⚡ Bolt: Optimize security headers middleware

[EffortlessSteven]

💡 What: Introduced CachedSecurityHeaders to pre-parse and store HeaderValues in AppState.
🎯 Why: SecurityHeadersConfig was parsing header values from strings on every request, causing unnecessary CPU overhead and allocation.
📊 Impact: Eliminates parsing for ~10 security headers per request.
🔬 Measurement: Verified with cargo test -p app-http.

---

PR created automatically by Jules for task 17667632625229066772 started by @EffortlessSteven

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes and 21 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 6792b75 and a057f57.

⛔ Files ignored due to path filters (1)

• oasdiff.tar.gz is excluded by !**/*.gz

📒 Files selected for processing (2)

• .github/workflows/ci-ac.yml
• bootstrap-tools.sh

Walkthrough

Adds a cached security headers mechanism to the HTTP middleware, updates AppState and re-exports, refactors CI templating and artifact naming for safety, and refreshes multiple tool versions, download logic, and checksums across scripts and xtask code.

Changes

Cohort / File(s)	Summary
CI workflow templates \.github/workflows/ci-scope-guard.yml, \.github/workflows/tier1-selftest.yml	Replaces unsafe sed interpolation with envsubst and explicit exports; adds a step to sanitize branch names (slashes → dashes) and uses sanitized output for artifact naming.
HTTP middleware: security headers crates/app-http/src/middleware/security_headers.rs, crates/app-http/src/middleware/mod.rs, crates/app-http/src/lib.rs, crates/app-http/src/middleware/platform_auth.rs	Adds CachedSecurityHeaders (From<&SecurityHeadersConfig>, apply_headers), wires a new cached_security_headers: Arc<CachedSecurityHeaders> field into AppState, re-exports the type, and updates middleware/tests to use cached header application.
Tooling install/bootstrap bootstrap-tools.sh, scripts/tools.sha256, crates/xtask/src/commands/tools_checksum_update.rs, crates/xtask/src/commands/tools_checksum_verify.rs	Bumps oasdiff and buf versions; changes download/extract flow to download archives to temp, checksum the archive, extract conditionally, updates checksums and URLs; alters arch mapping for buf and fixes oasdiff extension handling.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client
  participant Middleware as SecurityMiddleware
  participant State as AppState\n(contains CachedSecurityHeaders)
  participant Response as Response

  Client->>Middleware: send request
  Middleware->>State: read cached headers
  State-->>Middleware: CachedSecurityHeaders
  Middleware->>Response: apply non-None headers via apply_headers()
  Middleware-->>Client: return response with headers

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibble headers cached and neat,

No parse each time — what a treat!
CI trims slashes, tools get new shoes,
Binaries verified, no cryptic blues.
Hop, patch, and ship — a rabbit's quick beat.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 54.55% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main optimization—caching security headers to reduce per-request parsing overhead, which aligns with the core changeset.
Description check	✅ Passed	The description is directly related to the changeset, explaining the motivation, implementation (CachedSecurityHeaders), and measured impact of the security headers optimization.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bolt/optimize-security-headers-17667632625229066772

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Optimizes app-http’s security headers middleware by pre-parsing configured header values once at startup and reusing them per request via AppState, reducing per-request CPU and allocations in the HTTP layer.

Changes:

• Added CachedSecurityHeaders to pre-parse and store HeaderValues derived from SecurityHeadersConfig.
• Updated security_headers_middleware to apply headers from state.cached_security_headers instead of parsing on every request.
• Extended AppState and related re-exports/tests to include the cached headers structure.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
crates/app-http/src/middleware/security_headers.rs	Introduces cached header values and switches middleware to apply cached headers.
crates/app-http/src/middleware/platform_auth.rs	Updates test AppState construction to populate cached_security_headers.
crates/app-http/src/middleware/mod.rs	Re-exports CachedSecurityHeaders from the middleware module.
crates/app-http/src/lib.rs	Adds cached_security_headers to AppState, initializes it during state construction, and re-exports it publicly.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

CachedSecurityHeaders introduces new behavior (pre-parsing and then applying cached HeaderValues), but the unit tests in this module still only exercise SecurityHeadersConfig::apply_headers. Add tests that validate CachedSecurityHeaders::from(&config).apply_headers(...) produces the same headers as config.apply_headers(...) (including the disabled case), so regressions like missing/renamed headers are caught.

