dfinity · lwshang · Jun 1, 2026 · May 28, 2026
@@ -52,76 +52,53 @@ jobs:
         run: |
           ./scripts/download_reftest_assets.sh
 
-      # ---------------------------------------------------------------------
-      # Test matrix
-      # ---------------------------------------------------------------------
-      # Native (Linux + macOS + Windows):
-      #   - Test: workspace (--all-features)        all crates except ref-tests
-      #   - Test: ic-agent (default features)       ship config smoke
-      #   - Test: ic-agent (tls-ring only)          alternate TLS provider
-      #   - Test: ic-agent (no TLS, panic path)     asserts the expected panic
-      #
-      # Linux-only (need extra system setup or have CI resource limits):
-      #   - Test: WASM (ic-agent, wasm-bindgen)     browser target
-      #   - Test: ref-tests (pocket-ic)             integration baseline
-      #   - Test: ref-tests + SoftHSM               HSM-backed identity
-      # ---------------------------------------------------------------------
-
-      - name: Test - workspace (--all-features)
-        # Covers every crate except ref-tests with --all-features. For ic-agent
-        # this enables both TLS providers; the additivity rule selects the
-        # aws-lc-rs code path at runtime.
-        shell: bash
-        run: cargo test --workspace --exclude ref-tests --all-features --no-fail-fast
-
-      - name: Test - ic-agent (default features)
-        # Ship-config smoke: build & test with only the default feature set
-        # (pem + tls-aws-lc-rs), the configuration downstream users get by
-        # default. Catches cfg gates that compile under --all-features but
-        # break with defaults alone.
-        shell: bash
-        run: cargo test -p ic-agent --no-fail-fast
-
-      - name: Test - ic-agent (tls-ring only)
-        # Exercises the tls-ring code path (the minimal-feature config that
-        # dfinity/ic relies on to avoid rustls provider conflicts).
-        shell: bash
-        run: cargo test -p ic-agent --no-default-features --features pem,tls-ring --no-fail-fast
-
-      - name: Test - ic-agent (no TLS, panic path)
-        # When no TLS feature is enabled, building the default reqwest client
-        # must panic with "No provider set". The integration test asserts this
-        # via #[should_panic]; run only that test, since the rest of ic-agent's
-        # lib tests would also panic for the same (expected) reason.
-        shell: bash
-        run: cargo test -p ic-agent --no-default-features --features pem --test crypto_provider_neither --no-fail-fast
-
-      - name: Test - WASM (ic-agent, wasm-bindgen)
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        run: CARGO_TARGET_DIR=target/wasm wasm-pack test --chrome --headless ic-agent --features wasm-bindgen
-
-      - name: Test - ref-tests (pocket-ic)
+      - name: Run Tests (ref-tests)
         # ref-tests are skipped on macOS CI: the GitHub Actions macOS runner has
         # a low per-process thread limit (kern.maxthreadsperproc) that cannot be
         # raised without root. pocket-ic spawns many OS threads per subnet, and
         # tokio's blocking thread pool accumulates idle threads across sequential
         # tests, exhausting the limit before all tests finish. This is a CI
         # resource constraint — ref-tests work fine on a local macOS machine.
-        # --test-threads=1 keeps the thread footprint manageable on Linux too.
         if: ${{ matrix.os == 'ubuntu-latest' }}
         shell: bash
-        run: cargo test -p ref-tests --no-fail-fast -- --test-threads=1
+        run: |
+          cd ref-tests
+          cargo test --no-fail-fast -- --test-threads=1
+        env:
+          RUST_BACKTRACE: 1
+
+      - name: Run Tests
+        shell: bash
+        run: |
+          # Test all features and no features for each package.
+          # ref-tests is excluded here and run separately with --test-threads=1
+          # to avoid exhausting OS thread limits when pocket-ic spawns many threads.
+          for p in $(cargo metadata --no-deps --format-version 1 | jq -r '.packages[] | select(.name != "ref-tests") | .manifest_path'); do
+            pushd $(dirname $p)
+            cargo test --all-features --no-fail-fast
+            cargo test --no-default-features --no-fail-fast
+            popd
+          done
+        env:
+          RUST_BACKTRACE: 1
+
+      - name: Run Tests (WASM)
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: |
+          CARGO_TARGET_DIR=target/wasm wasm-pack test --chrome --headless ic-agent --features wasm-bindgen
 
