cloud-sdk is security-sensitive infrastructure software. Treat
authentication, bearer tokens, request signing if ever added, endpoint parsing,
pagination, action polling, retry logic, rate-limit handling, TLS transport,
DNS operations, certificate operations, CI, release scripts, and dependency
updates as high-risk until reviewed and tested.
Run these regularly and before releases:
scripts/checks.sh
scripts/check_latest_tools.sh
scripts/release_0_1_gate.sh
cargo deny check
cargo audit
scripts/generate-sbom.shGitHub Actions run CI. GitHub CodeQL default setup should be enabled in the repository security settings. Do not add an advanced CodeQL workflow while default setup is active.
The dependency policy lives in deny.toml. Unknown registries and git sources
are denied by default. Git dependencies require exact rev pinning and a
documented exception before use.
New third-party crates require:
- current version check before admission;
- license and maintenance review;
- feature impact review;
- no hidden
std, network, TLS, native-code, async-runtime, filesystem, or secret-storage expansion in core crates; - tests for the behavior being admitted;
cargo deny checkandcargo auditevidence.
The default SDK must not store API tokens. Callers provide authorization at the transport boundary. Optional transport adapters must redact and sanitize their owned secret storage, while callers remain responsible for original token and response buffers. Any future secret-bearing helper must be optional, reviewed, tested, and isolated from the default no_std graph.
Do not publish exploitable security details before a fix is available. Open a private security advisory or contact the maintainers directly once the public repository security channels are configured.