[Copilot]

security_headers_middleware still extracts State<AppState> by value, which in axum typically clones the entire AppState per request. Since AppState contains SecurityHeadersConfig with multiple Strings, this can add per-request allocations and may offset part of the intended performance win. Consider extracting a cheaper state (e.g., store AppState behind Arc and use State<Arc<AppState>>, or make security_headers_config itself Arc and/or expose only the cached headers to this middleware).

[Copilot]

In this test helper, security_headers_config and cached_security_headers are initialized from separate SecurityHeadersConfig::default() instances. It would be more robust to derive the cached headers from the same security_headers_config value stored in AppState, so future changes to the config used in this test can't accidentally diverge from what is being cached.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

crates/app-http/src/lib.rs (1)

248-375: 🧹 Nitpick | 🔵 Trivial

Prevent cache/config drift on AppState.

AppState now exposes both security_headers_config and cached_security_headers publicly. If any caller mutates the config post-construction, the cache becomes stale. Consider making these fields private and exposing a method that updates both, or documenting that AppState is immutable after creation.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/app-http/src/lib.rs` around lines 248 - 375, AppState exposes public
fields security_headers_config and cached_security_headers which can diverge if
callers mutate the config after construction; make those fields private (remove
pub from security_headers_config and cached_security_headers in the AppState
struct), add a controlled mutator on AppState (e.g. update_security_headers(&mut
self, new_cfg: SecurityHeadersConfig) or refresh_security_headers_from(&self,
...) if using interior mutability) that updates both the SecurityHeadersConfig
and its CachedSecurityHeaders in sync, and update with_config/new to initialize
them via the new private fields; alternatively, document that AppState is
immutable after creation and ensure no public setters exist for those symbols.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/app-http/src/middleware/security_headers.rs`:
- Around line 328-376: CachedSecurityHeaders::from currently drops invalid
header strings silently by calling HeaderValue::from_str(...).ok(), which hides
misconfigurations once cached; update the From<&SecurityHeadersConfig> for
CachedSecurityHeaders implementation to attempt parsing each header with
HeaderValue::from_str and when parsing fails emit a single warning (e.g.,
tracing::warn! or the crate's logger) that includes the header name, the
offending config string, and the parse error, then continue with None for that
field so the behavior is unchanged but misconfigs are visible; apply this to all
fields parsed (content_security_policy, strict_transport_security,
permissions_policy, cross_origin_* etc.) inside CachedSecurityHeaders::from.

In `@scripts/tools.sha256`:
- Around line 22-28: The atlas checksum keys in scripts/tools.sha256 use the
pattern atlas-latest-{os}-{arch} which doesn't match the bootstrap lookup
atlas-v0.31.0-{os}-{arch}, causing checksum checks (and ENFORCE_CHECKSUMS) to
fail; fix by renaming the atlas entries in scripts/tools.sha256 from
atlas-latest-linux-amd64, atlas-latest-linux-arm64, atlas-latest-darwin-amd64,
atlas-latest-darwin-arm64, atlas-latest-windows-amd64 to
atlas-v0.31.0-linux-amd64, atlas-v0.31.0-linux-arm64,
atlas-v0.31.0-darwin-amd64, atlas-v0.31.0-darwin-arm64,
atlas-v0.31.0-windows-amd64 (or alternatively update the bootstrap lookup to
accept atlas-latest-* and ensure the automated updater maintains the chosen key
format).

---

Outside diff comments:
In `@crates/app-http/src/lib.rs`:
- Around line 248-375: AppState exposes public fields security_headers_config
and cached_security_headers which can diverge if callers mutate the config after
construction; make those fields private (remove pub from security_headers_config
and cached_security_headers in the AppState struct), add a controlled mutator on
AppState (e.g. update_security_headers(&mut self, new_cfg:
SecurityHeadersConfig) or refresh_security_headers_from(&self, ...) if using
interior mutability) that updates both the SecurityHeadersConfig and its
CachedSecurityHeaders in sync, and update with_config/new to initialize them via
the new private fields; alternatively, document that AppState is immutable after
creation and ensure no public setters exist for those symbols.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff55d9e and a441c9e.

