From bef708fd734b5ee2aa949f7b691a86b396d2a4c0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 05:33:41 +0000 Subject: [PATCH 1/4] chore(deps): Bump napi in /src/code-validator/guest Bumps [napi](https://github.com/napi-rs/napi-rs) from 2.16.17 to 3.9.0. - [Release notes](https://github.com/napi-rs/napi-rs/releases) - [Commits](https://github.com/napi-rs/napi-rs/compare/napi@2.16.17...napi-v3.9.0) --- updated-dependencies: - dependency-name: napi dependency-version: 3.9.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- src/code-validator/guest/Cargo.lock | 136 ++++++++++++++++++++--- src/code-validator/guest/host/Cargo.toml | 2 +- 2 files changed, 123 insertions(+), 15 deletions(-) diff --git a/src/code-validator/guest/Cargo.lock b/src/code-validator/guest/Cargo.lock index 3935381..d94e936 100644 --- a/src/code-validator/guest/Cargo.lock +++ b/src/code-validator/guest/Cargo.lock @@ -265,7 +265,7 @@ checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4" dependencies = [ "glob", "libc", - "libloading", + "libloading 0.8.9", ] [[package]] @@ -430,13 +430,9 @@ dependencies = [ [[package]] name = "ctor" -version = "0.2.9" +version = "1.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32a2785755761f3ddc1492979ce1e48d2c00d09311c39e4466429188f3dd6501" -dependencies = [ - "quote", - "syn", -] +checksum = "6d765eb1c0bda10d31e0ea185f5ee15da532d60b0912d2bd1441783439e749c5" [[package]] name = "digest" @@ -548,6 +544,94 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb" +[[package]] +name = "futures" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b147ee9d1f6d097cef9ce628cd2ee62288d963e16fb287bd9286455b241382d" +dependencies = [ + "futures-channel", + "futures-core", + "futures-executor", + "futures-io", + "futures-sink", + "futures-task", + "futures-util", +] + +[[package]] +name = "futures-channel" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" +dependencies = [ + "futures-core", + "futures-sink", +] + +[[package]] +name = "futures-core" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" + +[[package]] +name = "futures-executor" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "baf29c38818342a3b26b5b923639e7b1f4a61fc5e76102d4b1981c6dc7a7579d" +dependencies = [ + "futures-core", + "futures-task", + "futures-util", +] + +[[package]] +name = "futures-io" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cecba35d7ad927e23624b22ad55235f2239cfa44fd10428eecbeba6d6a717718" + +[[package]] +name = "futures-macro" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e835b70203e41293343137df5c0664546da5745f82ec9b84d40be8336958447b" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "futures-sink" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c39754e157331b013978ec91992bde1ac089843443c49cbc7f46150b0fad0893" + +[[package]] +name = "futures-task" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393" + +[[package]] +name = "futures-util" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" +dependencies = [ + "futures-channel", + "futures-core", + "futures-io", + "futures-macro", + "futures-sink", + "futures-task", + "memchr", + "pin-project-lite", + "slab", +] + [[package]] name = "generic-array" version = "0.14.7" @@ -914,6 +998,16 @@ dependencies = [ "windows-link", ] +[[package]] +name = "libloading" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "754ca22de805bb5744484a5b151a9e1a8e837d5dc232c2d7d8c2e3492edc8b60" +dependencies = [ + "cfg-if", + "windows-link", +] + [[package]] name = "libredox" version = "0.1.14" @@ -1012,15 +1106,17 @@ dependencies = [ [[package]] name = "napi" -version = "2.16.17" +version = "3.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "55740c4ae1d8696773c78fdafd5d0e5fe9bc9f1b071c7ba493ba5c413a9184f3" +checksum = "f1d395473824516f38dd1071a1a37bc57daa7be65b293ebba4ead5f7abb017a2" dependencies = [ "bitflags 2.11.0", "ctor", - "napi-derive", + "futures", + "napi-build", "napi-sys", - "once_cell", + "nohash-hasher", + "rustc-hash", "tokio", ] @@ -1061,13 +1157,19 @@ dependencies = [ [[package]] name = "napi-sys" -version = "2.4.0" +version = "3.