Main @ 00aa515ddae554bf52cad5d0d0566f2730c0aaf0 (merge of #409). Prior audit @ 401e2fc (#413, same date). Run via /general-audit.
Method
Per lessons from #426 (yesterday's run, 7/8 subagents stream-idle-timed-out), this run:
Skipped the 8-agent fan-out entirely (lesson #3: "Drop the 8-agent fan-out for read-only audits.").
Pre-fetched existing-issue lists to dedup directly (/tmp/audit-issues.txt, /tmp/all-quality-issues.txt).
Orchestrator ran cargo-audit itself (lesson #5). Already-tracked warnings only.
Direct main-context sweeps for: unsafe, dbg!/eprintln!/todo!/unimplemented!, Arc<Mutex>/Arc<RwLock> without a lock-ok comment, panic!/unwrap/expect, js_sys::eval/innerHTML, TODO/FIXME/HACK, anyhow:: in pure libs, missing vector caps in wire types, and .ok(); used to swallow errors.
Diff 401e2fc..00aa515: 6 commits (3 PRs) touching 4 files (relay shutdown log, agent read_resource scope-gate, web relay popover Esc/focus). All clean: gates added, tests added.
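The main-context sweep listed above, as an added example that is not the project's tooling: a std-only Rust scanner over one file's source text. It flags each pattern on the report's list and honours the two suppression conventions the report relies on (a // SAFETY: comment on the line directly above an unsafe, and a lock-ok comment on or above an Arc<Mutex>/Arc<RwLock>), so a bare unsafe impl of the AUD-1 kind surfaces as a finding. The function and rule names and the embedded sample file are constructed assumptions.

```rust
// Added example: a main-context audit "sweep" over Rust source text.
// Only the pattern list and the `// SAFETY:` / `lock-ok` conventions come
// from the report; names and the sample file below are constructed.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,
    pub rule: &'static str,
    pub text: String,
}

/// Substring patterns that are flagged whenever they appear in lib code.
const ALWAYS_FLAG: &[(&str, &str)] = &[
    ("dbg!(", "debug-print"),
    ("eprintln!(", "debug-print"),
    ("todo!(", "stub"),
    ("unimplemented!(", "stub"),
    ("panic!(", "panic-path"),
    (".unwrap()", "panic-path"),
    (".expect(", "panic-path"),
    ("js_sys::eval", "js-eval"),
    ("innerHTML", "inner-html"),
    ("set_inner_html", "inner-html"),
    ("TODO", "marker"),
    ("FIXME", "marker"),
    ("HACK", "marker"),
    ("anyhow::", "anyhow-in-lib"),
    (".ok();", "swallowed-error"),
];

/// True when `needle` occurs in `line` outside a trailing `//` comment.
fn in_code(line: &str, needle: &str) -> bool {
    line.split("//").next().unwrap_or("").contains(needle)
}

/// Scan one file's text and return findings in line order. Everything from
/// the first `#[cfg(test)]` onward is skipped: the audit scope is lib code,
/// and unwrap/expect are legitimate in tests.
pub fn sweep(src: &str) -> Vec<Finding> {
    let lines: Vec<&str> = src.lines().collect();
    let mut out = Vec::new();
    let mut in_tests = false;
    for (i, line) in lines.iter().enumerate() {
        let line: &str = *line;
        if line.trim_start().starts_with("#[cfg(test)]") {
            in_tests = true;
        }
        if in_tests {
            continue;
        }
        let prev: &str = if i > 0 { lines[i - 1] } else { "" };
        let mut push = |rule: &'static str| {
            out.push(Finding { line: i + 1, rule, text: line.trim().to_string() })
        };
        // `unsafe` must be justified by a `// SAFETY:` comment on the line above;
        // the comment covers exactly one item, so a second bare impl is flagged.
        if in_code(line, "unsafe") && !prev.trim_start().starts_with("// SAFETY:") {
            push("unsafe-without-safety-comment");
        }
        // Shared locks in lib crates need a `lock-ok` justification on or above the line.
        if (in_code(line, "Arc<Mutex<") || in_code(line, "Arc<RwLock<"))
            && !line.contains("lock-ok")
            && !prev.contains("lock-ok")
        {
            push("lock-without-lock-ok");
        }
        for (needle, rule) in ALWAYS_FLAG {
            // TODO/FIXME/HACK live in comments, so those match the whole line.
            let hit = if *rule == "marker" { line.contains(*needle) } else { in_code(line, needle) };
            if hit {
                push(*rule);
            }
        }
    }
    out
}

/// Constructed sample file (not project code) exercising each rule once.
pub const SAMPLE: &str = r##"
use std::sync::{Arc, Mutex};
// SAFETY: DerivedStateActor is only ever touched from the single wasm thread.
unsafe impl Send for DerivedStateActor {}
unsafe impl Sync for DerivedStateActor {}
struct Bare(Arc<RwLock<u32>>);
struct Shared(Arc<Mutex<u32>>); // lock-ok: single writer, see design doc
fn handle(v: Option<u8>) -> u8 { v.unwrap() }
fn flush() { let _ = std::fs::remove_file("x").ok(); }
fn jump() { js_sys::eval(&format!("scroll({})", 1)); }
// TODO(#119): connection_events() is a placeholder
#[cfg(test)]
mod tests { fn t() { None::<u8>.unwrap(); } }
"##;

fn main() {
    for f in sweep(SAMPLE) {
        println!("{:>3}  {:<30} {}", f.line, f.rule, f.text);
    }
}
```

Running the block prints six findings for the sample: the second unsafe impl (its SAFETY comment covers only the first), the Arc<RwLock> without lock-ok, the unwrap, the .ok(); swallow, the js_sys::eval and the TODO marker; the unwrap inside the test module is not reported.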
Concerns audited
Wire-type vector caps (existing issues cover the bounds work): #235 [SEC-V-06] TopicAnnounce.topics: Vec<String> has no element-count cap; enables relay CPU amplification + topic-slot exhaustion; #234 [SEC-V-05] ProfileState.names / ChatMetaState.typing_peers accept unbounded attacker-supplied strings; #236 [SEC-V-07] RotateChannelKey.encrypted_keys + Event.deps vectors have no element caps
cargo audit clean vs CI ignore list; 5 warnings tracked: #223 [DEP-01] rustls-webpki 0.103.10 has 3 open RUSTSEC advisories (name-constraint bypass + CRL panic); #246 [DEP-02] Three concurrent rand major versions + RUSTSEC-2026-0097 across all of them; #247 [DEP-03] Workspace uses unmaintained bincode 1.3 for on-wire + on-disk serialization; #316 [DEP-08] Unmaintained paste 1.0.15 (RUSTSEC-2024-0436), not in CI ignore list; #317 [DEP-09] Unmaintained proc-macro-error 0.4.12 (RUSTSEC-2024-0370), not in CI ignore list; #318 [DEP-10] Unmaintained atomic-polyfill 1.0.3 (RUSTSEC-2023-0089), not in CI ignore list
State-management model design (docs/specs/2026-04-26-state-management-model-design.md)
Strong areas (no findings)
Same as #413 + verified still standing:
state crate purity: zero tokio / iroh / std::fs / SystemTime
wire deserialize defense-in-depth: MAX_DESER_SIZE = 256 KB + per-variant WireMessage::max_size
event verify: signature + content-hash both checked on insert
pending-buffer cap: 10k + age-eviction
lock-ok comments present on every legitimate lib-crate lock (15 sites)
no unimplemented!() / todo!() / dbg!() / eprintln!() / FIXME / HACK in lib code
TODOs all linked to design docs (sync-queue.md, profile-card.md, whisper-mode.md, reactions-pins.md, multi-grove, illustration) or to a tracked issue (#119: [network] connection_events() is a placeholder that never yields)
crypto: tampering / nonce-reuse / wrong-key paths tested
HLC: 14 tests incl. overflow + drift
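The wire-deserialize defense-in-depth noted above (a global MAX_DESER_SIZE plus a per-variant max_size), as an added example rather than the project's wire code: a tiny length-prefixed frame format in which the declared length is checked against both caps before any payload byte is read. The frame layout (1-byte tag, u32 LE length, payload), the Kind variants and their caps are constructed assumptions; only the 256 KB global figure is taken from the report.

```rust
// Added example: two-layer size defense for a length-prefixed wire frame.
// Frame layout, variant names and per-variant caps are constructed; the
// 256 KB global cap is the figure from the audit report.

/// Hard ceiling for any frame, regardless of kind (last line of defense).
pub const MAX_DESER_SIZE: usize = 256 * 1024;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Kind {
    Ping = 0,
    TopicAnnounce = 1,
    Event = 2,
}

impl Kind {
    fn from_tag(tag: u8) -> Option<Kind> {
        match tag {
            0 => Some(Kind::Ping),
            1 => Some(Kind::TopicAnnounce),
            2 => Some(Kind::Event),
            _ => None,
        }
    }

    /// Per-variant cap: each kind gets the tightest bound its semantics allow,
    /// so a Ping can never be used to push a 256 KB allocation through.
    pub fn max_size(self) -> usize {
        match self {
            Kind::Ping => 16,
            Kind::TopicAnnounce => 4 * 1024,
            Kind::Event => 64 * 1024,
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum WireError {
    Truncated,
    UnknownTag(u8),
    ExceedsGlobalCap(usize),
    ExceedsVariantCap { kind: Kind, len: usize, max: usize },
}

#[derive(Debug, PartialEq, Eq)]
pub struct Frame<'a> {
    pub kind: Kind,
    pub payload: &'a [u8],
}

/// Sender side. No caps are enforced here on purpose: the receiver must not
/// rely on a well-behaved peer.
pub fn encode(kind: Kind, payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(5 + payload.len());
    out.push(kind as u8);
    out.extend_from_slice(&(payload.len() as u32).to_le_bytes());
    out.extend_from_slice(payload);
    out
}

/// Receiver side. Order matters: the buffer size and the *declared* length are
/// checked against the global cap, then the variant cap, before the payload is
/// touched, so an attacker cannot force an allocation or a parse beyond bounds.
pub fn decode(buf: &[u8]) -> Result<Frame<'_>, WireError> {
    if buf.len() > MAX_DESER_SIZE {
        return Err(WireError::ExceedsGlobalCap(buf.len()));
    }
    if buf.len() < 5 {
        return Err(WireError::Truncated);
    }
    let kind = Kind::from_tag(buf[0]).ok_or(WireError::UnknownTag(buf[0]))?;
    let len = u32::from_le_bytes([buf[1], buf[2], buf[3], buf[4]]) as usize;
    if len > MAX_DESER_SIZE {
        return Err(WireError::ExceedsGlobalCap(len));
    }
    let max = kind.max_size();
    if len > max {
        return Err(WireError::ExceedsVariantCap { kind, len, max });
    }
    let payload = buf.get(5..5 + len).ok_or(WireError::Truncated)?;
    Ok(Frame { kind, payload })
}

fn main() {
    println!("{:?}", decode(&encode(Kind::Ping, b"hi")));
    println!("{:?}", decode(&encode(Kind::Ping, &[0u8; 17])));
    let mut hdr = vec![Kind::Event as u8];
    hdr.extend_from_slice(&300_000u32.to_le_bytes());
    println!("{:?}", decode(&hdr));
}
```

The variant cap is what makes the global cap meaningful: without it, every message kind inherits the 256 KB budget, and the cheapest-to-send variant becomes the amplification vector.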
Findings (2 child issues)
#      Sev     Title
AUD-1  low     Web: bare unsafe impl Send for DerivedStateActor lacks SAFETY comment (crates/web/src/state_bridge.rs:87)
AUD-2  medium  Agent: TokenScope::ReadOnly leaks JoinLink credentials via willow://server/join-links (crates/agent/src/scopes.rs:47-51)
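The shape of the AUD-2 problem, and a deny-by-default gate that closes it, as an added example that is not the project's scopes.rs: "read-only" describes the operation, not the sensitivity of the data, so a resource that returns bearer credentials (join links) must be classified by what it exposes and kept out of ReadOnly. The only identifiers taken from the report are TokenScope::ReadOnly and the willow://server/join-links URI; the ReadWrite/Admin variants, the resource classes, the other URIs and the function names are constructed assumptions.

```rust
// Added example (not project code): a deny-by-default scope gate in front of
// an agent's read_resource. TokenScope::ReadOnly and the join-links URI are
// from the audit report; every other name here is a constructed assumption.

// Ord is derived from declaration order: ReadOnly < ReadWrite < Admin.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum TokenScope {
    ReadOnly,
    ReadWrite,
    Admin,
}

/// What a resource exposes. A JoinLink is a bearer credential: reading it
/// confers the ability to act, so it is not "read-only" data in any useful sense.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ResourceClass {
    Public,
    Credential,
    Admin,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ScopeError {
    Unknown(String),
    Denied { uri: String, class: ResourceClass, scope: TokenScope },
}

/// Explicit allowlist. An unlisted URI is refused for every scope, so a newly
/// added resource cannot silently inherit ReadOnly visibility.
const RESOURCES: &[(&str, ResourceClass)] = &[
    ("willow://server/info", ResourceClass::Public),
    ("willow://server/topics", ResourceClass::Public),
    ("willow://server/join-links", ResourceClass::Credential), // never ReadOnly
    ("willow://server/peers", ResourceClass::Admin),
];

pub fn classify(uri: &str) -> Option<ResourceClass> {
    RESOURCES.iter().find(|(u, _)| *u == uri).map(|(_, c)| *c)
}

/// Minimum scope that may read each class. Where exactly Credential lands is a
/// policy choice; the invariant this example enforces is that it is strictly
/// above ReadOnly.
fn required_scope(class: ResourceClass) -> TokenScope {
    match class {
        ResourceClass::Public => TokenScope::ReadOnly,
        ResourceClass::Credential => TokenScope::ReadWrite,
        ResourceClass::Admin => TokenScope::Admin,
    }
}

pub fn authorize_read(scope: TokenScope, uri: &str) -> Result<ResourceClass, ScopeError> {
    let class = classify(uri).ok_or_else(|| ScopeError::Unknown(uri.to_string()))?;
    if scope >= required_scope(class) {
        Ok(class)
    } else {
        Err(ScopeError::Denied { uri: uri.to_string(), class, scope })
    }
}

/// The gate a read_resource handler calls first. The fetch itself is a
/// placeholder string; only the authorization step is the point here.
pub fn read_resource(scope: TokenScope, uri: &str) -> Result<String, ScopeError> {
    let class = authorize_read(scope, uri)?;
    Ok(format!("<contents of {} ({:?})>", uri, class))
}

fn main() {
    for scope in [TokenScope::ReadOnly, TokenScope::ReadWrite, TokenScope::Admin] {
        for (uri, _) in RESOURCES {
            println!("{:?} {} -> {:?}", scope, uri, read_resource(scope, uri));
        }
    }
}
```

The check that matters for AUD-2 is the Credential row: a ReadOnly token reading willow://server/join-links is refused, while public metadata stays readable, and an unknown URI is refused for every scope.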
Existing-issue overlap noted (not re-filed)
js_sys::eval(format!(...)) for pinned-message scroll → #425 [WS-1] Web: js_sys::eval(format!()) for pinned-message scroll uses band-aid sanitization
anyhow::Result in 5 lib-crate files → #332 [TD-14] anyhow used in 8 library crates contradicts CLAUDE.md convention
topics: Vec<String> with no element cap → #235 [SEC-V-06] TopicAnnounce.topics: Vec<String> has no element-count cap; enables relay CPU amplification + topic-slot exhaustion
cargo-audit warnings → #246 [DEP-02] Three concurrent rand major versions + RUSTSEC-2026-0097 across all of them; #247 [DEP-03] Workspace uses unmaintained bincode 1.3 for on-wire + on-disk serialization; #316 [DEP-08] Unmaintained paste 1.0.15 (RUSTSEC-2024-0436), not in CI ignore list; #317 [DEP-09] Unmaintained proc-macro-error 0.4.12 (RUSTSEC-2024-0370), not in CI ignore list; #318 [DEP-10] Unmaintained atomic-polyfill 1.0.3 (RUSTSEC-2023-0089), not in CI ignore list
Dropped findings (verification falsified during sweep)
None. Both surviving findings independently verified by re-reads.
Method change vs #413
Agents launched: 0 (vs 8). Direct orchestrator sweep only.
Findings filed: 2 child + 1 master + 1 lessons = 4 issues (vs 13 in #413, general-audit: main @ 401e2fc, 2026-04-27).
Time-to-finding: minutes (vs hours of timeout-thrash).
Worktrees: none (no agents fanning out → no need).
Tradeoff: orchestrator context grows. Today's diff was tiny + last audit was 1 day ago, so unique-finding surface was small either way. For larger diffs / longer gaps this approach may need 1-2 narrow agents to extend reach — but not 8.
Lessons follow-up issue describes outcome.