Two coupled majors that have been blocking the rest of the
Dart-side dependency lift in Studio (the constraint solver
pins meta/characters/etc. through these). Picked up:
- grpc 5.1.0 (was 4.2.0)
- protobuf 6.0.0 (was 4.2.0)
- analyzer 13.0.0, _fe_analyzer_shared 100.0.0
- google_cloud 0.5.0, googleapis_auth 2.3.1 (transitive)
The bindings now live in `lib/src/generated/fai/v1/` only —
the well-known-types `lib/src/generated/google/protobuf/`
copy has been deleted. protobuf 6 ships its own bundled
`well_known_types/google/protobuf/empty.pb.dart` and the
`HubAdminClient` API expects the *packaged* Empty type;
emitting a local copy created two distinct Empty types and
broke every `_admin.<rpc>(Empty())` call site.
`tools/generate.sh` now skips the WKT generation pass and
wipes `lib/src/generated/google/` on every run so the
duplicate-types breakage can't regress silently. The
import in `hub_client.dart` switches from the local copy to
`package:protobuf/well_known_types/google/protobuf/empty.pb
.dart`.
Smoke-verified: dart analyze clean, dart test green
(4 tests). Bumped to 0.17.0 — Studio absorbs in the next
commit.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
18 scenarios that verify the security script's rules still
trip on every tripwire — PATs, AWS keys, PEM headers, env
files, allowlist exempts, confidentiality terms, marketing
phrases, .security-allow exclusion, plus message-mode
(Conventional Commits, DCO, Claude trailer, banned phrases).
Wired into the security workflow as a second-line gate after
the diff-based check. Catches the refactor-weakens-a-rule
class of regression: the diff scan can be green while a rule
silently no-ops; the harness fails loudly when that happens.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
Mirrors the hook + script from `fai/platform`@1ebf893 verbatim
so commits to fai_dart_sdk go through the same gate: secrets,
forbidden filenames, confidentiality references, marketing-
speak, DCO sign-off, Conventional Commits subject, no Claude
co-author trailer.
No `.security-allow` needed here — the SDK has no banned-words
gate or policy doc that mentions the filtered terms verbatim.
A full-history dry-run came back clean.
Activate once per clone with `bash tools/install-hooks.sh`.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>
Proto codegen wired in. tools/generate.sh wraps protoc against
../fai_platform/proto/, including the well-known types (Empty,
Struct, Timestamp) so they are generated alongside fai's own
messages — protobuf 4.x doesn't ship them as importable Dart
types, so we have to generate them ourselves.
HubClient now exposes typed methods backed by real RPCs:
- healthy() — Hub.Health probe (returns false on connect refused).
- listCapabilities() — HubAdmin.ListCapabilities.
- eventLog() — HubAdmin.EventLog with type filter.
- listApprovals() — HubAdmin.ListApprovals (status filter).
- approve() / reject() — HubAdmin.DecideApproval.
Generated bindings under lib/src/generated/ are excluded from
analyze (out of our style control). protoc_plugin pinned to
22.2.0 in tools/generate.sh comment because newer plugins
generate code against protobuf 6.x, while grpc 4.x still
constrains us to protobuf 4.x.
Bumps fai_dart_sdk 0.1.0 -> 0.2.0.
Signed-off-by: flemming-it <stefan.a.flemming@googlemail.com>