# Workspace Dependency Compliance Audit

**Date:** 2026-01-28
**Status:** ✅ Complete

## Overview

This document records the results of a comprehensive audit of all `Cargo.toml` files in the Attune workspace to ensure proper use of workspace dependencies. The goal was to ensure that when crates use dependencies declared in the workspace root, they consistently use `{ workspace = true }` instead of declaring version numbers directly.

## Audit Scope

All crates in the workspace were examined:
- `crates/common`
- `crates/api`
- `crates/executor`
- `crates/sensor`
- `crates/notifier`
- `crates/worker`
- `crates/cli`

## Issues Found & Fixed

### 1. attune-api: Direct argon2 Version

**Issue:** The API crate was declaring `argon2 = "0.5"` directly instead of using the workspace version.

**Before:**
```toml
argon2 = "0.5"
```

**After:**
```toml
argon2 = { workspace = true }
```

**Impact:** Ensures consistent argon2 version across all crates and simplifies dependency management.

---

### 2. attune-worker: Formatting Issue

**Issue:** The worker crate had inconsistent spacing in the workspace reference for `base64`.

**Before:**
```toml
base64 = {workspace = true}
```

**After:**
```toml
base64 = { workspace = true }
```

**Impact:** Improves code consistency and readability.

---

### 3. attune-cli: Redundant reqwest Features

**Issue:** The CLI crate was explicitly declaring features for `reqwest` that were already present in the workspace definition.

**Before:**
```toml
reqwest = { workspace = true, features = ["json"] }
```

**Workspace Definition:**
```toml
reqwest = { version = "0.13", features = ["json"] }
```

**After:**
```toml
reqwest = { workspace = true }
```

**Impact:** Eliminates redundancy and prevents confusion about which features are actually being used.

---

### 4. attune-api: utoipa Feature Extension

**Issue:** The API crate needed the `"axum_extras"` feature for `utoipa` in addition to the workspace's base features (`"chrono"`, `"uuid"`).

**Before:**
```toml
utoipa = { version = "5.4", features = ["axum_extras", "chrono", "uuid"] }
```

**After:**
```toml
utoipa = { workspace = true, features = ["axum_extras"] }
```

**Impact:** Now inherits base features from workspace and only adds the API-specific feature, following Cargo's feature inheritance pattern.

---

## Dependencies Properly Using workspace = true

The following patterns were found to be correct and idiomatic:

### Feature Extension Pattern (Correct)

**attune-cli: clap with additional features**
```toml
clap = { workspace = true, features = ["derive", "env", "string"] }
```

Workspace has:
```toml
clap = { version = "4.5", features = ["derive"] }
```

This pattern is **correct** - the CLI crate inherits the `"derive"` feature from the workspace and adds `"env"` and `"string"`. This is the idiomatic way to extend workspace dependency features in Cargo.

## Crate-Specific Dependencies (Allowed)

The audit identified 25 crate-specific dependencies that are not in the workspace. These are expected and allowed because they are only used by specific crates:

- `jsonwebtoken` (api, cli)
- `rand` (api)
- `hmac`, `sha1`, `hex` (api)
- `utoipa-swagger-ui` (api)
- `dirs`, `urlencoding`, `colored`, `comfy-table`, `indicatif`, `dialoguer` (cli)
- `wiremock`, `assert_cmd`, `predicates`, `mockito`, `tokio-test` (cli dev-dependencies)
- `tera` (executor)
- `criterion` (executor dev-dependency)
- `cron` (sensor)
- `hostname` (worker)
- `async-recursion` (common)

## Verification

All changes were verified using:

1. **Build Check:**
   ```bash
   cargo check --workspace
   ```
   Result: ✅ Success

2. **Workspace Dependency Compliance Script:**
   ```bash
   ./scripts/check-workspace-deps.sh
   ```
   Result: ✅ All crates use workspace dependencies correctly (25 allowed exceptions)

3. **Test Suite:**
   ```bash
   cargo test --workspace --lib
   ```
   Result: ✅ All tests pass (220 tests across all crates)

## Summary

- **Total Issues Fixed:** 4
- **Files Modified:** 3 (`crates/api/Cargo.toml`, `crates/worker/Cargo.toml`, `crates/cli/Cargo.toml`)
- **Build Status:** ✅ Pass
- **Test Status:** ✅ Pass (220 tests)
- **Compliance Status:** ✅ 100% compliant

## Benefits

1. **Consistency:** All workspace dependencies now use the same version across all crates
2. **Maintainability:** Dependency versions can be updated in one place (workspace root)
3. **Clarity:** Clear distinction between workspace-managed and crate-specific dependencies
4. **Build Efficiency:** Cargo can better optimize builds with consistent dependency versions

## Recommendations

1. **Quarterly Reviews:** Run `./scripts/check-workspace-deps.sh` as part of quarterly dependency audits
2. **CI Integration:** Consider adding the compliance script to CI pipeline
3. **Documentation:** Update contributor guidelines to explain workspace dependency patterns
4. **Pre-commit Hook:** Consider adding a pre-commit hook to check workspace dependency compliance

## References

- [Cargo Workspace Documentation](https://doc.rust-lang.org/cargo/reference/workspaces.html)
- [Cargo Features Documentation](https://doc.rust-lang.org/cargo/reference/features.html)
- Project: `scripts/check-workspace-deps.sh` - Automated compliance checker