Consolidate platform primitives and harden runtime contracts#3
Open
cnluzhang wants to merge 14 commits into
Open
Consolidate platform primitives and harden runtime contracts#3cnluzhang wants to merge 14 commits into
cnluzhang wants to merge 14 commits into
Conversation
Replace brittle source-scanning assertions with behavioral unit coverage, add invalid persisted-cron integration coverage, and document intentional error and lock boundaries. Signed-off-by: Lu Zhang <lu@wdl.dev>
Centralize repeated JS and Rust contracts for request handling, retries, Redis keys, observability, queue dispatch, ownership, and secret envelopes; align runtime and deployment wiring; and replace drift-prone fixtures and tests with shared behavioral coverage. Signed-off-by: Lu Zhang <lu@wdl.dev>
There was a problem hiding this comment.
Pull request overview
This PR consolidates duplicated platform primitives across JS tiers and Rust sidecars by moving shared logic into common “owner” modules, then pinning cross-language behavior with fixture-backed tests to prevent drift (Redis key grammar, request-id sanitization, internal-auth envelopes, workflow payload limits, R2 metadata mapping, S3 retry policy, etc.).
Changes:
- Centralize shared primitives (base64 codec, S3 retry loop, Redis token locks, optimistic retries, gateway header stripping, platform-domain normalization) and wire them into runtime/control/do-runtime/scheduler/workflows.
- Replace source-scanning assertions with behavior/contract tests backed by shared fixtures (JS + Rust) to lock in key grammars and public error envelopes.
- Refactor test harness loaders/stubs to import production owners (shared-* modules) instead of duplicating logic in per-test stubs.
Reviewed changes
Copilot reviewed 225 out of 227 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/version.test.js | Adds assertions for shared route-plane Redis key helpers in shared/version.js. |
| tests/unit/stream-prefix.test.js | New unit test for stream line-prefixing helper. |
| tests/unit/s3-retry.test.js | New unit tests for shared S3 transient retry policy/helpers. |
| tests/unit/runtime-wrapper-generate.test.js | Tests wrapper generator parity across flavors (abort shim + class detection). |
| tests/unit/runtime-tail-worker.test.js | Updates tail worker test wiring to import shared errors module. |
| tests/unit/runtime-service-binding.test.js | Updates service-binding tests for new loader/tail envelope wiring. |
| tests/unit/runtime-r2-host.test.js | Adds coverage for mapped R2 HTTP metadata extraction. |
| tests/unit/runtime-r2-client.test.js | Adds coverage for R2 httpMetadata normalization + writing expiry header. |
| tests/unit/runtime-pool-boundary.test.js | Updates boundary test to new runtime-load API (getLoadedWorkerStub). |
| tests/unit/runtime-loaded-facade-surface.test.js | Uses repo-file URL injection for R2 utils instead of stubbed inline logic. |
| tests/unit/runtime-lib.test.js | Verifies runtime base64 exports are sourced from shared owner + fail-closed semantics. |
| tests/unit/runtime-kv-binding.test.js | Updates KV binding loader wiring for shared base64 + bounded body reader. |
| tests/unit/runtime-internal-auth.test.js | Updates runtime internal auth harness for getLoadedWorkerStub. |
| tests/unit/runtime-do-client.test.js | Adds regression test for DO owner-hint hint handling behavior. |
| tests/unit/runtime-dispatch-workflows.test.js | Pins workflow payload limits against shared fixture/contract. |
| tests/unit/runtime-dispatch-handlers.test.js | Extends dispatch tests for invalid base64 handling + falsey thrown value tail logging. |
| tests/unit/runtime-binding-surface.test.js | Updates KV binding surface tests to use shared base64/bounded-body modules. |
| tests/unit/redis-lock.test.js | New unit tests for shared Redis token lock helper. |
| tests/unit/r2-utils.test.js | Adds tests for shared R2 bucket grammar + HTTP metadata mapping/expiry helpers. |
| tests/unit/queue-keys.test.js | New unit tests + fixture-driven parser tests for shared queue key grammar. |
| tests/unit/internal-auth.test.js | Pins internal-auth literals/rotation and failure envelope to shared fixture. |
