From 3aacf1c91e88b82c9bed0a852b56bfaf28b82d3e Mon Sep 17 00:00:00 2001
From: OM
Date: Thu, 11 Jun 2026 02:03:19 +0530
Subject: [PATCH] ci(proxy): add cargo CI workflow (fmt, clippy, test, audit)

The Rust proxy had no CI; its 35 tests and the clippy/fmt/audit gates ran nowhere on push. Add cargo-ci.yml running fmt --check, clippy -D warnings, the test suite single-threaded (the audit/nonce IO tests are order-sensitive), and a rustsec audit in a separate job. Every action is pinned to a full commit SHA and the workflow has contents: read only.
---
.github/workflows/cargo-ci.yml | 51 ++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 .github/workflows/cargo-ci.yml
diff --git a/.github/workflows/cargo-ci.yml b/.github/workflows/cargo-ci.yml
new file mode 100644
index 0000000..8a4522e
--- /dev/null
+++ b/.github/workflows/cargo-ci.yml
@@ -0,0 +1,51 @@
+name: Cargo CI
+
+# Gates the Rust containment proxy: format, lint, tests, and a dependency audit.
+# Every action is pinned to a full commit SHA, not a tag, so a compromised or
+# retagged action cannot slip new code into CI.
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+
+permissions:
+ contents: read
+
+jobs:
+ build-and-test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Install Rust toolchain (stable, with rustfmt + clippy)
+ uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+ with:
+ toolchain: stable
+ components: rustfmt, clippy
+
+ - name: Cache cargo build
+ uses: Swatinem/rust-cache@aa7c1c80a07a27a84c0aa76d0cef0aad3830e330 # v2.7.8
+
+ - name: Check formatting
+ run: cargo fmt --all -- --check
+
+ - name: Clippy (deny warnings)
+ run: cargo clippy --all-targets -- -D warnings
+
+ - name: Tests
+ # Single-threaded so the deterministic IO tests (audit/nonce) do not race.
+ run: cargo test --all -- --test-threads=1
+
+ audit:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Security audit
+ uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
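Review bot: The `audit` job runs only on `push` and `pull_request` to main, so a RustSec advisory published against an unchanged dependency set goes unreported until the next commit. Adding a `schedule:` entry under `on:` (for example `- cron: "0 6 * * *"`, the time being arbitrary) would close that gap. With the workflow-level `permissions: contents: read`, the `token` passed to `rustsec/audit-check` presumably cannot create check runs or issues. Confirm the job still fails on a finding rather than only logging it, or give `audit` its own `permissions:` block adding `checks: write` (and `issues: write` if scheduled runs should open issues). In `build-and-test`, `cargo clippy` and `cargo test` run without `--locked`, so if a Cargo.lock is committed they may resolve a dependency set that differs from the one the audit job inspects; `run: cargo test --locked --all -- --test-threads=1` and the same flag on the clippy step keep both jobs on the same lockfile.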