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "427802e8ec3a734331fec1035594a210ce1ff4dc5bc1950530920ab717964ea3" +checksum = "8eb602b84d7c1edae45e50bbf1374696548f36ae179dfa667f577e384bb90c2b" dependencies = [ - "libloading", + "libloading 0.9.0", ] +[[package]] +name = "nohash-hasher" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451" + [[package]] name = "nom" version = "7.1.3" @@ -1530,6 +1632,12 @@ version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" +[[package]] +name = "slab" +version = "0.4.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5" + [[package]] name = "spin" version = "0.10.0" diff --git a/src/code-validator/guest/host/Cargo.toml b/src/code-validator/guest/host/Cargo.toml index f792e99..7b901ef 100644 --- a/src/code-validator/guest/host/Cargo.toml +++ b/src/code-validator/guest/host/Cargo.toml @@ -17,7 +17,7 @@ crate-type = ["cdylib", "rlib"] [dependencies] hyperlight-host = { workspace = true } -napi = { version = "2", features = ["async", "napi6"] } +napi = { version = "3", features = ["async", "napi6"] } napi-derive = "2" sha2 = "0.11" hex = "0.4" From ea90659e266654edaab096358c00529ee96df3e4 Mon Sep 17 00:00:00 2001 From: Simon Davies Date: Mon, 1 Jun 2026 16:17:25 +0100 Subject: [PATCH 2/4] build(deps): bump napi to 3 in code-validator guest host MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bump napi and napi-derive together to v3 (they are version-coupled); napi-build stays at v2 (no v3 exists). No Rust code changes are needed — the 3.x API used by the host crate is source-compatible. napi-derive 3 makes `napi build` emit JSDoc into the generated src/code-validator/guest/host/index.d.ts, which is not Prettier-formatted. That file is a build artifact (the hand-written canonical types live in src/code-validator/guest/index.d.ts), so it is now gitignored and prettierignored, matching how other generated *.d.ts files are handled. Signed-off-by: Simon Davies --- .gitignore | 3 +++ .prettierignore | 4 ++++ src/code-validator/guest/Cargo.lock | 24 +++++++++++------------- src/code-validator/guest/host/Cargo.toml | 2 +- src/code-validator/guest/host/index.d.ts | 0 5 files changed, 19 insertions(+), 14 deletions(-) create mode 100644 .prettierignore delete mode 100644 src/code-validator/guest/host/index.d.ts diff --git a/.gitignore b/.gitignore index ce55669..6fadebf 100644 --- a/.gitignore +++ b/.gitignore @@ -54,3 +54,6 @@ plugins/plugin-schema-types.js plugins/host-modules.d.ts output-hyperagent-*/ scripts/bash-bundle/_tmp_bundle.js + +# Generated NAPI binding type declarations (emitted by `napi build`) +src/code-validator/guest/host/index.d.ts diff --git a/.prettierignore b/.prettierignore new file mode 100644 index 0000000..5ff1168 --- /dev/null +++ b/.prettierignore @@ -0,0 +1,4 @@ +# Generated NAPI binding type declarations (emitted by `napi build`). +# napi-derive >= 3 writes JSDoc into this file, which is not Prettier-formatted. +# The canonical, hand-written types live in src/code-validator/guest/index.d.ts. +src/code-validator/guest/host/index.d.ts diff --git a/src/code-validator/guest/Cargo.lock b/src/code-validator/guest/Cargo.lock index d94e936..53e4e02 100644 --- a/src/code-validator/guest/Cargo.lock +++ b/src/code-validator/guest/Cargo.lock @@ -360,18 +360,18 @@ checksum = "3d52eff69cd5e647efe296129160853a42795992097e8af39800e1060caeea9b" [[package]] name = "convert_case" -version = "0.6.0" +version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec182b0ca2f35d8fc196cf3404988fd8b8c739a4d270ff118a398feb0cbec1ca" +checksum = "633458d4ef8c78b72454de2d54fd6ab2e60f9e02be22f3c6104cdc8a4e0fceb9" dependencies = [ "unicode-segmentation", ] [[package]] name = "convert_case" -version = "0.10.0" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "633458d4ef8c78b72454de2d54fd6ab2e60f9e02be22f3c6104cdc8a4e0fceb9" +checksum = "affbf0190ed2caf063e3def54ff444b449371d55c58e513a95ab98eca50adb49" dependencies = [ "unicode-segmentation", ] @@ -1128,12 +1128,12 @@ checksum = "c9c366d2c8c60b86fa632df75f745509b52f9128f91a6bad4c796e44abb505e1" [[package]] name = "napi-derive" -version = "2.16.13" +version = "3.