| tests/unit/integration-test-plan.test.js | Adds tests for tolerant integration-duration report parsing + warning behavior. |
| tests/unit/integration-pool.test.js | Uses shared integration-environment constants/helpers for local env wiring. |
| tests/unit/gateway-websocket.test.js | Updates websocket tests to import gateway-lib module. |
| tests/unit/gateway-lib.test.js | Adds tests for internal header stripping helper. |
| tests/unit/fake-redis.test.js | Ensures shared-redis stub uses production decode semantics + fake WatchError. |
| tests/unit/cross-language-identity.test.js | Extends identity fixture coverage to KV IDs. |
| tests/unit/control-shared-stub.test.js | New tests for control shared stub re-export contract and bounded-body enforcement. |
| tests/unit/control-s3.test.js | Wires control S3 module tests to shared S3 retry module. |
| tests/unit/control-r2.test.js | Adds tests for consolidated control R2 object request/error/not-found handling. |
| tests/unit/control-logs-tail.test.js | Uses compiled auth roles + shared ns-pattern in log-tail handler tests. |
| tests/unit/control-index.test.js | Adds whoami URL omission test + uses shared hostname parsing. |
| tests/unit/control-handlers-workers.test.js | Uses compiled control graph instead of local control-lib stub. |
| tests/unit/control-d1-store.test.js | Uses shared Redis stub + shared ns-pattern replacement in D1 store tests. |
| tests/unit/control-d1-model.test.js | Uses shared ns-pattern replacement in D1 model tests. |
| tests/unit/bounded-body.test.js | Adds test coverage for new bounded stream reader behavior and edge cases. |
| tests/integration/service-bindings-rpc.test.js | Removes throw-literal eslint disables (tests still throw plain objects). |
| tests/integration/queue-native-dispatch.test.js | Adds integration coverage for invalid base64 queue message handling. |
| tests/integration/helpers/env.js | Consolidates local integration env constants/helpers. |
| tests/integration/cron-triggers.test.js | Adds integration test for invalid persisted cron ref cleanup. |
| tests/helpers/mocks/observability.js | No-op observability mock now re-exports production formatError/sanitizeRequestId. |
| tests/helpers/mocks/fake-redis.js | Adds shared-redis stub URL helper backed by production RESP decode semantics. |
| tests/helpers/load-shared-module.js | Adds shared-base64 module mapping for runtime-lib module loader. |
| tests/helpers/load-runtime-r2-binding.js | Wires runtime R2 binding loader to shared S3 retry module. |
| tests/helpers/load-runtime-dispatch.js | Wires runtime dispatch loader to shared errors module for tail-forwarder. |
| tests/helpers/load-do-owner-registry.js | Uses sharedRedisStubUrl for shared-redis replacements. |
| tests/helpers/load-do-host-actor.js | Reuses production DO ownership code constants via protocol data-url. |
| tests/helpers/load-d1-owner-registry.js | Uses sharedRedisStubUrl for shared-redis replacements. |
| tests/helpers/load-control-routing.js | Uses control shared stub owner rather than local literal constants. |
| tests/helpers/load-control-lib.js | Wires compiled control graph to shared-errors + control-lib mapping. |
| tests/helpers/load-auth-index.js | Uses sharedRedisStubUrl + shared redis-lock/version module wiring. |
| tests/helpers/control-handler-harness.js | Drops obsolete formatError re-export from no-op harness stub. |
| tests/fixtures/workflow-limits.json | New fixture pinning workflow payload limits + too-large code. |
| tests/fixtures/scheduler-projection-contract.json | New fixture pinning scheduler projections and Redis key shapes. |
| tests/fixtures/request-id-sanitizer.json | Extends request-id fixture with Unicode whitespace/BOM cases and UTF-8 length cases. |
| tests/fixtures/queue-key-parse.json | New cross-language fixture for queue key parser behavior. |
| tests/fixtures/observability-contract.json | Extends observability fixture with structured-log envelope contract. |
| tests/fixtures/internal-auth-contract.json | New cross-language fixture for internal-auth literals and rotation semantics. |
| tests/fixtures/cross-language-identity.json | Extends identity fixture with KV ID cases. |
