Add versioned public corpus generation and verification via xtask

[EffortlessSteven]

Motivation

• Produce a canonical, versioned fixture corpus that downstream parsers and other-language test suites can consume without depending on repository internals.
• Ensure deterministic, order-independent generation of a small, useful set of fixture cases (good and negative) to make release diffs and compatibility explicit.
• Provide a reproducible verification step so checked-in corpus artifacts can be rebuilt and byte-compared to prevent accidental drift.

Description

• Add a new cargo xtask corpus command group with Build and Verify subcommands and wire the CLI to call corpus::build() and corpus::verify() in xtask/src/main.rs.
• Implement corpus generation and verification logic in xtask/src/corpus.rs, including deterministic fixture creation from a stable seed, per-case case.json metadata, a top-level manifest.json, BLAKE3 file hashes, and README emission.
• Emit a deterministic directory layout under corpus/v{version}/ with semantic case IDs and families (x509/, jwks/, tokens/, negative/), and include an initial minimal corpus at corpus/v0.5.1/.
• Update workspace and xtask dependencies (blake3, tempfile, and the uselesskey facade) in xtask/Cargo.toml and the root Cargo.toml so the xtask can instantiate fixtures and compute hashes, and add unit tests covering build/verify invariants.

Testing

• Ran unit tests with cargo test -p xtask, which completed successfully (106 passed, 0 failed).
• Built the corpus with cargo xtask corpus build, which produced corpus/v0.5.1 successfully.
• Verified the checked-in corpus byte-for-byte with cargo xtask corpus verify, which passed.
• Ran the repository no-blob check via cargo xtask no-blob, which completed successfully.

---

Codex Task

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[gitguardian]

⚠️ GitGuardian has uncovered 4 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
29312746	Triggered	JSON Web Token	7f52eca	corpus/v0.5.1/tokens/jwt_hs256_basic/authorization_header.txt	View secret
29312745	Triggered	Generic High Entropy Secret	7f52eca	xtask/src/corpus.rs	View secret
29312746	Triggered	JSON Web Token	7f52eca	corpus/v0.5.1/tokens/jwt_hs256_basic/token.txt	View secret
29312744	Triggered	Generic Private Key	7f52eca	corpus/v0.5.1/x509/x509_chain_good_default/leaf_key.pk8.pem	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. Learn here the best practices.
3. Revoke and rotate these secrets.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[coderabbitai]

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 6 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 5 minutes and 6 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 68f3557a-81db-4052-b761-0627755b86c9

📥 Commits

Reviewing files that changed from the base of the PR and between e79ad4d and beccbf0.

⛔ Files ignored due to path filters (13)

• Cargo.lock is excluded by !**/*.lock
• corpus/v0.5.1/negative/pem_corrupt_truncated/private_key_corrupt.pem is excluded by !**/*.pem
• corpus/v0.5.1/negative/pem_corrupt_truncated/reference_public_key.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_good_default/chain.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_good_default/intermediate_cert.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_good_default/leaf_cert.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_good_default/leaf_key.pk8.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_good_default/root_cert.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_revoked_leaf/intermediate_cert.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_revoked_leaf/leaf_cert.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_revoked_leaf/leaf_revocation.crl.pem is excluded by !**/*.pem
• corpus/v0.5.1/x509/x509_chain_revoked_leaf/root_cert.pem is excluded by !**/*.pem
• fuzz/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (15)

• Cargo.toml
• corpus/README.md
• corpus/v0.5.1/README.md
• corpus/v0.5.1/jwks/jwk_set_rotated_phase_2/case.json
• corpus/v0.5.1/jwks/jwk_set_rotated_phase_2/jwks.json
• corpus/v0.5.1/manifest.json
• corpus/v0.5.1/negative/pem_corrupt_truncated/case.json
• corpus/v0.5.1/tokens/jwt_hs256_basic/authorization_header.txt
• corpus/v0.5.1/tokens/jwt_hs256_basic/case.json
• corpus/v0.5.1/tokens/jwt_hs256_basic/token.txt
• corpus/v0.5.1/x509/x509_chain_good_default/case.json
• corpus/v0.5.1/x509/x509_chain_revoked_leaf/case.json
• xtask/Cargo.toml
• xtask/src/corpus.rs
• xtask/src/main.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/add-versioned-fixture-corpus

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 94d0dcfd3c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Rename HS256 case or emit an actual HS256 token

corpus_cases labels this fixture as jwt_hs256_basic/"HS256", but the token bytes come from TokenSpec::oauth_access_token() (line 174), which emits a JWT header with "alg":"RS256". Downstream consumers using the case ID/description to drive HS256 verification tests will get false failures against a mislabeled corpus artifact. Please make the metadata and emitted token algorithm consistent (either rename to RS256-shaped or generate a real HS256 fixture).

Useful? React with 👍 / 👎.