general-audit: main @ 401e2fc (2026-04-27)

Main @ `401e2fc03d7a3d48e9d7d7cadb6c4b3370749ffd` (merge of #410). Prior audit @ `2f26d91` (#391). Run via `/general-audit`.

## Method

Spawn 8 parallel agents per concern. 7/8 stream-idle-timeout before writing findings (lessons issue follows). 1/8 (testcov) succeed. Main-context direct audit fill gaps. Second-pass grep verify each finding before file.

## Concerns audited

- security: input-validation/DoS — direct
- security: auth/permissions — direct
- security: web/WASM — direct
- security: deps/supply-chain — direct (`cargo audit` clean vs CI ignore list; all 5 warnings already tracked #223 #246 #247 #316 #317 #318)
- tech debt — direct
- architecture (spec drift) — direct
- test coverage — agent
- general — direct

## Strong areas (no findings)

- state crate purity: zero `tokio` / `iroh` / `std::fs` / `SystemTime` imports
- wire deserialize defense-in-depth: `MAX_DESER_SIZE = 256 KB` + per-variant `WireMessage::max_size` cap (`crates/transport/src/lib.rs:36,154`, `crates/common/src/wire.rs:206`)
- event verify: signature + content-hash both checked on insert (`crates/state/src/dag.rs:117`, `event.rs:300`)
- pending-buffer cap: `DEFAULT_PENDING_MAX_ENTRIES = 10_000` + age-eviction (`crates/state/src/sync.rs:139,142`)
- lock-ok comments present on every legitimate lib-crate lock (15 sites annotated; spec `docs/specs/2026-04-26-state-management-model-design.md` enforced)
- no `unimplemented!()` / `todo!()` / `dbg!()` / `eprintln!()` in lib code
- TODOs all linked to design docs (sync-queue.md, profile-card.md, whisper-mode.md, reactions-pins.md) — well-tracked
- state machine: 109+ tests; all 24 EventKind + 5 Permission variants covered
- crypto: tampering / nonce-reuse / wrong-key paths tested
- HLC: 14 tests incl. overflow + drift

## Findings (11 child issues)

### Test coverage (10)

| # | Sev | Title |
|---|-----|-------|
| TC-1 | high | Voice mutation API (`join_voice`/`leave_voice`/`toggle_mute`/`toggle_deafen`/`voice_peer_*`) zero tests at any tier |
| TC-2 | high | Governance mutations (`propose_grant_admin`/`propose_set_threshold`/`delete_role`) no client-tier test |
| TC-3 | high | `crates/client/src/mutations.rs` 1023 LOC, 39 pub methods, zero in-file tests |
| TC-4 | high | Large untested client modules: `listeners.rs` (748), `joining.rs` (465), `connect.rs` (409), `persistence_actor.rs` (280), `voice.rs` |
| TC-5 | med | WASM-divergent code in lib crates has zero `wasm_bindgen_test` coverage (only `crates/web/tests/browser.rs` uses it) |
| TC-6 | med | `crates/client/src/actions.rs` no in-file tests |
| TC-7 | med | `e2e/permissions.spec.ts` wrong-tier: single-client conditional-rendering checks belong at wasm-pack tier |
| TC-8 | low | `compare match`/`compare mismatch` trust-badge flip only Playwright-covered; client-tier infra exists |
| TC-9 | low | Worker `main.rs` entrypoints (replay/storage/agent) no tests; CLI parsing + service wiring untested |
| TC-10 | low | Identity malformed-bytes paths (invalid hex EndpointId, malformed CBOR profile) under-tested |

### Web security (1)

| # | Sev | Title |
|---|-----|-------|
| WS-1 | low | `js_sys::eval(format!("…msg-{}…", msg_id.replace('\'', "")))` defense-in-depth: stripped only single-quote, swap for `Element::scroll_into_view_with_options` |

## Dropped findings (verification falsified)

- ~F4 ChannelRevive non-member-rejection test missing~ — exists at `crates/state/src/tests.rs:4147` (`non_member_cannot_revive_channel` block).
- ~F11 `IrohNetwork` gossip path integration-only~ — duplicate of #340.
- ~F13 actor `performance.rs` 15 `#[ignore]`d tests~ — duplicate of #232.

## Existing-issue overlap noted (not re-filed)

Test density: #343 (overarching). Network coverage: #340. Relay coverage: #341. Actor ignore: #232. State integration: #274.

## Worktrees

`.worktrees/audit-{sec-input,sec-authperm,sec-webwasm,sec-deps,techdebt,arch,testcov,general}` torn down post-file.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

general-audit: main @ 401e2fc (2026-04-27) #413

Method

Concerns audited

Strong areas (no findings)

Findings (11 child issues)

Test coverage (10)

Web security (1)

Dropped findings (verification falsified)

Existing-issue overlap noted (not re-filed)

Worktrees

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

#	Sev	Title
TC-1	high	Voice mutation API (`join_voice`/`leave_voice`/`toggle_mute`/`toggle_deafen`/`voice_peer_*`) zero tests at any tier
TC-2	high	Governance mutations (`propose_grant_admin`/`propose_set_threshold`/`delete_role`) no client-tier test
TC-3	high	`crates/client/src/mutations.rs` 1023 LOC, 39 pub methods, zero in-file tests
TC-4	high	Large untested client modules: `listeners.rs` (748), `joining.rs` (465), `connect.rs` (409), `persistence_actor.rs` (280), `voice.rs`
TC-5	med	WASM-divergent code in lib crates has zero `wasm_bindgen_test` coverage (only `crates/web/tests/browser.rs` uses it)
TC-6	med	`crates/client/src/actions.rs` no in-file tests
TC-7	med	`e2e/permissions.spec.ts` wrong-tier: single-client conditional-rendering checks belong at wasm-pack tier
TC-8	low	`compare match`/`compare mismatch` trust-badge flip only Playwright-covered; client-tier infra exists
TC-9	low	Worker `main.rs` entrypoints (replay/storage/agent) no tests; CLI parsing + service wiring untested
TC-10	low	Identity malformed-bytes paths (invalid hex EndpointId, malformed CBOR profile) under-tested

general-audit: main @ 401e2fc (2026-04-27) #413

Description

Method

Concerns audited

Strong areas (no findings)

Findings (11 child issues)

Test coverage (10)

Web security (1)

Dropped findings (verification falsified)

Existing-issue overlap noted (not re-filed)

Worktrees

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions