Crate core, auditron demo, and 0.1.0 release prep #1

Merged: jeffreyaven merged 4 commits into main from feature/crate-core-sidecar on Jun 13, 2026

@jeffreyaven

Member

Implements all three CLAUDE.md milestones. Note: stackql-mcp 0.1.0 is
already published to crates.io from this branch (tag v0.1.0), so this PR
brings the repo in line with the released crate.

Milestone 1: crate core (sidecar)

  • Sidecar acquisition: downloads the platform .mcpb from the pinned
    stackql release (v0.10.500), verifies sha256 against pins baked from
    the release assets, extracts to the shared cache
    (~/.stackql/mcp-server-bin/), spawns over stdio
  • Public API: StackqlMcp::builder().mode(...).auth(...).start() ->
    RunningServer (child handle + connected rmcp client)
  • Canonical cwd-independent launch args per the packaging contract;
    modes read_only (default) / safe / delete_safe / full_access
  • Env overrides STACKQL_MCP_BIN / STACKQL_MCP_BUNDLE, sync
    Builder::command() escape hatch
  • Conformance test porting the packaging repo's smoke-test.py
    (initialize -> tools/list -> pull_provider -> list_services)

Milestone 2: vendored mode + auditron

  • fetch_bundle() + include_bundle! for vendored single-binary
    builds (verified: ~80MB release binary runs on a clean HOME with no
    downloads)
  • auditron: ratatui TUI streaming control results with the producing
    SQL always visible, Claude-drafted remediation on demand, and an
    auditor-ready evidence zip (manifest, exact SQL, per-control CSVs)
  • controls/github-core.yaml: zero-credential org posture pack
    (null_auth), including a canary control that catches provider errors
    surfacing as empty result sets

Milestone 3: release prep

  • Package metadata (readme, docs.rs all-features, package excludes
    verified with cargo package --list), README badges, pr.md launch kit

Verification

  • 21 unit tests + conformance green; fmt and clippy (-D warnings) clean
  • Live scan against the stackql org produces real findings; evidence
    zip inspected; vendored binary exercised end to end
  • This PR is CI's first actual run - watch the matrix before merging

🤖 Generated with Claude Code

jeffreyaven and others added 4 commits June 13, 2026 10:06

Milestone 1 of the embedded StackQL MCP server crate (stackql-mcp,
name verified free on crates.io):

- sidecar mode (default feature): downloads the platform .mcpb from the
  pinned stackql release (v0.10.500), verifies sha256 against pins baked
  from the release assets, extracts to the shared cache
  (~/.stackql/mcp-server-bin/<version>/<platform>/), spawns over stdio
- vendored feature: extract-on-first-run from caller-embedded bundle
  bytes (include_bytes!), keyed by content hash
- public API: StackqlMcp::builder().mode(Mode::ReadOnly).auth(json)
  .start() -> RunningServer exposing the child handle plus a connected
  rmcp client (Deref to the rmcp RunningService)
- canonical cwd-independent launch args per the packaging contract;
  modes read_only (default) / safe / delete_safe / full_access as
  defined by stackql's pkg/mcp_server policy
- env overrides STACKQL_MCP_BIN and STACKQL_MCP_BUNDLE, builder
  equivalents, and a sync Builder::command() escape hatch
- examples: minimal.rs (connected client) and launcher.rs (conformance
  launcher for the packaging repo smoke test)
- tests: unit (platform keys, pins, args, extract, sha256) plus a
  conformance integration test porting smoke-test.py (initialize,
  tools/list, pull_provider github, list_services github); passes
  against the real v0.10.500 bundle
- CI: fmt + clippy gates, linux/macos/windows test matrix including the
  conformance test

Deps held to the justified set: rmcp, zip, sha2, ureq (sidecar only),
serde/serde_json (already in rmcp's tree). MSRV 1.88, set by rmcp 1.x.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Milestone 2: the terminal compliance copilot demo plus the vendored
embedding story.

stackql-mcp:
- fetch_bundle(): download the pinned platform .mcpb into the shared
  cache (sha256-verified, idempotent) - the producer step for vendored
  builds; examples/fetch_bundle.rs prints the path for pipelines
- include_bundle! macro: embed the bundle named by the compile-time
  STACKQL_MCP_BUNDLE_FILE env var for Builder::bundle_bytes

auditron (workspace member, not published):
- scan: runs a YAML control pack through the embedded server in
  read_only mode; ratatui TUI streams pass/fail/error per control with
  the producing SQL always displayed; --no-tui line output for CI
  (exit 0 all pass, 2 any fail/error)
- press e on a finding: Claude (Messages API over ureq, pluggable
  Explainer trait) explains it and drafts remediation steps; without
  ANTHROPIC_API_KEY the SQL and a hint are shown instead
- evidence: re-runs the pack and writes an auditor-ready zip - run
  manifest (pack sha256, collector identity, server_info, timings),
  the exact pack source and per-control SQL, per-control CSVs
- controls/github-core.yaml: org security posture pack on the github
  provider in null_auth mode (zero credentials) - branch protection,
  default branch, descriptions, licenses, staleness, plus an inventory
  evidence control that doubles as the run canary (provider errors
  surface as empty result sets, which would silently pass no_rows
  controls but fail the canary)

Engine learnings baked into the pack authoring notes: tool results
carry the typed DTO in structuredContent (markdown in text content);
boolean storage varies per resource (compare = 0/1, never the strings
true/false); avoid OR and NOT in WHERE (pushdown quirks).

Verified end to end in WSL: live scan against the stackql org finds
real violations; evidence zip inspected; vendored release build (~80MB)
runs on a clean HOME with no downloads. CI extended for the workspace
including a vendored build check on all three OSes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

- readme field and docs.rs all-features metadata; exclude the auditron
  demo, control packs, and launch kit from the published package
  (verified with cargo package --list)
- README badges for crates.io, docs.rs, and CI
- pr.md launch kit: docusaurus blog draft, r/rust and This Week in Rust
  posts, and a Rust meetup talk synopsis

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@jeffreyaven jeffreyaven merged commit 32a648c into main Jun 13, 2026
5 checks passed
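
The canary control described in the PR (provider errors surfacing as empty result sets, which would silently pass `no_rows` controls) can be seen in a small model. This is an added example, not code from the stackql-mcp or auditron sources; the types, the `SomeRows` expectation, the control ids and the two simulated providers are constructed for illustration.

```rust
// Added illustration: all names here are hypothetical, not auditron's API.
#[derive(Clone, Copy)]
enum Expect {
    NoRows,   // violation query: any returned row is a finding
    SomeRows, // canary/inventory query: an empty result means the provider is broken
}
#[derive(Debug, PartialEq)]
enum Status { Pass, Fail, Error }
struct Control { id: &'static str, expect: Expect }

// Row count on success, or an error the engine actually reported.
type Outcome = Result<usize, String>;

fn evaluate(expect: Expect, outcome: &Outcome) -> Status {
    match (expect, outcome) {
        (_, Err(_)) => Status::Error,
        (Expect::NoRows, Ok(0)) => Status::Pass,
        (Expect::SomeRows, Ok(n)) if *n > 0 => Status::Pass,
        _ => Status::Fail,
    }
}

// Exit code contract from the PR text: 0 when all pass, 2 on any fail/error.
fn run_pack(pack: &[Control], query: impl Fn(&str) -> Outcome) -> (Vec<Status>, i32) {
    let statuses: Vec<Status> = pack.iter().map(|c| evaluate(c.expect, &query(c.id))).collect();
    let code = if statuses.iter().all(|s| *s == Status::Pass) { 0 } else { 2 };
    (statuses, code)
}

// Constructed providers: a healthy one, and one whose errors surface as empty result sets.
fn healthy(id: &str) -> Outcome {
    match id { "repo-inventory" => Ok(12), "unprotected-default-branch" => Ok(3), _ => Ok(0) }
}
fn swallowing(_id: &str) -> Outcome { Ok(0) }

fn pack(with_canary: bool) -> Vec<Control> {
    let canary = Control { id: "repo-inventory", expect: Expect::SomeRows };
    let checks = ["unprotected-default-branch", "missing-license"]
        .map(|id| Control { id, expect: Expect::NoRows });
    with_canary.then_some(canary).into_iter().chain(checks).collect()
}

fn main() {
    for canary in [false, true] {
        let (h, s) = (run_pack(&pack(canary), healthy), run_pack(&pack(canary), swallowing));
        println!("canary={canary} healthy={h:?} swallowing={s:?}");
    }
}
```

Without the canary, the swallowing provider yields exit code 0 even though nothing was actually checked; with it, the same run exits 2.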