# Multithreaded -- Audit History

Full chronological audit log. See [audit_review.md](./audit_review.md) for current state.

## Changes Since Last Audit

### Seventh formal audit (2026-03-28, Run 12 cross-project)
- **Test count:** 225 (35 unit lib + 190 integration). 0 clippy warnings. 0 failures.
- **Grade:** A (maintained). v0.3.2.
- **Internal API improvements:** MNW category auto-provisioning (Items, Blog, Devlog, Discussion) via internal API with shared secret auth.
- **Link preview fix:** Corrected URL extraction edge case.
- **New dependency advisories (action items):**
  - aws-lc-sys 0.38.0 (RUSTSEC-2026-0044 + -0048, severity 7.4 HIGH) — upgrade to 0.39.0 via `cargo update -p aws-lc-sys`
  - rustls-webpki 0.103.9 (RUSTSEC-2026-0049) — upgrade to 0.103.10 via `cargo update -p rustls-webpki`
- **Mandatory surprise:** None new. Previous surprises (CoreError dead code, link_preview IPv6 blocking) both resolved.
- **No new code findings.** All previous items remain resolved.
- **Note:** Test count 225 is lower than previous 249 — mt-core (16) and mt-db (11) unit tests may not have been captured in this run. Integration tests grew from 187 to 190.

### Test coverage expansion (2026-03-22)
- **Test count:** 222 -> 249 (+27 tests). 0 clippy warnings.
- **Grade:** A (maintained). Testing A- -> A. Three cold spots resolved.
- **auth.rs:** 3 -> 8 integration tests (+5). PKCE params, state nonce validation (3 paths), suspended user behavior.
- **admin.rs:** 6 -> 10 integration tests (+4). Search, invalid UUID handling, mod_log entry creation, non-admin access denial.
- **mutations.rs:** New test file with 18 integration tests. Covers: cleanup_expired_bans, ban upserts, swap_category_order, get_category_id_by_slugs, update_category, ensure_membership idempotency, soft_delete, create_post activity bump, toggle_endorsement, insert_flag idempotency, remove_image, link_preview dedup, mentions dedup, upsert_user.
- **seed.rs:** Type safety improved — raw `&str` role params replaced with `CommunityRole` enum (B -> A-).
- **Module heatmap updates:** auth.rs Test B- -> A-, admin.rs Test B -> A-, mutations.rs Test B -> A-, seed.rs Code B+ -> A- / Type Safety B -> A-.

### Fifth formal audit (2026-03-18, Run 9 cross-project)
- **Test count:** 222 (unchanged). 0 clippy warnings.
- **Grade:** A (maintained). v0.3.1 (deployed 2026-03-18).
- **No new findings requiring action.**
- **Observations (pre-existing, not regressions):**
  - ~~`deletion_task.abort()` in main.rs without awaiting completion~~ — Fixed: now awaits task completion after abort.
  - Inline `onsubmit` confirmation dialogs in thread.html — not screen-reader friendly. Impact: LOW, functional but not best-practice.
  - ~~No client-side maxlength on textarea inputs~~ — Fixed: maxlength added to all inputs/textareas. Server-side limits added for flag detail and ban/mute reason (1024 bytes).
- **Mandatory surprise:** URL validation in link_preview.rs blocks IPv4-mapped IPv6 addresses via host_part parsing, but IPv6 full range check uses string prefix match for unique local addresses. Intentionally restrictive (good for SSRF) — not a vulnerability.

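The "mandatory surprise" above concerns how a link-preview fetcher decides that a host is internal. The following is an added example, not code from link_preview.rs or the multithreaded project, showing the shape of that check done on the parsed `IpAddr` rather than on the host string: the IPv4-mapped form `::ffff:a.b.c.d` is unwrapped and run through the IPv4 policy, and unique-local (fc00::/7) and link-local (fe80::/10) ranges are matched on the address bits, so `FD12::1`, `fd12:0::1` and the bracketed URL form all classify identically. The `Refusal` enum and the function names are assumptions for this example.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Why a fetch target is refused. An enum (not a bool) so the caller can
/// log the reason without re-deriving it. Hypothetical type for this example.
#[derive(Debug, PartialEq, Eq)]
pub enum Refusal {
    Unspecified,
    Loopback,
    Private,
    LinkLocal,
    UniqueLocal,
}

/// IPv4 ranges a server-side fetcher must never connect to.
fn check_v4(ip: Ipv4Addr) -> Option<Refusal> {
    if ip.is_unspecified() {
        Some(Refusal::Unspecified)
    } else if ip.is_loopback() {
        Some(Refusal::Loopback)
    } else if ip.is_private() {
        Some(Refusal::Private)
    } else if ip.is_link_local() {
        // 169.254.0.0/16, where cloud instance metadata services live
        Some(Refusal::LinkLocal)
    } else {
        None
    }
}

/// IPv6 checks on the parsed address, so textual variants (upper case,
/// compressed zeros, brackets) cannot slip past a prefix comparison.
fn check_v6(ip: Ipv6Addr) -> Option<Refusal> {
    // ::ffff:a.b.c.d is an IPv4 address in disguise: apply the IPv4 policy.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return check_v4(v4);
    }
    let first = ip.segments()[0];
    if ip.is_unspecified() {
        Some(Refusal::Unspecified)
    } else if ip.is_loopback() {
        Some(Refusal::Loopback)
    } else if first & 0xfe00 == 0xfc00 {
        // fc00::/7, unique local addresses (RFC 4193)
        Some(Refusal::UniqueLocal)
    } else if first & 0xffc0 == 0xfe80 {
        // fe80::/10, link-local unicast
        Some(Refusal::LinkLocal)
    } else {
        None
    }
}

/// Classify the host part of a URL when it is an IP literal.
/// A hostname yields None here: its addresses are only known after DNS
/// resolution, and the resolver path must apply the same check to every
/// resolved address and connect only to an address it has checked.
pub fn refuse_literal_host(host: &str) -> Option<Refusal> {
    // IPv6 literals appear in URLs as "[...]"; strip the brackets first.
    let bare = host
        .strip_prefix('[')
        .and_then(|h| h.strip_suffix(']'))
        .unwrap_or(host);
    match bare.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => check_v4(v4),
        Ok(IpAddr::V6(v6)) => check_v6(v6),
        Err(_) => None,
    }
}

fn main() {
    // Constructed sample hosts, not taken from any real request log.
    for h in ["127.0.0.1", "[::ffff:10.0.0.1]", "[FD12::1]", "[2001:db8::1]", "example.org"] {
        println!("{h:>20} -> {:?}", refuse_literal_host(h));
    }
}
```

The DNS caveat in the doc comment is the part most easily forgotten: a literal-IP check on the URL host says nothing about where a hostname resolves, so the same classification has to run on the resolved addresses before the socket is opened.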
### Phases 19 + 20 implementation (2026-03-16)
- **Test count:** 146 -> 173 (+27 tests: 19 unit + 7 integration + 1 workflow mod)
- **Grade:** A (maintained). Phases 19 (@Mentions) and 20 (Link Previews) implemented.
- **Source LOC:** ~7,000 (up from 6,232)
- **Migrations:** 12 -> 17 (013 flagging, 014 tags, 015 tracking, 016 post_mentions, 017 link_previews)
- **New files:** `src/link_preview.rs` (URL extraction + OG fetch), `tests/workflows/mentions.rs` (4 tests), `tests/workflows/link_previews.rs` (3 tests)
- **New DB functions:** `resolve_usernames_in_community`, `insert_mentions`, `list_link_previews_for_posts`, `insert_link_preview`
- **Markdown:** `extract_mention_usernames`, `resolve_mentions` with code-span awareness
- **Zero clippy warnings, all 173 tests passing.**

### Second formal audit (2026-03-16, Run 6 cross-project)
- **Test count:** 106 -> 146 (+40 tests)
- **Grade:** A (maintained). Phases 14, 15, and 21 implemented since last audit.
- **Source LOC:** 6,232 (up from ~4,800)
- **Migrations:** 10 -> 12 (post_footnotes, post_endorsements)
- **Instrument coverage:** 109/110 (99%) — near-perfect
- **New finding (LOW):** Regex compiled per-request in verify_quotes/post_process_quotes for SHA-256 hash pattern matching. Should use LazyLock.
- **Performance note:** forum.rs at 969 LOC split into forum/ directory module: views.rs (510) + actions.rs (480).
- **Mandatory surprise:** Per-request regex in quote verification — LOW (functional but inefficient).
- **Previous items verified:** All previous remediated items confirmed intact.

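The LOW finding above is the standard "build the matcher once" fix. The following is an added example, not the project's verify_quotes or post_process_quotes code, showing the `std::sync::LazyLock` pattern with a hand-built matcher for 64-hex-digit SHA-256 digests standing in for a compiled `Regex`, so that it runs on the standard library alone; with the `regex` crate the static would simply hold `Regex::new(...).unwrap()` instead. The `BUILD_COUNT` counter is only there to make the once-only construction observable and would not exist in production code. All names are assumptions for this example.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::LazyLock;

/// Number of times the matcher has been constructed. Instrumentation for
/// this example only; it lets a test prove the static was built once.
pub static BUILD_COUNT: AtomicUsize = AtomicUsize::new(0);

/// Finds maximal runs of exactly `len` hex digits. Stands in for a
/// compiled regex such as `[0-9a-fA-F]{64}` with word boundaries.
pub struct HexRunMatcher {
    is_hex: [bool; 256],
    len: usize,
}

impl HexRunMatcher {
    /// The "expensive" step that must not run per request.
    pub fn new(len: usize) -> Self {
        BUILD_COUNT.fetch_add(1, Ordering::SeqCst);
        let mut is_hex = [false; 256];
        for b in b"0123456789abcdefABCDEF" {
            is_hex[*b as usize] = true;
        }
        Self { is_hex, len }
    }

    /// Every hex run of exactly `self.len` bytes. Longer runs are not
    /// digests and are skipped rather than truncated.
    pub fn find_all<'a>(&self, text: &'a str) -> Vec<&'a str> {
        let bytes = text.as_bytes();
        let mut out = Vec::new();
        let mut i = 0;
        while i < bytes.len() {
            if !self.is_hex[bytes[i] as usize] {
                i += 1;
                continue;
            }
            let start = i;
            while i < bytes.len() && self.is_hex[bytes[i] as usize] {
                i += 1;
            }
            // Hex digits are ASCII, so `start` and `i` are char boundaries.
            if i - start == self.len {
                out.push(&text[start..i]);
            }
        }
        out
    }
}

/// Built on first use, then shared by every request on every thread.
/// The per-request alternative is `HexRunMatcher::new(64)` inside the
/// handler, which repeats the construction on every call.
static SHA256_HEX: LazyLock<HexRunMatcher> = LazyLock::new(|| HexRunMatcher::new(64));

/// Request-path function: candidate SHA-256 hex digests in a post body.
pub fn sha256_candidates(body: &str) -> Vec<&str> {
    SHA256_HEX.find_all(body)
}

fn main() {
    // Constructed sample post body, not real forum content.
    let body = "quote 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ok";
    println!("{:?}", sha256_candidates(body));
    println!("{:?}", sha256_candidates("second request, same matcher"));
    println!("matcher built {} time(s)", BUILD_COUNT.load(Ordering::SeqCst));
}
```

The static initialiser runs under a lock on first access and every later access is a plain read, which is why a `LazyLock<Regex>` costs nothing on the request path after warm-up.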
### First formal audit (2026-03-14)
- **Grade:** B+ (unchanged from baseline, but now backed by per-module code review)
- **Baseline was optimistic on:** Security (A- -> B+: javascript: XSS found, fail-open patterns found), Type Safety (A- -> B+: domain types confirmed unused), Observability (B -> C: zero #[instrument] is worse than "no annotations yet"), Performance (B -> A-: indexes are actually solid)
- **Baseline was pessimistic on:** Performance (B -> A-: proper composite indexes, partial indexes, no N+1)
- **Test count confirmed:** 90 (documented 72 was wrong: 56 integration + 18 unit markdown/csrf + 16 unit mt-core)
- **New findings:** 1 HIGH (javascript: XSS), 4 MEDIUM (secure cookie, transaction, fail-open, observability), 5 SMALL

### Full remediation (2026-03-14)
- **Grade:** B+ -> A- (all 10 findings resolved, grade capped by git hygiene)
- **Tests:** 90 -> 97 (+7 markdown security tests)
- **Files:** 36 -> 33 (deleted error.rs, models.rs, pool.rs)
- **Cold spots:** 7 -> 3 (resolved: markdown XSS, observability, dead code, dead docs x2)
- **Key changes:** URL scheme allowlist sanitization, 86 `#[instrument(skip_all)]`, fail-closed access checks, transaction wrapping, configurable Secure cookie, dead code + deps removed, mod log error logging, `.env.example` expanded
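
The "URL scheme allowlist sanitization" listed under key changes is the fix for the HIGH javascript: XSS finding from the first audit. The following is an added example, not the project's markdown sanitizer, showing what such an allowlist has to do beyond a plain string comparison: browsers trim leading and trailing control characters and spaces and drop ASCII tab and newline from anywhere in the URL before they look at the scheme, so the check normalises the same way first, matches the scheme case-insensitively, and treats a scheme-less (relative) href as allowed while dropping any link whose scheme is not on the list. The allowlist contents and function names are assumptions for this example.

```rust
/// Schemes a rendered link may carry. Anything else (javascript:, data:,
/// vbscript:, ...) causes the href to be dropped rather than escaped.
/// Assumed list for this example; a project would tune it.
const ALLOWED_SCHEMES: [&str; 3] = ["http", "https", "mailto"];

/// The scheme of `url` per the URL parser's rules: an ASCII letter followed
/// by letters, digits, '+', '-' or '.', terminated by ':'. Anything else
/// means the href has no scheme and will resolve as a relative reference.
fn scheme_of(url: &str) -> Option<&str> {
    let mut chars = url.char_indices();
    match chars.next() {
        Some((_, c)) if c.is_ascii_alphabetic() => {}
        _ => return None,
    }
    for (i, c) in chars {
        if c == ':' {
            return Some(&url[..i]); // ':' is ASCII, so `i` is a char boundary
        }
        if !(c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.')) {
            return None;
        }
    }
    None
}

/// Returns the href to emit, or None when the link must be dropped.
pub fn sanitize_href(raw: &str) -> Option<String> {
    // Mirror browser pre-processing: strip leading/trailing C0 controls and
    // spaces, then remove tab, LF and CR wherever they appear, so that
    // "java\tscript:" is seen as "javascript:".
    let trimmed = raw.trim_matches(|c: char| c <= ' ');
    let cleaned: String = trimmed
        .chars()
        .filter(|c| !matches!(c, '\t' | '\n' | '\r'))
        .collect();
    // Conservative extra step: any control character left over is refused
    // outright instead of being reasoned about.
    if cleaned.chars().any(|c| c.is_ascii_control()) {
        return None;
    }
    match scheme_of(&cleaned) {
        // No scheme: a relative URL, which cannot select a handler.
        None => Some(cleaned),
        Some(s) if ALLOWED_SCHEMES.iter().any(|a| a.eq_ignore_ascii_case(s)) => Some(cleaned),
        Some(_) => None,
    }
}

fn main() {
    // Constructed sample hrefs, not taken from any real post.
    for href in [
        "https://example.com/docs",
        "/threads/42",
        "JaVaScRiPt:void(0)",
        " \n javascript:void(0)",
        "java\tscript:void(0)",
        "data:text/html,hello",
    ] {
        println!("{href:?} -> {:?}", sanitize_href(href));
    }
}
```

Dropping rather than escaping is deliberate: an href that fails the allowlist has no safe rendering, and returning the normalised string for accepted links keeps what is stored identical to what the browser will navigate to.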