From 7191208f5184a5c363b2db8af8ecdee99ca92b66 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 15 Jul 2024 17:32:02 +0000
Subject: [PATCH 01/13] Bump setuptools in
 /crates/ext-processor/protobuf/protoc-gen-validate

Bumps [setuptools](https://github.com/pypa/setuptools) from 65.5.1 to 70.0.0.
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](https://github.com/pypa/setuptools/compare/v65.5.1...v70.0.0)

---
updated-dependencies:
- dependency-name: setuptools
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .../ext-processor/protobuf/protoc-gen-validate/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/ext-processor/protobuf/protoc-gen-validate/requirements.txt b/crates/ext-processor/protobuf/protoc-gen-validate/requirements.txt
index 3f7d206c..ec853936 100644
--- a/crates/ext-processor/protobuf/protoc-gen-validate/requirements.txt
+++ b/crates/ext-processor/protobuf/protoc-gen-validate/requirements.txt
@@ -5,6 +5,6 @@ isort==5.7.0
 build==0.3.0
 twine==3.3.0
 wheel==0.38.1
-setuptools==65.5.1
+setuptools==70.0.0
 protobuf==3.20.2
 setuptools_scm[toml]>=6.2

From 599ddfa58e5911d69b42ab20918c4a7ce5e2d82f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 22 Jul 2024 18:14:44 +0000
Subject: [PATCH 02/13] Bump openssl from 0.10.64 to 0.10.66

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.64 to 0.10.66.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.66)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 Cargo.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 4eb5db31..0ef2f214 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2256,9 +2256,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
 
 [[package]]
 name = "openssl"
-version = "0.10.64"
+version = "0.10.66"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f"
+checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1"
 dependencies = [
  "bitflags 2.6.0",
  "cfg-if",
@@ -2288,9 +2288,9 @@ checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.102"
+version = "0.9.103"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2"
+checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6"
 dependencies = [
  "cc",
  "libc",

From 1a13298e5f02f904d2fd583019fedfec2ee57219 Mon Sep 17 00:00:00 2001
From: Bob Aman <bob@sporkmonger.com>
Date: Fri, 9 Aug 2024 15:14:04 -0500
Subject: [PATCH 03/13] Describe some of the metrics

---
 crates/ext-processor/src/service.rs | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/crates/ext-processor/src/service.rs b/crates/ext-processor/src/service.rs
index f5d3abbe..45bdfc82 100644
--- a/crates/ext-processor/src/service.rs
+++ b/crates/ext-processor/src/service.rs
@@ -248,7 +248,15 @@ impl BulwarkProcessor {
             "combined_decision",
             "outcome" => "restricted",
         );
+        metrics::describe_histogram!(
+            "combined_decision",
+            "Counters for each combined decision outcome."
+        );
         metrics::register_histogram!("combined_decision_score");
+        metrics::describe_histogram!(
+            "combined_decision_score",
+            "A histogram over the combined decision scores for all requests processed."
+        );
 
         let redis_pool: Option<Arc<deadpool_redis::Pool>> =
             if let Some(redis_addr) = config.state.redis_uri.as_ref() {
@@ -879,7 +887,7 @@ impl ProcessorContext {
         );
         metrics::histogram!(
             "combined_decision_score",
-            verdict.decision.pignistic().restrict
+            verdict.decision.pignistic().restrict,
         );
 
         let mut decisions: Vec<Decision> = Vec::with_capacity(self.plugin_instances.len());
@@ -913,12 +921,22 @@ impl ProcessorContext {
                     decision.pignistic().restrict,
                     "ref" => plugin_instance.plugin_reference(),
                 );
+                metrics::describe_histogram!(
+                    "decision_score",
+                    "A histogram over the individual plugin decision scores for all requests processed."
+                );
+
                 // Measure the conflict between each individual decision and the combined decision
                 metrics::histogram!(
                     "decision_conflict",
                     Decision::conflict(&[decision, verdict.decision]),
                     "ref" => plugin_instance.plugin_reference(),
                 );
+                metrics::describe_histogram!(
+                    "decision_conflict",
+                    "A histogram over the individual plugin disagreement values for all requests processed."
+                );
+
                 decisions.push(decision);
             }
             let request = self.request.clone();
@@ -949,6 +967,10 @@ impl ProcessorContext {
 
         // Measure total conflict in the combined decision
         metrics::histogram!("combined_conflict", Decision::conflict(&decisions));
+        metrics::describe_histogram!(
+            "combined_conflict",
+            "A histogram over the combined disagreement values for all requests processed."
+        );
 
