github robintra/perf-sentinel v0.6.1


What's new in v0.6.1

v0.6.1 is a hardening release. No public API break, no behavior change for already-clean inputs. The audit pass that started in 0.6.0 continues here with a security tightening across CORS, the CI ack TOML loader, the SARIF result body and the OTLP gRPC listener. Hot-path tightening lands across the detection and scoring stages, and dependencies are bumped to the latest patch lines.

Security hardening

  • CORS ["*"] combined with [daemon.ack] api_key is now rejected at config load instead of a startup WARN. Header-based X-API-Key auth is not blocked by allow_credentials = false (that setting only governs cookies and browser-managed credentials, not a custom header the server already allows), so wildcard CORS plus an API key lets any browser origin replay a captured key. Operators who want wildcard CORS for development must explicitly unset api_key.
  • acknowledgments::load_from_file refuses to follow symlinks on the CI baseline TOML path, mirroring the daemon JSONL store discipline. Closes the "hostile collaborator plants a symlink in a CI runner working tree" vector.
  • SARIF finding_to_result strips BiDi and invisible-format characters from the message body and logical locations, in addition to the ack metadata path that was already sanitized in 0.5.27. A hostile span emitting service.name = "alice<RLO>@evil" no longer renders mirrored in GitHub or GitLab code-scanning UIs.
  • OTLP gRPC listener caps HTTP/2 concurrent streams at 256 per connection via tonic's max_concurrent_streams and concurrency_limit_per_connection. Bounds the blast radius of a misbehaving client on non-loopback binds.
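The SARIF item above relies on a probe-before-allocate sanitizer of the same shape as the Cow<'_, str> helper mentioned under performance. The block below is an illustration added to these notes, not perf-sentinel's own finding_to_result; the set of stripped code points and the helper names are assumptions made for the example.

```rust
use std::borrow::Cow;

/// BiDi override/isolate controls and invisible format characters that must not
/// reach a code-scanning UI. Assumed table for this example; the project's own
/// list may differ.
fn is_bidi_or_invisible_format(c: char) -> bool {
    matches!(
        c,
        '\u{202A}'..='\u{202E}' // LRE, RLE, PDF, LRO, RLO
            | '\u{2066}'..='\u{2069}' // LRI, RLI, FSI, PDI
            | '\u{200B}'..='\u{200F}' // ZWSP, ZWNJ, ZWJ, LRM, RLM
            | '\u{2060}'..='\u{2064}' // word joiner and invisible operators
            | '\u{061C}' // Arabic letter mark
            | '\u{00AD}' // soft hyphen
            | '\u{FEFF}' // zero-width no-break space / BOM
    )
}

/// Probe first; only allocate when at least one character has to go.
pub fn strip_bidi_controls(s: &str) -> Cow<'_, str> {
    if !s.chars().any(is_bidi_or_invisible_format) {
        return Cow::Borrowed(s);
    }
    Cow::Owned(s.chars().filter(|&c| !is_bidi_or_invisible_format(c)).collect())
}

/// Which code points were removed, so the daemon can log a hostile attribute.
pub fn removed_controls(s: &str) -> Vec<char> {
    s.chars().filter(|&c| is_bidi_or_invisible_format(c)).collect()
}

/// Minimal SARIF result pieces: message text plus logical location names,
/// every field passed through the sanitizer. Hypothetical shape for the example.
pub struct SarifResultParts {
    pub message_text: String,
    pub logical_locations: Vec<String>,
}

pub fn sanitized_result(service: &str, operation: &str, summary: &str) -> SarifResultParts {
    let service = strip_bidi_controls(service);
    let operation = strip_bidi_controls(operation);
    SarifResultParts {
        message_text: format!("{service}/{operation}: {}", strip_bidi_controls(summary)),
        logical_locations: vec![service.into_owned(), operation.into_owned()],
    }
}

fn main() {
    // Constructed hostile span attribute: the RLO would render the suffix mirrored.
    let hostile = "alice\u{202E}@evil";
    println!("{:?} removed {:?}", strip_bidi_controls(hostile), removed_controls(hostile));
}
```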

Performance: hot-path tightening

  • Probe-before-allocate exemplar sanitization in report::metrics::sanitize_exemplar_value (returns Cow<'_, str>). Trace IDs are almost always already valid hex and now skip the allocation on the hot path.
  • chatty detection runs in a single pass over the trace's HTTP-out spans (count and indices collected together) instead of two iterations.
  • serialized detection sorts via sort_unstable_by_key on u64 end timestamps, faster than the stable variant with no observable difference downstream.
  • HTTP query-param Vec is pre-sized from the ampersand count, capped at 100, eliminating the doubling-growth path on URLs with many parameters.
  • Avoidable-finding dedup HashMap capacity matches the avoidable-finding count instead of the total finding count, removing the over-allocation when most findings are slow or fanout.

Refactors

  • detect::n_plus_one::parse_timestamp_ms is a thin adapter over crate::time::parse_iso8601_utc_to_ms instead of a duplicate implementation. The shared time.rs module is now the single source of truth for civil-date arithmetic across the crate.
  • default_region is lowercased once at config load, mirroring the existing service_regions discipline so downstream resolvers no longer pay a to_ascii_lowercase allocation per call.
  • OtlpRejectReason::as_str, AckFailureReason::as_str and ScaphandreScrapeReason::as_str are now const fn, matching the pattern already in place on Confidence::as_str and FindingType::as_str.
  • OTLP span-index cap is named MAX_SPANS_PER_RESOURCE instead of two duplicated 100_000 literals in build_span_index and build_scope_index.
  • OtlpRejectReason::ALL fixed-size array exposes every variant for exhaustive pre-warming, keeping the MetricsState::new startup loop drift-free.

Dependency bumps

  • opentelemetry-proto 0.31 to 0.32 (adds KeyValue::key_strindex for the OTel Profiling signal, three test sites updated to ..Default::default() for forward compatibility).
  • tonic 0.14.5 to 0.14.6.
  • tokio 1.52.2 to 1.52.3.

Helm chart

charts/perf-sentinel 0.2.32 to 0.2.33, appVersion 0.6.0 to 0.6.1. The artifacthub.io/changes annotation surfaces the security and performance items on Artifact Hub.

Full Changelog: v0.6.0...v0.6.1
