general-audit: main @ 0de7631 (2026-04-29)

[intendednull]

Main @ 0de7631b12b630b402faaac1df2079f63246566d (merge of #489). Prior audit @ 958e1ec (#474). Run via /general-audit.

Method

Per lessons #426 / #438 / #474 / #477: orchestrator-direct default for diffs under ~100 files / ~2000 LOC; pre-fetch existing-issue lists; orchestrator runs cargo-audit; sibling-of-closed pass on closed-since-last-audit.

• 0 agents launched. 66-file / +12733 −4961 LOC diff. Over the file-count threshold but under the finding-density threshold; orchestrator-direct still scaled because new code clusters in 3 areas (test-hooks foundation, voice/governance test landings, ProfileState/typing caps).
• Pre-fetched existing-issue lists: /tmp/audit-issues.txt (17 entries), /tmp/security-issues.txt (26 entries), tech-debt list inline (17 entries). Total 60 unique titles for dedup.
• Orchestrator ran cargo-audit directly. Clean vs CI ignore list (8 RUSTSEC IDs); 5 of 8 still match advisory DB, 3 ignore-list IDs no longer match anything (advisories may have been dropped upstream — non-finding).
• Sibling-of-closed pass on PRs closed since 958e1ec. F1 + F2 are exactly siblings of ci:-titled commits whose actual scope was narrower than the bug class — 950e376 only edited just check-all, bd1f725 only added an eslint config file. CI workflows were never edited.
• Direct main-context sweeps for: unsafe, dbg!/eprintln!/todo!/unimplemented!, Arc<Mutex>/Arc<RwLock> w/o lock-ok, panic!/unwrap in lib prod, js_sys::eval/innerHTML, TODO/FIXME/HACK, anyhow:: in pure libs, vector caps in wire types, let _ = h.<method>().await swallow (per general-audit lessons: 2026-04-28 #477 lesson), CSP, docker pin/USER hardening, SQL prep statements, voice cap enforcement, identity malformed-bytes tests.
• Diff @ 958e1ec..0de7631: 58 commits / ~30 PRs / 66 files / +12733 −4961.

Major themes since last audit

• Test-hooks foundation (PR-1 of docs/specs/2026-04-27-event-based-waits-design.md): crates/web/src/test_hooks/ (629 LOC, 4 files: dispatcher / mod / snapshot / wire), gated behind test-hooks feature with explicit default = [], WillowTestHooks JS interface for Playwright event-based waits. crates/client exposes test-only address getters via the same feature gate.
• SEC-V-03 voice cap landed (PR fix(client): cap voice.participants + gate unknown channels (SEC-V-03) #467 / 595b5ab): MAX_VOICE_CHANNELS = 256, MAX_PARTICIPANTS_PER_CHANNEL, voice-join gated on known channels. Tests added covering unknown-channel-drop + at-cap rejection.
• SEC-V-05 follow-up (1a9503f): ProfileState.names and NetworkMeta.typing_peers LRU-capped at 10k, TTL sweep on typing_peers (5s) piggy-backed on existing 1Hz presence-tick driver.
• Voice + governance happy-path tests (PR test(client): happy-path tests for governance mutators (#416) #466 / test(client): happy-path tests for voice mutators (#414) #464): crates/client/src/tests/voice.rs (6 tests), crates/client/src/tests/governance.rs (5 tests), crates/client/src/tests/actions.rs (covered by PR test(client): cover actions.rs translation logic #483).
• Identity malformed-bytes tests (PR fbe256f / [TC-10] Identity malformed-bytes paths under-tested #424): EndpointId hex rejection, profile CBOR rejection, truncated envelope rejection. Closes TC-10 from general-audit: main @ 401e2fc (2026-04-27) #413.
• Crypto RatchetCache::clear() (PR fix(crypto): add RatchetCache::clear() for explicit key eviction (#178) #469): API method added, ZeroizeOnDrop triggered synchronously. Production callers: zero (RatchetCache itself only used in tests). See "Findings deemed not actionable" below.
• CSP meta tag added (PR fix(web): add CSP meta tag to index.html (#175) #462 / [security] No Content-Security-Policy header in web app #175): default-src 'self', script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval', frame-ancestors 'none', etc. 'unsafe-eval' weakens but is required by existing js_sys::eval sites ([WS-1] Web: js_sys::eval(format!()) for pinned-message scroll uses band-aid sanitization #425 [WS-1]).
• STUN URL configurable (PR fix(web): make STUN URL configurable, default empty (#179) #472 / [security] Hardcoded Google STUN server leaks user IP metadata #179): privacy-first default [] (no STUN), opt-in via window.__WILLOW_STUN_URLS.
• Trunk pin in Docker (PR build(docker): pin trunk to 0.21.14 in web image #478): closes F1 from general-audit: main @ 958e1ec (2026-04-28) #474.
• warn_and_toast_with in components (PR fix(web): route component handler errors through warn_and_toast_with #480): closes F2 from general-audit: main @ 958e1ec (2026-04-28) #474. Verified let _ = h.<method>().await zero hits across crates/web/src/components/, handlers.rs, app.rs.
• Refactors: *State → *Signals rename (refactor(web): rename ServerState/ChatState/VoiceState -> *Signals (#261) #471), prune dead_code allows (chore: prune #[allow(dead_code)] cluster (#327) #470), state tests split into per-concern files (refactor(state): split tests.rs monolith into per-concern files #486, 6 files now from one monolith).