📒 Files selected for processing (7)

• .github/workflows/ci-scope-guard.yml
• .github/workflows/tier1-selftest.yml
• crates/app-http/src/lib.rs
• crates/app-http/src/middleware/mod.rs
• crates/app-http/src/middleware/platform_auth.rs
• crates/app-http/src/middleware/security_headers.rs
• scripts/tools.sha256

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Log invalid header values when building the cache.

CachedSecurityHeaders::from silently drops invalid header values. With caching, a bad config now becomes a persistent, invisible failure. Consider logging parse errors once during cache creation to make misconfiguration obvious.

♻️ Proposed helper for parsing with warning

+fn parse_header(name: &str, value: &str) -> Option<HeaderValue> {
+    match HeaderValue::from_str(value) {
+        Ok(v) => Some(v),
+        Err(e) => {
+            tracing::warn!(header = name, value = %value, error = %e, "Invalid security header value");
+            None
+        }
+    }
+}
+
 impl From<&SecurityHeadersConfig> for CachedSecurityHeaders {
     fn from(config: &SecurityHeadersConfig) -> Self {
@@
-            x_frame_options: HeaderValue::from_str(&config.x_frame_options).ok(),
+            x_frame_options: parse_header("X-Frame-Options", &config.x_frame_options),

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/app-http/src/middleware/security_headers.rs` around lines 328 - 376,
CachedSecurityHeaders::from currently drops invalid header strings silently by
calling HeaderValue::from_str(...).ok(), which hides misconfigurations once
cached; update the From<&SecurityHeadersConfig> for CachedSecurityHeaders
implementation to attempt parsing each header with HeaderValue::from_str and
when parsing fails emit a single warning (e.g., tracing::warn! or the crate's
logger) that includes the header name, the offending config string, and the
parse error, then continue with None for that field so the behavior is unchanged
but misconfigs are visible; apply this to all fields parsed
(content_security_policy, strict_transport_security, permissions_policy,
cross_origin_* etc.) inside CachedSecurityHeaders::from.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This PR bundles multiple unrelated changes together: the main security headers optimization, tool checksum updates for oasdiff and atlas, and GitHub workflow improvements. While all changes appear correct individually, bundling unrelated changes makes it harder to review, understand the impact, and potentially revert specific changes if needed. Consider splitting unrelated changes into separate PRs in the future. Specifically: 1) Security headers optimization (primary focus), 2) Tool version updates, 3) GitHub workflow improvements for artifact naming and variable substitution.

[Copilot]

The conversion from SecurityHeadersConfig to CachedSecurityHeaders silently ignores headers that fail to parse using .ok(). While this matches the previous per-request behavior, it would be beneficial to add tracing warnings when header parsing fails during initialization, similar to the warning used for the SECURITY_HEADERS_ENABLED environment variable. This would help diagnose configuration issues at startup rather than discovering them through missing headers in production. Consider adding something like .map_err(|e| tracing::warn!("Failed to parse header: {}", e)).ok() for each header that might fail parsing.