| terraform/modules/compute/security_groups.tf | Clarifies ECS runtime SG sharing constraints vs Kubernetes NetworkPolicies. |
| system-workers/s3-cleanup/src/index.js | Switches cleanup worker to shared S3 retry helper. |
| shared/version.js | Adds shared constants + Redis key helpers for route-plane registries; adds next-version key. |
| shared/secret-envelope.js | Enforces canonical JSON field ordering for secret envelope (stable cross-language encoding). |
| shared/s3-retry.js | New shared S3 transient retry helper module. |
| shared/redis-lock.js | New shared Redis token lock helpers (acquire/renew/release). |
| shared/queue-keys.js | Tightens queue key parsers via shared ns/queue-name validation. |
| shared/owner-lease.js | Extracts generic optimistic retry helper and reuses it for watch retry loop. |
| shared/observability.js | Updates request-id sanitization to enforce 128 UTF-8 byte limit. |
| shared/ns-pattern.js | Adds platform domain normalization helpers + D1 database ID regex owner. |
| shared/internal-auth.js | Exposes internal-auth failure code/message constants; uses them in response. |
| shared/d1-transport.js | Removes obsolete lint-ignore comment. |
| shared/bounded-body.js | Adds shared readBoundedStreamBytes helper and reuses it from readBoundedBytes. |
| shared/base64.js | Makes Buffer base64 decoding fail-closed by validating against atob-like grammar. |
| scripts/run-parallel.js | Uses extracted stream-prefix helper. |
| scripts/integration-test-plan.js | Splits duration report parsing (full report vs records) and improves tolerance/warnings. |
| scripts/integration-environment.js | Centralizes local integration constants and helper constructors. |
| scripts/_stream-prefix.js | New shared helper for prefixing stream output lines. |
| rust/workflows/src/tests.rs | Uses shared temp-env override helper from wdl-rust-common test-support. |
| rust/workflows/src/server.rs | Uses shared internal-auth failure response + constants from wdl-rust-common. |
| rust/workflows/src/api/tick/dispatch.rs | Uses shared runtime endpoint selector + shared workflow too-large code constant. |
| rust/workflows/src/api/progress.rs | Uses shared runtime endpoint selector function. |
| rust/workflows/src/api/limits.rs | Introduces workflow payload-too-large code const + fixture parity test. |
| rust/workflows/src/api.rs | Adds shared runtime endpoint helper for workflows crate. |
| rust/workflows/Cargo.toml | Adds dev-dep on wdl-rust-common with test-support feature. |
| rust/supervisor/src/renew.rs | Uses shared temp-env override helper for tests. |
| rust/supervisor/src/drain.rs | Uses shared temp-env override helper for tests. |
| rust/supervisor/Cargo.toml | Adds dev-dep on wdl-rust-common test-support feature. |
| rust/scheduler/src/test_fixtures.rs | New fixture loader module for scheduler projection contract. |
| rust/scheduler/src/queue/registry.rs | Adds deadlock-avoidance note + fixture-driven hydrate_consumer test. |
| rust/scheduler/src/queue/keys.rs | Removes inline tests in favor of shared fixture/contract coverage. |
| rust/scheduler/src/queue/delayed.rs | Uses shared wake stream/field constants from wdl-rust-common queue_keys. |
| rust/scheduler/src/lib.rs | Adds test_fixtures module behind cfg(test). |
| rust/scheduler/src/cron/sweep.rs | Uses shared cron key parsing/scan pattern + slot expiry helper; fixture-driven tests. |
| rust/scheduler/src/cron/slot.rs | Adds slot_expire_at helper + fixture-driven tests. |
| rust/scheduler/src/cron/reference.rs | Centralizes cron worker key helpers + fixture-driven projection contract tests. |
| rust/redis-proxy/src/queue.rs | Uses shared delayed-wake stream/field constants from wdl-rust-common. |
| rust/redis-proxy/src/lib.rs | Uses shared internal-auth failure response + constants from wdl-rust-common. |
| rust/redis-proxy/src/kv/cursor.rs | Extracts pipeline builder for existence probes + adds test for packed commands. |
| rust/common/src/test_env.rs | New serialized process-env override helper (test-support gated). |
| rust/common/src/request_id.rs | Expands request-id sanitization to handle Unicode whitespace/BOM trimming semantics. |
