Release v1.0.1 — Maintenance & Audit Patch

Closes the gap between what the 1.0.0 release notes claimed and
what actually shipped, restores Windows builds under
--all-features, clears the post-release security advisory
backlog, and tunes crate metadata for crates.io discoverability.
No public API changes. MSRV unchanged at 1.82.0.

Fixed:
- Windows --all-features build: pprof moved under
  [target.'cfg(unix)'.dependencies] (relies on POSIX libc types).
- src/profiling.rs split: pprof-backed CpuProfiler is Unix-only;
  dhat-backed heap profiling stays cross-platform.
- RUSTSEC-2024-0408: pprof actually bumped 0.13 -> 0.14 (the 1.0.0
  changelog claimed this but it never landed in Cargo.toml).
- Rust 1.95 clippy: cleared 8 stable lints (map_unwrap_or,
  duration_suboptimal_units) and 21 latent Windows-feature lints
  (raw-pointer borrows -> addr_of_mut!, as-casts -> From/TryFrom,
  inlined format!, missing # Errors docs, attribute ordering on
  windows IPC module).
- README: removed broken links (dev/release-notes/v1.0.0.md,
  CONTRIBUTING.md), replaced fake `cargo unsafe-all-targets` with
  `cargo geiger`, corrected test count, bumped install snippets
  to 1.0.1.
- CI: MSRV check pins indexmap 2.10.0 after generate-lockfile
  (indexmap 2.14.0 requires edition2024 Cargo feature; Cargo 1.82
  cannot parse it). Security Audit job: fixed malformed step that
  ran actions/checkout@v4 instead of installing the toolchain.

Changed:
- Crate metadata for crates.io visibility:
  - Description rewritten to lead with 'async daemon framework'
    and mention Tokio.
  - Keywords: `systemd` (misleading; no systemd integration) ->
    `async`.
  - Categories: `network-programming` (incorrect; no networking)
    and `development-tools` (generic) -> `asynchronous` and
    `command-line-utilities`.
- Semver-compatible dep bumps: tokio 1.37->1.52, arc-swap 1.7->1.9,
  parking_lot 0.12->0.12.5, dashmap 6.0->6.2, once_cell 1.19->1.21,
  fastrand 2.0->2.4, pprof 0.13->0.14, proptest (dev) 1.6->1.11.
- .cargo/audit.toml: documented allow-list rationale; added
  RUSTSEC-2026-0097 (dev-only rand soundness via proptest).

Verified on Windows 11 / Rust 1.95.0:
- `cargo build --all-features` clean (was broken on 1.0.0)
- `cargo test --all-features`: 39 unit + 5 integration + 3 doc
- `cargo clippy --all-targets -- -D warnings` clean across all
  non-Unix feature combinations including windows-monitoring
- `cargo fmt --check` clean
- `cargo audit` exit 0 (3 documented allow-listed advisories)

Release notes: docs/release-notes/v1.0.1.md
Full changelog: CHANGELOG.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: James Gober

.cargo/audit.toml

@@ -1,5 +1,17 @@
 [advisories]
+# Allowed advisories with rationale:
+#
+# - RUSTSEC-2025-0052: async-std is discontinued upstream. Kept as an optional
+#   feature for existing users; will be removed in v2.0.0. Not in the default
+#   build path.
+# - RUSTSEC-2024-0384: `instant` is unmaintained. Reaches us only via
+#   signal-hook-async-std → futures-lite → async-io → instant. Removed once
+#   the async-std feature is dropped in v2.0.0.
+# - RUSTSEC-2026-0097: rand 0.9 is unsound with a custom logger using
+#   rand::rng(). Pulled in via proptest (dev-only). Not used in production
+#   code; runtime daemons do not exercise rand::rng().
 ignore = [
   "RUSTSEC-2025-0052",
   "RUSTSEC-2024-0384",
+  "RUSTSEC-2026-0097",
 ]

.github/workflows/ci.yml

@@ -130,13 +130,14 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Security audit
-        uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
         with:
           components: rustfmt, clippy
+
       - name: Install cargo-audit
         run: cargo install cargo-audit
+
       - name: Run security audit
         run: cargo audit
 
@@ -216,10 +217,18 @@ jobs:
       # Regenerate Cargo.lock to ensure compatibility
       - name: Delete existing Cargo.lock
         run: rm -f Cargo.lock
-        
+
       - name: Regenerate Cargo.lock with MSRV
         run: cargo generate-lockfile
-        
+
+      # Pin transitive deps that have raised their MSRV beyond ours.
+      # Cargo 1.82 lacks MSRV-aware resolver (stabilized in 1.84), so newly
+      # published versions can break the regenerated lockfile. Drop these
+      # pins when MSRV is raised.
+      - name: Pin MSRV-incompatible transitive deps
+        run: |
+          cargo update -p indexmap --precise 2.10.0 || true
+
       - name: Check MSRV compatibility (lib only, no default features)
         run: cargo check --lib --no-default-features
 