         // Capturing stdio is always the last thing that happens and feedback should always be the second-to-last.
         self.capture_stdio().await;

From 65c9c060966ba5fbad2644e2e331ec4bdef64f88 Mon Sep 17 00:00:00 2001
From: Bob Aman <bob@sporkmonger.com>
Date: Fri, 9 Aug 2024 15:14:20 -0500
Subject: [PATCH 04/13] Warn when exporting empty metrics

---
 src/admin.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/admin.rs b/src/admin.rs
index e2cb9700..ebbd26c7 100644
--- a/src/admin.rs
+++ b/src/admin.rs
@@ -3,6 +3,7 @@ use super::*;
 use http::{HeaderMap, HeaderValue};
 pub(super) use metrics_exporter_prometheus::{PrometheusBuilder, PrometheusHandle};
 use std::fmt;
+use tracing::warn;
 
 /// Axum state for the admin service.
 pub(super) struct AdminState {
@@ -97,6 +98,9 @@ pub(super) async fn metrics_handler(
         let metrics = prometheus_handle.render();
         // TODO: Add gzip compression support.
         body = metrics.into();
+        if body.is_empty() {
+            warn!("exporting empty prometheus metrics");
+        }
     } else {
         body = vec![];
     }

From ecc23afc4c64a28a9ca33d743d3103ca3b8fa77b Mon Sep 17 00:00:00 2001
From: Bob Aman <bob@sporkmonger.com>
Date: Fri, 9 Aug 2024 15:44:09 -0500
Subject: [PATCH 05/13] Fix clippy errors on protobuf files

---
 crates/ext-processor/src/protobuf.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/crates/ext-processor/src/protobuf.rs b/crates/ext-processor/src/protobuf.rs
index 1c48d12a..0defb16d 100644
--- a/crates/ext-processor/src/protobuf.rs
+++ b/crates/ext-processor/src/protobuf.rs
@@ -11,6 +11,7 @@ pub mod envoy {
             }
         }
         pub mod core {
+            #[allow(clippy::doc_lazy_continuation)]
             #[allow(clippy::large_enum_variant)]
             pub mod v3 {
                 include!(concat!(env!("OUT_DIR"), "/envoy.config.core.v3.rs"));
@@ -21,6 +22,7 @@ pub mod envoy {
         pub mod filters {
             pub mod http {
                 pub mod ext_authz {
+                    #[allow(clippy::doc_lazy_continuation)]
                     #[allow(clippy::large_enum_variant)]
                     pub mod v3 {
                         include!(concat!(
@@ -30,6 +32,7 @@ pub mod envoy {
                     }
                 }
                 pub mod ext_proc {
+                    #[allow(clippy::doc_lazy_continuation)]
                     pub mod v3 {
                         include!(concat!(
                             env!("OUT_DIR"),
@@ -52,6 +55,7 @@ pub mod envoy {
     }
     pub mod service {
         pub mod auth {
+            #[allow(clippy::doc_lazy_continuation)]
             pub mod v3 {
                 include!(concat!(env!("OUT_DIR"), "/envoy.service.auth.v3.rs"));
             }

From a88ff325c352529e19e850e3d6985a475835abb4 Mon Sep 17 00:00:00 2001
From: Bob Aman <bob@sporkmonger.com>
Date: Fri, 9 Aug 2024 16:12:10 -0500
Subject: [PATCH 06/13] Ignore protobuf directories

---
 .github/dependabot.yml                           | 16 ++++++++++++++++
 .../protoc-gen-validate/requirements.txt         |  2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5c753458..c842e9c1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -17,3 +17,19 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+
+  - package-ecosystem: "pip"
+    directory: "/crates/ext-processor/protobuf/protoc-gen-validate"
+    schedule:
+      interval: "monthly"
+    labels: []
+    ignore:
+      - dependency-name: "*"
+
+  - package-ecosystem: "gomod"
+    directory: "/crates/ext-processor/protobuf/protoc-gen-validate"
+    schedule:
+      interval: "monthly"
+    labels: []
+    ignore:
+      - dependency-name: "*"
diff --git a/crates/ext-processor/protobuf/protoc-gen-validate/requirements.txt b/crates/ext-processor/protobuf/protoc-gen-validate/requirements.txt
index ec853936..3f7d206c 100644
--- a/crates/ext-processor/protobuf/protoc-gen-validate/requirements.txt
+++ b/crates/ext-processor/protobuf/protoc-gen-validate/requirements.txt
@@ -5,6 +5,6 @@ isort==5.7.0
 build==0.3.0
 twine==3.3.0
 wheel==0.38.1
-setuptools==70.0.0
+setuptools==65.5.1
 protobuf==3.20.2
 setuptools_scm[toml]>=6.2

