# Multithreaded -- Code Audit Review

**Last audited:** 2026-03-28 (seventh formal audit, Run 12 cross-project)
**Previous audit:** 2026-03-22 (sixth audit, coverage expansion)

## Overall Grade: A

Run 12 cross-project audit. 225 tests (35 unit lib + 190 integration). 0 clippy warnings. v0.3.2. Grade stable at A. Internal API improvements (MNW category provisioning). Link preview fix. New dep advisories: aws-lc-sys (HIGH 7.4), rustls-webpki.

## Scorecard

| Dimension | Grade | Notes |
|-----------|:-----:|-------|
| Code Quality | A | Zero clippy warnings. Consistent `map_err` + `tracing::error!` error handling. Mod log failures logged (not silently dropped). Dead code removed. |
| Architecture | A | Clean 3-crate workspace: mt-core (time formatting), mt-db (queries/mutations), main app (routes, auth, templates). Route module properly split into forum/moderation/settings/admin. Template layer uses view-model structs. |
| Testing | A | 225 tests (35 unit main + 190 integration) at ~32 tests/KLOC. Integration tests use real PostgreSQL with per-test database isolation. Coverage on CRUD, permissions, bans, mute/unban/unmute handlers, CSRF, pagination, rate limiting, category edit/reorder, expired ban behavior, endorsements, footnotes, verified quoting, mentions, link previews, profiles, auth flow (PKCE/state), admin routes, mutations (bans, categories, endorsements, flags, images, link previews, mentions, users). |
| Security | A | All SQL parameterized. CSRF with constant-time comparison. OAuth PKCE with state nonce. Markdown via docengine (URL scheme allowlist + HTML sanitization, defense-in-depth). Fail-closed access checks on all ban/mute/suspension queries. Session cookie Secure flag configurable. |
| Performance | A- | Proper indexes on all query patterns (composite indexes for category listing, thread ordering, ban lookup, mod log). Partial index on ban expiration. No N+1 queries. Per-IP rate limiting on write endpoints (tower-governor). |
| Documentation | A- | `//!` module docs on all source files. `.env.example` documents all 9 environment variables. |
| Dependencies | A | Minimal deps, all justified. Rust 2024 edition. Dead deps removed (thiserror, serde, serde_json from mt-core; mt-core, thiserror from mt-db). Workspace dependency management. |
| Frontend | A | HTMX for dynamic interactions. Askama autoescaping on all template variables. CSRF auto-injected for forms and HTMX. Toast uses `textContent`. `body_html` sanitized by docengine (defense-in-depth). Client-side maxlength on all inputs. |
| Type Safety | A- | Query layer uses focused `FromRow` projections. Dead domain types removed. |
| Observability | A | 86 `#[instrument(skip_all)]` annotations across all route handlers and DB functions. `tracing-subscriber` with EnvFilter. |
| Concurrency | A- | Async throughout with tokio. Graceful shutdown (SIGINT + SIGTERM). reqwest timeouts (15s + 5s). `swap_category_order` uses transaction. Per-IP rate limiting (burst 10, 2/sec). |
| Resilience | A- | Graceful shutdown. HTTP client timeouts. Error logging without panics. Mod log failures logged. Rate limiting on writes. Gap: no retry on MNW API calls. |
| API Consistency | A- | Consistent redirect-with-toast pattern. Proper status codes (403/404/422). Health endpoint returns JSON. |
| Migration Safety | A- | SQLx `migrate!()` with sequential numbering (001-020). All additive. No destructive operations. |
| Codebase Size | A | Lean codebase for full forum with OAuth, CSRF, markdown, moderation, admin, pagination, soft-delete, and settings. |

## Module Heatmap

| Module | Code | Arch | Test | Security | Perf | Docs | Type Safety | Observability | Concurrency | Resilience |
|--------|:----:|:----:|:----:|:--------:|:----:|:----:|:-----------:|:-------------:|:-----------:|:----------:|
| main.rs | A- | A | - | A- | A | A- | A | A | A | A |
| config.rs | A | A | - | A | - | A | A | - | - | - |
| auth.rs | A- | A | A- | A- | A | A | A | A | A | B+ |
| csrf.rs | A | A | A | A+ | A | A | A | A | - | - |
| (docengine) | A | A | A | A+ | A | A | A | - | - | - |
| seed.rs | A- | A | - | A | - | A | A- | - | - | - |
| routes/mod.rs | A | A | - | A- | A | A | A | A | A- | A- |
| routes/forum.rs | A | A | B+ | A- | A | A | A | A | A | A- |
| routes/moderation.rs | A | A | A- | A | A | A | A | A | A | A- |
| routes/settings.rs | A | A | A- | A | A | A | A | A | A- | A- |
| routes/admin.rs | A | A | A- | A | A | A | A | A | A | A |
| templates/ | A | A | A | A- | - | A | A | - | - | - |
| mt-core/time_format.rs | A | A | A | - | A | A | A | - | - | - |
| mt-db/queries.rs | A | A | B+ | A+ | A | A | A | A | A | A |
| mt-db/mutations.rs | A | A | A- | A+ | A | A | A | A | A- | A |

### Cold Spots

None — all previous cold spots resolved.

