Tags: dfinity/agent-rs
Tags
chore: 0.48.0 — rustls crypto provider selection via cargo features (#… …732) * feat(ic-agent): make rustls crypto provider selectable via cargo features Reqwest 0.13's `rustls` feature hardcodes aws-lc-rs as the crypto provider, which conflicts with workspaces (e.g. dfinity/ic) that still pull in reqwest 0.12 with ring: Cargo unifies rustls 0.23 with both `ring` and `aws_lc_rs` features active, and `CryptoProvider::from_crate_features()` returns None, breaking any direct rustls user that relies on the process-default builder pattern. Switch ic-agent's reqwest feature from `rustls` to `rustls-no-provider`, take a direct optional `rustls` dep, and expose two new features: - `tls-aws-lc-rs` (default): installs aws-lc-rs as the process-wide rustls default in the Agent::new default-client path - `tls-ring`: installs ring instead Features are additive: when both are on, aws-lc-rs wins (enabling `tls-ring` while the default is on never silently flips behavior). Downstreams who need ring opt out of defaults: `default-features = false, features = ["pem", "tls-ring"]`. Tests cover three scenarios in process-isolated integration test files: matching-provider install, idempotency when an application installs first, and the expected panic when neither feature is enabled. CI runs the default (aws-lc-rs), --all-features (both on, aws-lc-rs wins), tls-ring alone, and the no-TLS panic path; the previous blanket `--no-default-features` pass is dropped (no-op for crates without features, broken for ic-agent without a provider). Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * chore(ic-agent): drop deprecated http_transport module The `http_transport` module (`ReqwestTransport`, `AgentBuilder::with_transport`, `AgentBuilder::with_arc_transport`) has been deprecated since v0.38.0 in favor of the dedicated builder methods (`with_url`, `with_http_client`, `with_arc_route_provider`, `with_max_response_body_size`, `with_max_tcp_error_retries`). The original comment in `agent/mod.rs` already slated it for removal "after 0.40"; 0.48.0 is the natural breakage window alongside the rustls provider feature changes. No workspace or dfinity/sdk consumer references these symbols. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * chore: prepare 0.48.0 release Bump workspace version 0.47.3 → 0.48.0 and add a CHANGELOG entry covering: - new `tls-aws-lc-rs` (default) / `tls-ring` cargo features for rustls crypto provider selection - breaking: `default-features = false` now requires an explicit TLS feature (or `with_http_client`) to avoid a runtime panic - breaking: removal of the long-deprecated `http_transport` module Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * perf(ic-agent): skip default_provider() construction when already installed `install_default_crypto_provider` was previously building a fresh `CryptoProvider` on every `Agent::new` only to discard it when `install_default()` returned `Err` (default already set). Fast-path the common warm case with `CryptoProvider::get_default().is_some()`. The check has a benign TOCTOU race: `install_default()` is itself atomic, so concurrent installers still produce a single winner. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * fix(ic-agent): make rustls dep target-conditional so wasm builds with default features The default `tls-aws-lc-rs` feature pulled in aws-lc-sys, which fails to cross-compile to wasm32-unknown-unknown. Move the rustls dep into the non-wasm target table so wasm consumers can use default features unchanged. The runtime crypto-provider install was already `cfg(not(target_family = "wasm"))`. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * fix(ic-agent): install rustls provider in dynamic-routing doctest The customized-instantiation example builds a reqwest::Client directly instead of going through Agent::new, so reqwest's rustls-no-provider mode panicked with "No provider set". Install the aws-lc-rs provider at the start of main and note why. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * fix(ref-tests): enable tls-aws-lc-rs so rustls provider is installed ref-tests depended on ic-agent with only the pem feature, which compiles neither tls-aws-lc-rs nor tls-ring. install_default_crypto_provider then becomes a no-op, and Agent::new's reqwest client panics with "No provider set" because use_rustls_tls() builds the TLS config eagerly even though pocket-ic is reached over plain HTTP. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * ci: restructure test workflow into named, single-purpose steps Reorganize the test matrix into discrete steps (workspace --all-features, ic-agent default, tls-ring only, no-TLS panic path, WASM, ref-tests, SoftHSM) with a header comment summarizing which step covers what. Switch ref-tests invocations from `cd ref-tests && cargo test` to `cargo test -p ref-tests` so they run from the workspace root. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * test(ic-agent): compare CryptoProvider identity via wide pointer The provider-identity assertions cast `&'static dyn SecureRandom` to `*const ()`, discarding the vtable. Two distinct ZST-backed impls would then alias on the data pointer alone. Compare the full wide pointer (data + vtable) so type identity is preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * fix(ci): collapse no-TLS step's run to one line The step used a backslash line-continuation inside a YAML plain scalar. Plain scalars fold newlines into spaces but don't interpret escapes, so the shell received a literal `\` followed by a space — escaping the space into a single literal-space word rather than continuing the command. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * fix(ci): install Chrome via browser-actions/setup-chrome to avoid snap-store flakes The apt `chromium-chromedriver` package on Ubuntu 24.04 is a transitional shim that installs Chromium from the snap store, which intermittently times out fetching assertions from api.snapcraft.io and fails the job. Switch to browser-actions/setup-chrome, which downloads Chrome and a matching chromedriver directly without going through snap. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * Revert "fix(ci): install Chrome via browser-actions/setup-chrome to avoid snap-store flakes" This reverts commit 4dd17ee. --------- Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