From 07e0a0d8e486f893a6c543f42869b9a37376b518 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 9 Aug 2024 21:22:51 +0000
Subject: [PATCH 07/13] Bump dtolnay/rust-toolchain

Bumps [dtolnay/rust-toolchain](https://github.com/dtolnay/rust-toolchain) from 21dc36fb71dd22e3317045c0c31a3f4249868b17 to 7b1c307e0dcbda6122208f10795a713336a9b35a.
- [Release notes](https://github.com/dtolnay/rust-toolchain/releases)
- [Commits](https://github.com/dtolnay/rust-toolchain/compare/21dc36fb71dd22e3317045c0c31a3f4249868b17...7b1c307e0dcbda6122208f10795a713336a9b35a)

---
updated-dependencies:
- dependency-name: dtolnay/rust-toolchain
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/publish-crate.yml   | 2 +-
 .github/workflows/publish-release.yml | 6 +++---
 .github/workflows/rust.yml            | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/publish-crate.yml b/.github/workflows/publish-crate.yml
index e8b2a3bb..01db01ba 100644
--- a/.github/workflows/publish-crate.yml
+++ b/.github/workflows/publish-crate.yml
@@ -18,7 +18,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Install Rust
-      uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
+      uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
       with:
         toolchain: stable
         components: clippy
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 6a4f92d2..5b7f584a 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -17,7 +17,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Install Rust
-      uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
+      uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
       with:
         toolchain: stable
         components: clippy
@@ -64,7 +64,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Install Rust
-      uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
+      uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
       with:
         toolchain: stable
         components: clippy
@@ -115,7 +115,7 @@ jobs:
       uses: actions/checkout@v4
 
     - name: Install Rust
-      uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
+      uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
       with:
         toolchain: stable
         components: clippy
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index e421289b..b13152fb 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
+      - uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
         with:
           toolchain: stable
           components: rustfmt
@@ -30,7 +30,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
+        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
         with:
           toolchain: stable
           components: clippy
@@ -56,7 +56,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
+        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
         with:
           toolchain: stable
           components: clippy
@@ -119,7 +119,7 @@ jobs:
         run: /usr/bin/docker run -d --name envoy --network "${{ job.container.network }}" --network-alias envoy -p 4080:4080 -e GITHUB_ACTIONS=true -e CI=true -v "./tests/gha_envoy.yaml":"/etc/envoy/envoy.yaml" envoyproxy/envoy:v${{ matrix.envoy-version }}-latest envoy -l debug -c /etc/envoy/envoy.yaml
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@21dc36fb71dd22e3317045c0c31a3f4249868b17
+        uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a
         with:
           toolchain: ${{ matrix.rust_version }}
           components: clippy

From 70288d7703c21568e6d223a5a890de732d3f73d2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 9 Aug 2024 22:42:23 +0000
Subject: [PATCH 08/13] Bump EmbarkStudios/cargo-deny-action from 1 to 2

Bumps [EmbarkStudios/cargo-deny-action](https://github.com/embarkstudios/cargo-deny-action) from 1 to 2.
- [Release notes](https://github.com/embarkstudios/cargo-deny-action/releases)
- [Commits](https://github.com/embarkstudios/cargo-deny-action/compare/v1...v2)

---
updated-dependencies:
- dependency-name: EmbarkStudios/cargo-deny-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index e538cad5..ffc1341a 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: 'cargo deny'
-      uses: EmbarkStudios/cargo-deny-action@v1
+      uses: EmbarkStudios/cargo-deny-action@v2
       with:
         command: check
         command-arguments: all

From d536a7cfe48616ded98eaea5afecbc23df3898fb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 9 Aug 2024 22:42:28 +0000
Subject: [PATCH 09/13] Bump clechasseur/rs-cargo

Bumps [clechasseur/rs-cargo](https://github.com/clechasseur/rs-cargo) from 5cd564345ef5b1136392a1dc943b33a3a888b873 to 34eb9ee3e4186e5c7820a54393fbf081f78bc102.
- [Release notes](https://github.com/clechasseur/rs-cargo/releases)
- [Commits](https://github.com/clechasseur/rs-cargo/compare/5cd564345ef5b1136392a1dc943b33a3a888b873...34eb9ee3e4186e5c7820a54393fbf081f78bc102)