Concerns audited

Concern	Method	Result
security: input-validation/DoS	direct	strong (caps verified: SEC-V-03 voice, SEC-V-05 typing/profile, MAX_EVENT_DEPS, MAX_DESER_SIZE)
security: auth/permissions	direct	strong (state-machine permissions tests comprehensive, apply_event enforces)
security: web/WASM	direct	strong; CSP added (one weakening from 'unsafe-eval' documented), test-hooks privacy guard exists but F1 found
security: deps/supply-chain	orchestrator (cargo audit)	clean vs ignore list (5 RUSTSEC IDs match)
tech debt	direct	stable; existing trackers cover (#332 #320–#330 #195 #485 #481), F2 found
architecture (spec drift)	direct	lock-ok comments compliant w/ docs/specs/2026-04-26-state-management-model-design.md (12 sites, all annotated)
general	direct	F1 + F2 are CI-wiring gaps
test coverage	direct	new tests landed: voice (6) + governance (5) + actions + identity malformed; state tests split + 4802 LOC; actor shutdown/broker-fanout tests added

Strong areas (re-verified, no findings)

• crates/state/src purity: zero tokio / iroh:: / std::fs / SystemTime (rg "tokio::|std::fs|SystemTime|iroh::" crates/state/src clean)
• pure-lib anyhow: zero hits in crates/{state,transport,identity,messaging,crypto,common}/src
• wire deserialize defense-in-depth: MAX_DESER_SIZE = 256 KB + per-variant WireMessage::max_size
• event-DAG insert: MAX_EVENT_DEPS = 64, MAX_ENCRYPTED_KEY_BYTES = 128
• MAX_PROFILE_NAMES = 10_000, MAX_TYPING_PEERS = 10_000, LRU evict, 5s TTL sweep
• MAX_VOICE_CHANNELS = 256, voice-join gated on known channel id
• voice + governance + actions + ephemeral + multi_peer_sync + queue + trust + profile_view test files (8 dedicated test modules)
• state tests split: dag.rs (708) + materialize.rs (1916) + permissions.rs (1087) + stress.rs (387) + sync.rs (247) + voting.rs (457) = 4802 LOC
• lock-ok comments on every legitimate lib-crate Arc/Arc (12 sites: 4 client, 1 actor test, 1 web state_bridge cached, plus search/* doc-comment-only references)
• unsafe sites all annotated (crates/actor/src/addr.rs:91 Sync for Addr, crates/web/src/state_bridge.rs:98 Send for DerivedStateActor)
• no unimplemented!() / todo!() / dbg!() / eprintln!() / FIXME / HACK in lib production
• web js_sys::eval sites: 1 user-input-interpolated ([WS-1] Web: js_sys::eval(format!()) for pinned-message scroll uses band-aid sanitization #425 [WS-1] tracked), rest static-string — no new XSS surface
• docker images: digest-pinned rust:1.95-slim-bookworm, nginxinc/nginx-unprivileged:1.27-alpine, all containers run USER willow/USER nginx, trunk pinned 0.21.14
• let _ = h.<method>().await zero hits across web (F2 from general-audit: main @ 958e1ec (2026-04-28) #474 properly fixed)
• SQL queries in crates/storage/src/store.rs: parameterized (?N), values passed via Box<dyn ToSql> — no concatenation injection surface
• test-hooks gated behind default = [], WillowTestHooks symbol absent from prod under spec — but enforcement gap, see F1

Findings (2 child issues)

#	Sev	Title
F1	medium	scripts/check-no-test-hooks-in-prod.sh symbol-leak guard not wired into CI / deploy workflows — only just check-all
F2	low	eslint.config.js bans waitForTimeout but no CI step or npm script runs eslint

Both findings = sibling-of-closed pattern. The ci:-prefixed commits (950e376, bd1f725) only edited local just recipe / config file but never touched .github/workflows/.

