File: crates/state/src/materialize.rs:99-185
Severity: tech-debt
Obvious? no
check_permission (lines 99-138) hand-rolls three independent permission tiers: governance match (Propose/Vote/CreateServer), an admin-only matches! block (GrantPermission/RevokePermission/RenameServer/SetServerDescription), and the required_permission() table. apply_event then re-matches a near-identical governance subset (lines 151-182) before delegating to apply_mutation. Three separate match/matches! constructs over the same enum, none exhaustive, each maintained independently — recipe for permission/dispatch drift when adding a new admin-only or governance variant. Per docs/specs/2026-04-12-state-authority-and-mutations.md the table is meant to be a single source of truth; here it is three.
Fix: collapse into one exhaustive classifier function (fn classify(kind: &EventKind) -> EventClass { Governance | AdminOnly | Permissioned(Permission) | Membership | Unrestricted }) called by both check_permission and apply_event.
Filed by /general-audit @ 6404719 (2026-05-03). master: #567.
File:
crates/state/src/materialize.rs:99-185Severity: tech-debt
Obvious? no
check_permission(lines 99-138) hand-rolls three independent permission tiers: governance match (Propose/Vote/CreateServer), an admin-onlymatches!block (GrantPermission/RevokePermission/RenameServer/SetServerDescription), and therequired_permission()table.apply_eventthen re-matches a near-identical governance subset (lines 151-182) before delegating toapply_mutation. Three separatematch/matches!constructs over the same enum, none exhaustive, each maintained independently — recipe for permission/dispatch drift when adding a new admin-only or governance variant. Perdocs/specs/2026-04-12-state-authority-and-mutations.mdthe table is meant to be a single source of truth; here it is three.Fix: collapse into one exhaustive classifier function (
fn classify(kind: &EventKind) -> EventClass { Governance | AdminOnly | Permissioned(Permission) | Membership | Unrestricted }) called by bothcheck_permissionandapply_event.Filed by
/general-audit@6404719(2026-05-03). master: #567.