TrogonStack · yordis · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
diff --git a/.github/workflows/canary-container-images.yml b/.github/workflows/canary-container-images.yml
@@ -10,7 +10,9 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
+  actions: write
   contents: read
+  id-token: write
   packages: write
 
 jobs:
@@ -51,6 +53,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push canary image
+        id: build_image
         uses: docker/build-push-action@v7
         with:
           context: ${{ steps.service_config.outputs.context }}
@@ -61,3 +64,38 @@ jobs:
             ${{ steps.image.outputs.name }}:sha-${{ steps.image.outputs.short_sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          sbom: true
+          provenance: mode=max
+
+      - name: Scan image for vulnerabilities
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
+        with:
+          image-ref: ${{ steps.image.outputs.name }}@${{ steps.build_image.outputs.digest }}
+          scanners: vuln
+          format: table
+          output: trivy-results.txt
+          ignore-unfixed: true
+          exit-code: 0
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
+        with:
+          image: ${{ steps.image.outputs.name }}@${{ steps.build_image.outputs.digest }}
+          artifact-name: sbom-${{ matrix.service }}-spdx
+          format: spdx-json
+
+      - name: Document image security audit
+        shell: bash
+        run: |
+          {
+            echo "## Image security audit: \`${{ matrix.service }}\`"
+            echo ""
+            echo "- Image: \`${{ steps.image.outputs.name }}@${{ steps.build_image.outputs.digest }}\`"
+            echo "- Runtime base: \`debian:bookworm-20260518-slim\`"
+            echo "- SBOM artifact: \`sbom-${{ matrix.service }}-spdx\` (SPDX JSON)"
+            echo ""
+            echo "### Vulnerability scan (Trivy, image packages)"
+            echo '```text'
+            cat trivy-results.txt
+            echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.github/workflows/docs-pages.yml b/.github/workflows/docs-pages.yml
@@ -25,14 +25,14 @@ jobs:
           fetch-depth: 0
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@fdbc4fdcf7d143a5d0a39e9a02e103b13e309024
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
-          version: 11.3.0
+          package_json_file: docs/package.json
 
       - name: Setup Node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
         with:
-          node-version: 24
+          node-version: 26
           cache: pnpm
           cache-dependency-path: docs/pnpm-lock.yaml
 

diff --git a/.mise.toml b/.mise.toml
@@ -1,12 +1,12 @@
 [tools]
-buf = "1.69.0"
-"cargo:protoc-gen-buffa" = "0.6.0"
-"cargo:protoc-gen-buffa-packaging" = "0.6.0"
-node = "24.13.1"
-pnpm = "11.3.0"
-python = "3.11"
-uv = "0.9.5"
-rust = { version = "1.93.0", profile = "default" }
+buf = "1.70.0"
+"cargo:protoc-gen-buffa" = "0.7.0"
+"cargo:protoc-gen-buffa-packaging" = "0.7.0"
+node = "26.3.0"
+pnpm = "11.5.1"
+python = "3.14.5"
+uv = "0.11.18"
+rust = { version = "1.96.0", profile = "default" }
 
 [tasks.dev]
 description = "Start development environment"

diff --git a/devops/docker/compose/compose.yml b/devops/docker/compose/compose.yml
@@ -2,7 +2,7 @@ name: trogonai
 
 services:
   nats:
-    image: nats:2.11-alpine
+    image: nats:2.14.2-alpine
     command:
       - "--jetstream"
       - "--store_dir=/data"
@@ -46,7 +46,7 @@ services:
       retries: 3
 
   ngrok:
-    image: ngrok/ngrok:alpine
+    image: ngrok/ngrok:3.39.6-alpine
     env_file:
       - path: .env
         required: false

diff --git a/devops/docker/compose/services/trogon-gateway/Dockerfile b/devops/docker/compose/services/trogon-gateway/Dockerfile
@@ -1,5 +1,5 @@
 # ── Stage 1: chef — generate dependency recipe ──────────────────────────────
-FROM rust:1.93-slim AS chef
+FROM rust:1.96.0-slim-bookworm AS chef
 
 RUN cargo install cargo-chef --locked
 
@@ -26,7 +26,7 @@ RUN cargo build --release -p trogon-gateway && \
     strip target/release/trogon-gateway
 
 # ── Stage 4: runtime ────────────────────────────────────────────────────────
-FROM debian:bookworm-20250317-slim AS runtime
+FROM debian:bookworm-20260518-slim AS runtime
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates curl \

diff --git a/docs/package.json b/docs/package.json
@@ -2,7 +2,7 @@
   "name": "@trogonstack/trogonai-docs",
   "private": true,
   "type": "module",
-  "packageManager": "pnpm@11.3.0",
+  "packageManager": "pnpm@11.5.1",
   "scripts": {
     "docs:dev": "vitepress dev .",
     "docs:build": "vitepress build .",

diff --git a/rsworkspace/Cargo.lock b/rsworkspace/Cargo.lock
diff --git a/rsworkspace/Cargo.toml b/rsworkspace/Cargo.toml
@@ -33,8 +33,8 @@ async-nats = { version = "=0.47.0", default-features = false }
 async-trait = "=0.1.89"
 axum = { version = "=0.8.9", features = ["ws"] }
 bytes = "=1.11.1"
-buffa = { version = "=0.6.0", features = ["json"] }
-buffa-types = { version = "=0.6.0", features = ["json"] }
+buffa = { version = "=0.7.0", features = ["json"] }
+buffa-types = { version = "=0.7.0", features = ["json"] }
 futures = "=0.3.32"
 futures-util = "=0.3.32"
 tokio = "=1.52.1"

diff --git a/rsworkspace/crates/trogon-decider/tests/ui/fail/after_then.stderr b/rsworkspace/crates/trogon-decider/tests/ui/fail/after_then.stderr
@@ -7,9 +7,9 @@ error[E0599]: no method named `when` found for struct `ThenEvents<Event>` in the
    |  _____method `when` is available on `TestCase<TestCommand>`
    | |
 10 | |         .given_no_history()
-   | |          ------------------ method `when` is available on `TestCase<TestCommand, NoHistory>`
+   | |          ------------------ method `when` is available on `TestCase<TestCommand, trogon_decider::testing::NoHistory>`
 11 | |         .when(TestCommand)
-   | |          ----------------- method `when` is available on `TestCase<TestCommand, When<TestEvent, TestState, TestCommand>>`
+   | |          ----------------- method `when` is available on `TestCase<TestCommand, trogon_decider::testing::When<TestEvent, TestState, TestCommand>>`
 12 | |         .then([TestEvent::Registered])
 13 | |         .when(TestCommand);
    | |         -^^^^ method not found in `ThenEvents<TestEvent>`

diff --git a/rsworkspace/crates/trogon-decider/tests/ui/fail/double_given.stderr b/rsworkspace/crates/trogon-decider/tests/ui/fail/double_given.stderr
@@ -1,13 +1,13 @@
-error[E0599]: no method named `given` found for struct `TestCase<TestCommand, NoHistory>` in the current scope
+error[E0599]: no method named `given` found for struct `TestCase<TestCommand, trogon_decider::testing::NoHistory>` in the current scope
   --> tests/ui/fail/double_given.rs:11:10
    |
  9 | /     TestCase::<TestCommand>::new()
 10 | |         .given_no_history()
 11 | |         .given([]);
-   | |         -^^^^^ method not found in `TestCase<TestCommand, NoHistory>`
+   | |         -^^^^^ method not found in `TestCase<TestCommand, trogon_decider::testing::NoHistory>`
    | |_________|
    |
    |
    = note: the method was found for
-           - `TestCase<C, Given<<C as Decider>::Event>>`
+           - `TestCase<C, trogon_decider::testing::Given<<C as Decider>::Event>>`
            - `TestCase<C>`
diff --git a/rsworkspace/crates/trogon-decider/tests/ui/fail/double_when.stderr b/rsworkspace/crates/trogon-decider/tests/ui/fail/double_when.stderr
@@ -1,4 +1,4 @@
-error[E0599]: no method named `when` found for struct `TestCase<TestCommand, When<TestEvent, TestState, TestCommand>>` in the current scope
+error[E0599]: no method named `when` found for struct `TestCase<TestCommand, trogon_decider::testing::When<TestEvent, TestState, TestCommand>>` in the current scope
   --> tests/ui/fail/double_when.rs:12:10
    |
  9 |       TestCase::<TestCommand>::new()
@@ -7,7 +7,7 @@ error[E0599]: no method named `when` found for struct `TestCase<TestCommand, Whe
    |  _____method `when` is available on `TestCase<TestCommand>`
    | |
 10 | |         .given_no_history()
-   | |          ------------------ method `when` is available on `TestCase<TestCommand, NoHistory>`
+   | |          ------------------ method `when` is available on `TestCase<TestCommand, trogon_decider::testing::NoHistory>`
 11 | |         .when(TestCommand)
 12 | |         .when(TestCommand);
    | |_________-^^^^

diff --git a/rsworkspace/crates/trogon-decider/tests/ui/fail/missing_given.stderr b/rsworkspace/crates/trogon-decider/tests/ui/fail/missing_given.stderr
@@ -5,5 +5,5 @@ error[E0599]: no method named `when` found for struct `TestCase<TestCommand>` in
   |                                    ^^^^ method not found in `TestCase<TestCommand>`
   |
   = note: the method was found for
-          - `TestCase<C, Given<<C as Decider>::Event>>`
-          - `TestCase<C, NoHistory>`
+          - `TestCase<C, trogon_decider::testing::Given<<C as Decider>::Event>>`
+          - `TestCase<C, trogon_decider::testing::NoHistory>`
diff --git a/rsworkspace/crates/trogon-decider/tests/ui/fail/missing_initial_when.stderr b/rsworkspace/crates/trogon-decider/tests/ui/fail/missing_initial_when.stderr
@@ -7,5 +7,4 @@ error[E0599]: no method named `then_error` found for struct `TestCase<TestComman
    | |_________|
    |
    |
-   = note: the method was found for
-           - `TestCase<C, When<<C as Decider>::Event, <C as Decider>::State, C>>`
+   = note: the method was found for `TestCase<C, trogon_decider::testing::When<<C as Decider>::Event, <C as Decider>::State, C>>`
diff --git a/rsworkspace/crates/trogon-decider/tests/ui/fail/missing_when.stderr b/rsworkspace/crates/trogon-decider/tests/ui/fail/missing_when.stderr
@@ -1,12 +1,11 @@
-error[E0599]: no method named `then_error` found for struct `TestCase<TestCommand, NoHistory>` in the current scope
+error[E0599]: no method named `then_error` found for struct `TestCase<TestCommand, trogon_decider::testing::NoHistory>` in the current scope
   --> tests/ui/fail/missing_when.rs:11:10
    |
  9 | /     TestCase::<TestCommand>::new()
 10 | |         .given_no_history()
 11 | |         .then_error(TestDecisionError::AlreadyRegistered);
-   | |         -^^^^^^^^^^ method not found in `TestCase<TestCommand, NoHistory>`
+   | |         -^^^^^^^^^^ method not found in `TestCase<TestCommand, trogon_decider::testing::NoHistory>`
    | |_________|
    |
    |
-   = note: the method was found for
-           - `TestCase<C, When<<C as Decider>::Event, <C as Decider>::State, C>>`
+   = note: the method was found for `TestCase<C, trogon_decider::testing::When<<C as Decider>::Event, <C as Decider>::State, C>>`
diff --git a/rsworkspace/crates/trogon-nats/src/jetstream/mocks.rs b/rsworkspace/crates/trogon-nats/src/jetstream/mocks.rs
@@ -932,7 +932,7 @@ impl JetStreamKvKeys for MockJetStreamKvStore {
         match result {
             Ok(keys) => {
                 let items: Vec<Result<String, kv::WatcherError>> = keys.into_iter().map(Ok).collect();
-                Ok(futures::stream::iter(items.into_iter()))
+                Ok(futures::stream::iter(items))
             }
             Err(kind) => Err(kv::HistoryError::new(kind)),
         }