-      - name: Test - ref-tests + SoftHSM
+      - name: Run Tests (SoftHSM)
         if: ${{ matrix.os == 'ubuntu-latest' }}
         run: |
           set -ex
           softhsm2-util --init-token --slot $HSM_SLOT_INDEX --label "agent-rs-token" --so-pin $HSM_SO_PIN --pin $HSM_PIN
           # create key:
           pkcs11-tool -k --module $HSM_PKCS11_LIBRARY_PATH --login --slot-index $HSM_SLOT_INDEX -d $HSM_KEY_ID --key-type EC:prime256v1 --pin $HSM_PIN
 
-          cargo test -p ref-tests --all-features --no-fail-fast -- --nocapture --test-threads=1
+          cd ref-tests
+          cargo test --all-features --no-fail-fast -- --nocapture --test-threads=1
         env:
+          RUST_BACKTRACE: 1
           HSM_PKCS11_LIBRARY_PATH: /usr/lib/softhsm/libsofthsm2.so
           HSM_SO_PIN: 123456
           HSM_PIN: 1234

@@ -8,20 +8,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
-## [0.48.0] - 2026-05-21
-
-* `ic-agent`: Added cargo features `tls-aws-lc-rs` (default) and `tls-ring` to select the rustls crypto provider used by the default `reqwest::Client`. Features are additive: when both are enabled, aws-lc-rs is installed as the process-wide rustls default. Reqwest's `rustls` feature (which hardcoded aws-lc-rs) has been swapped for `rustls-no-provider`; ic-agent now installs the chosen provider via `CryptoProvider::install_default()` on the default-client path, idempotently (an application-installed provider is not overwritten). When the user supplies a client via `AgentBuilder::with_http_client`, ic-agent installs no provider.
-
-### Breaking Changes
-
-* `ic-agent`:
-  * Default feature set changed from `["pem"]` to `["pem", "tls-aws-lc-rs"]`. Stock-default users are unaffected (aws-lc-rs has been the only crypto provider available since 0.46.0). The `rustls` dependency is declared `cfg(not(target_family = "wasm"))`, so wasm consumers using default features are also unaffected — aws-lc-sys (which does not cross-compile to wasm) is not pulled in on wasm targets.
-  * Consumers using `default-features = false` on a non-wasm target must now opt into a TLS feature, otherwise `Agent::new` panics with "No provider set" when constructing the default reqwest client.
-    * Migration: add `tls-aws-lc-rs` (matches previous behavior) or `tls-ring` (matches reqwest 0.12 behavior) to the feature list, or supply your own `reqwest::Client` via `AgentBuilder::with_http_client`.
-    * Example: `ic-agent = { version = "0.48", default-features = false, features = ["pem", "tls-ring"] }`.
-  * Removed the deprecated `http_transport` module (`ReqwestTransport`, `AgentBuilder::with_transport`, `AgentBuilder::with_arc_transport`), deprecated since 0.38.0.
-    * Migration: use the dedicated `AgentBuilder` methods (`with_url`, `with_http_client`, `with_arc_route_provider`, `with_max_response_body_size`, `with_max_tcp_error_retries`).
-
 ## [0.47.3] - 2026-05-15
 
 * `ic-agent`: Added the `EffectiveId` enum (`Canister(Principal)` | `Subnet(Principal)`) and widened `Agent::update_signed`, `query_signed`, `request_status_signed`, `request_status_raw`, `wait`, `wait_signed`, `read_state_raw`, `verify`, and `sign_request_status` to accept `impl Into<EffectiveId>`. Passing a bare `Principal` is unchanged (treated as `EffectiveId::Canister(_)`); passing `EffectiveId::Subnet(_)` routes to the subnet-scoped HTTP endpoints (`/api/v4/subnet/<id>/call`, `/api/v3/subnet/<id>/read_state`, `/api/v3/subnet/<id>/query`) introduced in IC interface spec 0.60.0.