Findings deemed not actionable (verified during sweep)

• RatchetCache::clear() has no production callers. PR fix(crypto): add RatchetCache::clear() for explicit key eviction (#178) #469 closed [security] RatchetCache retains old channel keys in memory without explicit eviction #178 by adding the API; production code path stores ChannelKey directly in crates/client/src/state.rs::ServerEntry.keys: HashMap<String, ChannelKey>, dropped via leave_server (crates/client/src/servers.rs:79) which triggers ZeroizeOnDrop per-entry. So there's no leak today, the API is precautionary library surface. Borderline tech-debt ("dead code in lib?") but RatchetCache is documented public crypto primitive — not dead, just not yet adopted. Leave as-is.
• CSP 'unsafe-eval' weakens script-src. Required by existing js_sys::eval sites (theme bootstrap, focus shim, pinned-message scroll). Tracked under [WS-1] Web: js_sys::eval(format!()) for pinned-message scroll uses band-aid sanitization #425 [WS-1].
• 3 stale RUSTSEC ignore IDs in CI (RUSTSEC-2026-0098, 2026-0099, 2026-0104 no longer matched by current advisory DB scan). Cosmetic — won't break anything, but ignore list could be pruned. Not worth its own issue.
• 53 waitForTimeout calls remain in 6 e2e/ files — already tracked in e2e: migrate remaining specs to event-based waits #458 as migration follow-up.
• 8 #[allow(clippy::too_many_arguments)] sites — same 7 production sites as [tech-debt] Leptos components carry clippy::too_many_arguments allows — extract Props structs #195; [tech-debt] Leptos components carry clippy::too_many_arguments allows — extract Props structs #195 still tracked.

Existing-issue overlap (not re-filed)

• WS-1 (web js_sys::eval(format!()) for pinned scroll) → [WS-1] Web: js_sys::eval(format!()) for pinned-message scroll uses band-aid sanitization #425
• TD-14 (anyhow in lib crates) → [TD-14] anyhow used in 8 library crates contradicts CLAUDE.md convention #332 (verified zero hits in 6 pure-lib crates today; need to recheck network/client)
• SEC-V-02 (sync_since unbounded heads) → [SEC-V-02] sync_since builds unbounded SQL from peer-supplied heads #302
• SEC-V-05 (typing/profile maps) → [SEC-V-05] ProfileState.names / ChatMetaState.typing_peers accept unbounded attacker-supplied strings #234 — landed via 1a9503f
• SEC-V-06 (TopicAnnounce caps) → [SEC-V-06] TopicAnnounce.topics: Vec<String> has no element-count cap; enables relay CPU amplification + topic-slot exhaustion #235 (landed via 3ee8a98)
• SEC-V-07 (Event.deps + RotateChannelKey caps) → [SEC-V-07] RotateChannelKey.encrypted_keys + Event.deps vectors have no element caps #236 (landed via 7ee7e0a)
• TD-02 (convert_case 3-way split) → structural, [TD-02 follow-up] convert_case 3-way split is structural — pinned by Leptos internals + derive_more #485
• TD-03 (getrandom 3-way split) → structural, [TD-03 follow-up] getrandom 3-way split is structural — driven by aes-gcm 0.10, ahash, and iroh 0.98 #481
• All cargo-audit warnings → [DEP-01] rustls-webpki 0.103.10 has 3 open RUSTSEC advisories (name-constraint bypass + CRL panic) #223 [DEP-02] Three concurrent rand major versions + RUSTSEC-2026-0097 across all of them #246 [DEP-03] Workspace uses unmaintained bincode 1.3 for on-wire + on-disk serialization #247 [DEP-08] Unmaintained paste 1.0.15 (RUSTSEC-2024-0436) — not in CI ignore list #316 [DEP-09] Unmaintained proc-macro-error 0.4.12 (RUSTSEC-2024-0370) — not in CI ignore list #317 [DEP-10] Unmaintained atomic-polyfill 1.0.3 (RUSTSEC-2023-0089) — not in CI ignore list #318
• Prior audit findings now confirmed fixed: F1@general-audit: main @ 958e1ec (2026-04-28) #474 → build(docker): pin trunk to 0.21.14 in web image #478, F2@general-audit: main @ 958e1ec (2026-04-28) #474 → fix(web): route component handler errors through warn_and_toast_with #480, [security] RatchetCache retains old channel keys in memory without explicit eviction #178 → fix(crypto): add RatchetCache::clear() for explicit key eviction (#178) #469 (API-only fix), TC-1/TC-2/TC-6 partial → test(client): happy-path tests for governance mutators (#416) #466 test(client): happy-path tests for voice mutators (#414) #464 test(client): cover actions.rs translation logic #483, TC-10 → fbe256f

Method change vs #474

• Agents launched: 0 (same as general-audit: main @ 958e1ec (2026-04-28) #474)
• Findings filed: 2 child + 1 master + 1 lessons = 4 issues (same shape as general-audit: main @ 958e1ec (2026-04-28) #474)
• Diff was bigger (66 vs 52 files; +12733 vs +3525 LOC) — orchestrator-direct still scaled because finding density was low (most diff = test-hooks scaffolding + test landings, both well-gated and following spec)
• Time-to-finding: minutes
• Sibling-of-closed pass (lesson Async client + UI refactor: eliminate polling, context-based state #2 from general-audit lessons: 2026-04-28 #477) directly produced both findings — would have been missed by standard sweep set alone

Lessons follow-up issue describes outcome.