caveman audit. main @ b901575. last audit @ 0de7631 (#492).
Run summary
- 11 PRs merged since last audit (2026-04-29 → 2026-05-02).
- 9 parallel sweep agents fanned out (sibling-of-closed + 4 security splits + tech-debt + architecture + test-coverage + general-review). All completed cleanly, no timeouts.
- 53 raw findings → dedup against open issues → 40 survivors → grep verification → 2 dropped (false premise, F28 + F52). 38 survivors filed as sub-issues below.
cargo audit clean (0 unhandled vulns, all 10 RUSTSEC ignores still valid).
Top hot picks
- `HLC::receive` accepts unbounded `remote.millis` → single message poisons clock forever (crates/messaging/src/hlc.rs:172). Exploitable DoS.
- … (crates/state/src/dag.rs:130). Amplifies cost of malformed events.
- … `peer_id` while JoinRequest no longer does (crates/client/src/listeners.rs:444). Spoof voice participants.
- `.svg` attachments embedded as `data:image/svg+xml` URLs without sanitisation (crates/web/src/components/message.rs:14). XSS surface.
- `sshpass -p` with password + `root@` + `StrictHostKeyChecking=no` (#227): deploy.yml uses sshpass + StrictHostKeyChecking=no to root@ (4 sites). MITM + password-as-only-secret.
Dups + supersedes (skipped)
| Finding | Reason |
|---|---|
| F2 | dup of #172 |
| F4 | dup of #233 |
| F6 | dup of #234 |
| F11 | intra-audit dup of F5 |
| F12 | superseded by #230 |
| F17 | superseded by #171 |
| F22 | dup of #227 |
| F24 | dup of #248 |
| F29 | superseded by #253 |
| F30 | superseded by #332 |
| F32 | superseded by #321 |
| F33 | superseded by #259 |
| F48 | dup of #270 |
Dropped after verification
- F28 — claim "missing `// state: lock-ok` marker on state_bridge.rs:31" was false; marker exists at line 23. Architecture-tension angle is captured by F38.
- F52 — claim "no aria-live for chat" was false; crates/web/src/components/chat.rs:387 has aria-live="polite". Broader uneven-coverage observation too soft to file.
RUSTSEC ignore-list health
All 10 IDs in .github/workflows/ci.yml still present in advisory-db. No drift. Skip pruning this run.
Survivors
Filed below as sub-issues. Master issue auto-closes when last child closes (per skill rule).