Skip to main content

max / makenotwork

docs: prune stale todo items + refresh upstream-blocked list - Drop "Warning-only admin action" — admin_warn_user already exists at routes/admin/users.rs:102. - Drop "Custom domains not in getting-started flow" — already linked from site-docs/public/guide/getting-started.md:172. - Drop "Confirm Cache-Control on S3 uploads" — verified; all presign_upload call sites pass CACHE_CONTROL_IMMUTABLE. - Refresh Upstream Blocked from cargo audit: • Drop yara-x wasmtime gate (now on wasmtime 43.0.2) • Drop aws-sdk-s3 lru advisory (resolved) • Drop async-stripe instant advisory (resolved via rc.5 migration) • Add three new rustls-webpki advisories (2026-0098/-0099/-0104). - Fix async-trait line numbers (payments/mod.rs:60 -> :70, storage.rs:175 -> :169). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author: Max J. <87768334+MaxJMath@users.noreply.github.com> · 2026-05-21 01:50 UTC
Commit: cba4de71a367c0e175a0d7caef901a9f01e68bac
Parent: 912b338
1 file changed, +3 insertions, -8 deletions
M server/docs/todo.md +3 -8
@@ -131,9 +131,7 @@ Full plan: `plans/small-creator-onramp.md`. Charter creator pricing lock was rep
131 131
132 132 From `todo-creator-trust-audit.md` migration 2026-05-12.
133 133
134 - - [ ] **Warning-only admin action**: moderation.md describes a 4-step ladder starting with "Direct Message," but code only implements suspend/unsuspend/terminate. (`routes/admin/users.rs`)
135 134 - [ ] **Content archive guarantee unimplemented**: 12-month preservation listed under "Planned Guarantees" in guarantees.md — mark clearly as planned, not current.
136 - - [ ] **Custom domains not in getting-started flow**: feature exists but hard to find. Link from getting-started.md.
137 135 - [ ] **Creator storefront preview/demo**: first-time visitors can't see what a page looks like before signing up.
138 136 - [ ] **Creator status notification channel**: on health status transitions, email opted-in creators. WAM tickets already fire on transitions; extend monitor to dispatch creator-facing emails. (`monitor.rs`, `notifications.rs`)
139 137
@@ -257,7 +255,6 @@ Findings from phases 1-8, grouped by the website area they affect. Six items lan
257 255 Cheap wins to land before scale forces them. Ordered by cost-impact-if-ignored.
258 256
259 257 - [ ] **Verify CDN coverage of paid downloads** (cross-references Cloudflare Phase 1). Grep `routes/storage/` and `routes/api/...` for download paths; confirm presigned URLs route through `cdn.makenot.work`.
260 - - [ ] **Confirm `Cache-Control` on S3 uploads** — already done; keep monitored.
261 258 - [ ] **PoM alert on `pg_stat_activity` saturation.** MNW pool (25) + MT pool share one Postgres. Add probe + alert before exhaustion is the first signal.
262 259 - [ ] **Rate limit + concurrency cap on `/api/domains/caddy-ask`** — ACME issuance abuse target at scale.
263 260 - [ ] **Document Tailscale break-glass SSH path** — admin :2200 is tailnet-only; public :22 is mnw-cli only. Runbook step in `deploy/SSH_ACCESS.md`. Cross-reference the no-disabling-Tailscale-SSH-without-fallback memory rule.
@@ -283,7 +280,7 @@ All SERIOUS items resolved through Run 23. Items below are MINOR/NOTE and accept
283 280
284 281 From rust-code-assessment review. Gaps to consider, not defects.
285 282
286 - - [ ] **`async-trait` everywhere is dated.** `PaymentProvider` (`payments/mod.rs:60`) and `StorageBackend` (`storage.rs:175`) use `#[async_trait]`. Rust 1.75+ native `async fn` in traits; only `dyn`-dispatched methods need the macro. Narrow `async-trait` to dyn sites, drop heap allocation elsewhere.
283 + - [ ] **`async-trait` everywhere is dated.** `PaymentProvider` (`payments/mod.rs:70`) and `StorageBackend` (`storage.rs:169`) use `#[async_trait]`. Rust 1.75+ native `async fn` in traits; only `dyn`-dispatched methods need the macro. Narrow `async-trait` to dyn sites, drop heap allocation elsewhere.
287 284 - [ ] **`#[tracing::instrument]` cardinality review.** Default to `skip_all` + explicit fields. At ~92K LOC the index cost matters.
288 285 - [ ] **No mutation score for MNW server.** pter measured 70.2% on 2026-05-14; MNW never measured. Run `cargo-mutants` on `validation/` or `payments/` first.
289 286 - [ ] **`define_pg_uuid_id!` / `impl_str_enum!` would benefit from being proc-macros.** Better diagnostics, IDE go-to-definition, doc comments. Defer until a third macro joins.
@@ -396,10 +393,8 @@ Forward-looking work, no sprint assigned. Each category is a flat list of items.
396 393
397 394 Waiting on upstream crates; no action.
398 395
399 - - [ ] `yara-x`: needs `wasmtime >=42.0.2` (RUSTSEC-2026-0095, -0096)
400 - - [ ] `aws-sdk-s3`: `lru` fix (RUSTSEC-2026-0002)
401 - - [ ] `async-stripe`: `instant` fix (RUSTSEC-2024-0384)
402 - - [ ] `rsa` (RUSTSEC-2023-0071) via `sqlx-mysql` + `yara-x` — no fix available
396 + - [ ] `rsa` (RUSTSEC-2023-0071, Marvin Attack) via `sqlx-mysql` + `yara-x` — no fix available upstream
397 + - [ ] `rustls-webpki` (RUSTSEC-2026-0098 / -0099 / -0104) — name-constraint and CRL parsing advisories, waiting on transitive bump
403 398
404 399 ---
405 400