| rust/common/src/metrics.rs | Uses shared observability fixture loader rather than duplicating include_str logic. |
| rust/common/src/lib.rs | Adds test-support feature-gated module export and shared fixture helpers. |
| rust/common/Cargo.toml | Adds test-support feature flag. |
| runtime/tail-forwarder.js | Introduces shared tail envelope helper with finish + finishError. |
| runtime/runtime.js | Updates module ownership comment (runtime/load.js owns wrapper). |
| runtime/r2-utils.js | Adds shared R2 HTTP metadata mapping + expiry helpers. |
| runtime/r2-client.js | Normalizes httpMetadata via shared mapping + cache expiry helpers. |
| runtime/load/wrapper-generate.js | Deduplicates generated wrapper source snippets across wrapper flavors. |
| runtime/load/env-build.js | Simplifies requiredCallerSecrets materialization and avoids null-prototype objects. |
| runtime/load.js | Adds shared getLoadedWorkerStub wrapper (record isolate; optional sibling eviction). |
| runtime/lib.js | Uses shared base64 codec owner and re-exports it for runtime helpers. |
| runtime/internal.js | Switches to getLoadedWorkerStub for internal dispatch loader path. |
| runtime/index.js | Switches to getLoadedWorkerStub and enables eviction only for gateway-routed active loads. |
| runtime/dispatch/workflow-json.js | Exports workflow payload limit constants + too-large code constant. |
| runtime/dispatch.js | Uses shared tail envelope helper with error normalization. |
| runtime/config-user.capnp | Embeds new shared modules (base64, s3-retry, shared-errors) into workerd bundles. |
| runtime/bindings/service.js | Uses getLoadedWorkerStub and shared tail envelope helper; avoids eviction for pinned versions. |
| runtime/bindings/r2/metadata.js | Uses shared R2 metadata mapping + cache expiry helpers. |
| runtime/bindings/r2.js | Uses shared S3 retry helper module. |
| runtime/bindings/kv.js | Uses shared base64 + bounded-body stream reader. |
| runtime/bindings/do.js | Uses shared do-transport hint-cache wrappers and replay policy helper. |
| package.json | Tightens knip hints policy and adds yaml dev dependency. |
| package-lock.json | Locks yaml@2.9.0 in dev deps. |
| knip.jsonc | Treats runtime/d1-client.js as an entry (injected into loaded workers) instead of ignored file. |
| gateway/websocket.js | Uses shared gateway internal header stripping helper. |
| gateway/runtime.js | Uses shared Redis key constants from shared-version. |
| gateway/lib.js | Introduces shared internal header stripping helper. |
| gateway/index.js | Uses shared header stripping helper + shared platform domain normalization owner. |
| docs/testing.md | Documents preference for importing production owners in tests and sharedRedisStubUrl usage. |
| docs/security.zh.md | Clarifies internal-auth token rotation semantics wording. |
| docs/rust-sidecar-standards.zh.md | Documents test-support feature for shared temp-env override helper. |
| docs/rust-sidecar-standards.md | Documents test-support feature for shared temp-env override helper. |
| docs/redis-key-layout.zh.md | Documents bundle __meta__ parsing/fail-closed semantics. |
| docs/redis-key-layout.md | Documents bundle __meta__ parsing/fail-closed semantics. |
| docs/modules/workflows.zh.md | Documents shared workflow payload limits contract + shared runtime endpoint selector. |
| docs/modules/workflows.md | Documents shared workflow payload limits contract + shared runtime endpoint selector. |
| docs/modules/runtime.zh.md | Documents shared runtime loader wrapper and env budget estimation approach. |
| docs/modules/runtime.md | Documents shared runtime loader wrapper and env budget estimation approach. |
| docs/modules/queues-cron.zh.md | Documents shared wake stream field owners + shared queue parser fixture. |
| docs/modules/queues-cron.md | Documents shared wake stream field owners + shared queue parser fixture. |
| docs/modules/log-tail-observability.md | Documents that tail-forwarder owns consistent envelope timing/thrown normalization. |
| docs/modules/infra.zh.md | Adds note about ECS SG granularity vs Kubernetes caller matrices. |
| docs/modules/infra.md | Adds note about ECS SG granularity vs Kubernetes caller matrices. |
