You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
docs/developers-guide.md documents the cargo-audit tooling and make audit workflow, but no Architecture Decision Record (ADR) exists to capture the formal rationale for adopting cargo-audit as a quality gate.
Context
PR #323 integrates cargo-audit as a Makefile and CI gate. The developer guide covers the mechanics, but the decision record is absent. Existing ADRs (adr-001, adr-002, adr-003) establish precedent for the format.
Resolution
Create docs/adr-NNN-adopt-cargo-audit-quality-gate.md following the repository ADR template, covering:
Context: RustSec advisory database, prior absence of automated dependency auditing.
Decision: Adopt cargo-audit (via cargo binstall) as a Makefile target (make audit) and CI gate.
Consequences: Advisory database fetched on each CI run; Cargo.lock required adjacent to each audited manifest; allowed warnings vs. hard failures under default policy.
Migration plan: Remove stale lockfiles, refresh Cargo.lock as part of adoption.
Goals / Non-goals: Gate on vulnerabilities; informational advisories remain warnings.
Summary
Raised via: PR #323, requested by @leynos
docs/developers-guide.mddocuments thecargo-audittooling andmake auditworkflow, but no Architecture Decision Record (ADR) exists to capture the formal rationale for adoptingcargo-auditas a quality gate.Context
PR #323 integrates
cargo-auditas a Makefile and CI gate. The developer guide covers the mechanics, but the decision record is absent. Existing ADRs (adr-001,adr-002,adr-003) establish precedent for the format.Resolution
Create
docs/adr-NNN-adopt-cargo-audit-quality-gate.mdfollowing the repository ADR template, covering:cargo-audit(viacargo binstall) as a Makefile target (make audit) and CI gate.Cargo.lockrequired adjacent to each audited manifest; allowed warnings vs. hard failures under default policy.Cargo.lockas part of adoption.References
docs/adr-001-login-auth-reply-compatibility-layers.md,docs/adr-002-compatibility-guardrails-and-augmentation.md,docs/adr-003-login-authentication-and-reply-augmentation.md