Suggested change

	.and_then(|v| HeaderValue::from_str(v).ok()),
	x_frame_options: HeaderValue::from_str(&config.x_frame_options).ok(),
	x_content_type_options: HeaderValue::from_str(&config.x_content_type_options).ok(),
	x_xss_protection: HeaderValue::from_str(&config.x_xss_protection).ok(),
	strict_transport_security: config
	.strict_transport_security
	.as_ref()
	.and_then(|v| HeaderValue::from_str(v).ok()),
	referrer_policy: HeaderValue::from_str(&config.referrer_policy).ok(),
	permissions_policy: config
	.permissions_policy
	.as_ref()
	.and_then(|v| HeaderValue::from_str(v).ok()),
	cross_origin_embedder_policy: config
	.cross_origin_embedder_policy
	.as_ref()
	.and_then(|v| HeaderValue::from_str(v).ok()),
	cross_origin_opener_policy: config
	.cross_origin_opener_policy
	.as_ref()
	.and_then(|v| HeaderValue::from_str(v).ok()),
	cross_origin_resource_policy: HeaderValue::from_str(
	&config.cross_origin_resource_policy,
	)
	.and_then(|v| {
	HeaderValue::from_str(v)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse Content-Security-Policy header from config: {}",
	e
	);
	})
	.ok()
	}),
	x_frame_options: HeaderValue::from_str(&config.x_frame_options)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse X-Frame-Options header from config: {}",
	e
	);
	})
	.ok(),
	x_content_type_options: HeaderValue::from_str(&config.x_content_type_options)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse X-Content-Type-Options header from config: {}",
	e
	);
	})
	.ok(),
	x_xss_protection: HeaderValue::from_str(&config.x_xss_protection)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse X-XSS-Protection header from config: {}",
	e
	);
	})
	.ok(),
	strict_transport_security: config
	.strict_transport_security
	.as_ref()
	.and_then(|v| {
	HeaderValue::from_str(v)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse Strict-Transport-Security header from config: {}",
	e
	);
	})
	.ok()
	}),
	referrer_policy: HeaderValue::from_str(&config.referrer_policy)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse Referrer-Policy header from config: {}",
	e
	);
	})
	.ok(),
	permissions_policy: config
	.permissions_policy
	.as_ref()
	.and_then(|v| {
	HeaderValue::from_str(v)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse Permissions-Policy header from config: {}",
	e
	);
	})
	.ok()
	}),
	cross_origin_embedder_policy: config
	.cross_origin_embedder_policy
	.as_ref()
	.and_then(|v| {
	HeaderValue::from_str(v)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse Cross-Origin-Embedder-Policy header from config: {}",
	e
	);
	})
	.ok()
	}),
	cross_origin_opener_policy: config
	.cross_origin_opener_policy
	.as_ref()
	.and_then(|v| {
	HeaderValue::from_str(v)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse Cross-Origin-Opener-Policy header from config: {}",
	e
	);
	})
	.ok()
	}),
	cross_origin_resource_policy: HeaderValue::from_str(
	&config.cross_origin_resource_policy,
	)
	.map_err(|e| {
	tracing::warn!(
	"Failed to parse Cross-Origin-Resource-Policy header from config: {}",
	e
	);
	})

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The PR title/description focuses on optimizing the security headers middleware, but this file also updates multiple bootstrap tool versions/checksums (oasdiff/buf/atlas). Consider either updating the PR description to explicitly mention these tooling changes (and why they’re included), or splitting them into a separate PR to keep scope/auditability tight.

[Copilot]

AppState is a public struct in a publishable crate, and adding a new public field is a semver-breaking API change for any downstream users constructing AppState via struct literals. If AppState is intended to be part of the public API, consider making the new field private (and initializing it in AppState::new), or providing a non-exhaustive / builder-based construction pattern to avoid breaking external callers.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The bootstrap-tools.sh script does not correctly handle linux arm64 architecture for buf downloads. Line 80 maps arm64 to "arm64" for buf_arch, but buf releases use "aarch64" for Linux arm64 (as seen in tools_checksum_update.rs line 98). This will cause buf installation to fail on Linux arm64 systems.

The mapping should match what was done in tools_checksum_verify.rs line 203, where arm64 is mapped to "aarch64" specifically for linux.

Suggested change

	local buf_arch; case "$arch" in amd64) buf_arch="x86_64" ;; arm64) buf_arch="arm64" ;; esac
	local buf_arch; case "$arch" in amd64) buf_arch="x86_64" ;; arm64) if [ "$os" = "linux" ]; then buf_arch="aarch64"; else buf_arch="arm64"; fi ;; esac

[Copilot]

The conversion from SecurityHeadersConfig to CachedSecurityHeaders silently ignores header parsing failures by using .ok() on HeaderValue::from_str results. If a header value contains invalid characters, it will be silently omitted from responses, potentially creating a security vulnerability.