CHANGELOG.md

@@ -12,6 +12,42 @@
 
 - _No changes yet._
 
+## [1.0.1] - 2026-05-18
+
+### Fixed
+
+- **Windows build**: `cargo build --all-features` now compiles on Windows. `pprof` is moved under `[target.'cfg(unix)'.dependencies]` because it relies on POSIX libc types (`pthread_t`, `siginfo_t`, `ucontext_t`). The `profiling` feature still exposes the CPU profiler on Unix; `heap-profiling` remains cross-platform via `dhat`.
+- **Security**: `pprof` upgraded from `0.13` to `0.14`, resolving RUSTSEC-2024-0408 (unsound `std::slice::from_raw_parts` usage). The 1.0.0 CHANGELOG claimed this was done in 1.0.0-RC2; it was not — fixed here.
+- **Clippy on Rust 1.95**: cleared all 8 stable-toolchain warnings:
+  - `map_unwrap_or` in `src/config.rs` and `src/daemon.rs`
+  - `duration_suboptimal_units` (e.g. `Duration::from_millis(5000)` → `Duration::from_secs(5)`) in `src/config.rs` and `src/subsystem.rs`
+- **Windows monitoring lints** (`windows-monitoring` feature): replaced `&mut local` with `addr_of_mut!`, switched `as` casts to `From`/`TryFrom`, inlined `format!` args, added missing `# Errors` docs in `src/ipc.rs`, and corrected the inner/outer attribute ordering on the Windows IPC module.
+- **README accuracy**: removed broken links to `./dev/release-notes/v1.0.0.md` and `CONTRIBUTING.md` (neither exists in-tree), replaced the non-existent `cargo unsafe-all-targets` invocation with `cargo geiger`, and corrected the test-count claim.
+- **CI workflow**:
+  - `MSRV Check`: pin `indexmap` to `2.10.0` after `cargo generate-lockfile` because `indexmap 2.14.0+` requires the `edition2024` Cargo feature (stabilized in Rust 1.85), which Cargo 1.82 cannot parse. The MSRV-aware resolver landed in Cargo 1.84; this pin is a temporary backstop until MSRV is raised.
+  - `Security Audit`: fixed a malformed step — the `Security audit` step was incorrectly using `actions/checkout@v4` instead of installing the toolchain; corrected to install Rust before invoking `cargo audit`.
+
+### Changed
+
+- **Crate metadata** (crates.io visibility):
+  - Description rewritten to lead with "async daemon framework" and mention Tokio explicitly.
+  - Keywords: `systemd` (misleading — no systemd integration) replaced with `async`.
+  - Categories: `network-programming` (incorrect — no networking in this crate) and `development-tools` (too generic) replaced with `asynchronous` and `command-line-utilities`.
+- **Dependency bumps** (semver-compatible):
+  - `tokio` 1.37 → 1.52
+  - `parking_lot` 0.12 → 0.12.5
+  - `arc-swap` 1.7 → 1.9
+  - `dashmap` 6.0 → 6.2
+  - `once_cell` 1.19 → 1.21
+  - `fastrand` 2.0 → 2.4
+  - `pprof` 0.13 → 0.14
+  - `proptest` (dev) 1.6 → 1.11 (also resolves rand-tree warnings)
+- **`.cargo/audit.toml`**: added rationale comments for each allowlist entry. `RUSTSEC-2025-0052` (async-std discontinued) and `RUSTSEC-2024-0384` (instant unmaintained) remain allow-listed for the optional `async-std` feature path (to be removed in v2.0.0). Added `RUSTSEC-2026-0097` (dev-only rand soundness via proptest 1.11).
+
+### Removed
+
+- `dhat` dep declaration no longer hidden behind a quoted bare key (`"dhat"` → `dhat`).
+
 ## [1.0.0] - 2026-02-23
 
 ### Added
@@ -238,7 +274,8 @@ Initial pre-dev release.
 - Project scaffolding, documentation structure, and license
 
 
-[Unreleased]: https://github.com/jamesgober/proc-daemon/compare/v1.0.0...HEAD
+[Unreleased]: https://github.com/jamesgober/proc-daemon/compare/v1.0.1...HEAD
+[1.0.1]: https://github.com/jamesgober/proc-daemon/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/jamesgober/proc-daemon/compare/v1.0.0-rc2...v1.0.0
 [1.0.0-RC2]: https://github.com/jamesgober/proc-daemon/compare/v1.0.0-rc.1...v1.0.0-rc2
 [1.0.0-RC.1]: https://github.com/jamesgober/proc-daemon/compare/v0.9.0...v1.0.0-rc.1