mkit (Rust workspace)
This directory holds the mkit Cargo workspace.
Toolchain
- Rust 1.95.0 (pinned in rust-toolchain.toml)
- Edition 2024 (workspace default)
- Resolver 3
Workspace layout
rust/
├── crates/
│ ├── mkit-core/ # hash, object, serialize, store, chunker,
│ │ # pack, delta, refs, index, worktree,
│ │ # ignore, repo_lock, ops/*, sign, protocol
│ ├── mkit-transport-memory/
│ ├── mkit-transport-file/
│ ├── mkit-transport-http/
│ ├── mkit-transport-s3/
│ ├── mkit-transport-ssh/
│ ├── mkit-attest/ # jcs, statement, envelope, signers, verify
│ └── mkit-cli/ # bin "mkit"
└── fuzz/ # cargo-fuzz targets (delta, pack, tree)
Gates
CI runs the above matrix on ubuntu-latest + macos-latest
(.github/workflows/rust.yml). A weekly job runs cargo audit and
cargo deny check (.github/workflows/rust-security.yml). A
reproducible-build smoke test diffs two sequential release builds
(.github/workflows/reproducible-build.yml).
Contracts
- Every on-disk / wire byte is pinned by golden vectors under tests/golden/. Any change must update both the vector and the relevant docs/SPEC-*.md in the same PR.
- mkit version emits exactly mkit <X.Y.Z>\n — asserted by both a snapshot test in crates/mkit-cli/tests/version_snapshot.rs and a CI step that runs the release binary.
- scripts/verify-rename.sh enforces the public-surface rename gate on every push.
- Fuzz harnesses enforce the six guardrails documented in docs/FUZZ.md (≤100 iterations, ≤64 KiB input, bounded per-op allocations, 100 ms per-iteration cap, no unbounded loops, seeded PRNG).
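The six fuzz guardrails listed above, sketched as one bounded harness. This is an added example, not code from the mkit repository: the length-prefixed record format, every identifier, and the 1 MiB MAX_ALLOC value are assumptions made for illustration; only the iteration, input-size and time limits come from the list.

```rust
use std::time::{Duration, Instant};

// Limits taken from the guardrail list; MAX_ALLOC is an assumed per-op bound.
const MAX_ITERS: usize = 100;
const MAX_INPUT: usize = 64 * 1024;
const MAX_ALLOC: usize = 1 << 20;
const ITER_CAP: Duration = Duration::from_millis(100);

/// Seeded xorshift64 PRNG: the same seed always replays the same inputs.
struct Prng(u64);
impl Prng {
    fn next_u64(&mut self) -> u64 {
        self.0 ^= self.0 << 13;
        self.0 ^= self.0 >> 7;
        self.0 ^= self.0 << 17;
        self.0
    }
}

/// Toy target (hypothetical, not an mkit format): u32 LE length prefix, then payload.
/// The declared length is untrusted, so it is bounded before anything is allocated.
fn parse_record(input: &[u8]) -> Result<Vec<u8>, &'static str> {
    let h = input.get(..4).ok_or("short header")?;
    let declared = u32::from_le_bytes([h[0], h[1], h[2], h[3]]) as usize;
    if declared > MAX_ALLOC {
        return Err("declared length over allocation bound");
    }
    let body = input.get(4..4 + declared).ok_or("truncated payload")?;
    Ok(body.to_vec())
}

/// Bounded campaign: returns (accepted, rejected), or Err if one iteration is too slow.
fn run_campaign(seed: u64) -> Result<(usize, usize), String> {
    let mut rng = Prng(seed.max(1)); // xorshift state must be non-zero
    let (mut ok, mut rejected) = (0, 0);
    for i in 0..MAX_ITERS { // fixed trip count, so no unbounded loop
        let len = (rng.next_u64() as usize) % (MAX_INPUT + 1);
        let input: Vec<u8> = (0..len).map(|_| rng.next_u64() as u8).collect();
        let start = Instant::now();
        match parse_record(&input) { Ok(_) => ok += 1, Err(_) => rejected += 1 }
        if start.elapsed() > ITER_CAP {
            return Err(format!("iteration {} exceeded {:?}", i, ITER_CAP));
        }
    }
    Ok((ok, rejected))
}

fn main() {
    println!("{:?}", run_campaign(0x6d6b_6974));
}
```

Because the PRNG is seeded, a failing run is reproduced by rerunning with the same seed instead of saving a corpus file.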