merely depend on
`bombay`, issues requiring a non-default explicitly-unsafe configuration, and
denial-of-service that requires a trusted local peer already inside the
dataspace's authorization boundary.

## Supply-Chain Hygiene

Every change is gated by `nix flake check`, which runs `cargo audit`
(RUSTSEC advisory database) and `cargo deny` (advisories, license, and source
bans) on the full dependency tree. Dependabot continuously monitors and opens
update pull requests, and CodeQL scans first-party Rust source on pull requests.
36 changes: 36 additions & 0 deletions _typos.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# typos spell-checker config. Wired into `nix flake check` as the `bombay-typos`
# gate. Real misspellings are fixed in the tree; this file only records the
# genuine false positives (crate names, deliberate abbreviations, literal test
# data) and the one area not worth fixing yet.
[files]
# NOTE: the gate runs `typos <abs-nix-store-path>`, and typos matches
# slash-bearing exclude globs relative to CWD (the build sandbox), not the walked
# root — so a non-`**`-anchored path silently misses. Anchor every path exclude
# with `**/`. (Same footgun cesr's _typos.toml documents.)
extend-exclude = [
# Dependency checksums — pure noise.
"Cargo.lock",
# The libp2p remote layer (src/remote*) is vendored kameo code that M1 DELETES
# and rewrites over Zenoh (cards #2–#6). It carries a typo'd *public* type,
# `DowncastRegsiteredActorRefError`; renaming a public type in code about to be
# deleted is churn. Re-tighten (drop these) once the Zenoh remote lands.
"**/src/remote.rs",
"**/src/remote/**",
]

[default.extend-words]
# `ratatui` — the TUI crate, referenced by name in the console docs.
ratatui = "ratatui"
# `strat` — deliberate abbreviation of "strategy": a local/loop binding in the
# console renderer and the supervision/pubsub step tests.
strat = "strat"
# `ofo` — "one-for-one" supervision-strategy abbreviation in a step-fn name.
ofo = "ofo"
# `mis` — used as a prefix/abbreviation in docs and step tests.
mis = "mis"
# `seens` — a local Vec binding in a core integration test; it sits next to a
# `seen` binding, so "correcting" it would collide with that name.
seens = "seens"
# `Alph` — a literal input string in a TUI render test; changing it to "Alpha"
# alters the asserted terminal grid, so it is data, not a misspelling.
alph = "alph"
2 changes: 1 addition & 1 deletion actors/tests/steps/pool.rs
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ impl Message<Hold> for Recorder {
// A factory whose closures assign monotonically increasing slot ids
// ===========================================================================

/// A clonable handle to the slot allocator + shared counter map a factory uses.
/// A cloneable handle to the slot allocator + shared counter map a factory uses.
/// The factory built from this assigns slot ids `0, 1, 2, …` in worker-creation
/// order, so the initial N workers get slots `0..N` (worker index == slot id),
/// and any replacement gets a slot id `>= N`.
Expand Down
Loading
Loading