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7cbe2585d8ac223f7d34f13701434b9d5f4eb9c332cccce8dee57ea18ab8ab0c" +checksum = "89b3f766e04667e6da0e181e2da4f85475d5a6513b7cf6a80bea184e224a5b42" dependencies = [ - "cfg-if", - "convert_case 0.6.0", + "convert_case 0.11.0", + "ctor", "napi-derive-backend", "proc-macro2", "quote", @@ -1142,15 +1142,13 @@ dependencies = [ [[package]] name = "napi-derive-backend" -version = "1.0.75" +version = "5.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1639aaa9eeb76e91c6ae66da8ce3e89e921cd3885e99ec85f4abacae72fc91bf" +checksum = "0d5af30503edf933ce7377cf6d4c877a62b0f1107ea05585f1b5e430e88d5baf" dependencies = [ - "convert_case 0.6.0", - "once_cell", + "convert_case 0.11.0", "proc-macro2", "quote", - "regex", "semver", "syn", ] diff --git a/src/code-validator/guest/host/Cargo.toml b/src/code-validator/guest/host/Cargo.toml index 7b901ef..47aa7d2 100644 --- a/src/code-validator/guest/host/Cargo.toml +++ b/src/code-validator/guest/host/Cargo.toml @@ -18,7 +18,7 @@ crate-type = ["cdylib", "rlib"] [dependencies] hyperlight-host = { workspace = true } napi = { version = "3", features = ["async", "napi6"] } -napi-derive = "2" +napi-derive = "3" sha2 = "0.11" hex = "0.4" base64 = "0.22" diff --git a/src/code-validator/guest/host/index.d.ts b/src/code-validator/guest/host/index.d.ts deleted file mode 100644 index e69de29..0000000 From 1e17809c9e90328b3141319557ab47a8d8dbcea7 Mon Sep 17 00:00:00 2001 From: Simon Davies Date: Wed, 3 Jun 2026 10:38:48 +0100 Subject: [PATCH 3/4] chore(deps): regenerate artifacts for napi 3.9.0 bump Rebuilding the code-validator guest host crate with napi/napi-derive 3.x makes api build emit a generated loader (host/index.js) alongside the already-ignored host/index.d.ts. Both are build artifacts: the canonical loader/types live in src/code-validator/guest/index.{js,d.ts}, so ignore host/index.js in .gitignore and .prettierignore for consistency. Also prune the now-orphaned convert_case 0.10.0 entry from the guest Cargo.lock (only napi-derive 2 pulled it in; napi-derive 3 uses 0.11.0). Verified on Linux+KVM: TS suite (2505) and analysis-guest Rust tests (124) pass, including the previously-failing mcp/module-store runtime integrity checks; prettier, tsc, and guest clippy/fmt are clean. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Simon Davies --- .gitignore | 3 ++- .prettierignore | 8 +++++--- src/code-validator/guest/Cargo.lock | 15 +++------------ 3 files changed, 10 insertions(+), 16 deletions(-) diff --git a/.gitignore b/.gitignore index 6fadebf..8c89d3d 100644 --- a/.gitignore +++ b/.gitignore @@ -55,5 +55,6 @@ plugins/host-modules.d.ts output-hyperagent-*/ scripts/bash-bundle/_tmp_bundle.js -# Generated NAPI binding type declarations (emitted by `napi build`) +# Generated NAPI binding loader + type declarations (emitted by `napi build`) src/code-validator/guest/host/index.d.ts +src/code-validator/guest/host/index.js diff --git a/.prettierignore b/.prettierignore index 5ff1168..48a950f 100644 --- a/.prettierignore +++ b/.prettierignore @@ -1,4 +1,6 @@ -# Generated NAPI binding type declarations (emitted by `napi build`). -# napi-derive >= 3 writes JSDoc into this file, which is not Prettier-formatted. -# The canonical, hand-written types live in src/code-validator/guest/index.d.ts. +# Generated NAPI binding loader + type declarations (emitted by `napi build`). +# napi-derive >= 3 writes JSDoc into the .d.ts and emits a loader .js, neither of +# which is Prettier-formatted. The canonical, hand-written loader/types live in +# src/code-validator/guest/index.js and src/code-validator/guest/index.d.ts. src/code-validator/guest/host/index.d.ts +src/code-validator/guest/host/index.js diff --git a/src/code-validator/guest/Cargo.lock b/src/code-validator/guest/Cargo.lock index f378986..a91d719 100644 --- a/src/code-validator/guest/Cargo.lock +++ b/src/code-validator/guest/Cargo.lock @@ -358,15 +358,6 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3d52eff69cd5e647efe296129160853a42795992097e8af39800e1060caeea9b" -[[package]] -name = "convert_case" -version = "0.10.