---
updated-dependencies:
- dependency-name: clechasseur/rs-cargo
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/publish-crate.yml   | 2 +-
 .github/workflows/publish-release.yml | 6 +++---
 .github/workflows/rust.yml            | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish-crate.yml b/.github/workflows/publish-crate.yml
index 01db01ba..a23a710a 100644
--- a/.github/workflows/publish-crate.yml
+++ b/.github/workflows/publish-crate.yml
@@ -25,7 +25,7 @@ jobs:
         target: wasm32-wasi
 
     - name: Ensure generated files are available
-      uses: clechasseur/rs-cargo@5cd564345ef5b1136392a1dc943b33a3a888b873 # v2.0.2
+      uses: clechasseur/rs-cargo@34eb9ee3e4186e5c7820a54393fbf081f78bc102 # v2.0.2
       with:
         command: test
         args: -p bulwark-config -p bulwark-sdk
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 5b7f584a..d2c9f960 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -27,7 +27,7 @@ jobs:
       run: /usr/bin/sudo /usr/bin/apt install -y protobuf-compiler
 
     - name: Build release target
-      uses: clechasseur/rs-cargo@5cd564345ef5b1136392a1dc943b33a3a888b873 # v2.0.2
+      uses: clechasseur/rs-cargo@34eb9ee3e4186e5c7820a54393fbf081f78bc102 # v2.0.2
       with:
         command: build
         args: --release --target=x86_64-unknown-linux-gnu
@@ -78,7 +78,7 @@ jobs:
       run: brew install protobuf
 
     - name: Build release target
-      uses: clechasseur/rs-cargo@5cd564345ef5b1136392a1dc943b33a3a888b873 # v2.0.2
+      uses: clechasseur/rs-cargo@34eb9ee3e4186e5c7820a54393fbf081f78bc102 # v2.0.2
       with:
         command: build
         args: --release --target=x86_64-apple-darwin
@@ -129,7 +129,7 @@ jobs:
       run: brew install protobuf
 
     - name: Build release target
-      uses: clechasseur/rs-cargo@5cd564345ef5b1136392a1dc943b33a3a888b873 # v2.0.2
+      uses: clechasseur/rs-cargo@34eb9ee3e4186e5c7820a54393fbf081f78bc102 # v2.0.2
       with:
         command: build
         args: --release --target=aarch64-apple-darwin
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index b13152fb..6f3e3c0c 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -135,7 +135,7 @@ jobs:
         run: /usr/bin/docker ps
 
       - name: Run bulwark tests
-        uses: clechasseur/rs-cargo@5cd564345ef5b1136392a1dc943b33a3a888b873 # v2.0.2
+        uses: clechasseur/rs-cargo@34eb9ee3e4186e5c7820a54393fbf081f78bc102 # v2.0.2
         with:
           command: test
           args: -p bulwark-cli -p bulwark-build -p bulwark-config -p bulwark-decision -p bulwark-ext-processor -p bulwark-host -p bulwark-sdk -p bulwark-sdk-macros -- --include-ignored

From b91ab1b1db60d364c91015c1b9e9f792314717ce Mon Sep 17 00:00:00 2001
From: Bob Aman <bob@sporkmonger.com>
Date: Fri, 9 Aug 2024 23:28:15 -0500
Subject: [PATCH 10/13] Update bytes dependency

---
 Cargo.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 0ef2f214..bab8e167 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -574,9 +574,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
 [[package]]
 name = "bytes"
-version = "1.6.0"
+version = "1.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "514de17de45fdb8dc022b1a7975556c53c86f9f0aa5f534b98977b171857c2c9"
+checksum = "8318a53db07bb3f8dca91a600466bdb3f2eaadeedfdbcf02e1accbad9271ba50"
 
 [[package]]
 name = "cadence"

From 1ed06ebda1089ca76b23507aa7a733268d23bb12 Mon Sep 17 00:00:00 2001
From: Bob Aman <bob@sporkmonger.com>
Date: Fri, 9 Aug 2024 23:44:39 -0500
Subject: [PATCH 11/13] Dependabot updates GHA files sometimes

---
 .dryrunsecurity.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.dryrunsecurity.yaml b/.dryrunsecurity.yaml
index 19b3cf0f..696a8a06 100644
--- a/.dryrunsecurity.yaml
+++ b/.dryrunsecurity.yaml
@@ -1,10 +1,11 @@
 sensitiveCodepaths:
   # Files only allowed authors can modify
-  - '.github/**/*'
+  - ".github/**/*"
 allowedAuthors:
   usernames:
     # GitHub username
-    - 'sporkmonger'
+    - "sporkmonger"
+    - "dependabot"
 notificationList:
   # GitHub username or team name
-  - '@sporkmonger'
+  - "@sporkmonger"

