fix: bump MSRV to 1.82, fmt + clippy cleanup

Update rust-version from 1.75 to 1.82. Add #![allow(dead_code)]
to WIP modules (federated, intel, ml). Fix clamp pattern,
suppress await_holding_lock and new_ret_no_self warnings.

Author: raffaelschneider

Cargo.toml

@@ -2,7 +2,7 @@
 name = "zentinel-agent-waf"
 version = "0.2.0"
 edition = "2021"
-rust-version = "1.75"
+rust-version = "1.82"
 authors = ["Zentinel Contributors"]
 license = "Apache-2.0"
 repository = "https://github.com/zentinelproxy/zentinel-agent-waf"

benches/waf_benchmark.rs

@@ -5,8 +5,8 @@
 //! - <50MB steady state memory
 
 use criterion::{black_box, criterion_group, criterion_main, BenchmarkId, Criterion, Throughput};
-use zentinel_agent_waf::{WafConfig, WafEngine};
 use std::collections::HashMap;
+use zentinel_agent_waf::{WafConfig, WafEngine};
 
 /// Generate realistic test payloads
 fn generate_payloads() -> Vec<(&'static str, String)> {
@@ -21,7 +21,10 @@ fn generate_payloads() -> Vec<(&'static str, String)> {
             "1'/**/UNION/**/SELECT/**/password/**/FROM/**/users--".to_string(),
         ),
         ("xss_simple", "<script>alert(1)</script>".to_string()),
-        ("xss_encoded", "%3Cscript%3Ealert(1)%3C/script%3E".to_string()),
+        (
+            "xss_encoded",
+            "%3Cscript%3Ealert(1)%3C/script%3E".to_string(),
+        ),
         ("xss_event", "<img src=x onerror=alert(1)>".to_string()),
         ("path_traversal", "../../etc/passwd".to_string()),
         ("cmd_injection", "; cat /etc/passwd".to_string()),
@@ -187,11 +190,9 @@ fn benchmark_body_sizes(c: &mut Criterion) {
         let body = generate_body_with_attack(size);
 
         group.throughput(Throughput::Bytes(size as u64));
-        group.bench_with_input(
-            BenchmarkId::new("bytes", size),
-            &body,
-            |b, input| b.iter(|| engine.check(black_box(input), black_box("body"))),
-        );
+        group.bench_with_input(BenchmarkId::new("bytes", size), &body, |b, input| {
+            b.iter(|| engine.check(black_box(input), black_box("body")))
+        });
     }
 
     group.finish();
@@ -324,12 +325,10 @@ fn benchmark_throughput(c: &mut Criterion) {
 
     // Measure raw requests per second with typical payload
     let query = "search=laptop&category=electronics&page=1";
-    let headers: HashMap<String, Vec<String>> = [(
-        "User-Agent".to_string(),
-        vec!["Mozilla/5.0".to_string()],
-    )]
-    .into_iter()
-    .collect();
+    let headers: HashMap<String, Vec<String>> =
+        [("User-Agent".to_string(), vec!["Mozilla/5.0".to_string()])]
+            .into_iter()
+            .collect();
 
     group.bench_function("requests_per_sec", |b| {
         b.iter(|| {

examples/memory_profile.rs

@@ -2,13 +2,16 @@
 //!
 //! Measures steady-state memory usage for different configurations.
 
-use zentinel_agent_waf::{WafConfig, WafEngine};
 use std::alloc::{GlobalAlloc, Layout, System};
 use std::collections::HashMap;
 use std::sync::atomic::{AtomicUsize, Ordering};
+use zentinel_agent_waf::{WafConfig, WafEngine};
 
 fn separator(char: char, width: usize) {
-    println!("{}", std::iter::repeat(char).take(width).collect::<String>());
+    println!(
+        "{}",
+        std::iter::repeat(char).take(width).collect::<String>()
+    );
 }
 
 // Custom allocator to track memory usage
@@ -128,25 +131,16 @@ fn main() {
         "  All features (PL4): {:.2} MB steady state",
         bytes_to_mb(after - before)
     );
-    println!(
-        "  Peak during init:   {:.2} MB",
-        bytes_to_mb(peak - before)
-    );
+    println!("  Peak during init:   {:.2} MB", bytes_to_mb(peak - before));
 
