chore(security): ignore RUSTSEC-2023-0071, gate jwt backend

[polaz]

Summary

Document and suppress RUSTSEC-2023-0071 ("Marvin Attack", timing sidechannel in rsa 0.9.x), and add a CI gate so the decision is enforced, not implicit.

Dependency chain: rsa 0.9.10 -> jsonwebtoken (rust_crypto) -> structured-proxy.

Why ignore (not fix)

1. No fix exists. Latest rsa is 0.10.0-rc; the advisory has patched: [] / unaffected: [] in the RustSec DB. Nothing to upgrade to.
2. Backend stays pure-Rust rust_crypto over aws_lc_rs (C FFI), required by no-FFI consumers (e.g. CoordiNode ADR-013).
3. Not exploitable here. structured-proxy only verifies incoming JWTs with a public key (DecodingKey + decode(), src/auth/mod.rs:115). Marvin leaks the private key via private-op timing (decrypt/sign), which never runs on the verify path. The only EncodingKey/encode usage is inside #[cfg(test)] and uses Ed25519, not RSA.

Changes

• deny.toml: ignore RUSTSEC-2023-0071 (struct form with reason) + full rationale comment.
• .cargo/audit.toml: mirror the ignore for standalone cargo audit.
• Cargo.toml: expose jwt crypto backend as crate features — rust_crypto (default, pure Rust) / aws_lc_rs (opt-in, constant-time, C FFI). Backends are mutually exclusive; jsonwebtoken is now default-features = false + use_pem.
• .github/workflows/ci.yml:
  • replace --all-features with a per-backend matrix (both backends can't be enabled together — jsonwebtoken panics at runtime otherwise);
  • add a Security Audit job running cargo-deny check advisories (reads deny.toml).

Testing

• cargo nextest run — 121/121 passed on both backends (rust_crypto and aws_lc_rs).
• cargo clippy --all-targets -Dwarnings + cargo fmt --check — clean.
• cargo deny check advisories → advisories ok; cargo audit → exit 0.
• Verified the ignore is meaningful: removing the config makes cargo audit fail on RUSTSEC-2023-0071; with it, it passes.
• Cargo.lock unchanged — default dependency graph and default backend are identical.

Follow-up

Remove the ignore once RustCrypto ships a constant-time rsa stable release.

Closes #48

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 1be1643a-7176-44d0-8e11-b1d95a126b87

📥 Commits

Reviewing files that changed from the base of the PR and between 44d178a and 0b550fb.

📒 Files selected for processing (1)

• src/lib.rs

---

📝 Walkthrough

Summary by CodeRabbit

• New Features
  • Added selectable JWT cryptographic backends (RustCrypto or AWS LC RS), with a default backend.
  • Added compile-time validation to ensure exactly one JWT backend is enabled.
• Bug Fixes
  • Prevents invalid or ambiguous JWT backend feature combinations from compiling.
• Chores
  • Updated CI to run quality checks across backend configurations and restricted some steps per backend.
  • Added security advisory scanning to CI and narrowed advisory ignore rules for timing-related RSA concerns.

Walkthrough

Adds mutually exclusive rust_crypto (default) and aws_lc_rs feature flags to Cargo.toml that forward to the corresponding jsonwebtoken backend features, with compile-time guards in src/lib.rs enforcing valid feature combinations. The CI quality-checks job is split into a two-leg strategy matrix to build and test both backends. A new security-audit CI job runs cargo-deny. Both deny.toml and .cargo/audit.toml are created to suppress RUSTSEC-2023-0071 with documented rationale.

Changes

Dual crypto backend feature flags, compile-time guards, CI matrix, and advisory suppression

