fix(prover): apply cargo fmt formatting to prover and cli source files

zredlined · zredlined · commit f8a78cf91161 · 2026-04-03T21:40:24.000-07:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/openshell-cli/src/main.rs b/crates/openshell-cli/src/main.rs
@@ -1877,13 +1877,14 @@ async fn main() -> Result<()> {
         // Top-level policy (was `sandbox policy`)
         // -----------------------------------------------------------
         Some(Commands::Policy {
-            command: Some(PolicyCommands::Prove {
-                policy,
-                credentials,
-                registry,
-                accepted_risks,
-                compact,
-            }),
+            command:
+                Some(PolicyCommands::Prove {
+                    policy,
+                    credentials,
+                    registry,
+                    accepted_risks,
+                    compact,
+                }),
         }) => {
             // Prove runs locally — no gateway needed.
             let exit_code = openshell_prover::prove(
diff --git a/crates/openshell-prover/src/accepted_risks.rs b/crates/openshell-prover/src/accepted_risks.rs
@@ -106,10 +106,7 @@ fn path_matches_risk(path: &FindingPath, risk: &AcceptedRisk) -> bool {
 /// A finding is accepted if **all** of its paths match at least one accepted
 /// risk entry for that query. If only some paths match, the finding stays
 /// active with the unmatched paths.
-pub fn apply_accepted_risks(
-    findings: Vec<Finding>,
-    accepted: &[AcceptedRisk],
-) -> Vec<Finding> {
+pub fn apply_accepted_risks(findings: Vec<Finding>, accepted: &[AcceptedRisk]) -> Vec<Finding> {
     if accepted.is_empty() {
         return findings;
     }
diff --git a/crates/openshell-prover/src/credentials.rs b/crates/openshell-prover/src/credentials.rs
@@ -213,10 +213,7 @@ fn load_api_registry(path: &Path) -> Result<ApiCapability> {
 /// Load credentials and all API registries from the registry directory.
 ///
 /// Expects `{registry_dir}/apis/*.yaml`.
-pub fn load_credential_set(
-    credentials_path: &Path,
-    registry_dir: &Path,
-) -> Result<CredentialSet> {
+pub fn load_credential_set(credentials_path: &Path, registry_dir: &Path) -> Result<CredentialSet> {
     let creds = load_credentials(credentials_path)?;
 
     let mut api_registries = HashMap::new();
diff --git a/crates/openshell-prover/src/lib.rs b/crates/openshell-prover/src/lib.rs
@@ -50,7 +50,9 @@ pub fn prove(
             if crate_registry.is_dir() {
                 std::borrow::Cow::Owned(crate_registry)
             } else {
-                std::borrow::Cow::Owned(std::env::current_dir().unwrap_or_default().join("registry"))
+                std::borrow::Cow::Owned(
+                    std::env::current_dir().unwrap_or_default().join("registry"),
+                )
             }
         });
 
@@ -177,8 +179,7 @@ filesystem_policy:
         let reg_dir = registry_dir();
 
         let pol = policy::parse_policy(&policy_path).expect("parse policy");
-        let cred_set =
-            credentials::load_credential_set(&creds_path, &reg_dir).expect("load creds");
+        let cred_set = credentials::load_credential_set(&creds_path, &reg_dir).expect("load creds");
         let bin_reg = registry::load_binary_registry(&reg_dir).expect("load registry");
 
         let z3_model = model::build_model(pol, cred_set, bin_reg);
@@ -198,9 +199,10 @@ filesystem_policy:
 