From b9b2e301d27586ad2603dacd7a850cd7f6410d93 Mon Sep 17 00:00:00 2001
From: Bob Aman <bob@sporkmonger.com>
Date: Sat, 10 Aug 2024 00:07:31 -0500
Subject: [PATCH 12/13] DryRun might see Dependabot's username differently

---
 .dryrunsecurity.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.dryrunsecurity.yaml b/.dryrunsecurity.yaml
index 696a8a06..b15f1560 100644
--- a/.dryrunsecurity.yaml
+++ b/.dryrunsecurity.yaml
@@ -6,6 +6,7 @@ allowedAuthors:
     # GitHub username
     - "sporkmonger"
     - "dependabot"
+    - "dependabot[bot]"
 notificationList:
   # GitHub username or team name
   - "@sporkmonger"

From 0df63d991e0cb349a366e9073de5e47b54effea5 Mon Sep 17 00:00:00 2001
From: Bob Aman <bob@sporkmonger.com>
Date: Sat, 10 Aug 2024 01:06:44 -0500
Subject: [PATCH 13/13] Prometheus metrics were broken because the crate got
 out of sync w/ parent dependency

---
 Cargo.lock                          |  46 ++++--------
 Cargo.toml                          |   6 +-
 crates/ext-processor/src/service.rs | 106 ++++++++++++++++------------
 crates/host/src/plugin.rs           |  50 +++++++------
 src/errors.rs                       |   4 +-
 src/main.rs                         |   2 +-
 6 files changed, 109 insertions(+), 105 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index bab8e167..56e150f4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -410,7 +410,7 @@ dependencies = [
  "deadpool-redis",
  "http 1.1.0",
  "hyper 1.3.1",
- "metrics 0.21.1",
+ "metrics",
  "metrics-exporter-prometheus",
  "metrics-exporter-statsd",
  "quoted-string",
@@ -482,7 +482,7 @@ dependencies = [
  "futures",
  "http 1.1.0",
  "matchit 0.8.2",
- "metrics 0.21.1",
+ "metrics",
  "prost",
  "prost-types",
  "redis",
@@ -512,7 +512,7 @@ dependencies = [
  "hex",
  "http 1.1.0",
  "http-body-util",
- "metrics 0.21.1",
+ "metrics",
  "redis",
  "redis-test",
  "reqwest",
@@ -580,9 +580,9 @@ checksum = "8318a53db07bb3f8dca91a600466bdb3f2eaadeedfdbcf02e1accbad9271ba50"
 
 [[package]]
 name = "cadence"
-version = "0.29.1"
+version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f39286bc075b023101dccdb79456a1334221c768b8faede0c2aff7ed29a9482d"
+checksum = "2f338b979d9ebfff4bb9801ae8f3af0dc3615f7f1ca963f2e4782bcf9acb3753"
 dependencies = [
  "crossbeam-channel",
 ]
@@ -2036,17 +2036,6 @@ dependencies = [
  "autocfg",
 ]
 
-[[package]]
-name = "metrics"
-version = "0.21.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fde3af1a009ed76a778cb84fdef9e7dbbdf5775ae3e4cc1f434a6a307f6f76c5"
-dependencies = [
- "ahash",
- "metrics-macros",
- "portable-atomic",
-]
-
 [[package]]
 name = "metrics"
 version = "0.23.0"
@@ -2059,9 +2048,9 @@ dependencies = [
 
 [[package]]
 name = "metrics-exporter-prometheus"
-version = "0.15.1"
+version = "0.15.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf0af7a0d7ced10c0151f870e5e3f3f8bc9ffc5992d32873566ca1f9169ae776"
+checksum = "b4f0c8427b39666bf970460908b213ec09b3b350f20c0c2eabcbba51704a08e6"
 dependencies = [
  "base64 0.22.1",
  "http-body-util",
@@ -2070,7 +2059,7 @@ dependencies = [
  "hyper-util",
  "indexmap 2.2.6",
  "ipnet",
- "metrics 0.23.0",
+ "metrics",
  "metrics-util",
  "quanta",
  "thiserror",
@@ -2080,26 +2069,15 @@ dependencies = [
 
 [[package]]
 name = "metrics-exporter-statsd"
-version = "0.6.0"
+version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e34a620eecf9e4321ebbef8f2f8e7cd22e098f11b65f2d987ce66faaa8918418"
+checksum = "a0905009f54328c743a2046a86c88157621f473a2202cfa922cb716615c4b292"
 dependencies = [
  "cadence",
- "metrics 0.21.1",
+ "metrics",
  "thiserror",
 ]
 