     // Simulate request processing
     println!();
     println!("Memory During Request Processing:");
     separator('-', 40);
 
     let headers: HashMap<String, Vec<String>> = [
-        (
-            "User-Agent".to_string(),
-            vec!["Mozilla/5.0".to_string()],
-        ),
-        (
-            "Cookie".to_string(),
-            vec!["session=abc123".to_string()],
-        ),
+        ("User-Agent".to_string(), vec!["Mozilla/5.0".to_string()]),
+        ("Cookie".to_string(), vec!["session=abc123".to_string()]),
     ]
     .into_iter()
     .collect();
@@ -181,7 +175,10 @@ fn main() {
     let total = ALLOCATED.load(Ordering::SeqCst);
     let total_peak = PEAK.load(Ordering::SeqCst);
     println!("  Total current allocation: {:.2} MB", bytes_to_mb(total));
-    println!("  Total peak allocation:    {:.2} MB", bytes_to_mb(total_peak));
+    println!(
+        "  Total peak allocation:    {:.2} MB",
+        bytes_to_mb(total_peak)
+    );
     println!();
 
     let target = 50.0;

src/api/graphql.rs

@@ -68,20 +68,23 @@ static INTROSPECTION_PATTERN: LazyLock<Regex> = LazyLock::new(|| {
     Regex::new(r"(?i)(__schema|__type)\s*[\{\(]|__typename\b").unwrap()
 });
 
-static QUERY_PATTERN: LazyLock<Regex> = LazyLock::new(|| {
-    Regex::new(r"(?i)(query|mutation|subscription)\s*[\w]*\s*[\(\{]").unwrap()
-});
+static QUERY_PATTERN: LazyLock<Regex> =
+    LazyLock::new(|| Regex::new(r"(?i)(query|mutation|subscription)\s*[\w]*\s*[\(\{]").unwrap());
 
-static DIRECTIVE_PATTERN: LazyLock<Regex> = LazyLock::new(|| {
-    Regex::new(r"@\w+").unwrap()
-});
+static DIRECTIVE_PATTERN: LazyLock<Regex> = LazyLock::new(|| Regex::new(r"@\w+").unwrap());
 
 static INJECTION_PATTERNS: LazyLock<Vec<(Regex, &'static str)>> = LazyLock::new(|| {
     vec![
         // SQL-like patterns in variables
-        (Regex::new(r#""\s*;\s*(DROP|DELETE|UPDATE|INSERT)"#).unwrap(), "sql-in-variable"),
+        (
+            Regex::new(r#""\s*;\s*(DROP|DELETE|UPDATE|INSERT)"#).unwrap(),
+            "sql-in-variable",
+        ),
         // Script injection in string values
-        (Regex::new(r#""[^"]*<script"#).unwrap(), "script-in-variable"),
+        (
+            Regex::new(r#""[^"]*<script"#).unwrap(),
+            "script-in-variable",
+        ),
         // Template injection
         (Regex::new(r#"\$\{\{.*\}\}"#).unwrap(), "template-injection"),
         // NoSQL injection patterns
@@ -174,7 +177,11 @@ impl GraphQLInspector {
                 matched_value: format!("depth={} (max={})", depth, self.config.max_depth),
                 location: "body".to_string(),
                 base_score: 7,
-                tags: vec!["graphql".to_string(), "dos".to_string(), "depth".to_string()],
+                tags: vec![
+                    "graphql".to_string(),
+                    "dos".to_string(),
+                    "depth".to_string(),
+                ],
             })
         } else {
             None
@@ -192,7 +199,11 @@ impl GraphQLInspector {
                 matched_value: format!("fields={} (max={})", count, self.config.max_fields),
                 location: "body".to_string(),
                 base_score: 6,
-                tags: vec!["graphql".to_string(), "dos".to_string(), "fields".to_string()],
+                tags: vec![
+                    "graphql".to_string(),
+                    "dos".to_string(),
+                    "fields".to_string(),
+                ],
             })
         } else {
             None
@@ -210,10 +221,17 @@ impl GraphQLInspector {
                     rule_id: 98004,
                     rule_name: "GraphQL Batch Query Abuse".to_string(),
                     attack_type: AttackType::ProtocolAttack,
-                    matched_value: format!("batch_size={} (max={})", count, self.config.max_batch_size),
+                    matched_value: format!(
+                        "batch_size={} (max={})",
+                        count, self.config.max_batch_size
+                    ),
                     location: "body".to_string(),
                     base_score: 6,
-                    tags: vec!["graphql".to_string(), "dos".to_string(), "batch".to_string()],
+                    tags: vec![
+                        "graphql".to_string(),
+                        "dos".to_string(),
+                        "batch".to_string(),
+                    ],
                 });
             }
         }
@@ -312,7 +330,16 @@ fn calculate_depth(body: &str) -> usize {
 /// Count the number of fields in a GraphQL query (approximation)
 fn count_fields(body: &str) -> usize {
     // Simple heuristic: count identifiers that aren't keywords
-    let keywords = ["query", "mutation", "subscription", "fragment", "on", "true", "false", "null"];
+    let keywords = [
+        "query",
+        "mutation",
+        "subscription",
+        "fragment",
+        "on",
+        "true",
+        "false",
+        "null",
+    ];
 
