max / makenotwork

Close async-trait chronic item — required for dyn dispatch Rust 2024 native async fn in traits is not dyn-compatible. All 3 traits (StorageBackend, EmailTransport, PaymentProvider) are used as Arc<dyn Trait> for test mocking and implementation swapping. async-trait is the correct tool until RFC 3245 stabilizes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Max J. <87768334+MaxJMath@users.noreply.github.com> · 2026-05-09 02:35 UTC

Commit: 06422a6b88f788f496e97ff0e5589592dd677c29

Parent: f0e40b7

2 files changed, +7 insertions, -7 deletions

M server/docs/audit_review.md +6 -6

			@@ -17,7 +17,7 @@ Run 21: Ultra Fuzz (Payments, Storage, UX Wiring, Security, Performance). v0.5.7
17	17		\| Security \| A+ \| SHA-256-based constant-time compare, fail-closed scanning, CSRF everywhere, Argon2id, HMAC webhooks, PKCE S256 \|
18	18		\| Performance \| A- \| Discover page fires 5-8 queries per request (new finding). Presigned uploads, CDN fallback, session cache solid \|
19	19		\| Documentation \| A- \| Module-level //! on all major files. No README.md \|
20		-	\| Dependencies \| A- \| 4 transitive advisories (none exploitable). async-trait still present (chronic) \|
	20	+	\| Dependencies \| A- \| 4 transitive advisories (none exploitable). async-trait retained (required for dyn dispatch) \|
21	21		\| Frontend \| A \| Askama auto-escape, json_escape prevents JSON-LD XSS, HTMX patterns consistent \|
22	22		\| Type Safety \| A+ \| 36 UUID newtypes, 25+ domain enums, validated string types, Cents/PriceCents monetary newtypes \|
23	23		\| Observability \| A- \| Comprehensive #[instrument] on routes + DB. Gaps: embed/ (0), payments/ (0) -- chronic from Run 20 \|
			@@ -153,8 +153,8 @@ Zero `#[instrument]` annotations in both modules. Carried from Run 20 (#58, #59)
153	153		### 3. Storage accounting drift windows
154	154		Non-atomic confirm upload (increment storage, then update item in separate queries) and soft-delete purge (deletes items without decrementing storage or cleaning version S3 keys) create drift windows. Weekly `recalculate_all_storage_batch` corrects drift, but the window is hours to days.
155	155
156		-	### 4. async-trait still in use (CHRONIC)
157		-	3 trait definitions still use `async-trait` crate. Carried from Run 18. Fourth consecutive audit.
	156	+	### 4. async-trait retained (RESOLVED — not removable)
	157	+	3 trait definitions use `async-trait` for dyn-compatible async dispatch (`Arc<dyn StorageBackend>`, etc.). Rust 2024 native async fn in traits is not dyn-compatible — `async-trait` is the correct tool until RFC 3245 (`dyn async fn`) stabilizes. Closing chronic item.
158	158
159	159		## Bug Reports by Axis
160	160
			@@ -304,7 +304,7 @@ Connection pool exhaustion (except discover), file scanning memory, SSE connecti
304	304		76. [MEDIUM] Add `#[tracing::instrument(skip_all)]` to payments/ functions (chronic, from Run 20 #59)
305	305		77. [MINOR] Initialize PWYW amount_cents hidden field server-side (`templates/pages/purchase.html`)
306	306		78. [MINOR] Use `AuthUser` instead of `MaybeUser` for OAuth authorize (`routes/oauth.rs:253-256`)
307		-	79. [DEFERRED] Remove `async-trait` (chronic, from Run 18 #56 -> #62)
	307	+	79. ~~[DEFERRED] Remove `async-trait`~~ CLOSED — required for dyn dispatch, not removable until RFC 3245
308	308		80. [DEFERRED] Add README.md to server/ (chronic, from Run 19 #53 -> #63)
309	309		81. [DEFERRED] Split oversized route files: health.rs (846), exports.rs (842), tabs/user.rs (815)
310	310
			@@ -323,7 +323,7 @@ Connection pool exhaustion (except discover), file scanning memory, SSE connecti
323	323		\| 59 \| Add #[instrument] to payments/ \| Unfixed (chronic, carried as #76) \|
324	324		\| 60 \| Split webhook/checkout.rs (792 LOC) \| Fixed (now 684 LOC) \|
325	325		\| 61 \| Bump transitive deps \| Partially fixed (yara-x still has wasmtime advisory) \|
326		-	\| 62 \| Remove async-trait \| Unfixed (chronic, carried as #79) \|
	326	+	\| 62 \| Remove async-trait \| Closed — required for dyn dispatch, not removable \|
327	327		\| 63 \| Add README.md to server/ \| Unfixed (chronic, carried as #80) \|
328	328		\| 64 \| Split oversized route files \| Unfixed (carried as #81) \|
329	329
			@@ -333,7 +333,7 @@ Connection pool exhaustion (except discover), file scanning memory, SSE connecti
333	333
334	334		\| Item \| First flagged \| Runs unfixed \|
335	335		\|------\|--------------\|-------------\|
336		-	\| Remove async-trait \| Run 18 \| 4 (18, 19, 20, 21) \|
	336	+	\| ~~Remove async-trait~~ \| Run 18 \| Closed — required for dyn dispatch \|
337	337		\| Add #[instrument] to embed/ \| Run 20 \| 2 (20, 21) \|
338	338		\| Add #[instrument] to payments/ \| Run 20 \| 2 (20, 21) \|
339	339		\| Add README.md to server/ \| Run 19 \| 3 (19, 20, 21) \|

M server/docs/todo.md +1 -1

			@@ -230,7 +230,7 @@ the DB references deleted S3 objects (or S3 objects are orphaned with no DB refe
230	230		Edge cases: S3 deletes are idempotent (404 = success). Duplicate rows are harmless. Enqueue failure = bail before any destructive work. Crash between enqueue and S3 = retry job picks up. Crash after S3 but before DB = next scheduler tick re-processes (re-enqueue is harmless). Advisory lock prevents concurrent schedulers.
231	231
232	232		### Code Quality
233		-	- [ ] Remove `async-trait` in favor of Rust 2024 native async traits
	233	+	- ~~Remove `async-trait`~~ — kept: all 3 traits are used as `dyn` objects; Rust 2024 async fn in traits is not dyn-compatible. `async-trait` is the correct tool until `dyn async fn` stabilizes (RFC 3245)
234	234		- [ ] Add README.md to server/
235	235		- [ ] Split oversized route files: exports.rs, license_keys.rs, health.rs, tabs/user.rs
236	236		- [ ] Monitor scheduler.rs, git/mod.rs for growth