-[[package]]
-name = "metrics-macros"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38b4faf00617defe497754acde3024865bc143d44a86799b24e191ecff91354f"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.68",
-]
-
 [[package]]
 name = "metrics-util"
 version = "0.17.0"
@@ -2109,7 +2087,7 @@ dependencies = [
  "crossbeam-epoch",
  "crossbeam-utils",
  "hashbrown 0.14.5",
- "metrics 0.23.0",
+ "metrics",
  "num_cpus",
  "quanta",
  "sketches-ddsketch",
diff --git a/Cargo.toml b/Cargo.toml
index 02b16d3b..36f138ff 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -34,8 +34,8 @@ clap = { version = "4.4.3", features = ["derive"] }
 clap_complete = "4.5.2"
 color-eyre = "0.6.2"
 hyper = { version = "1.2.0", features = ["server"] }
-metrics-exporter-prometheus = "0.15.0"
-metrics-exporter-statsd = "0.6.0"
+metrics-exporter-prometheus = "0.15.3"
+metrics-exporter-statsd = "0.8.0"
 quoted-string = "0.6.1"
 tower = { version = "0.4.13", features = ["tokio", "tracing"] }
 tower-http = { version = "0.5.0", features = [
@@ -119,7 +119,7 @@ futures = "0.3"
 hex = "0.4.3"
 http = "1.0"
 matchit = "0.8.2"
-metrics = "0.21.1"
+metrics = "0.23.0"
 owo-colors = "3.5.0"
 redis = { version = "0.25", features = [
     "tokio-comp",
diff --git a/crates/ext-processor/src/service.rs b/crates/ext-processor/src/service.rs
index 45bdfc82..7fb3e0a6 100644
--- a/crates/ext-processor/src/service.rs
+++ b/crates/ext-processor/src/service.rs
@@ -232,27 +232,31 @@ impl BulwarkProcessor {
     /// * `config` - The root of the Bulwark configuration structure to be used to initialize the service.
     pub async fn new(config: Config) -> Result<Self, PluginLoadError> {
         // Get all outcomes registered even if those outcomes don't happen immediately.
-        metrics::register_counter!(
+        metrics::counter!(
             "combined_decision",
             "outcome" => "trusted",
-        );
-        metrics::register_counter!(
+        )
+        .absolute(0);
+        metrics::counter!(
             "combined_decision",
             "outcome" => "accepted",
-        );
-        metrics::register_counter!(
+        )
+        .absolute(0);
+        metrics::counter!(
             "combined_decision",
             "outcome" => "suspected",
-        );
-        metrics::register_counter!(
+        )
+        .absolute(0);
+        metrics::counter!(
             "combined_decision",
             "outcome" => "restricted",
-        );
-        metrics::describe_histogram!(
+        )
+        .absolute(0);
+        metrics::describe_counter!(
             "combined_decision",
             "Counters for each combined decision outcome."
         );
-        metrics::register_histogram!("combined_decision_score");
+        metrics::histogram!("combined_decision_score").record(0.0);
         metrics::describe_histogram!(
             "combined_decision_score",
             "A histogram over the combined decision scores for all requests processed."
@@ -352,16 +356,18 @@ impl BulwarkProcessor {
         let mut plugin_instance = plugin_instance.lock().await;
         let result = plugin_instance.handle_init().await;
         match result {
-            Ok(_) => metrics::increment_counter!(
+            Ok(_) => metrics::counter!(
                 "plugin_wasm_on_init",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "ok"
-            ),
-            Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Err(_) => metrics::counter!(
                 "plugin_wasm_on_init",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "error"
-            ),
+            )
+            .increment(1),
         }
         result
     }
@@ -376,16 +382,18 @@ impl BulwarkProcessor {
             .handle_request_enrichment(request, labels)
             .await;
         match result {
-            Ok(_) => metrics::increment_counter!(
+            Ok(_) => metrics::counter!(
                 "plugin_wasm_on_request",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "ok"
-            ),
-            Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Err(_) => metrics::counter!(
                 "plugin_wasm_on_request",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "error"
-            ),
+            )
+            .increment(1),
         }
         result
     }
@@ -400,16 +408,18 @@ impl BulwarkProcessor {
             .handle_request_decision(request, labels)
             .await;
         match result {
-            Ok(_) => metrics::increment_counter!(
+            Ok(_) => metrics::counter!(
                 "plugin_wasm_on_request_decision",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "ok"
-            ),
-            Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Err(_) => metrics::counter!(
                 "plugin_wasm_on_request_decision",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "error"
-            ),
+            )
+            .increment(1),
         }
         result
     }
@@ -425,16 +435,18 @@ impl BulwarkProcessor {
             .handle_response_decision(request, response, labels)
             .await;
         match result {
-            Ok(_) => metrics::increment_counter!(
+            Ok(_) => metrics::counter!(
                 "plugin_wasm_on_response_decision",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "ok"
-            ),
-            Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Err(_) => metrics::counter!(
                 "plugin_wasm_on_response_decision",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "error"
-            ),
+            )
+            .increment(1),
         }
         result
     }
@@ -451,16 +463,18 @@ impl BulwarkProcessor {
             .handle_decision_feedback(request, response, labels, verdict)
             .await;
         match result {
-            Ok(_) => metrics::increment_counter!(
+            Ok(_) => metrics::counter!(
                 "plugin_wasm_on_decision_feedback",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "ok"
-            ),
-            Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Err(_) => metrics::counter!(
                 "plugin_wasm_on_decision_feedback",
                 "ref" => plugin_instance.plugin_reference(),
                 "result" => "error"
-            ),
+            )
+            .increment(1),
         }
         result
     }
@@ -881,14 +895,13 @@ impl ProcessorContext {
             .verdict
             .as_ref()
             .expect("cannot execute feedback phase without verdict");
-        metrics::increment_counter!(
+        metrics::counter!(
             "combined_decision",
             "outcome" => verdict.outcome.to_string(),
-        );
-        metrics::histogram!(
-            "combined_decision_score",
-            verdict.decision.pignistic().restrict,
-        );
+        )
+        .increment(1);
+        metrics::histogram!("combined_decision_score",)
+            .record(verdict.decision.pignistic().restrict);
 
