Skip to content

Docs: create ADR documenting cargo-audit quality-gate adoption #332

Description

@coderabbitai

Summary

Raised via: PR #323, requested by @leynos

docs/developers-guide.md documents the cargo-audit tooling and make audit workflow, but no Architecture Decision Record (ADR) exists to capture the formal rationale for adopting cargo-audit as a quality gate.


Context

PR #323 integrates cargo-audit as a Makefile and CI gate. The developer guide covers the mechanics, but the decision record is absent. Existing ADRs (adr-001, adr-002, adr-003) establish precedent for the format.


Resolution

Create docs/adr-NNN-adopt-cargo-audit-quality-gate.md following the repository ADR template, covering:

  • Context: RustSec advisory database, prior absence of automated dependency auditing.
  • Decision: Adopt cargo-audit (via cargo binstall) as a Makefile target (make audit) and CI gate.
  • Consequences: Advisory database fetched on each CI run; Cargo.lock required adjacent to each audited manifest; allowed warnings vs. hard failures under default policy.
  • Migration plan: Remove stale lockfiles, refresh Cargo.lock as part of adoption.
  • Goals / Non-goals: Gate on vulnerabilities; informational advisories remain warnings.

References

  • PR: Adopt cargo audit gate #323
  • Existing ADRs: docs/adr-001-login-auth-reply-compatibility-layers.md, docs/adr-002-compatibility-guardrails-and-augmentation.md, docs/adr-003-login-authentication-and-reply-augmentation.md

Metadata

Metadata

Assignees

Labels

No labels
No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions