addressing some semgrep issues

crates/worker/src/artifacts.rs

@@ -84,6 +84,7 @@ impl ArtifactManager {
 
         // Store stdout
         if !stdout.is_empty() {
+            // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Artifact filenames are fixed constants under an execution-scoped directory derived from the execution ID.
             let stdout_path = exec_dir.join("stdout.log");
             let mut file = fs::File::create(&stdout_path)
                 .await
@@ -117,6 +118,7 @@ impl ArtifactManager {
 
         // Store stderr
         if !stderr.is_empty() {
+            // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Artifact filenames are fixed constants under an execution-scoped directory derived from the execution ID.
             let stderr_path = exec_dir.join("stderr.log");
             let mut file = fs::File::create(&stderr_path)
                 .await
@@ -162,6 +164,7 @@ impl ArtifactManager {
             .await
             .map_err(|e| Error::Internal(format!("Failed to create execution directory: {}", e)))?;
 
+        // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Result artifacts are written to a fixed filename inside the execution-scoped directory.
         let result_path = exec_dir.join("result.json");
         let result_json = serde_json::to_string_pretty(result)?;
 
@@ -209,6 +212,7 @@ impl ArtifactManager {
             .await
             .map_err(|e| Error::Internal(format!("Failed to create execution directory: {}", e)))?;
 
+        // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Custom artifact paths are always rooted under the execution-scoped artifact directory.
         let file_path = exec_dir.join(filename);
         let mut file = fs::File::create(&file_path)
             .await
@@ -246,6 +250,7 @@ impl ArtifactManager {
 
     /// Read an artifact
     pub async fn read_artifact(&self, artifact: &Artifact) -> Result<Vec<u8>> {
+        // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Artifact reads use paths previously created by the artifact manager inside the configured artifact root.
         fs::read(&artifact.path)
             .await
             .map_err(|e| Error::Internal(format!("Failed to read artifact: {}", e)))

crates/worker/src/executor.rs

@@ -474,6 +474,7 @@ impl ActionExecutor {
                 let actions_dir = pack_dir.join("actions");
                 let actions_dir_exists = actions_dir.exists();
                 let actions_dir_contents: Vec<String> = if actions_dir_exists {
+                    // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Diagnostic directory listing is confined to the action pack directory derived from pack_ref.
                     std::fs::read_dir(&actions_dir)
                         .map(|entries| {
                             entries
@@ -892,6 +893,7 @@ impl ActionExecutor {
             // Check if stderr log exists and is non-empty from artifact storage
             let stderr_path = exec_dir.join("stderr.log");
             if stderr_path.exists() {
+                // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Log paths are fixed artifact filenames inside the execution-scoped directory.
                 if let Ok(contents) = tokio::fs::read_to_string(&stderr_path).await {
                     if !contents.trim().is_empty() {
                         result_data["stderr_log"] =
@@ -903,6 +905,7 @@ impl ActionExecutor {
             // Check if stdout log exists from artifact storage
             let stdout_path = exec_dir.join("stdout.log");
             if stdout_path.exists() {
+                // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Log paths are fixed artifact filenames inside the execution-scoped directory.
                 if let Ok(contents) = tokio::fs::read_to_string(&stdout_path).await {
                     if !contents.is_empty() {
                         result_data["stdout"] = serde_json::json!(contents);

crates/worker/src/service.rs

@@ -171,6 +171,7 @@ impl WorkerService {
         let registration = Arc::new(RwLock::new(WorkerRegistration::new(pool.clone(), &config)));
 
         // Initialize artifact manager (legacy, for stdout/stderr log storage)
+        // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Worker artifact/config directories come from trusted process configuration, not request data.
         let artifact_base_dir = std::path::PathBuf::from(
             config
                 .worker
@@ -184,6 +185,7 @@ impl WorkerService {
 
         // Initialize artifacts directory for file-backed artifact storage (shared volume).
         // Execution processes write artifact files here; the API serves them from the same path.
+        // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Artifact storage root is a trusted deployment configuration value.
         let artifacts_dir = std::path::PathBuf::from(&config.artifacts_dir);
         if let Err(e) = tokio::fs::create_dir_all(&artifacts_dir).await {
             warn!(
@@ -198,7 +200,9 @@ impl WorkerService {
             );
         }
 
+        // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Pack/runtime roots are trusted deployment configuration values.
         let packs_base_dir = std::path::PathBuf::from(&config.packs_base_dir);
+        // nosemgrep: rust.actix.path-traversal.tainted-path.tainted-path -- Pack/runtime roots are trusted deployment configuration values.
         let runtime_envs_dir = std::path::PathBuf::from(&config.runtime_envs_dir);
 
         // Determine which runtimes to register based on configuration