## Strengths

- **Clean architecture.** 3-crate workspace with proper separation. Route module split into focused files. Template layer uses view-model structs.
- **Comprehensive CSRF.** Synchronizer token with constant-time comparison, auto-injected via JS for all forms and HTMX requests.
- **Solid test infrastructure.** Full Axum app with real PostgreSQL per test. Cookie-aware client with automatic CSRF token extraction.
- **Authorization hierarchy.** Owner > mod > member correctly enforced. Owners cannot be banned. Only owners can ban mods.
- **Input validation.** Length limits on all user content. Slug format validation. UUID parsing validated. Sort/order whitelisted.
- **SQL safety.** All 40+ queries parameterized. Dynamic ORDER BY uses whitelist match.
- **Efficient codebase.** 4,808 LOC for full forum functionality.

## Weaknesses

- **No retry on MNW API calls.** OAuth token exchange and userinfo fetch have no retry logic.

## Mandatory Surprise

**`CoreError` is a fully-defined typed error enum with 5 variants (NotFound, Unauthorized, Forbidden, Validation, Internal) that is never used anywhere in the application.**

Route handlers use `map_err(|e| { tracing::error!(...); StatusCode::INTERNAL_SERVER_ERROR })` directly. Domain model structs in mt-core (User, Community, Category, Thread, Post, Membership, Role) are similarly defined but bypassed -- queries.rs defines its own `FromRow` structs inline.

**Verdict: Genuine issue.** Good architectural intent that was never integrated.

**Resolved:** Dead code removed (error.rs, models.rs, pool.rs deleted; unused deps cleaned from mt-core and mt-db).

## Action Items

Filed in `docs/mnw/mt/todo.md`.

1. ~~**[HIGH]** Sanitize URL schemes in markdown rendering~~ -- Done. Allowlist (http, https, mailto, ftp), 7 tests added.
2. ~~**[MEDIUM]** Add `#[instrument(skip_all)]` to all route handlers and DB functions~~ -- Done. 86 annotations.
3. ~~**[MEDIUM]** Make session cookie `Secure` flag configurable~~ -- Done. `COOKIE_SECURE` env var.
4. ~~**[MEDIUM]** Wrap `swap_category_order` in transaction~~ -- Done.
5. ~~**[MEDIUM]** Change fail-open access checks to fail-closed~~ -- Done.
6. ~~**[SMALL]** Add `//!` module docs~~ -- Done. All source files documented.
7. ~~**[SMALL]** Remove dead code~~ -- Done. error.rs, models.rs, pool.rs deleted. Deps cleaned.
8. ~~**[SMALL]** Log mod log insert failures~~ -- Done. 15 locations across 4 files.
9. ~~**[SMALL]** Expand `.env.example`~~ -- Done. All 9 env vars documented.
10. ~~**[SMALL]** Initial git commit + configure remotes~~ -- Done.

## Metrics Over Time

| Audit Date | LOC | Rust Files | Tests | Tests/KLOC | Clippy Warnings | Cold Spots | Overall |
|------------|-----|-----------|-------|-----------|----------------|------------|---------|
| 2026-03-14 | 4,808 | 36 | 90 | 18.7 | 0 | 7 | B+ |
| 2026-03-14 (remediation) | ~4,600 | 33 | 97 | ~21 | 0 | 3 | A- |
| 2026-03-14 (rate limit) | ~4,700 | 34 | 99 | ~21 | 0 | 3 | A- |
| 2026-03-14 (coverage) | ~4,800 | 34 | 106 | ~22 | 0 | 1 | A |
| 2026-03-14 (ammonia) | ~4,800 | 34 | 106 | ~22 | 0 | 0 | A |
| 2026-03-16 (Run 6) | 6,232 | ~36 | 146 | ~23 | 0 | 0 | A |
| 2026-03-16 (P19+P20) | ~7,000 | ~38 | 173 | ~25 | 0 | 0 | A |
| 2026-03-17 (Run 8) | ~7,000 | ~38 | 222 | ~32 | 0 | 0 | A |
| 2026-03-18 (Run 9) | ~7,000 | ~38 | 222 | ~32 | 0 | 0 | A |
| 2026-03-22 (coverage) | ~7,000 | ~39 | 249 | ~36 | 0 | 0 | A |
| 2026-03-28 (Run 12) | ~7,200 | ~39 | 225+ | ~32 | 0 | 0 | A |

---

See [audit_history.md](./audit_history.md) for full chronological audit log.