chore: release 0.47.3 — subnet-scoped create_canister + EffectiveId r… …outing (#731) * feat: Support effective_subnet_id in CreateCanisterBuilder Generalize the effective_canister_id field to effective_id so it can hold either a canister id or a subnet id, and add with_effective_subnet_id to let subnet administrators route create_canister calls to a specific subnet. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * chore: pin pocket-ic to IC git rev for integration tests Switch the workspace pocket-ic dependency to a git rev so the client library stays in lockstep with the pocket-ic server binary downloaded by download_reftest_assets.sh. The script now derives the IC commit from Cargo.toml so the binary and crate cannot drift apart. icx is published to crates.io (which rejects git deps), so it pins a released pocket-ic semver directly instead of inheriting the workspace entry. Also harden the download script with set -euo pipefail and IFS reset. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * feat: Add subnet-scoped HTTP API methods to Agent Mirror the existing canister-scoped flow with three new public methods that hit the subnet-scoped HTTP endpoints introduced in IC interface spec 0.60.0: - update_signed_subnet -> POST /api/v4/subnet/<sid>/call - request_status_signed_subnet -> POST /api/v3/subnet/<sid>/read_state - wait_signed_subnet -> polling loop on the above Internally these share verify_for_subnet / check_delegation_for_subnet (which already existed for read_state_subnet_metrics et al.), so no new verification logic is introduced. Only a single private helper, call_subnet_endpoint, is added alongside the existing call_endpoint. Also clarify that sign_request_status accepts either an effective canister id or an effective subnet id: rename its argument to effective_id and document SignedRequestStatus::effective_canister_id accordingly. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * feat: Route CreateCanister via subnet endpoints for effective_subnet_id Replace CreateCanisterBuilder's plain effective_id: Principal field with a private EffectiveId { Canister(p) | Subnet(s) } enum and dispatch on it in call()/call_and_wait(): - Canister(p) takes the existing AsyncCall path unchanged. - Subnet(s) signs the management-canister update via UpdateBuilder::sign() and submits it through Agent::update_signed_subnet, polling with wait_signed_subnet if the call is only accepted. The option-resolution and Candid encoding that used to live in build() is factored out into a private prepare() helper so both paths share it. build() keeps its existing AsyncCall return type and now errors when called with a subnet-routed builder, since subnet routing is not expressible through the generic AsyncCall surface. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * test: Cover create_canister with effective_subnet_id end-to-end Add a ref-test that: - Boots PocketIC with a cloud_engine subnet whose subnet_admins include the agent's identity (mirroring icp-cli-network-launcher's setup). - Calls create_canister via with_effective_subnet_id and asserts the new canister lands on the expected subnet. The PocketIC setup is encapsulated in a new with_subnet_admin_agent helper in ref-tests utils so future subnet-admin tests can reuse it. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * chore: fmt * docs: Update CHANGELOG for subnet-scoped create_canister support Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * chore: Release 0.47.3 Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * fix: delegate AsyncCall/IntoFuture impls to inherent call methods The AsyncCall impl was routing through build(), which errors when effective_subnet_id is set. Delegate to the inherent call/call_and_wait methods that handle both canister and subnet routing paths. Co-Authored-By: Claude Sonnet 4.6 <[email protected]> * chore: Bump pocket-ic rev to include state_machine_tests delegation fix Picks up dfinity/ic#10226, which adds the /subnet/<id>/type path to get_delegation_for_subnet so canister-signature delegations issued by pocket-ic include the subnet type and pass the tightened validation. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * refactor: unify subnet/canister routing behind EffectiveId enum Replaces the duplicated `_subnet` call-stack (update_signed_subnet, request_status_signed_subnet, wait_signed_subnet) with a single `EffectiveId` enum dispatched inside the existing methods. Bare `Principal` arguments still resolve to `EffectiveId::Canister(_)` via `From`, preserving the released API. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> * docs: clarify that the three effective-id setters shadow each other Note on as_provisional_create_with_specified_id, with_effective_canister_id, and with_effective_subnet_id that they all write to the same field and only the last call wins, so users chaining a builder are not surprised by a silently overwritten value. Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]> --------- Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
chore(deps): bump rustls-webpki from 0.103.12 to 0.103.13 (#730) Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.12 to 0.103.13. - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.12...v/0.103.13) --- updated-dependencies: - dependency-name: rustls-webpki dependency-version: 0.103.13 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
chore: pin GitHub Actions to commit SHAs (#722) * chore: pin actions to SHA in .github/workflows/fmt.yml * chore: pin actions to SHA in .github/workflows/lint.yml * chore: pin actions to SHA in .github/workflows/netlify.yml * chore: pin actions to SHA in .github/workflows/publish.yml * chore: pin actions to SHA in .github/workflows/release.yml * chore: pin actions to SHA in .github/workflows/shellcheck.yml * chore: pin actions to SHA in .github/workflows/test.yml
chore(deps): bump rustls-webpki from 0.103.10 to 0.103.12 (#727) Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.10 to 0.103.12. - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.12) --- updated-dependencies: - dependency-name: rustls-webpki dependency-version: 0.103.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
PreviousNext