EvilBit-Labs · unclesp1d3r · Feb 7, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/.config/nextest.toml b/.config/nextest.toml
@@ -0,0 +1,71 @@
+# DaemonEye nextest configuration
+# Documentation: https://nexte.st/docs/configuration/
+
+[store]
+# Store test results and metadata
+dir = "target/nextest"
+
+# =============================================================================
+# TEST PROFILES
+# =============================================================================
+
+[profile.default]
+# Default test execution settings
+# Fail fast to quickly identify broken tests during development
+fail-fast = true
+# Run tests with moderate parallelism by default
+test-threads = "num-cpus"
+# Show test output for failures
+failure-output = "immediate-final"
+# Status level for test results
+status-level = "pass"
+# Slow-warning at 60s, hard-kill after 120s (60s × terminate-after 2)
+slow-timeout = { period = "60s", terminate-after = 2 }
+# No retries in local development (use CI profile for flaky-test retries)
+retries = 0
+
+[profile.default.junit]
+# JUnit XML output for CI integration
+path = "target/nextest/default/junit.xml"
+report-name = "daemoneye-tests"
+
+# -----------------------------------------------------------------------------
+# CI Profile - Optimized for continuous integration
+# Usage: cargo nextest run --profile ci
+# -----------------------------------------------------------------------------
+[profile.ci]
+# Don't fail fast in CI to get full test results
+fail-fast = false
+# Use all available CPUs in CI
+test-threads = "num-cpus"
+# Show all failures at the end
+failure-output = "final"
+# Higher timeout for CI environments (may be slower)
+slow-timeout = { period = "120s", terminate-after = 3 }
+# Retry flaky tests in CI
+retries = 2
+
+[profile.ci.junit]
+path = "target/nextest/ci/junit.xml"
+report-name = "daemoneye-ci-tests"
+store-success-output = false
+store-failure-output = true
+
+# -----------------------------------------------------------------------------
+# Coverage Profile - For running with llvm-cov
+# Usage: cargo llvm-cov nextest --profile coverage
+# -----------------------------------------------------------------------------
+[profile.coverage]
+# Coverage runs should be thorough
+fail-fast = false
+# Single-threaded for accurate coverage
+test-threads = 1
+# Extended timeout for coverage instrumentation overhead
+slow-timeout = { period = "180s", terminate-after = 2 }
+# No retries - we want deterministic results
+retries = 0
+failure-output = "immediate-final"
+
+[profile.coverage.junit]
+path = "target/nextest/coverage/junit.xml"
+report-name = "daemoneye-coverage-tests"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,10 @@ on:
         branches: [main]
     workflow_dispatch:
 
+# Restrict permissions to minimum required (principle of least privilege)
+permissions:
+    contents: read
+
 defaults:
     run:
         shell: bash
@@ -42,6 +46,7 @@ jobs:
                         - 'justfile'
                         - 'rust-toolchain.toml'
                         - 'deny.toml'
+                        - '.config/nextest.toml'
                       docs:
                         - 'docs/**'
                         - '*.md'
@@ -80,7 +85,7 @@ jobs:
                   github_token: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Run tests (all features)
-              run: cargo nextest run --all-features
+              run: cargo nextest run --profile ci --all-features
 
             - name: Build release
               run: cargo build --release --all-features
@@ -128,7 +133,7 @@ jobs:
                   github_token: ${{ secrets.GITHUB_TOKEN }}
 
             # Run tests and build the release binary
-            - run: cargo nextest run --all-features
+            - run: cargo nextest run --profile ci --all-features
             - run: cargo build --release --all-features
 
     # Generate coverage for TLS-enabled builds - only run when Rust code changes

diff --git a/.gitignore b/.gitignore
@@ -131,3 +131,5 @@ megalinter-reports/
 # Local Claude configuration
 .claude.local.md
 .claude/*.local.md
+
+.taskmaster/
diff --git a/AGENTS.md b/AGENTS.md
@@ -449,6 +449,11 @@ pub struct Cli {
 - Checks: fmt, clippy strict, tests, benchmarks
 - Security: Dependency scanning, SLSA (Enterprise)
 
+### Security Scanners
+
+- **zizmor**: GitHub Actions permissions - add explicit `permissions:` block to workflows
+- **CodeQL rust/cleartext-logging**: Don't interpolate sensitive values in assert messages
+
 ### Code Review
 
 - Primary tool: coderabbit.ai

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/daemoneye-lib/Cargo.toml b/daemoneye-lib/Cargo.toml
@@ -99,6 +99,7 @@ prost-build = { workspace = true }
 [dev-dependencies]
 assert_cmd = { workspace = true }
 criterion = { workspace = true }
+insta = { workspace = true }
 predicates = { workspace = true }
 proptest = { workspace = true }