# Multithreaded -- Audit History

Full chronological audit log. See [audit_review.md](./audit_review.md) for current state.

## Changes Since Last Audit

### Seventh formal audit (2026-03-28, Run 12 cross-project)

- **Test count:** 225 (35 unit lib + 190 integration). 0 clippy warnings. 0 failures.
- **Grade:** A (maintained). v0.3.2.
- **Internal API improvements:** MNW category auto-provisioning (Items, Blog, Devlog, Discussion) via internal API with shared secret auth.
- **Link preview fix:** Corrected URL extraction edge case.
- **New dependency advisories (action items):**
  - aws-lc-sys 0.38.0 (RUSTSEC-2026-0044 + -0048, severity 7.4 HIGH) — upgrade to 0.39.0 via `cargo update -p aws-lc-sys`
  - rustls-webpki 0.103.9 (RUSTSEC-2026-0049) — upgrade to 0.103.10 via `cargo update -p rustls-webpki`
- **Mandatory surprise:** None new. Previous surprises (CoreError dead code, link_preview IPv6 blocking) both resolved.
- **No new code findings.** All previous items remain resolved.
- **Note:** Test count 225 is lower than previous 249 — mt-core (16) and mt-db (11) unit tests may not have been captured in this run. Integration tests grew from 187 to 190.

### Test coverage expansion (2026-03-22)

- **Test count:** 222 -> 249 (+27 tests). 0 clippy warnings.
- **Grade:** A (maintained). Testing A- -> A. Three cold spots resolved.
- **auth.rs:** 3 -> 8 integration tests (+5). PKCE params, state nonce validation (3 paths), suspended user behavior.
- **admin.rs:** 6 -> 10 integration tests (+4). Search, invalid UUID handling, mod_log entry creation, non-admin access denial.
- **mutations.rs:** New test file with 18 integration tests. Covers: cleanup_expired_bans, ban upserts, swap_category_order, get_category_id_by_slugs, update_category, ensure_membership idempotency, soft_delete, create_post activity bump, toggle_endorsement, insert_flag idempotency, remove_image, link_preview dedup, mentions dedup, upsert_user.
- **seed.rs:** Type safety improved — raw `&str` role params replaced with `CommunityRole` enum (B -> A-).
- **Module heatmap updates:** auth.rs Test B- -> A-, admin.rs Test B -> A-, mutations.rs Test B -> A-, seed.rs Code B+ -> A- / Type Safety B -> A-.

### Fifth formal audit (2026-03-18, Run 9 cross-project)

- **Test count:** 222 (unchanged). 0 clippy warnings.
- **Grade:** A (maintained). v0.3.1 (deployed 2026-03-18).
- **No new findings requiring action.**
- **Observations (pre-existing, not regressions):**
  - ~~`deletion_task.abort()` in main.rs without awaiting completion~~ — Fixed: now awaits task completion after abort.
  - Inline `onsubmit` confirmation dialogs in thread.html — not screen-reader friendly. Impact: LOW, functional but not best-practice.
  - ~~No client-side maxlength on textarea inputs~~ — Fixed: maxlength added to all inputs/textareas. Server-side limits added for flag detail and ban/mute reason (1024 bytes).
- **Mandatory surprise:** URL validation in link_preview.rs blocks IPv4-mapped IPv6 addresses via host_part parsing, but IPv6 full range check uses string prefix match for unique local addresses. Intentionally restrictive (good for SSRF) — not a vulnerability.

### Phases 19 + 20 implementation (2026-03-16)

- **Test count:** 146 -> 173 (+27 tests: 19 unit + 7 integration + 1 workflow mod)
- **Grade:** A (maintained). Phases 19 (@Mentions) and 20 (Link Previews) implemented.
- **Source LOC:** ~7,000 (up from 6,232)
- **Migrations:** 12 -> 17 (013 flagging, 014 tags, 015 tracking, 016 post_mentions, 017 link_previews)
- **New files:** `src/link_preview.rs` (URL extraction + OG fetch), `tests/workflows/mentions.rs` (4 tests), `tests/workflows/link_previews.rs` (3 tests)
- **New DB functions:** `resolve_usernames_in_community`, `insert_mentions`, `list_link_previews_for_posts`, `insert_link_preview`
- **Markdown:** `extract_mention_usernames`, `resolve_mentions` with code-span awareness
- **Zero clippy warnings, all 173 tests passing.**

### Second formal audit (2026-03-16, Run 6 cross-project)

- **Test count:** 106 -> 146 (+40 tests)
- **Grade:** A (maintained). Phases 14, 15, and 21 implemented since last audit.
- **Source LOC:** 6,232 (up from ~4,800)
- **Migrations:** 10 -> 12 (post_footnotes, post_endorsements)
- **Instrument coverage:** 109/110 (99%) — near-perfect
- **New finding (LOW):** Regex compiled per-request in verify_quotes/post_process_quotes for SHA-256 hash pattern matching. Should use LazyLock.
- **Performance note:** forum.rs at 969 LOC split into forum/ directory module: views.rs (510) + actions.rs (480).
- **Mandatory surprise:** Per-request regex in quote verification — LOW (functional but inefficient).
- **Previous items verified:** All previous remediated items confirmed intact.

### First formal audit (2026-03-14)

- **Grade:** B+ (unchanged from baseline, but now backed by per-module code review)
- **Baseline was optimistic on:** Security (A- -> B+: `javascript:` XSS found, fail-open patterns found), Type Safety (A- -> B+: domain types confirmed unused), Observability (B -> C: zero `#[instrument]` is worse than "no annotations yet"), Performance (B -> A-: indexes are actually solid)
- **Baseline was pessimistic on:** Performance (B -> A-: proper composite indexes, partial indexes, no N+1)
- **Test count confirmed:** 90 (documented 72 was wrong: 56 integration + 18 unit markdown/csrf + 16 unit mt-core)
- **New findings:** 1 HIGH (`javascript:` XSS), 4 MEDIUM (secure cookie, transaction, fail-open, observability), 5 SMALL

### Full remediation (2026-03-14)

- **Grade:** B+ -> A- (all 10 findings resolved, grade capped by git hygiene)
- **Tests:** 90 -> 97 (+7 markdown security tests)
- **Files:** 36 -> 33 (deleted error.rs, models.rs, pool.rs)
- **Cold spots:** 7 -> 3 (resolved: markdown XSS, observability, dead code, dead docs x2)
- **Key changes:** URL scheme allowlist sanitization, 86 `#[instrument(skip_all)]`, fail-closed access checks, transaction wrapping, configurable Secure cookie, dead code + deps removed, mod log error logging, `.env.example` expanded
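
The following is an added example, not code from this project, of what a URL scheme allowlist for Markdown link targets (the fix listed above for the HIGH `javascript:` XSS finding) can look like. The function name `sanitize_href` and the allowed set (http, https, mailto) are assumptions; the audit log does not state either.

```rust
// Added illustration; not code from the audited project.
// Assumption: http, https and mailto are allowed; the page does not list the schemes.
const ALLOWED_SCHEMES: [&str; 3] = ["http", "https", "mailto"];

/// Returns the cleaned URL when it is safe as a link target, otherwise None.
/// `sanitize_href` is a hypothetical name. Call it on the URL after the
/// Markdown parser has decoded HTML entities, so `&#58;` is already `:`.
pub fn sanitize_href(raw: &str) -> Option<String> {
    // Browsers strip leading/trailing C0 controls and spaces and drop
    // tab/CR/LF anywhere in a URL, so "java\tscript:" still executes.
    let cleaned: String = raw
        .trim_matches(|c: char| c <= ' ')
        .chars()
        .filter(|c| !matches!(*c, '\t' | '\n' | '\r'))
        .collect();
    if cleaned.is_empty() {
        return None;
    }
    // A scheme exists only if ':' appears before any '/', '?' or '#'.
    let first = cleaned.find(|c: char| matches!(c, ':' | '/' | '?' | '#'));
    match first {
        Some(i) if cleaned.as_bytes()[i] == b':' => {
            let scheme = cleaned[..i].to_ascii_lowercase();
            if ALLOWED_SCHEMES.contains(&scheme.as_str()) {
                Some(cleaned)
            } else {
                None // javascript:, data:, vbscript: and anything unlisted
            }
        }
        // No scheme: relative path, query or fragment, which cannot run script.
        _ => Some(cleaned),
    }
}

fn main() {
    // Constructed sample inputs.
    for href in ["https://example.com/a", " JaVa\tScRiPt:alert(1)", "/threads/42#post-7"] {
        println!("{:?} -> {:?}", href, sanitize_href(href));
    }
}
```

Because the check is an allowlist, an unknown or future scheme is rejected by default, which matches the fail-closed direction of the other remediation items.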