caveman audit. commit 6404719b. prev master #513 @ b901575 (2026-05-02).
Setup
- 9 parallel sweep agents (1 sibling-of-closed + 8 concern-split). 1 timed out (sec-web), backfilled manually.
- cargo audit clean against current ignore list. 3 stale RUSTSEC IDs in the ignore list; cleanup pending (see advisory-drift).
- 38 raw → 25 filed after dedup (12 dups/superseded) + verify (0 dropped).
Stats
Concern split + survivors
- arch — 1 (F2 split-dispatch in materialize.rs)
- general — 5 (F1 leaky sentinel, F2 silent media failures, F5 Debug action desc, F6 dual-clipboard fallback, F7 silent equivocation)
- sec-auth — 6 (F1 ghost-member via GrantPermission, F2 Ed25519 non-strict verify, F3 AssignRole no member precondition, F4 unauth DH wrap, F5 applied_events poisoning, F6 soft-accept unknown deps)
- sec-deps — 2 (F1 workflows lack permissions:, F5 sshpass apt unpinned)
- sec-input — 2 (F2 ServerData by attacker server_id, F3 Content::File size_bytes unbounded)
- sec-web — 1 (F1 CSP img-src vs auto-embed mismatch)
- techdebt — 3 (F1 ICE swallow, F2 localStorage write swallow, F6 JsValue Debug log)
- testcov — 4 (F1 permanent test.skip, F2/F3/F4 waitForTimeout migrations)
- advisory-drift — 1 (3 stale RUSTSEC IDs)
Filed children
(populated as sub-issues — see GitHub UI panel)
Pass 1 sibling-of-closed
0 findings. 5 commit pre-fix verifications, all clean (replay storage parity, web window-access, transition timing, scripts npm). Auto-fix-batch PRs filtered out via commit-prefix pre-filter (only fix:/feat:/perf:/refactor: drilled).
Cargo-audit posture
7 active advisories; all 7 in ignore list. 3 ignored IDs (RUSTSEC-2026-0098, 0099, 0104) no longer match active advisories — stale, see audit-drift.F1. Ignore list could be pruned to 7 entries.
Filed by /general-audit @ 6404719 (2026-05-03).
Dedup: superseded / duplicate references
- `sshpass -p` with password + `root@` + `StrictHostKeyChecking=no` #227
- [GEN-06] Input elements (welcome / channel rename / command palette) lack accessible labels #267
- Migrate client SyncRequest to heads-based sync protocol #43
- intra-batch) `_ =>` arms in `materialize.rs` silently absorb new `EventKind` variants #230
- [DEP-04] CI Rust toolchain and install-action use mutable tags (including in deploy.yml) #248 ×2
- [SEC-V-05] `ProfileState.names` / `ChatMetaState.typing_peers` accept unbounded attacker-supplied strings #234
- [SEC-W-04] Peer-supplied URLs auto-embedded as `<img>` with no scheme/host allowlist — passive-tracking vector #243
- [SEC-W-08] `localStorage` keys not namespaced per identity; sign-out / identity-switch does not purge #245
- [TD-05] 219 bare `Duration::from_secs/millis` literals #323