max / multithreaded

8.2 KB · 110 lines History Blame Raw

1	# Multithreaded -- Code Audit Review
2
3	Last audited: 2026-03-28 (seventh formal audit, Run 12 cross-project)
4	Previous audit: 2026-03-22 (sixth audit, coverage expansion)
5
6	## Overall Grade: A
7
8	Run 12 cross-project audit. 225 tests (35 unit lib + 190 integration). 0 clippy warnings. v0.3.2. Grade stable at A. Internal API improvements (MNW category provisioning). Link preview fix. New dep advisories: aws-lc-sys (HIGH 7.4), rustls-webpki.
9
10	## Scorecard
11
12	\| Dimension \| Grade \| Notes \|
13	\|-----------\|:-----:\|-------\|
14	\| Code Quality \| A \| Zero clippy warnings. Consistent `map_err` + `tracing::error!` error handling. Mod log failures logged (not silently dropped). Dead code removed. \|
15	\| Architecture \| A \| Clean 3-crate workspace: mt-core (time formatting), mt-db (queries/mutations), main app (routes, auth, templates). Route module properly split into forum/moderation/settings/admin. Template layer uses view-model structs. \|
16	\| Testing \| A \| 225 tests (35 unit main + 190 integration) at ~32 tests/KLOC. Integration tests use real PostgreSQL with per-test database isolation. Coverage on CRUD, permissions, bans, mute/unban/unmute handlers, CSRF, pagination, rate limiting, category edit/reorder, expired ban behavior, endorsements, footnotes, verified quoting, mentions, link previews, profiles, auth flow (PKCE/state), admin routes, mutations (bans, categories, endorsements, flags, images, link previews, mentions, users). \|
17	\| Security \| A \| All SQL parameterized. CSRF with constant-time comparison. OAuth PKCE with state nonce. Markdown via docengine (URL scheme allowlist + HTML sanitization, defense-in-depth). Fail-closed access checks on all ban/mute/suspension queries. Session cookie Secure flag configurable. \|
18	\| Performance \| A- \| Proper indexes on all query patterns (composite indexes for category listing, thread ordering, ban lookup, mod log). Partial index on ban expiration. No N+1 queries. Per-IP rate limiting on write endpoints (tower-governor). \|
19	\| Documentation \| A- \| `//!` module docs on all source files. `.env.example` documents all 9 environment variables. \|
20	\| Dependencies \| A \| Minimal deps, all justified. Rust 2024 edition. Dead deps removed (thiserror, serde, serde_json from mt-core; mt-core, thiserror from mt-db). Workspace dependency management. \|
21	\| Frontend \| A \| HTMX for dynamic interactions. Askama autoescaping on all template variables. CSRF auto-injected for forms and HTMX. Toast uses `textContent`. `body_html` sanitized by docengine (defense-in-depth). Client-side maxlength on all inputs. \|
22	\| Type Safety \| A- \| Query layer uses focused `FromRow` projections. Dead domain types removed. \|
23	\| Observability \| A \| 86 `#[instrument(skip_all)]` annotations across all route handlers and DB functions. `tracing-subscriber` with EnvFilter. \|
24	\| Concurrency \| A- \| Async throughout with tokio. Graceful shutdown (SIGINT + SIGTERM). reqwest timeouts (15s + 5s). `swap_category_order` uses transaction. Per-IP rate limiting (burst 10, 2/sec). \|
25	\| Resilience \| A- \| Graceful shutdown. HTTP client timeouts. Error logging without panics. Mod log failures logged. Rate limiting on writes. Gap: no retry on MNW API calls. \|
26	\| API Consistency \| A- \| Consistent redirect-with-toast pattern. Proper status codes (403/404/422). Health endpoint returns JSON. \|
27	\| Migration Safety \| A- \| SQLx `migrate!()` with sequential numbering (001-020). All additive. No destructive operations. \|
28	\| Codebase Size \| A \| Lean codebase for full forum with OAuth, CSRF, markdown, moderation, admin, pagination, soft-delete, and settings. \|
29
30	## Module Heatmap
31
32	\| Module \| Code \| Arch \| Test \| Security \| Perf \| Docs \| Type Safety \| Observability \| Concurrency \| Resilience \|
33	\|--------\|:----:\|:----:\|:----:\|:--------:\|:----:\|:----:\|:-----------:\|:-------------:\|:-----------:\|:----------:\|
34	\| main.rs \| A- \| A \| - \| A- \| A \| A- \| A \| A \| A \| A \|
35	\| config.rs \| A \| A \| - \| A \| - \| A \| A \| - \| - \| - \|
36	\| auth.rs \| A- \| A \| A- \| A- \| A \| A \| A \| A \| A \| B+ \|
37	\| csrf.rs \| A \| A \| A \| A+ \| A \| A \| A \| A \| - \| - \|
38	\| (docengine) \| A \| A \| A \| A+ \| A \| A \| A \| - \| - \| - \|
39	\| seed.rs \| A- \| A \| - \| A \| - \| A \| A- \| - \| - \| - \|
40	\| routes/mod.rs \| A \| A \| - \| A- \| A \| A \| A \| A \| A- \| A- \|
41	\| routes/forum.rs \| A \| A \| B+ \| A- \| A \| A \| A \| A \| A \| A- \|
42	\| routes/moderation.rs \| A \| A \| A- \| A \| A \| A \| A \| A \| A \| A- \|
43	\| routes/settings.rs \| A \| A \| A- \| A \| A \| A \| A \| A \| A- \| A- \|
44	\| routes/admin.rs \| A \| A \| A- \| A \| A \| A \| A \| A \| A \| A \|
45	\| templates/ \| A \| A \| A \| A- \| - \| A \| A \| - \| - \| - \|
46	\| mt-core/time_format.rs \| A \| A \| A \| - \| A \| A \| A \| - \| - \| - \|
47	\| mt-db/queries.rs \| A \| A \| B+ \| A+ \| A \| A \| A \| A \| A \| A \|
48	\| mt-db/mutations.rs \| A \| A \| A- \| A+ \| A \| A \| A \| A \| A- \| A \|
49
50	### Cold Spots
51
52	None — all previous cold spots resolved.
53
54	## Strengths
55
56	- Clean architecture. 3-crate workspace with proper separation. Route module split into focused files. Template layer uses view-model structs.