         // At least one critical or high finding.
         assert!(
-            findings
-                .iter()
-                .any(|f| matches!(f.risk, finding::RiskLevel::Critical | finding::RiskLevel::High)),
+            findings.iter().any(|f| matches!(
+                f.risk,
+                finding::RiskLevel::Critical | finding::RiskLevel::High
+            )),
             "expected at least one critical/high finding"
         );
     }
@@ -213,8 +215,7 @@ filesystem_policy:
         let reg_dir = registry_dir();
 
         let pol = policy::parse_policy(&policy_path).expect("parse policy");
-        let cred_set =
-            credentials::load_credential_set(&creds_path, &reg_dir).expect("load creds");
+        let cred_set = credentials::load_credential_set(&creds_path, &reg_dir).expect("load creds");
         let bin_reg = registry::load_binary_registry(&reg_dir).expect("load registry");
 
         let z3_model = model::build_model(pol, cred_set, bin_reg);
diff --git a/crates/openshell-prover/src/queries.rs b/crates/openshell-prover/src/queries.rs
@@ -99,14 +99,10 @@ pub fn check_data_exfiltration(model: &ReachabilityModel) -> Vec<Finding> {
                 .to_owned(),
         );
     }
-    remediation.push(
-        "Restrict filesystem read access to only the paths the agent needs.".to_owned(),
-    );
+    remediation
+        .push("Restrict filesystem read access to only the paths the agent needs.".to_owned());
 
-    let paths: Vec<FindingPath> = exfil_paths
-        .into_iter()
-        .map(FindingPath::Exfil)
-        .collect();
+    let paths: Vec<FindingPath> = exfil_paths.into_iter().map(FindingPath::Exfil).collect();
 
     let n_paths = paths.len();
     vec![Finding {
@@ -142,8 +138,7 @@ pub fn check_write_bypass(model: &ReachabilityModel) -> Vec<Finding> {
 
                     // Check: binary bypasses L7 and can write
                     if cap.bypasses_l7() && cap.can_write() {
-                        let cred_actions =
-                            collect_credential_actions(model, &ep.host, &cap);
+                        let cred_actions = collect_credential_actions(model, &ep.host, &cap);
                         if !cred_actions.is_empty()
                             || model.credentials.credentials_for_host(&ep.host).is_empty()
                         {
@@ -161,8 +156,7 @@ pub fn check_write_bypass(model: &ReachabilityModel) -> Vec<Finding> {
 
                     // Check: L4-only endpoint + binary can construct HTTP + credential has write
                     if !ep.is_l7_enforced() && cap.can_construct_http {
-                        let cred_actions =
-                            collect_credential_actions(model, &ep.host, &cap);
+                        let cred_actions = collect_credential_actions(model, &ep.host, &cap);
                         if !cred_actions.is_empty() {
                             bypass_paths.push(WriteBypassPath {
                                 binary: b.path.clone(),
@@ -193,9 +187,7 @@ pub fn check_write_bypass(model: &ReachabilityModel) -> Vec<Finding> {
     vec![Finding {
         query: "write_bypass".to_owned(),
         title: "Write Bypass Detected — Read-Only Intent Violated".to_owned(),
-        description: format!(
-            "{n} path(s) allow write operations despite read-only policy intent."
-        ),
+        description: format!("{n} path(s) allow write operations despite read-only policy intent."),
         risk: RiskLevel::High,
         paths,
         remediation: vec![
diff --git a/crates/openshell-prover/src/report.rs b/crates/openshell-prover/src/report.rs
@@ -283,7 +283,10 @@ pub fn render_report(findings: &[Finding], policy_path: &str, credentials_path:
                 risk_label(finding.risk).dimmed(),
                 finding.title.dimmed()
             );
-            println!("  {}", format!("Reason: {}", finding.accepted_reason).dimmed());
+            println!(
+                "  {}",
+                format!("Reason: {}", finding.accepted_reason).dimmed()
+            );
             println!();
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -283,7 +283,10 @@ pub fn render_report(findings: &[Finding], policy_path: &str, credentials_path:`
`283`	`283`	`risk_label(finding.risk).dimmed(),`
`284`	`284`	`finding.title.dimmed()`
`285`	`285`	`);`
`286`		`- println!(" {}", format!("Reason: {}", finding.accepted_reason).dimmed());`
	`286`	`+ println!(`
	`287`	`+ " {}",`
	`288`	`+ format!("Reason: {}", finding.accepted_reason).dimmed()`
	`289`	`+ );`
`287`	`290`	`println!();`
`288`	`291`	`}`
`289`	`292`	`}`