| docs/modules/gateway.zh.md | Documents gateway internal-header stripping behavior + platform domain normalization. |
| docs/modules/gateway.md | Documents gateway internal-header stripping behavior + platform domain normalization. |
| docs/modules/durable-objects.zh.md | Documents DO ownership code vocabulary owner + hint-cache transport semantics. |
| docs/modules/durable-objects.md | Documents internal-auth requirement for do-runtime + ownership vocabulary owner. |
| docs/modules/cli.zh.md | Clarifies when control returns namespace URL hint. |
| docs/modules/cli.md | Clarifies when control returns namespace URL hint. |
| docker-compose.images.yml | Deduplicates published image definitions via YAML anchors. |
| do-runtime/protocol.js | Introduces DO_OWNERSHIP_CODE vocabulary constants. |
| do-runtime/owner-client.js | Uses DO_OWNERSHIP_CODE constants for stable error codes. |
| do-runtime/config.capnp | Embeds new shared modules (base64, s3-retry, respond alias). |
| do-runtime/actor.js | Uses DO_OWNERSHIP_CODE constants for stable error codes. |
| deploy/kubernetes/README.zh.md | Refactors local metadata guard into reusable kustomize component. |
| deploy/kubernetes/README.md | Refactors local metadata guard into reusable kustomize component. |
| deploy/kubernetes/overlays/local-metadata-guard/metadata-egress-policy.yaml | Deletes per-overlay policy in favor of shared component. |
| deploy/kubernetes/overlays/local-metadata-guard/kustomization.yaml | Uses shared metadata-guard component. |
| deploy/kubernetes/overlays/local-ingress-metadata-guard/kustomization.yaml | Uses shared metadata-guard component. |
| deploy/kubernetes/components/metadata-guard/metadata-egress-policy.yaml | New reusable metadata egress NetworkPolicy component. |
| deploy/kubernetes/components/metadata-guard/kustomization.yaml | Declares metadata-guard as a kustomize Component. |
| deploy/kubernetes/base/network-policy.yaml | Adjusts ingress source list (removes system-runtime selector entry). |
| control/s3.js | Imports S3 retry constant from shared owner. |
| control/optimistic.js | Adds control wrapper around shared optimistic retries + WatchError classification. |
| control/json-body.js | Adds shared JSON body parser with bounded-body support and stable error envelopes. |
| control/handlers/versions.js | Uses shared bundle meta parsing + asset prefix helper. |
| control/handlers/promote.js | Uses shared platformDomainFromEnv owner. |
| control/handlers/ns-secrets.js | Adds explicit BundleMetaError handling/logging at namespace secret mutation boundary. |
| control/handlers/hosts.js | Uses shared platformDomainFromEnv + shared hostsKey helper. |
| control/handlers/delete-plan.js | Uses shared key constants and helpers for namespace/hosts membership sets. |
| control/errors.js | Introduces ControlAbort + coded error response helpers with safe JSON error contract. |
| control/d1-model.js | Uses shared D1 database ID regex from shared ns-pattern owner. |
| control/d1-migrations.js | Uses shared Redis token lock helpers; logs lock-release failures safely. |
| control/bundle.js | Uses shared workerd dependency version parser helper. |
| control/bindings.js | Uses shared D1 database ID regex; preserves LinkError at binding link boundary. |
| auth/lib.js | Clarifies AuthPolicyError intent relative to control error shape without cross-imports. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Lu Zhang <lu@wdl.dev>
Pin internal auth and request-id contracts, protect DO transport and wrapper intrinsics from tenant mutation, tighten secret and error handling, and align tests and module documentation. Signed-off-by: Lu Zhang <lu@wdl.dev>
Capture owner-endpoint parsing intrinsics before tenant code runs, add adversarial regression coverage, and align compatibility, module, and changelog documentation with the final branch behavior. Signed-off-by: Lu Zhang <lu@wdl.dev>
Reset inherited build definitions in published-image overrides and pin the Compose configuration contract. Signed-off-by: Lu Zhang <lu@wdl.dev>
- Validate owner endpoints, scoped records, generations, and canonical identities. - Harden D1, R2, DO alarm, request-id, and RPC trust boundaries. - Align JS/Rust scheduler contracts, Terraform network checks, tests, and docs. Signed-off-by: Lu Zhang <lu@wdl.dev>
- Document structural DO RPC serialization and its 1 MiB boundary. - Record Terraform subnet validation as a plan-time upgrade impact. Signed-off-by: Lu Zhang <lu@wdl.dev>
- Capture Map intrinsics so cached owner metadata cannot be leaked or forged. - Reject empty service target metadata during promote and watched deploy commit. - Clarify alarm handler snapshot semantics and optimistic retry ownership. Signed-off-by: Lu Zhang <lu@wdl.dev>
- Recheck watched routes when dependent metadata disappears before EXEC. - Retry promote, platform alias, and bump races while preserving stable corruption failures. - Cover supported active-version transitions and projection cleanup. Signed-off-by: Lu Zhang <lu@wdl.dev>
Fence delete and DO ownership transitions, propagate invocation-local request context, bound diagnostics and response bodies, align queue and version contracts, update SigV4, and pin shutdown windows across deployment targets. Signed-off-by: Lu Zhang <lu@wdl.dev>
Pipeline owner, delete-lock, and Redis-time reads into one watched snapshot, align Redis test doubles, and retry workflow metadata reads without masking stable corrupt metadata during unrelated route churn. Signed-off-by: Lu Zhang <lu@wdl.dev>
38ee90a to
75ec567
Compare
Fence delegated issuance and deletion races Centralize DO alarm, ownership, and transport validation Align cross-tier fixtures, diagnostics, and request propagation Signed-off-by: Lu Zhang <lu@wdl.dev>
Fence version deletion across workflow restart handoff Preserve definitions-only workers and fail closed on malformed projections Make request context outermost-only and enforce forward-only worker bounds Return subnet validation to Terraform and AWS provider boundaries Signed-off-by: Lu Zhang <lu@wdl.dev>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Intentional behavior changes
PLATFORM_DOMAINis normalized across tiers as an ALB-compatible ASCII DNS hostname of at most 126 bytes with an alphabetic final label;/whoamino longer advertises the internalworkers.localfallback as a public namespace URL2026-04-01, legacy error serialization, and explicit enhanced serialization after it becomes the workerd default; Runtime revalidates the same forward-only floor for retained metadataObject.prototypekeys; persisted secret envelopes require canonical JSON field order and canonical base64Headers-form R2httpMetadata.Expiresmust be a canonical IMF-fixdatetoJSON()hooks and rejects sparse arrays, circular structures, non-plain objects, and non-JSON values before dispatch409 target_drift@wdl-dev/aws-sigv43.0.1 uses stable request snapshots, rejects redirects, requires lowercase regions, and performs response cleanup without blocking retry progressSecurity and correctness
x-wdl-*headers before forwardingWeakMaphandlersx-request-idfor service-side correlationwhole:orversion:operation kind plus a random token, are refreshed before the final mutation, and are token-checked inside the final WATCH snapshot; only whole-worker deletion blocks new DO ownership, so inactive-version deletion does not interrupt active DO trafficGET/HEADrequests, explicit pre-dispatch fence responses retain bounded rediscovery, and discarded response bodies are cancelled best-effort without delaying fallbackwf:by-versionreferrer; version delete checks both forms so it cannot pass through the restart handoffNon-goals
Validation
Completed across the review cycle, with final default-build integration against
77533a2:npm run lintnpm run lint:unusednpm run typechecknpm run typecheck:strictnpm run test:unitnpm run compile:workerd(5 base configs); full integration compiled all 9 configscargo fmt --manifest-path rust/Cargo.toml --all --checkcargo clippy --manifest-path rust/Cargo.toml --workspace --all-targets -- -D warningscargo test --manifest-path rust/Cargo.toml --workspacecargo deny --manifest-path rust/Cargo.toml check --config rust/deny.tomlnpm run test:integration(54 files across 4 shards with default image build enabled; 53 passed initially, whileworkflows-runtime-coreobservedrunningbefore itsqueuedassertion; a focused default-build rerun passed)git diff --check