Run: scheduled /general-audit against main @ 88498a5.
Prior master: #567 @ 6404719 (2026-05-03).
27 survivors filed as sub-issues (panel at right).
Survivors by concern
security (7): F8 RevokeAdmin against genesis owner; F9 VoteThreshold::Count(0) bypass; F10 cargo install cargo-audit unpinned in CI; F16 localStorage read-failure mints fresh identity; F17 CSP connect-src wildcard; F18 CSP missing report-uri / Trusted Types / upgrade-insecure-requests; F19 CSP test uses substring matching.
robustness / DoS (7): F11 EventKind String fields uncapped in EventDag::insert; F12 Content::validate caps only File; F13 SealedContent.ciphertext uncapped; F14 UpdateProfile.display_name uncapped in apply; F15 Reaction.emoji + per-message cardinality unbounded; F20 create_ephemeral_channel Result swallowed; F21 OpenEventStore mailbox failures swallowed.
tech-debt (5): F2 docker-compose.yml zero healthchecks; F5 PWA manifest missing maskable / scope / id; F23 kicked-member rejection tests missing for Message/EditMessage/DeleteMessage/Reaction; F24 SetServerDescription has no check_permission rejection test; F25 channel-creation sync semantics tested only at Playwright tier.
quality (3): F6 service-worker registration swallows errors; F22 search index remove_* mutations silently dropped on mailbox full; F26 docker relay entrypoint passes --tcp-port/--ws-port flags the binary does not accept (HARD RUNTIME BREAK on docker compose up).
docs (4): F3 stale TODO references closed #119 in network/traits.rs; F4 just check doc-comment claims browser tests; F7 PLAN.md still pre-iroh (libp2p/GossipSub/Kademlia/mDNS); F27 README + CLAUDE.md "Local Development" reference removed relay ports 9090/9091.
architecture (1): F1 Invite-mint authority enforced in client crate, not via apply_event.
Pass results
Synthesis
43 raw findings → dedup (mcp__github__search_issues, narrow per file/symbol) → 27 keeps + 16 drops.
Drops breakdown: 4 internal dupes; 3 superseded by closed [DEP-04] CI Rust toolchain and install-action use mutable tags (including in deploy.yml) #248 / [GEN-10] No rust-toolchain.toml — local builds float from CI's stable-of-the-day #353 / audit F8 [security]: Ed25519 verify uses non-strict mode (signature malleability) #575; 9 dup of open existing issues ([GEN-01] Deploy workflow uses sshpass -p with password + root@ + StrictHostKeyChecking=no #227, [SEC-W-08] localStorage keys not namespaced per identity; sign-out / identity-switch does not purge #245, [SEC-W-05] Ed25519 identity secret key stored unencrypted in localStorage #226, [SEC-A-06] RotateChannelKey allows divergent per-recipient keys (cross-channel/cross-recipient leak) #308, audit F5 [security]: HLC::receive accepts unbounded remote ts → clock-poisoning DoS #516, audit F20 [security]: localStorage trust + nickname stores have no integrity binding to identity key #527, audit F39 [testcov]: settings panel + back-button test should be browser-tier not Playwright #539 ×2, audit F50 [UX]: dispatcher + voice debug-format errors into user-visible warnings #549, audit F13 [security]: GitHub Actions workflows lack permissions: blocks #580, audit F19 [observability]: localStorage write failures silently dropped #586, [web] tighten is_image_url to https-only after CSP img-src https: change (#584) #597).
Verification spot-check (grep + Read ±10 lines): 25/27 verified directly; 2 partially-verified (F06 closed-[network] connection_events() is a placeholder that never yields #119 verified post-hoc via mcp__github__issue_read; F26 contradiction-check passed on the meaningful claim, the "partial" was branch-coverage commentary not a contradiction). 0 dropped at verification.
Lessons-PR
Auto-opened — folds the lessons issue suggestions into .claude/skills/general-audit/SKILL.md. Human reviews + merges as they see fit.
Filed by /general-audit @ 88498a5 (2026-05-04).