Azure · ZhidongPeng · Jun 8, 2026 · May 19, 2026 · May 21, 2026 · May 21, 2026
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
diff --git a/.github/workflows/bloat.yml b/.github/workflows/bloat.yml
@@ -0,0 +1,168 @@
+name: Bloat Budget
+
+# Enforce a hard cargo-bloat budget so silent binary
+# growth blocks merge. The musl static builds themselves live in
+# .github/workflows/reusable-build.yml (build-linux-amd64 / build-linux-arm64
+# / build-windows-amd64 / build-windows-arm64); this workflow only adds the
+# per-(target, role) regression gate on top of them.
+#
+# Per-target ceilings exist on purpose: a Linux musl binary and a Windows
+# MSVC binary (with static_vcruntime + windows-sys) have very different
+# baselines. One shared ceiling would either let Windows regress silently
+# or false-flag every Linux PR. See ci/README.md for the override path.
+
+on:
+  push:
+    branches: ["main", "dev"]
+  pull_request:
+    branches: ["main", "dev"]
+
+env:
+  CARGO_TERM_COLOR: always
+  # Strict default: every non-first-party crate must stay under this share of
+  # the text section. Per-(target, crate) exceptions live in the matrix below
+  # as `crate_share_overrides` so they're auditable and narrowly scoped.
+  MAX_CRATE_SHARE: "0.10"        # 10% of text per non-first-party crate
+
+concurrency:
+  group: bloat-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
+jobs:
+  bloat-budget:
+    name: bloat (${{ matrix.target }} / ${{ matrix.crate }})
+    runs-on: ${{ matrix.runs_on }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # -------- Linux x86_64 musl --------
+          - target: x86_64-unknown-linux-musl
+            runs_on: ubuntu-latest
+            crate: azure-proxy-agent
+            max_binary_bytes: "20000000"   # ~20 MB
+            # Vendored OpenSSL (approved crypto) is structurally ~20% of text
+            # for the agent on musl; HMAC-SHA256 in proxy_agent_shared pulls it.
+            crate_share_overrides: "openssl_sys=0.25"
+            apt_packages: musl-tools
+          - target: x86_64-unknown-linux-musl
+            runs_on: ubuntu-latest
+            crate: ProxyAgentExt
+            max_binary_bytes: "9000000"   # ~9 MB
+            crate_share_overrides: "clap_builder=0.15 regex_automata=0.15"
+            apt_packages: musl-tools
+          - target: x86_64-unknown-linux-musl
+            runs_on: ubuntu-latest
+            crate: proxy_agent_setup
+            max_binary_bytes: "6000000"   # ~6 MB
+            # proxy_agent_setup is tiny (~1 MiB text after the openssl gate),
+            # so a normal-sized clap derive parser is ~30% by share.
+            crate_share_overrides: "clap_builder=0.35"
+            apt_packages: musl-tools
+
+          # -------- Linux aarch64 musl (native arm64 runner) --------
+          - target: aarch64-unknown-linux-musl
+            runs_on: ubuntu-24.04-arm
+            crate: azure-proxy-agent
+            max_binary_bytes: "20000000" 
+            crate_share_overrides: "openssl_sys=0.15"
+            apt_packages: musl-tools
+          - target: aarch64-unknown-linux-musl
+            runs_on: ubuntu-24.04-arm
+            crate: ProxyAgentExt
+            max_binary_bytes: "16000000"
+            crate_share_overrides: "clap_builder=0.15 regex_automata=0.15"
+            apt_packages: musl-tools
+          - target: aarch64-unknown-linux-musl
+            runs_on: ubuntu-24.04-arm
+            crate: proxy_agent_setup
+            max_binary_bytes: "11000000"
+            crate_share_overrides: "clap_builder=0.35"
+            apt_packages: musl-tools
+
+          # -------- Windows x86_64 MSVC --------
+          - target: x86_64-pc-windows-msvc
+            runs_on: windows-latest
+            crate: azure-proxy-agent
+            max_binary_bytes: "10000000"
+          - target: x86_64-pc-windows-msvc
+            runs_on: windows-latest
+            crate: ProxyAgentExt
+            max_binary_bytes: "5000000"
+            crate_share_overrides: "clap_builder=0.20 regex_automata=0.15 regex_syntax=0.15"
+          - target: x86_64-pc-windows-msvc
+            runs_on: windows-latest
+            crate: proxy_agent_setup
+            max_binary_bytes: "4000000"
+            crate_share_overrides: "clap_builder=0.35 regex_automata=0.20 regex_syntax=0.15"
+
+          # -------- Windows aarch64 MSVC (cross-compiled on x64 runner) --------
+          - target: aarch64-pc-windows-msvc
+            runs_on: windows-latest
+            crate: azure-proxy-agent
+            max_binary_bytes: "8000000"
+            # No vendored OpenSSL on Windows (BCrypt), but the binary is much
+            # smaller so tokio's fixed cost crosses 10% by share.
+            crate_share_overrides: "tokio=0.12"
+          - target: aarch64-pc-windows-msvc
+            runs_on: windows-latest
+            crate: ProxyAgentExt
+            max_binary_bytes: "5000000"
+            crate_share_overrides: "clap_builder=0.20 regex_automata=0.20 regex_syntax=0.15"
+          - target: aarch64-pc-windows-msvc
+            runs_on: windows-latest
+            crate: proxy_agent_setup
+            max_binary_bytes: "4000000"
+            crate_share_overrides: "clap_builder=0.25 regex_automata=0.20 regex_syntax=0.15"
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install apt packages (Linux only)
+        if: runner.os == 'Linux' && matrix.apt_packages != ''
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ${{ matrix.apt_packages }}
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          key: bloat-${{ matrix.target }}-${{ matrix.crate }}
+
+      - name: Install cargo-bloat
+        run: cargo install cargo-bloat --locked
+
+      - name: Run cargo-bloat
+        shell: bash
+        run: |
+          cargo bloat --release --crates \
+            --target ${{ matrix.target }} \
+            -p ${{ matrix.crate }} \
+            --message-format json > bloat.json
+
+      - name: Enforce budget
+        shell: bash
+        run: |
+          overrides=""
+          for kv in ${{ matrix.crate_share_overrides }}; do
+            overrides="$overrides --crate-share-override $kv"
+          done
+          python3 ci/check_bloat.py \
+            --bloat-json bloat.json \
+            --max-binary-bytes ${{ matrix.max_binary_bytes }} \
+            --max-crate-share ${{ env.MAX_CRATE_SHARE }} \
+            $overrides \
+            | tee bloat-report.txt
+
+      - name: Upload bloat report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: bloat-report-${{ matrix.target }}-${{ matrix.crate }}
+          path: |
+            bloat.json
+            bloat-report.txt
+          if-no-files-found: warn
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,7 @@
 
 # Visual Studio cache/options directory
 .vs/
+
+# pentest run & results
+/pentest/*/results/
+__pycache__/
diff --git a/Cargo.lock b/Cargo.lock