QA rules & ANSSI compliance

This document defines the quality and safety rules applicable to the entire gitrust project. Each batch must satisfy these rules before merge.


1. Mandatory compilation gates

Any modification must pass these 4 gates without error:

Gate          Command                                                                      Criterion
Formatting    cargo fmt --all -- --check                                                   Zero diff
Linting       cargo clippy --workspace -- -D warnings                                      Zero warnings
Unit tests    cargo test --workspace                                                       100% pass
CSS build     npx tailwindcss -i static/css/input.css -o static/css/style.css --minify    Only if templates were modified

Additional gates (to be installed)

Gate                 Tool                              Role
Dependency audit     cargo audit                       Detects CVEs in dependencies
Licences & bans      cargo deny check                  Compatible licences, no banned crate
Secrets in code      Search for sensitive patterns     No hard-coded token or password

2. Safety rules (ANSSI PA-074)

2.1 Mandatory Rust Lints (already in place)

#![forbid(unsafe_code)]                    // core, web, hooks
#![deny(unsafe_code)]                      // git, ssh (FFI required)
#![deny(clippy::unwrap_used)]
#![deny(clippy::expect_used)]
#![deny(clippy::panic)]
#![deny(clippy::indexing_slicing)]
#![deny(clippy::mem_forget)]

2.2 Safety checklist by feature

Before any implementation affecting authentication, secrets or permissions, check:

  • [ ] Secrets never stored in plaintext in the database: SHA-256 or bcrypt hash
  • [ ] Secrets never logged: check tracing::info/debug/warn; Display and Debug impls must not reveal the secret
  • [ ] Constant-time comparison: subtle::ConstantTimeEq for every secret validation (no == on hashes)
  • [ ] Rate limiting: authentication endpoint protected
  • [ ] CSRF: valid token on every mutating action (POST/PUT/DELETE)
  • [ ] Ownership verified (anti-IDOR): a user can act only on their own resources (check user_id server-side)
  • [ ] Mandatory expiration: every token/session has a maximum lifetime
  • [ ] Audit log: creation, revocation and suspicious use are traced
  • [ ] Zeroize: sensitive types implement Zeroize/ZeroizeOnDrop
  • [ ] Path traversal: validate on-disk paths (no .., /, \)

2.3 SEC-Markers

The code uses //SEC-XX comments to trace security decisions. Any new control must be marked with the next available number in its category:

Prefix   Category          Examples
SEC-C    Cryptography      Timing attack, CSRF, PKCE
SEC-H    HTTP/headers      X-Forwarded-For, cookies, nonce
SEC-L    Business logic    Hashing, validation, defaults
SEC-M    Memory/sessions   Rate-limit DoS, refresh tokens

3. Tests required by category

3.1 Coverage matrix

Category            When to apply                                          Example
Unit                Pure logic (validation, parsing, conversion)           RepoSlug::new("../evil") → error
Integration         Service with DB (CRUD, constraints, transactions)      PatService::validate on an expired token → None
Handler             HTTP endpoint (status, redirect, CSRF, auth)           POST without CSRF → 403
E2E Playwright      Complete user flow                                     Create token → copy → clone a repository
Negative security   Every conceivable bypass                               User A's token on user B's resource → 401

3.2 Test rules

  1. Integration tests on real DB — no mocks for the persistence layer (mocks hide migration bugs)
  2. Negative tests required — for each happy path, test at least: invalid input, unauthenticated, unauthorized, expired, revoked
  3. E2E tests in French — consistent with the UI (locale fr-FR)
  4. No sleep() in tests — use retry/poll with timeout
  5. Isolated test data — each test creates its own data (no dependency on execution order)

4. Code Rules

4.1 Framework boundary

  • Never modify crates/rustwarden-core/
  • Reuse framework services before implementing (auth, users, sessions, ResourceService, i18n, middleware)
  • If a service is missing, extend it on the gitrust side (wrappers, impls feature)

4.2 Assets

  • Zero CDN — all CSS/JS served from static/
  • Framework CSP blocks external domains

4.3 Error handling

  • GitrustError with IntoResponse for HTTP mapping
  • No .unwrap() / .expect() / panic!() / [index]
  • User errors: generic messages (no internal information leak)

4.4 Boundary validation

  • Validate user inputs (forms, query params, headers)
  • Do not re-validate between internal services
  • Newtypes with construction validation (RepoSlug, TeamSlug, Fingerprint, TokenHash)
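As an added illustration of the path-traversal item in §2.2, the unit-test example in §3.1 and the construction-validated newtypes above, here is a hypothetical RepoSlug written for this document (example code, not gitrust's own; the error type, the accepted character set and the on-disk layout are assumptions):

```rust
use std::fmt;
use std::path::{Path, PathBuf};

/// Validation error. It says nothing about the rejected input, so it can be
/// shown to users without leaking internal information (rule 4.3).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct InvalidSlug;

impl fmt::Display for InvalidSlug {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("invalid repository name")
    }
}
impl std::error::Error for InvalidSlug {}

/// Repository slug that is valid by construction (hypothetical newtype; the
/// real gitrust RepoSlug may differ). Internal services accept a RepoSlug
/// and never re-validate it (rule 4.4).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RepoSlug(String);

impl RepoSlug {
    pub const MAX_LEN: usize = 64;

    // SEC-L: path traversal is blocked at the boundary. Only [a-z0-9._-] is
    // accepted, so "/", "\", NUL and non-ASCII never reach the filesystem; a
    // leading "." (".", "..", dotfiles) and any ".." run are rejected as well.
    // No indexing and no unwrap, as required by the lints in section 2.1.
    pub fn new(raw: &str) -> Result<Self, InvalidSlug> {
        let ok = |c: u8| c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, b'.' | b'_' | b'-');
        if raw.is_empty() || raw.len() > Self::MAX_LEN || !raw.bytes().all(ok) {
            return Err(InvalidSlug);
        }
        if raw.starts_with('.') || raw.contains("..") {
            return Err(InvalidSlug);
        }
        Ok(Self(raw.to_owned()))
    }

    /// On-disk location of the bare repository under `root` (hypothetical
    /// layout). Safe to join because `self` holds no separator and no "..".
    pub fn dir_under(&self, root: &Path) -> PathBuf {
        root.join(format!("{}.git", self.0))
    }
}

impl fmt::Display for RepoSlug {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&self.0)
    }
}
```

Because the slug is checked once at the boundary, the handler, the service and the git layer can all take a RepoSlug and skip the checks the table in §3.1 expects the unit tests to cover.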

5. Pre-merge checklist

Before each batch merge:

  • [ ] cargo fmt --all -- --check passes
  • [ ] cargo clippy --workspace -- -D warnings passes
  • [ ] cargo test --workspace: all tests pass
  • [ ] Playwright E2E tests pass (npm run test:e2e)
  • [ ] CSS rebuilt if templates were modified
  • [ ] No plaintext secret in the code or the logs
  • [ ] Security checklist §2.2 validated (if applicable)
  • [ ] No modification in crates/rustwarden-core/