Consider adding logging (using tracing::warn!) when header parsing fails during initialization, similar to how the from_sources method logs parsing errors. This would help detect configuration issues early rather than silently dropping security headers.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

crates/xtask/src/commands/tools_checksum_verify.rs (1)

190-197: ⚠️ Potential issue | 🔴 Critical

Fix hardcoded tar.gz extension—Windows oasdiff assets are still .zip files.
The current code generates incorrect URLs for Windows: v1.11.10 release assets are oasdiff_1.11.10_windows_amd64.zip and oasdiff_1.11.10_windows_arm64.zip, not tar.gz. The inline comment claiming "1.11.10 uses tar.gz" is inaccurate. The hardcoded ext = "tar.gz" will produce 404 URLs and cause checksum verification to fail on Windows. Use platform-conditional logic to set the extension (tar.gz for Linux/macOS, zip for Windows).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/xtask/src/commands/tools_checksum_verify.rs` around lines 190 - 197,
The oasdiff URL builder in the "oasdiff" arm uses a hardcoded ext = "tar.gz"
which is incorrect for Windows releases; change the extension selection to be
platform-conditional (e.g., set ext to "zip" when os == "windows", otherwise
"tar.gz") so the formatted URL in the Ok(format!(...)) produces the correct
asset name; update the ext variable near the oas_arch calculation in the
"oasdiff" match arm in tools_checksum_verify.rs accordingly.

bootstrap-tools.sh (1)

88-95: ⚠️ Potential issue | 🔴 Critical

Fix buf download architecture name for Linux arm64.

The checksum updater generates checksums for buf-Linux-aarch64, but bootstrap attempts to download buf-Linux-arm64 on Linux arm64 systems, which will fail with a 404. Update the architecture mapping to use aarch64 for Linux arm64:

-  local buf_arch; case "$arch" in amd64) buf_arch="x86_64" ;; arm64) buf_arch="arm64" ;; esac
+  local buf_arch
+  case "$arch" in
+    amd64) buf_arch="x86_64" ;;
+    arm64)
+      if [ "$os" = "linux" ]; then
+        buf_arch="aarch64"
+      else
+        buf_arch="arm64"
+      fi
+      ;;
+  esac

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bootstrap-tools.sh` around lines 88 - 95, The download arch mapping is wrong
for Linux arm64: update the buf_arch assignment so arm64 maps to "aarch64" for
Linux (or conditionally set buf_arch="aarch64" when os == "linux" && arch ==
"arm64") so the constructed bin/url (variables buf_arch, bin, url, v, arch)
matches the checksum key (buf-Linux-aarch64) and avoids 404s.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@crates/xtask/src/commands/tools_checksum_update.rs`:
- Around line 118-145: The atlas entry with name "atlas" and version "v0.31.0"
has incorrect download URLs; replace each Platform.url in that Tool/Platform
list so they point to the community-edition artifacts named with the
atlas-community- prefix (i.e., use
"https://release.ariga.io/atlas/atlas-community-linux-amd64-v0.31.0",
"https://release.ariga.io/atlas/atlas-community-linux-arm64-v0.31.0",
"https://release.ariga.io/atlas/atlas-community-darwin-amd64-v0.31.0",
"https://release.ariga.io/atlas/atlas-community-darwin-arm64-v0.31.0", and for
Windows include the .exe suffix
"https://release.ariga.io/atlas/atlas-community-windows-amd64-v0.31.0.exe");
update the Platform.url values accordingly in the existing Platforms vector for
the atlas v0.31.0 entry.

---

Outside diff comments:
In `@bootstrap-tools.sh`:
- Around line 88-95: The download arch mapping is wrong for Linux arm64: update
the buf_arch assignment so arm64 maps to "aarch64" for Linux (or conditionally
set buf_arch="aarch64" when os == "linux" && arch == "arm64") so the constructed
bin/url (variables buf_arch, bin, url, v, arch) matches the checksum key
(buf-Linux-aarch64) and avoids 404s.

In `@crates/xtask/src/commands/tools_checksum_verify.rs`:
- Around line 190-197: The oasdiff URL builder in the "oasdiff" arm uses a
hardcoded ext = "tar.gz" which is incorrect for Windows releases; change the
extension selection to be platform-conditional (e.g., set ext to "zip" when os
== "windows", otherwise "tar.gz") so the formatted URL in the Ok(format!(...))
produces the correct asset name; update the ext variable near the oas_arch
calculation in the "oasdiff" match arm in tools_checksum_verify.rs accordingly.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a441c9e and 6792b75.