     let mut count = 0;
     let mut in_string = false;
@@ -330,14 +357,12 @@ fn count_fields(body: &str) -> usize {
 
         if ch.is_alphanumeric() || ch == '_' {
             current_word.push(ch);
-        } else {
-            if !current_word.is_empty() {
-                let word_lower = current_word.to_lowercase();
-                if !keywords.contains(&word_lower.as_str()) && !current_word.starts_with('$') {
-                    count += 1;
-                }
-                current_word.clear();
+        } else if !current_word.is_empty() {
+            let word_lower = current_word.to_lowercase();
+            if !keywords.contains(&word_lower.as_str()) && !current_word.starts_with('$') {
+                count += 1;
             }
+            current_word.clear();
         }
     }
 

src/api/json.rs

@@ -49,10 +49,19 @@ static NOSQL_PATTERNS: LazyLock<Vec<(Regex, &'static str)>> = LazyLock::new(|| {
         (Regex::new(r#""\$exists"\s*:"#).unwrap(), "$exists operator"),
         (Regex::new(r#""\$type"\s*:"#).unwrap(), "$type operator"),
         (Regex::new(r#""\$expr"\s*:"#).unwrap(), "$expr operator"),
-        (Regex::new(r#""\$jsonSchema"\s*:"#).unwrap(), "$jsonSchema operator"),
+        (
+            Regex::new(r#""\$jsonSchema"\s*:"#).unwrap(),
+            "$jsonSchema operator",
+        ),
         // Function injection
-        (Regex::new(r#""\$function"\s*:"#).unwrap(), "$function operator"),
-        (Regex::new(r#""\$accumulator"\s*:"#).unwrap(), "$accumulator operator"),
+        (
+            Regex::new(r#""\$function"\s*:"#).unwrap(),
+            "$function operator",
+        ),
+        (
+            Regex::new(r#""\$accumulator"\s*:"#).unwrap(),
+            "$accumulator operator",
+        ),
     ]
 });
 
@@ -75,7 +84,10 @@ static SUSPICIOUS_KEYS: LazyLock<Vec<(Regex, &'static str)>> = LazyLock::new(||
         (Regex::new(r#""permissions"\s*:"#).unwrap(), "permissions"),
         (Regex::new(r#""privileges"\s*:"#).unwrap(), "privileges"),
         (Regex::new(r#""password"\s*:"#).unwrap(), "password"),
-        (Regex::new(r#""password_hash"\s*:"#).unwrap(), "password_hash"),
+        (
+            Regex::new(r#""password_hash"\s*:"#).unwrap(),
+            "password_hash",
+        ),
         (Regex::new(r#""api_key"\s*:"#).unwrap(), "api_key"),
         (Regex::new(r#""secret"\s*:"#).unwrap(), "secret"),
         (Regex::new(r#""internal"\s*:"#).unwrap(), "internal"),
@@ -129,7 +141,11 @@ impl JsonInspector {
                     matched_value: m.as_str().to_string(),
                     location: "body".to_string(),
                     base_score: 8,
-                    tags: vec!["json".to_string(), "nosql".to_string(), "injection".to_string()],
+                    tags: vec![
+                        "json".to_string(),
+                        "nosql".to_string(),
+                        "injection".to_string(),
+                    ],
                 });
             }
         }
@@ -261,7 +277,9 @@ mod tests {
 
