ADR-0089: Queue vcpkg.json Full Audit Against Pinned Baseline — 2026-05-14 UTC
Status: Accepted (2026-05-14 UTC)
Date: 2026-05-14 UTC
Author: raxx-dev-bot
Context issue: #2036
Implementing PR: #2036-pr (fix/queue-vcpkg-audit-2036)
Policy reference: ADR-0085 (docs/architecture/adr/0085-vcpkg-version-pinning-policy.md)
Companion notes: queue/vcpkg-notes.md
Summary
This ADR records the complete audit of every package in queue/vcpkg.json against the
pinned builtin-baseline SHA 3508985146f1b1d248c67ead13f8f54be5b4f5da. It serves as the
permanent audit trail for issue #2036 ("Card A") and satisfies the requirements of
ADR-0085 (exact-pin policy for tier-1 C++ services).
Three vcpkg-related bugs were discovered serially during the Queue staging deploy chain on
2026-05-13 UTC. The pattern: queue/vcpkg.json was originally authored with version>=
constraints that were never validated against the pinned baseline. This audit performed the
complete cross-check rather than continuing fix-forward one package at a time.
Baseline
| Field | Value |
|---|---|
| builtin-baseline SHA | 3508985146f1b1d248c67ead13f8f54be5b4f5da |
| Baseline registry snapshot date | ~2024-01 (vcpkg HEAD at time of Queue scaffold) |
| Verification method | docker run ubuntu:22.04 + full vcpkg clone (non-shallow) + vcpkg install --dry-run --triplet arm64-linux --x-manifest-root=queue/; also queried ports/<package>/vcpkg.json at baseline SHA for each package |
| Verification date | 2026-05-13 UTC (commit ed5c561c) |
| Post-audit CI confirmation | vcpkg-manifest-check.yml (ADR-0087 / Card B / PR #2081) — dry-run passes on the audited manifest |
The baseline is intentionally held at this SHA. Bumping requires a separate PR (Card E, tracked under #2040, deferred post-v1).
Package Audit Table
All 9 packages from queue/vcpkg.json were examined. The "Before" column is the original
version>= minimum floor; the "After" column is the exact overrides version confirmed
to exist in the registry at the pinned baseline.
| Package | Before (version>=) | After (exact override) | Port-version at baseline | Audit verdict | Notes |
|---|---|---|---|---|---|
| drogon | 1.9.3 | 1.9.6 | (no port-version) | PINNED — version resolved upward | Latest at baseline. 1.9.6 is what the baseline resolver selects from the 1.9.3 floor. Original floor is valid but non-exact; pinned to the resolved value. |
| nlohmann-json | 3.11.2 | 3.11.3 | #1 | PINNED — version resolved upward | Latest at baseline. Header-only; no functional difference from 3.11.2. Baseline resolves to 3.11.3. |
| spdlog | 1.13.0 | 1.14.1 | (no port-version) | PINNED — version resolved upward | Latest at baseline. Structured logging. Floor was well below the baseline resolution. |
| sentry-native | 0.7.6 | 0.7.8 | (no port-version) | PINNED — version resolved upward | Latest at baseline. Error monitoring per APM strategy. Floor was 0.7.6; baseline resolves to 0.7.8. |
| curl | 8.7.1 | 8.9.1 | #1 | PINNED — version resolved upward | Latest at baseline. HTTP client for outbound calls. openssl feature retained (consistent with top-level openssl dep). |
| openssl | 3.3.1 | 3.3.1 | #1 | NO CHANGE — floor was exact | The original version>= floor happened to match the exact baseline resolution. No gap. |
| libpqxx | 7.9.1 | 7.9.2 | (no port-version) | BUG FIX — version did not exist | 7.9.1 is absent from the registry at this baseline; the registry jumps from 7.9.0#1 directly to 7.9.2. This was Bug 3 from the 2026-05-13 UTC incident (first surfaced blocking #2021). Fixed to 7.9.2. |
| jwt-cpp | 0.7.0 | 0.7.0 | (no port-version) | NO CHANGE — floor was exact | Original floor matches baseline resolution. |
| gtest | 1.14.0 | 1.15.2 | (no port-version) | PINNED — version resolved upward | Latest at baseline. GoogleTest for the test suite. Floor was well below resolution. |
Summary: 9 packages reviewed. 6 version-pinned (resolved upward from version>= floor to
exact baseline value). 1 bug-fixed (libpqxx — version did not exist at baseline). 2 no-change
(floor was already exact).
Feature Audit
The drogon dependency originally declared features: ["openssl"] in addition to
features: ["postgres"]. This was removed in PR #2031 (Bug 2 from the 2026-05-13 UTC
incident).
At baseline 3508985146f1b1d248c67ead13f8f54be5b4f5da, drogon's valid features are:
ctl, mysql, orm, postgres, redis, sqlite3, yaml. There is no openssl
feature. Drogon links OpenSSL automatically as a transitive dependency through the
top-level openssl entry in dependencies. Specifying openssl as a drogon feature
caused an immediate build error.
Current state: drogon declares features: ["postgres"] only. This is correct and
was verified by the Card B CI guard (vcpkg-manifest-check.yml).
| Package | Feature removed | Reason |
|---|---|---|
| drogon | openssl | Feature does not exist at baseline 3508985146f1b1d248c67ead13f8f54be5b4f5da. OpenSSL is a transitive dep, not a named feature. |
Dockerfile Build-Dep Audit
Bug 3 from the 2026-05-13 UTC incident was bison and flex missing from the
build-stage apt-get install list. This was fixed in PR #2048.
Current queue/Dockerfile build-stage apt-get installs (verified by reading
queue/Dockerfile at HEAD):
cmake ninja-build git curl zip unzip tar pkg-config ca-certificates
libssl-dev libcurl4-openssl-dev libpq-dev uuid-dev libjsoncpp-dev libz-dev
bison flex
bison and flex are present. Drogon's port file at the pinned baseline lists
bison and flex as required native build tools for its template-compilation
component; both are satisfied.
No additional missing native build deps were identified during this audit.
Bugs Found and Resolved
| Bug class | Description | Fix PR | Status |
|---|---|---|---|
| Bug 1 | Shallow vcpkg clone cannot reach pinned builtin-baseline SHA | #2028 | Merged |
| Bug 2 | drogon openssl feature does not exist at baseline | #2031 | Merged |
| Bug 3 | libpqxx 7.9.1 does not exist at baseline (registry gap) | ed5c561c (PR #2044) | Merged |
| Bug 4 | bison + flex missing from Dockerfile build deps | #2048 | Merged |
No additional latent bugs were found. The remaining 6 version>= constraints that
resolved upward (drogon, nlohmann-json, spdlog, sentry-native, curl, gtest)
all resolved to versions that exist in the registry at the pinned baseline. The
dry-run install passed cleanly for all 9 packages.
No-Change Findings
Two packages had version>= floors that happened to exactly match the baseline
resolution (openssl 3.3.1, jwt-cpp 0.7.0). No pin adjustment was needed beyond
converting the authoring form from version>= in the dependencies array to version
in the overrides array (required by ADR-0085's exact-pin policy).
CI Gate Confirmation
The CI guard workflow vcpkg-manifest-check.yml (ADR-0087, PR #2081) runs
vcpkg install --dry-run against the pinned baseline on every PR that touches
queue/vcpkg.json or queue/Dockerfile. The guard:
- Validates that every declared version exists in the registry at the baseline
- Validates that every declared feature exists in the port at the baseline
- Rejects git clone --depth in the Dockerfile vcpkg clone step (regression guard)
The audited queue/vcpkg.json passes all three checks. This PR's CI run serves as
the first post-audit gate confirmation.
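The three guard checks above, sketched as an added offline example; this is not the project's vcpkg-manifest-check.yml, which runs vcpkg install --dry-run. The REGISTRY and FEATURES tables, the sample manifest and the Dockerfile line are constructed from the values this ADR reports, and the function names are hypothetical.

```python
import re

# Constructed sample data. In a real run, REGISTRY comes from versions/<x>-/<port>.json
# and FEATURES from ports/<port>/vcpkg.json, both read at the pinned baseline SHA.
REGISTRY = {  # port -> set of (version, port-version) present at the baseline
    "libpqxx": {("7.9.0", 1), ("7.9.2", 0)},
    "drogon": {("1.9.6", 0)},
    "openssl": {("3.3.1", 1)},
}
FEATURES = {"drogon": {"ctl", "mysql", "orm", "postgres", "redis", "sqlite3", "yaml"}}

def parse_pin(override):
    """Split an overrides entry into (version, port-version); accepts '3.3.1#1'."""
    version, _, pv = override["version"].partition("#")
    return version, int(pv or override.get("port-version", 0))

def audit(manifest, dockerfile_text):
    findings = []
    pins = {o["name"]: parse_pin(o) for o in manifest.get("overrides", [])}
    for dep in manifest.get("dependencies", []):
        dep = {"name": dep} if isinstance(dep, str) else dep
        name = dep["name"]
        if name not in pins:
            findings.append(f"{name}: no exact pin in overrides")
        elif pins[name] not in REGISTRY.get(name, set()):
            findings.append(f"{name}: {pins[name][0]}#{pins[name][1]} not in registry at baseline")
        for feat in dep.get("features", []):
            if feat not in FEATURES.get(name, set()):
                findings.append(f"{name}: feature '{feat}' not in port at baseline")
    # Regression guard: a shallow clone cannot reach the pinned baseline commit.
    if re.search(r"git\s+clone\b[^\n]*--depth", dockerfile_text):
        findings.append("Dockerfile: shallow vcpkg clone (--depth)")
    return findings

# Constructed manifest reproducing the pre-audit defects described on this page.
BAD_MANIFEST = {
    "dependencies": [
        {"name": "drogon", "features": ["postgres", "openssl"]},
        "openssl",
        {"name": "libpqxx", "version>=": "7.9.1"},
    ],
    "overrides": [{"name": "drogon", "version": "1.9.6"}, {"name": "libpqxx", "version": "7.9.1"}],
}
BAD_DOCKERFILE = "RUN git clone --depth 1 https://github.com/microsoft/vcpkg.git /opt/vcpkg\n"

if __name__ == "__main__":
    print("\n".join(audit(BAD_MANIFEST, BAD_DOCKERFILE)))
```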
Post-Launch Follow-Up
- Card E (#2040): Bump builtin-baseline to current vcpkg HEAD. Deferred post-v1. Requires re-running the full audit procedure with updated overrides versions at the new baseline.
- Card F: Evaluate vcpkg-lock.json. Deferred post-v1.
When Card E lands, a new ADR superseding this one must be written following the same table format.