@@ -13,7 +13,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.48.0"
+version = "0.47.3"
 authors = ["DFINITY Stiftung <sdk@dfinity.org>"]
 edition = "2021"
 repository = "https://github.com/dfinity/agent-rs"
@@ -30,10 +30,10 @@ license = "Apache-2.0"
 #   a comment listing those crates). Otherwise, features are declared in the individual crate Cargo.toml.
 #
 # The path dependencies below ensure all workspace members use the same version of internal crates.
-ic-agent = { path = "ic-agent", version = "0.48.0", default-features = false }
-ic-identity-hsm = { path = "ic-identity-hsm", version = "0.48.0" }
-ic-transport-types = { path = "ic-transport-types", version = "0.48.0" }
-ic-utils = { path = "ic-utils", version = "0.48.0" }
+ic-agent = { path = "ic-agent", version = "0.47.3", default-features = false }
+ic-identity-hsm = { path = "ic-identity-hsm", version = "0.47.3" }
+ic-transport-types = { path = "ic-transport-types", version = "0.47.3" }
+ic-utils = { path = "ic-utils", version = "0.47.3" }
 ic-utils-bindgen = { path = "ic-utils-bindgen" }
 ref-tests = { path = "ref-tests" }
 
@@ -88,7 +88,6 @@ rand = "0.10.1"
 rangemap = "1.7"
 reqwest = { version = "0.13.2", default-features = false }
 ring = "0.17"
-rustls = { version = "0.23", default-features = false }
 sec1 = "0.7.2"
 semver = "1.0.7"
 serde = "1.0.215"

@@ -19,15 +19,9 @@ targets = ["x86_64-unknown-linux-gnu", "wasm32-unknown-unknown"]
 features = ["wasm-bindgen"]
 
 [features]
-default = ["pem", "tls-aws-lc-rs"]
+default = ["pem"]
 pem = ["dep:pem", "pkcs8/pem"]
 ring = ["dep:ring"]
-# rustls crypto provider selection. Features are additive: if both are enabled,
-# aws-lc-rs is installed as the process-wide rustls default (the ring code is
-# compiled in but unused). To use ring, set `default-features = false` and
-# enable `tls-ring` explicitly.
-tls-aws-lc-rs = ["dep:rustls", "rustls/aws-lc-rs"]
-tls-ring = ["dep:rustls", "rustls/ring"]
 ic_ref_tests = ["default"] # Used to separate integration tests for ic-ref which need a server running.
 wasm-bindgen = [
     "dep:js-sys",
@@ -75,7 +69,7 @@ pem = { workspace = true, optional = true }
 pkcs8 = { workspace = true, features = ["std"] }
 rand = { workspace = true }
 rangemap = { workspace = true }
-reqwest = { workspace = true, default-features = false, features = ["blocking", "json", "rustls-no-provider", "stream"] }
+reqwest = { workspace = true, default-features = false, features = ["blocking", "json", "rustls", "stream"] }
 ring = { workspace = true, optional = true }
 sec1 = { workspace = true, features = ["pem"] }
 serde = { workspace = true, features = ["derive"] }
@@ -91,12 +85,6 @@ tracing = { workspace = true, optional = true }
 url = { workspace = true }
 
 [target.'cfg(not(target_family = "wasm"))'.dependencies]
-# rustls is only used off-wasm: on wasm the reqwest client is the browser's
-# fetch API, and the rustls crypto-provider install is gated
-# `cfg(not(target_family = "wasm"))`. Keeping the dep target-conditional means
-# wasm consumers can use the default features without pulling in aws-lc-sys
-# (which doesn't cross-compile to wasm32-unknown-unknown).
-rustls = { workspace = true, default-features = false, features = ["std", "tls12"], optional = true }
 tokio = { workspace = true, default-features = false, features = ["time", "sync"] }
 
 [target.'cfg(target_family = "wasm")'.dependencies]
@@ -115,7 +103,6 @@ tracing-subscriber = { workspace = true }
 
 [target.'cfg(not(target_family = "wasm"))'.dev-dependencies]
 mockito = { workspace = true }
-rustls = { workspace = true, features = ["aws-lc-rs", "ring"] }
 tokio = { workspace = true, features = ["full"] }
 
 [target.'cfg(target_family = "wasm")'.dev-dependencies]

@@ -0,0 +1,8 @@
+//! This module has been deprecated in favor of builder methods on `AgentBuilder`.
+
+#[deprecated(since = "0.38.0", note = "use the AgentBuilder methods")]
+#[doc(hidden)]
+pub mod reqwest_transport;
+#[doc(hidden)]
+#[allow(deprecated)]
+pub use reqwest_transport::ReqwestTransport;