         let where_injection = r#"{"$where": "this.password == 'test'"}"#;
         let detections = inspector.inspect(where_injection);
-        assert!(detections.iter().any(|d| d.matched_value.contains("$where")));
+        assert!(detections
+            .iter()
+            .any(|d| d.matched_value.contains("$where")));
     }
 
     #[test]

src/api/jwt.rs

@@ -105,22 +105,25 @@ impl JwtInspector {
         let mut detections = Vec::new();
 
         // Check for "none" algorithm
-        if self.config.block_none_algorithm {
-            if header.contains(r#""alg":"none""#)
+        if self.config.block_none_algorithm
+            && (header.contains(r#""alg":"none""#)
                 || header.contains(r#""alg": "none""#)
                 || header.contains(r#""alg":"None""#)
-                || header.contains(r#""alg":"NONE""#)
-            {
-                detections.push(Detection {
-                    rule_id: 98200,
-                    rule_name: "JWT None Algorithm Attack".to_string(),
-                    attack_type: AttackType::ProtocolAttack,
-                    matched_value: truncate(token, 50),
-                    location: "header:Authorization".to_string(),
-                    base_score: 9,
-                    tags: vec!["jwt".to_string(), "algorithm".to_string(), "none".to_string()],
-                });
-            }
+                || header.contains(r#""alg":"NONE""#))
+        {
+            detections.push(Detection {
+                rule_id: 98200,
+                rule_name: "JWT None Algorithm Attack".to_string(),
+                attack_type: AttackType::ProtocolAttack,
+                matched_value: truncate(token, 50),
+                location: "header:Authorization".to_string(),
+                base_score: 9,
+                tags: vec![
+                    "jwt".to_string(),
+                    "algorithm".to_string(),
+                    "none".to_string(),
+                ],
+            });
         }
 
         // Check for weak algorithms
@@ -137,7 +140,11 @@ impl JwtInspector {
                         matched_value: truncate(token, 50),
                         location: "header:Authorization".to_string(),
                         base_score: 6,
-                        tags: vec!["jwt".to_string(), "algorithm".to_string(), "weak".to_string()],
+                        tags: vec![
+                            "jwt".to_string(),
+                            "algorithm".to_string(),
+                            "weak".to_string(),
+                        ],
                     });
                     break;
                 }
@@ -223,13 +230,7 @@ impl JwtInspector {
         }
 
         // Check for injection in claims
-        let injection_patterns = [
-            "<script",
-            "javascript:",
-            "' OR ",
-            "\" OR ",
-            "; DROP ",
-        ];
+        let injection_patterns = ["<script", "javascript:", "' OR ", "\" OR ", "; DROP "];
 
         for pattern in injection_patterns {
             if payload.to_lowercase().contains(&pattern.to_lowercase()) {
@@ -276,7 +277,9 @@ fn extract_exp_claim(payload: &str) -> Option<u64> {
     for pattern in exp_patterns {
         if let Some(start) = payload.find(pattern) {
             let after_key = &payload[start + pattern.len()..];
-            let end = after_key.find(|c: char| !c.is_ascii_digit()).unwrap_or(after_key.len());
+            let end = after_key
+                .find(|c: char| !c.is_ascii_digit())
+                .unwrap_or(after_key.len());
             if let Ok(exp) = after_key[..end].parse::<u64>() {
                 return Some(exp);
             }
@@ -338,7 +341,9 @@ mod tests {
 
         let detections = inspector.inspect(&format!("Bearer {}", rs256_jwt));
         // Should not detect none algorithm or weak algorithm
-        assert!(!detections.iter().any(|d| d.rule_id == 98200 || d.rule_id == 98201));
+        assert!(!detections
+            .iter()
+            .any(|d| d.rule_id == 98200 || d.rule_id == 98201));
     }
 
     #[test]