57	- Comprehensive CSRF. Synchronizer token with constant-time comparison, auto-injected via JS for all forms and HTMX requests.
58	- Solid test infrastructure. Full Axum app with real PostgreSQL per test. Cookie-aware client with automatic CSRF token extraction.
59	- Authorization hierarchy. Owner > mod > member correctly enforced. Owners cannot be banned. Only owners can ban mods.
60	- Input validation. Length limits on all user content. Slug format validation. UUID parsing validated. Sort/order whitelisted.
61	- SQL safety. All 40+ queries parameterized. Dynamic ORDER BY uses whitelist match.
62	- Efficient codebase. 4,808 LOC for full forum functionality.
63
64	## Weaknesses
65
66	- No retry on MNW API calls. OAuth token exchange and userinfo fetch have no retry logic.
67
68	## Mandatory Surprise
69
70	`CoreError` is a fully-defined typed error enum with 5 variants (NotFound, Unauthorized, Forbidden, Validation, Internal) that is never used anywhere in the application.
71
72	Route handlers use `map_err(\|e\| { tracing::error!(...); StatusCode::INTERNAL_SERVER_ERROR })` directly. Domain model structs in mt-core (User, Community, Category, Thread, Post, Membership, Role) are similarly defined but bypassed -- queries.rs defines its own `FromRow` structs inline.
73
74	Verdict: Genuine issue. Good architectural intent that was never integrated. Resolved: Dead code removed (error.rs, models.rs, pool.rs deleted; unused deps cleaned from mt-core and mt-db).
75
76	## Action Items
77
78	Filed in `docs/mnw/mt/todo.md`.
79
80	1. ~~[HIGH] Sanitize URL schemes in markdown rendering~~ -- Done. Allowlist (http, https, mailto, ftp), 7 tests added.
81	2. ~~[MEDIUM] Add `#[instrument(skip_all)]` to all route handlers and DB functions~~ -- Done. 86 annotations.
82	3. ~~[MEDIUM] Make session cookie `Secure` flag configurable~~ -- Done. `COOKIE_SECURE` env var.
83	4. ~~[MEDIUM] Wrap `swap_category_order` in transaction~~ -- Done.
84	5. ~~[MEDIUM] Change fail-open access checks to fail-closed~~ -- Done.
85	6. ~~[SMALL] Add `//!` module docs~~ -- Done. All source files documented.
86	7. ~~[SMALL] Remove dead code~~ -- Done. error.rs, models.rs, pool.rs deleted. Deps cleaned.
87	8. ~~[SMALL] Log mod log insert failures~~ -- Done. 15 locations across 4 files.
88	9. ~~[SMALL] Expand `.env.example`~~ -- Done. All 9 env vars documented.
89	10. ~~[SMALL] Initial git commit + configure remotes~~ -- Done.
90
91	## Metrics Over Time
92
93	\| Audit Date \| LOC \| Rust Files \| Tests \| Tests/KLOC \| Clippy Warnings \| Cold Spots \| Overall \|
94	\|------------\|-----\|-----------\|-------\|-----------\|----------------\|------------\|---------\|
95	\| 2026-03-14 \| 4,808 \| 36 \| 90 \| 18.7 \| 0 \| 7 \| B+ \|
96	\| 2026-03-14 (remediation) \| ~4,600 \| 33 \| 97 \| ~21 \| 0 \| 3 \| A- \|
97	\| 2026-03-14 (rate limit) \| ~4,700 \| 34 \| 99 \| ~21 \| 0 \| 3 \| A- \|
98	\| 2026-03-14 (coverage) \| ~4,800 \| 34 \| 106 \| ~22 \| 0 \| 1 \| A \|
99	\| 2026-03-14 (ammonia) \| ~4,800 \| 34 \| 106 \| ~22 \| 0 \| 0 \| A \|
100	\| 2026-03-16 (Run 6) \| 6,232 \| ~36\| 146 \| ~23 \| 0 \| 0 \| A \|
101	\| 2026-03-16 (P19+P20) \| ~7,000 \| ~38\| 173 \| ~25 \| 0 \| 0 \| A \|
102	\| 2026-03-17 (Run 8) \| ~7,000 \| ~38\| 222 \| ~32 \| 0 \| 0 \| A \|
103	\| 2026-03-18 (Run 9) \| ~7,000 \| ~38\| 222 \| ~32 \| 0 \| 0 \| A \|
104	\| 2026-03-22 (coverage) \| ~7,000 \| ~39\| 249 \| ~36 \| 0 \| 0 \| A \|
105	\| 2026-03-28 (Run 12) \| ~7,200 \| ~39\| 225+ \| ~32 \| 0 \| 0 \| A \|
106
107	---
108
109	See [audit_history.md](./audit_history.md) for full chronological audit log.
110