📒 Files selected for processing (4)

• bootstrap-tools.sh
• crates/xtask/src/commands/tools_checksum_update.rs
• crates/xtask/src/commands/tools_checksum_verify.rs
• scripts/tools.sha256

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

atlas v0.31.0 release ariga.io binaries

💡 Result:

Atlas v0.31.0 was released on Feb 6, 2025 (GitHub release tag v0.31.0). The release notes highlight custom schema rules, pgvector support, drift detection, and multi-project ER diagrams. [1]

Ariga CDN (“ariga.io” binaries) for v0.31.0 (community edition):

• Linux amd64: https://release.ariga.io/atlas/atlas-community-linux-amd64-v0.31.0 [2]
• Linux arm64: https://release.ariga.io/atlas/atlas-community-linux-arm64-v0.31.0 [2]

For other install methods, the release notes also point to the installer script (curl -sSf https://atlasgo.sh | sh) and the general Windows download endpoint under release.ariga.io. [1]

Sources: [1] [2]

---

🌐 Web query:

site:release.ariga.io atlas v0.31.0

💡 Result:

I couldn’t find any indexed results on release.ariga.io for “atlas v0.31.0” via web search.

However, the Atlas v0.31.0 release notes are available on the project’s GitHub Releases page. It was released on February 6, 2025, and highlights include custom schema rules, pgvector support, simpler drift detection, and multi-project ER diagrams. [1]

---

Update atlas v0.31.0 URLs to use the correct community edition paths.
The release binaries use atlas-community- prefix (e.g., atlas-community-linux-amd64-v0.31.0, not atlas-linux-amd64-v0.31.0). Verify and correct all five platform URLs to match the actual release artifacts on release.ariga.io.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@crates/xtask/src/commands/tools_checksum_update.rs` around lines 118 - 145,
The atlas entry with name "atlas" and version "v0.31.0" has incorrect download
URLs; replace each Platform.url in that Tool/Platform list so they point to the
community-edition artifacts named with the atlas-community- prefix (i.e., use
"https://release.ariga.io/atlas/atlas-community-linux-amd64-v0.31.0",
"https://release.ariga.io/atlas/atlas-community-linux-arm64-v0.31.0",
"https://release.ariga.io/atlas/atlas-community-darwin-amd64-v0.31.0",
"https://release.ariga.io/atlas/atlas-community-darwin-arm64-v0.31.0", and for
Windows include the .exe suffix
"https://release.ariga.io/atlas/atlas-community-windows-amd64-v0.31.0.exe");
update the Platform.url values accordingly in the existing Platforms vector for
the atlas v0.31.0 entry.

[github-actions]

Test Results

245 tests   207 ✅  12m 14s ⏱️
 25 suites   38 💤
  1 files      0 ❌

Results for commit a057f57.

♻️ This comment has been updated with latest results.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 12 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Architecture mismatch for buf on Linux ARM64: The buf_arch mapping on line 99 sets buf_arch to "arm64" for all arm64 platforms, but buf releases use "aarch64" for Linux ARM64 (see tools_checksum_update.rs line 98 which uses buf-Linux-aarch64). This causes the download URL to be incorrect (buf-Linux-arm64 instead of buf-Linux-aarch64), which will fail to download the tool. Add an os-specific check: case "$arch" in amd64) buf_arch="x86_64" ;; arm64) if [ "$os" = "linux" ]; then buf_arch="aarch64"; else buf_arch="arm64"; fi ;; esac

[Copilot]

PR contains unrelated changes: The PR title and description focus on "Optimize security headers middleware", but the changes also include tool version updates (oasdiff 1.11.7→1.11.10, buf 1.45.0→1.50.0, atlas latest→v0.31.0), CI workflow fixes (artifact naming, envsubst usage, sccache disabling), and bootstrap script improvements. Consider whether these should be in separate PRs for better traceability and easier review, or update the PR description to mention all changes.

[Copilot]

Duplicate success message: Line 21 prints "Checksum OK for $key" within the success branch, but line 28 also prints the same message unconditionally after the if block. This causes the success message to be printed twice. Remove the echo statement on line 28.

Suggested change

echo "Checksum OK for $key"