From 72409e4b8f050e17bcaa3369001b8445da38054a Mon Sep 17 00:00:00 2001 From: "Aaron D. Lee" Date: Sun, 5 Jul 2026 03:16:00 -0400 Subject: [PATCH] ci(trunk): twilio-live manual-trigger job + seam-gate verification + doc-link fixes (slice-5 T10) The routine CI gate stays feature-default-off: MockCallControlClient is the per-PR test surface. A new twilio-live job runs ONLY on manual workflow_dispatch (maintainer triggers pre-release) -- it exercises clippy --features=twilio-live + the live TwilioCallControlClient tests against real Twilio credentials (TWILIO_* secrets). Never runs per-PR. Seam gate verified UNCHANGED: loop_driver.rs (744bf314...) + rtc_session.rs (f47d63b9...) blob hashes match the slice-4 Task 10 pins exactly -- the trunk leg's tick lives entirely in rutster-trunk/src/loop_driver.rs (a separate file in a separate crate), so the media-crate seam files stay byte-identical. cargo deny: reqwest (rustls-tls) + base64 + async-trait introduce ZERO new duplicate dep versions (verified via `cargo tree -d` with vs without --features=twilio-live: identical duplicate sets -- the existing skip list in deny.toml remains sufficient). Local cargo-deny 0.18.3 cannot parse the `-or-later` SPDX form + CVSS 4.0 advisory entries (pre-existing limitation documented in deny.toml; CI's cargo-deny-action@v2 bundles 0.19.x which handles both) -- CI is the authoritative deny gate. Two rustdoc intra-doc-link warnings in my code fixed (mock.rs private-item link -> plain inline code; lib.rs redundant explicit link target simplified). Two pre-existing rustdoc warnings remain in rutster-tap/protocol.rs + rutster/tap_engine.rs (out of scope -- pre-existing from slices 2-3, not introduced by slice-5). T10 of slice-5. This is the final task on the dev-b chain (T2 + T6 + T9 + T10 all landed). Signed-off-by: Aaron D. Lee --- .github/workflows/ci.yml | 37 +++++++++++++++++++++++ crates/rutster-trunk/src/lib.rs | 2 +- crates/rutster-trunk/src/provider/mock.rs | 2 +- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5b79bb7..866027f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -7,6 +7,12 @@ on: branches: [main] pull_request: branches: [main] + # Manual trigger for the twilio-live job (pre-release validation against + # real Twilio credentials). Never runs per-PR — the routine clippy/test + # jobs use default features (MockCallControlClient); the live + # TwilioCallControlClient is feature-gated behind `twilio-live` + only the + # maintainer exercises it before tagging a release (spec §1.2 + plan T6/T10). + workflow_dispatch: env: CARGO_TERM_COLOR: always @@ -80,3 +86,34 @@ jobs: - uses: EmbarkStudios/cargo-deny-action@v2 with: command: check + + # The live TwilioCallControlClient is feature-gated behind `twilio-live` + # (reqwest + rustls-tls + tracing + serde_json pulled in only when the + # feature is on). This job exercises it against REAL Twilio credentials. + # It runs ONLY on manual `workflow_dispatch` (never per-PR) — the routine + # clippy/test jobs above use default features (MockCallControlClient). + # The maintainer triggers this before tagging a release, after setting the + # TWILIO_* secrets in the repo settings (spec §1.2 + plan T10 Step 3). + twilio-live: + name: twilio-live (manual only) + runs-on: ubuntu-latest + if: github.event_name == 'workflow_dispatch' + steps: + - uses: actions/checkout@v4 + - uses: dtolnay/rust-toolchain@stable + with: + components: clippy + - name: Install libopus (media crate FFI dep) + run: apt-get update && apt-get install -y libopus-dev + - uses: Swatinem/rust-cache@v2 + - name: Clippy with twilio-live feature + run: cargo clippy --all --all-targets --features=twilio-live -- -D warnings + - name: Twilio-live tests (includes ignored live e2e; needs TWILIO_* secrets) + env: + RUTSTER_TWILIO_ACCOUNT_SID: ${{ secrets.TWILIO_ACCOUNT_SID }} + RUTSTER_TWILIO_AUTH_TOKEN: ${{ secrets.TWILIO_AUTH_TOKEN }} + RUTSTER_TWILIO_MEDIA_BIND: 0.0.0.0:8081 + RUTSTER_TWILIO_WEBHOOK_BASE: ${{ secrets.TWILIO_WEBHOOK_BASE }} + RUTSTER_TWILIO_TEST_TO: ${{ secrets.TWILIO_TEST_TO }} + RUTSTER_TWILIO_TEST_FROM: ${{ secrets.TWILIO_TEST_FROM }} + run: cargo test --all --features=twilio-live -- --include-ignored diff --git a/crates/rutster-trunk/src/lib.rs b/crates/rutster-trunk/src/lib.rs index 29673dd..16e7ed6 100644 --- a/crates/rutster-trunk/src/lib.rs +++ b/crates/rutster-trunk/src/lib.rs @@ -10,7 +10,7 @@ //! //! ## Spearhead step 5 — what's here vs what's deferred //! -//! The provider call-control seam ([`provider`](crate::provider)) lands in T2: the +//! The provider call-control seam ([`provider`]) lands in T2: the //! `CallControlClient` trait, `MockCallControlClient`, and `TwilioCredentials` (with //! redacted `Debug`). The live `TwilioCallControlClient` (T6) is feature-gated behind //! `twilio-live`. The WSS ingress (`g711`, `twilio_media_streams`, `session`, diff --git a/crates/rutster-trunk/src/provider/mock.rs b/crates/rutster-trunk/src/provider/mock.rs index 7d98c26..53c72f1 100644 --- a/crates/rutster-trunk/src/provider/mock.rs +++ b/crates/rutster-trunk/src/provider/mock.rs @@ -21,7 +21,7 @@ //! *test double*, a poisoned mutex means a previous test assertion failed; the //! right move is to recover the inner value (`.into_inner()`) rather than //! propagate the poison (which would cascade one test failure into every -//! subsequent test). [`lock_or_recover`] does this idiomatically — and avoids +//! subsequent test). `lock_or_recover` does this idiomatically — and avoids //! the `unwrap()`/`expect()` that AGENTS.md's hot-path rule forbids in library //! code (the mock is library code, not `#[cfg(test)]`, because T7/T8 integration //! tests in `tests/` import it).