         let mut decisions: Vec<Decision> = Vec::with_capacity(self.plugin_instances.len());
         let mut feedback_phase_tasks = JoinSet::new();
@@ -918,9 +931,10 @@ impl ProcessorContext {
                     });
                 metrics::histogram!(
                     "decision_score",
-                    decision.pignistic().restrict,
+
                     "ref" => plugin_instance.plugin_reference(),
-                );
+                )
+                .record(decision.pignistic().restrict);
                 metrics::describe_histogram!(
                     "decision_score",
                     "A histogram over the individual plugin decision scores for all requests processed."
@@ -929,9 +943,9 @@ impl ProcessorContext {
                 // Measure the conflict between each individual decision and the combined decision
                 metrics::histogram!(
                     "decision_conflict",
-                    Decision::conflict(&[decision, verdict.decision]),
                     "ref" => plugin_instance.plugin_reference(),
-                );
+                )
+                .record(Decision::conflict(&[decision, verdict.decision]));
                 metrics::describe_histogram!(
                     "decision_conflict",
                     "A histogram over the individual plugin disagreement values for all requests processed."
@@ -966,7 +980,7 @@ impl ProcessorContext {
         join_all(feedback_phase_tasks, |_| {}).await;
 
         // Measure total conflict in the combined decision
-        metrics::histogram!("combined_conflict", Decision::conflict(&decisions));
+        metrics::histogram!("combined_conflict").record(Decision::conflict(&decisions));
         metrics::describe_histogram!(
             "combined_conflict",
             "A histogram over the combined disagreement values for all requests processed."
@@ -1004,11 +1018,12 @@ impl ProcessorContext {
                 .to_vec()
                 .join(","),
         );
-        metrics::increment_counter!(
+        metrics::counter!(
             "plugin_request_phase_decision",
             "outcome" => outcome.to_string(),
             "observe_only" => self.thresholds.observe_only.to_string(),
-        );
+        )
+        .increment(1);
 
         let mut restricted = false;
         let end_of_stream = self.request.body().is_empty();
@@ -1106,11 +1121,12 @@ impl ProcessorContext {
                 .to_vec()
                 .join(","),
         );
-        metrics::increment_counter!(
+        metrics::counter!(
             "plugin_response_phase_decision",
             "outcome" => outcome.to_string(),
             "observe_only" => self.thresholds.observe_only.to_string(),
-        );
+        )
+        .increment(1);
 
         let response = self
             .response
diff --git a/crates/host/src/plugin.rs b/crates/host/src/plugin.rs
index dd85d4e9..dda5ac6d 100644
--- a/crates/host/src/plugin.rs
+++ b/crates/host/src/plugin.rs
@@ -436,14 +436,16 @@ impl PluginInstance {
             .call_handle_init(self.store.as_context_mut())
             .await;
         match result {
-            Ok(Ok(_)) => metrics::increment_counter!(
+            Ok(Ok(_)) => metrics::counter!(
                 "plugin_on_init",
                 "ref" => self.plugin_reference(), "result" => "ok"
-            ),
-            Ok(Err(_)) | Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Ok(Err(_)) | Err(_) => metrics::counter!(
                 "plugin_on_init",
                 "ref" => self.plugin_reference(), "result" => "error"
-            ),
+            )
+            .increment(1),
         }
 