Layer / File(s)	Summary
jsonwebtoken backend feature flags Cargo.toml	jsonwebtoken is changed to default-features = false, features = ["use_pem"]. A default = ["rust_crypto"] crate feature and two mutually exclusive backend features (rust_crypto, aws_lc_rs) are added, each forwarding to the matching jsonwebtoken/* feature, with comments documenting the requirement that exactly one must be selected.
Compile-time feature enforcement src/lib.rs	#[cfg(...)] guards with compile_error! macros enforce that exactly one JWT backend feature is enabled: errors if both rust_crypto and aws_lc_rs are enabled, and errors if neither is enabled.
CI backend matrix and security-audit job .github/workflows/ci.yml	quality-checks gains a strategy matrix with rust_crypto and aws_lc_rs legs; Clippy, Build, and Test use matrix.backend.flags. Format and Publish dry-run are gated to the rust_crypto leg. A new security-audit job runs EmbarkStudios/cargo-deny-action with command: check advisories.
Advisory suppression configuration deny.toml, .cargo/audit.toml	Both files are created with an [advisories] ignore entry for RUSTSEC-2023-0071, each including comments explaining the pure-Rust backend choice, the absence of a patched rsa release, and that only the public-key verification path is used.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• structured-world/structured-proxy#28: Introduces JWT auth middleware that depends on the jsonwebtoken backend feature flags and compile-time validation introduced in this PR.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: ignoring a security advisory and gating JWT backend selection via features.
Description check	✅ Passed	The description comprehensively documents the rationale for ignoring the advisory, architectural changes, and testing performed, all directly related to the changeset.
Linked Issues check	✅ Passed	The PR fully addresses issue #48 by documenting the RUSTSEC-2023-0071 ignore with clear rationale, adding enforcement via compile-time guards, and exposing backend selection as features enabling future switching.
Out of Scope Changes check	✅ Passed	All changes directly support the linked issue objectives: advisory ignores, backend feature gating, CI validation, and compile-time backend enforcement are all scoped to the security advisory suppression and backend architecture.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/#48-rustsec-2023-0071-ignore

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Cargo.toml`:
- Around line 86-97: Add compile-time guard macros in src/lib.rs to enforce
mutually exclusive JWT backend configuration. Create two compile_error! guards:
one that triggers when both rust_crypto and aws_lc_rs features are enabled
together, and another that triggers when neither feature is enabled. This
ensures invalid feature combinations are caught at compile time rather than
causing runtime panics in the jsonwebtoken crate.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 666704c0-af5d-40f2-98f4-48fa8edd5c40

📥 Commits

Reviewing files that changed from the base of the PR and between 1acf2c6 and 44d178a.

📒 Files selected for processing (4)

• .cargo/audit.toml
• .github/workflows/ci.yml
• Cargo.toml
• deny.toml

[greptile-apps]

Greptile Summary

This PR formally suppresses RUSTSEC-2023-0071 (Marvin Attack timing sidechannel in rsa 0.9.x) with documented rationale, and restructures the JWT crypto backend as an explicit, mutually-exclusive crate feature pair (rust_crypto / aws_lc_rs).

• Advisory suppression: deny.toml and .cargo/audit.toml both ignore RUSTSEC-2023-0071 with full inline justification (no patched release exists; the advisory only affects private-key operations, which are never performed on this verify-only path).
• Feature gating: jsonwebtoken is now default-features = false + use_pem; a [features] block exposes the two mutually-exclusive backends, with rust_crypto as the default. compile_error! guards in src/lib.rs turn any invalid combination into a build failure instead of a runtime panic.
• CI: --all-features is replaced with a per-backend matrix so both legs are exercised, and a new security-audit job runs cargo-deny check advisories (via a SHA-pinned third-party action) to enforce the advisory decision in CI.

Confidence Score: 5/5

Safe to merge — the changes are purely additive configuration and build-system hardening with no logic changes to the proxy runtime.

All changes are in build tooling, CI configuration, and crate feature declarations. The compile-time guards are correct and the advisory suppression is well-justified with a clear remediation path. No auth, network, or data-handling code was modified.

No files require special attention.

Important Files Changed

Filename	Overview
.cargo/audit.toml	New file mirroring the deny.toml advisory ignore for cargo-audit; well-documented with clear rationale
deny.toml	New file adding structured cargo-deny configuration; RUSTSEC-2023-0071 ignore is properly justified with inline rationale and issue link
Cargo.toml	Exposes jwt crypto backend as mutually exclusive crate features (rust_crypto default, aws_lc_rs opt-in); jsonwebtoken switched to default-features = false + use_pem
.github/workflows/ci.yml	Replaces --all-features with a per-backend matrix and adds a Security Audit job; third-party actions are correctly SHA-pinned
src/lib.rs	Adds compile_error! guards to turn jsonwebtoken's runtime panic on invalid backend combinations into a build-time error; doc comment updated

_{Reviews (2): Last reviewed commit: "feat(auth): guard mutually-exclusive jwt..." | Re-trigger Greptile}