Fix 1856 (#1857)

* started new dev branch; added audit file

* Sync .cicd security fix and harden hatch_build against silent CFFI degradation (#1856)

Carry over two release-readiness items from the zlmdb 26.6.1 release:

- Bump .cicd (wamp-cicd) 8f520a9 -> f77ca2b to pick up the script/shell
  injection fix in the shared identifiers.yml reusable workflow
  (GHSA-6658-6vq6-hjpr): untrusted GitHub event fields are passed via env:
  as quoted data with a fail-closed branch-name allowlist.

- hatch_build.py: fail the wheel build hard when NVX was requested
  (AUTOBAHN_USE_NVX) but the CFFI extension did not compile, instead of
  silently emitting a structurally-valid-but-unintended py3-none-any wheel.
  A transient native-compile crash (e.g. gcc SIGSEGV under QEMU ARM64
  emulation) now aborts with a non-zero exit so CI can retry it. Unlike
  zlmdb's mandatory LMDB extension, autobahn's NVX is optional (pure-Python
  fallback), so AUTOBAHN_USE_NVX=0 still yields a legitimate pure-Python
  wheel.

Note: This work was completed with AI assistance (Claude Code).

Author: oberstet

.audit/oberstet_fix_1856.md

@@ -0,0 +1,8 @@
+- [ ] I did **not** use any AI-assistance tools to help create this pull request.
+- [x] I **did** use AI-assistance tools to *help* create this pull request.
+- [x] I have read, understood and followed the projects' [AI Policy](https://github.com/crossbario/autobahn-python/blob/main/AI_POLICY.md) when creating code, documentation etc. for this pull request.
+
+Submitted by: @oberstet
+Date: 2026-06-16
+Related issue(s): #1856
+Branch: oberstet:1856

.cicd

@@ -26,6 +26,8 @@ Changelog
 
 * Bump shared ``.ai`` (wamp-ai) and ``.cicd`` (wamp-cicd) submodules to match zlmdb exactly (#1853)
 * Fix ``scripts/update_flatbuffers.sh`` git-version capture for submodule checkouts (``.git`` is a file, not a directory) (#1853)
+* Bump the ``.cicd`` (wamp-cicd) submodule to pick up the script/shell-injection fix in the shared ``identifiers.yml`` reusable workflow (untrusted GitHub event fields are now passed via ``env:`` as quoted data with a fail-closed branch-name allowlist) (#1856)
+* Fail wheel builds hard when NVX was requested (``AUTOBAHN_USE_NVX``) but the CFFI extension did not compile, instead of silently degrading to a pure-Python (``py3-none-any``) wheel. A transient native-compile crash (e.g. a ``gcc`` SIGSEGV under QEMU ARM64 emulation) now aborts the build with a non-zero exit so CI can retry it, rather than uploading a structurally valid but unintended artifact. Building with ``AUTOBAHN_USE_NVX=0`` still produces a pure-Python wheel as before (#1856)
 
 25.12.2
 -------

docs/changelog.rst

@@ -49,21 +49,44 @@ def initialize(self, version, build_data):
         built_nvx = False
         built_flatc = False
 
-        # Check if NVX build is disabled
-        if os.environ.get("AUTOBAHN_USE_NVX", "1") not in ("0", "false"):
+        # NVX (Native Vector Extensions) is an OPTIONAL accelerator: autobahn
+        # ships pure-Python fallbacks for both the XOR masker and the UTF-8
+        # validator (see autobahn.websocket.xormasker), and AUTOBAHN_USE_NVX=0
+        # is an explicitly supported configuration that yields a legitimate
+        # pure-Python (py3-none-any) wheel.
+        nvx_requested = os.environ.get("AUTOBAHN_USE_NVX", "1") not in ("0", "false")
+
+        if nvx_requested:
             # Build CFFI modules (NVX)
             built_nvx = self._build_cffi_modules(build_data)
         else:
             print("AUTOBAHN_USE_NVX is disabled, skipping CFFI build")
 
+        # When NVX was requested but no extension was produced, the CFFI compile
+        # failed silently (_build_cffi_modules swallows compile errors and just
+        # returns False). Refuse to degrade a platform wheel into a structurally
+        # valid but unintended pure-Python (py3-none-any) wheel: fail the build
+        # hard so that a transient native-compile crash (e.g. a gcc SIGSEGV
+        # under QEMU ARM64 emulation) aborts with a non-zero exit and is retried
+        # by CI, instead of being uploaded as a degraded artifact. See #1856.
+        if nvx_requested and not built_nvx:
+            raise RuntimeError(
+                "NVX CFFI extension was requested (AUTOBAHN_USE_NVX) but was not "
+                "built - refusing to emit a pure-Python (py3-none-any) autobahn "
+                "wheel. See the build log above for the underlying compile "
+                "failure. Set AUTOBAHN_USE_NVX=0 to intentionally build a "
+                "pure-Python wheel."
+            )
+
         # Build and bundle the flatc compiler (developer convenience). The
         # binary FlatBuffers schemas (reflection.bfbs, wamp.bfbs) are NOT
         # generated here: they are committed to the source tree and shipped
         # as-is, so a package build never needs to *run* flatc (required for
-        # cross-compilation - see module docstring).
+        # cross-compilation - see module docstring). flatc is best-effort and
+        # does NOT gate the wheel tag.
         built_flatc = self._build_flatc(build_data)
 
-        # If we built any extensions, mark this as a platform-specific wheel
+        # If we built any extensions, mark this as a platform-specific wheel.
         if built_nvx or built_flatc:
             build_data["infer_tag"] = True
             build_data["pure_python"] = False