         // Initialization doesn't return anything unless there's an error
@@ -483,14 +485,16 @@ impl PluginInstance {
             )
             .await;
         match result {
-            Ok(Ok(_)) => metrics::increment_counter!(
+            Ok(Ok(_)) => metrics::counter!(
                 "plugin_on_request",
                 "ref" => self.plugin_reference(), "result" => "ok"
-            ),
-            Ok(Err(_)) | Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Ok(Err(_)) | Err(_) => metrics::counter!(
                 "plugin_on_request",
                 "ref" => self.plugin_reference(), "result" => "error"
-            ),
+            )
+            .increment(1),
         }
         let labels: HashMap<String, String> = result??.into_iter().collect();
 
@@ -528,14 +532,16 @@ impl PluginInstance {
             )
             .await;
         match result {
-            Ok(Ok(_)) => metrics::increment_counter!(
+            Ok(Ok(_)) => metrics::counter!(
                 "plugin_on_request_decision",
                 "ref" => self.plugin_reference(), "result" => "ok"
-            ),
-            Ok(Err(_)) | Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Ok(Err(_)) | Err(_) => metrics::counter!(
                 "plugin_on_request_decision",
                 "ref" => self.plugin_reference(), "result" => "error"
-            ),
+            )
+            .increment(1),
         }
 
         Ok(result??.into())
@@ -594,14 +600,16 @@ impl PluginInstance {
             )
             .await;
         match result {
-            Ok(Ok(_)) => metrics::increment_counter!(
+            Ok(Ok(_)) => metrics::counter!(
                 "plugin_on_request_body_decision",
                 "ref" => self.plugin_reference(), "result" => "ok"
-            ),
-            Ok(Err(_)) | Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Ok(Err(_)) | Err(_) => metrics::counter!(
                 "plugin_on_request_body_decision",
                 "ref" => self.plugin_reference(), "result" => "error"
-            ),
+            )
+            .increment(1),
         }
 
         Ok(result??.into())
@@ -661,14 +669,16 @@ impl PluginInstance {
             )
             .await;
         match result {
-            Ok(Ok(_)) => metrics::increment_counter!(
+            Ok(Ok(_)) => metrics::counter!(
                 "plugin_on_decision_feedback",
                 "ref" => self.plugin_reference(), "result" => "ok"
-            ),
-            Ok(Err(_)) | Err(_) => metrics::increment_counter!(
+            )
+            .increment(1),
+            Ok(Err(_)) | Err(_) => metrics::counter!(
                 "plugin_on_decision_feedback",
                 "ref" => self.plugin_reference(), "result" => "error"
-            ),
+            )
+            .increment(1),
         }
 
         // Decision feedback doesn't return anything unless there's an error
diff --git a/src/errors.rs b/src/errors.rs
index 1b8baff7..ef192f88 100644
--- a/src/errors.rs
+++ b/src/errors.rs
@@ -20,8 +20,8 @@ pub enum MetricsError {
     Prometheus(#[from] metrics_exporter_prometheus::BuildError),
     #[error("failed to install StatsD metrics exporter: {0}")]
     Statsd(#[from] metrics_exporter_statsd::StatsdError),
-    #[error("failed to install metrics exporter: {0}")]
-    Install(#[from] metrics::SetRecorderError),
+    #[error("failed to install StatsD metrics exporter: {0}")]
+    SetStatsd(#[from] metrics::SetRecorderError<metrics_exporter_statsd::StatsdRecorder>),
 }
 
 #[derive(thiserror::Error, Debug)]
diff --git a/src/main.rs b/src/main.rs
index d2770a5e..232acb85 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -183,7 +183,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
                 .build(prefix)
                 .map_err(MetricsError::from)?;
 
-                metrics::set_boxed_recorder(Box::new(recorder)).map_err(MetricsError::from)?;
+                metrics::set_global_recorder(recorder).map_err(MetricsError::from)?;
             } else {
                 let thresholds = config_root.thresholds;
                 prometheus_handle = Some(