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "633458d4ef8c78b72454de2d54fd6ab2e60f9e02be22f3c6104cdc8a4e0fceb9" -dependencies = [ - "unicode-segmentation", -] - [[package]] name = "convert_case" version = "0.11.0" @@ -1127,7 +1118,7 @@ version = "3.5.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "89b3f766e04667e6da0e181e2da4f85475d5a6513b7cf6a80bea184e224a5b42" dependencies = [ - "convert_case 0.11.0", + "convert_case", "ctor", "napi-derive-backend", "proc-macro2", @@ -1141,7 +1132,7 @@ version = "5.0.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0d5af30503edf933ce7377cf6d4c877a62b0f1107ea05585f1b5e430e88d5baf" dependencies = [ - "convert_case 0.11.0", + "convert_case", "proc-macro2", "quote", "semver", @@ -1403,7 +1394,7 @@ version = "0.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "04e6cf4b6e695b526cb430a6f445d3ccb9908696b99f1c1f8a1480af38bed5e6" dependencies = [ - "convert_case 0.11.0", + "convert_case", "fnv", "ident_case", "indexmap", From 1533fb6033406dcee80d1dce49a1f9539012ff6b Mon Sep 17 00:00:00 2001 From: Simon Davies Date: Wed, 3 Jun 2026 11:15:38 +0100 Subject: [PATCH 4/4] fix(code-validator): embed analysis runtime from OUT_DIR to keep hash in sync The host build script recorded ANALYSIS_RUNTIME_SHA256 from the runtime binary it built, but embedded the bytes via include_bytes! pointed at the live build-target binary. include_bytes! is expanded by rustc at host-crate compile time, after build.rs runs. When the runtime binary was rebuilt between the hash being recorded and a later host relink (e.g. the extra clippy + build cycle in the Lint & Test CI job, where the guest is built three times), the embedded bytes and the recorded hash desynced, causing the load-time integrity check to fail (Expected , got ). Stage the runtime bytes into OUT_DIR and embed that copy. The staged file is written in lock-step with the hash and is only ever touched by this build script, so the embedded bytes and integrity hash can never diverge. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: Simon Davies --- src/code-validator/guest/host/build.rs | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/src/code-validator/guest/host/build.rs b/src/code-validator/guest/host/build.rs index d7dca9b..619bd7f 100644 --- a/src/code-validator/guest/host/build.rs +++ b/src/code-validator/guest/host/build.rs @@ -174,9 +174,24 @@ fn bundle_runtime() { let hash_hex = hex::encode(hash); let out_dir = env::var_os("OUT_DIR").unwrap(); - let dest_path = Path::new(&out_dir).join("host_resource.rs"); + let out_dir = Path::new(&out_dir); + + // Stage the runtime binary into OUT_DIR and embed that copy rather than the + // live build-target binary. `include_bytes!` is expanded by rustc when the + // host crate is compiled, which happens after this build script runs. If we + // pointed `include_bytes!` at the mutable target-dir binary, a later rebuild + // of the runtime (e.g. by clippy or a subsequent `cargo build` that does not + // re-trigger this script) could change those bytes while the recorded + // ANALYSIS_RUNTIME_SHA256 stays stale, producing a `.node` whose embedded + // bytes and integrity hash disagree. The OUT_DIR copy is written here, in + // lock-step with the hash, and is only ever touched by this build script, so + // the embedded bytes and hash can never desync. + let embedded_path = out_dir.join("analysis-runtime.bin"); + fs::write(&embedded_path, &runtime_bytes).expect("Failed to stage runtime binary in OUT_DIR"); + + let dest_path = out_dir.join("host_resource.rs"); let contents = format!( - r#"pub(crate) static ANALYSIS_RUNTIME: &[u8] = include_bytes!({runtime_resource:?}); + r#"pub(crate) static ANALYSIS_RUNTIME: &[u8] = include_bytes!({embedded_path:?}); pub(crate) const ANALYSIS_RUNTIME_SHA256: &str = "{hash_hex}";"# );